Article by Ken Westin
When I explain conferences and activities such as penetration testing and lock picking to people outside the security community, I get similar responses along the lines of "isn't that illegal?" When I try to explain that it depends on intent, it only confuses them more.
I have experience working with law enforcement, and one topic that comes up often is the fine line between "cop and criminal." This makes sense: a good detective needs to think like a criminal to catch a criminal, and this rings particularly true in computer security.
When I tried to explain what a gray hat hacker is to my father, who is a big Clint Eastwood fan, I said they are like Dirty Harry (some more so than others), only armed with "the most powerful security tools in the world" instead of a magnum. The methods may be unorthodox and on the fringe, but the intentions are for the most part good: get the bad guy and keep the world safe.
Usually, when there is a large-scale hack in the news, the gray hat is more interested in the "how" than the "why." There is a respect for the black hat's technical abilities, while keeping a wary eye on them and not turning your back. Some gray hats have had run-ins with the law, not because they set out to be malicious, but because curiosity got the best of them.
A good example of this is Joe "Kingpin" Grand, who presented at ToorCamp this summer. While young, he had some legal trouble due to his "technical curiosity," but he turned around and has become a prolific inventor and hardware hacker, and has testified before the Senate regarding homeland computer security.
When looking at those in the security field who spend countless hours scouring applications and servers for holes, it is important not to judge them on the act of exposing vulnerabilities, but on their intentions for doing so. In many respects the security community holds ethics very high, more so than many other industries, and I am amazed at how much effort and pride researchers put into their work.
In the end, the color of your hat is dictated by your intentions, not necessarily by your practice.
Cross-posted from Tripwire's State of Security