The international “security industry” has not only borrowed the ‘black hat’ / ‘white hat’ dichotomy from ancient Hollywood western movies but also a self-characterisation that is no longer justified by the actions and attitudes of those who take part.
In this little essay I’m exploring how the events of the past months have changed the picture of the “white hat” hackers.
The Emperor is Naked!
Going back in time: Not more than a year ago, the clandestine “security community” was treated with respect: highly skilled experts, paid by governments and huge multinational companies to protect their interests; the warriors of the cyberspace, if you will. You don’t want to mess with them, nor with the organisations they represent – unless you have an equally powerful organization or government to back you, that is.
Entering stage: “Anonymous”. Not an organisation but rather just a mob of angry youngsters; at that time: angry with international banks and payment services that refused to transfer money to WikiLeaks (probably due to U.S.-government pressure). This angry mob now decided to attack these global players: VISA, MasterCard … the tools are as low-tech as one could possibly imagine but the enthusiasm is high … and they win!
One after the other these big company web sites fell. Not that it did much damage – the transactions are handled over other channels, and – honestly – how many people actually even noticed the outage? But it destroyed something that is immensely important: trust in their technical capabilities.
All these huge organisations were completely unable to deflect the attack; and even if you could forgive a company like VISA or MasterCard for not keeping their web server secure, you would never forgive it to their security consultants. The police giving an even more desolate impression: obviously struggling to make even the faintest impression of “handling the situation” they went around and arrested a few random teenagers. This really helped little to calm the storm, but much to have everybody know just how clueless they were.
It was a pivotal point: Anonymous took the role of that fearless kid who shouted: “Look, the emperor wears no clothes!”
From that moment onwards, nobody could take this kind of “security experts” serious any more. And nobody did.
A Darker Shade of Grey
Soon after that, a certain Aaron Barr did the mistake of his life by talking big of his supposed insider knowledge of Anonymous; he was working for HBGarry, a company that really likes to be portrayed with a brightly white hat: firmly embedded in the “security community”, cooperating with the FBI and many big players in the world of security…
Surely, no hacker with a sane mind would dare to mess with such a company? Well, maybe half a year earlier this would have been true. It was not true any more.
And the drama continued: Inevitably, Anonymous hit hard on HBGary. At first simply with the usual DDoS attacks, but soon a group of more apt hackers managed to break into their network and the best sense of the word gutted them in a way this has never been done before.
More importantly, the outfall of the “Anonymous” atom bomb striking HBGary was an unfiltered insight into the business world of the so-called “whitehats”: And that sight was not pretty:
Underneath the whitewashed surface, these people were dealing in smear campaigns, blackmailing and spying on civil liberties groups … oh, and let’s not forget to mention the balloons of hot air they were trying to sell for hard tax dollars.
It also became clear that HBGary is not the exceptional black sheep in the white flock: others were in just as deep.
This day, white hats turned grey. Dark grey.
Coda
Many more things have been uncovered since then. Most notably: self-proclaimed “white hat” Karim Hijazi offered money to LulzSec to hack and damage his competitors (they refused). But the story is not over yet.
My point is: if this is what the “good guys” do, I’d rather side with the “bad”. So far, “black hat” hackers like LulzSec have shown a lot more responsibility and moral backbone than the “white hat” community. Not only that, but they have also shown more skills.
Thank goodness – because this is what we need today: skilled hackers with strong moral standing. Anonymous and LulzSec have shown that they are worthy of placing our hopes in them.
It's all very intriguing; I expect there may be interesting times ahead also...
ReplyDeletePS Good write-up, but there's a small typo in para 9: *portrayed* not portrait
Thanks, and I agree completely: There are very interesting times ahead. I am sure that Internet is not going to be the same in a year from now. This could be for good or for bad. We'll see.
ReplyDelete(I also corrected the typo you mentioned - and a few others.. someone else sees one?)
A~O
strong moral standing? i am not sure about that, they did release the usernames and passwords of foolish, but ultimately innocent users AND encouraged them to try paypal and facebook.
ReplyDeleteyou might say loyal to their ethics, but never moral. if anything they are the real definition of immoral.
Thank God, the real Revolution has begun. Hit the bastards hard. They deserve it.
ReplyDeleteSo wait a minute...one organization that was political in nature, and one individual not being as clean as they portray, allows you to paint with a very broad brush to say "white hats" have no moral fortitude?
ReplyDeleteWhat about the legit security professionals who fight day in and day out to convince profit motivated companies to spend their cash on what the organization sees as "insurance"? While they may not win the battle often, they are trying to do the right thing and have just as much (if not more) moral fortitude than a bunch of rebels who hide behind masks.
Yeah, NamePrivate, it's a tough world out there: one rotten fruit and the whole basket shall be dumped...
ReplyDeleteWell, if you look at it: it wasn't just one 'black sheep' ... wherever the guys poked, they found dirt. Makes it hard to believe that the rest is so different.
But, granted: This being a blog, I exaggerated and polemicised. There may be whitehats who deserve this name somewhere out there.
So, dear whitehats: What's your plan to stop the "black sheep with the white hats" from tainting your good name? Where is your master plan? Can you hear me, whitehats?
Uh, not sure if it is worth waiting for them. But, please, feel free to prove me wrong. I'd be delighted if you do!
Gn0sis and Sabu hacked HBGary not Anonymous.
ReplyDeleteTopiary jumps into the mix with them, sprinkle in an Anon member or 2 and LulzSec is formed.
Lulz hacks SONY, which in and of itself wasn't necessarily a bad thing. Then they start all the skiddie BS and DoXing innocent users ...
Anon may have started out with the right idea, but letting Lulz run wild and shite on it was idiotic
Now its all just a CF that's going to result in the death of internet anonymity and a surrendering of your civil liberties and rights.
There is nothing "moral" about this anymore.