The world of hackers can be roughly divided into three groups. “Black hats” break into corporate computer systems for fun and profit, taking credit card numbers and e-mail addresses to sell and trade with other hackers, while the “white hats” help companies stop their disruptive counterparts.
However, it is the third group, the “gray hats,” that are the most vexing for companies. These hackers play it any number of ways, which can leave a company vulnerable to lost assets as well as a tarnished reputation as security breaches are exposed. (The terms are a nod to Westerns, with the villain wearing a black hat and the hero a white one.)
These gray hat hackers surreptitiously break into corporate computers to find security weaknesses. They then choose whether to notify the company and stay silent until the hole has been patched, or embarrass the company by exposing the problem.
The debate among all of these groups over the best course of action has never been settled and will be an undercurrent at the Def Con 18 hackers conference starting today in Las Vegas.
For companies, the best strategy for finding software flaws is just as unsettled. Facebook encourages its employees to try to hack the company site. Some companies encourage outsiders to break in. For example, mint.com, a personal finance Web site owned by Intuit, enlists hackers to test its security once a quarter.
Others just wish the hackers would simply go away, as AT&T did after a group discovered a loophole on the company’s Web site last month that exposed 114,000 e-mail addresses and cellular identification numbers for owners of the iPad 3G.
“Some will say that the public is better off if we just tell everyone,” said Dean Turner, director of Symantec’s antivirus security response teams.
Some companies, he points out, prefer to turn hackers from the dark side by fixing the problem and giving them public credit. Salesforce, Facebook, PayPal and Microsoft have notices on their sites encouraging researchers to find flaws in their systems.
If the hackers adhere to a set of rules, the companies pledge not to initiate legal action, to work with the hackers to fix the problem, and to give them appropriate credit for finding the flaw.
Mike Reavey, director of Microsoft’s security response center, says Microsoft wants the researchers to report flaws without fear of repercussions.
“We take security very seriously; our focus is to put customer safety first,” Reavey said. “We realize we can’t do this alone, which is why we want to partner with the research community.”
Dino Dai Zovi, a prominent white hat computer security expert at Trail of Bits, a New York security firm, says he likes to work with companies.
“If you find something new, not only are you protecting people that use a system, but there’s the excitement and thrill of finding something new that no one else knows about,” Dai Zovi said.
He is also motivated by the money available to the bug hunters, as they are also known. In 2006, he won US$10,000 at a major white-hat competition sponsored by Tipping Point, a security company, by breaking into an Apple laptop through a vulnerability in the Safari Web browser and video player.
Mozilla, the maker of the Firefox Web browser, and Google both announced last week that they would begin paying for new bug discoveries too.
Gray hats may bask in the recognition, but some can also seek to make money from an exploit. One of the gray hats, a security researcher based in Singapore who would not share his real name and goes by the online pseudonym “The Grugq,” chooses not to tell companies about the bugs he finds, he said via instant message. Telling Microsoft about a loophole earns only a “gold star,” The Grugq said.
Hackers can sell or trade the flaws they uncover in what is called the bug market, until the company plugs the hole and renders it worthless.
“The people actively using the bugs get very upset when they die,” The Grugq wrote.
Some bugs can sell for as much as US$75,000 online.
Credit card numbers were once the main product traded. Jeff Moss, who organizes conferences for hackers, says more gray hats are tempted to gain access to systems as the value of security holes increases.
“There’s a vulnerability marketplace that has been steadily increasing,” he said. “The cost of e-mail addresses is worth more money now than it was 10 years ago, and there’s a big demand for fresh vulnerabilities and information.”
Some companies want to lead the gray hats toward the white hat camp.
Other companies, including AT&T, are still wrestling with the distinctions between security researchers trying to help and those gray hats with murky motives. AT&T would not comment on its policy for dealing with gray hats.
Chris Paget, the co-founder and professed chief hacker of H4rdw4re, a phone and hardware security company, said it seemed that AT&T was attacking researchers instead of working with them.
“I think there’s a good case to be made that AT&T just isn’t used to dealing with this kind of situation,” he said. “A lot of companies aren’t.”
Moss, known online as “The Dark Tangent,” said the involvement of the FBI in the iPad 3G case had given some researchers reason to reconsider disclosing online holes.
“It’s a wait and see effect in the community right now,” Moss said.
The threat of legal action is not the only reason hackers are taking stock.
“There’s a lot of money to be made in identity theft, credit card numbers and e-mail lists,” Dai Zovi said. “White hats are sick of giving away information; they want to be paid for the work now too.”