[ILUG] Coloured hats.
kevin lyda
kevin+dated+1083159730.54f305 at ie.suberic.net
Fri Apr 23 14:42:01 IST 2004
On Fri, Apr 23, 2004 at 02:13:35PM +0100, Colm Buckley wrote:
> On 23 Apr 2004, at 14:09, Robin Farrell wrote:
>
> > Having a discussion in the office here, thought I would throw it to the
> > people who know.
> > Can you define what you think a white hat hacker and a black hat
> > hacker are for me?
> Black hat = malicious hacker. Someone who breaks into a system to
> cause damage or for personal gain.

the shorter definition: an asshole

> White hat = benevolent hacker. Someone who breaks into a system to
> demonstrate its vulnerabilities, and help fix them.

it's important to note that the system they are breaking into is usually
one that is theirs or one that they have been asked to try to break into.
for instance a person might try a wide variety of attacks on their own
openssh server. if they do that and code up a patch they *WON'T* go
off and break into other people's openssh servers and install the patch.
they would inform the openssh developers and pass along the vulnerability
and a patch if they have it.

and then there's the disclosure debate. in general white hat hackers
should not widely disseminate vulnerabilities w/o giving the developers of
the vulnerable system a reasonable amount of time to come up with a fix.
the problem lies in the definition of "a reasonable amount of time."

also, when disclosing, a white hat shouldn't disclose working code for
a vulnerability.

kevin
--
kevin at ie.suberic.net ~ "you're either with us or against us." --dubya
iraq: vietnam again? ~ in that simplistic world-view progressives and
a new lbj selected - ~ liberals are "us" while bush and bin laden are
"looney bush junior" ~ "against us."