Grey hat: Difference between revisions
No edit summary |
No edit summary |
||
| Line 4: | Line 4: | ||
==History== |
==History== |
||
The term ''Grey Hat'' was coined by a hacker group called [[L0pht]] in 1998. They group references it in an interview with the NY Times<ref>[http://www.physics.ohio-state.edu/~wilkins/html/hackers/] from 1999 describing their ''Grey Hat'' behavior. The earliest known use of the term ''Grey Hat'', in the context of computer security literature, may be traced back to 2001. Cliff used the phrase to describe hackers who support the [[security through obscurity | ethical reporting]] of [[vulnerability_(computing) | vulnerabilities]] directly to the software vendor.<ref>[http://www.symantec.com/connect/articles/intrusion-detection-systems-terminology-part-one-h Symantec.com] Cliff, A. (July 2, 2001). "Intrusion Detection Systems Terminology"</ref>. He contrasted this with the [[full disclosure]] practices that were prevalent in the [[white hat]] community at the time; and the principals of the [[black hat]], whereby no one should be made aware of security holes. |
The term ''Grey Hat'' was coined by a hacker group called [[L0pht]] in 1998. They group references it in an interview with the NY Times<ref>[http://www.physics.ohio-state.edu/~wilkins/html/hackers/] from 1999 describing their ''Grey Hat'' behavior</ref>. The earliest known use of the term ''Grey Hat'', in the context of computer security literature, may be traced back to 2001. Cliff used the phrase to describe hackers who support the [[security through obscurity | ethical reporting]] of [[vulnerability_(computing) | vulnerabilities]] directly to the software vendor.<ref>[http://www.symantec.com/connect/articles/intrusion-detection-systems-terminology-part-one-h Symantec.com] Cliff, A. (July 2, 2001). "Intrusion Detection Systems Terminology"</ref>. He contrasted this with the [[full disclosure]] practices that were prevalent in the [[white hat]] community at the time; and the principals of the [[black hat]], whereby no one should be made aware of security holes. |
||
In 2002, however, the [[Antisec_Movement | Anti-Sec]] community published use of the term to refer to people who proverbially worked in the security industry by day, but sought to engage in black hat activities by night.<ref>[http://www.digitalsec.net/stuff/website-mirrors/pHC/old/greyhat-IS-whitehat.txt Digitalsec.net] #Phrack High Council. (August 20, 2002). "The greyhat-IS-whitehat List"</ref>. The irony was that for black hats, this interpretation was seen as a derogatory term; whereas amongst white hats it was a term that lended a sense of popular notoriety. |
In 2002, however, the [[Antisec_Movement | Anti-Sec]] community published use of the term to refer to people who proverbially worked in the security industry by day, but sought to engage in black hat activities by night.<ref>[http://www.digitalsec.net/stuff/website-mirrors/pHC/old/greyhat-IS-whitehat.txt Digitalsec.net] #Phrack High Council. (August 20, 2002). "The greyhat-IS-whitehat List"</ref>. The irony was that for black hats, this interpretation was seen as a derogatory term; whereas amongst white hats it was a term that lended a sense of popular notoriety. |
||
Revision as of 13:35, 26 July 2010
| Part of a series on |
| Computer hacking |
|---|
A grey hat, in the hacking community, refers to a skilled hacker who sometimes acts illegally, though in good will, and limits their disclosure of vulnerabilities on a need-to-know basis. They are a hybrid between white and black hat hackers. They usually do not hack for personal gain or have malicious intentions, but are prepared to commit crimes during the course of their technological exploits in order to achieve better security.[1]
History
The term Grey Hat was coined by a hacker group called L0pht in 1998. They group references it in an interview with the NY Times[2]. The earliest known use of the term Grey Hat, in the context of computer security literature, may be traced back to 2001. Cliff used the phrase to describe hackers who support the ethical reporting of vulnerabilities directly to the software vendor.[3]. He contrasted this with the full disclosure practices that were prevalent in the white hat community at the time; and the principals of the black hat, whereby no one should be made aware of security holes.
In 2002, however, the Anti-Sec community published use of the term to refer to people who proverbially worked in the security industry by day, but sought to engage in black hat activities by night.[4]. The irony was that for black hats, this interpretation was seen as a derogatory term; whereas amongst white hats it was a term that lended a sense of popular notoriety.
Following the rise and eventual decline of the Full Disclosure vs Anti-Sec 'golden era' - and the subsequent growth of Ethical Hacking philosophy - the term 'grey hat' began to take on all sorts of diverse meanings.
In 2004, Harris (et al) published a book on grey hat methodologies. This built upon the idea that black hats have malicious intentions and do not disclose their secrets; whereas white hats always engaged in public full disclosure, freely publicising security flaws in the hope that they will be fixed. The authors espoused that grey hats fall somewhere between, in that they derive income from notifying the vendor of what needs to be fixed after they have penetrated a system.[5]
In 2006 Moore used the term to describe freelance hackers who browse the internet in search of security holes, and then seek to charge the host a fee for fixing the issue.[6]
In 2008, the EFF defined grey hats as an ethical security researchers who use illegal methods to improve security.[7].
Consensus
Drawing upon common denominators, a grey hat is a hacker that:
- Engages in security research with the intention to secure rather than destroy; and
- Does not support full disclosure of vulnerabilities; and
- Usually reports the vulnerability to the product vendor; and
- Is challenged by questions of ethics and law in the line of their work.
Grey hats are easily distinguished from black hats in many ways (esp. intent), but can only be distinguished from white hats on the topic of full disclosure.
Examples
In April 2000, {} and Hardbeat gained unauthorized access to apache.org.[8] They chose to alert Apache crew of the problems rather than try to damage the apache.org servers.[9]
In June 2010, a group of computer experts known as Goatse Security exposed a flaw in AT&T security which allowed the e-mail addresses of iPad users to be revealed.[10] The group revealed the security flaw to the media after AT&T had been notified. Since then, the FBI has opened an investigation into the incident and raided the house of weev, the group's most prominent member.[11]
See also
References
- ^ Redhat.com
- ^ [1] from 1999 describing their Grey Hat behavior
- ^ Symantec.com Cliff, A. (July 2, 2001). "Intrusion Detection Systems Terminology"
- ^ Digitalsec.net #Phrack High Council. (August 20, 2002). "The greyhat-IS-whitehat List"
- ^ Harris ; et al. (2004). Grey Hat Hacking: The Ethical Hacker's Handbook. McGraw-Hill Osborne Media.
{{cite book}}: Explicit use of et al. in:|last=(help) - ^ Moore, Robert (2006). Cybercrime:Investigating High-Technology Computer Crime. Cincinnati, Ohio: Anderson Publishing.
- ^ EFF.org Electronic Frontier Foundation (EFF). (August 20, 2008). "A 'Grey Hat' Guide"
- ^ Wired.com
- ^ Textfiles.com
- ^ FBI Opens Probe of iPad Breach Wall Street Journal, Spencer Ante and Ben Worthen. June 11, 2010
- ^ Tate, Ryan (9 June 2010). "Apple's Worst Security Breach: 114,000 iPad Owners Exposed". Gawker.com. Gawker Media. Retrieved 13 June 2010.
{{cite news}}: Check|authorlink=value (help); External link in|authorlink=