Not all hackers are stealing your credit card info...
The term Hacking is widely interpreted as “breaking into computers”. Although this sounds criminal, it sometimes is not. A lot of hacking actually happens with permission of the rightful owner of a site or device, for instance when a company hires hackers to test their software for vulnerabilities. It does however becomes illegal when you commit computer trespassing. But as in real life, there will always be hackers that act “on the wrong” side. A widely accepted way to differentiate between hackers is using three types of “hats”: The white hat, the black hat, and the lesser known grey hat. The idea is that a white hat hacker hacks for the good, a black hat hacker is so called “evil” and a grey hat hacker is a combination of a white hat and a black hat hacker. Grey hat hackers sometime cross the lines in to the darker domains, where as a white hat act neatly between the lines called 'scope'. These different types of hackers also have different motives. While a white hat hacker might do it for the thrill, the challenge and the recognition, a black hat hacker will more likely do it for the money and the thrill (and sometimes even for political reasons). The market The hacker “market” is huge, and complying to all aspects of that market requires different types of skills. For example, a hacker that attacks websites needs a different set of skills than a hacker who finds vulnerabilities in software like IOS and Windows.
The not so ethical market
There is a fairly big community on the internet that sells so called DDOS attacks. A DDOS basically means that you send an enormous flood of data -from multiple sources- to a system or website in order to make it unreachable for regular traffic. For a couple of bucks you can buy a DDOS attack and take any website down. Websites that offer these attacks aren’t even hidden on the dark web. Try Googling for the word “stresser”, and pick one to start your very own DDOS attack.
There are also companies who buy vulnerabilities from hackers for huge amounts of money. Zerodium for example payed a group of unknown hackers a million dollars after finding a zeroday vulnerability in IOS9. The question if this is considered ethical is a difficult one to answer. The hackers themselves didn’t harm anyone but the companies / governments who buy the vulnerabilities from Zerodium might. Does this make black hats from the hackers that the vulnerability and sold it? Or did they act responsible?
The ethical hacker market is way different than the black hat market. For example, an ethical hacker would never attack a website using a DDOS attack because they know that this type of an attack is mostly unpreventable. Ethical hackers are way more focussed on improving security instead of breaking it. Let’s take Shellshock for example, which affected millions of systems.
This vulnerability was reported by an ethical hacker who later got rewarded $20.000,- for finding this vulnerability. He might have gotten more, but instead of selling this vulnerability to companies like Zerodium he reported it responsibly, so vendors could fix it.
The fight between good and evil
Overtime we have seen a lot of examples where “bad” hackers have exposed user information stolen from systems they breached. An example of this is the Adobe hack where over 150 million user records have leaked or the Ashley Madison hack that had a huge impact (and a lot of media attention).
Unfortunately, it is this media attention that composes the image of hackers these days, and that image sadly can’t be fixed in a day. Although there are a lot of prevented data leaks because white hat hackers were kind enough to take the risk and report these vulnerabilities to a company/vendor – for example via coordinated vulnerability disclosure (also called Responsible Disclosure) - white hat hackers will never be able to “compensate” the impact that black hat hackers have on the media. Let’s face it:
“11 million Ashley Madison passwords revealed.”
Sounds way better on the front page of a news site than
“Hackers prevent possible data leakage at Ashley Madison.”
Luckily we are on the right track by showing that there are also “friendly” hackers. A great example where white hat hackers have shown that there are also “good” hackers was the car hack by Charlie Miller and Chris Valasek.
Another example where you can see the impact of white hat hackers preventing companies from getting hacked and leaking millions of records is the already mentioned Coordinated Vulnerability Disclosure, which basically means that a hacker is allowed to “take a look” and when something is found he/she has to report that in a “responsible” way. The deal is that the company that runs this program does not take the hacker to court when the hacker played by the rules. More and more companies are already doing this (Including the Dutch government!), and we see this as a great way to get the hacker community working together in a positive way with the corporate world. Some companies even take it further than that, they actively ask hackers to test their systems and reward hackers for vulnerabilities found in their network or services. Those vulnerability reward programs are also called “bug bounty programs”.
A company that runs such a bug bounty program with great results is Facebook. In 2015 Facebook paid around 1 million (in total 4.3 million since they started in 2011) to hackers who reported vulnerabilities in their systems. You can read more about Facebook’s experience with white hat hackers at their report from 2015:
Last year Facebook received 13,233 reports from researchers all over the world. That’s a huge number and it tells a lot about how big and growing this community is. Let's keep building a future where it is more profitable and accepted for hackers to just report vulnerabilities instead of misusing them!