Several decades ago, if someone referred to a person as a computer “hacker” or that they’d developed a “clever hack” it was intended as a compliment to one’s prowess in solving a difficult computer problem, probably with a unique solution that was off the beaten path of tried and true methods. However, despite a small camp of old-school followers that still adhere to this usage, today hacking (and it’s cracking sibling) refers to unauthorized entry or tampering in a computer, network, or program. While there are a few books and magazine articles that celebrate the “clever solution” old-school hacking definition, most of the time when you hear someone discussing hacking, they refer to activity of the illegal variety.
The growth of the internet and interconnectedness of so many computers has led to a dramatic increase in hacking. The internet has enabled hackers in increase their activity for two reasons. First, there are more computers connected to networks making more targets for hackers to access. Second, the internet is a fertile ground for hackers to spread their methods and recruit others to help.
Hackers speak of “vulnerabilities” and “exploits.” A vulnerability is a problem within a system or code that would allow someone to take advantage of it in a way not intended. An exploit is the actual code or method used to take advantage of a vulnerability.
Within hacker communities, you’ll hear of two types of hackers: black hat and white hat. Just like the old western movies, hackers see the white hats as good guys (or girls) and the black hats as bad. Defining a black hat as “bad” is fairly easy. Any person who gains unauthorized access to a computer or network and steals information, modifies code or settings, disrupts the system, or otherwise makes any changes or does any damage is clearly acting as a “black hat.”
“White hat” hackers are harder to define. A lot of what people who think they are “white hats” do falls into a grey or black area. Many “white hats” gain unauthorized access to a system for one of three reasons they feel justifies their activity. Their first reason may be to prove the system’s insecurity and to alert the owner to the insecurity so the owner can take steps to correct it. Their justify their action by seeing that they are doing good and that they are helping the owner make the system more secure. But, in the physical world, if a “white hat” bypassed someone’s home security system to break-in and prove the system wasn’t a good one, it would still be clear that a crime was committed and the homeowner would be unlikely to thank the “whitehat” for pointing out their alarm deficiencies.
The second justification for “white hats” is to prove that a certain operating system or application is insecure by proving vulnerabilities that need to be fixed. In this case, the “white hat” will attack a system or systems and report (or boast) of the vulnerability they exploited to prove to others they shouldn’t use this system or to prompt the vendor to fix it. Again, there’s a problem in this logic in that if one uses unauthorized access to someone else’s system to make a point, the end doesn’t justify the means of “unauthorized access.”
A third justification of “white hats” is the “Mount Everest Defense.” (Question: “Why did you climb Mount Everest?” Answer: “Because it was there.”) In this justification, white hats see gaining unauthorized access as an intellectual challenge and defend their activities by stating that they didn’t do any damage or steal anything, so what’s the harm? Here the issue has parallels to “no trespassing” signs: when an owner doesn’t want someone on their property, the “challenge” isn’t justification for the illegal act of trespassing.
So, in what cases is a “white hat” really a “white hat?” If a system’s owner invites or hires someone to attempt to hack it to find vulnerabilities, that’s legitimate white hat security work. Anything other than that for any motive is questionable at best.
Another related phrase you’ll hear bantered about is “script kiddie.” This is a derogatory term used by hackers who think they are superior to refer to hackers who can’t come up with any original hacks of their own and just run scripts provided by others to exploit vulnerable systems.
So, lastly in this line of definitions, we come to “cracker.” To the old-schoolers to hold onto “hacks” as being clever solutions, all the people who break into other people’s systems that we’ve categorized as “white hat” or “black hat” would actually be called “crackers.” However, within the more frequent “hacker” context, crackers are those who break the copyright or encryption protection on software so it can be illegally traded.
Before leaving this article, here’s one precaution for you: Any operating system and most applications have vulnerabilities. Don’t subscribe to the myths that vendor X’s products are insecure but I use Y so I’m safe. Or that open source is inherently more secure (or insecure depending on your camp) than closed source software. Don’t subscribe to the myth that older software versions are more secure because newer ones have new bugs and holes that haven’t been patched. What you need to do is to be informed about the software and systems you use. If a vendor provides a service that automatically notifies you when there’s a vulnerability (and hopefully a fix) in software you use, subscribe to it and keep your systems patched.
Jim Minatel is a freelance writer for Developer.com in addition to working with Wiley and WROX publishing.