One Article Review

Home - The article:
Source Errata Security
Identifier 7856
Publication date 2016-04-14 03:50:25 (viewed: 2016-04-14 03:50:25)
Title Defining "Gray Hat"
Text WIRED has written an article defining “White Hat”, “Black Hat”, and “Grey Hat”. It's incomplete and partisan.

Black Hats are the bad guys: cybercriminals (like Russian cybercrime gangs), cyberspies (like the Chinese state-sponsored hackers that broke into OPM), or cyberterrorists (ISIS hackers who want to crash the power grid). They may or may not include cybervandals (like some Anonymous activity) who simply deface websites. Black Hats are those who want to cause damage or profit at the expense of others.

White Hats do the same things as Black Hats, but are the good guys. They break into networks (as pentesters), but only with permission, when a company or organization hires them to break into its own network. They research the security art, such as vulnerabilities, exploits, and viruses. When they find vulnerabilities, they typically work to fix/patch them. (That you frequently have to apply security updates to your computers/devices is primarily due to White Hats.) They develop products and tools for use by good guys (even though these can sometimes be used by the bad guys). The movie “Sneakers” refers to a team of White Hat hackers.

Grey Hat is anything that doesn't fit nicely within these two categories. There are many objective meanings. It can sometimes refer to those who break the law but don't have criminal intent. It can sometimes include the cybervandals, whose activities are more of a prank than a serious enterprise. It can refer to “Search Engine Optimizers” who use unsavory methods to trick search engines like Google into ranking certain pages higher in search results, to generate advertising profits.

But it's also used subjectively, to simply refer to activities the speaker disagrees with. Our community has many debates over proper behavior. Those on one side of a debate frequently use Gray Hat to refer to those on the other side of the debate.

The biggest recent debate is “0day sales to the NSA”, which blew up after Stuxnet, and in particular, after Snowden. This is when experts look for bugs/vulnerabilities, but instead of reporting them to the vendor to be fixed (as White Hats typically do), they sell the bugs to the NSA, so the vulnerabilities (called “0days” in this context) can be used to hack computers in intelligence and military operations. Partisans who don't like the NSA use “Grey Hat” to refer to those who sell 0days to the NSA.

WIRED's definition is this partisan definition. Kim Zetter has done more to report on Stuxnet than any other journalist, which is why her definition is so narrow.

But Google is your friend. If you search for “Gray Hat” on Google and set the time range to pre-Stuxnet, you'll find no use of the term that corresponds to Kim's definition, despite the term being in widespread use for more than a decade by that point. Instead, you'll find things like this EFF “Gray Hat Guide”. You'll also find how L0pht used the term to describe themselves when selling their password cracking tool called “L0phtcrack”, back in 1998.

Fast forward to today: activists from the EFF and ACLU call 0day sellers “merchants of death”. But those on the other side of the debate point out how the 0days in Stuxnet saved thousands of lives. The US government had decided to stop Iran's nuclear program, and 0days gave them a way to do that without bombs, assassinations, or a shooting war. Those who engage in 0day sales do so with the highest professional ethics. If that WaPo article


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.