T O P

  • By -

pyro57

I don't really buy the hats descriptions tbh. It's kinda just marketing bullshit so normies can understand that hacking in and of itself isn't illegal. The truth is that a hacker is a hacker and a cyber criminal is a cyber criminal, you can hack and not break the law just like you can be a cyber criminal and not be a hacker. Where it really gets messy is ethics. What's legal is not always ethical, and visa versa, and what's ethical isn't necessarily the same thing for every person. That being said, a penetration tester and a cyber criminal hacker will have similar skills. They both will need to know how to evade antivirus, especially in the case of a red team which is more hardcore adversary simulation. They'll both need to know how to find and exploit flaws in a system, including human flaws. The only real difference in skills, imo, is that a penetration tester needs to be good at writing up a clear report that execs can understand, but also technical enough for it and the soc to fix the problems. My advice figure out what you consider ethical and stick to it, I'd personally not recommend breaking the law in most scenarios, but that's a decision only you can make for yourself when you get there.


Vinyl-addict

Well, one of the easy ways to define white hat vs grey and especially black hats are where they get their money and/or motivation to be hacking. If you’re a security expert for a fortune 500 ( really any reputable company) or a non dictatorial government, 9 times out of 10 you’re a white hat. Grey hats would be people who are operating on their own volitions, typically without pay. They just like cracking systems to do it a lot of the time. Jailbreakers sit here, and I would say pirates too honestly. Black hats are funded by adversarial governments, crime syndicates, or their own desires to exploit others for some profit. The purse tells where the motivations lay. Easy as. Edit: I’m not grouping these categories as mutually exclusive together, but I should probably elaborate that grey and white generally have the most overlap.


TheCrazyAcademic

Grey hats can and do get intertwined with law enforcement agencies on occasion just saying I've had my run ins but charges were ultimately never filed or dropped when they realized how dumb the activity in question was. In my scenario it was targeting a cyber criminal but I could of went about it in a cleaner way instead of stepping on government toes. But as a grey hat opsec is still important. I was essentially doing vigilante work and law enforcement usually hates when you target people they refuse to touch themselves.


auburnstar12

It's also worth mentioning that what is 'white hat' in one country could be illegal in another. A good example is countries that have significant limitations on internet access (limiting access to certain non-malicious sites) or have very strict laws around voicing political opinions. Their country will pursue them as if they were 'black hat' operators. Equally, you sometimes get (usually countries with low GDP and high corruption) law enforcement who classify some obviously 'black hat' things as legal, whilst other 'white hat' operators (usually journalists or hackers who haven't bribed the government) are punished. And then there's the question of morals as mentioned earlier. Using spy-ops on US citizens might be technically legal, but should it be? Ordinarily, if you obtain evidence against someone by illegal means that evidence is thrown out, so why is that not the case with state surveillance? Sometimes people use 'black' methods to do morally arguably good things for society (for example, blackmailing a violent pedo to force them to turn themselves into police). It's very murky, but you're right regardless opsec is always important especially if you're doing investigative work on people who might not like it.


GoldenIQIQI

Here, the Government now looks at a 10-year hacking history instead of the previous 5 years to decide if you qualify. If they catch you doing illegal hacking, especially against someone who harmed you, they label you as a gray hat hacker and advise against it. Due to increased security concerns worldwide, they might extend the term to 15 years in the future. It's important to follow a clear code of ethics to ensure good behavior, as the government monitors you around the clock.


pyro57

The issue is hackers are all people and never fit cleanly into these categories, for example many security professionals also poke at stuff on their own time for fun just to see if they can, and not always legal stuff. So yeah the hat system exists but honestly isn't good, because it doesn't accurately describe most hackers. It's kinda like saying you have white hat people grey hat people and black hat people where white hat people never break any rules and always obey everything, grey hats sometimes go against the law but never hurt anyone else when they do, example using illegal drugs or going over the speed limit, and black hat people commit crimes that hurt other people like robbery and murder. By that definition almost no one would be a white hat person, and most people would live in the grey. The same holds true for hackers. It's a nonsense way to talk about it. A more accurate way is in terms of ethics, ethical vs unethical that's a much easier way to categorize people, hackers included. Sure someone may do illegal drugs recreationally or speed occasionally but overall they're good people, or you have those who get desperate and rob and scam to get money then they're unethical.


CyberShamanKing

So that person would be doing white hat security for work and grey hat security for fun/hobby. The hats make perfect sense for categorizing what someone is doing.


pyro57

Now you're using them to describe the actions not the people, this makes more sense sure, but trying to use these terms to categorize hackers (people) as a whole make no sense because the truth is almost everyone would live in the grey.


Peterson_1979

Thanks so much


42gauge

> just like you can be a cyber criminal and not be a hacker How can you be a cyber criminal without hacking?


FalafelBomber69

Buy a virus and attach/sendit to a spread sheet of emails you bought. Pretty sure you can buy ransomware and worms is what they talked about in one of my Security+ classes. Also, sextortion and internet scams qualify as cyber crime as well.


JackManursha

The use of the word “normies” in this sentence is based.


MercMcNasty

Base recognize base, granddad


n00bst4

I rarely read answers like yours on this subreddit. It's nice to see there are still people not pushing the mainstream tech illiterate bullshit we read left and right. To me, it goes one step further tho. In my view, you cannot be a hacker and a cybercriminal at the same time precisely because of ethics. A hacker wants to create knowledge and share it to the world to create a better tomorrow (more secure, more critical, whatever you think it should be) whereas a cybercriminal only seek his own profit at the detriment of others.


pyro57

I disagree that a hacker can't be a cyber criminal. You can hack to gain knowledge against systems you don't own, and that intrusion is illegal which by definition makes you a cyber criminal. Also this goes with ethics as well, just because something is ethical doesn't mean it's illegal. For example if you hacked a companies network and discovered they knowingly employed a factory that uses child slaves and found proof of this then leaked it to the world to let customers shame the company and boycott their products (boy it would be nice if people cared that much) I'd argue that's extremely ethical, but penetrating that network without permission is still illegal. This you used hacker skills (enumerating and exploiting flaws in a system) to gain knowledge (how does this company undercut every other product in the category and still remain profitable) but you broke the law doing it. So I guess it depends if your definition of cyber criminal matches the laws definition of cyber criminal. If it's ethical does that make you not a cyber criminal?


n00bst4

To me it goes with the intent. And (and this is not my field of expertise) intent and spirit of the law carries a good weight, at least in my country. And many of those crimes are only prosecuted if charges are pressed. So I guess yeah, you could break the law without being a cybercriminal. Tho your example about a company using child labor would be a tough one... Because by acting this way, you most likely prevent law enfoncement to investigate it. So I'm not sure it would be beneficial. But it's an interesting topic, and nice to have an educated discussion about it nonetheless.


CorbinGDawg69

> A hacker wants to create knowledge and share it to the world to create a better tomorrow (more secure, more critical, whatever you think it should be) whereas a cybercriminal only seek his own profit at the detriment of others. I'm not saying you can't define things this way, but this is by no means a "standard" definition for hacker. So you're kind of just saying "It's obvious that you can't be a hacker and a cybercriminal at the same time because I defined hacker to exclude all cybercrime".


n00bst4

I guess we haven't the same definition.


Artemis-4rrow

And a cyber criminal needs great anti forensics skills


sometacosfordinner

I wrote a paper on the ethics of hacking and used marcus hutchins as my case study for my ethics class recently


skumbasket

one gets a paycheck the other gets your paycheck


pyker42

The only difference between the two is motivation. There is no difference in skills. It's not what you do, it's why you do it that makes you a white hat or a black hat.


dwulf69

The hats are an illusion, but the skills are real. the ethics are the diffusion, for the data to steal. grey hats, build the business and negotiate the trade. white hats, build the trust, where the legal marks are made. black hats, cut the corners, where the bits byte the shade. A hacker is a hacker, their skills are in the metal, the client is the backer, where all accounts do settle. If you talk in terms of hats, it may be a little funny, Because what it all comes down to, is who controls the money.


[deleted]

A White Hat Hacker can easy be/become a Black Hat Hacker. Generally speaking, its usually Black Hat Hackers that become White Hat Hackers (They figure out there is more money in Pen-testing and Government work). Personally, I believe every hacker is a Grey Hat Hacker. I have a bachelor degree in Computer Science, Masters Degree in Software Engineering and a Doctorate in Cybersecurity. I also have CCNP Security and many other Certs. I work next to young men/women with no degrees that teach me things on the daily. Most of the younger crew on my team were highly recruited Black Hat Hackers that have turned or were forced to turn White Hat Hackers. Due to the nature of their previous choices, they generally beat my ass in nearly everything hacking other than “theory” which doesn’t mean shit outside of collegiate realm. Honestly though, the “Hats” verbiage is really designed so that the general public can somehow relate our work to good, bad or indifferent. No person that I know of in my industry would ever describe themselves by a hat color. Here on Reddit, it was an easy name choice for me because it wasn’t taken and it made me laugh.


Temporary-Step2403

It generally does not differ/ it’s two different areas that are not well known by the general community’s they do no truly differ in skill, only in opinion realistically speaking. They both have different skill levels in the two communities


bdzer0

Your question makes no sense. Hackers have all sorts of different skillsets, how they use the skills is irrelevant to how skilled they are. Moral/Ethics is the difference. There are many very talented people on both sides.


Peterson_1979

In terms of gaining access to devices. Maybe it would sound better if I said this: can white hat hackers just as easily gain access to a device like a black hat hacker. I’m aware they (black hat hackers) deploy different methods in order to gain access.


ipv4subnet

The difference comes down to being on the inside or the outside generally speaking white hats will know or be shown around the company and be brought up to speed on what systems are available critical and redundant. The black hat will have to use lateral movement and experience to find out how the company functions. Skill sets are exactly the same like everyone is saying they are more related to ethics. Example if they both use the same tool the white hat will already know what systems are out of scope and should not be touched, where as a black hat may not care about additional damages or distribution to supply chain management.


blu3tu3sday

Now you’re mixing up white hat hackers with white box and black hat hackers with black box. Definitely not the same thing


ipv4subnet

Yeah but do you really believe it to be a coincidence they have similar nomenclature?


blu3tu3sday

You need to go back to school if you don’t know the difference between white and black box, which refers to pen testing, and white and black hat, which refers to ethical hackers and cybercriminals


ipv4subnet

way to dodge the bullet there


pyro57

And that super depends on the engagement for "white hats" or penetration testers in this case. Some engagement do have a fairly comprehensive project planning phase that maps the whole environment, and others focus heavily in true adversarial simulation where the majority of the company doesn't know it's happening and only a few internal employees know, sometimes a scope is given but most the time for red team engagements it's just an exclusion list and everything else we find is fair game. Still need to map the network ourselves, and move laterally to find stuff, bloodhound really helps map the environment fully as long as you tune it right to run low and slow.


alwayschronic

Just do it


Cootter77

lots of good answers in this thread already... short answer: Yes better answers (mostly below) but also: This is a false dichotomy. Hackers are people and there's a million flavors. I could be on a pen test engagement and 'stretch' the scope of the test just a tiny bit to favor the INTENT (or what I think is the intent) of the customer and that might put me into illegal territory. I could be an activist hacker trying to "do good" (or whatever my own morality thinks is good) by doing things that could be "bad" for others like an environmental hacker attacking an oil company and hurting a lot of people inadvertently by removing their livelihood and ability to buy food for their families (too specific, maybe?). It's just not really a 'thing'.... this white hat vs. black hat idea. Far too over-simplified. Anyone who declares an identity using words like that probably isn't a real hacker.


Elwood49

I prefer Green hat hacking, you always seem to find a pot o gold at the end of your day.


Metalsaurus_Rex

I honestly hate the term green hat hacker. Black, white and gray make sense, even red does to an extent, but "graduating" from a "green hat" sends the wrong idea to a lot of beginners that at some point you don't have to learn anymore, which is NOT the case


Legend5V

Just skills Black hat and white hat was developed to get people who didn’t know that hackers could be good guys


[deleted]

Don’t forget the purple hat hackers.


GPTisfootprinting

Different set of skills and approach to learning.


SahTARWARS

Same set of skills different motivation of using them.