Feb 25

Black, White or Grey? What colour hat do you wear?

Category: InfoSec

There is often a lot of talk about this concept, specifically in the vs debate that has gone on for what seems like forever now. I have, as you would expect, my own take on this. Let's start with a history lesson and the basics. White Hats are the “good guys” and Black Hats are the “bad guys”. Why? Because back in the good old days of spaghetti westerns, the good guys always wore White Hats and the bad guys wore Black Hats; it’s that simple! Of course, in the scripted world of the western it was that simple: the bad guy was easy to spot and the good guys rode off into the sunset. Back in the real world it’s a little more difficult to tell them apart.

The line between Black and White is often understood to be the law itself, i.e. if you’re a hacker, cracker or even a “skiddie”, your hat changes colour the minute you go from having permission to do something to not having permission. I would wager, however, that if we applied that understanding to every security expert in this field today, it would be a near 100% sea of Black Hats.

So the question becomes: if that’s the case, are we all really the “bad guys”? I put to you a different concept, a different way of thinking about this that, personally, I think fits much better.

First of all, let’s forget about hats and the law and look at a couple of basic concepts. Motivation is the activation or energization of goal-oriented behaviour and is defined as intrinsic or extrinsic. Intrinsic motivation comes from rewards inherent to a task or activity itself – the enjoyment of a puzzle or the love of playing – whereas extrinsic motivation comes from outside the performer. Money is the most obvious example, but coercion and threat of punishment are also common extrinsic motivations.

Another point of consideration is goal orientation, often seen as an aspect of an individual’s motivation. An individual’s goal orientation describes the goals that they choose and the methods used to pursue those goals. One of the most common conceptualizations of goal orientation is the three-factor model, that is, individuals can be described in terms of goal orientation based on three factors:

  • mastery,
  • performance-approach, and
  • performance-avoid.

Individuals with a mastery goal orientation seek challenging tasks and value learning. Highly performance-approach oriented individuals seek tasks that allow them to demonstrate the skills they already possess, and highly performance-avoidant individuals tend to avoid tasks where they may fail and thus appear incompetent.

The final aspect to consider in this equation is an agent’s intention in performing an action: his or her specific purpose in doing so, the end or goal that is aimed at or intended to be accomplished. In recent years there has been a large amount of work done on the concept of intentional action in experimental philosophy. This work has aimed at illuminating and understanding the factors which influence people’s judgments of whether an action was done intentionally. For instance, research has shown that unintended side-effects are often considered to be done intentionally if the side-effect is considered bad and the person acting knew the side-effect would occur before acting. Yet when the side-effect is considered good, people generally don’t think it was done intentionally, even if the person knew it would occur before acting. The most well-known example involves a chairman who implements a new business program for the sole purpose of making money but ends up affecting the environment in the process. If he implements his business plan and in the process ends up helping the environment, then people generally say he unintentionally helped the environment; if he implements his business plan and in the process ends up harming the environment, then people generally say he intentionally harmed the environment. The important point is that in both cases his only goal was to make money. While many explanations have been proposed for why this “side-effect effect” occurs, researchers on the topic have not yet reached a consensus.

So now that we understand a little about motivation, goals and intentions, what really makes the “bad guy” bad? Well, it’s worth adding into the mix that the “good guys” and “bad guys” all have the same level of skill, they all learned it the same way and they all have the same aptitude (loosely speaking, of course). In fact, during the learning process it’s probably fair to wager that on occasion everyone ended up, purely through exploration, somewhere they shouldn’t have been. Does this make us all “bad guys”?

I certainly do not think so. In my opinion, motivation, goals and intent are what separate the good from the bad, and in this context the “White Hats” from the “Black Hats”. Let’s look at an example. The CERT Coordination Centre came up with an interesting classification matrix, which I have provided below as a diagram:

In the above diagram, we see six types of (as well as a virtual 7th type that could be all six in a different context), six types of motivation and four goals. It is assumed in this classification, as insinuated by the word “”, that we are dealing with the “bad guys” or Black Hats here. However, I would argue that the first type, “Hacker”, has a motivation and goal that is not negative or in fact malicious in any way, so should they also be considered a “bad guy”? It’s fair to say that someone hell-bent on the quest for knowledge in that particular classification may take a devil-may-care approach that could have a negative impact on the systems they are exploring, but again, is this malicious intent, or just carelessness?

In summary, I put it to you that there are no White Hats or Black Hats in the world today, just shades of grey, and that only motivation, goals and intent separate those of us trying to help from those who have a more nefarious purpose.

1 Comment so far

  1. SF April 12th, 2010 2:26 pm

    Just to add, the laws that govern these acts make no reference to intent, and I think unfairly some people have fallen foul of the law for just being inquisitive, shall we say. Perhaps performing a simple directory traversal attempt on a tsunami charity site, for example! (one instance) When, if they really had a criminal intent\goal, they have skills which would not fall so easily, i.e. TOR\cantenna\spoofs etc. An example was required and made… I think motivation and threat capability are often forgotten too easily, which I debated with an ISO27001 lecturer recently, in actual fact. The ISO feeling was that it was not a factor in risk criteria. My reply: “As Willie Sutton the bank robber said when asked why he robbed banks, ‘because that’s where the money is’.”
