Hackers’ motives are often widely misunderstood. Some act behind the scenes to make the internet a safer place by bringing vulnerabilities to light.
Hacking often conjures up images of shadowy hooded figures, illuminated only by the six computer screens in front of them. They furiously type away at a keyboard as code cascades down their screens, racing to take down a computer network for vengeance or personal gain. This is how Hollywood has personified hackers, anyway.
The truth is, there are many reasons people get into hacking and not all of them are bad. Sure, there are bad actors who earn the ire of the FBI for network takedowns and ransomware heists – these are known as black-hat hackers. But there are also hackers who act as forces for good and help companies protect their networks. These are known as white-hat hackers.
What is white hat hacking?
A white hat hacker is defined by Wikipedia as “an ethical computer hacker or computer security expert, who specializes in penetration testing and other testing methodologies that ensures the security of an organization’s information systems.” The name comes from western films, where the good guys would wear white hats and bad guys black ones. Grey hat hackers, alternatively, hack with good intentions but often without permission.
The first instance of an ethical hacking force was a vulnerability assessment by the U.S. Air Force on its “Multics” operating systems. Known as penetration testing, this is where a security specialist uses every available tool to infiltrate a network and then assists in patching those holes. Penetration testing, also shortened to “pen testing,” can employ many tactics, both digital and physical.
A full-scale ethical hack might involve sending e-mails to staff asking for login details, searching for backdoors in a network made vulnerable by out-of-date software or incorrectly configured environments, searching through garbage cans for sensitive info or breaking into an office building. Generally, only the high-level executives or business owners who’ve hired the pen tester will be aware of the activities, with lower-level managers and employees being the “targets” of the hack. This allows hackers to test the most vulnerable part of a security system: humans.
In pen testing, white hat hackers replicate the destructive techniques a black-hat hacker might utilize. In most cases, these hacks employ the “long-con” methodology to discover and penetrate a company’s security flaws. Unlike in Hollywood hacking, where a hooded figure races to type lines of code before being discovered, most hackers take their time when probing for system vulnerabilities. There is generally no rush to compromise an organization that’s going about business as usual. Far more important is avoiding detection while hunting for vulnerable access points.
Famous White hats
Notable examples of white-hat hackers abound, many of them with interesting stories and implications for the organizations they’ve assisted. Here are just a few.
Kevin Mitnick is particularly memorable because he began his career as a black-hat hacker. By age 12, Kevin had used social engineering tactics and dumpster diving to bypass Los Angeles’s bus punch card system. By 16 he’d gained unauthorized access to a network owned by the Digital Equipment Corporation and copied software found on their systems, a crime for which he was charged nine years later, in 1988. He served 12 months in prison for these early-life exploits, followed by three years of supervised release.
Near the end of this three-year monitoring period, Mitnick hacked into the Pacific Bell voicemail system, prompting the authorities to issue a warrant for his arrest. Mitnick fled from the FBI and became a fugitive for more than two years. After his capture in 1995 he returned to prison for five years.
His release in 2000 would be his final one. Afterward, Mitnick decided to don the white hat and became a paid security consultant for multiple Fortune 500 companies and the FBI. He now teaches social engineering classes around the world and is a part owner of a security training platform.
Joanna Rutkowska is known for her research on stealth malware known as rootkits and has been training users on the subject for years. Her most notable achievement, however, is an operating system she created called Qubes OS. Qubes is a free-to-download OS offering its users “security through isolation.” Joanna uses the phrase “Converged Multi-Level Secure System” to describe how it remains secure.
Essentially, this means Qubes achieves a high level of privacy by creating isolation between separate domains on a computer. Many users have experience with virtual machines (VMs). Qubes employs a series of VMs that are separated to ensure that data is not located in the same place on a hard drive. For instance, a work domain (most trusted), shopping domain (less trusted) and random domain (least trusted) would be isolated on separate virtual machines.
Qubes is well-liked by people who use the Tor browser or frequent the dark web. Compared to Mac OS or Windows, Qubes goes to much greater lengths to obscure the identity of the user. For instance, you can run Qubes entirely off a flash drive connected to a USB port on your computer. That means serial codes and other identification numbers discoverable on your motherboard, CPU, etc. remain invisible. It also uses a method of Full Disk Encryption on the OS itself for an even greater level of security.
Well known for exposing security flaws in Apple products, Charlie Miller has been making waves as a white hat hacker for years. He’s exposed flaws in trusted technical systems, always for the purpose of enhancing their security. In 2008, he won a $10,000 cash prize at the Pwn2Own conference for being the first to find a critical bug in the MacBook Air. In 2009, he cracked the Safari browser. More recently, he went viral for hacking and remotely controlling the braking, steering and acceleration on a 2014 Jeep Cherokee.
Apple products are often imagined to have impenetrable security. We also don’t often think of cars as “hackable” devices. The truth is that every digital device from your phone to your WiFi-enabled thermostat has security flaws. Flaws will always exist and there are many reasons a bad actor may want unauthorized access into your devices.
That’s why cybersecurity exists – to fight a never-ending battle with black hat hackers. Lucky for us, there are white hat hackers like Charlie Miller that dedicate themselves to testing and improving our digital systems.
So take a moment to salute these heroes of the internet.
Sadly, the word Hacker has been ruined by the press. As an early Hacker, the word meant someone who works on something until it is finished and fully understood. When you hacked at something, often it, or parts of it, were unknown and the goal was to fully understand how it worked and where potential problems were. In the early days, Hackers were not destructive, but worked in a positive sense. Then some started using hacking for destructive purposes, or for personal gain, and the media called these people hackers and the word took on a negative connotation. As part of an annual conference (not black hat or 2600) where smart insightfully minded people gather to share ideas in a totally positive way (invite only, and no destructive hackers are allowed) we have tried to get the media to use the word “cracker” for people who are trying to do damage, and hacker for people who hack for good, but that has been like pushing a rope. Hacking is not always bad, and, in fact, is probably responsible for most truly new innovation.