Marcus Hutchins, a young security researcher who made his fame when he “accidentally” stopped the propagation of a nasty ransomware virus, was arrested earlier this month on charges of writing the code for another malware, one used in stealing banking credentials.
Hutchins, who is a “hacker” by definition—someone who knows all about computers—may well be innocent or guilty of all charges. But as is the case with hackers in general, it will ultimately come down not to the tools he created or used but to the color of his hat.
Hackers are often described as either “white hat,” “black hat,” or “gray hat” hackers. But what is a white hat hacker—and how does that differ from the rest? Here’s a quick rundown.
What is a white hat hacker?
White hat hackers are the good guys, security researchers who use their technical prowess to protect others from cyberattacks. When white hat hackers find a vulnerability or a security bug in software, they report it to the vendor so that they can fix it, or occasionally take matters into their own hands to prevent others from being harmed.
In the past, being a white hat hacker wasn’t a rewarding job. For the most part, software vendors didn’t compensate them for their help in fixing security flaws. In some cases, software vendors pressed charges against security researchers for reverse engineering or tinkering with their products.
More recently, white hat hackers have received increasing acknowledgment for their work. Several companies have come to recognize the value of the work and commitment of security researchers and compensate them for their efforts. Facebook, Microsoft, and Uber are among the companies that have set up so-called bug bounty programs, enabling researchers to claim rewards for finding and reporting security holes in their software. The Pentagon has also launched a similar program.
What is a black hat hacker?
Black hat hackers are the evil twins of white hats, criminals who use their abilities for their own benefit and to the detriment of others. When black hats find security holes in software or networks, they do not disclose them to the vendors. They either sell them to other criminals or exploit them to cause harm to their victims, whether for political or financial reasons or simply to prove themselves to other hackers.
Black hat hackers act either as individuals or in groups, and they often serve the purposes of nation states. Unfortunately, there are more black hats than white hats, and they are often better organized. Part of the reason is that being a black hat is much more lucrative—if you’re willing to take the risk of spending years or decades in prison. Hopefully, this will change as more organizations endorse the work of legitimate security researchers.
What is a gray hat hacker?
Gray hats try to play in the zone between white and black. They do not disclose security discoveries to criminal gangs, but they don’t reveal them to the vendors, either. They might test the security boundaries of a company’s network without telling the company, but will let it know later on, without performing any malicious activities.
Some gray hat organizations sell software vulnerabilities to government agencies instead of reporting them to their respective vendors. These exploits are known as zero-days (or 0days). These zero-day brokers, such as Zerodium and Hacking Team, claim to do so to help governments fight crime and catch terrorists. However, they often end up serving the needs of despotic regimes that use their tools to spy on and persecute dissidents.
There’s already a fine line between being a white hat and a black hat hacker. There are those who believe that there’s no difference between gray and black. As Game of Thrones’ Melisandre once told Ser Davos, “If half an onion is black with rot, it is a rotten onion. A man is good, or he is evil.”