Every time I hack or crack something, I face a tough ethical dilemma. I wonder, am I hurting people’s security and privacy by doing this? When I improve the code that is designed to simplify the cloning of RFID access cards, am I helping the society? Am I helping criminals break into buildings? When I write a tutorial that explains “how to hack in”, am I helping the society? Or am I helping the criminals send phishing spam?
To untangle this, let’s start with definitions. White hat hacker is defined as someone who improves security, while a black hat hacker is defined as someone who harms security. This isn’t very helpful. Whose security are we talking about? Is a hacker working for a government security organization considered white hat or black hat? After all, they are improving *their* organization’s security. Are our guys the white guys, while “the other” guys are black hat? And how do we define harm or benefit? Is a hacker who releases info about 0-day exploit causing harm, or benefit? It seems these definitions shift the ethics off to another level avoiding the deeper philosophical implications.
Here is a more useful definition:
- White hat hacker: Hacker who shares their tools and knowledge in a public and open manner for the purpose of enabling everyone to gain privacy and control.
- Black hat hacker: Hacker who secretively guards their tools and knowledge for the purpose of relinquishing privacy and control from others.
This definition allows us to ask us another interesting question. What would happen if majority of hackers were white hat? What would happen if majority of hackers were black hat?
Black Hat Majority:
Information security is in a very bleak state. Black hats have all kinds of back doors, and everyday users can only throw up their arms and say “privacy is dead”, “liberty is dead”, “I do not have control over my devices – others do”. This is a state we are in now.
White Hat Majority:
Information security is in a good state. Published exploit is a defensible exploit. Black hats still have the fringes to operate in. However, overall, every day users are fairly certain that they have the control over their systems and that they are not just puppets within a system controlled by others.
This makes it easy for me to say: I’m proud to be a white hat hacker. I’m also proud to be on the right side of the race between the two sides.
I hope this makes others who have been on the sidelines, wondering what’s the right thing to do, jump right in.