Transcript for:
Types of Hackers and Ethics

When we hear the word hacker we so often think of someone in a dark room stealing secrets, causing mayhem, or just getting hold of people’s credit card information. The 1995 movie “Hackers” helped to create this depiction, showing us that savvy teenagers could wield a lot of power from their bedrooms. But much of the time all these early hackers did was hack into telephone networks and get themselves free calls. If you don’t already know, this criminal activity was part of something known as “phreaking.”

As you may have seen in some of our other shows, some of those early hackers from the 80s and 90s went on to become security advisers for companies and governments, so you could say they went over to the good side. And that’s what we’ll talk about today, the various sides of hacking. Unlike in the movies, when we used to have what kids might call “goodies” and “baddies”, life is generally not so clear cut; goodness and badness are not generally demarcated with bold lines. The world of hacking is not a wild west movie in which we understand who is the villain and who is spotlessly ethical by the color of the brimmed hat they wear.

So, when we talk about the ethics of hacking, or lack thereof, the conclusion is sometimes open to interpretation. We might take for instance one of the most famous hackers in the world, Julian Assange. While many people shower him with plaudits and call him a modern hero, we could ask what the U.S. government thinks about him. He might well be labelled a “Threat to national security.” Actually, if you read a 2010 article in Wired it states Assange was a black hat hacker in his early days, sometimes going by the names of “Proff” and “Mendax”. In those days he and his friends just broke into government computers, including NASA and the Department of Defense, just because they could. It didn’t seem back then Assange and Co. were on a mission to show the world that sometimes governments do bad things and don’t tell anyone about it.
In years to come some would call this man the most ethical hacker on the planet, but as we said, some people would certainly tell you different.

With this in mind, let’s start this story in the middle and explain to you what a grey hat hacker is. We might not need to tell you that it’s a blend of hats; these people are neither overtly good nor obviously bad. So, what would one of these people do? Well, they might just get into your company’s computer system and then tell you about it. Imagine someone coming up to you and telling you, “Hey man, I know you think it’s a secret where you hid all that cash, but I know for sure it isn’t and someone is gonna get it soon. I think I can help you.” This help might not always come for free, however. In the case of company or government hacking, these grey hats might just ask for a job and tell the department they can fix the vulnerability. They might also ask for a payment, though, which we could say makes their hat a darker hue of grey. What they are doing is not technically black hat, but often it is still illegal. But think about it, as a business owner, or as that guy that hid his cash, would you rather know what might happen and prevent a big loss, or just wait knowing you have lax security?

They want to be paid for their expertise of course, because just like anyone else in the world they have to put food on the table. They might not feel like donning a shirt and tie and doing a daily commute on a packed train to work as a security guy for a company, and so they do their work at home and take it easy. If you read the excellent Rolling Stone article about hackers being scouted by the FBI, many of them were unemployable by some branches of the government because of their colorful tattoos and the fact in the past they had not always followed the letter of the law.

Now you’ll need a good example of a grey hat hacker. One famous case was of Khalil Shreateh, a man who in 2013 hacked the Facebook page of Mark Zuckerberg.
Did he start posting pictures of nudity or posting rude words? No, he contacted Facebook and told them there was a vulnerability. He actually told Facebook’s security team that there was a bug and he could post on any wall that existed on Facebook. This was a big thing, as spammers could have caused mayhem had they discovered the bug. But Facebook didn’t take him seriously, well, not until Shreateh posted on Zuckerberg’s wall. He partly wrote, “Sorry for breaking your privacy.” Zuckerberg then took him seriously, but still refused to pay him as it was against Facebook policy. This was a true grey hat, with a whiter shade, as he could have sold that vulnerability to more nefarious folks. Then again, he broke into Facebook and spotted a flaw and that is something Facebook hadn’t hired him to do.

Some of the media later talked to Shreateh, with one report stating he was not exactly rich and needed the money, “He is sitting there in Palestine doing this research on a five-year-old laptop that looks like it is half broken. It's something that might help him out in a big way,” it was reported. In the end a bunch of hackers got together and donated him some money. By the way, Facebook later updated its policy on what to do if someone finds a bug in the system. It seems, as far as we can see, that Facebook didn’t change its stance and update Shreateh’s bank account…

What about white hat hackers? Well, these goodies don’t secretly break into systems to explore vulnerabilities and then ask for a payment. They are more often than not paid employees, advisors, specialists that work with businesses and organizations to prevent hackers from getting into systems. You can thank these people that your passwords are (usually) safe; that money just doesn’t disappear from your bank account and that nuclear warheads don’t just start turning towards a town near you without the say so from a government leader and those behind him.
These hackers might be told by a government or a company, do your best, hack our system, but that’s all in the contract. They are hired to exploit any possible vulnerabilities.

Who is a good example of a white hat hacker? We’ve talked about him before so we won’t say much. His name is Jeff Moss. In the bad old days he was known as Dark Tangent and while he may have snooped around in systems he said in one interview that he was never exactly a part of the dark side of hacking. But he is very talented, and he uses those talents for the common good. He created the Black Hat and DEF CON computer security conferences, has advised Homeland Security, and generally talks all around the world on how to keep cyberspace a safe place. He is a security officer in many ways, a guardian of the online galaxy, and has even spent some time trying to get his hacker friends jobs with businesses and the government.

Now for black hat hackers, the villains of our story, or at least sometimes anti-heroes. We say that because some people can’t help but cheer these hackers on when they get one over on the government or steal money from a corporation. But more often than not, when they do their hacking someone suffers and it’s not always just the CEO, it’s also Joe Public. Hacking the government can also cost the taxpayer a ton of money and sometimes put citizens at risk.

These black hat hackers’ intent is often to steal or to damage. They might shut down or cripple systems, causing absolute mayhem, and then demand money. This is called Ransomware, a kind of malware that gets into computers and causes big problems. This can be pretty bad for the public when you consider that the UK’s National Health Service was affected by the WannaCry ransomware hack, perhaps the biggest Black Hat hack the world has ever seen. This attack went just about all over the world, but just in the UK, 19,000 NHS appointments were cancelled.
Imagine you were waiting for your appointment in agony, were on death’s door, or even just had a bad case of bronchitis…that’s not a cool hack, and so we can safely say that WannaCry painted the digital world black for a while.

Black hats might steal data and sell it on the dark web, or they might steal money from people and companies. Some of them, though, have a touch of The Joker in them, in that they take pride in creating chaos and the fact they have no other reason for doing it besides getting a thrill out of it. Black hats can just be power hungry, people bent on causing destruction without necessarily making money. But most times they want cash and they use their skills to steal. Other times they just want secrets, and that’s why governments keep a tight lid on their treasure troves of sensitive data.

We won’t give you a list of black hat hackers because we’ve devoted an entire show to this topic, but to offer some short examples we will remind you of Albert Gonzalez, said to be the man behind the biggest ATM and credit card theft hack in history. He got 20 years, and there was no grey in his hat whatsoever. It was all about greed… but still clever.

Then there was the Scottish man, Gary McKinnon, and he was black but we might say not exactly a very dark shade of black. It’s said he was behind the “biggest military computer hack of all time,” and he really embarrassed the U.S. government when he told certain departments that their security was terrible. He disrupted systems of the military and NASA and caused absolute mayhem, but still, there are people that have later cheered him on. Maybe he’s the typical anti-hero, but we think the U.S. government would safely say he is a villain. McKinnon was indicted and if extradited to the U.S. could have served up to 70 years for his playing with some of the country’s most sensitive computer systems.
Human rights organizations didn’t want him extradited, and neither did scores of celebrities and other famous people that supported him. Pink Floyd even got behind the man, who is said to suffer from Autism and Asperger’s Syndrome. McKinnon also always said his snooping in U.S. computers was because he just wanted to find evidence of extra-terrestrial life.

So, this is what we meant at the start of the show, some black hats are blacker than others. What is your take on hacking? When is hacking white, black, grey, and when is it hard to say? Tell us in the comments. Also, be sure to check out our other show Why Is The Government Terrified Of This Hacker? Thanks for watching, and as always, don’t forget to like, share and subscribe. See you next time.