Sitting in a busy and bustling coffee shop near a lively outdoor mall, I can see people from all walks of life rushing in and out of the corner storefront. Phones in one hand and personal cups in the other, they flock in bursts just before the hour ticks for their AM appointments.
Fashionable and drab alike, they make up a motley crew of patrons. This crowd has something in common: they expect excellent service and a consistent product to fuel their active lives. This morning pit stop seems to be less of a luxury and more a ritual sacrifice of hard-earned cash and plastic for their brain-vitalizing caffeine.
The underlying systems that allow for payment and brewing have been developed over years of trial and error to bring the craft of a seemingly perfect brew to a frothy head.
Modern technology companies often don’t dedicate the R&D budgets and time required to create a perfect product. On the contrary, in a fast-paced throwaway culture, extensive testing and error checking of their wares before release is rarely habitual. The culture has become one in which manufacturers build hardware as cheaply as they can, then write it off and move on to the next hardware release. A new team then writes its operating software in the same manner, which doesn’t leave much time for fixing any issues before release.
These companies often chalk it up to calculated risk, then put a handful of developers on “bug fixes” after the fact and release firmware upgrades and software patches to alleviate an issue after it is found; that is, until the developers are assigned to newer hardware.
Imagine how you would feel if your coveted cup of joe was wrong. Would you suck it down or go back and ask for a fix? This is a summation of time versus benefit at its best.
This is the gap that the hacker community has begun to fill. These tinkering and methodical personalities take existing technologies and start dissecting them under a microscope. Some of these people are driven simply by curiosity and fueled by the opportunity of discovery. Using their abilities for good, they uncover the vulnerabilities in modern hardware and software systems and report them to the manufacturer's bug bounty program. The ethical company would then set a crack team to the task and release a high-priority fix. The people who report bugs privately to vendors for repair before releasing them into the wild are called white hats, and they are normally your friends.
On occasion there is no program for reporting the finds, and they notify the manufacturer. With no response, they release the bugs to the general public. Often these bugs lead to the development of a successful exploit of the flaw. When these are known and unpatched, they are called a “zero day.”
These tend to place pressure on the vendors to create patches to close the holes.
Enter the black hat. Imagine someone who has these same skills, often someone who started off with curiosity and the same drive. What turns a white hat to gray, or to black? Sometimes it’s the corporation not having a bounty program and taking legal action against the researcher in this developing culture. Perhaps it is a lack of underlying ethics that leads the person to a new culture of taking over giving.
Cultures are often formed by the melding of personal habits into a community methodology.
As the old adage “knowledge is power” suggests, whoever holds the cards gets to make the play. Many hackers hand this power back to the company, and some sell it to private companies and intelligence agencies, whose concerns often lean toward the financial or the political.
Others in turn “just want to watch the world burn,” as was told to the Dark Knight of Gotham’s elite.
Friend or foe? Well, that comes down to perceived allegiances. I would encourage you to watch the TED talk by Keren Elazari, Hackers: The Internet’s Immune System. There is an emerging community of curious people in a new digital era. I invite you to make the distinction between a malicious attacker who is a black hat and a global community contributor seeking to guard and protect your data security. Be kind to hackers; they are people, and as such they like the benefit of the doubt.