Black/Grey Hatting Anonymous
#1
I don't know if anyone has seen this document: https://nofile.io/f/8kTVHn3tV9O/0325-CYB...ternet.pdf

It's prepared by the National Crime Agency, and looks at the pathways that lead people towards cyber crime. I will quote from a few key statements:

Quote:"Autism spectrum disorder (ASD) appears to be more prevalent amongst cyber criminals than the general populace though this remains unproven."

"Completing the challenge, sense of accomplishment, proving oneself to peers is a key motivation for those involved in cybercriminality"

"Positive opportunities, role models, mentors can deter young people away from cyber crime."

The rest of the paper is basically frame around justifying those key findings, which comes out of a review of the academic literature surrounding the topic, and primary evidence in the form of "Cease & Desist" letters, and interviews with convicted cyber criminals.

Now, anyone who has read my introduction posts on this forum will know that I consider myself on the Autistic spectrum, and that I find it very difficult to stay on the straight and narrow. 

https://greysec.net/showthread.php?tid=2...6#pid10396
https://greysec.net/showthread.php?tid=2...9#pid10399

In fact, black hatting, to me, is like an addiction. White hatting is like a patch, but, due to my previous convictions, I can't realistically get a job as an ethical hacker. 

Grey hatting is just ridiculous, because you can identify security vulnerabilities with the best of intent, but you've still committed a crime and law enforcement won't give a crap what your intentions are. In fact, I'd strongly recommend against grey hatting, because it's just as bad (as far as the law goes) as black hatting, but instead of law enforcement tracking you down, you basically admit your guilt to the world... 

Anyway, I digress. I was wondering if anyone considers themselves in a similar situation as myself. I desperately want to avoid committing any more crimes (offences that our Western societies treats as serious criminal activities), but it's very challenging to do this by myself; it literally feels like vulnerable platforms are throwing themselves at me trying to get my attention...

What I need, at times like that, is a distraction. When alcoholics crave a drink, they go to an AA meeting. They have sponsors to lean on for advice. The NCA report mentions that mentors play an important role in preventing offending, so I was thinking something along the lines of that. A group of people that we can talk openly about any black hatting compulsions, and perhaps have members propose white hatting alternatives, or new puzzles they've come across (which again, is a 'patch' until the compulsions die down again).

Black Hatters Anonymous.

...Anyone vaguely interested in the idea...??
Reply
#2
Black Hatting can sound great sometimes I have to admit, but it isn’t worth it in my opinion.
You can get large sums of money in little period of time with sometimes simple tasks and when you need to pay a rent and food it’s appealing to say the least.

But as I already said it’s not worth the risk for me, you can fuck your entire life with a stupid mistake. Also if you get into a complex operation you need to keep a cold head and follow a permanent “paranoid” state which can be exhausting and drive you crazy.

There are also certain things that are totally unethical to me, carding for example, however things like penetration testing without getting into the threatening looks doable to me.

I stay on the safe zone and control myself, there is yet a lot to learn for me.
Reply
#3
(04-05-2018, 07:16 AM)enmafia2 Wrote: Black Hatting can sound great sometimes I have to admit, but it isn’t worth it in my opinion.
You can get large sums of money in little period of time with sometimes simple tasks and when you need to pay a rent and food it’s appealing to say the least.

But as I already said it’s not worth the risk for me, you can fuck your entire life with a stupid mistake. Also if you get into a complex operation you need to keep a cold head and follow a permanent “paranoid” state which can be exhausting and drive you crazy.

There are also certain things that are totally unethical to me, carding for example, however things like penetration testing without getting into the threatening looks doable to me.

I stay on the safe zone and control myself, there is yet a lot to learn for me.

I'm not really even talking about traditional black hatting, cause even for what I was convicted for, I have never tried to attack websites or anything in order to make money... It's always been about doing it because it's a fun challenge. So when I say Black Hat, I'm not talking about carding, or ransomware, or DDoS, or botnets... I'm talking about breaking the law and gaining "unauthorised access to a computer system". Which may be totally innocent, and it may not even result in any data or system compromise. For example, entering example.org/../../../../../ is a crime in most Western countries, even if there is no file escape vulnerability in the system. It shows intent to hack, which is a crime in the UK at least.

That's why Grey Hatting is (I think) more risky than Black Hatting - people are currently punished for reporting security vulnerabilities if they've discovered them without authorization. In my opinion, we should be fostering a culture where people aren't afraid to approach website owners to tell them that they have a massive gaping whole in their system! I tried this once, and the company literally just called the police. 

I repeat: I found a vulnerability on their website, basically just through casual browsing, I told them about it and gave them advice on how to fix it, and they called the police...

After that, I just gave up on the fact that I could ever actually try to help people with what I know - it changed to just becoming about the challenge. 

I really just mean hacking; I personally have never done this for profit, but there may be others who have done, and are trying to stop, but need some help sometimes... So just thought I would throw the idea out there. 

If anyone feels on the verge of Black Hatting or running a script against a website... Feel free to reach out or something. I often find if someone gives me a suitably interesting puzzle, I'll just swap focus to that!
Reply
#4
(04-05-2018, 07:27 AM)EnigmaCookie Wrote: I'm not really even talking about traditional black hatting, cause even for what I was convicted for, I have never tried to attack websites or anything in order to make money... It's always been about doing it because it's a fun challenge. So when I say Black Hat, I'm not talking about carding, or ransomware, or DDoS, or botnets... I'm talking about breaking the law and gaining "unauthorised access to a computer system". Which may be totally innocent, and it may not even result in any data or system compromise. For example, entering example.org/../../../../../ is a crime in most Western countries, even if there is no file escape vulnerability in the system. It shows intent to hack, which is a crime in the UK at least.

That's why Grey Hatting is (I think) more risky than Black Hatting - people are currently punished for reporting security vulnerabilities if they've discovered them without authorization. In my opinion, we should be fostering a culture where people aren't afraid to approach website owners to tell them that they have a massive gaping whole in their system! I tried this once, and the company literally just called the police. 

I repeat: I found a vulnerability on their website, basically just through casual browsing, I told them about it and gave them advice on how to fix it, and they called the police...

After that, I just gave up on the fact that I could ever actually try to help people with what I know - it changed to just becoming about the challenge. 

I really just mean hacking; I personally have never done this for profit, but there may be others who have done, and are trying to stop, but need some help sometimes... So just thought I would throw the idea out there. 

If anyone feels on the verge of Black Hatting or running a script against a website... Feel free to reach out or something. I often find if someone gives me a suitably interesting puzzle, I'll just swap focus to that!

Oh yeah, I get you.
This is definitely a big concern for everyone, I’m sure more vulnerabilities would be fixed if you could reach freely to companies just like you did.

But when your property is trespassed, you are not comfortable; when people get into your system, it’s the same deal. Furthermore, if you don’t understand what the hacker is trying to explain you panic even more.
Finally add the reputation of the word hacker, many people who are not into cyber security associate hacker with bad intentions which is in many cases wrong.

This is slowly changing tho, dictionaries are changing the definitions,companies are more aware of the importance of cyber security and it’s not as underground as it used to be.
Reply
#5
(04-05-2018, 08:22 AM)enmafia2 Wrote: Oh yeah, I get you.
This is definitely a big concern for everyone, I’m sure more vulnerabilities would be fixed if you could reach freely to companies just like you did.

But when your property is trespassed, you are not comfortable; when people get into your system, it’s the same deal. Furthermore, if you don’t understand what the hacker is trying to explain you panic even more.
Finally add the reputation of the word hacker, many people who are not into cyber security associate hacker with bad intentions which is in many cases wrong.

This is slowly changing tho, dictionaries are changing the definitions,companies are more aware of the importance of cyber security and it’s not as underground as it used to be.

Oh I totally agree, it's terrifying for users (often at a high level in the company structure) who are not technical in any way to see that someone has emailed you a bunch of data that you didn't even realise had a possibility of being insecure.

Even after I learnt my lesson from Grey Hatting, and turned to White Hatting doing reverse engineering with IoT devices, I would find a HUGE vulnerability that in one case raised legitimate health and safety concerns ... And the company basically tells me to piss off. They don't want to hear it. Ah, it's so frustrating.

At the same time you've got the world's media telling us that we need more cyber security professionals and everything is so insecure... 

So I've basically given up on doing cyber security to help people. I'm not interested in hurting people; I just like the puzzle. The problem is the BEST puzzles are real systems and real people.
Reply
#6
P
(04-05-2018, 09:01 AM)EnigmaCookie Wrote: So I've basically given up on doing cyber security to help people. I'm not interested in hurting people; I just like the puzzle. The problem is the BEST puzzles are real systems and real people.

Well I have to disagree with you there, when you get into CTFs there are a lot of hard ones which are even harder than real case scenarios...
See for example FinFisher a malware developed for governments, compare it with other ctfs with vms... okay it has obfuscation but it can be reversed with some radare rules, some ctfs don’t even have opcode table!

And I’m talking about a piece of software developed for governments when devs are paid thousands, in real world what do you get when you have to reverse malware nowadays... 80% shitty ransomware based on previous attacks and crypto miners...

When you get into penetration testing it’s the same thing, you can own thousands of websites with the same vulnerability,most websites don’t even update their cms or look for vulns.

About osint and forensics I can’t really tell as I don’t know about real case scenarios.
Reply
#7
The article seems to downplay the role of financial motivations, but the vast majority of cyberattacks are financially motivated. The major players in cybercrime don't match this kind of profile they describe. They tend to start cybercrime in college due to curiosity and a desire to make money, but then continue to do so in their professional lives. Thus, it seems like they're primarily interviewing script kiddies and unskilled hackers.

The real fundamental problem is that cybercrime simply pays a lot more than legal avenues. Furthermore, because of the experience required, it can be incredibly hard to find a security job straight out of college. Many go into software development or IT before pivoting to security. If a penetration tester can simply infect networks and use ransomware or cryptomining, he will earn a hell of a lot more money than what he makes via a job. The chance of someone being rich from legal means, like starting a business, are incredibly low, compared to being a hacker. In our society, there is a strong push for being financially successful and money is the most important thing. We idolize the be-your-own-boss rich guy kind of job, and blackhat hacking offers exactly that. It's no surprise that there are so many blackhats, especially in poorer countries.

So I don't have any personal dislike of blackhats. They're just trying to make it in a world where it's incredibly hard to make it. There are rich guys who have private jets and gold plated everything, but don't even have to work. They've got it made and think of us as peasants. Furthermore, a company may pay $5k for a pen test, but a very small portion actually goes to the penetration tester. Most of it is given to by the owners of the company as profit. And, 50% of getting a job is in the social skills not technical. I know all kinds of shitty hackers who get high paying jobs in infosec because they have good social skills. So it's hard not to be resentful with all that in mind.
Reply
#8
(04-09-2018, 09:37 PM)vxer Wrote: The article seems to downplay the role of financial motivations, but the vast majority of cyberattacks are financially motivated. The major players in cybercrime don't match this kind of profile they describe. They tend to start cybercrime in college due to curiosity and a desire to make money, but then continue to do so in their professional lives. Thus, it seems like they're primarily interviewing script kiddies and unskilled hackers. 

This targeting was intentional. They are basically trying to separate "legitimate" cyber criminals, from script kiddies. Both commit very similar crimes in terms of the law, i.e., they may well be charged the the same offences, but the gravity of the offending differs vastly between them. Because of this, script kiddie convictions represent an area of LE that can be 'improved', as convictions especially at a young age will prompt users down a path of continued re-offending.

So you're right that financial motivations are underplayed, but it's because it's out of scope.
Reply
#9
"The problem is the BEST puzzles are real systems and real people."

I'm not sure best = hardest here. Most fun, exhilarating etc would work just as well. Rewarding could be another one. Not that CTF's CAN'T be any of those things but some people might not "get their rocks off" as much without that very real threat/living on the edge type vibe. There really isn't much of a patch for that but just chasing the challenge can be "patched" pretty easily with CTFs, bug bounty, vulnerable VMs etc.

Culture is another problem.

It's no secret that a large chunk of companies (hell, likely large majority) would rather send you to jail/sue you into oblivion than improve their product. The culture of engineering, from hardware to the software and beyond, is pure dogshit as well. Most optimism will likely get beaten out of you in the first few jobs if you are even lucky enough to make it that far.

Eng Workflow
1. Make it work
2. Try making it a bit prettier, possibly easier to use... maybe improve how well it works.
3. SELL SELL SELL, make money, meet deadlines, and beat other vendors to market etc

This happened to me personally at nearly every level from schooling to the work environment. Clock my time, collect my check, and meet the bare minimum specs. I don't see reward for anything beyond that - in fact, often enough, it just adds more bullshit to my already "tight" schedule and I'm salaried. No thanks.

Though the bulk of the link is off-topic there a few choice quotes from this daily dave rant (http://seclists.org/dailydave/2015/q3/13).

-----
"I keep up with the Google Project Zero blog because I think it's hilarious to see them fawn over bugs like they're actually hacking with them."
-----

This speaks to that first part I brought up about "the thrill" - whitehat is never the same as black, it can only ever pale in comparison. "Oh, this doesn't count because it's out of scope".

-----
"Attack research doesn't get good in the public domain, it gets good because it is used to, you know, attack. It has to jump through hoops and quirks and work over sat hops and against thousands of targets and do all sorts of weird things that would never come up in a lab environment."
-----

Oh, you mean I can't target the home router of your sr sysadmin/dev who left the default router creds and works from home (true story, seen it b4)? Or even go upstream and attack their shitty little small town ISP? What about abusing your dogshit corporate policies and procedures to glean helpful info? No? "These vectors aren't in scope!!!" the company cries! Well, maybe they should be.

And, again, back to culture...

-----
"if you gave me a billion dollars today, what percentage of the Google security team could I employ tomorrow?

It's an interesting question I think. From an adversarial perspective that is. Say e.g. the NSA or whoever actually cared about someone fixing "hundreds!" of bugs in desktop software and the real Internet wasn't a facsimile of an early 90ies LAN party. Say that was the case.

If "they" got _real_ budget to buy out all the "top researchers" in the industry, do you honestly think it wouldn't cripple Google's effort overnight?

And that's essentially the crux of the problem. You can't fight religious wars with mercenaries. You need martyrs."
-----

You need martyrs and, right now, there is nothing motivating people unless it's an internal/ideological motivation. 100% agree on the idea of lines being blurred between black/grey (even white at times) adding to the issues.

I'm... probably not the best influence or person to ask on this topic but there's my 2 cents.

TL;DR as music links.

https://www.youtube.com/watch?v=kGjSq4HqP9Y
https://www.youtube.com/watch?v=h9_31bUYHvA
https://www.youtube.com/watch?v=ttJBdr6eBuo
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  is there anything wrong with the terms "white hat," "black hat," or "grey hat" to you QMark 2 815 04-14-2020, 03:16 AM
Last Post: QMark
  Is it ok if I want to be grey hat? QMark 7 4,919 01-27-2018, 11:22 PM
Last Post: Vector
  Black Hat USA, DEF CON, BSides LV Cypher 3 3,862 07-06-2017, 10:46 PM
Last Post: Insider
  [Official] The Black Hand - Recruitment LSD 22 9,019 01-03-2016, 09:12 PM
Last Post: Contract