Eureka! White Hat vs Black Hat vs Ethical Hacker

Posted on October 04, 2009

Image: Game of Chess on Black and White Hat (image credit Andreas Nilsson)

I normally steer clear of discussions that attempt to define hat colour as the Return on Energy Expended (RoEE) is consistently low. But I heard something last night that finally nails the definitions and thought I’d share.

Black Hat = A person that attacks a system without the authorisation of the owner.

White Hat = A person that attacks a system with the authorisation of the owner.

Ethical Hacker = A failed attempt at linking “ethics” to “hacking” that ends up describing a subset of White Hat and Black Hat hackers!

Ethical Hacker falls short because it makes the assumption that Black Hats are not ethical. For example, hacktivists take the actions they do from a very strong sense of ethics whilst clearly demonstrating Black Hat behaviour (i.e. attacking systems without authorisation). You may not share their ethics, but that doesn’t mean they don’t have ethics.

Summary = Don’t presume to link ethics (or motivation) to hat colour. It doesn’t work. Think “authorisation” instead.

Sidepoint from me: I’ve noticed people calling themselves ‘grey hat’ as if to give off some kind of darkish aura and be one of the cool kids. The definitions above don’t leave space for ‘grey’. You either break in with permission or you don’t. If you choose to do both, then you are both a Black Hat and a White Hat – you don’t get ‘grey’ – it doesn’t exist!

This insight courtesy of Professor Tom Wilhelm during an interview on PaulDotCom Episode 169.