You can't have nice things because you aggressively criminalized the white hats, thus were never warned by them before a black hat took your nice things away.
> Why should I believe that you have not installed a rootkit or other tech that you did not subsequently disclose?
Because doing that and also disclosing your identity would be incredibly stupid?
> You can't have nice things because you aggressively criminalized the white hats
voakbasda even proposed giving a bounty. Is defacing a website and spearfishing the users (as is claimed higher up in the thread) needed for white hats to do their thing? I'm surprised that we aren't all in agreement that this isn't at least grey hat behavior.
It's unclear to me where the line is being drawn and a zero-tolerance policy applied with maximum criminal penalties pursued.
The whole world sucks: the companies who are slovenly with our data, the criminals who exploit that data when it is inevitably leaked, the grey hat hackers who "joyride to prove they found your keys" to use the memorable metaphor from elsethread, the circumstances which make probing for vulnerabilities incredibly risky because one misstep gets you a prison sentence. the resulting feast of vulnerabilities ripe for criminal exploitation....
Do you understand that, from the perspective of the person suffering an attack, there is absolutely zero difference between a good guy that breaks in without a contract, permission, or other sort approval and an actual bad guy? The act of committing a crime actively destroys trust.
Come to me with a list of potential vulnerabilities that I can detect and investigate with an open source scanner, and we can talk. Come to me after you've already broken in, and you will never be grated the trust required to work on security systems.
I think this whole scenario effectively is perjury. Once someone has been proven to lie, everything associated with that lie needs to be vetted (or simply thrown out), because you have demonstrated that this person cannot be trusted to tell the truth. Does anyone here think that perjury is moral or ethical? Is the scenario presented here really that different?
The "person suffering the attack" is not the only party who suffers from an attack — the individuals whose information gets leaked also suffer when a company hoards toxic data and it inevitably spills.
From the perspective of those individuals, there is a dramatic difference between black hats who exploit their data and grey hats who humiliate the toxic data hoarders.
Do you think those individuals will see the difference?
Also, I would argue there is no gray. A white that breaks the law cannot be trusted, because they become indistinguishable from a black hat that is pretending to be a white hat.
This all comes down a matter of trust, and breaking the law does not build trust in anyone except other criminals. If anything, it erodes trust by demonstrating the willingness to skirt the rules when it suits you.
In this case and context, I see the use of "gray hat" as an attempt whitewash black hat activities. Once you behave like a black hat, you always need to be treated like a black hat. Trust is like that, particularly when talking about security.
>You can't have nice things because you aggressively criminalized the white hats
This isn't how a white hat should behave. At the first issue, they should have stopped, reported, and waited. At the very least, a responsible disclosure, followed by a reasonable time, then maybe public disclosure-- or just move on. Continuing to dig and steal information because someone didn't reply is unacceptable.
I cede the point. It's incredibly frustrating because the harm done is minuscule in comparison to the unsafe business practices exposed. The toxic data hoarder will skate, the messenger will be shot, and the public will continue to be victimized by black hats exploiting toxic data stockpiles.
> Why should I believe that you have not installed a rootkit or other tech that you did not subsequently disclose?
Because doing that and also disclosing your identity would be incredibly stupid?