by ajmurmann 1631 days ago
> You can't have nice things because you aggressively criminalized the white hats

voakbasda even proposed giving a bounty. Is defacing a website and spear phishing the users (as is claimed higher up in the thread) needed for white hats to do their thing? I'm surprised that we aren't all in agreement that this isn't at least grey hat behavior.


It's unclear to me where the line is being drawn and a zero-tolerance policy applied with maximum criminal penalties pursued.

The whole world sucks: the companies who are slovenly with our data, the criminals who exploit that data when it is inevitably leaked, the grey hat hackers who "joyride to prove they found your keys" to use the memorable metaphor from elsethread, the circumstances which make probing for vulnerabilities incredibly risky because one misstep gets you a prison sentence, the resulting feast of vulnerabilities ripe for criminal exploitation....

Do you understand that, from the perspective of the person suffering an attack, there is absolutely zero difference between a good guy that breaks in without a contract, permission, or other sort of approval and an actual bad guy? The act of committing a crime actively destroys trust.

Come to me with a list of potential vulnerabilities that I can detect and investigate with an open source scanner, and we can talk. Come to me after you've already broken in, and you will never be granted the trust required to work on security systems.

I think this whole scenario effectively is perjury. Once someone has been proven to lie, everything associated with that lie needs to be vetted (or simply thrown out), because you have demonstrated that this person cannot be trusted to tell the truth. Does anyone here think that perjury is moral or ethical? Is the scenario presented here really that different?

The "person suffering the attack" is not the only party who suffers from an attack — the individuals whose information gets leaked also suffer when a company hoards toxic data and it inevitably spills.

From the perspective of those individuals, there is a dramatic difference between black hats who exploit their data and grey hats who humiliate the toxic data hoarders.

Do you think those individuals will see the difference?

Also, I would argue there is no gray. A white hat that breaks the law cannot be trusted, because they become indistinguishable from a black hat that is pretending to be a white hat.

This all comes down to a matter of trust, and breaking the law does not build trust in anyone except other criminals. If anything, it erodes trust by demonstrating the willingness to skirt the rules when it suits you.

In this case and context, I see the use of "gray hat" as an attempt to whitewash black hat activities. Once you behave like a black hat, you always need to be treated like a black hat. Trust is like that, particularly when talking about security.

> Do you think those individuals will see the difference?

No more or less than an individual whose home was not robbed because a crime was prevented unbeknownst to them.

However, I believe that the toxic data hoarding companies collectively don't see any difference, and so they don't care if individuals suffer. The suffering of individuals when data is leaked is an externality, and it is only when forced to pay for that externality that companies would start to care.

In this regard, the black hats and the toxic data hoarders both contribute towards undermining the common good. Companies don't care if money disappears mysteriously from the bank accounts of individuals who happen to be their customers — companies just don't want to be embarrassed, as it isn't their money being stolen.

But the grey hats disrupt this state of affairs. They are truly antagonistic to the toxic data hoarders, because they humiliate them, rather than merely use them to steal from somebody else.

This status quo of companies operating unsafely, creating massive but dispersed and plausibly deniable harm, is perfectly legal. But should the public trust these companies? Should the public trust individuals who work hard at these companies to build toxic data stockpiles and cover up intrusions, rather than those who expose the harms these practices bring? Who are the "good guys"?