9 Replies - 2470 Views - Last Post: 10 February 2014 - 01:39 PM

#1 ILoveJava

White Hat Hacking

Posted 10 February 2014 - 04:17 AM

Hey guys, so the whole ethical/white hat hacking thing has really pulled my attention lately, and I'd love to get more into it as computer security is something I'm really interested in.

Are there any professional hackers or security experts out there who would be able to shed some light on actually moving into a position of this sort? A few friends of mine just told me to read up on tutorials, and hack into a server, then leave behind a file just saying I've done it and how, but wouldn't this technically be illegal?

I also know this can be perceived as just some guy who wants to learn to hack, but I'm serious about this.


Replies To: White Hat Hacking

#2 Ntwiles

Re: White Hat Hacking

Posted 10 February 2014 - 04:24 AM

Yes, that's still illegal. And even though you haven't done any harm, hacking or trying to hack the right server could get you into some serious hot water.

Personally, I think all 'white hat' hackers are just grey hat hackers with something to prove.

I do think there is something to be said for having basic hacking in your skillset. Learning how people try to break things is a good way to learn how to build things stronger.

There are websites available which offer hacking lessons/challenges, and have an open, kind of 'hack this site' mentality. Wink wink.

This post has been edited by Ntwiles: 10 February 2014 - 04:27 AM


#3 ILoveJava

Re: White Hat Hacking

Posted 10 February 2014 - 04:29 AM

I thought so. I don't think anyone would be too happy finding a file that simply says "Ha, I hacked your shit".

I honestly have no malicious intent, whether anyone wants to believe this or not. I'm truly interested in it.

I'll also have a look around for a few websites, thank you, Ntwiles.

#4 no2pencil

Re: White Hat Hacking

Posted 10 February 2014 - 04:57 AM

It's common sense. If you broke into the police station & left your phone number, they are not going to call you & thank you. Same goes with servers. It is incredibly rare that someone is rewarded for their efforts. To do this legally, you start a company, contract the work, & then perform.

#5 baavgai

Re: White Hat Hacking

Posted 10 February 2014 - 06:23 AM

Computer security guys, the good ones anyway, are all "white hat" hackers. And they do the most legal thing in the world: they hack themselves.

Essentially, you cannot defend against security threats unless you understand how they work. To have a truly secure system, you have to try to break it. You have to know how to break it. You have to think about how you'd break anything. When it was my job, I would occasionally send users emails telling them their password sucked. (Now you just invalidate it and force them to change it using bizarre draconian rules.)

Sometimes, a user is suffering from the delusion that email is secure. Or they get bent because the email really did come from the company, so the company must be hacked. If you simply send them an email from the President or Bill Gates, enlightenment comes quickly.

I've found security holes in other systems and alerted the owners. You don't do anything, you don't even reveal how deep your penetration testing went, you just express concern and insist on doing something in a more secure way. Companies will often adopt the more secure practice when it's pointed out this way.

If a company brags about their security and they're wrong, you can ask nicely if you can test it. They'll say sure until they realize you're serious. Then they'll say no and take a serious look at it themselves.

Another term is "Ethical Hacker", which I don't much care for. The term "hacking" has morphed a lot in my lifetime. It didn't initially imply anything unethical.

More here: http://www.pcworld.c...cal_hacker.html

#6 modi123_1

Re: White Hat Hacking

Posted 10 February 2014 - 08:25 AM

Quote

A few friends of mine just told me to read up on tutorials, and hack into a server, then leave behind a file just saying I've done it and how, but wouldn't this technically be illegal?

Well that's a pretty dumb ass suggestion by your friends. Perhaps looking at 'information assurance' degrees, the 'certified ethical hacking' cert, etc and using those to springboard into a pen testing job.

#7 jon.kiparsky

Re: White Hat Hacking

Posted 10 February 2014 - 10:07 AM

There are a lot of areas to consider in security - unauthorized entry is just one of them. (Like baavgai, I'm old enough to know what "hacking" means, and it's a good thing.) Analysis of malware looks to me like a really fascinating area of study, if you have heavy-duty low-level programming skills. Cryptography is a really interesting area, if you have the math for it. I don't work in security myself, but if you want to work in any of these areas, there are academic paths towards all of them now, and these are good ways to get the skills you need without playing cowboy.

Quote

I've found security holes in other systems and alerted the owners. You don't do anything, you don't even reveal how deep your penetration testing went, you just express concern and insist on doing something in a more secure way. Companies will often adopt the more secure practice when it's pointed out this way.

If a company brags about their security and they're wrong, you can ask nicely if you can test it. They'll say sure until they realize you're serious. Then they'll say no and take a serious look at it themselves


I can't recommend trying either of these tacks. Both of them involve a non-zero chance that you'll be forced to waste a lot of your finite time trying to explain to people who don't understand anything about security just why what you did was technically legal. The problem is that since the laws in this area are still relatively new, not very consistent, and often based on analogy to other sorts of unauthorized intrusion or theft, there's a really good chance you'd lose that argument, either because you were unable to convince a non-technical person of the validity of your case, or else because you were in fact on the wrong side of the law.

From an ethical perspective, you should adopt the stance that "I have no right to access, modify, or use another person's resources unless I know that they have authorized me to do so, and intend for me to do so, even if my actions are intended to be for their benefit." This is a useful rule because it also corresponds nicely with the rather murky legal situation: if you act on this rule, you'll probably not get into legal difficulties.

#8 modi123_1

Re: White Hat Hacking

Posted 10 February 2014 - 11:12 AM

That is exactly right jon - 'do no harm', and from a business standpoint - until I get a contract. Going around pen testing folks, to alert them later, is never a good idea. If you are barging around like a bull in a china shop and turn off a mission critical application, section, muck up data flow, etc., then you'll be substituting the rabbit in a big ol' pot of hasenpfeffer.

Here's a good sweep of the ideas of separation: Core Rules and Concepts of Ethical Hacking

#9 baavgai

Re: White Hat Hacking

Posted 10 February 2014 - 12:15 PM

Quick cautionary tale. One of the most insecure boxes made, and still made, is a thing called a PLC. It's basically a remote control for industrial machinery. It has the brains of a retarded gerbil and simply throwing an oversized packet at it can send it into a panic attack.

A security analyst decided to run nmap on the secure PLC VLAN. Boxes started dropping like flies and the equipment started throwing up alarms. It was all very dramatic. This was years before Stuxnet, but had the same potential. You simply pull the plug on a running house-sized centrifuge and it will tear itself apart, along with the building it's in.

#10 jon.kiparsky

Re: White Hat Hacking

Posted 10 February 2014 - 01:39 PM

modi123_1, on 10 February 2014 - 01:12 PM, said:

That is exactly right jon - 'do no harm', and from a business stand point - until I get a contract.



Yes, a contract is exactly the sort of thing that satisfies the "unless I know that they have authorized me to do so, and intend for me to do so" clause.