Top Hats For Everyone!

Tuesday, September 11, 2012

Jim Palazzolo


What color hat are you wearing today?  Are you happy with your life and the way things are around you?  

For research's sake, do you put on a grey hat today, or are you angry and vengeful, choosing the darker black hat instead?  Does anyone care about the hats anymore?

It may seem like a trivial question, but I do remember some time back reading or hearing a reference that basically stated:  the more public attention you give your adversary, the stronger they get, because recognition is power.

We keep using terms like “Hacker” and “Black Hat”; and, I understand the need to continue to classify the behavior.  However, are we inadvertently giving individuals too much inherited power by recognizing them in context and connotation?

I’ll admit I’ve been having a very tough time finding my own words to express this thought.  In my head it’s very black and white.  You’ve either committed a crime, or you have not; meaning:  just because you’ve thought about getting back at your old boss does not make you a bad person, nor does successfully completing a pen test make you a wanted criminal.  What matters is the raw act itself: what did you, or a group of individuals, actually do?  Did you break the law, or did you not?

It seems so much simpler to look at it in those terms: black and white.  I think the ecosystem of cyber security is simply moving in that direction naturally; so, I’d like to give it another nudge.

I can’t remember the last time that I read an article that specifically stated a group of “Black Hat Hackers” broke into a bank’s infrastructure and stole a large sum of money.  Rather, most articles seem to simply state:  “a group of individuals broke into a bank’s infrastructure and stole a large sum of money”.

But what would be gained by changing the language, and what would simply change by changing the language used to describe cyber security?  Would you no longer like your job because you’ve lost the romantic espionage side?  Would you come to work if you couldn’t claim that you were a hacker?  Would changing the language change the overall surface of behavior in the ecosystem itself?  Would hacktivists continue to hack into systems if they were no longer given a name like “hacktivists”?

From my understanding, if you go back to the manifesto and other literature, the term “Hacker” simply meant someone who liked to tinker with things and make them do things that they were not designed to do; and, they enjoyed the journey of discovery. 

I can hear it now, large cyber security vendors shouting, “They are Hackers! Evil, malicious, and devious people who wish to overthrow your empire!”  All of that just to protect their profits.  I mean, if you took out all the fearful language, what would you have left?  Would you buy something where the advertisement sounded like this:

“Are you experiencing broken headers that are affecting your overall network performance?  Do you have emails that are sending users to destinations they do not want to go to?  Then get our new shiny network traffic manager.”

Even though we are pretty much talking about a layer 7 firewall, there really doesn’t seem to be a need to rush out and protect myself from “Hackers” trying to forge headers and send in phishing emails to redirect users to malicious sites. 

So what can we deduce from this random thought?  For starters, language truly drives the industry.  Whether out of fear, profit, or protection, it is clear that the language used has a way of drawing in customers to spend their money on your products and services.

Secondly, a new question arises:  would changing the language change the behavior of the ecosystem?  Would people take their pent-up frustrations and run out to join a “Hacktivist” group if there were no banner to rally behind?  Where would they go?

So it is very clear that the language we use has a very direct effect on the ecosystem we work within.  The real quest will be in choosing what to say.

Michael Johnson

It reminds me of a small pen testing firm at Infosec Europe earlier this year who said (as a selling point) they don't hire hackers. How did other attendees interpret that, I wondered?

I also wonder if the 'evil mastermind hackers' marketing strategy will eventually backfire on the vendors themselves - there comes a point where firms begin to see the 'Black Hats' as considerably more skilled than the besuited professional, a point where Magical Ultimate Layered Threat Management Systems gain a reputation for not doing what they say on the tin. Some of us are already on the back foot by repeating the mantra (or even accepting) that security breaches are inevitable.

aleph

I doubt very much that changing the lexicon would stop people from doing what they have always done, whether it's blue team or red team.

Believe it or not, the media actually helps in some cases - for example when trying to convince a superior or the board to buy the Splunk Enterprise license that your environment has needed for 3 years (not singling out Splunk, it's just an example). Showing Sony's drop in stock price was enough for me to get my budget expanded. But even without the rhetoric, security companies aren't going to stop making products, and "black hats" aren't going to stop offensive hacking. I just think the rhetoric is largely irrelevant to the overall motivations of the duality, and everybody in between.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.