gray goo = G = Great Renaming

gray hat

See black hat.

--The Jargon File version 4.3.1, ed. ESR, autonoded by rescdsk.

A grey hat is someone, well, doesn't fit into the category of white hat or black hat hacker. Well, cracker is probably a better word to use to define them. Allow me to explain:

There are two sides to the cracker spectrum, the white hat crackers; who are often hired by software firms and when they discover a weakness they notify the makers of the software privately so it can be fixed. Black hat crackers don't divulge weaknesses they discover, they'll use them for their own personal gain. "Gray hat" hackers/crackers seem to fall somewhere in between; often publicizing their discoveries but not necessarily notifying the software creator. They are people who do both legal and illegal systems intrusion/analysis. Often, their find will be posted online for others to see, and the software maker is either not notified or notified publicly, obliterating any chance of it being a secret defect. Many will also show examples of how to duplicate their results, but leave critical details out so that a regular script kiddie will not be able to duplicate it.

The term "gray hat" was originally coined by the L0pht, a very well-known hacking group, to describe those who wanted to stand apart from privately-owned corporate security testers but also distance themselves from the notorious black hats. The category defined by this phrase has come to encompass most independent security experts and consultants, as well as many corporate security researchers. "We chose the term 'gray hat' to represent the independent researcher who didn't have a vested interest in any particular company or product," said Chris Wysopal, formerly known on L0pht as "Weld Pond."

Most of the exploits published in 2600 magazine are probably in the "Gray hat" category; they're not privately disclosed to the company affected, but not completely hidden for personal gain either. 2600's mantra is basically that they want to publish security weaknesses to help people tighten their own, of course by letting the hacker community know as well.

I have also seen another definition of "gray hat"; a reformed criminal cracker, someone who got arrested for illegal computer cracking, but is reformed now and works in the computer or IT industry. Large corporations like IBM a while back used to advertise that they hired former criminal hackers to try and break into their systems, and show them how to make them more secure. However, they would probably fall under the white hat category, as they don't divulge their discoveries to anyone but their employers.

Some business managers are afraid that they will take the information they know and post backdoor logins on the Internet or something along those lines, thus going from white hat to "gray hat."

With the DMCA laws in effect, and the White House's cyber-security team now considering computer break-ins an issue of Homeland Security, being a gray hat nowadays is a lot riskier, possibly holding the gray hat liable in both civil and criminal circumstances if they divulge a software weakness publicly.


Log in or register to write something here or to contact authors.