The world of hackers has largely been conceived of as a world of black and white. When a “black hat” hacker discovers a security vulnerability in a piece of software or a website–say, a method for intercepting emails or accessing strangers’ bank accounts, he exploits it for personal gain, often breaking the law in doing so. When a “white hat” hacker makes the same discovery, he reveals it–either to the company that makes the technology or to the public (the latter is usually a better way of making sure the company in question actually fixes the problem).
Now, a fascinating piece in Forbes reveals a third kind of hacker, who exploits security vulnerabilities for a hefty profit, but does so without breaking the law. But don’t call them “grey hat” hackers–the results of their work may actually be more destructive than your typical act of black-hat cyber fraud.
The French security firm Vupen found a flaw in Chrome, Google’s popular web browser. Unlike some software companies that make legal threats to discourage hackers from disassembling their wares, Google welcomes such attacks. It’ll even pay you for them–tell Google exactly how you beat their security, and they may award you $60,000 in contest prize money. But Vupen scoffed at Google’s little challenge. They’d rather keep Google in the dark and sell their knowledge to government agencies for far greater sums.
Intelligence and law enforcement agencies pay big bucks for techniques that allow them to crack into their targets’ computers, steal information and monitor their behaviour. Such spying techniques are highly valuable as the target is unaware of them. So is Google, and so are the courts. Security researcher Chris Soghoian, a white hat hacker if there ever was one, calls these commercialized exploits a “black hole” in which spooks can snoop without having to get warrants and without oversight or accountability of any kind.
Even worse, once a hack becomes a weapon, what’s to stop it from being traded in the growing international cyber-arms trade? We’ve already seen spyware developed by an American firm, sold legitimately to the United Arab Emirates and then somehow winding up in the hands of Syria’s murderous government, which deployed it against its own citizens. As Vupen’s own chief executive/lead hacker Chaouki Bekrar admits to Forbes, “if you sell weapons to someone, there’s no way to ensure that they won’t sell to another agency.”