It isn’t true. Hackers – and even using the word ‘hacker’ as a catchall term is somewhat ridiculous – come from a vast multinational, multicultural background, bound only by the technologies needed to, well, hack.
Hackers come in different forms, too: good, bad, chaotic, malicious, with many hackers using their knowledge for the sake of good, to protect the public, and to work against those malicious entities. Individuals who probe for security flaws can often be rewarded by large companies that were unaware of a critical security issue, saving them time, money, and data. But it doesn’t always work that way.
Hacker types are referred to as ‘hats’, and there are three main colours to remember:
- Black: Generally considered to be the bad guys, a black-hat hacker may compromise information for their personal gain, or use botnets to perform compromising attacks on other networks. Black-hats fit directly into the media stereotype of a hacker.
- White: The opposite of black-hat hackers, a white-hat hacker asks permission before performing security checks on a company, then informs them of any critical security problems before any malicious entities can exploit the issue.
- Grey: As with life, nothing is ever black-and-white, and hacking is no different. A grey-hat hacker may infiltrate a company database without permission, but leave the data alone, then inform the company of their activities, allowing the issues to be fixed. Grey-hats typically operate on their own terms, performing arguably unethical activities and technically committing crimes along the way.
Some companies welcome the intrusions of white-hat hackers. Perhaps welcome is too strong, but many certainly understand the benefits of white-hat probing and accordingly offer bounties to those hackers who work to protect their businesses. It is widely accepted that bounty programs incentivise positive behaviour, and so it should.
Accordingly, a number of bug-bounty sites have sprung up to allow clearer communication of potential bugs, expected fixes, bounties paid, and payment processing. For example, hackerone.com has fixed over 14,000 bugs and processed over $4.8M in bounty payments, working with Yahoo!, Twitter, Adobe, Square, Airbnb and Dropbox along the way. Crowd-sourced Bugcrowd offers a similar service, sourcing and solving bugs within a community.
On the subject of hacking bounties, over the October/November/Halloween weekend a group of hackers claimed a $1,000,000 bounty for finding a method to remotely jailbreak a new iPhone or iPad running the latest version of iOS (9.1 and 9.2b), the Apple mobile operating system. The exploit had to come through either the Chrome or Safari browser, or a text or multimedia message.
Jailbreaking is the process of cracking, or unlocking, the iOS mobile operating system to allow the user more control over their device. A remote jailbreak exploit hadn’t been exposed for well over a year, not since iOS 7.
Bounty hunting can be big business, as you can see, and it has also opened other opportunities, with companies such as Google hiring bounty hunters as full-time security researchers. Clearly, bounties bring the best of the hacking community to the fore, making a more secure Internet for us all.
Image courtesy of Salvatore Vuono / freedigitalphotos.net.