The Fall of Hacker Groups

[tptacek]

I asked because I figured you'd give a different definition than the one I'm familiar with.

Black Hat -> Using vulnerabilities to break into other people's computers.

Gray Hat -> Using information gleaned from breakins to other people's computers to find new vulnerabilities.

or

Gray Hat -> Finding vulnerabilities and supplying them to people who break into other people's computers while retaining deniability about the actual breakins; ie, supplying your friends without wanting to know what they're doing with the exploits.

The 1990s "gray hat" would be the guy using leaked SunOS 4.1.3 source to find vulnerabilities.

Your distinction isn't invalid; these "hat colors" have always been confusing.

[OvidNaso]

That's a fairly large ethical gap between those two Gray Hat definitions.

As a, fairly well read, outsider, Black Hat, to me, always implied actualy damage, financial or otherwise.

Gray Hats, on the other hand, still might break in and exploit vulnerabilities, but made certain not to cause any damage.

I suppose this partitioned people based on primary motivation. Black Hat's were in it for personal gain or evil, White Hat's for protection, and Gray Hat's for intellectual pursuit. Much easier to categorize and rationalize the romanticism associated with the culture when your "team" is the Gray Hat's.

[Igglyboo]

Yea the second gray hat is most definitely black. That's not morally questionable, you sold a vulnerability to a bad actor, anyone can see that that is illegal.

Leaking documents like snowden is an actual moral gray area.