Researchers are hackers. In the hat color terminology, there are Blackhat, Whitehat and various shades of Greyhat hackers. Today, the delineation between the different shades is getting clearer. Researchers, for example, would be a subset of Whitehats.
The distinction, however, has not always been clear and can still be blurry. It is aggravated by the ability of hackers to change hats. Consider, for example, the case of Marcus Hutchins (MalwareTech). He describes himself on Twitter as, “Hacker, content creator, threat intelligence analyst…” He could, but didn’t, include ‘researcher’. The FBI does not believe this has always been the case.
In May 2017 he became the world’s hero for finding a ‘kill switch’ able to stop the further spread of WannaCry. But less than three months later he was arrested by the FBI after attending Def Con in Las Vegas over an earlier connection with Kronos malware.
At the ensuing trial, the Judge recognized that Hutchins had “turned the corner” between immoral and moral hacking. He was sentenced to time served with the Judge commenting, “It’s going to take individuals like yourself, who have the skill set, even at the tender age of 24 or 25, to come up with solutions.”
For us, this is not about Hutchins — it’s about that blurry boundary between different shades of hat. To gain an insight, we talked to Cris Thomas (formerly and still usually known as Space Rogue). Thomas is now IBM’s X-Force Red Global Strategy Lead. In the 1990s, however, he was a founding member of the Lopht Heavy Industries hacker collective.
Hacker or researcher?
Thomas does not consider himself a researcher – he says he has always been a hacker (although never of the Blackhat variety). There were no researchers when he started at Lopht some 25 to 30 years ago.
“Researchers take notes and keep journals and work on things,” he said. “The stuff that I was doing, years ago – and what a hacker would do today – is just hack on stuff, mess around and play with things to see what breaks and what still works.
“The researcher,” he continued, “is a bit more formalized, even though the end-result between hacker and researcher might be the same, such as the discovery of a vulnerability., or an unexpected result from unexpected input.” It’s the process that is different. If it is well-documented and follows a plan, that’s when it is research. But a hacker has a less formal approach to the process.
“But I think,” he continued, “in both cases, excluding Blackhats, you will find that the person conducting the work, whether it’s a hacker or a researcher, is very concerned about the final output, about the user, about the product that they’re looking at, and basically trying to make the world a better place.”
Both Whitehat hackers and Whitehat researchers are viewed positively today – but that hasn’t always been the case. The history of LophtCrack is a good example.
LophtCrack is a password auditing and recovery application developed by Lopht Heavy Industries in 1997. It was marketed as an auditing tool – but it achieved its purpose by showing sysadmins how easy individual passwords were to crack.
Around 2000, a newsletter that advised subscribers on their security problems advised the use of LophtCrack to recover a lost password. Within hours, the newsletter editor received a telephone call from the Chief Constable of Scotland complaining the advice was aiding Blackhat hackers. After further discussion, the Chief Constable admitted that the police used LophtCrack to help gain access to confiscated computers, but that didn’t mean other people should be allowed to use it.
Thomas admits that LophtCrack was – and still is (because it is now available as open source) – a dual purpose tool. “A hammer is a dual-purpose tool,” he said. “Most people use a hammer to hammer nails, but a few burglars might use it to break a window.” Is that a reason to ban hammers?
“We of course,” he continued decided that it’s much more important that administrators be able to force their users to choose good passwords than that bad people could use it to break passwords. Did some criminals use LophtCrack to break into systems? I’m sure they did. Were there many, many more systems that were secured because of LophtCrack? Absolutely.”
But the LophtCrack story sheds further light on the hacker/researcher relationship with industry. LophtCrack was released to the public because Microsoft denied a problem with NT. This vendor denial problem continues today.
Lopht found a problem in Lanman. “A lot of times a researcher or a hacker will find a vulnerability and attempt to convince a vendor that this vulnerability exists, and they need to release a patch,” he explained. “But a lot of times the vendor is, like, ‘we can’t duplicate your research – we don’t believe this is a problem’.”
This is what happened before Lopht released LophtCrack. “We went to Microsoft and said, hey, you’ve got some issues in NT. It wasn’t just us – there was a lot of people telling Microsoft at the time. There were some issues in Windows NT with your password implementation; you really need to button this up.
“But they told us this is not real a problem for most for people, so they don’t need to do anything about it. They said it was a ‘theoretical’ problem. We said it wasn’t. We said, we’ve shown you our proof of concept, and we’ve shown you our research. It is not theoretical, and you need to fix it. Microsoft still took the attitude, ‘no, no we don’t’. So, we went full disclosure and said, ‘Yeah, this is a problem; this is the tool and now everybody is going to use it’.”
This is an early example of the full disclosure issue that still exists today. If a vendor ignores the research, the researcher or hacker is forced to go public. Since the issue has been ignored, a proof-of-concept exploit is usually developed. As a result, a well-intentioned researcher may be forced to create a zero-day exploit simply to force the vendor to fix it – and the white hat of the researcher begins to get a bit discolored.
A negative response from companies you are genuinely trying to help could help push neutral hacker/researchers more towards the dark side. That didn’t happen with Thomas. “Today,” he said, “I want to improve the user experience, to make the world a better place. In the beginning, it was probably simple curiosity – what happens if I do this?”
That, almost innocent, curiosity continues today. But he believes the motivation for Blackhat hackers is simply money. Blackhat hacking is a job with a paycheck. He puts state actors in the same category (even if they have the additional motivation of patriotism). For himself, he says, “I sit here at home and I’m hacking on stuff in my spare time. No one’s paying me to do that and there’s probably no other game for it other than my own personal satisfaction.”
Some researchers are lucky enough to be paid by legitimate companies to do legitimate research, so there is a monetary value and paycheck to their work. “But,” adds Thomas, “I think their primary motivation for Whitehat hackers and researchers is more towards fixing stuff, making the user’s life better, and making the world a more secure place.” He goes so far as to compare it to law enforcement – to protect and serve. “I think everybody’s individual motivation is, of course a little bit different, but I think most people probably fit somewhere in that area, at least on the research or hacker side as opposed to the criminal side.”
Education and hacking
One interesting question is the role of education in developing both Whitehat and Blackhat hackers. In this series we have spoken to researchers who have said that a formal education was irrelevant to their work, and others who have claimed their university degree has helped them.
It is getting increasingly difficult to obtain a legitimate job in cybersecurity without first getting a university degree. “It definitely helps,” said Thomas. “Is it required? You don’t need one per se but you’re going to have a hard time finding somebody who’s going to hire you without a degree. Unless you have experience, but it’s hard to get the experience without the degree.”
In the UK, it may get worse. The government is planning to establish a cybersecurity professional body. The consultation document states: “As part of this, we know that there has been consideration of the value of a Register of Practitioners, similar to what exists in the medical and legal professions. This would set out the practitioners who have met the eligibility requirements to be recognized as a suitably qualified and ethical senior practitioner under a designated title award.”
If you consider the medical and legal professions, it is the professional bodies that decide whether an individual can work in that profession. Grounds for disbarment are established by the professional body, and can include insufficient academic qualifications or behavior disliked by the body. So, while a university degree is almost a requirement to get started in cybersecurity today, it may soon become an absolute necessity.
The relevance to this discussion is simple – what happens to those talented people who cannot get a formal education, or whose moral ethics are already borderline? It is becoming increasingly recognized that a statistically high number of hackers are neurodiverse, and it is likely that an even higher number of Blackhat hackers are similar.
“The high technology field does seem to attract folks who are neurodiverse,” comments Thomas. “Are there an overwhelming number? I don’t know. Is it greater than natural population? I’m gonna say yes, but I don’t have any numbers to back that up. That’s just based on my personal experience. Would anybody in the Lopht be considered neurodiverse? Maybe, but I don’t think any of us were really super, extremely neurodiverse.”
Neurodiverse conditions include ADHD and what used to be called Asperger’s syndrome. People with these conditions find it very hard – if not impossible – to obtain a formal education; yet are frequently highly accomplished in high technology. Where do they go if they cannot find legitimate employment even though they are more skilled than many who are employed? It is worth asking whether governments’ desire to control things will create more Blackhat hackers.
Cris Thomas, also known as Space Rogue, was a founding member of the Lopht Heavy Industries hacker collective. His informal approach to investigations (that is, ‘just hacking on stuff’) means he describes himself as a hacker rather than a researcher – who he believes takes a more formal and well-documented approach to investigations.
He has never been a Blackhat. His career shows that Whitehat hackers can succeed within the mainstream business environment – he is now X-Force Red Global Strategy Lead at IBM. Other members of Lopht have done similar. Peiter Zatko, formerly Mudge at Lopht, is at the time of writing Head of Security at Twitter. Chris Wysopal (Weld Pond at Lopht), who worked on Netcat for Windows and LophtCrack, co-founded Veracode, where he is CTO. Christien Rioux (the first employee at Lopht Heavy Industries) co-founded Veracode with Wysopal and is now a Distinguished Engineer at Lacework.
But despite the subsequent success of the Lopht alumni, it is worth remembering that many of their earlier products were frowned upon by The Establishment.