White Hat (Computer Security)

A white hat is an ethical security hacker. Ethical hacking is a term meant to imply a broader category than just penetration testing. Contrasted with the black hat, a malicious hacker, the name comes from Western films, where heroic and antagonistic cowboys might traditionally wear a white and a black hat, respectively. There is a third type of hacker known as a gray hat who hacks with good intentions but at times without permission.

White hat hackers may also work in teams called "sneakers and/or hacker clubs," "red teams," or "tiger teams."

One of the first instances of an ethical hack being used was a "security evaluation" conducted by the United States Air Force, in which the Multics operating system was tested for "potential use as a two-level (secret/top secret) system." The evaluation determined that while Multics was "significantly better than other conventional systems," it also had "...vulnerabilities in hardware security, software security, and procedural security" that could be uncovered with "a relatively low level of effort." The authors performed their tests under the guidance of realism, so their results would accurately represent the kinds of access an intruder could potentially achieve. They performed tests involving simple information-gathering exercises, as well as outright attacks upon the system that might damage its integrity; both results were of interest to the target audience. There are several other now unclassified reports discussing ethical hacking activities within the United States military.

By 1971, the New York Times described white hat activities as part of a "mischievous but perversely positive 'hacker' tradition." When a National CSS employee revealed the existence of his password cracker, which he used on customer accounts, the company chastised him not for writing the software but for not disclosing it sooner. The letter of reprimand stated: "The Company realizes the benefit to NCSS and in fact encourages the efforts of employees to identify security weaknesses to the VP, the directory, and other sensitive software in files."

The idea of bringing this tactic of ethical hacking to the assessment of system security was formulated by Dan Farmer and Wietse Venema. With the goal of raising the overall level of security on the internet and intranets, they proceeded to describe how they would have been able to compromise security had they chosen to do so. They provided several specific examples of how this information could be gathered and exploited to gain control of the target, and how such an attack could be prevented. They gathered up all the tools they had used during their work, packaged them in a single, easy-to-use application, and gave it away to anyone who wished to download it. Their program, called Security Administrator Tool for Analyzing Networks or SATAN, was met with a great amount of media attention around the world in 1992.

This blog entry is sponsored by 2021 Gerald Genta Arena Retrograde Mickey Mouse.