No, it's actually not. It's distinguished precisely by using a vulnerability with the intention to compromise others. You can't just redefine "black hat" to be whatever normative disagreement you have with how people choose to disclose vulnerabilities. That's entirely subjective.
Excellent, great citation! Now, precisely what did the security researchers hack for their own gain, and precisely which computer's security was violated?
If we can call them "hackers" just because they ostensibly compromised their own hardware or software as a proof of concept for the vulnerability research, does that mean that all of Google's Project Zero consists of hackers and black hats because they get paid (personal gain) by Google to find security vulnerabilities?
Project Zero practices responsible disclosure. They do not make money from the exploitation of the companies whose software/hardware they find flaws in. The difference is very stark and you are being deliberately obtuse.
> They do not make money from the exploitation of the companies whose software/hardware they find flaws in.
Right, and neither did these researchers.
In point of fact, no, the difference really isn't all that stark. It's a difference of degree, not category. You apparently have a problem with disclosing vulnerabilities without providing advanced notice to the vendor, and you consider it especially distasteful to do so if you're financially benefitting from that. But all of that still comprises vulnerability disclosure, which is categorically different from actively using a vulnerability to compromise users as part of a criminal enterprise.
We can go back and forth like this all day, because every time someone bends the definition of black hat to fit something they disagree with, I can form a counterpoint which is technically true but which no one is willing to call black hat behavior, like Google Project Zero. On the other hand, if we use the definition of black hats as criminals engaging in online fraud, augmented by security vulnerabilities, then of course Google Project Zero doesn't qualify. You're going to have a very difficult time broadening the scope of this terminology to suit your definition without accidentally including groups you don't want to be in the same bucket.
And that's precisely my point. If you broaden terms too much, like "black hat" to "stuff with computers in bad faith", we can just weasel in whatever satisfies the definition or agrees with our personal viewpoint. Black hat criminals do not engage in debatable behavior, because it's strictly illegal and directly profits at the expense of other people. At best, all you can do is formulate an abstract argument about people being harmed by rapid disclosure, but that actually comes down to a debate of disclosure guidelines, not a debate of activist investing.
Actually dsacco convinced me with his arguments (that those guys are not black hats). Don't assume bad faith in opponents when you are losing the argument ...
On the other hand I agree with responsible disclosure. And I think that should be made mandatory by law.
And finally, I also agree with some fines for companies allowing these holes to exist for so long. Especially those discoverable by 4 (more or less) random guys.
This is not a black and white situation, so don't look for easy conclusions.
There is a reasonably accepted definition for what a "black hat" is. I don't particularly agree with conceptually bucketing people into black hats or white hats, but the paradigm has an existing meaning.
In any case, if we go by what you're saying, then anyone can define "black hat" to mean whatever they want, which means it's a meaningless and unproductive concept to throw around in conversation.
Your assertion is in a catch-22 here. Words have meaning without requiring an independent body to rigorously define them. The established definition of a black hat is someone who compromises other people using security failures for their own gain. If instead we choose to say that the term has no established definition, then the entire point is moot, because calling someone a "black hat" no longer means anything.
> There is a "reasonably accepted" definition of black hat, by your reasoning, and it is: someone who uses computers in bad faith.
Speaking as someone who 1) works in the security industry, 2) has managed corporate disclosure programs as an internal security engineer, 3) has run a security consulting firm working with many companies, and 4) has reported security vulnerabilities in disclosure programs; no, that's not the reasonably accepted definition. I can't think of any colleague I've ever worked with off the top of my head, nor any widely read security-focused periodical (like Krebs), who would use the term "black hat" for such a generalized disagreement of ethics.
I think the "security industry" has a delusional image of themselves and regard most of them as grey hats at best. An insider's opinion on what constitutes black hat is not particularly impressive to me. And this is not a generalized disagreement of ethics. Bad faith has a specific meaning and you are unreasonably stretching it.
> I think the "security industry" has a delusional image of themselves and regard most of them as grey hats at best.
This criticism of the industry might hold more weight if you actually evidenced a willingness to use terminology according to its accepted usage, not as a tool to advance your ethical opinions.
> And this is not a generalized disagreement of ethics.
It actually is, because I strictly disagree that either of 1) trading on bad news, like security vulnerabilities, or 2) disclosing vulnerabilities without notifying the vendor are unethical. You're free to disagree! Your opinion is just as valid as mine; the thing is, we don't define words based on opinions, because then we'd never get anywhere, and we could label people we don't like whatever term we know other people don't like, even if we don't share the same definition of the term. By calling people who do either of #1 or #2 black hats, you're exercising rhetoric that puts them in with actual criminals, doing actual illegal things just because they are doing something you disagree with.
> Bad faith has a specific meaning and you are unreasonably stretching it.
Okay. I guess I'm free to also call scientists working on whatever thing I disagree with pseudoscientists then, just because I find their work ethically unsettling. Better yet, I could call them criminals.
Words aren't defined by any authority. Their historical and present common uses however are documented by dictionaries et al. The most authoritative source on the term "black hat" is probably esr's jargon file: http://www.catb.org/jargon/html/B/black-hat.html
To save the click: "1. [common among security specialists] A cracker, someone bent on breaking into the system you are protecting."
Your (and hdyr's) looser version is not in common usage and in that sense is wrong.
This is exactly my point. The Jargon file is pretty dated and imo the definition given there isn't really adequate.
My looser version is indeed in common usage. If nothing else 5 HN users seem to agree with my definition enough to upvote my initial comment on the matter.