‘Hackers’ and ‘cybercriminals’ are not the same thing, here’s why - Lacework

Allie Fick, Security Reporter

December 21, 2022

Hackers and cybercriminals aren’t the same. Pop culture and media have popularized using the terms interchangeably, which has led to many people—myself included—accidentally using the wrong word. While it seems like a minor mistake, grouping the good hackers with the bad ones is more harmful than you might realize.

Meet your problem solvers

When you arrive at a crowded bar and see a long line of people waiting to enter, what do you do?

Many of us would just wait in the line. We realize there’s a system in place and then we follow those rules. But not everyone sees it that way.

Hackers are problem solvers. They see how a system works, and they figure out how to make it behave differently than intended. This is why, when expert hacker, author, and speaker Ted Harrington wanted to avoid a line at a bar, he knew exactly what to do. By thinking like a hacker, he tricked the hostess into revealing the name of one of the VIP groups, confidently declared he was with that group, and seamlessly entered the bar without waiting.

The unique perspective of a hacker

Hackers like Ted have a unique ability to see problems differently than most people. They set a goal, learn how a system works, and gather information to get around that system.

The nonprofit organization, Hacking is NOT a Crime, which promotes the decriminalization of hacking, defines a hacker as “an inquisitive critical thinker who solves complex problems in an unorthodox manner.” They’re experts at finding alternative ways to accomplish something. Hackers aren’t always criminals, though there are still negative stigmas associated with their practice.

According to Hacking is NOT a Crime, hackers are often misrepresented in pop culture as criminals with bad intentions — stereotypes that negatively influence public opinion and legislation. These negative perceptions have ripple effects. For example, when hackers find security vulnerabilities, they sometimes don’t disclose them publicly because they’re afraid of the consequences. Even though they haven’t done anything wrong (and organizations would actually benefit from knowing about these security issues), hackers decide it’s simply not worth the risk.

It’s all about intentions

The difference between good and bad hackers all comes down to intent. The two groups want to find the same flaws, but what they do with that information is very different. The bad hackers — the actual cybercriminals — want to take these flaws and benefit personally at someone else’s expense.

Ethical hackers, on the other hand, are using their intellectual curiosity to prevent breaches from happening before the malicious hackers arrive. They make informed opinions about how a bad hacker is going to act and often work for companies that want to improve their security posture.

The path from cybercriminal to ethical hacker

Tommy DeVoss first became interested in hacking in the 90s as an elementary school student when he connected with experienced hackers in online chat rooms. Eventually, he began hacking websites out of boredom, which landed him in prison in the early 2000s. Upon release, he was banned from touching computers. But he couldn’t seem to avoid his favorite hobby—he ended up in prison two more times for violating orders to stay away from computers.

When he was released the third time, Tommy couldn’t find a job. Though he had advanced technical skills, it was hard to find a company that was willing to trust him. Finally, a startup that helped companies like grocery stores track their inventories gave him a chance and hired him as a software developer. A few years later, he read a blog post about people being paid for bug bounties.

It sounded too good to be true—he could get paid to hack?

How can you make money hacking? 

A bug bounty is a monetary reward offered to hackers who find security vulnerabilities (bugs). These programs benefit organizations because they help improve security by fixing issues before cybercriminals discover them.

When Tommy heard this, he immediately created an account on HackerOne—a security platform that connects hackers with businesses who want to improve their security.

After Tommy won his first bounty in 2016, he began to spend most of his time looking for more bugs, which proved to be a much more efficient way to make money than software development. But as technology improved, he realized he needed to improve his tactics. As other hackers figured out how to use the automated security tools that he had traditionally used, he began to look for things that a normal web app scanner couldn’t find. When he made that switch, he started to make massive amounts of money—there were a few instances where he made more than $100,000 in just one day. Today, Tommy is the head of application security for a company in New York City and helps organizations improve their security.

Tommy often cautions new hackers that getting involved with illegal activities just isn’t worth it. “If you’re good enough to do this as a black hat, you’re good enough to do this as a white hat, and you can make life-changing money doing it,” he said in a Darknet Diaries podcast interview.

He also wants new hackers to know that bug bounty hunting is hard work, but they shouldn’t get discouraged. One of the biggest misconceptions about bug bounties is that hackers are going to be instantly successful. While it’s possible to make a lot of money, it’s important to remember that experienced or well-known hackers sometimes have advantages like special or early invitations to hacking events. He also says that he fails a lot more than he’s successful. It’s hard, consistent work. To keep his hacking skills up to date, he reads every blog post he can find about hacking to learn from others’ tactics.

The safer route to hacking

For most people, becoming a hacker isn’t nearly as risky as it was for Tommy. “[Ethical hackers] represent a well-educated subset of the population whose keen resourcefulness, critical thinking skills, and subject matter expertise are in higher demand now than ever before,” wrote Bugcrowd, a security company that connects ethical hackers with businesses, in their 2021 Inside the Mind of a Hacker report.

According to the report, most hackers are college graduates with a variety of backgrounds—computer science, engineering, information technology. This field doesn’t require a specific or formal education; anyone who is curious and good at solving problems and critical thinking can be successful. Bugcrowd found that 79% of hackers taught themselves how to hack with online resources.

Is trust an issue? 

Business leaders sometimes have hesitations about working with people with expert hacking skills, but it’s important to focus on the intent of hackers instead of fearing their capabilities. Malicious hackers wouldn’t be interested in working with a company that hires ethical hackers—if they wanted to hack the business, they could do it on their own anonymously. And it’s important to remember that most hackers do have good intentions—86% of hackers think reporting a critical vulnerability is more important than trying to make money.

Casey Ellis, CTO of Bugcrowd, says that we can compare hackers to locksmiths. A locksmith could technically break into your house and steal your possessions, just like a burglar would. But that’s not what usually happens—their moral responsibility and the risk of losing their job prevents it. That’s how we should think about hackers—they know how to break in, but that’s not how they use their abilities. “If a burglar wants to rob your house, they’ll do it anyway,” Ellis said. They don’t need to get hired by you to do it.

How to distinguish between good and bad 

If the difference between ethical hackers and cybercriminals comes down to intent, how do you distinguish between good and bad intentions?

Bryan McAninch (Aph3x), the co-founder of Hacking is NOT a Crime, separates hacker activity into four categories to draw the line between good and bad: ethical/legal, ethical/illegal, unethical/legal, and unethical/illegal. His organization doesn’t condone anything that is unethical, regardless of whether it’s legal or not. They strongly support ethical/legal activities.

The area where the organization sees the biggest opportunity to have an impact is the ethical/illegal category. He said that this is where whistleblowers, or ethical people who see something wrong, come into play. They perform acts of civil disobedience, break nondisclosure agreements, or even break the law in an effort to be transparent for the greater good of the public.

Hacking is NOT a Crime wants to see policy reform for ethical/illegal activities because they believe that, if some of those activities were made legal, it could fix a lot of problems we face today. It’s easy to tell when something is illegal because it’s simply a question of whether someone is breaking the law or not. But what about when an illegal act is helping someone but not actually hurting anyone?

Within the hacking community, there are people who want to uncover unethical things that they’ve discovered (e.g., misused customer data), but they don’t out of fear of getting in trouble with the law, because they discovered that information illegally (e.g., they didn’t have prior permission to access a company’s network). But their findings are for the greater good, which puts them in a predicament. If they’ve uncovered an unethical act illegally, is that ethical? Is it worth it for them to get in trouble with the law?

Bryan says that as the world becomes increasingly more dependent on technology, our personal privacy and security will be impacted. If we aren’t looking for vulnerabilities or exposing unethical acts, we will all suffer.

Organizations that facilitate bug bounties usually set specific scopes for each bounty, outlining the types of vulnerabilities they want hackers to disclose, which part of a system they can test, and the types of testing they can use. When hackers discover vulnerabilities outside the scope of the bug bounties, they’re put in a similar situation where they must decide whether they want to follow the rules or disclose a vulnerability.

Jasiel Spelman, a security engineer at Lacework with extensive experience analyzing exploits, said that disclosing information outside of the scope of a bug bounty can be valuable because it can help businesses realize the value in expanding the scope of the program.

The US government is beginning to recognize that a lot of security research is beneficial and conducted by curious individuals with good intentions, not criminals. In May 2022, the US Department of Justice revised its policy for charging violations of the Computer Fraud and Abuse Act (CFAA). With the changes, the government will not charge ethical hackers or those conducting good-faith security research. The policy defines good-faith security research as accessing a computer to test, investigate, or correct a security flaw in a way designed to avoid public harm, where the information gathered is used primarily “to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

What should we call hackers? 

Not everyone who hacks is a criminal. Most hackers are just curious and have a real need to expose wrongdoing in the world. So what should we call the good hackers? Should we call them ethical hackers? White hats? Security researchers?

Some hackers argue that you don’t even need the term “ethical” because all hackers are implicitly ethical. It would be like calling a doctor an ethical doctor or a lawyer an ethical lawyer. The ethical part is assumed.

Hacking is NOT a Crime encourages anyone using “hacker” with a negative connotation to instead use “cybercriminal” to help people easily distinguish the good from the bad. In all other cases, we can simply say “hacker.”

There’s not a strong consensus on how exactly to refer to the good hackers, and it varies from company to company, but one thing is clear: a hacker isn’t always a malicious person, so we shouldn’t use the term negatively.

Learn more about hacking

Just because a hacker thinks like a bad guy doesn’t mean they are one. It means they’re smart people who can make informed decisions about how cybercriminals would act. For those who are interested in a career in hacking, Bugcrowd and Hacker 101 offer free ethical hacking training.

Lacework Labs, our own team of security researchers, recently released our Cloud Threat Report that highlights the trends and tactics we’ve seen from cybercriminals over the past few months.