Good and Bad Hackers: Different Sides of the Same Coin
While malicious hackers continue to pose everyday threats, white hat hackers are increasingly becoming the first line of defense—and offense—for global security. From playing crucial roles in warfare to combating human trafficking, ‘friendly hackers’ are essential actors in today’s digital age.
Although the shift toward Internet of Things (IoT) devices has opened the door to more security threats, the concepts of cyber vulnerabilities and hacking have long existed.
In 2000, Joseph Mitola was part of an Institute of Electrical and Electronics Engineers delegation to China, along with 30 fellow members. “I was lucky enough to meet the founding director at the Beijing Institute of Technology,” Mitola recalled during an interview with SIGNAL Media.
As the author of a book on software radio, Mitola noted China’s adoption of the phrase and technology concept. “When I met this lab director, I said, ‘There’s a lot of software in these radios. How do you deal with that?’”
“And he said, ‘All my students have to learn how to defend from being hacked and the best defense is a good offense, so they have to go into a website, get data and come out without being detected and without inflicting harm on the website.’”
Mitola, who at the time worked for The MITRE Corporation, was fascinated by the curriculum and continued to converse with the lab director. When asking how students receive a passing grade, the answer shocked Mitola and later his colleagues.
“Your Defense Department websites are by far the best protected,” the lab director answered. “To get an ‘A,’ my students have to get into a [Department of Defense] DOD website, get some data that isn’t available to the general public and do it all without being noticed.”
When Mitola later reported this to his MITRE team, a colleague confirmed that 95% of attacks on the DOD website originated from academic institutions.
While the student hackers allegedly did not collect any data, they did learn how to protect their software radios from attacks. “The way to protect your software radio is to determine how attackers get in and then to block those pathways and methods,” Mitola stated.
“He was the first friendly attacker that I actually ran into,” Mitola said of the Chinese lab director.
Since then, cyber threats from the People’s Republic of China have significantly grown. Salt Typhoon, for example, compromised private information from numerous U.S. companies and government agencies.
Additionally, in September 2024, Kim Zetter reported a hacking competition by the Northwestern Polytechnical University, run by China’s People’s Liberation Army, which may have targeted real victims.
Although the U.S. does not typically disclose details of its own offensive cyber activity publicly, recent remarks from the current administration have called for more offensive operations.
“Attackers think in a different way than defenders,” Mitola said. “Defenders are interested in protecting their data, protecting access to it.”
Concepts such as rule-based access control and role-based access control help protect such information by granting certain privileges to specific users, he explained.
“Attackers don’t think that way. Attackers think, ‘How does a system work? What can I do to make it break?’”
The Morris Worm, for example, was not intended to crash as many systems as it did, Mitola noted of the first alleged major attack on the internet.
Attackers, therefore, look for the most unexpected way to disrupt a system, he said. Mitola went on to describe how attackers can leverage stack overflows, errors that can occur within user-mode threads, according to Microsoft.
“A stack is supposed to be a certain size, and when the software is using the [central processing unit] CPU to do one task and it gets interrupted, the data that was in use has to go somewhere, so it gets put on a stack and then the process that’s associated with the keyboard does its thing, and then the data is taken off the stack and put back into the CPU,” he began.
“If you’re clever about what you type in, then the system will try to do something that will cause the bounds of the stack to be violated. So, a lot of times the operating system will just basically go into a mode where it presents a screen to a supervisor or a manager supposedly that says, ‘Hey, I don’t know what to do, here’s my error code.’”
A human being should then resolve that error code, Mitola said.
“But if the attacker is smart, then instead of presenting that help screen from the operating system to the user ... it’s presented to the software that caused the problem. So, that software says, ‘OK, I’ll take it from here,’ and then it just can do anything it wants to in the system because it now has what’s called root privileges.”
Root privileges mean near-total control of the computer.
“When an operating system hits certain problems, it doesn’t know what to do and it has no remedy and, therefore, it needs help from a person,” Mitola stated, explaining that most large-scale cyber attacks originated from similar vulnerabilities.
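As an added illustration of the unchecked-copy mistake behind the stack overflows Mitola describes (example code written for this article, not code from Mitola or SIGNAL Media), the C fragment below shows a fixed-size stack buffer filled without a length check beside a version that validates the length first and reports an error instead of overrunning the stack. The function names, the 16-byte limit and the sample inputs are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed size of the stack buffer */

/* Unsafe pattern: strcpy trusts whatever length the caller supplies, so any
 * input longer than NAME_MAX - 1 bytes writes past the buffer into the rest
 * of the stack frame. Kept only for contrast; it is never called here. */
int greet_unchecked(const char *input)
{
    char name[NAME_MAX];
    strcpy(name, input);               /* no bounds check */
    printf("hello, %s\n", name);
    return 0;
}

/* Hardened version: measure first, refuse oversized input, and always
 * leave the buffer NUL-terminated. Returns 0 on success, -1 if rejected. */
int greet_checked(const char *input)
{
    char name[NAME_MAX];
    size_t len = 0;

    /* bounded scan: never looks further than NAME_MAX bytes into input */
    while (len < NAME_MAX && input[len] != '\0')
        len++;

    if (len >= NAME_MAX) {
        fprintf(stderr, "input too long (max %d bytes)\n", NAME_MAX - 1);
        return -1;                     /* fail closed, stack frame intact */
    }
    memcpy(name, input, len);
    name[len] = '\0';
    printf("hello, %s\n", name);
    return 0;
}

int main(void)
{
    /* constructed inputs: one fits, one is 40 bytes and would overrun */
    greet_checked("Mitola");
    greet_checked("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    return 0;
}
```

Compiling with stack protection (for example `-fstack-protector-strong` on GCC or Clang) turns a missed check like the one in `greet_unchecked` into an abort rather than silent memory corruption, which is the kind of supervisor-facing error Mitola describes.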
While attackers devise the best ways to break a system, defenders think of measures to put in place to protect it. The two, however, are different sides of the same coin, Mitola said.
A prime example of this is an annual hacker convention titled DEF CON that welcomes thousands of attendees to Las Vegas every year. The event, founded by Jeff Moss—aka Dark Tangent—will celebrate its 33rd anniversary later this month.
Moss is also the founder of Black Hat Briefings, a conference that takes place before DEF CON and tends to be more theoretical, Mitola noted.
In a conversation with SIGNAL Media, Chris Depa, ENSCO’s cyber director for advanced programs, recalled his experience at DEF CON 10 years ago. “They used to play ‘Find-the-Fed,’” he said, describing a game to find a government employee in the room.
Ten years later, Depa said that by a show of hands, roughly 95% of the room confirmed they worked for the government, whether through contracting or directly serving within a government agency.
“It just shows you where the industry has gone and the importance of those things for the government,” he said, referring to the crucial role hackers play in national security.
One such example is a collaborative project between the Defense Advanced Research Projects Agency (DARPA) and DEF CON, along with other partners: Anthropic, Google, Microsoft, OpenAI, the Linux Foundation, the Open Source Security Foundation and Black Hat USA.
The project is an artificial intelligence (AI) cyber challenge titled AIxCC, which was launched in 2023 and will host its final competition at this year’s DEF CON convention. Through this initiative, DARPA is “working to advance AI-driven cybersecurity and usher in a future where we can patch vulnerabilities before they can be exploited,” said AIxCC program manager Andrew Carney.
“We have learned so much from the DEF CON community over the years, from Cyber Fast Track to the Cyber Grand Challenge, and more. It is the best place in the world to engage with the hacker community that has paved the way for so many advancements in cybersecurity, and our presence there will help ensure AI Cyber Challenge tools are widely used when they are open-sourced after the competition,” he concluded.
The winners of the final competition will also be announced this August. The first-place prize will be $4 million.
In another DOD and DEF CON partnership, the U.S. Space Force’s Space Systems Command hosted a capture-the-flag competition called Hack-A-Sat, with a final event that took place at DEF CON 31 in 2023. Hackers at the convention leveraged the Moonlighter satellite, which was specifically designated “to advance cybersecurity for space systems,” a release stated. The top five teams competed for a chance to win $100,000.
Meanwhile, other government agencies, private companies and nonprofit organizations are investing in friendly hackers to mitigate cyber threats.
For Depa and his ENSCO cyber team, day-to-day work revolves around offering clients cybersecurity planning, risk assessments and defensive cyber operations. By attempting to hack clients’ systems, Depa can detect vulnerabilities and then put mitigations in place.
Just last year, ENSCO also volunteered to work with CyberFox Team’s OSINT4Good initiative to end human trafficking.
“In general, what that looks like is using [AI] for the purposes of creating profiles to go out onto social media and find individuals that would be committing human trafficking or finding people that are currently being exploited by that and identifying either locations, points of contact, cell phone number and even the purposes of websites that might be housing that information that could lead law enforcement to finding those people,” Depa described.
From an AI standpoint, the team has used capabilities such as ChatGPT to create scripts, and photo generators for realistic profile photos.
“You can create profiles using that for the purposes of basically fooling a person that is doing harm to someone else in the human trafficking realm,” he said.
Several other examples exist of groups using their own digital skills to do ‘good,’ depending on their own definition of the word, Depa mentioned.
One hacker group hacks North Korean systems for the purpose of getting people out of the country while exposing the regime. Another group targets members of Scientology to free them from their beliefs.