The theory goes that you have your “white hats” who are the good guys, your “black hats” who are the bad guys and somewhere in between – potentially swinging both ways – you’ve got your “grey hats”. Whilst the white hats are theoretically always on the side of good and walk a pretty straight line, the grey hats may step beyond that line into the murky territory that is more about breaking into things than it is about protecting things. Whilst they can actually be enormously useful at highlighting security shortcomings, they can also make quite a mess of things.
It got me thinking recently in relation to the VTech data breach, the one with the millions of kids’ details leaked as a result of them capturing info via tablets designed for children. I worked pretty closely with the reporter who was passed the data by the individual who siphoned it out of VTech’s system and naturally one of the questions we both wanted answered was “why?” – why suck out that much information?
This is where things start going from grey to black; the motive was (allegedly) to help VTech understand that there was a serious security risk in their systems. Now on the whiter end of the scale, you’d privately contact the company involved and say “Hey, I just happened upon a SQL injection risk on your site you might want to get sorted out”. A little greyer and you might provide a small piece of data as proof. But by the time you start pulling millions of records, chat logs and kids’ photos, you’re well and truly out of the grey and into the black.
But here’s the paradox of it all – the individual was worried that if he privately disclosed the security issue, he wouldn’t be taken seriously and many times, that’s exactly what happens. Either that or VTech wouldn’t act promptly or comprehensively review their systems (they had a heap of issues across many different assets). As much as the attacker (and that’s a fair word under the circumstances) did the wrong thing in the way he went about this, nothing gets an organisation to sit up and pay attention faster than an incident like this.
Here’s where it gets even greyer: if he did indeed only share the data with the reporter and he in turn only shared it with me, are we as a society actually now better off? Think about it – the airtime this incident received has caused millions of parents to think twice about putting their kids’ data online. It must have, as the story has been splashed all over the mainstream media for weeks now. Parents should think twice about where they share their kids’ identities, but without this incident going public in the way it did, their views would be no different to what they were before it hit the news.
A 21-year-old man has now been picked up in the UK in relation to hacking VTech. Assuming he’s the guy, he’ll almost certainly face some pretty stiff penalties and possibly get himself a record and even a custodial sentence. And he should suffer some form of penalty too, but I can’t help feeling that as a result of his actions and assuming the data never did actually go beyond the three of us, we may just be a little better off now than we were before. It’s all a bit grey.