Archive for the ‘Trivial’ Category

Vulnerability Research for Fun but Profit?

Wednesday, January 16th, 2008
Out of all the jobs I could be doing, I think vulnerability research would be the most interesting and rewarding. Unfortunately, I can't make enough money doing it to pay my bills. I'm not one of the Dave Aitels or Jon Ericksons of the world, unfortunately - I don't have enough credibility to write a book. Knowledge, maybe. Finding things wrong with software is actually not that hard. There are several classes of vulnerabilities that can be discovered in an automated way. The difficult part is the analysis: finding out 1) if it's exploitable, 2) how to exploit it, and 3) recommending ways to fix it. For me, finding a security bug is like solving any hard problem - the "aha!" is an adrenaline rush, and I'm on a high for hours. I've tried explaining it to my roommates, but they just don't get it. Just like I don't get why someone would want to be an accountant! Hey Jon! I never feel so technical or geeky as when I'm 20 stack frames deep in a gdb session, trying to determine what piece of data is triggering an overflow. It feels arcane, it looks arcane, and holy fuck don't interrupt me. Seriously - I'm mind-deep in hexadecimal and wading through code that someone else wrote. MMmm...

On Hats

Saturday, January 5th, 2008
So you've heard the term "black hat" before, and you're wondering what it means? A hacker's hat is determined by what they do with[out] permission. This "hat" terminology is also used in the SEO community - black hat SEO is much different from black hat hacking. Being a black hat hacker (or "attacker") can get you fined or put in prison - black hat SEO will only get you de-listed from Google.

Hacker hat colors are used to distinguish what the hacker does with[out] permission, and what they do if they find a vulnerability in a system. Permission usually means they have something in writing stating what IPs or software are fair game, and any limits that are imposed on the breach attempt. Think of this piece of documentation as a real-life get-out-of-jail-free card. Limits on what techniques are used for the breach are important - perhaps there is production data, with live credit card information, that should not be seen (but it should be encrypted or masked anyway, right?)

A black hat hacker does things without permission, and profits directly or indirectly from any discovered vulnerabilities. The term "cracker" used to be used to distinguish black hatters from the others, but mainstream media doesn't use it, so neither does the public. To the average citizen, hacker == black hat. Black hats are the people who write exploits and don't notify vendors, or sell them to organized crime or other black hats. They are hired by organized crime to write software that steals passwords, identities and banking information. A lot of them are young, from non-US countries (due to legalities) and don't have a formal education in computing science.