NSO Group is White Hat, Really

by Tillie Kottmann

Chances are you hate-clicked your way onto my blog, looking for a comments section where you can yell at me to let me know I’m wrong. But before you do that let’s first talk classification, shall we.

What is your classification based on?

There are two coexisting ways in which most people seem to understand and explain the ‘hacking hat concept’, and they’re both pretty flawed. When you ask someone to explain white/black hats they will probably tell you that white hats are defensive, while black hats are offensive. This explanation falls apart fairly quickly once you ask them whether so-called “ethical” pentesters and red teamers are black hats and whether people hardening the security of ransomware gangs are white hats. This is because even the people explaining it that way actually classify hackers into groups based on their own (the observer’s) personal value system: those who are or work for the “good people” (the “good” governments, local corporations, law enforcement, people on their side of the political spectrum) are white hats and those working for the “bad/evil people” (other governments, organized crime, local resistance groups, foreign state actors) are black hats. It’s easy to see how this way of classifying is highly subjective and leads to collisions.

This classification cannot be absolute

One thing that should be clear by now is that any classification of hackers into black and white hats needs to be relative to the system a hacker is a part of. Which is how we very quickly come to how I classify hackers into hats:

White hats are hackers who work within or in support of a system; they generally do so without consequences and usually legally, though not necessarily. Black hats are hackers who work outside or against the system, generally with eventual consequences and often illegally, though not necessarily.

White hats and black hats are not universal good and evil; I mean, how could they be when the concepts of good and evil are subjective and not the same across the world. Of course this classification is still based on the values within a given system and has to be viewed with that context in mind. It should now be clear to you why I consider NSO Group (and Corporate Intelligence in general) white hat and why that is the only proper way to view them in that classification.

What good is that classification though?

It’s absolutely useless and always has been. The classification into white and black hats serves no one other than the system and those in power; it’s their way of classifying hackers into good and evil from their point of view. The more you understand about this classification, the less use it brings. Letting hackers (and people in general) classify themselves into categories based on their values and goals is way more useful for discourse about “good” and “evil” hackers.

You’re still wrong and I still want to yell at you!

Feel free to do so on Twitter or Mastodon.