Recently, a former student of mine wrote me asking how to handle an overzealous white-hat hacker. In this case, the hacker had probed the publically exposed computer networks and assets of my friend's company, then left multiple copies of a document describing the weaknesses he found -- and asked to be hired to close the holes and locate more weaknesses.
Large companies find themselves on the receiving end of such aggressive solicitations on a regular basis. My friend asked if I thought the hacker's actions were unethical. My answer: Any security probing of a computer or network without the express permission of the owners is an ethical violation.
[ Also on InfoWorld: No honeypot? Don't bother calling yourself a security pro | Keep up with key security issues with InfoWorld's Security Central newsletter. ]
This particular white hat (better defined as a gray hat) listed his computer security certifications and accomplishments. I told my friend he should tell the hacker to contact the various certification agencies and ask them how they felt about his unrequested services. They, too, will tell him that his actions were unethical. In many cases they would be illegal, as well. Whitehat hackers have been arrested and convicted for doing the same.
Between white hat and black hat is gray hat
Nonetheless, although I consider what the white-hat hacker did in this scenario to be unethical, I don't consider him to be all bad. Simply hacking your network and doing devious things would be all bad. This is more of a gray area -- hence the gray-hat designation. I'm sure the hacker's intent was simply to get a job using his skills in a "good" way. I mean, what harm could there be in identifying weaknesses and telling people about them -- and possibly drumming up money along the way?
Let me repeat: It's unethical and possibly illegal.