Transparent Hat Hackers: Hacking Outside the Box

Most people are familiar with the concept of white hat hackers and black hat hackers, who are separated along ethical lines. Black hat hackers violate computer security for the wrong reasons, while white hat hackers do it for ethical reasons, such as showing the world some systems are not secure enough. There are actually several other types of “hats,” as well, such as gray hats (in between white and black) and green hats (newbies). Today, I’d like to introduce another type of hat: a transparent hat.

Hacking requires a deep understanding of computer systems. Hackers must understand the hardware level, have intimate knowledge of the system and have special, esoteric skills, such as being able to write assembly language programs under special constraints or understanding obfuscated programs.

Transparent hat hackers do not hurt computer systems for malicious causes, nor do they do it for the right cause. In fact, they do not hurt any systems at all. Instead, transparent hat hackers design and solve difficult mathematical problems that are related to the cyberdomain and enhance their abilities in ways that would help develop the cyberdomain.

Let me provide some examples.

Example No. 1

Thinking outside the box, here is a program I wrote for the IEEEXtreme 5.0 competition:

Given a seven-digit number, make an exercise from it whose result is 100. You may use the four basic math operations and parentheses between digits such that the result is a valid exercise whose result is 100. Note that you must use all the digits, keep the order of the digits and you are not allowed to combine several digits into a number.

Thus, the solutions “5x5x4,” “5x5x4+0x1x5x5” and “5x(5+5+1+0)+45” are not valid for the number 5551045, while the solution “5x(5+5+1+0+4+5)” is.

Your task is to write a program that, given a seven-digit decimal number, finds an exercise whose result is 100. You must keep the original digits in order and add characters from the following six-character alphabet: “+-x/().” So far, it is a straightforward task that requires some programming skills and some optimization to solve it fast enough. However, here comes the interesting part — the validity is checked using the following script:

Hacking Outside the Box image 1

Click to see the answer

A zero exit code is considered a valid solution. If you pay close attention to the scoring script, for example, you would see a way to fool it and solve the input “5750004,” which is unsolvable by the definition above but solvable by tricking the script.

Example No. 2

What does the following program do?

Hacking Outside the Box image 2

Click to see the answer

This 81-bytes-long 8086 assembly program can run on a Dos-Box and demonstrates some card magic. Can you understand it?

 

Example No. 3

The task here is to beat the robots in this shooting game. Download the game, run it and try to win.

www.codeguru.co.il/gurucode/shooter.zip [NOTE: Clicking this link will start a program download]

Solving a math exercise (Example No. 1), reverse engineering card tricks in assembly (Example No. 2) or finding bugs in a computer game (Example No. 3) does not directly cause any harm to a computer system, doesn’t hurt anyone’s privacy, is not considered a crime and even isn’t considered to be a zero-day exploit. However, these exercises do teach you the skills needed for hacking. Example No. 1 shows you how to think outside the box and bend the rules of the system, while Example No. 2 shows you how to reverse engineer packed code that uses undocumented Microsoft operating system interrupts and appreciate the compression of data into code. Example No. 3 shows you how to look for common programming errors that tend to appear in real-life software and create security problems used by all types of hacking experts. And taken all together, these 3 examples reveal that hackers may not necessarily wear either white or black hats.

Share this Article:
Oded Margalit

CCoE CTO, IBM

Dr. Oded Margalit is the CTO of IBM's Cybersecurity Center of Excellence at Beer-Sheva Israel, where he leads the technical agenda of Center, working with research and development teams worldwide, as well as with clients and partners. Previously he was with IBM research lab at Haifa Israel where he worked on Machine Learning, Constraint Satisfaction Problem, formal verification and more.