April 20, 2015 By Oded Margalit 3 min read

Most people are familiar with the concept of white hat hackers and black hat hackers, who are separated along ethical lines. Black hat hackers violate computer security for the wrong reasons, while white hat hackers do it for ethical reasons, such as showing the world some systems are not secure enough. There are actually several other types of “hats,” as well, such as gray hats (in between white and black) and green hats (newbies). Today, I’d like to introduce another type of hat: a transparent hat.

Hacking requires a deep understanding of computer systems. Hackers must understand the hardware level, have intimate knowledge of the system and have special, esoteric skills, such as being able to write assembly language programs under special constraints or understanding obfuscated programs.

Transparent hat hackers do not hurt computer systems for malicious causes, nor do they do it for the right cause. In fact, they do not hurt any systems at all. Instead, transparent hat hackers design and solve difficult mathematical problems that are related to the cyberdomain and enhance their abilities in ways that would help develop the cyberdomain.

Let me provide some examples.

Example No. 1

Thinking outside the box, here is a program I wrote for the IEEEXtreme 5.0 competition:

Given a seven-digit number, make an exercise from it whose result is 100. You may use the four basic math operations and parentheses between digits such that the result is a valid exercise whose result is 100. Note that you must use all the digits, keep the order of the digits and you are not allowed to combine several digits into a number.

Thus, the solutions “5x5x4,” “5x5x4+0x1x5x5” and “5x(5+5+1+0)+45” are not valid for the number 5551045, while the solution “5x(5+5+1+0+4+5)” is.

Your task is to write a program that, given a seven-digit decimal number, finds an exercise whose result is 100. You must keep the original digits in order and add characters from the following six-character alphabet: “+-x/().” So far, it is a straightforward task that requires some programming skills and some optimization to solve it fast enough. However, here comes the interesting part — the validity is checked using the following script:

[expand title=”Click to see the answer”]

A zero exit code is considered a valid solution. If you pay close attention to the scoring script, for example, you would see a way to fool it and solve the input “5750004,” which is unsolvable by the definition above but solvable by tricking the script.


Example No. 2

What does the following program do?

[expand title=”Click to see the answer”]

This 81-bytes-long 8086 assembly program can run on a Dos-Box and demonstrates some card magic. Can you understand it?



Example No. 3

The task here is to beat the robots in this shooting game. Download the game, run it and try to win.

www.codeguru.co.il/gurucode/shooter.zip [NOTE: Clicking this link will start a program download]

Solving a math exercise (Example No. 1), reverse engineering card tricks in assembly (Example No. 2) or finding bugs in a computer game (Example No. 3) does not directly cause any harm to a computer system, doesn’t hurt anyone’s privacy, is not considered a crime and even isn’t considered to be a zero-day exploit. However, these exercises do teach you the skills needed for hacking. Example No. 1 shows you how to think outside the box and bend the rules of the system, while Example No. 2 shows you how to reverse engineer packed code that uses undocumented Microsoft operating system interrupts and appreciate the compression of data into code. Example No. 3 shows you how to look for common programming errors that tend to appear in real-life software and create security problems used by all types of hacking experts. And taken all together, these 3 examples reveal that hackers may not necessarily wear either white or black hats.

More from Threat Intelligence

CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones

7 min read - CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.Vulnerability detailsThe following Cisco Security Advisory (Cisco IP Phone 6800, 7800, and 8800 Series Web UI Vulnerabilities - Cisco) details CVE-2023-20078 and…

X-Force data reveals top spam trends, campaigns and senior superlatives in 2023

10 min read - The 2024 IBM X-Force Threat Intelligence Index revealed attackers continued to pivot to evade detection to deliver their malware in 2023. The good news? Security improvements, such as Microsoft blocking macro execution by default starting in 2022 and OneNote embedded files with potentially dangerous extensions by mid-2023, have changed the threat landscape for the better. Improved endpoint detection also likely forced attackers to shift away from other techniques prominent in 2022, such as using disk image files (e.g. ISO) and…

Widespread exploitation of recently disclosed Ivanti vulnerabilities

6 min read - IBM X-Force has assisted several organizations in responding to successful compromises involving the Ivanti appliance vulnerabilities disclosed in January 2024. Analysis of these incidents has identified several Ivanti file modifications that align with current public reporting. Additionally, IBM researchers have observed specific attack techniques involving the theft of authentication token data not readily noted in current public sources. The blog details the results of this research to assist organizations in protecting against these threats. Key Findings: IBM research teams have…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today