What determines if a question should be considered Blackhat?

Question

I asked this question recently which got a lot of votes and people thought was interesting, as well as some very interesting answers. It could have been the start of a very interesting discussion, except it was oddly closed for being "too blackhat".

This is ridiculous.

I asked only what techniques may exist to do so, not for advice on actually doing so.

I would think that question is not so different from other bypassing questions on this site, such as how to bypass ASLR.

The question is, to what extent do you determine a question is blackhat? Simply asking about an attack scenario is not enough, as there is nothing inherently blackhat about discussing potential attacks.

Now, if someone is asking for specific tools or instructions for a scenario, then that could be considered blackhat. In this case however I asked about potential attacks, with the question and level being similar to what would be presented at any security conference.

I would propose that simply asking how things can be bypassed, or what the potential attacks may be in a scenario should not be considered blackhat, as ideally good questions will be abstracted enough where it is possible to determine motivation.

It only makes sense for questions which are obviously blackhat to be considered blackhat. Thoughts?

Answer 1

I didn't get involved in moderating your original question, and will not defend or decry the position taken by another mod. However, I will say that my evaluation of that question is that it's overly vague. "How can a network's captive portal be bypassed" depends on the implementation of the captive portal, its integration into the host network and how much access an attacker has. Even if a good answer using assumptions based on today's common practice were provided, that answer could quickly become outdated or may not apply to the situation you're asking about.

I would prefer to see a question that details the situation you're working with, and asks for discussion of the residual risk and remaining attacks against that situation. Honestly, whether you intend to use that information for evil is unimportant to me for the purposes of deciding whether you get a good answer (though of course I would frown on evil applications, and remind you to check the legality of any actions you take). My reasoning is that even if you choose to use the site's powers for good, someone else will not.

Answer 2

Thoughts?

There is no such thing as black and white, only shades of gray.

After that deep philosophical bombshell: it's a subjective call. Any information can be used both constructively and destructively. I think the difference is in the impression of intent. The ASLR question, for example, says:

How effective is ASLR in preventing... How hard is it for an attacker

For a start, you're not asking: "how do I bypass ASLR?". Secondly, the question is posited as an evaluation of the defence and the threat. None of the answers actually detail any mechanisms.

What would be some hypothetical ways to bypass a captive portal? How could you bypass this?

I won't pass judgement as to whether you intend to use this or not. Likely you don't, as you're here on meta, but see how it looks? What if it was:

I have a wireless network with two separate LANs, one isolated to ensure all users sign our AUP with a restricted set of services, and one for users who have signed it. Is it possible for a malicious user to circumvent this and if so how do I prevent it?

Pretty much the same question, but looks totally different in terms of intent. If I were to draw the line in the sand, I would say the key in my version would be that you're coming at it from a defence angle too.

Do I think it should have been closed? Don't know. Moderators are only other human beings and they sometimes make mistakes, but I can see what their reasoning might have been.

Answer 3

The reason I think this issue is important is because it will affect how the site is viewed by the most savvy and potentially helpful white-hats out there. I want them to get involved here. If the site has lots of questions that would appear shady to a first-time googler, they are simply less likely to want to associate themselves with it. So how things are worded is important, not just the technical content.

Beyond that, I think that setting a constructive tone of voice is also an important element of how to word questions here, so that even when they technically are useful to both extremes, they are slightly more helpful to the white hats and at the same time are less attractive or helpful to the script kiddies. Though I also am not generally a fan of "politically correct" language, I think we should try to move the questions and answers here in the direction of being "professional".

One aspect of that is that in cases like this one, questions be worded to ask for help with mitigating any weaknesses, as well as avoiding explicit exploit code.

I'll also agree, as Ninefingers notes, that there is indeed a lot of grey in between white and black. Unfortunately this introduces more room for "subjective" interpretations which can easily get out of hand. This can easily lead to jumping to conclusions and being rude with each other, and I urge folks to recognize that and try to avoid it.

Answer 4

Got to this meta question quite late, but I'll try and articulate my thoughts on the matter:

A key difference between black and white hats is that white hats try to help, to fix, to find the problems and teach the admins how to remediate.

So in my opinion providing education so that security professionals can not only learn how to break, attack, exploit etc. but also to detect attacks, identify issues, fix problems and protect assets is what can make a question or answer white hat.

So let us not just ask for exploits, or tell people how to break in, lets provide guidance on how to keep the bad guys out!