Panel debates Samaritan-hack amnesty

Hack-and-tell: a crime or public service?

Do good intentions count in a network intrusion, or should well-meaning hackers be prosecuted just like any other computer criminal?

A panel of information security experts chewed on that issue at a security conference here Monday -- and for one of them, the question was more than academic.

"Obviously, nobody wants to be compromised and it's never a one-hundred percent pleasant experience," said Adrian Lamo, described in the conference program as a communication phenomena researcher. "But I'd like to see more receptivity to processing compromises that don't result in damage, without necessarily destroying the life of the person involved."

The conference on "Information Security in the Age of Terrorism," hosted by the American Management Association, was Lamo's first public appearance since his high-profile hack of the New York Times' internal network last month, in which he exploited lax security to tap a database of 3,000 Times op-ed contributors, culling such tidbits of information as Robert Redford's social-security number, and former president Jimmy Carter's home phone number.

The 21-year-old Lamo has a year-long history of exposing gaping security holes at large corporations, then voluntarily helping them fix the vulnerabilities he exploited -- sometimes visiting their offices or signing non-disclosure agreements in the process. So far, his helpful habits have kept him from being prosecuted, and some companies have even professed gratitude for his efforts. In December, Lamo was praised by communications giant WorldCom after he discovered, then helped close, security holes in their intranet that threatened to expose the private networks of Bank of America, CitiCorp, JP Morgan, and others.

But one month after Lamo notified the New York Times of its vulnerabilities through a SecurityFocus Online reporter, the Times intrusion remains a sword of Damocles suspended over the hacker's head. The paper hasn't sought Lamo's assistance, and isn't thanking him for the attention. "We're still investigating and exploring all of the options," said spokesperson Christine Mohan on Monday. Asked if the Times is contemplating filing a criminal complaint with the FBI, Mohan added, "That is one of the options."

Though he's made friends of many of his targets, Lamo doesn't dispute that cracking their networks without permission violates federal computer crime laws. But none of the security professionals alongside him on Monday's panel would condemn illegal computer intrusion as unacceptable in and of itself.

Instead, they generally agreed that there should be room for a benign hacker to notify an organization of a vulnerability without being prosecuted for exploiting it, and that the decision to prosecute was properly left in the hands of the hacked organizations, and government prosecutors.

"The companies who are approached by Adrian and folks like him should have a gentleman's understanding that they won't bring him to prosecutors," said Richard Forno, CTO of Shadowlogic. (Forno is a columnist for SecurityFocus Online).

The factors to consider: whether the intruder causes harm, what they do with their access, and how quickly they come clean with the organization they've hacked.

"Ethical hackers who don't do damage and push the state of the art in security, they're providing a valuable service," said Jonathan Couch, a network security engineer at Sytex Inc. "The government needs to have the discretion not to prosecute."

Zero Tolerance

But all the talk of limited amnesty for hackers was too much for NFR Security CTO Marcus Ranum, who signaled his dissent by applauding alone from the back of the room at the mention of a legislative proposal that would make some hackers eligible for life imprisonment. "You guys are a bunch of security professionals and you're sitting here making apologies for hackers," said Ranum. "That's the lamest thing I've never heard of."

In an interview later, Ranum called Lamo a "sociopath," and said his hacks are indefensible. "It's against the law, how much more cut and dried can you get?" said Ranum. "If society was comfortable with what he's doing, they'd change the law."

Even panelists without Ranum's moral certitude said after the session that Lamo would flunk their own test for hacker amnesty, primarily because he often enjoys illicit access to a network for weeks before telling the company. Such was the case in the New York Times intrusion.

"He had access to internal, sensitive, private information, and he didn't give up his access until he was ready," said Brian Martin, a security consultant for CACI-NSG, and a former hacker himself. "I don't necessarily think he should do time, but I don't think he should be exempt just because he reported it."

"As soon as he found a significant hole, he should have reported it," said Forno. "But to find a way in, prowl around for four or five weeks, and then report it -- that should be criminal."

Lamo responded that the elapsed time before he reports a hack is a function of his vagabond style: he frequently finds a hole in a network, then wanders away only to return days or weeks later to prod a little more. "The reality is, this is not what I do for a living," said Lamo. "It is a hobby."

What seems certain is that Lamo's hobby is going to fuel more controversy. Some observers think he'd be better off collecting stamps. "I don't see how it can stay this way," said Chris Wysopal, director of research and development for @Stake. "I think once there are people following in his footsteps, there might be a clampdown."

© 2002 SecurityFocus.com; all rights reserved.
