Panel Debates Hacker Amnesty

WASHINGTON -- Do good intentions count in a network intrusion, or should well-meaning hackers be prosecuted just like any other computer criminal?

A panel of information security experts chewed on that issue at a security conference here Monday -- and for one of them, the question was more than academic.

"Obviously, nobody wants to be compromised and it's never a one-hundred percent pleasant experience," said Adrian Lamo, described in the conference program as a communication phenomena researcher. "But I'd like to see more receptivity to processing compromises that don't result in damage, without necessarily destroying the life of the person involved."

The conference on "Information Security in the Age of Terrorism," hosted by the American Management Association, was Lamo's first public appearance since his high-profile hack of the New York Times internal network last month, in which he exploited lax security to tap a database of 3,000 Times op-ed contributors, culling such tidbits of information as Robert Redford's social-security number, and former president Jimmy Carter's home phone number.

The 21-year-old Lamo has a year-long history of exposing gaping security holes at large corporations, then voluntarily helping them fix the vulnerabilities he exploited -- sometimes visiting their offices or signing non-disclosure agreements in the process.

So far, his helpful habits have kept him from being prosecuted, and some companies have even professed gratitude for his efforts. In December, Lamo was praised by communications giant WorldCom after he discovered, then helped close, security holes in their intranet that threatened to expose the private networks of Bank of America, CitiCorp, JP Morgan, and others.

But one month after Lamo notified the New York Times of its vulnerabilities through a SecurityFocus Online reporter, the Times intrusion remains a sword of Damocles suspended over the hacker's head. The paper hasn't sought Lamo's assistance, and isn't thanking him for the attention. "We're still investigating and exploring all of the options," said spokesperson Christine Mohan on Monday. Asked if the Times is contemplating filing a criminal complaint with the FBI, Mohan added, "That is one of the options."

Though he's made friends of many of his targets, Lamo doesn't dispute that cracking their networks without permission violated federal computer crime laws. But none of the security professionals alongside him on Monday's panel would condemn illegal computer intrusion as unacceptable in and of itself. Instead, they generally agreed that there should be room for a benign hacker to notify an organization of a vulnerability without being prosecuted for exploiting it, and said the decision to prosecute was properly left in the hands of the hacked organizations, and government prosecutors.

"The companies who are approached by Adrian and folks like him should have a gentleman's understanding that they won't bring him to prosecutors," said Richard Forno, CTO of Shadowlogic. (Forno is a columnist for SecurityFocus Online.)

The factors to consider: whether the intruder causes harm, what they do with their access, and how quickly they come clean with the organization they've hacked.

"Ethical hackers who don't do damage and push the state of the art in security, they're providing a valuable service," said Jonathan Couch, Sr., a network security engineer at Sytex Inc. "The government needs to have the discretion not to prosecute."

ZERO TOLERANCE.

But all the talk of limited amnesty for hackers was too much for NFR Security CTO Marcus Ranum, who signaled his dissent by applauding alone from the back of the room at the mention of a legislative proposal that would make some hackers eligible for life imprisonment. "You guys are a bunch of security professionals and you're sitting here making apologies for hackers," said Ranum. "That's the lamest thing I've ever heard of."

In an interview later, Ranum called Lamo a "sociopath," and said his hacks are indefensible. "It's against the law, how much more cut and dry can you get?" said Ranum. "If society was comfortable with what he's doing, they'd change the law."

Even panelists without Ranum's moral certitude said after the session that Lamo would flunk their own test for hacker amnesty, primarily because he often enjoys illicit access to a network for weeks before telling the company. Such was the case in the New York Times intrusion.

"He had access to internal, sensitive, private information, and he didn't give up his access until he was ready," said Brian Martin, a security consultant for CACI-NSG, and a former hacker himself. "I don't necessarily think he should do time, but I don't think he should be exempt just because he reported it."

"As soon as he found a significant hole, he should have reported it," said Forno. "But to find a way in, prowl around for four or five weeks, and then report it -- that should be criminal."

Lamo responded that the elapsed time before he reports a hack is a function of his vagabond style: he frequently finds a hole in a network, then wanders away only to return days or weeks later to prod a little more. "The reality is, this is not what I do for a living," said Lamo. "It is a hobby."

What seems certain is that Lamo's hobby is going to fuel more controversy. Some observers think he'd be better off collecting stamps. "I don't see how it can stay this way," said Chris Wysopal, director of research and development for @Stake. "I think once there are people following in his footsteps, there might be a clampdown."
