[ISN] Panel debates Samaritan-hack amnesty

From: InfoSec News (isnat_private)
Date: Wed Mar 27 2002 - 01:40:30 PST


    By Kevin Poulsen, SecurityFocus Online
    Posted: 27/03/2002 at 05:51 GMT

    Do good intentions count in a network intrusion, or should
    well-meaning hackers be prosecuted just like any other computer

    A panel of information security experts chewed on that issue at a
    security conference here Monday -- and for one of them, the question
    was more than academic.

    "Obviously, nobody wants to be compromised and it's never a
    one-hundred percent pleasant experience," said Adrian Lamo, described
    in the conference program as a communication phenomena researcher.
    "But I'd like to see more receptivity to processing compromises that
    don't result in damage, without necessarily destroying the life of the
    person involved."

    The conference on "Information Security in the Age of Terrorism,"
    hosted by the American Management Association, was Lamo's first public
    appearance since his high-profile hack of the New York Times' internal
    network last month, in which he exploited lax security to tap a
    database of 3,000 Times op-ed contributors, culling such tidbits of
    information as Robert Redford's social-security number, and former
    president Jimmy Carter's home phone number.

    The 21-year-old Lamo has a year-long history of exposing gaping
    security holes at large corporations, then voluntarily helping them
    fix the vulnerabilities he exploited -- sometimes visiting their
    offices or signing non-disclosure agreements in the process. So far,
    his helpful habits have kept him from being prosecuted, and some
    companies have even professed gratitude for his efforts. In December,
    Lamo was praised by communications giant WorldCom after he discovered,
    then helped close, security holes in their intranet that threatened to
    expose the private networks of Bank of America, CitiCorp, JP Morgan,
    and others.

    But one month after Lamo notified the New York Times of its
    vulnerabilities through a SecurityFocus Online reporter, the Times
    intrusion remains a sword of Damocles suspended over the hacker's
    head. The paper hasn't sought Lamo's assistance, and isn't thanking
    him for the attention. "We're still investigating and exploring all of
    the options," said spokesperson Christine Mohan on Monday. Asked if
    the Times is contemplating filing a criminal complaint with the FBI,
    Mohan added, "That is one of the options."

    Though he's made friends of many of his targets, Lamo doesn't dispute
    that cracking their networks without permission violates federal
    computer crime laws. But none of the security professionals alongside
    him on Monday's panel would condemn illegal computer intrusion as
    unacceptable in and of itself.

    Instead, they generally agreed that there should be room for a benign
    hacker to notify an organization of a vulnerability without being
    prosecuted for exploiting it, and that the decision to prosecute was
    properly left in the hands of the hacked organizations, and government

    "The companies who are approached by Adrian and folks like him should
    have a gentleman's understanding that they won't bring him to
    prosecutors," said Richard Forno, CTO of Shadowlogic. (Forno is a
    columnist for SecurityFocus Online.)

    The factors to consider: whether the intruder causes harm, what they
    do with their access, and how quickly they come clean with the
    organization they've hacked.

    "Ethical hackers who don't do damage and push the state of the art in
    security, they're providing a valuable service," said Jonathan Couch,
    a network security engineer at Sytex Inc. "The government needs to
    have the discretion not to prosecute."

    Zero Tolerance

    But all the talk of limited amnesty for hackers was too much for NFR
    Security CTO Marcus Ranum, who signaled his dissent by applauding
    alone from the back of the room at the mention of a legislative
    proposal that would make some hackers eligible for life imprisonment.

    "You guys are a bunch of security professionals and you're sitting
    here making apologies for hackers," said Ranum. "That's the lamest
    thing I've never heard of."

    In an interview later, Ranum called Lamo a "sociopath," and said his
    hacks are indefensible. "It's against the law, how much more cut and
    dried can you get?" said Ranum. "If society was comfortable with what
    he's doing, they'd change the law."

    Even panelists without Ranum's moral certitude said after the session
    that Lamo would flunk their own test for hacker amnesty, primarily
    because he often enjoys illicit access to a network for weeks before
    telling the company. Such was the case in the New York Times

    "He had access to internal, sensitive, private information, and he
    didn't give up his access until he was ready," said Brian Martin, a
    security consultant for CACI-NSG, and a former hacker himself. "I
    don't necessarily think he should do time, but I don't think he should
    be exempt just because he reported it."

    "As soon as he found a significant hole, he should have reported it,"
    said Forno. "But to find a way in, prowl around for four or five
    weeks, and then report it -- that should be criminal."

    Lamo responded that the elapsed time before he reports a hack is a
    function of his vagabond style: he frequently finds a hole in a
    network, then wanders away only to return days or weeks later to prod
    a little more. "The reality is, this is not what I do for a living,"
    said Lamo. "It is a hobby."

    What seems certain is that Lamo's hobby is going to fuel more
    controversy. Some observers think he'd be better off collecting
    stamps. "I don't see how it can stay this way," said Chris Wysopal,
    director of research and development for @Stake. "I think once there
    are people following in his footsteps, there might be a clampdown."