Information Security News mailing list archives

Hacking: It's a love-hate relationship


From: InfoSec News <isn () C4I ORG>
Date: Thu, 13 Jul 2000 15:36:28 -0500

Forwarded By: infosec () infosec 20m com

http://www.zdnet.com/zdnn/stories/news/0,4586,2602525,00.html?chkpt=zdnnstop


Hacking: It's a love-hate relationship
By Bob Sullivan, MSNBC
July 12, 2000 12:41 PM PT

The world of computer hackers divides itself into good and bad by hat
color, and the good guys are supposed to wear white. So when the owner
of "whitehats.com" was arrested earlier this year, it sent shudders
through the secretive security community.

Max Vision, regarded as a classic upstanding white hat -- and, it
turns out, an FBI informant -- was indicted for breaking into
government computers. The case illustrates the often awkward love-hate
relationship between hackers and law enforcement agencies.

Max Ray Butler, 28, also known as Max Vision, was charged in March
with hacking into the U.S. Department of Defense and other sensitive
government computer systems. But Butler is not your typical precocious
teen-age hacker. According to his complaint, Butler has worked as an
FBI informant for two years.

Butler is also by most accounts an upstanding member of the security
industry. He writes free software that helps companies catch computer
intruders, frequently posts notes to security mailing lists, describes
himself as an "expert in ethical hacking," and was regarded by many in
the security community as a genuine "white hat."

A deal gone bad

The FBI wouldn't discuss its case, and Butler directed
questions about his case to his lawyer, Jennifer Granick.

But several of Butler's friends say the arrest was the result of a deal
gone bad.

They suggest Butler was caught hacking, then agreed to act as an FBI
consultant to avoid jail time. The deal went sour at some point, and
then he was charged. Granick refused to discuss details, but she did
hint her client was charged out of retribution.

"Even after the facts of this case arose, they continued to want his
assistance, but at a certain point they had a disagreement about what
kind of assistance he was providing them and at that point he was
charged," Granick said. "They certainly seem to have a love-hate
relationship with [hackers]."

Magnetic attraction

When Butler next appears in court in September,
computer hackers and law enforcement agents will watch the case
carefully as, for one of the first times, a federal court will take up
just how cozy investigators should get with the computer underground.

But no matter the outcome of the case, say some security experts,
hackers and federal authorities will continue their often tense
relations. In fact, the two groups need each other, according to Kevin
Poulsen, perhaps the second most famous convicted computer hacker
behind Kevin Mitnick. Poulsen said there seems to be an irresistible
attraction between law enforcement and hackers.

"Hackers tend to have a certain mindset, a mischievousness, a
cleverness when it comes to figuring out things, definitely a
sneakiness. The only place a hacker can use that part of the brain
legally is in the government," he said. Poulsen, who served a 5-year
term for rigging radio station contests, was himself turned in by a
computer criminal-turned-informant.

"It is love-hate. It goes both ways. The government needs that kind of
talent to get those kinds of things done, and hackers are drawn to
places where they can use their talents without risk of jail time."

Still, many law enforcement officers say that is no different from
the use of informants in the real world.

"There is no difference between using a hacker as a cooperator versus
using a drug dealer as a cooperator. Sometimes it takes a thief to
catch a thief," said Elliot Turrini, who prosecuted the Melissa virus
author for the U.S. Department of Justice.

White, black and gray

But computer hackers respond that drug buyers
and so-called "gray hats" -- hackers who work on the edge of legality
-- shouldn't be compared. In the murky, nickname-laden world of
computer security, the lines between research and illegal activity are
often blurry, they say.

"I don't think there's a single security person out there who hasn't
scanned a site and done something that could be considered illegal,"
said Dragos Ruiu, a Butler friend and CEO of security firm Dursec.com.
Hackers -- "white hats" -- scan computers from across the Internet to
see if they are vulnerable; computer intruders -- "black hats" -- then
take that information and break into the computer. It's unclear if
scanning alone is illegal or simply a harmless "knock on the door."

In fact, the lines are so blurry that according to one federal
prosecutor who requested anonymity, the U.S. Department of Justice is
currently engaged in its own internal ethical debate about how much
"illegal" hacking undercover FBI agents should be allowed to perform
during investigations. Engaging in such activity is necessary because
only by showing such skills can an undercover agent gain the trust of
computer criminals, the source said.

And if they can't engage in those activities themselves, they
sometimes get hackers to do it for them. Ruiu, of Vancouver, Canada,
said he's been approached by law enforcement officers during his
career and asked to perform questionable tasks.

"I remember thinking, 'I don't know if law enforcement should be
involved in this,'" he said. "And am I doing something that is going to
come back and bite me?" He worries that if Butler is sent to jail,
security professionals will stop cooperating with authorities
altogether.

Staying clean

Still, other hackers say the line between legal and
illegal activity isn't murky at all, and as long as you've got a clean
background, there's no reason to stop helping government agents catch
criminals. Joel de la Garza, a security expert at Security Inc., said
he's been cooperating with the FBI for about five years.

"I've never committed cyber crimes. I have nothing to fear," he said.
"I want these people to come to justice."

Martin Roesch, a well-known white hat who writes software which
detects hacker activity, has also assisted in government
investigations. He says his clean reputation means the Max Vision case
won't impact any choice he might make to work with law enforcement.
Like de la Garza, he attaches his real name to his computer security
work, instead of using a pseudonym like most hackers -- but he concedes
that has its drawbacks.

"I've always been a white hat, tried to stay pretty squeaky clean," he
said. "But being a white hat has its ups and downs. You aren't privy
to a lot of information you might have if you had a fancy handle."

The perils of being inside

And it's that inside information that
federal agents can't resist, which is why some create their own online
personas and attempt to gain the trust of noted computer criminals
that way. Still, it's much easier to form uneasy alliances with known
underground characters -- either by threatening them with arrest or
purely paying them -- and take advantage of their existing
relationships.

"This is an important tool for law enforcement," said Tom Talleur, a
federal investigator for 31 years, now a cybercrime consultant with
KPMG LLP. "Courts have held that it's legitimate....But it can have
unintended consequences."

For example, the informant may use information gleaned courtesy of the
relationship to law enforcement to commit more crimes. That's a
particular problem in any case that involves obsessive-compulsive
informants like drug buyers, he said, who seem incapable of keeping
promises to stay clean in the face of their overwhelming urges.
Computer hackers are often obsessive-compulsive as well, he said, and
will sometimes use information learned through their affiliation to
break into government systems.

Poulsen disagrees, pointing out that Butler's case is a rarity, that
there are few examples of hackers for hire turning against the law
enforcement group they're working for. When informants who are hackers
engage in illegal behavior, he said, they rarely betray their
"employer."

Meanwhile, Butler's friends say they're sure he didn't take advantage
of his relationship with the FBI, either.

"Here's a guy who's done nothing but add to the state of security. If
this case really does keep going forward, it's a sign of desperation
on the part of law enforcement, grasping at a guy who has been
helping," Ruiu said.

No end in sight

Despite the complications of Butler's case, both
hackers and federal investigators concede that for at least the near
term, the FBI and other investigators will continue to turn to the
computer underground for help -- both for technical expertise and
access to individuals they can't find in the real world.

"They are coming up to speed rather quickly from a technology
standpoint," said Space Rogue, editor of the Hacker News Network Web
site. "But you always need somebody on the inside who's familiar with
the people."

And despite the outcome of Max Butler's case, Poulsen thinks the flow
of information between the groups won't slow down, because hackers
will always want a chance to use their skills with impunity.

"So it's a chance both sides have to take," he said.

ISN is hosted by SecurityFocus.com