Information Security News mailing list archives

Panel debates Samaritan-hack amnesty


From: InfoSec News <isn () c4i org>
Date: Wed, 27 Mar 2002 03:40:30 -0600 (CST)

http://www.theregister.co.uk/content/55/24599.html

By Kevin Poulsen, SecurityFocus Online
Posted: 27/03/2002 at 05:51 GMT

Do good intentions count in a network intrusion, or should
well-meaning hackers be prosecuted just like any other computer
criminal?

A panel of information security experts chewed on that issue at a
security conference here Monday -- and for one of them, the question
was more than academic.

"Obviously, nobody wants to be compromised and it's never a
one-hundred percent pleasant experience," said Adrian Lamo, described
in the conference program as a communication phenomena researcher.
"But I'd like to see more receptivity to processing compromises that
don't result in damage, without necessarily destroying the life of the
person involved."

The conference on "Information Security in the Age of Terrorism,"
hosted by the American Management Association, was Lamo's first public
appearance since his high-profile hack of the New York Times' internal
network last month, in which he exploited lax security to tap a
database of 3,000 Times op-ed contributors, culling such tidbits of
information as Robert Redford's social-security number, and former
president Jimmy Carter's home phone number.

The 21-year-old Lamo has a year-long history of exposing gaping
security holes at large corporations, then voluntarily helping them
fix the vulnerabilities he exploited -- sometimes visiting their
offices or signing non-disclosure agreements in the process. So far,
his helpful habits have kept him from being prosecuted, and some
companies have even professed gratitude for his efforts. In December,
Lamo was praised by communications giant WorldCom after he discovered,
then helped close, security holes in their intranet that threatened to
expose the private networks of Bank of America, CitiCorp, JP Morgan,
and others.

But one month after Lamo notified the New York Times of its
vulnerabilities through a SecurityFocus Online reporter, the Times
intrusion remains a sword of Damocles suspended over the hacker's
head. The paper hasn't sought Lamo's assistance, and isn't thanking
him for the attention. "We're still investigating and exploring all of
the options," said spokesperson Christine Mohan on Monday. Asked if
the Times is contemplating filing a criminal complaint with the FBI,
Mohan added, "That is one of the options."

Though he's made friends of many of his targets, Lamo doesn't dispute
that cracking their networks without permission violates federal
computer crime laws. But none of the security professionals alongside
him on Monday's panel would condemn illegal computer intrusion as
unacceptable in and of itself.

Instead, they generally agreed that there should be room for a benign
hacker to notify an organization of a vulnerability without being
prosecuted for exploiting it, and that the decision to prosecute was
properly left in the hands of the hacked organizations, and government
prosecutors.

"The companies who are approached by Adrian and folks like him should
have a gentleman's understanding that they won't bring him to
prosecutors," said Richard Forno, CTO of Shadowlogic. (Forno is a
columnist for SecurityFocus Online).

The factors to consider: whether the intruder causes harm, what they
do with their access, and how quickly they come clean with the
organization they've hacked.

"Ethical hackers who don't do damage and push the state of the art in
security, they're providing a valuable service," said Jonathan Couch,
a network security engineer at Sytex Inc. "The government needs to
have the discretion not to prosecute."

Zero Tolerance

But all the talk of limited amnesty for hackers was too much for NFR
Security CTO Marcus Ranum, who signaled his dissent by applauding
alone from the back of the room at the mention of a legislative
proposal that would make some hackers eligible for life imprisonment.
"You guys are a bunch of security professionals and you're sitting
here making apologies for hackers," said Ranum. "That's the lamest
thing I've never heard of."

In an interview later, Ranum called Lamo a "sociopath," and said his
hacks are indefensible. "It's against the law, how much more cut and
dried can you get?" said Ranum. "If society was comfortable with what
he's doing, they'd change the law."

Even panelists without Ranum's moral certitude said after the session
that Lamo would flunk their own test for hacker amnesty, primarily
because he often enjoys illicit access to a network for weeks before
telling the company. Such was the case in the New York Times
intrusion.

"He had access to internal, sensitive, private information, and he
didn't give up his access until he was ready," said Brian Martin, a
security consultant for CACI-NSG, and a former hacker himself. "I
don't necessarily think he should do time, but I don't think he should
be exempt just because he reported it."

"As soon as he found a significant hole, he should have reported it,"
said Forno. "But to find a way in, prowl around for four or five
weeks, and then report it -- that should be criminal."

Lamo responded that the elapsed time before he reports a hack is a
function of his vagabond style: he frequently finds a hole in a
network, then wanders away only to return days or weeks later to prod
a little more. "The reality is, this is not what I do for a living,"
said Lamo. "It is a hobby."

What seems certain is that Lamo's hobby is going to fuel more
controversy. Some observers think he'd be better off collecting
stamps. "I don't see how it can stay this way," said Chris Wysopal,
director of research and development for @Stake. "I think once there
are people following in his footsteps, there might be a clampdown."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.