Information Security News mailing list archives

The Lawyer Hackers Call


From: InfoSec News <isn () C4I ORG>
Date: Sun, 6 Aug 2000 05:14:13 -0500

http://www.forbes.com/tool/html/00/aug/0805/feat.htm

08.05.00

By Arik Hesseldahl

Say your day begins with a raid on your home or office by FBI agents.
As they cart away your computer and everything connected to it, they
tell you that you're a suspect in a computer hacking crime.

Your first call may very well be to Jennifer Granick. The San
Francisco-based criminal defense attorney has been quietly making a
name for herself as the one hackers turn to when they find themselves
on the wrong side of the law.

She's also becoming a regular on the hacker convention scene, where
her talks attract huge crowds. She was in Las Vegas for the eighth
annual Def Con conference, where she gave a talk on, among other
things, search and seizure laws. Days before that she gave a talk on
legal issues faced by Internet service providers (ISPs) at the Black Hat
Briefings, a more serious set of meetings for security professionals
and law enforcement officials that precedes the more festive Def Con.
Looking like she could have just walked off the set of MTV's Real
World, the 31-year-old Granick is far from the suit-clad,
briefcase-carrying stereotype a young hacker may associate with
lawyers.

But anyone who takes her young appearance as a sign of weakness is in
for a shock. In casual conversation she'll rattle off the relevant
cases and issues she thinks are most important to the hacking
community. She'll move quickly from talk of port scanning (the act of
looking at what pathways into an Internet server are active) to the
intricacies of when a police officer can and cannot stop a person for
a search.

Nor is she afraid to rock the boat. In 1997 she spearheaded efforts to
provide pro bono legal counsel for a group of more than 100 San
Francisco bicycle activists who organized a mass ride. Many organizers
found themselves in handcuffs for disrupting the flow of motor
traffic. Most ultimately had their criminal charges thrown out.

A New Jersey native, Granick moved to San Francisco to attend the
University of California's Hastings College of the Law, where she
graduated in 1993. From there she went to work for a state public
defender's office, then opened a private practice in 1997.

Though she says she's long been interested in computers and first
explored the Internet in the pre-Web days of 1991, she says she's not
much of a geek herself. She's a dedicated Apple Computer (nasdaq:
AAPL) Macintosh user who just bought her first handheld, a Handspring
(nasdaq: HAND) Visor.

"I saw this area of the law as one that would be growing and dynamic,
and it satisfied my professional interests in being a criminal defense
lawyer and also my personal interest in computers," she says.

Her hacker clients tend to fit a strong pattern, she says. So far, all
have been male. All have been smart, educated and curious. And often,
she says, the charges result from a misunderstanding. So far she's
taken seven hacker cases, some of which are still pending.

The law is just beginning to get its arms around the concept of
computer hacking, but in a way that Granick says errs on the side of
extreme punishment for crimes that, when considered in context, are
not often that serious.

"The law is in a state of flux and the argument I hear most often is
that new technology is moving so fast that old laws are being crushed
by the onslaught," she says. "The reality is that laws are being
adapted to fit new technology in radical and extreme ways and that, in
the criminal context, the pressure is on for heavy punishments in
sentencing. What we really need is clarity."

Take the case of one Granick client who used nothing more than a
standard Web browser to discover the master password file of one
Internet service provider that was not locked away as well as it
should have been. The server's administrator had made a common mistake
for which there was a common fix. Anyone who simply typed the correct
address into a Web browser could have seen it. The passwords
themselves were encrypted, meaning they couldn't be read without
breaking the secret code that protected them. After making a copy of
the file, the hacker ran it through a code-breaking program that
exposed the passwords as plain text. But there it stopped. He didn't
use the passwords for any malicious purpose, though he could have. He
also could have alerted the ISP in question that its system was
vulnerable to the weakness, which he also didn't do.

While some ISPs would have simply changed the way they manage user
passwords and moved the file to a different server, this ISP opted to
call the FBI. In the end, Granick negotiated the criminal charges
before trial from felonies, which carry jail time, down to
misdemeanors with a probation sentence. He pled guilty.

Such cases are not uncommon. Prosecutors have typically argued that
checking a system you don't own for weaknesses is just as dishonest as
walking down a street and checking the doors of homes to see if
they're unlocked. But the law is far from clear on this and many of
the gray areas into which hackers tend to fall.

"There is so much vagueness not only in the definitions of crimes, but
in the way that sentences are applied that we really don't have any
kind of regularity," she says. "The most important thing about the
rule of law is that it's not supposed to be subjective. But that's
just not the circumstance we're seeing."

If she had her way, Granick says laws would distinguish between
legitimate activities and actions that cause harm.

"The laws should be specific and exact enough that people should know
exactly what is and is not prohibited. I don't think it's useful for
people to wonder if their legitimate activities carried out in the
name of computer security will get them in trouble with the law," she
says.

Of course lawmakers are doing their best to make everything and
anything connected to hacking illegal, even though it often
compromises a person's ability to probe for unknown weaknesses along
the Internet's infrastructural underpinnings. Finding and then fixing
those weaknesses requires the freedom to look around. Though most
people who consider themselves hackers would agree that theft is theft
and fraud is fraud, such crimes should be treated no differently in
the virtual world than they are in the real world.

But one thing is certain. The issues Granick grapples with are not
going away. When she first began to explore how the law interacts with
computers, the Internet and hackers, few people she knew really
understood the connection.

"It used to be that my Mom had no idea what kind of law I was
interested in, no matter how many times I tried to explain it," she
says. "Now we have Napster on the cover of magazines and everyone
understands."

ISN is hosted by SecurityFocus.com