Stopping computer crime is an issue most people can agree on, but determining who is a criminal and what constitutes a "crime" are still divisive topics in cyberspace.
Recent prosecution of so-called white hat hackers -- those who find security vulnerabilities in Web sites or systems, either inadvertently or intentionally, and subsequently make the owners of those sites or systems aware of the problem -- have brought several issues to the fore: Do white hat hackers provide a service or a disservice? Should security researchers who find vulnerabilities in Web sites report them, or is the risk of prosecution too great? And finally, if the white hat hackers hang up their hats, what will the ramifications be?
According to several computer security experts, the white hat/black hat hacker debate is raging because the ethics and morality of a young cyberspace society are still being hammered out, and the laws in the digital world have not caught up with the laws in the physical world.
Marcus J. Ranum, chief of security for Tenable Network Security Inc., in Columbia, Md., says there's no such thing as a "white hat." He said, "This industry is still young, and you've got immature people trying to wrap themselves in the flag and use this terminology." In the physical world, he said, "if there's a hole in a fence, is it OK to crawl in? The real world has resolved these problems, but the ethics in the real world hasn't evolved to cyberspace."
Acceptable behavior in the cyberworld is analogous to the physical world, according to Brian Chess, founder and chief scientist at Fortify Software Inc. in Palo Alto, Calif. "Say you walk down the block and make sure everybody's front door lock is locked. If you tell [the home owners] you're helping them with security, there's no way that would be acceptable. For the white hat folks, if you discover a vulnerability and you poke at it, there's no way to tell what your intentions are. The white hat guys have to know that is not acceptable behavior, and the current state of law backs that up."
However, points out Jeremiah Grossman, founder and CTO of WhiteHat Security Inc. in Santa Clara, Calif., if the "good guys" become unwilling to look for or to disclose security vulnerabilities, but the "bad guys" continue unabated, "we now have an uneven playing field."
For security researchers, the risk has always been there, but the world has shifted, Grossman said.
"Web applications are no longer things we can test in the privacy of our own computers; now we have to test on computers not our own," he said. "Everyone is claiming [the rule of thumb is] you don't test live production systems without written consent, but that is short-sighted. [The site owners] are never going to give you written consent if you're an amateur security researcher. But the bad guys aren't going to stop looking."
Some white hat hackers have already stopped looking, Grossman said. "I know several colleagues who have [shut down]. They have good jobs, they're standup citizens; it's not worth the risk even if they only get a slap on the wrist," he said.
Prosecution of white hat hackers
One self-proclaimed white hat who was prosecuted and found guilty under the U.K.'s Computer Misuse Act is Daniel Cuthbert, the "tsumani hacker." Cuthbert, a security professional, gained unauthorized access to a Web site that was collecting donations for victims of the 2004 Asian tsunami. Cuthbert claimed he did not receive a thank you or confirmation when he made an online donation, so he said he went on to test the site to make sure he had not been phished.
Cuthbert said he has "washed his hands" of any future such efforts. "We need to educate the corporate world. There's a small minority hellbent on criminal damage, but the majority of people in security research aren't like that," he said. "If we find a hole and do so in a responsible-disclosure way, we are doing it for the betterment of everyone. At the moment, a lot of people who find holes are too scared to come forward."
Eric McCarty did come forward -- through the Security Focus computer security site -- when he found a vulnerability on the University of Southern California's online application system when he was allegedly registering for a class last June. McCarty told Security Focus how he was able to access the database at USC and copied a small number of records. He worked through Security Focus to notify and help USC fix the problem. He has been charged with computer intrusion under the U.S. Patriot Act. A trial date has been set for July 11, 2006.
A legal spokesperson for McCarty, contacted by e-mail for this story, responded: "Eric believes, as do his supporters, that this is a classic case of 'Kill the messenger over the message he bears,' and that this type of frivolous and baseless prosecution will hurt the IT security field and prevent good people (white hats) from disclosing the vulnerabilities they find. This obviously is bad, because as black hats become more and more sophisticated and discover these vulnerabilities for themselves, these vulnerabilities that put private information at risk will remain the province of the malicious cracker underground."
A key part of the problem, though, is distinguishing intent, said David Escalante, director of computer policy and security at Boston College in Chestnut Hill, Mass. "I think you're always glad to get information from a supposed white hat," he said. "If it's someone from a member of your community, you feel better, like a student." An outsider, though, raises different issues, he said.
Boston College had to confront such an issue several years ago. Escalante said the school received an anonymous e-mail saying there was a security problem. When the sender was asked to explain further, the university was given a cell phone number. BC did verify and fix the problem. "On the one hand we were appreciative, but we really wondered, because they were hiding behind an anonymous cell phone and e-mail accounts, if they'd done more [then they told us]," he said. "Ultimately we decided not to prosecute, but we understand USC's desire to prosecute."
Unrequested help like that which BC received is not welcome, Chess said. "If you really want to help with Web site security, you need to ask permission up front," he said.
Ranum said white hats don't want to sign a nondisclosure, however. "The problem is these guys are insisting they make the rules, but it's not their playground to make the rules. It's such an obvious moral distinction, and somehow the industry has managed to steer away from that obviousness," he said.
While there is no agreement on what constitutes a white hat, there does seem to be agreement on when a white hat crosses the line. "The easy litmus test is whether people want to do a press release about it or get a thank you card," Ranum said. "Then the motive is not entirely pure."
According to McCarty's spokesperson, "When information that is exposed by a vulnerability is used for personal gain (money, notoriety, etc.), the white hat has crossed the line. As evidenced by all the facts in Eric's case, there was no intent to steal or use the information exposed for personal gain of any sort. Eric wanted to remain anonymous, since he is not a part of the grey or black hat underground where notoriety is as good as gold. Eric insisted the vulnerability be fixed first before it was exposed to the community at large, which shows again that he believes in responsible disclosure."
Chess summed it up: "We're still wrestling with how our physical world and electronic world are related. The electronic world is very young. When you can draw a good analogy to physical world, the same set of values should be applied."