When is hacking a crime?
This summer, the consultant with security firm Secure Network Operations had let HP know of nearly 20 holes in its Tru64 operating system. But in late July, when HP was finishing work to patch the flaws, another employee of Finisterre's company publicly disclosed one of the vulnerabilities and showed how to exploit it--prompting the technology giant to threaten litigation under the Digital Millennium Copyright Act.
Finisterre, who was not hired by HP, now says he'll think twice before voluntarily informing another company of any security holes he finds.
"As more laws come out, you are going to have to make a decision on which side of the fine line you want to be--black hat or white hat," the 22-year-old consultant said.
In recent months, hackers of all backgrounds have been forced to rethink their practices while facing a roundhouse combination of the DMCA, heightened law enforcement activity and deeper scrutiny by employers.
The issue pits two extremes against one another. At one end are the corporate-security experts who wear their metaphorical white hats because they adhere strictly to regulations and tend to believe that software vulnerabilities should be disclosed only to the software maker or a trusted third party. At the other are the black hats who are generally interested only in gaining access and breaking security.
In the middle are the gray hats, who are finding their once-acceptable acts, such as informing the public of company security holes, could now land them in jail.
Who is a hacker?
In the most general sense, a "hacker" is someone who enjoys modifying and subverting systems, whether technological, bureaucratic or sociological.
Most often the term is used to describe someone who has learned about technology by picking apart systems.
In the past decade, however, "hacker" has come to describe those people with a hands-on interest in computer security and circumventing such security.
Even the White House has weighed in on the controversy. While acknowledging the need for third-party discovery of flaws, President Bush's cybersecurity team believes that more stringent ethics need to be the rule, rather than the exception.
"We are reaching a crossroad where decisions have to be made as to which way people are going to go: Are they going to continue to function as a security consultant or go to the dark side?" said Howard Schmidt, vice chairman of the White House's Critical Infrastructure Protection Board.
That sentiment is echoing across the once-vast gray area where the majority of today's serious hackers toil. With law enforcement and corporate legal departments increasingly on the attack, many security experts are worrying that the next bug they discover or tool they create could get them sued or prosecuted.
"You can't do anything these days," complained H.D. Moore, a security expert and hacker for network protection firm Digital Defense. "It used to be that you could hack a box and people would say, 'Ah, it's just a stupid kid.' Now it's a mission-critical server you just hit, and that's terrorism."
Making the situation more difficult is the amorphous definition of ethical hacking. Although the subject has been addressed extensively in law and ethics philosophy, rarely a month goes by without a debate over whether a particular vulnerability had been disclosed responsibly.
The term "gray hat" was originally coined by the L0pht--one of the best-known old-school hacking groups, pronounced "the loft"--for those who wanted to stand apart from corporate security testers but also distance themselves from the notorious black hats. The category defined by this phrase has come to encompass most independent security experts and consultants, as well as many corporate security researchers.
"We chose the term 'gray hat' to represent the independent researcher who didn't have a vested interest in any particular company or product," said Chris Wysopal, director of research and development for security firm @Stake, a company that had been formed out of the core group of L0pht hackers. Wysopal himself went by "Weld Pond" when he was part of the L0pht.
But others don't believe that a gray area should exist, even for hackers who break into a company's servers only to inform its network administrators about the vulnerabilities--a technique made famous by itinerant hacker Adrian Lamo. He has found his way into the networks of WorldCom, the New York Times, America Online and Excite@Home before breaking the news to the company or, more often, to the press.
To those like Peter Lindstrom, director of security strategies for the Hurwitz Group consultancy, Lamo and others of his ilk are criminal hackers.
"If you are gray, you are black," Lindstrom said. "It's not that I don't understand what they are trying to do, but it comes down to what you are actually doing."
When hackers attack a network, an administrator has few ways to judge their intent. Every incident must be treated as an emergency, Lindstrom maintains, so every trespasser should be treated as a criminal.
That point of view may be in the minority today, but it's rapidly gaining support. The trend is lending new strength to such laws as the Digital Millennium Copyright Act
Cracking down on grays
Last year, the FBI arrested Russian programmer-cum-hacker Dmitri Sklyarov for violating the criminal provisions of the DMCA by producing a program that could circumvent the copy protections surrounding Adobe Systems' e-book format. Adobe forced the issue with the FBI and then backed off amid wide criticism. Now the Justice Department is pursuing the case against Sklyarov's company, Elcomsoft.
The arrest has worried those who find holes in software. At this year's Defcon hacking conference, some international researchers doubted they would attend in 2003, given the turn in the U.S. legal environment.
"The DMCA is so vague and complex and confusing," said Jennifer Granick, a defense lawyer and clinical director at Stanford University's Center for Internet and Society. "This is the most serious problem."
The DMCA has become a favorite legal weapon of the software and media industries to silence critics and security experts, despite exemptions written by the Library of Congress for security research. Princeton University professor Edward Felten delayed presenting his findings regarding the security of several music standards when the Recording Industry Association of America threatened him with a lawsuit.
In addition to the case against ElcomSoft, the FBI is reportedly investigating Lamo for his hacking of a database that contained contact information for New York Times columnists.
Internal affairs
Many security companies, such as Digital Defense, Internet Security Systems and @Stake, trumpet the fact that they hire hackers as part of their cachet. Oracle even maintains a staff of its own homegrown hackers, bringing in outsiders only on occasion, said Chief Security Officer Mary Ann Davidson.
"I use the term 'hacker' mostly in a term of professional respect," she said. "I don't believe in blaming the research community for our own failings, but we should let light in on the situation."
Others, however, operate on a don't-ask, don't-tell policy.
"Companies say, 'We don't hire hackers.' But you go there and they have a room full of them," said "md5," a member of the GhettoHackers, a Seattle-area group of white hats.
Today's security-conscious climate means that programmers and hackers have to pay more attention to politics and laws, a new sensitivity that some believe has discouraged them from notifying companies of vulnerabilities.
"There are a lot of (flaws) still being discovered, but no one is releasing them," Moore said. While lists such as Bugtraq continue to post flaws, he added, "interesting" vulnerabilities aren't being disclosed as often.
The recent experience of Secure Network Operations is a case in point. Finisterre--who also goes by "dotslash"--has not changed his philosophy, but his company has become far more wary of publicizing security flaws. "We are more treading on water when we approach a vendor now, because what HP did scared the crap out of us," he said.
Hats of the future
The debate has given rise to some new possible guidelines for defining hacker ethics. For some time, a hacker known as Rain Forest Puppy has adhered to a policy that spells out how a security researcher and a software maker should communicate. At its core, the so-called
@Stake's Wysopal co-authored a more formal set of
Oracle's Davidson said such guidelines begin an important dialogue. "Not to excuse ourselves for sitting on our keisters, if that's what we are doing, but to say, 'Step into our shoes,'" she said. "Hackers only have to find one hole to make a name for themselves, but we have to find all of them."
And as companies and law enforcement agencies focus increasingly on the vulnerabilities of critical networks and systems, those considering themselves gray hats may not have much longer to play in the middle of the road.
"I think that we have seen a shift in people and their focus to do the right thing," said Schmidt of the White House cybersecurity team. "No matter what color your hat, you need to realize that there is a greater dependency on networks today."