Tracking down malicious computer activity can put researchers on shaky legal footing.
When ethical hackers track down computer criminals, do they risk prosecution themselves?
Security researchers at this week’s Usenix conference in Boston believe this is a danger, and that ethical hackers have to develop a uniform code of ethics for themselves before the federal government decides to take action on its own.
One such researcher introduced himself by saying “Hi, I’m Dave Dittrich, and I’m a computer criminal.” Dittrich, senior security engineer and researcher at the University of Washington’s Information School, has not been unlucky enough to be prosecuted. But ten years ago he took actions to disrupt distributed denial-of-service attacks that, he says, could have been construed as criminal.
Working within the University of Washington network, Dittrich says he “copied files from one host in Canada that was caching malicious software and logs of compromised hosts,” allowing him to gain a fuller understanding of the nascent distributed denial-of-service tools and to inform the operators of infected Web sites that a problem existed.
While Dittrich was figuratively wearing the white hat, his actions could potentially have been seen as unauthorized intrusions, because he started copying files before receiving permission to do so, he says. Dittrich notified government authorities, as well as the DDoS attack’s innocent victims, of his actions and findings, but he says relying entirely on bureaucratic processes could have taken one or two years.
“In a situation where there are ongoing attacks, and there is no understanding of what is going on, time becomes critical,” Dittrich said.
Dittrich and others spoke Tuesday on a panel titled “Ethics in Botnet Research” at the Usenix Workshop on Large-Scale Exploits and Emergent Threats (LEET). The topic is also being tackled on an ongoing basis by the Electronic Frontier Foundation’s Coders’ Rights Project.
“We are studying criminal activity, and some of the things we do can’t be distinguished from the criminals themselves,” Dittrich said. “We’re all trying to do good. Everyone in this room has their own ethical codes. I don’t know if they totally overlap, but we’re all trying to do good.”
Security researchers may ultimately have no control over how law enforcement authorities view their actions, panelists said.
“We are at the mercy of prosecutors’ discretion, but we are pushing some of these boundaries,” said Jose Nazario, a network security researcher with Arbor Networks who has been investigating the Conficker worm.
Still, the ethical hacking community should collaborate to develop a set of ethical guidelines that can be shown to government when and if it starts taking a greater role in oversight, panelists said.
“As a community, we can authoritatively build up our own sense of ethics,” said Vern Paxson, a senior scientist with the International Computer Science Institute, and professor at the University of California, Berkeley. “This is going to be shoved down our throats in a couple of years, based in part on actions people in this room take.”
Those people include Thorsten Holz, a Ph.D. student researching botnets at the University of Mannheim in Germany. During research in which Holz and colleagues impersonated a bot, Holz says he gained access to 33GB of keylogger data relating to 170,000 victims.
“This contained private information such as what victims are typing, their passwords, very detailed information about more than 170,000 people,” Holz said during the panel. “This is something where we had a lot of internal discussions [and discussions with lawyers and police] on what to do with it, and what are the legal and ethical implications.”
Holz says his research team decided to share information in a way that victims could be notified.
Panelists and audience members discussed the legal concept of misprision of felony (in US federal law, the offense of concealing and failing to report a felony one knows has been committed) and debated what level of responsibility researchers have in notifying victims. Notifying someone that they are the victim of a botnet is the equivalent of picking a candy wrapper up off the street, Paxson said. But if a researcher takes over a botnet and cleans it, the ethics are less certain, because the researcher could cause unforeseen damage, he said. Many worms exhibit surprising behavior not anticipated by their authors, he noted.
Attorney Aaron Burstein, also sitting on the panel, said that following one’s own ethical code won’t necessarily protect a researcher from the rule of law.
“Frequently, we find it’s possible to break the law while doing something ethical, and conversely following the law doesn’t necessarily ensure that you are acting ethically,” he said.
Holz said it’s a good idea to work with law enforcement, but noted that it is difficult. “The typical police officer is not aware of many things that happen in cyberspace,” he said.