The legal risks of ethical hacking

Good guys’ actions sometimes indistinguishable from criminal activity, researchers say

By , Network World
April 24, 2009 02:49 PM ET

Network World - When ethical hackers track down computer criminals, do they risk prosecution themselves? 

Security researchers at this week’s Usenix conference in Boston believe this is a danger, and that ethical hackers have to develop a uniform code of ethics for themselves before the federal government decides to take action on its own.

One such researcher introduced himself by saying “Hi, I’m Dave Dittrich, and I’m a computer criminal.” Dittrich, senior security engineer and researcher at the University of Washington’s Information School, has not been unlucky enough to be prosecuted. But ten years ago, he took actions to disrupt distributed denial-of-service attacks that, he says, could have been construed as criminal.

Working within the University of Washington Network, Dittrich says he “copied files from one host in Canada that was caching malicious software and logs of compromised hosts,” allowing him to gain a fuller understanding of the nascent distributed denial-of-service tools, and to inform the operators of infected Web sites that a problem existed.

While Dittrich was figuratively wearing the white hat, his actions could potentially have been seen as unauthorized intrusions, because he started copying files before receiving permission to do so, he says. Dittrich notified government authorities, as well as the DDoS attack’s innocent victims, of his actions and findings, but he says relying entirely on bureaucratic processes could have taken one or two years.

“In a situation where there are ongoing attacks, and there is no understanding of what is going on, time becomes critical,” Dittrich said.

Dittrich and others spoke Tuesday during a panel titled “Ethics in Botnet Research” at the Usenix Workshop on Large-Scale Exploits and Emergent Threats (LEET). The topic is also being tackled on an ongoing basis by the Electronic Frontier Foundation’s Coders’ Rights Project.

“We are studying criminal activity, and some of the things we do can’t be distinguished from the criminals themselves,” Dittrich said. “We’re all trying to do good. Everyone in this room has their own ethical codes. I don’t know if they totally overlap, but we’re all trying to do good.”

Security researchers may ultimately have no control over how law enforcement authorities view their actions, panelists said.

“We are at the mercy of prosecutors’ discretion, but we are pushing some of these boundaries,” said Jose Nazario, a network security researcher with Arbor Networks who has been investigating the Conficker worm.

Still, the ethical hacking community should collaborate to develop a set of ethical guidelines that can be shown to government when and if it starts taking a greater role in oversight, panelists said.

“As a community, we can authoritatively build up our own sense of ethics,” said Vern Paxson, a senior scientist with the International Computer Science Institute, and professor at the University of California, Berkeley. “This is going to be shoved down our throats in a couple of years, based in part on actions people in this room take.”
