Beware the Kindness of Strangers: The Case Against Good Samaritan Hackers
Richard Forno

The Good Samaritan defence, invoked by hackers like Adrian Lamo, can too easily be distorted by those with less altruistic intentions.

How would you feel if one day, while you were at the office going about your daily business, I decided to take it upon myself to check the security of your home? How would you feel if I sauntered up to the front door and, finding that it didn’t sufficiently resist my efforts to open it, I walked through that door and then proceeded to meander around your house, assessing the various security risks that lay vulnerable within?

The idea seems pretty strange, no? Well, this is a metaphor that a lot of people use to describe the actions of hackers who illegally enter the systems of large organizations. Some may do this to satisfy their curiosity, some for weekend kicks, and some to try out new tools or techniques.

Most people would consider this sort of activity to be not only illegal, but also immoral and unethical. However, what if the intruder doesn’t do any damage, view any confidential material, or take any valuable information? In fact, what if they take it upon themselves to report to the organization what they found and how they managed to access the site? Aren’t they, in fact, helping the ostensible victim? Couldn’t this be seen as helping make the Internet as a whole more secure?

The Justification

To some Internet wanderers, this argument justifies their actions, and epitomizes the fundamental meaning of the word ‘hacker.’ Adrian Lamo, perhaps the most controversial of these folks (referred to as ‘ethical hackers’, ‘rogues’, and ‘vigilantes’ among other monikers) told a Washington conference audience earlier this week that he’d love to see a situation where folks like him wouldn’t have to fear for their legal lives when reporting the findings of their unauthorized network browsing to corporations. (For more on the conference and Lamo’s comments, please see the SecurityFocus article Panel Debates Hacker Amnesty.) After all, in repeated media interviews, Lamo has made it clear that his personal code of conduct keeps him legitimate and free from prosecution, even though what he’s doing is technically illegal.

While the idea of ‘exploratory hacking’ or ‘Good Samaritan hackers’ is not new, such actions run contrary to national laws regarding unauthorized network access. In the eyes of the law, any unauthorized entry into a privately held network is illegal, regardless of the intent and regardless of what activities may be undertaken once access to that network has been gained. In short, it is illegal to break into an organization’s clearly delineated property in cyberspace. That’s what is at the heart of the controversy, and what must be proven in the courtroom.

Some folks - including Lamo and numerous respected corporate security professionals - argue that if hackers “look but don’t touch” and promptly report their findings to the “victim” company – instead of exploiting them for personal gain – they are helping the firm. Granted, the attacker gained access illegally, but if they acted responsibly by reporting their findings to the company, the benefits that this information would offer the company would offset the benefits of prosecuting the intruder. As they say in street ball, no blood, no foul.

In security circles, this is a controversial issue, to be sure. Chris Wysopal from @Stake thinks that such unsanctioned junkets are relatively benign. "It’s sort of like wandering around in the woods not caring about invisible property lines that aren't posted, yet respecting fences and No Trespassing signs." Others, like Marcus Ranum of NFR, take a more black-and-white view of the issue. As he was quoted as saying in the recent SecurityFocus article, “It's against the law, how much more cut and dry can you get?”

The Refutation

As a security professional, I can see both sides of the coin. As in the full disclosure debate, this is a heated discussion in which each side’s arguments have merit. However, I tend to side with the law and Ranum: breaking into a network without proper authorization is illegal.

There is simply no way of knowing that the person reporting the vulnerability is disclosing everything he or she found about the network. What’s to prevent someone from reporting just enough vulnerability information to appease the ‘victim’ and deflect any potential legal action, while withholding other information for future malicious purposes? Another problem is that these hackers tend to rummage around the system in question for extensive periods prior to reporting the exploit in question. If the concern is to help companies harden their systems, the responsible thing to do is report the exploit as soon as system access has been attained, not keep seeing how much farther one can go before detection. After all, once access has been attained, and the exploit confirmed, there is no valid reason for the hacker to continue rifling through the system.

Should the law be changed to allow for ‘ethical hacking’ by Lamo and his ilk? No. Changing the law could provide an automatic ‘Good Samaritan’ defense for anyone charged with unauthorized network access. This would only further muddy the already murky waters of cyber-law. For instance, an intruder could rummage through the system, viewing all sorts of potentially valuable information, and then leave the system with impunity, information in hand, knowing that if he’s caught, he could claim he was trying to help the victim company out. How then are we to differentiate between the Good Samaritan and the thief?

The Reality

Realistically, we should make the best of the situation. Folks like Lamo aren’t going away anytime soon. If one disappears, another will appear in an ongoing game of hacker Whack-a-Mole. Until we are able to resolve the many security issues that plague us, the responsible thing is for victim companies to accept such rogue hackers and Good Samaritans as a way of life in the Information Age and work with them to address their problems if and when reported. Of course, the most responsible thing would be to ensure – through effective security practices and legislation – that folks like Lamo cannot penetrate and wander around privately held systems, for personal gain or any other purpose.
Copyright 2006, SecurityFocus