If a security vendor breaks into a malicious site, is it hacking?

A security researcher I spoke with at the RSA Conference this week described an investigation his company had undertaken recently of a malicious Web site that had victimized dozens of people in this country and elsewhere.

A lot of the very specific details he shared about the site and how it was structured and what sort of data files it contained could have only come from him or his counterparts having broken into the site themselves. That perhaps explains why the PR folks at the company are now so anxious I don't write anything about it until they clear everything with their legal folks.

Based on the information provided by the security vendor, the site certainly deserves to be taken offline and probably will be, by law enforcement, soon enough. The question is, does that make the practice right? Is it okay for security researchers and vendors to break into a site, however good the justification might be, without some sort of legal oversight or permission? It's not a particularly new question for sure, but it's one that is becoming more important to address with cyber crooks running rampant on the Web these days.

One benefit to being a crime fighter on the Internet is that you don't really need a search warrant to enter a Web site run by criminals and poke around to see what you can find. You don't even need to be in law enforcement.

Okay, maybe legally speaking you might need something. But the fact is no one's going to notice--or even care--if a security researcher or White Hat were to break into a malicious Web site to see what's there and figure out how to protect against it and other similar sites.

If the bad guys do notice someone poking around, they are hardly going to run to the cops. All they are going to do is abandon that place and go somewhere else to continue their nefarious activities.

That probably explains why the security vendor I spoke with is by far not the only one to do this sort of investigation. A lot of the public data on the bad guys and their tactics that exists in the industry today has no doubt come from similar snooping, monitoring and break-ins by security researchers. Few, though, are likely to admit openly that they are breaking into other systems or adopting tactics similar to those used by the hackers themselves to get at the data, because they are unsure of their legal standing.

Going forward, there might be less reason for them to carry out such tasks themselves. There's growing talk about the need for the U.S. government to develop an offensive cyber warfare capability designed to strike back at those who mean to do harm to the country's interests in cyber space.

Those capabilities most likely exist already. If a security vendor can do it, there's little doubt that an agency such as the National Security Agency, for instance, already knows how to do it--and is to some extent doing so already. So when people talk about the need for a cyber-offense capability, what they are likely referring to is the need for a formal legal framework for implementing such a strategy. Such a framework would obviously need to address questions about justifiability and proper attribution and define clearly what a proper course of action would be.

 

What People Are Saying

White Hat hacking

Even the Feds were concerned whether this is a legit thing to do - they sponsored a free Dept Homeland Security course called Cyber-Ethics at http://www.act-online.net to look at both sides of the issue and offer a certificate (college level course) that gives POST credit to cops or Continuing Legal Education (CLE) credits for lawyers. Little dry but cool section on Black Hat versus White Hat hacking (module 6)

Playing by the rules

Is always much harder. The 'bad' guys get to do what they want, and the 'good' guys get to stand and watch. Very frustrating.
You can't legally enter another person's web server without their express permission to do so - even bad guys have rights, unfortunately.
All you achieve is alerting them that the game is up, and they move on to another neighbourhood, before being caught by the authorities.

Sure it's hacking, but is hacking illegal

in all instances? If a law enforcement officer shoots someone about to kill or rob an innocent third party is it illegal? If instead a private citizen who is legally carrying a gun shoots someone in the act of that same crime, is that illegal? How about if I broke the window out of a locked car in the theater parking lot? Yes, that's illegal. But what if I did that because I saw a baby crying and turning blue in the back seat?
Is hacking by definition illegal? If I was the head of a big corporation I would likely hire someone to hack into my system on purpose, then report on how he did it. If he got caught by authorities, would he and I face charges, or would he be excused after I explained to the authorities what he was doing?

Sure it's hacking when it's illegal...

Hate to repeat myself but the Feds (DHS/FEMA- not the Katrina part) put a free (college level) web course up that covers this topic - it's called "Cyber-Law and White Collar Crime" that covers the current law in the US (some Int'l) on intellectual property and hacking for profit (botnets that are used for DDoS attacks) and hacking to be malicious - pretty good coverage of the topic - better than sludging around Wikipedia/Google looking stuff up...it's at http://www.act-online.net. There is also a 4 min FLASH movie showing a simulated Storm II variant attack by a botnet herder at http://dev.act-online.net/tfi

It's not so easy to tell

First of all, a police officer is supposed to do his best trying to prevent the crime without killing the presumed criminal.
Second, how can a private citizen legally carrying a gun (preferably a heavy assault weapon like let's say an M61 Vulcan - boy, don't you love that beast) tell that the dubious looking guy close to the victim is in fact trying to help the poor old lady stand up after being beaten by the real criminal who managed to run away a few seconds before? All this in a blink of an eye in a poorly lighted back alley? Firing your gun at a person might very well have unwanted consequences and sometimes irreversible also. What are a police officer's feelings after mortally shooting a young boy just because he thought he might have been armed and trying to commit a crime?
Remember, by killing a criminal before he was able to commit the crime you'll never be 100% sure he was really determined to actually commit it. This is the uncomfortable position of any law enforcement official.
Fortunately, hacking websites does not make people die, however my vote is for acting within the limits prescribed by law.

illegal is illegal

Yes, it is hacking, and there is no doubt that it is hacking, or illegal access to a computer system rather. There should be no legal question. If it were done in person it would be called breaking and entering, or trespassing, whether or not the person owning said property is a criminal. I doubt I am alone in thinking that there are serious problems when people start to believe that they do not require a warrant for a search. Security professionals are not cops. When they are accessing systems illegally, for good or ill, they are criminals. You cannot condemn one person's illegal access to a computer and not another. There is nothing white hat about what you are talking about, at best it's grey hat.
What's more, I do not believe that I would support a government agency doing similar.

tisk tisk

My grandpa always said two wrongs don't make a right.

Hmm, his brother who is still alive says the same thing, and he was a G-Man.

Breaking the law to obtain information is stupid anyway as any information obtained in this manner would be thrown out in court, lead to a dismissal of the case and possible disciplinary actions including lawsuits and criminal proceedings.