Hackers Live by Own Code

It wasn’t Mary Ann Davidson’s worst nightmare, but it was close.

A fax from a hacker in the Middle East landed on her desk at Oracle Corp., proclaiming the discovery of a hole in the company’s database software through which he could steal crucial information from such customers as Boeing Co., Ford Motor Co. and the CIA. The fax warned Davidson, the company’s chief security officer, to contact the hacker immediately -- or else.

Luckily, the hacker hadn’t found a real hole; he’d just misinterpreted a function of the program. More surprisingly, he meant no harm.

“The sort of threatening tone he took was really only to get our attention,” Davidson said. “He actually turned out to be a nice guy.”

The confrontational style of Davidson’s hacker isn’t unusual. As they troll through other people’s computer networks, hackers abide by their own quirky rules of etiquette. What would strike most folks in corporate America as bad manners or worse may be considered the height of courtesy in hackerdom.

In large part, that disconnect stems from the fierce individualism of hackers -- they are, after all, the sort of people who set aside the instruction manual and take a machine apart to see how it works. Though they inhabit a lawless domain where no data are considered private and “No Trespassing” signs are meaningless, they adhere to their own codes of ethics that vary depending largely on what motivates the hacker to hack.

Sometimes it’s fame. Now and then it’s money. Often it’s a selfless desire to make software more secure. And occasionally it’s a yearning to wreak senseless havoc.

The frequency of such attacks is on the rise, capped by the Blaster worm and SoBig virus that overpowered e-mail programs and crashed computer systems this summer. Computer Economics Inc. of Carlsbad, Calif., estimates that damage caused by hackers will cost companies and consumers $12.5 billion this year, up 13% from 2002.

Most hackers aren’t malicious, security experts agree. But from afar, it can be difficult to distinguish the saboteurs from the merely curious, because they use the same tools, travel in the same virtual circles and often share a disdain for the rule of law.

Their philosophy predates personal computers, going back to the days when pranksters manipulated the telephone system to make free long-distance calls and cause other mischief. The personal rules that guide them today generally allow them to break laws, as long as they believe nobody will get hurt.

Firms Are Fair Game

This maverick outlook is best personified by Kevin Mitnick, either the most notorious hacker or the most demonized, depending on your point of view. He stole millions of dollars’ worth of software after cracking into the computer systems of big companies such as Sun Microsystems Inc. and Motorola Inc. But he said he never sold any of it or otherwise profited from his electronic theft.

Mitnick, now 40, served five years in federal prison. Yet that hasn’t deterred a younger generation of hackers who view private companies as fair game as long as no data are destroyed or profit turned. For many of them, hacking is just something their curiosity compels them to do.

Adrian Lamo, a 22-year-old hacker from Sacramento, always viewed his hacking habit as harmless at worst and helpful at best. If he has a chance to inform people about a security flaw in a company’s internal network, he considers the disclosure a form of public service.

Lamo says he can’t help it. He just starts wondering, then he looks for holes in a company’s infrastructure, and he’s in.

“When I’m curious about something, it’s difficult to not seek out security problems,” he said.

Working sporadically during long nights in Kinko’s copy shops two years ago, Lamo used his battered Toshiba laptop computer to burrow deep into WorldCom Inc.’s internal networks. By the time he was done, he could have redirected the phone giant’s employee paychecks to his own account or shut down the system of WorldCom customer Bank of America Corp.

Lamo did neither.

Instead, he recounted his exploits to a hacker turned journalist at SecurityFocus.com, a Web site devoted to tracking hacks, holes and fixes. SecurityFocus then called WorldCom executives and told them Lamo was happy to answer any of their questions. After Lamo showed WorldCom what he had done and how to prevent it from happening again, the company publicly thanked him for improving its security.

Part of Lamo’s creed is a refusal to take financial advantage of anything he finds. The biggest compensation he’s ever accepted from a company he’s broken into, he said, was a bottle of water.

Chris Wysopal used to feel the same way when he worked at an outfit known as the L0pht, a band of security enthusiasts in a Boston apartment strewn with spare computer parts salvaged from area trash bins.

Claiming a dedication to telling software buyers the unvarnished truth, the L0pht crew published free security warnings on its Web site and in e-mail newsletters. Those warnings often were accompanied by programs to help people test whether their computers were vulnerable to attack.

In Wysopal’s view, hacker etiquette didn’t require him to give software makers advance warning before publishing his discoveries -- even though his reports could aid the unscrupulous. Without the threat of public exposure and the fear that malicious hackers would use the newfound information, he figured, software makers wouldn’t have incentive to make fixes in a timely manner.

“They dealt with security like a feature request -- they would get around to it in the next version,” Wysopal said.

The shaming tactics started working, so well that by 1999, Wysopal was forced to reconsider what constituted appropriate hacker behavior.

After the L0pht publicized a problem with a piece of Microsoft Corp. software for server computers, the company responded that it would have been happy to fix the mistake if only it had been given the chance. Instead, Microsoft had to race to develop a fix and get it to customers in time to head off an assault.

End to Free-for-All

Wysopal, along with a great number of his fellow hackers, realized the days of the free-for-all should end. It was no longer morally defensible to tell malicious teens how to hurt firms and their customers before they had the tools to defend themselves. Now he works with software makers to develop patches before blowing the whistle.

“It isn’t as much fun,” said Wysopal, who helped the L0pht morph into a computer security company called @stake Inc. “But if we publish right away, we are really arming the bad guys.”

For other hackers, proper etiquette is dictated by the pursuit of money.

The most direct angle is simply to tell the software company there’s a bug, then request a fee to explain it.

“If I come up with a vulnerability and I inform the source that I’ve discovered it, but I say, ‘Would you mind paying me $5,000 to help you close it?’ from my perspective that’s a very reasonable request,” said Bob Weiss, president of Password Crackers Inc. in North Potomac, Md., which helps companies recover information hidden on their machines.

But what looks like a reasonable request to a hacker is often perceived as extortion by the company being asked to shell out. That’s how one California software firm reacted after it heard from a hacker who had found a hole in its Web-messaging system and offered to explain it -- for $10,000.

“The company got pretty mad,” said Jennifer Granick, a cyber law specialist at Stanford University who represented the hacker in 2000. “It’s very difficult for some cocky 18-year-old kid to approach a company without it feeling threatened.” After Granick smoothed things over, the company agreed not to press charges.

There’s also the loss-leader approach. After identifying a problem and explaining it, many hackers offer to look for additional glitches in exchange for a consulting fee.

Even that strategy backfired on a Boxboro, Mass., security group called SnoSoft. In 2002, SnoSoft researchers found a hole in a version of the Unix operating system made by Hewlett-Packard Co. The hackers told HP they would explain it for free, but they also asked to be paid for additional work.

“We made it clear we wouldn’t charge [for the initial bug], because that would be extortion,” SnoSoft co-founder Adriel Desautels said.

HP declined to offer SnoSoft a contract. Instead, the company threatened to sue under the Digital Millennium Copyright Act of 1998, which prohibits some attempts to tinker with programs to see how they work.

To computer security experts -- including some inside HP -- that threat amounted to a gross violation of etiquette on the part of HP. The company backed down and recently said it would never use the digital copyright law to stifle research. The Palo Alto computing giant declined to discuss the SnoSoft case.

For a few hackers, there is only one principle that matters: Do as much damage as possible.

That may have been the goal of a group of Chinese hackers who reverse-engineered a patch designed to fix a devastating hole in most versions of Microsoft’s Windows operating system for PCs and servers. Within days, the hackers published a program to seize control of unsuspecting computers, which was used by others in the Blaster worm attack this summer.

Counterattacks Increase

With malevolent programs on the rise, large software companies are trying to get a handle on the problem. A consortium of software giants including Microsoft and Oracle has joined with security firms such as Symantec Corp. to formalize the etiquette of hacking so that software makers have time to patch holes before they are disclosed to the world at large.

The rules proposed by the new Organization for Internet Safety would give companies a month or so to develop and distribute a patch. Then another month is supposed to elapse before the hacker can disclose any details about the problem that the patch was designed to fix.

But hackers say they are unlikely to sign off on the rules, especially because they would neutralize the biggest weapon in their arsenal -- the threat of public exposure.

In the meantime, companies that find themselves victimized by hackers are stepping up their counterattacks.

The New York Times wasn’t amused when Lamo, the hacker who helped WorldCom beef up its network security, bragged to SecurityFocus that he had wriggled into the newspaper’s computers.

Once inside, Lamo perused records of contributors to the paper’s Op-Ed page (including the Social Security numbers and home phone numbers of former heads of state), conducted database searches using the paper’s Lexis-Nexis account and added himself to a list of expert sources on hacking.

Unlike WorldCom, the New York Times called the FBI. In September, federal prosecutors in New York charged Lamo with the electronic equivalent of breaking and entering.

Out on bail, Lamo said he had no regrets about the way he hacked.

“I always knew that the things I did could have consequences,” he said.