What's The Line Between Good Samaritan Hacking... And Extortion?
from the sending-a-bill,-perhaps dept
We've had plenty of stories in the past about security researchers who have faced legal problems after exposing security vulnerabilities in various products or websites, leading to long debates about the border between breaking the law and trying to help protect against vulnerabilities. Plenty of security researchers are now afraid to even report some vulnerabilities, for fear of having the messenger blamed (or, worse, arrested). However, there probably is a line to be drawn somewhere -- and calling up a bank that had a flaw in its website, telling them how to fix it, and then demanding payment for letting them know about it, probably crosses that line. It's one thing to have the company ask you to help them fix a hole you discovered. It's quite another to demand payment. In this case, though, even though the hacker pleaded guilty, the judge let him off, noting that it seemed more a mistake of being naive than any malicious intent.
Reader Comments
asking for money
[ link to this | view in thread ]
Originally
[ link to this | view in thread ]
[ link to this | view in thread ]
Hacker
darkwind
[ link to this | view in thread ]
if these terms are misused or changed or what, i'm sorry. but yeah. when someone discovers a hole in the system, they sure as hell should report it. demanding payment/withholding information unless paid is wrong. but i'll come back to the "catch me if you can" movie. the feds knew this guy was a master forger and whatnot. did they throw him in jail? yes. did they realize he had the brains to defeat just about anyone that tried to copy him, HELL YES. and just like any smart business, they hired him to protect their assets.
[ link to this | view in thread ]
The problem is...
[ link to this | view in thread ]
Hardly Extortion
[ link to this | view in thread ]
Hacker
It is no different than having someone break into your house then turn around and tell you that they broke in and here is how to fix the problem. I'm sorry but I would have that person arrested just the same for breaking and entering.
I feel that yes having people hack systems to find vulnerabilities is a good thing but it should be something the owner of the system has agreed to allow happen in order to improve their security.
"There was an unspoken hacker rule/ethic that the only reason you would hack a system is to gain the knowledge." This statement is a joke unto itself. The definition of:
ethic - the discipline dealing with what is good and bad and with moral duty and obligation.
Since when is it another person's moral duty and obligation to invade another's privacy since that is what a hacker is doing. Even if they are doing it just to see how a system works. They are still invading another's privacy. Most people would not tolerate someone invading their privacy in the real world why should they tolerate it in cyber space.
So in short anyone who is caught hacking should be at the mercy of the victim of the hacking unless they were asked by the victim to hack the system as part of a service.
[ link to this | view in thread ]
Re: Hacker
[ link to this | view in thread ]
Why is online any different from offline?
Also remember that intent is part of the equation for criminal charges. If someone can prove that they never intended to commit a crime, they should not be found guilty. Course, it is against the law to attempt to or hack into a system. The second you try to defeat the security a site has, you are breaking the law. Doesn't matter what your purpose is once you get in, trying to get in is against the law.
[ link to this | view in thread ]
it's an unclear line. what is good? what is bad? did they steal, did they want to, are they writing backdoors so their "friends" can come in and save the day?
[ link to this | view in thread ]
it's the other way around
hackers gain fame and respect by sharing knowledge, writing good code that they give away, or by playing elaborate, albeit mostly harmless, pranks.
crackers are malicious or profit seeking in their intent and are not often interested in fame or respect.
in the old days, before PCs, the only way to get access to a computer if you weren't a student was to "borrow" time on a university or corporate mainframe. back then, computer security was based largely on obscurity, so gaining access was often trivial. most of the time all you needed to know was the phone number for a modem, which could easily be found using a wardialer. so it's true that some old school hacking did involve a form of digital trespassing, it was more along the lines of loitering than breaking and entering.
today, now that PCs make computers accessible to many more people, and the internet provides access to way more information, there is not much need to "borrow" time on other people's systems, so the term hacking has been confused with cracking. most modern hackers have systems of their own and are part of organized projects. there are some legitimate reasons to probe a system's security, like white and blackbox security testing, pen testing, and the like.
it should also be pointed out that much of the exploitation and damage is done by people who use real hackers' tools to do harm, but possess no real knowledge themselves. these people are known as script kiddies.
a real hacker finds a flaw in a system, publishes it so the vendor will be pressured into fixing it, and crackers use the exploit to break stuff in the meantime. if the vendor is stupid and doesn't fix the flaw quickly, then the exploit gets automated in a script or some other tool and script kiddies run wild with it.
for example: the encryption on the password file for NT/win2k/winXP can be brute forced somewhat trivially. the guy that discovered the process was a real hacker. the problem has yet to be fixed in the default windows install, so there are a hundred kiddie toolz out there to "recover lost passwords".
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: it's the other way around
Your statement is ridiculous! How would you know? The greatest "criminals" as hackers are usually thought of, are the ones that never reveal what they've done.
[ link to this | view in thread ]
RE: Hacker
On the other hand, if someone could easily walk into a bank and dodge all security measures - not leaving a single trace - that would be a big problem. You're not just supposed to protect yourself via your house - you're also supposed to protect your family members. The bank, on the other hand, is legally and morally bound to protect its members and their money. If it's going to arrest anyone that is courageous enough to reveal that they have security vulnerabilities - whether physical or digital - then it is not pro-actively protecting its members' security.
Was the hacker in question "out of line" for trying to demand payment? Yes. But I would also say that the bank should have offered to pay him in the first place for providing a service that they should have. Was he out of line in the first place by hacking into the bank? Legally, yes - morally, on the other hand, no, as his intentions (I hope and have been given no contrary evidence) were pure.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
[ link to this | view in thread ]
Hacker
I know some people who used to hack into our school's computer system and would change passwords and grades and call it a joke. That is the kinda shit that gets hackers (or information liberators, as most prefer) a bad name.
Bottom line... Nothing is completely safe if it is online.
Don't want information compromised, then don't put it online
[ link to this | view in thread ]
Re: Re:
I completely agree...
[ link to this | view in thread ]
Etymology of "hacker"
I've found calling malicious hacking efforts "mal-hacking" to be a whole lot more clearly understood by non-geeks than the term "cracking."
My Midwesterner grandparents talked about "hacking away" at a problem long before the advent of the personal computer. "Like cuttin' down a tree. You have to keep hacking away at it."
I believe the original MIT hackers kept hacking away at their model railroad* until they got it to work, someone applied the term "hacking" to their dogged efforts, and the title "hacker" was born. It was a complimentary term, denoting a willingness to follow through a tedious job with attention to minute detail.
*For those not familiar with the story, a group of MIT model railroad enthusiasts are said to have taken a pile of old electro-mechanical telephone switching equipment and cobbled together a complex control system for their RR layout. Several authors hold that they were the first to be called "hackers" in a modern technical context.
[ link to this | view in thread ]
There is one problem with Darkwind's statement about nothing online being safe. So should we stop online banking, online payments, online trading, online anything? Think about it, if it's not safe, why should people use the Internet for commercial use?
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
It's just a mistake
The bank probably wanted to know who this guy was, they called the cops on him. It turns out he had prior convictions of fraud. Now, he works as a casual security consultant, some of the work having been performed for the aforementioned institutions.
After the judge saw that this guy is on the straight and narrow, they let him go.
This guy just isn't too smart about how to do business with banks.
[ link to this | view in thread ]
Re: Hacker
Entirely different scenario than what you're presenting.
[ link to this | view in thread ]
Re: Hacker
[ link to this | view in thread ]
Re: Re: it's the other way around
do you have *any* idea who those guys are?
[ link to this | view in thread ]