What's The Line Between Good Samaritan Hacking... And Extortion?

from the sending-a-bill,-perhaps dept

We've had plenty of stories in the past about security researchers who have faced legal problems after exposing security vulnerabilities in various products or websites, leading to long debates about the border between breaking the law and trying to help protect against vulnerabilities. Plenty of security researchers are now afraid to even report some vulnerabilities, for fear of having the messenger blamed (or, worse, arrested). However, there probably is a line to be drawn somewhere -- and calling up a bank that had a flaw in its website, telling them how to fix it, and then demanding payment for letting them know about it, probably crosses that line. It's one thing to have the company ask you to help them fix a hole you discovered. It's quite another to demand payment. In this case, though, even though the hacker pleaded guilty, the judge let him off, noting that it seemed more a naive mistake than an act of malicious intent.


Reader Comments

  1.  
    JJ, Sep 28th, 2006 @ 1:29am

    asking for money

    yeah, i'd say the demanding money part pretty clearly is where the line was crossed in this case.

     

  2.  
    Kevin, Sep 28th, 2006 @ 1:41am

    Originally

    Originally, there was an unspoken hacker rule/ethic that the only reason you would hack a system is to gain the knowledge of how the system worked and you would not alter anything. I think the line is drawn when someone uses extortion tactics (extortion is illegal) or starts messing around with files. To use an (albeit poor) analogy, if I am walking along the sidewalk and step on your lawn, it shouldn't be a big deal. Unless I come up and start messing up your property, or unlocking your fence and telling you I found a hole in your security system and demand to be paid for my (unsolicited) work.

     

  3.  
    milo, Sep 28th, 2006 @ 3:51am

    "there was an unspoken hacker rule/ethic that the only reason you would hack a system is to gain the knowledge" Exactly.

     

  4.  
    Darkwind6975, Sep 28th, 2006 @ 4:33am

    Hacker

    In most cases the ethics have been dropped but I still believe there are some good information liberators out there, albeit not very many, but there are still some.. I mean Window recently asked the hackers at death con to try and see if they could break Windows Vista security.. that will make my information safer in the long run

    darkwind

     

  5.  
    Anonymous Coward, Sep 28th, 2006 @ 5:47am

    it has always been my understanding that hacking is breaking into a secured establishment with the INTENT of causing malicious harm. CRACKING afaik is the breaking into a secured establishment with the intent of doing it/learning the process while not actually damaging the content.

    if these terms are misused or changed or what, i'm sorry. but yeah. when someone discovers a hole in the system, they sure as hell should report it. demanding payment/withholding information unless paid is wrong. but i'll come back to the "catch me if you can" movie. the feds knew this guy was a master forger and whatnot. did they throw him in jail? yes. did they realize he had the brains to defeat just about anyone that tried to copy him, HELL YES. and just like any smart business, they hired him to protect their assets.

     

  6.  
    Sanguine Dream, Sep 28th, 2006 @ 5:48am

    The problem is...

    on both sides of the hack. Some hackers go too far and demand money as well as alter/copy/steal information. I don't hack but I know that it's supposed to, "So this is how this works." and not, "I wonder what this data is worth?" But at the same time you have corporations that have turned hackers into a scapegoat for any technological wrongdoing/mistake/blunder.

     

  7.  
    Ben Robinson, Sep 28th, 2006 @ 5:52am

    Hardly Extortion

    I think it is a bit much to call this case extortion, he was a bit cheeky yes but not extortion. At the time he asked for the money he had already done everything and helped the bank secure their systems. The fact that he then decided to bill them for his time can hardly be called extortion. To use another lawn analogy it's a bit like cutting a stranger's overgrown lawn, without him asking you, then billing him for your time.

     

  8.  
    Darstan, Sep 28th, 2006 @ 6:01am

    Hacker

    I think anyone that hacks a system, without the express consent of the owner of the system should be prosecuted no matter if they are doing it for the benefit of security or not.

    It is no different than having someone break into your house then turn around and tell you that they broke in and here is how to fix the problem. I'm sorry but I would have that person arrested just the same for breaking and entering.

    I feel that yes having people hack systems to find vulnerabilities is a good thing but it should be something the owner of the system has agreed to allow happen in order to improve their security.

    "There was an unspoken hacker rule/ethic that the only reason you would hack a system is to gain the knowledge." This statement is a joke unto itself. The definition of:

    ethic - the discipline dealing with what is good and bad and with moral duty and obligation.

    Since when is it another person's moral duty and obligation to invade another's privacy since that is what a hacker is doing. Even if they are doing it just to see how a system works. They are still invading another's privacy. Most people would not tolerate someone invading their privacy in the real world why should they tolerate it in cyber space.

    So in short anyone who is caught hacking should be at the mercy of the victim of the hacking unless they were asked by the victim to hack the system as part of a service.

     

  9.  
    ebrke, Sep 28th, 2006 @ 6:21am

    Re: Hacker

    I would agree with you except for the troubling thought that many companies feel that security by obscurity is a great security model and would never ask anyone to test their defenses. They seem to prefer to clean up the mess afterward rather than being proactive and trying to prevent the mess in the first place. The old "it won't happen to us" mentality.

     

  10.  
    Anonymous Coward, Sep 28th, 2006 @ 6:25am

    I walk down the street late at night and see that the door to the bank has been unlocked. I open the door, I walk through the bank, I go into offices, I see the vault has been left open, and I walk in and look at all the money. A cop sees me in there, what do you think will happen? Or, the next day, people realize that the bank was left unsecured, think I would expect a call from the police after the security tapes were reviewed?

    Why is online any different from offline?

    Also remember that intent is part of the equation for criminal charges. If someone can prove that they never intended to commit a crime, they should not be found guilty. Course, it is against the law to attempt to or hack into a system. The second you try to defeat the security a site has, you are breaking the law. Doesn't matter what your purpose is once you get in, trying to get in is against the law.

     

  11.  
    Anonymous Coward, Sep 28th, 2006 @ 6:28am

    well, sure arrest them. and have the owner hire people to breach his security. remember, these guys pay top dollar to protect their systems, and THINK they are safe. to pay someone else to "break" that is just a waste in their minds. either they paid too much for the protection, or don't want to admit they are wrong.

    it's an unclear line. what is good? what is bad? did they steal, did they want to, are they writing backdoors so their "friends" can come in and save the day?

     

  12.  
    chris (profile), Sep 28th, 2006 @ 6:54am

    it's the other way around

    hacking is the pursuit of knowledge, period. there are many great hackers that have never intruded on any system. richard stallman, linus torvalds, eric raymond, steve wozniak, are all famous hackers that have never broken into a computer system or stolen anything.

    hackers gain fame and respect by sharing knowledge, writing good code that they give away, or by playing elaborate, albeit mostly harmless, pranks.

    crackers are malicious or profit seeking in their intent and are not often interested in fame or respect.

    in the old days, before PC's, the only way to get access to a computer if you weren't a student was to "borrow" time on a university or corporate mainframe. back then, computer security was based largely on obscurity, so gaining access was often trivial. most of the time all you needed to know was the phone number for a modem, which could easily be found using a wardialer. so it's true that some old school hacking did involve a form of digital trespassing, it was more along the lines of loitering than breaking and entering.

    today, now that PCs make computers accessible to many more people, and the internet provides access to way more information, there is not much need to "borrow" time on other people's systems, so the term hacking has been confused with cracking. most modern hackers have systems of their own and are part of organized projects. there are some legitimate reasons to probe a system's security, like white and blackbox security testing, pen testing, and the like.

    it should also be pointed out that much of the exploitation and damage is done by people who use real hacker's tools to do harm, but possess no real knowledge themselves. these people are known as script kiddies.

    a real hacker finds a flaw in a system, publishes it so the vendor will be pressured into fixing it, and crackers use the exploit to break stuff in the mean time. if the vendor is stupid and doesn't fix the flaw quickly, then the exploit gets automated in a script or some other tool and script kiddies run wild with it.

    for example: the encryption on the password file for NT/win2k/winXP can be brute forced somewhat trivially. the guy that discovered the process was a real hacker. the problem has yet to be fixed in the default windows install, so there are a hundred kiddie toolz out there to "recover lost passwords".

     

  13.  
    Darstan, Sep 28th, 2006 @ 7:14am

    Hacker

    I think anyone that hacks a system, without the express consent of the owner of the system should be prosecuted no matter if they are doing it for the benefit of security or not.

    It is no different than having someone break into your house then turn around and tell you that they broke in and here is how to fix the problem. I'm sorry but I would have that person arrested just the same for breaking and entering.

    I feel that yes having people hack systems to find vulnerabilities is a good thing but it should be something the owner of the system has agreed to allow happen in order to improve their security.

    "There was an unspoken hacker rule/ethic that the only reason you would hack a system is to gain the knowledge." This statement is a joke unto itself. The definition of:

    ethic - the discipline dealing with what is good and bad and with moral duty and obligation.

    Since when is it another person's moral duty and obligation to invade another's privacy since that is what a hacker is doing. Even if they are doing it just to see how a system works. They are still invading another's privacy. Most people would not tolerate someone invading their privacy in the real world why should they tolerate it in cyber space.

    So in short anyone who is caught hacking should be at the mercy of the victim of the hacking unless they were asked by the victim to hack the system as part of a service.

     

  14.  
    Anonymous Coward, Sep 28th, 2006 @ 7:14am

    Re:

    I believe it is the other way around: hacking=knowledge; cracking=malice...

     

  15.  
    Darstan, Sep 28th, 2006 @ 7:18am

    Hacker

    I think anyone that hacks a system, without the express consent of the owner of the system should be prosecuted no matter if they are doing it for the benefit of security or not.

    It is no different than having someone break into your house then turn around and tell you that they broke in and here is how to fix the problem. I'm sorry but I would have that person arrested just the same for breaking and entering.

    I feel that yes having people hack systems to find vulnerabilities is a good thing but it should be something the owner of the system has agreed to allow happen in order to improve their security.

    "There was an unspoken hacker rule/ethic that the only reason you would hack a system is to gain the knowledge." This statement is a joke unto itself. The definition of:

    ethic - the discipline dealing with what is good and bad and with moral duty and obligation.

    Since when is it another person's moral duty and obligation to invade another's privacy since that is what a hacker is doing. Even if they are doing it just to see how a system works. They are still invading another's privacy. Most people would not tolerate someone invading their privacy in the real world why should they tolerate it in cyber space.

    So in short anyone who is caught hacking should be at the mercy of the victim of the hacking unless they were asked by the victim to hack the system as part of a service.

     

  16.  
    Muychingon, Sep 28th, 2006 @ 7:24am

    Re: it's the other way around

    richard stallman, linus torvalds, eric raymond, steve wozniak, are all famous hackers that have never broken into a computer system or stolen anything.

    Your statement is ridiculous! How would you know? The greatest "criminals" as hackers are usually thought of, are the ones that never reveal what they've done.

     

  17.  
    Jaek, Sep 28th, 2006 @ 7:25am

    RE: Hacker

    Oh, sure. Compare someone hacking into a bank's website - which should be secure - to breaking into someone's house - which is easy. You're supposed to be able to feel secure in your own house, even though the house is not secure. With all likelihood, someone could break in without waking you up or alerting you, even if you were in the other room.

    On the other hand, if someone could easily walk into a bank and dodge all security measures - not leaving a single trace - that would be a big problem. You're not just supposed to protect yourself via your house - you're also supposed to protect your family members. The bank, on the other hand, is legally and morally bound to protect its members and their money. If it's going to arrest anyone that is courageous enough to reveal that they have security vulnerabilities - whether physical or digital - then it is not pro-actively protecting its members' security.

    Was the hacker in question "out of line" for trying to demand payment? Yes. But I would also say that the bank should have offered to pay him in the first place for providing a service that they should have. Was he out of line in the first place by hacking into the bank? Legally, yes - morally, on the other hand, no, as his intentions (I hope and have been given no contrary evidence) were pure.

     

  18.  
    Ben Robinson, Sep 28th, 2006 @ 7:29am

    Re:

    Your analogy would only be appropriate if instead of being caught by the police, after going into the vault and seeing the money he had gone back outside, phoned the bank and said your door and vault are open, anybody could steal the money. Then later sending them an invoice for security services for spotting the open doors and at that point getting arrested for extortion.

     

  19.  
    Anonymous Coward, Sep 28th, 2006 @ 7:53am

    hey darstan, how many times you gonna post your stupid rantings?

     

  20.  
    Darkwind6975, Sep 28th, 2006 @ 7:54am

    Hacker

    Look we will all disagree on any one answer. The law however is clear... It is still against the law to enter someone's computer without their expressed permission. So whether it is for fame, money, information, or anything else it is not acceptable by the court of law.
    I know some people who used to hack into our school's computer system and would change passwords and grades and call it a joke. That is the kinda shit that gets hackers (or information liberators as most prefer) a bad name.

    Bottom line... Nothing is completely safe if it is on-line.
    Don't want information compromised then don't put it on line

     

  21.  
    Darkwind6975, Sep 28th, 2006 @ 8:09am

    Re: Re:

    Anonymous.. I respect you more and more after each comment of yours I read.
    I completely agree...

     

  22.  
    Phlatus the Elder, Sep 28th, 2006 @ 8:20am

    Etymology of "hacker"

    Just to stay sort of on topic, this person did indeed cross the line.

    I've found calling malicious hacking efforts "mal-hacking" to be a whole lot more clearly understood by non-geeks than the term "cracking."

    My Midwesterner grandparents talked about "hacking away" at a problem long before the advent of the personal computer. "Like cuttin' down a tree. You have to keep hacking away at it."

    I believe the original MIT hackers kept hacking away at their model railroad* until they got it to work, someone applied the term "hacking" to their dogged efforts, and the title "hacker" was born. It was a complimentary term, denoting a willingness to follow through a tedious job with attention to minute detail.

    *For those not familiar with the story, a group of MIT model railroad enthusiasts are said to have taken a pile of old electro-mechanical telephone switching equipment and cobbled together a complex control system for their RR layout. Several authors hold that they were the first to be called "hackers" in a modern technical context.

     

  23.  
    Anonymous Coward, Sep 28th, 2006 @ 8:29am

    The term hacker isn't all that great in the world of golf.

    There is one problem with Darkwind's statement about nothing online being safe. So should we stop online banking, online payments, online trading, online anything? Think about it, if it's not safe, why should people use the Internet for commercial use?

     

  24.  
    Darkwind6975, Sep 28th, 2006 @ 8:31am

    Re:

    that's a good question.. I do but I know the risks and accept them

     

  25.  
    Lay Person, Sep 28th, 2006 @ 9:18am

    It's just a mistake

    It appears this guy did work not only for the NZ Telecom company but the police department as well.

    The bank probably wanted to know who this guy was, they called the cops on him. It turns out he had prior convictions of fraud. Now, he works as a casual security consultant, some of the work having been performed, for the aforementioned institutions.

    After the judge saw that this guy is on the straight and narrow, they let him go.

    This guy just isn't too smart about how to do business with banks.

     

  26.  
    Chris, Sep 28th, 2006 @ 11:24am

    Re: Hacker

    That's a stupid argument. If someone breaks into your house and says "hey, your locks won't stop a determined person with a crowbar," then yes, they should be prosecuted. Then again, if someone wakes you up at night and says "hey, did you know there's a giant hole in the back of your house? Yeah, I just walked right in. You should probably fix that."

    Entirely different scenario than what you're presenting.

     

  27.  
    crystal_tech, Sep 28th, 2006 @ 1:46pm

    Re: Hacker

    i think there is a show bout breaking into houses lol... but i'm guessing you're a mac user?

     

  28.  
    chris (profile), Oct 4th, 2006 @ 3:45pm

    Re: Re: it's the other way around

    Your statement is ridiculous! How would you know? The greatest "criminals" as hackers are usually thought of, are the ones that never reveal what they've done.

    do you have *any* idea who those guys are?

     
