Black Hat speaker calls for an end to gray-hat hacking
Marcus J. Ranum, security guru and chief executive officer of Network Flight Recorder Inc. of Rockville, Md., has been making enemies lately by calling for more accountability among hackers, especially those who produce so-called toolz, freeware used to expose and exploit security vulnerabilities.
Proponents of toolz and of full disclosure of security holes in commercial products say toolz are the best way to educate users about risks and to ensure that software makers fix holes. But Ranum believes they only encourage the legions of script kiddies, or casual hackers who use other people's work to attack systems.
'Distributing these toolz is not helping,' Ranum told an audience at the Black Hat Briefings in Las Vegas last month. 'Free speech in computer security has created an enormous gray area where people are comfortable doing irresponsible things.'
Hackers' rights
His suggestion that there should be limits to free speech did not sit well with many in the largely libertarian audience. But Ranum warned that the days of the gray-hat hackers, those who inhabit the shadows between the good-guy white hats and the criminal black hats, are numbered. His agenda is to radicalize the issue of computer security and eliminate fence-sitters.
'I don't think we're going to make progress on this issue until we can say, 'This is a good guy, and this is a bad guy,' ' he said.
The public no longer perceives hackers as colorful and amusing characters, Ranum said. The government and other organizations see them as an army of nonideological terrorists. Ranum predicted that a legal plague of biblical proportions will descend on hackers as civil litigation replaces criminal prosecution.
Ranum was not alone in his prediction that litigation is going to make a hacker's life miserable.
'Just cure it by suing people,' said Dominique Brezinski, a technical adviser at the CIA's In-Q-Tel technology incubator. 'In a lot of cases, civil [action] makes more sense than criminal.'
Lawyers are better funded than law enforcement agencies, he said. Civil cases are easier to win, more damaging to the defendant and hold out the possibility of recovering damages for the plaintiff.
Brezinski, who used to work for online bookseller Amazon.com Inc., said the company lost millions of dollars earlier this year in what he called stupid attacks.
'The vast majority were launched by teenagers and others doing it for fun,' he said. 'But it's not so fun when they get sued for the costs of the attacks or more.'
Not everyone agreed.
'My view is diametrically opposed to Marcus's,' said Mudge, vice president of research and development for the security consulting company @Stake Inc. of Cambridge, Mass. The executive, who goes only by the name Mudge, formerly was a prominent member of the hacker group L0pht.
L0phtCrack, a Windows password-auditing tool developed by Mudge that is useful to hackers and systems administrators alike, was singled out by Ranum as an example of a tool that does more harm than good.
'Stop distributing that stuff,' Ranum chided his friend Mudge.
'L0phtCrack 3.0 comes out in two days,' Mudge retorted.