Adrian Lamo — Part 2
Page 265
News: When is hacking a cri
software vulnerabilities should be disclosed only to the software
maker or a trusted third party. At the other are the black hats who are
generally interested only in gaining access and breaking security.
In the middle are the gray hats, who are finding their once-acceptable
acts, such as informing the public of company security holes, could
now land them in jail.

DEFINING hacker
Who is a hacker?
In the most general sense, a "hacker" is someone who enjoys modifying
and subverting systems, whether technological, bureaucratic or
sociological.
Most often the term is used to describe someone who has learned about
technology by picking apart systems.
In the past decade, however, "hacker" has come to describe those
people with a hands-on interest in computer security and
circumventing such security.

Even the White House has weighed in on the controversy. While
acknowledging the need for third-party discovery of flaws, President
Bush's cybersecurity team believes that more stringent ethics need to
be the rule, rather than the exception.
"We are reaching a crossroad where decisions have to be made as to
which way people are going to go: Are they going to continue to
function as a security consultant or go to the dark side?" said
Howard Schmidt, vice chairman of the White House's Critical
Infrastructure Protection Board.
That sentiment is echoing across the once-vast gray area where the
majority of today's serious hackers toil. With law enforcement and
corporate legal departments increasingly on the attack, many
security experts are worrying that the next bug they discover or tool
they create could get them sued or prosecuted.
"You can't do anything these days," complained H.D. Moore, a
security expert and hacker for network protection firm Digital
Defense. "It used to be that you could hack a box and people would
say, 'Ah, it's just a stupid kid.' Now it's a mission-critical server you
just hit, and that's terrorism."
Making the situation more difficult is the amorphous definition of
ethical hacking. Although the subject has been addressed
extensively in flaw and ethics philosophy, rarely a month goes by
without a debate over whether a particular vulnerability had been
disclosed responsibly.
The term "gray hat" was originally coined by the L0pht (one of the
best-known old-school hacking groups, pronounced "the loft") for
those who wanted to stand apart from corporate security testers but
also distance themselves from the notorious black hats. The
category defined by this phrase has come to encompass most
independent security experts and consultants, as well as many
corporate security researchers.
"We chose the term 'gray hat' to represent the independent
researcher who didn't have a vested interest in any particular
company or product," said Chris Wysopal, director of research and
development for security firm @Stake, a company that had been
formed out of the core group of L0pht hackers. Wysopal himself went
Page 2 of 6
FBI(19-cv-1495)-1038