Adrian Lamo — Part 2
Page 267
News: When is hacking a crime?

hackers, bringing in outsiders only on occasion, said Chief Security Officer Mary Ann Davidson.

"I use the term 'hacker' mostly in a term of professional respect," she said. "I don't believe in blaming the research community for our own failings, but we should let light in on the situation."

Others, however, operate on a don't-ask, don't-tell policy.

"Companies say, 'We don't hire hackers.' But you go there and they have a room full of them," said "md5," a member of the GhettoHackers, a Seattle-area group of white hats.

Today's security-conscious climate means that programmers and hackers have to pay more attention to politics and laws, a new sensitivity that some believe has discouraged them from notifying companies of vulnerabilities.

"There are a lot of (flaws) still being discovered, but no one is releasing them," Moore said. While lists such as Bugtraq continue to post flaws, he added, "interesting" vulnerabilities aren't being disclosed as often.

The recent experience of Secure Network Operations is a case in point. Finisterre--who also goes by "dotslash"--has not changed his philosophy, but his company has become far more wary of publicizing security flaws. "We are more treading on water when we approach a vendor now, because what HP did scared the crap out of us," he said.

Hats of the future

The debate has given rise to some new possible guidelines for defining hacker ethics. For some time, a hacker known as Rain Forest Puppy has adhered to a policy that spells out how a security researcher and a software maker should communicate. At its core, the so-called RFPolicy guidelines recommend that a software company give updates to the researcher every five days.

@Stake's Wysopal co-authored a more formal set of rules for researchers that advocates more leniency for software makers. Rather than five days, the report asked researchers to give a company seven days to respond and 30 days to make a good-faith attempt to fix the problem.

Oracle's Davidson said such guidelines begin an important dialogue. "Not to excuse ourselves for sitting on our keisters, if that's what we are doing, but to say, 'Step into our shoes,'" she said. "Hackers only have to find one hole to make a name for themselves, but we have to find all of them."

And as companies and law enforcement agencies focus increasingly on the vulnerabilities of critical networks and systems, those considering themselves gray hats may not have much longer to play in the middle of the road.

"I think that we have seen a shift in people and their focus to do the right thing," said Schmidt of the White House cybersecurity team. "No matter what color your hat, you need to realize that there is a greater dependency on networks today."
Page 4 of 6
FBI(19-cv-1495)-1040