
It's a weblog! ... sort of.

Thursday, April 25 2024

Max Vision: Black Hat or White Hat?

Hackers

This is interesting. I stumbled across an old wired.com article dating back to May 24. I'm somewhat surprised I hadn't heard about it earlier -- Max was (and still is) a respected member of the security community; the ArachNIDS database of network attack signatures at www.whitehats.com is the best publicly available signature database on the web, and is better and more current than many commercial products. It's true that he's done much to help keep computers secure.

A few things about this bother me. First, although it's only implied by the article, it appears that the Feds busted him as retribution for his refusal to inform on his friend. It bothers me more that the FBI had specifically instructed him to collect PGP keys at DefCon - I had always believed that the reports of Feds attending DC to look for bad guys were way overblown, although recent events (the arrest of Dmitry Sklyarov) suggest otherwise.

However, I think what bothers me the most is the fact that, as Max says, the difference between white hat and black hat is small. I am concerned that the hunt for hackers (and I'm not talking about people like the Russian extortionists) will have negative consequences for security professionals. Already there has been at least one security professional, Scott Moulton, arrested for basically doing his job. You can read about it at securityfocus (sorry about the frames) and I also found a message he sent to a security mailing list at neohapsis.

While Moulton probably shouldn't have scanned the 911 network without permission, I firmly believe what he did does not justify criminal charges. If it happened to me, I would definitely be upset, and if I was his employer, I might terminate his contract, but there's no way that this guy should even be facing criminal charges for what he did. At least the Federal civil suit was thrown out.

It could just as easily have been any of a large number of security professionals who, in the course of their job, either scan for vulnerabilities or probe a suspected attacker to gather more information. Georgia needs to get a clue.

posted by Loki on Fri, 07 Sep 2001 12:46:48 -0500