
Hacker: Researchers at Risk

From one hacker to another: Watch your back

A popular white-hat hacker known as "simple nomad" is warning his peers that security researchers may soon have to go further underground to publish vulnerabilities and exploit code.

Mark Loveless (a.k.a. "simple nomad"), security architect for Vernier Networks, says recent events should spur researchers to operate as though they are being "watched."

To prove his point, Loveless points to developments such as Microsoft suing an anonymous hacker over hacking its DRM software; a rumor that Data Rescue may only sell its popular IDA Pro reverse-engineering tool to government agencies; and his general concerns about federal government "snooping."

Loveless, who will deliver the keynote on the topic at this weekend's ToorCon8 hacker conference in San Diego, Calif., said in an interview that he's trying to shake up the hacker community. "My main point is to get hackers to start acting like they are being watched constantly and [as if] they are under investigation, in an effort to start using safer computing tactics, encryption, etc.," he says. "I plan on telling them that up front -- if they are uncomfortable, there is a reason."

"This is a wakeup call," he says. "We're going to slowly lose ground, and the walls will close in tighter on our little community."

Not all researchers agree with Loveless' dire predictions. "The bigger driver shaping researchers these days is that there is really no motivation for an independent researcher to actually ever share any research with the public," says Marc Maiffret, CTO and chief hacking officer for eEye Digital Security. "The copyright laws and lawsuits are really more of a concern for companies who are doing research... Today there are exceptions to almost every law that allows for people to still reverse-engineer software for security purposes."

Dan Kaminsky, an independent researcher, says it's no surprise hackers are under as much scrutiny as anyone else today. He also considers the DRM issue separate: "I caution against seeing the DRM wars as reflective of anything larger," he says. Microsoft currently is suing the writer of a program called FairUse4WM for allegedly accessing source code in its copy protection technology.

Researchers say they watch their backs more carefully these days. And most security companies don't release exploit code for fear of legal ramifications.

Renowned researcher HD Moore says his former company, Digital Defense, was so afraid of legal ramifications that it released advisories on only two of more than 100 vulnerabilities it found in financial products in the nearly six years he spent at the company.

"Nearly all U.S. firms do not release exploit code," says Moore, director of security research for BreakingPoint Systems. "In my eyes, that's actually making the problem worse, since it's creating the perspective -- and assumption -- that releasing code makes one liable."

Moore admits he does worry a bit about what the future holds for researchers like him who publish exploit code. "But not enough to start hiding what I do," he says. "The only way it will become illegal is if we let it. So yes, be careful, but also support the EFF [Electronic Frontier Foundation] and pursue your own efforts to champion the cause," including contacting Congress.

Loveless, meanwhile, says researchers should be encrypting their correspondence and chats online if they aren't already. That's something Moore says he routinely does with about half the hackers he talks to.

And Loveless says he's worried about a rumor that Data Rescue is considering selling IDA Pro only to the government, thanks to some commercial licensing problems. The IDA Pro reverse-engineering tool is wildly popular among the hacker set. Data Rescue declined to comment for this article. But most researchers say even if it's true, other such tools will emerge to take its place.

Halvar Flake, CEO and head of research at Sabre Security, who has been using IDA Pro for eight years, says the anti-reverse-engineering movement is the result of a dying content industry looking for a new business model. "The existing copyright laws are more than sufficient to protect intellectual property if properly enforced."

Flake doesn't believe reverse-engineering is in danger, however. "I am fully convinced there is a valid need for reverse-engineering that is beneficial for, and needed by, society," says Flake, whose native Germany recently passed laws that have blurred whether possessing exploits is legal or not. Flake says in Germany it's now illegal to create, possess, or distribute tools for the purpose of a crime.

Loveless argues that it's getting more likely large vendors will go after hackers that reverse-engineer their software, citing the violation of software licensing terms. "Would this catch the bad or good white-hat? It will begin to play itself out in DRM."

Meanwhile, some researchers have simply stayed or moved overseas for more freedom in their work. Loveless says he's considered relocating out of the country, too. "I've been looking at that myself. I visited a real estate office" while overseas recently, Loveless says. "I want to know, if I end up having to move to continue my career, what my options are."

Moore says he works with a lot of overseas researchers in Israel, Spain, and Eastern Europe. "They don't have those types of worries over there about being sued."

And some security experts say the legal pressures from the vendor community are not so much about digital rights as about not taking responsibility for security problems in their own products. "I am seeing a disturbing trend for so-called 'victims' of these hacks to retaliate against the researcher/hacker rather than improve their product or service," says Richard Stiennon, founder and chief research analyst for IT-Harvest.

It hasn't had a chilling effect on researchers -- yet. Most researchers say they aren't panicking, and it hasn't slowed down their reverse-engineering or exploit-writing. "My view is that the more I do to make exploit technology commonplace and justifiably useful, the less chance the U.S. outlaws exploit distribution," Moore says.

The downside is any legal fallout will hurt the honest, indie researcher. "I predict that the independent, honest researcher will have second thoughts about publishing their discovered vulns [sic]," says IT-Harvest's Stiennon. "The unethical hackers will not even be aware this is happening and won't care. And honest researchers at companies/organizations will feel protected by their employer."

— Kelly Jackson Higgins, Senior Editor, Dark Reading