When coding becomes a crime
Jim Stickley has just walked into a bank and stolen the contents of its entire customer database.
Dressed as a maintenance worker, he bypassed security, installed a wireless sniffer in a spare computer port, made good his escape and, using a laptop stashed in a nearby van, harvested social security numbers, bank details and passwords of the bank’s customers using custom-built code.
“Sometimes I go in as a tax inspector or health-and-safety officer. I nearly always install a network sniffer – it rarely goes south,” Stickley said. “But, yeah, sometimes people from the organisation get arrested.”
Stickley has a right to commit these apparent heists – as a professional penetration tester, he gets paid for what he describes as the “most exciting job in the world, dodging guards and firewalls”.
However, his work is legal only because he has permission from the companies he hacks; without it, he’d be arrested and imprisoned for computer crime, like an increasing number of hackers, ethical or otherwise.
However, staying on the right side of the law isn’t as easy as you might imagine. It has more to do with getting the paperwork right than with motivation: if you have permission, it’s legal. Officials around the world may be ramping up their own cybersecurity efforts, but they take a dim view of security researchers working outside the law.
Security research isn’t clear-cut. Deliberately vague laws that vary from country to country leave security workers and hobbyist hackers at risk of legal action.
Take, for example, the case of Andrew Auernheimer (also known as “weev”), a 27-year-old hacker who was sentenced in March to three years and five months in prison for exposing a weakness at US carrier AT&T, in what he claims was an effort to improve the company’s security. He became an unlikely cause célèbre among security workers because the authorities had to stretch the limits of American hacking laws to put him away.
While he isn’t a figure who easily attracts sympathy – he’s known for obnoxious behaviour online and describes himself as a troll – the security industry feared that, by making an example of Auernheimer, the US would set a precedent.
His sentence was for an “exploit” that didn’t involve breaking and entering; the AT&T system was so insecure he was able to harvest the email addresses of iPad owners without employing any dark arts. Auernheimer and an accomplice discovered that AT&T revealed the addresses to anyone who entered a URL based on an ICCID number, which is unique to every iPad SIM; simply guessing the URLs revealed the addresses.
Since these numbers were sequential, it was easy to harvest 114,000 of them using a widely available script. However, it didn’t help Auernheimer’s case that he collected details on the mayor of New York, the White House chief of staff, and several military officials.
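The flaw described here is a lookup keyed on a guessable, sequential identifier, and the tell-tale sign on the server side is one client walking consecutive values. The following is an added illustration, not code from the article or from AT&T: it runs a simple enumeration check over a constructed access log whose `/lookup?iccid=` endpoint and addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log (hypothetical endpoint, not real carrier data):
# one client walks consecutive identifiers, another repeats a single normal lookup.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2010:10:00:01 +0000] "GET /lookup?iccid=89014100000000000001 HTTP/1.1" 200 142
10.0.0.5 - - [09/Jun/2010:10:00:02 +0000] "GET /lookup?iccid=89014100000000000002 HTTP/1.1" 200 138
10.0.0.5 - - [09/Jun/2010:10:00:02 +0000] "GET /lookup?iccid=89014100000000000003 HTTP/1.1" 200 151
10.0.0.5 - - [09/Jun/2010:10:00:03 +0000] "GET /lookup?iccid=89014100000000000004 HTTP/1.1" 200 0
10.0.0.5 - - [09/Jun/2010:10:00:03 +0000] "GET /lookup?iccid=89014100000000000005 HTTP/1.1" 200 147
10.0.0.9 - - [09/Jun/2010:10:00:04 +0000] "GET /lookup?iccid=89014100000000004213 HTTP/1.1" 200 140
10.0.0.9 - - [09/Jun/2010:10:05:30 +0000] "GET /lookup?iccid=89014100000000004213 HTTP/1.1" 200 140
"""

# Client address and the numeric identifier passed to the lookup endpoint.
LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"GET /lookup\?iccid=(?P<id>\d+) ')


def parse_lookups(log_text):
    """Return {client_ip: [identifier, ...]} for every lookup request seen."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_ip[m.group("ip")].append(int(m.group("id")))
    return dict(by_ip)


def longest_consecutive_run(ids):
    """Longest streak of distinct identifiers that differ by exactly 1.

    Repeated requests for the same value do not lengthen the run, so a
    client re-fetching its own record is not mistaken for enumeration.
    """
    uniq = sorted(set(ids))
    best = run = 1 if uniq else 0
    for prev, cur in zip(uniq, uniq[1:]):
        run = run + 1 if cur - prev == 1 else 1
        best = max(best, run)
    return best


def flag_enumeration(log_text, min_run=4):
    """Map each client whose identifiers form a consecutive run of at
    least min_run to the length of that run; quiet clients are omitted."""
    flagged = {}
    for ip, ids in parse_lookups(log_text).items():
        run = longest_consecutive_run(ids)
        if run >= min_run:
            flagged[ip] = run
    return flagged
```

The durable fix is on the application side: tie the record to an authenticated session rather than to an identifier anyone can increment, and alert on runs like the one above while that change is being made.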
Auernheimer didn’t publish the data, but he passed it to a Gawker blogger who published a selection with much of the detail redacted. Despite this, the FBI was immediately on the case, pushing hard for a conviction.
The security community argued that Auernheimer’s actions shouldn’t count as hacking; if going to a web page and copying an email address counts as “unauthorised access”, many of us have committed a crime.
“The data Weev collected was email addresses and names, nothing sensitive in the slightest. Everything they collected was essentially sent in cleartext over the internet at some point,” said Immunity founder and former NSA security researcher Dave Aitel at the time. “It’s obvious to anyone with any technical background that the case the FBI brought against him is a travesty, and the fact they won is even more insane.”