Computer programmers, researchers and students descended on New York City's Hotel Pennsylvania today for the HOPE conference, a forum for all things related to security, including a healthy dose of sessions devoted to breaking security. This year's conference is dubbed the "Last HOPE" because the Hotel Pennsylvania is shutting down. Apparently there aren't any other suitable venues in the whole of Manhattan for dozens of computer whizzes with a penchant for mischief, such as jamming cell phone signals and locking elevator doors. The hotel was a cheap gig for the conference organizers and willing to put up with these high-tech shenanigans.
Turns out, hackers (they don't like to be called "hackers" because it's a cliché and implies they're breaking the law, even though much of what they do is perfectly legal) have lots of questions about how the law applies to their work. This is particularly true when it comes to "botnets," legions of computers that have been turned into obedient zombies and are used by criminals to attack other computers.
Here's how it works: A hacker creates a bot by sending a virus, worm or other so-called "malware" over a network (often through e-mail) and installing it on unsuspecting computers. Once on a computer, the malware allows the hacker to take remote control of the computer, turning that machine into a zombie or robot (hence the name "bot) that can be manipulated into sending spam or large volumes of data to servers run by businesses, schools or other organizations, effectively clogging these servers and often rendering them useless for some period of time.
Some hackers amass large numbers of bots--called botnets--that they can then use to attack other computers, or the hackers can rent their botnets to other criminals. If this sounds farfetched, it's not. Owen Thor Walker, a teen who pleaded guilty earlier this year to six charges of accessing computers for dishonest purposes and without authorization, damaging computer systems, and possession of software for the purposes of committing a computer crime, narrowly avoided going to jail by offering to help police catch other cyber criminals, the Tech Herald reported Thursday.
Even government computers have fallen victim to botnets. In January 2006, Jeanson James Ancheta (20 years old at the time) pleaded guilty to a botnet attack on, among others, the Defense Department and was sentenced to 57 months in prison. Ancheta agreed to pay roughly $15,000 in restitution to the Weapons Division of the United States Naval Air Warfare Center in China Lake, Calif., and the Defense Information Systems Agency, whose national defense networks were intentionally damaged by Ancheta's malicious software.
The botnet threat has created a demand among computer programmers working for businesses, school and government agencies to mount defenses against them.
Of course, a proper defense requires an in-depth study of live botnet armies. So, how do law-abiding programmers find and study botnets without landing themselves behind bars (turns out, it's illegal to intercept and read data traveling across a network without permission)?
If a programmer finds himself or herself mistakenly intercepting legitimate network traffic (such as an online purchase that includes credit card information), they could have some explaining to do, Alexander Muentz, a Philadelphia attorney, cautioned attendees Friday during a session entitled, "Botnet Research, Mitigation and the Law." He added, "Just because you can (intercept and read information) doesn't make it legal."
Muentz warned those attending his presentation to be careful when defending against botnet attacks and discouraged attendees from "the macho response," if they find that their systems have been attacked by a botnet. "The counterattack defense, where you build your own white-hat, botnet army and take it to your attacker, isn't likely to work in court (if you're caught)," he said. On the bright side, if a legit programmer does succeed in attacking his or her attacker, it's unlikely that attacker will go to the police.
Last HOPE runs through July 20 and includes sessions that showcase skills such as lock picking, safecracking and escaping handcuffs. Speakers include Kevin Mitnick, a security consultant who spent five years in prison for computer-related crimes (although not hacking), and Jello Biafra, the former lead singer of the Dead Kennedys. Other activities include a laptop version of the game "capture the flag" and Segway racing.