<h1 class="articleHeadline">Hackers
With Enigmatic Motives Vex Companies</h1>
<h6 class="byline">By <a href="http://topics.nytimes.com/top/reference/timestopics/people/b/nick_bilton/index.html?inline=nyt-per" title="More Articles by Nick Bilton" class="meta-per">NICK BILTON</a></h6><div class="articleBody">
<p>
The world of hackers can be roughly divided into three groups. “Black
hats” break into corporate computer systems for fun and profit, taking
credit card numbers and e-mail addresses to sell and trade with other
hackers, while the “white hats” help companies stop their disruptive
counterparts. </p>
</div>
<div class="articleInline runaroundLeft">
<div class="inlineImage module">
<div class="image">
<div class="icon enlargeThis"><a href="javascript:pop_me_up2('http://www.nytimes.com/imagepages/2010/07/26/business/security.html','security_html','width=720,height=564,scrollbars=yes,toolbars=no,resizable=yes')">Enlarge
This Image</a></div>
<a href="javascript:pop_me_up2('http://www.nytimes.com/imagepages/2010/07/26/business/security.html','security_html','width=720,height=564,scrollbars=yes,toolbars=no,resizable=yes')">
<img src="http://graphics8.nytimes.com/images/2010/07/26/business/security/security-articleInline.jpg" alt="" height="127" width="190">
</a>
</div>
<h6 class="credit">Stuart Isett for The New York Times</h6>
<p class="caption">Jeff Moss, who organizes conferences, says more
hackers are tempted to gain access to systems as the value of security
holes rises. </p>
</div>
</div>
<p>
But it is the third group, the “gray hats,” that are the most vexing for
companies. These hackers play it any number of ways, which can leave a
company vulnerable to lost assets as well as a tarnished reputation as
security breaches are exposed. (The terms are a nod to westerns, with
the villain wearing a black hat and the hero a white one.) </p><p>
These gray-hat hackers surreptitiously break into corporate computers to
find security weaknesses. They then choose whether to notify the
company and stay silent until the hole has been patched or embarrass the
company by exposing the problem. </p><p>
The debate among all of these groups over the best course of action has
never been settled and will be an undercurrent at the <a href="http://www.defcon.org/html/defcon-18/dc-18-index.html" title="The
conference site.">Def Con 18 hackers conference</a> starting Friday in
Las Vegas. </p><p>
For companies, the best strategy for finding software flaws is just as
unsettled. <a href="http://topics.nytimes.com/top/news/business/companies/facebook_inc/index.html?inline=nyt-org" title="More articles about Facebook." class="meta-org">Facebook</a>
encourages its employees to try to hack the company site. Some companies
encourage outsiders to break in. For example, Mint.com, a personal
finance Web site owned by Intuit, enlists hackers to test its security
once a quarter. </p><p>
Others just wish the hackers would simply go away, as <a href="http://topics.nytimes.com/top/news/business/companies/at_and_t/index.html?inline=nyt-org" title="More information about AT&T Corp" class="meta-org">AT&T</a>
did after a group discovered a loophole on the company’s Web site in
June that exposed 114,000 e-mail addresses and cellular identification
numbers for owners of the <a href="http://topics.nytimes.com/top/reference/timestopics/subjects/i/ipad/index.html?inline=nyt-classifier" title="More articles about iPad." class="meta-classifier">iPad</a> 3G.
</p><p>
“Some will say that the public is better off if we just tell everyone,”
said Dean Turner, director of <a href="http://topics.nytimes.com/top/news/business/companies/symantec_corporation/index.html?inline=nyt-org" title="More information about Symantec Corp" class="meta-org">Symantec</a>’s
antivirus security response teams. </p><p>
Some companies, he points out, prefer to turn hackers from the dark side
by fixing the problem and giving them public credit. Salesforce,
Facebook, PayPal and <a href="http://topics.nytimes.com/top/news/business/companies/microsoft_corporation/index.html?inline=nyt-org" title="More information about Microsoft Corp" class="meta-org">Microsoft</a>
have notices on their sites encouraging researchers to find flaws in
their systems. </p><p>
If the hackers adhere to a set of rules, the companies pledge not to
initiate legal action. And the companies promise to work with the
hackers to fix the problem and give them the appropriate credit for
finding the flaw. </p><p>
Mike Reavey, director of Microsoft’s Security Response Center, says
Microsoft wants the researchers to report flaws without fear of
repercussions. “We take security very seriously; our focus is to put
customer safety first,” Mr. Reavey said. “We realize we can’t do this
alone, which is why we want to partner with the research community.” </p><p>
Dino A. Dai Zovi, a prominent white hat computer security expert at
Trail of Bits, a New York security firm, said he liked to work with
companies. </p><p>
“If you find something new not only are you protecting people that use a
system, but there’s the excitement and thrill of finding something new
that no one else knows about,” Mr. Dai Zovi said. </p><p>
He is also motivated by the money available to the bug hunters, as they
are also known. In 2006 he won $10,000 at a major white hat competition
sponsored by Tipping Point, a security company, by breaking into an <a href="http://topics.nytimes.com/top/news/business/companies/apple_computer_inc/index.html?inline=nyt-org" title="More information about Apple Inc." class="meta-org">Apple</a>
laptop through a vulnerability in the Safari Web browser and video
player. <a href="http://topics.nytimes.com/top/reference/timestopics/organizations/m/mozilla_foundation/index.html?inline=nyt-org" title="More articles about the Mozilla Foundation" class="meta-org">Mozilla</a>,
the maker of the Firefox Web browser, and <a href="http://topics.nytimes.com/top/news/business/companies/google_inc/index.html?inline=nyt-org" title="More information about Google Inc" class="meta-org">Google</a>
both announced last week that they would begin paying for new bug
discoveries, too. </p><p>
Gray hats may bask in the recognition, but some can also seek to make
money from an exploit. One of the gray hats, a security researcher based
in Singapore who would not share his real name and goes by the online
pseudonym The Grugq, chooses not to tell companies about the bugs he
finds, he said via instant message. Telling Microsoft about a loophole
earns only a “gold star,” The Grugq said. </p><p>
Hackers can sell or trade the flaws they uncover in what is called the
bug market, until the company plugs the hole and renders it worthless.
“The people actively using the bugs get very upset when they die,” wrote
The Grugq. Some bugs can sell for as much as $75,000 online. </p><p>
Credit card numbers were once the main product traded. Jeff Moss, who
organizes conferences for hackers, says more gray hats are tempted to
gain access to systems as the value of security holes increases.
“There’s a vulnerability marketplace that has been steadily increasing,”
he said. “The cost of e-mail addresses is worth more money now than it
was 10 years ago, and there’s a big demand for fresh vulnerabilities and
information.” </p><p>
Some companies want to lead the gray-hat hackers toward the white-hat
camp. </p><p>
Other companies, including AT&T, are still wrestling with the
distinctions between security researchers trying to help and those gray
hats with murky motives. AT&T would not comment on its policy for
dealing with gray-hat hackers. </p><p>
Chris Paget, the co-founder and professed chief hacker of H4rdw4re, a
phone and hardware security company, said it seemed that AT&T was
attacking researchers instead of working with them. “I think there’s a
good case to be made that AT&T just isn’t used to dealing with this
kind of situation,” he said. “A lot of companies aren’t.” </p><p>
Mr. Moss, known online as The Dark Tangent, said the involvement of the <a href="http://topics.nytimes.com/top/reference/timestopics/organizations/f/federal_bureau_of_investigation/index.html?inline=nyt-org" title="More articles about the Federal Bureau of Investigation." class="meta-org">F.B.I.</a> in the iPad 3G case had given some
researchers reason to reconsider disclosing online holes. “It’s a wait
and see effect in the community right now,” Mr. Moss said. </p><p>
The threat of legal action is not the only reason hackers are taking
stock. “There’s a lot of money to be made in identify theft, credit card
numbers and e-mail lists,” Mr. Dai Zovi said. “White hats are sick of
giving away information; they want to be paid for the work now too.” <br></p><p><a href="http://www.nytimes.com/2010/07/26/technology/26security.html?hpw">http://www.nytimes.com/2010/07/26/technology/26security.html?hpw</a><br>
</p>