Article

Passing the conference 'sniff' test

Anne Saita

BALTIMORE -- At last year's USENIX Security Symposium, Marcus Ranum was minding his own business -- checking his e-mail, updating his Web site, etc. -- when another conference attendee sent him an e-mail. In the text: Ranum's password. Ranum, known for his work in intrusion detection, later angrily confronted the sender at the conference about invading his privacy. Bill Cheswick, a well-known security expert who sent the offensive message, later chalked up his actions as just "a friendly nudge."

Cheswick then refrained from any more password-sniffing at the request of USENIX organizers. But on Thursday,

    Requires Free Membership to View

Sound Off!

Let us know whether you think using hacking tools to sniff attendee's traffic for insecure practices serves a useful purpose or should be prohibited. Click the Sound Off button at the top of this story.

a year after the incident, the chief scientist for Somerset, N.J.-based network security provider Lumeta Inc. defended the use of wired and wireless sniffers to catch passwords and other sensitive data transmitted through cleartext protocols.

"I've tried to act as ethically as I know how with a variety of experiments on the Internet," he told this year's USENIX Security Symposium audience in Baltimore. He said such acts help him gain statistical information, such as how many people still use inherently insecure FTP or Telnet to transmit data. "And I think that's a valid thing to report," he said.

Cheswick also admits his findings demonstrate an individual's or enterprise's need for stronger password policies. "One could argue I performed a valuable public service for them," he said. Others rationalize their eavesdropping as education -- by posting the passwords they teach humiliated victims a lesson and ultimately help better protect networks.

But others say such practices, though commonplace at security conferences, are illegal and ethically wrong, and should be discouraged by organizers or made consensual through signed waivers during conference signup. "From a legal standpoint, you're smack in Gray Area Land, and when in Gray Area Land it's best to avoid it," said Paul Ohm, a prosecutor with the Department of Justice's Computer Crime and Intellectual Property section.

Password sniffing is prohibited under federal wiretap laws and carries a prison penalty for those convicted, as well as a minimum

Is it ethical?

The high road to professional prosperity
An ethicist says the answer to IT security job dilemmas may be solved simply by following basic principles we learned in grade school.

$10,000 in civil damages for victims. However, despite the high stakes, "you're not likely to see someone hauled away in handcuffs from one of these conferences," Ohm said.

But there are conferences, such as those sponsored by The SANS Institute, that eject attendees found to be using hacking tools illegally or improperly, including to listen to another's network traffic. By contrast, several well-known hacker conventions encourage such behavior.

Abe Singer, a security researcher at the San Diego Supercomputer Center, is not a fan of the "wall of shame" employed at conferences like last month's DefCon in Las Vegas. During the conferences, attendees post passwords collected using network sniffers. Humiliation is used as a tool for change [and sport]. But it could backfire, Singer said. "We need to encourage them to learn and do better, not turn them off."

One way to make sniffing permissible for research or education is to get each guest to sign a waiver. But that too has drawbacks. "I'm not sure I want to be at a place that requires you to sign away your privacy," Singer said.

Attorney Mike Scher, who works for security integrator Nexum of Chicago, said the security community is at a crossroads when it comes to establishing social norms, either through gentle shaming or heavy-duty humiliation. But he, too, questioned the tactics. "Are we justified to do the same thing as the bad guys just because we're good security experts?"


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: