BALTIMORE -- At last year's USENIX Security Symposium, Marcus Ranum was minding his own business -- checking his e-mail, updating his Web site, etc. -- when another conference attendee sent him an e-mail. In the text: Ranum's password. Ranum, known for his work in intrusion detection, later angrily confronted the sender at the conference about invading his privacy. Bill Cheswick, a well-known security expert who sent the offensive message, later chalked up his actions as just "a friendly nudge."
Cheswick then refrained from any more password-sniffing at the request of USENIX organizers. But on Thursday,
"I've tried to act as ethically as I know how with a variety of experiments on the Internet," he told this year's USENIX Security Symposium audience in Baltimore. He said such acts help him gain statistical information, such as how many people still use inherently insecure FTP or Telnet to transmit data. "And I think that's a valid thing to report," he said.
Cheswick also admits his findings demonstrate an individual's or enterprise's need for stronger password policies. "One could argue I performed a valuable public service for them," he said. Others rationalize their eavesdropping as education -- by posting the passwords they teach humiliated victims a lesson and ultimately help better protect networks.
But others say such practices, though commonplace at security conferences, are illegal and ethically wrong, and should be discouraged by organizers or made consensual through signed waivers during conference signup. "From a legal standpoint, you're smack in Gray Area Land, and when in Gray Area Land it's best to avoid it," said Paul Ohm, a prosecutor with the Department of Justice's Computer Crime and Intellectual Property section.
Password sniffing is prohibited under federal wiretap laws and carries a prison penalty for those convicted, as well as a minimum
But there are conferences, such as those sponsored by The SANS Institute, that eject attendees found to be using hacking tools illegally or improperly, including to listen to another's network traffic. By contrast, several well-known hacker conventions encourage such behavior.
Abe Singer, a security researcher at the San Diego Supercomputer Center, is not a fan of the "wall of shame" employed at conferences like last month's DefCon in Las Vegas. During the conferences, attendees post passwords collected using network sniffers. Humiliation is used as a tool for change [and sport]. But it could backfire, Singer said. "We need to encourage them to learn and do better, not turn them off."
One way to make sniffing permissible for research or education is to get each guest to sign a waiver. But that too has drawbacks. "I'm not sure I want to be at a place that requires you to sign away your privacy," Singer said.
Attorney Mike Scher, who works for security integrator Nexum of Chicago, said the security community is at a crossroads when it comes to establishing social norms, either through gentle shaming or heavy-duty humiliation. But he, too, questioned the tactics. "Are we justified to do the same thing as the bad guys just because we're good security experts?"