November 14, 2023 at 08:09AM
Chris Wysopal, founder and CTO of Veracode, discusses his background as a hacker and the ethical hacker’s role in cybersecurity. He explains that hackers have a curiosity to understand how systems work and can uncover unintended consequences. Wysopal also discusses the dual-use dilemma of hacking tools like L0phtCrack and the difficulty the law has in distinguishing authorized from unauthorized activity. The article highlights the importance of responsible disclosure and the need for a clearer legal framework for ethical hacking.
Chris Wysopal, also known as Weld Pond, is the founder and CTO of Veracode, a company that focuses on developing secure code. He was also a member of the hacker collective L0pht Heavy Industries. Wysopal describes himself as a hacker who wants to understand how systems work and explore how they can be manipulated. He believes that hacking is about exploring technology and uncovering its functions and possibilities.
Wysopal distinguishes between ethical hackers (whitehats) and malicious hackers (blackhats). Ethical hackers want to help vendors prevent misuse, while malicious hackers exploit unintended consequences for personal gain. However, the line between the two can sometimes be blurred, and some hackers may switch between the two positions during their careers.
Wysopal explains that despite L0pht’s 1998 Senate testimony, which exposed a flaw in the Border Gateway Protocol (BGP) and highlighted the need for government involvement in cybersecurity, the problems L0pht pointed out have only worsened in recent years. The rise of greyhats, hackers who straddle the line between whitehat and blackhat, has coincided with improved vulnerability patching by vendors.
One example of a dual-use hacking tool developed by L0pht is L0phtCrack, a password auditing tool that could be used by both sysadmins and malicious attackers. The purpose of releasing this tool was to persuade Microsoft to improve its password system. However, Microsoft did not respond to the vulnerability report or the proof of concept, and it took five years before they made any changes.
Wysopal discusses the concept of whitehats, greyhats, and the law. He believes that current laws, such as the Computer Fraud and Abuse Act (CFAA), are vague and do not clearly define what is and is not allowed in terms of computer authorization. He cites the case of Andrew Auernheimer, who was arrested and prosecuted under the CFAA for exploiting a flaw in AT&T’s website. While Auernheimer’s conviction was eventually overturned, the case highlights the ambiguity of the law and its potential chilling effect on vulnerability research.
Wysopal argues that good faith security research should be allowed, and the CFAA should be changed to accommodate it. He believes that the law’s current subjective interpretation by prosecutors outside of the court system continues to have a chilling effect on ethical hacking and vulnerability research.