Claiming a dedication to telling software buyers the unvarnished truth, the L0pht crew published free security warnings on its Web site and in e-mail newsletters. Those warnings often were accompanied by programs to help people test whether their computers were vulnerable to attack.
In Wysopal's view, hacker etiquette didn't require him to give software makers advance warning before publishing his discoveries -- even though his reports could aid the unscrupulous. Without the threat of public exposure and the fear that malicious hackers would use the newfound information, he figured, software makers wouldn't have incentive to make fixes in a timely manner.
"They dealt with security like a feature request -- they would get around to it in the next version," Wysopal said.
The shaming tactics started working, so well that by 1999, Wysopal was forced to reconsider what constituted appropriate hacker behavior.
After the L0pht publicized a problem with a piece of Microsoft Corp. software for server computers, the company responded that it would have been happy to fix the mistake if only it had been given the chance. Instead, Microsoft had to race to develop a fix and get it to customers in time to head off an assault.
End to Free-for-All
Wysopal, along with a great number of his fellow hackers, realized the days of the free-for-all should end. It was no longer morally defensible to tell malicious teens how to hurt firms and their customers before they had the tools to defend themselves. Now he works with software makers to develop patches before blowing the whistle.
"It isn't as much fun," said Wysopal, who helped the L0pht morph into a computer security company called @stake Inc. "But if we publish right away, we are really arming the bad guys."
For other hackers, proper etiquette is dictated by the pursuit of money.
The most direct angle is simply to tell the software company there's a bug, then request a fee to explain it.
"If I come up with a vulnerability and I inform the source that I've discovered it, but I say, 'Would you mind paying me $5,000 to help you close it?' from my perspective that's a very reasonable request," said Bob Weiss, president of Password Crackers Inc. in North Potomac, Md., which helps companies recover information hidden on their machines.
But what looks like a reasonable request to a hacker is often perceived as extortion by the company being asked to shell out. That's how one California software firm reacted after it heard from a hacker who had found a hole in its Web-messaging system and offered to explain it -- for $10,000.
"The company got pretty mad," said Jennifer Granick, a cyber law specialist at Stanford University who represented the hacker in 2000. "It's very difficult for some cocky 18-year-old kid to approach a company without it feeling threatened." After Granick smoothed things over, the company agreed not to press charges.
There's also the loss-leader approach. After identifying a problem and explaining it, many hackers offer to look for additional glitches in exchange for a consulting fee.
Even that strategy backfired on a Boxboro, Mass., security group called SnoSoft. In 2002, SnoSoft researchers found a hole in a version of the Unix operating system made by Hewlett-Packard Co. The hackers told HP they would explain it for free, but they also asked to be paid for additional work.
"We made it clear we wouldn't charge [for the initial bug], because that would be extortion," SnoSoft co-founder Adriel Desautels said.
HP declined to offer SnoSoft a contract. Instead, the company threatened to sue under the Digital Millennium Copyright Act of 1998, which prohibits some attempts to tinker with programs to see how they work.
To computer security experts -- including some inside HP -- that threat amounted to a gross violation of etiquette on the part of HP. The company backed down and recently said it would never use the digital copyright law to stifle research. The Palo Alto computing giant declined to discuss the SnoSoft case.
For a few hackers, there is only one principle that matters: Do as much damage as possible.
That may have been the goal of a group of Chinese hackers who reverse-engineered a patch designed to fix a devastating hole in most versions of Microsoft's Windows operating system for PCs and servers. Within days, the hackers published a program to seize control of unsuspecting computers, which was used by others in the Blaster worm attack this summer.
Counterattacks Increase
With malevolent programs on the rise, large software companies are trying to get a handle on the problem. A consortium of software giants including Microsoft and Oracle has joined with security firms such as Symantec Corp. to formalize the etiquette of hacking so that software makers have time to patch holes before they are disclosed to the world at large.
