I just read Winn Schwartau's article, "Striking back: Corporate vigilantes go on the offensive to hunt down hackers" (NW, Jan. 11, page 1).
I met up with Winn at Comdex in November, and he told me he was working on the story. He explained the background and I was intrigued - the idea that companies would launch counterattacks against hackers is powerful. I envisioned network administrators launching digital counteroffensives and unleashing barrages of virtual artillery. Of course, I was being naive because I thought the response would be a purely digital salvo.
With Winn was the pseudonymous "Lou Cipher," whose vigilante efforts were detailed in Winn's story. Cipher is a security honcho working for a large financial institution.
Cipher proceeded to discuss, quite candidly and enthusiastically, the various vigilante actions he and his henchmen had undertaken. I heard all about how they had broken into houses and removed the hacker's PCs and how they had to "discipline" more persistent recidivists with baseball bats (he emphasized that bat-smashing wasn't a frequent event).
[Other than "Cipher's" claims, no one has verified any such event took place. In fact, if "Cipher" is even halfway intelligent, the stories are definitely fiction. Else, bragging about multiple felonies committed in several states would not be the best thing for his career, or the company he works for.]
Cipher appalled me for several reasons. To start, he relished his vigilantism. He recounted his stories of theft, threats and grievous bodily harm with the self-righteous satisfaction of someone who has few scruples and sees himself as a tough guy.
But it was his belief in the correctness of his actions and his assumed moral authority to do so that really irritated me. I asked him if he had ever made a mistake. Had he ever broken into a house looking for some 15-year-old hacker's PC and been in the wrong house? Well, of course, he hadn't committed the burglaries personally, and he assured me that he and his henchman hadn't made mistakes . . . as far as he knew.
[On the off chance that "Cipher" is being honest, he and his team make incredible assumptions that law enforcement cannot. Even if they get an IP address, he cannot be sure of who was sitting at the keyboard, let alone if someone was using a compromised PC to bounce through.]
What Cipher commissioned, and apparently plans to go on commissioning, amounts to first-degree burglary, and there's nothing romantic or even rational about theft as a response to hackers.
[Uh, Mr. Journalist.. burglary is the least of his concerns if he is being honest. Aggrevated assault with a bat is a bit more severe.]
I told the story (except the name of the guilty) to Russ Hayes of the Ventura County District Attorney's Office, and he thought Cipher was full of it. But Network World checked Cipher's bona fides, and he seems all too real.
[How do you check his "bona fides" for burglary and assault? Did you verify police reports of breakins or assults in a specific area, that matches his claims? I'm guessing no. Sure, he works at a bank, sure he is a loud mouth windbag, that is easy to verify.]
According to Hayes, first-degree burglary carries up to a six-year prison sentence. Hayes also pointed out that even though Cipher might not have actually done the job, "He would be as guilty as the thief," as would whoever in the company sanctioned such work. Add to that a charge of conspiracy, and we're talking serious time in the big house. As for correcting people's attitude with a baseball bat, I think we're looking a life sentence straight in the eye.
According to an informal survey Winn conducted, 23% of the respondents thought a physical response to a hacker attack was appropriate, while 54% thought a physical response was sometimes justified.
I'm shocked. That means that 77% thought physical responses were a reasonable course of action.
Let's see if Winn's results are accurate. Network World is running a poll to find out your feelings on the subject of electronically vigilantism.
I don't have a problem with electronically defending yourself and even mounting a virtual counterattack. But when the activities extend into the real world, things are going too far. If your company is considering a physical response, remember that even if the police don't know much about cybercrime, they know more than enough about real world crime to throw your butts in jail.
No baseball bats to nwcolumn[at]gibbs.com or (800) 622-1108, Ext. 7504.