Some recently proposed legislation could open up computer networks to vigilante-style justice.
There’s never been a better time to be a hacker. Twice last week, Bush administration officials reached out to the hacker community, asking attendees at two different Las Vegas conferences to be responsible citizens and report any vulnerabilities they discover to both software makers and the government. Bush’s computer security adviser, Richard Clarke, even suggested possible legal protections for hackers who act in good faith rather than trying to exploit vulnerable networks out of sheer malice. (Considering that the Department of Justice recently reported 400 laptops missing and unaccounted for, he might also have asked hackers to keep an eye out for laptops with FBI logos.)
But government work isn’t the only option open to hackers these days. If a bill recently introduced by U.S. Rep. Howard Berman passes, hackers will be able to find plenty of gainful and glamorous employment in the movie and music industries. That’s because the California Democrat’s bill would give copyright holders legal immunity for hacking peer-to-peer file-trading networks that infringe on their copyrights. It’s akin to saying that since entertainment companies have been wronged, they should now be free to put together a posse and exact a little technological revenge.
Understandably, the bill is a little unsettling to people who run corporate IT departments, even those who operate legitimate, secure corporate networks. Why? Berman’s bill is so broad that it could lead to a rash of hacking activity. If passed, it would allow copyright holders to go after perceived infringements through almost any means necessary, as long as they don’t actually delete or modify files on someone’s PC. “Spoofing” P2P networks with bogus files? No problem. Posting deliberately malicious code on a P2P network? Green light. Denial-of-service attacks? Go ahead — even if it brings down the whole network, causing problems for legal and illegal users alike.
Given the broad scope of copyright law, everyone holds some kind of copyright. Even your personal e-mails are copyrighted implicitly, as soon as you put fingers to keyboard. So all of the above attacks would be open not only to record and movie companies but also to lunatic fringe religious groups, disgruntled former employees, and terrorists.
And even if you think your corporate network is free of P2P file-trading, you may be mistaken. Some file-sharing tools, like LimeWire and Kazaa, can work through firewalls. Your employees may be trading files without your even knowing it. So that guy in your payroll department who’s been trafficking in Britney Spears videos on the Q.T. could trigger a denial-of-service attack, causing a crippling amount of traffic on your company’s Internet connection and bringing e-business as usual to a grinding halt.
It’s one thing to encourage hackers to be responsible about computer vulnerabilities they’ve discovered. But giving them carte blanche to hack into P2P networks, under the guise of protecting intellectual property, seems a bit over the top. The people who own copyrights on digital entertainment are understandably worried about online piracy, but that doesn’t justify turning the Internet into a Wild West of vigilante vengeance.
What can you do? First, network management software (such as HP OpenView, IBM’s Tivoli, or Computer Associates Unicenter) can tell you whether employees are using your network for file-trading. Let employees know what your company’s policies are for acceptable use of the network. If file-trading presents a problem, or you’re worried about its potential security impact, shut it down. If your current network security system doesn’t let you throttle back or cut off P2P network traffic altogether, it’s time to upgrade.
Also, an intrusion-detection system such as Cisco IDS, Internet Security Systems RealSecure, or Enterasys DragonIDS — all of which alert network administrators to security threats — can help protect against denial-of-service attacks and also help you diagnose problems and find fixes after such an attack happens. If you’ve been attacked or are concerned about DOS attacks, you need intrusion detection on top of your firewall or other existing network security device.
Finally, Berman’s bill isn’t the law — yet. Let your congressional representatives know what you think about it, while there’s still time to make a difference. The Electronic Frontier Foundation has more information about the bill and a form letter you can send to your representative.
Link broken? Try the Wayback Machine.