White-Hat Whining
With this vigor for prosecuting cybercriminals, the white-hat defense rings hollow. Take the case of McCarty, a San Diego resident with Cisco and Microsoft certifications and a self-proclaimed security researcher. McCarty admitted to the FBI last June that he discovered security flaws in a USC Web application connected to a database containing Social Security numbers, birth dates, and other information on more than 275,000 university applicants. McCarty launched what's known as a SQL Injection attack by entering commands into the app's login screen that gave him access to personal records without the use of a valid user name and password.

Although McCarty didn't damage USC's systems, and there haven't been any reports of identity theft or other crimes related to the breach, prosecutors may try to prove the attack was malicious: McCarty had been denied admission to the university. According to FBI documents, an E-mail recovered from one of McCarty's computers reads, "All they had to do was admit me into their school ... but nooooooooooooo ... they had to make it all complicated."

McCarty's defense isn't without precedent. Late last year, Daniel Cuthbert, a former employee of ABN Amro, was fined about $700 and ordered to pay more than $1,000 in court costs after he was convicted under England's 1990 Computer Misuse Act of gaining unauthorized access to a Web site that was collecting donations for victims of the 2004 tsunami in Southeast Asia. Cuthbert claimed that he conducted two tests to check the site's security after he suspected his donation had gone to a phishing site rather than the charity. But his case was a year ago in a U.K. court, and patience is wearing thin with such excuses.

There are still pockets of sympathy for people who poke holes in Internet systems. "McCarty was trying to prove a point," says Rick Fleming, VP of security and risk management consulting for Digital Defense, which offers security-testing services. "Part of me commends him for saying, 'Hello, wake up.' But he crossed an ethical boundary because he didn't have permission to test that system, and he broke the law."

Who's Watching The Web Apps?
If the court comes down hard on McCarty, it will discourage others from scouting the Web for vulnerabilities. Some say that's a bad thing. More and more computer applications run as Web apps in someone else's IT environment--think Google E-mail or Salesforce .com. Shouldn't they face the same scrutiny that Microsoft does? "I can buy a Windows license and rip [the software] apart to my heart's content and not break any laws," says Jeremiah Grossman, a founder and CTO with Web application security provider WhiteHat Security. Most security researchers follow guidelines published in an online document known as RFPolicies for communicating with software developers when they find bugs. But the 5-year-old guidelines don't address Web-based apps.

There needs to be a third-party registration agency that so-called penetration testers could contact before testing a Web site to demonstrate their intent isn't malicious, suggests Keith Levkoff, an analyst with technology consulting firm Edison Group.

Strict adherence to the letter of the law without taking good intentions into account could hurt Web security. "I don't think you should get in trouble for noticing the facts of the world around you and pointing out what's insecure," says Jennifer Granick, executive director of Stanford Law School's Center for Internet & Society Cyberlaw Clinic. McCarty's fate could determine a lot about what the stakes are for anyone trespassing on another's network--whether that person is a "penetration tester" or unambiguous crook.

They had better be prepared for the worst, because the feds are promising to beef up their online ranks. The Justice Department has a team of 40 prosecutors specializing in coordinating computer crime and intellectual property violation investigations across states and countries. It also trains prosecutors in each of the 94 U.S. attorneys' offices to deal with such cases. The FBI says it has a cyberspecialist in each of its 56 field offices, some with "cybersquads." The Secret Service, whose agents investigate financial crime such as counterfeiting, also have people who specialize in electronic crimes.

Judges and prosecutors have shown they aren't shy about going hard on cybercriminals. In this environment, the concept of a white-hatted, good-guy hacker could ride into the sunset.

Handcuff photo courtesy of White Packert/Ionica