Still, the criminal aspect of hacking is pervasive--and profitable. "Some security companies are paying for vulnerability information, the spamming industry is paying for zero-day exploits, upwards of $5,000, and there are elements of organized crime looking for expertise," says Mark Loveless, senior security analyst at security vendor BindView Corp. Zero-day exploits are software tools or applications that take advantage of undisclosed, unpatched software vulnerabilities. The term refers to the worst-case scenario: a worm or other attack that strikes a vulnerability no one knew about and for which no one could prepare a patch. "Hackers are attacking hackers and raiding other hackers' zero-day libraries," he says.
Loveless, also known as Simple Nomad, is founder of a hacker lab called Nomad Mobile Research Centre, which provides a way for interested parties to anonymously discuss and share information about computer-security issues "without fear of personal retribution from others." The lab seeks to protect hackers from legal action from software vendors whose code they've reverse-engineered or from government agencies.
Loveless argues that laws such as the Digital Millennium Copyright Act and the USA Patriot Act, combined with the new push to criminalize what he calls "security research," will push even more of this activity underground. The DMCA prohibits any hardware or software that can circumvent copy-protection schemes for digital media such as music, movies, and E-books. Hackers fear that vendors will use these and other laws to prevent them from conducting security research and publicizing the flaws they discover.
"The underground is doing just that, going completely underground," Loveless says. "A lot of things we used to do for research--research that was once questionable--can now be considered a criminal act."
As a result, information about software vulnerabilities and hacking techniques that was once shared in a somewhat open fashion on Web sites, in E-mail mailing lists, and in newsletters and magazines is increasingly being shared among smaller invitation-only groups and through encrypted mailing lists or networks. "The underground is the stuff you don't hear about in the press. It's conversations in encrypted channels about security, security tools, exploits, and vulnerabilities," Simple Nomad says. "The underground is about helping each other out to develop a tool without considering what use the tool might be used for. There's a purity to that, which I find refreshing. It's about pure information."