Discover a security flaw? Get a lawyer

Some companies have a funny way of thanking computer programmers who find and inform them about security flaws in their software--they sue them.

A manufacturer of computerized gambling equipment, WMS Gaming, of Chicago, earlier this year sued Edmonton, Alberta, software consultant Zues Yaghi for $10 million after he showed the company and Canadian authorities a "back door" he'd discovered in the company's casino slot machines.

In a case that was reported in Canada, but mostly ignored elsewhere, Yaghi went to officials of the Alberta Gaming and Liquor Commission, who videotaped the consultant winning hundreds of dollars, according to The Edmonton Journal. He turned all the money over to the officials on the spot.

Both Yaghi and the manufacturing company say the software error in the machines allowed millions of dollars of fraudulent gains. At least two people other than Yaghi took advantage of the bug at casinos in the United States and Canada before the software was fixed, the company says.

Yaghi may have erred when he proposed to the company that they hire him as a consultant to find and repair such flaws for a fee of $250,000. The company offered $50,000 instead, which Yaghi declined.

The company then obtained an order from a Canadian court to seize computers from Yaghi's home, persuaded the gaming commission to ban him from Alberta casinos, and filed the $10 million lawsuit.

In response, Yaghi is suing WMS Gaming for $1 million and the gaming commission for $3 million.

All these events began in winter 2000, but the story only recently came to light. Canadian Judge Andrea Moen originally sealed the court documents to prevent information about the manufacturer's flaw from spreading. The documents were opened to scrutiny in late June, after which the Canadian press disclosed the case.

Although this unfortunate example revolves around computerized gambling, it illustrates a growing trend of so-called gray-hat hackers in all kinds of e-commerce.

As opposed to white-hat hackers, who work to improve security, and black-hat hackers, or "crackers," who steal goods or credit card information from corporate computers, gray-hat hackers ask companies to hire them to fix security flaws they've found.

In some cases, gray-hat hacking swerves from openly disclosing problems (as Yaghi did by promptly going to the company and authorities) into outright extortion.

FBI agents on Aug. 22 arrested a man in Tarpon Springs, Fla., after he allegedly used public library email terminals to demand $1 million from Boston-based Parametric Technology, according to the St. Petersburg Times.

Parametric received emails from a person threatening to reveal how consumers could "unlock" the company's sophisticated $100,000 engineering CDs without paying, FBI documents say.

In other cases, e-commerce companies are more than happy to pay big sums to gray-hat hackers who find and report weaknesses in their defenses.

A maker of computer products in China, the Hisense Group, last month offered a reward of more than $60,000 to anyone who could break into a server protected by one of its security devices, according to Computerworld.

Law enforcement officials tend to take a hard line on all forms of hacking. They say a person who tests a company's defenses is like a burglar who tries all the doorknobs in a neighborhood until he finds one that's unlocked.

By contrast, Jennifer Granick, a San Francisco attorney who specializes in defending accused crackers such as Kevin Poulsen, says white- and gray-hat hackers aren't burglars and perform a valuable service.

But she cautioned that companies may not be as sympathetic. "That's a fine line for people to walk, because the legal definition of extortion is extremely broad."

Considering today's shifting legal standards, if you happen to discover an e-commerce security flaw, you may want to follow three rules:

• Don't demand a million dollars.

• Don't send emails that say "or else."

• Have a good lawyer negotiate the contract.

Consumer advocate Brian Livingston appears at CNET News.com every Friday. Do you know of a problem affecting consumers? Send info to tips@BrianLivingston.com. He'll send you a book of high-tech secrets free if you're the first to submit a tip he prints.