How harmless is Herbless?

by Dave Evans

02 Oct 2000

Los Angeles has seen more than its fair share of heroes over the years, mostly the product of Hollywood celluloid who sport everything from Stetsons to space suits.

But this time last week, the town was the unlikely setting for a corporate conference addressed by none other than Kevin Mitnick, a legendary - if not infamous - hacker.

What's more, the 37-year-old, who has only just been released after a five-year stint in prison, was at the Giga Information Group's ebusiness conference to deliver a keynote address. He explained how, before the Feds caught up with him, he had managed to penetrate the supposedly secure networks of multinationals such as Motorola and Sun Microsystems, gliding in and out like a ghost through walls.

His motivation? Ostensibly to understand how corporate IT networks were bolted together, but his words belied a different goal. "Back then it was the cool thing to do. I enjoyed the thrill, the challenge that it gave me - but I feel I have grown out of that now."

But Mitnick wasn't the only one to publicly renounce hacking last week. Several thousand miles away on this side of the pond, Herbless, another notorious practitioner, revealed how he too was quitting the scene "for reasons that may or may not become apparent".

Herbless's valedictory email, sent to vnunet.com, was the culmination of a mass hacking spree across the UK. He is believed to be responsible for breaking into more than 450 corporate sites over a period of several months.

Unlike Mitnick, Herbless has not yet been caught. But among his victims were the websites of equally well known corporates, including the mighty Hong Kong Shanghai Bank where he posted a spoof address from Tony Blair, complete with speech bubble, in which the UK Prime Minister ostensibly gives his support to the hacker's actions.

One-man crusade
The infiltrations were otherwise little more than that - no data was stolen or tampered with, no funds were embezzled. Instead, his visits were more cuckoo-like in nature - he merely used other people's sites to nest his own particular rants on everything from smoking to the price of petrol.

The attacks also tended to follow the same pattern, exploiting a weakness in Microsoft's SQL Server database. This meant that if website administrators had not changed the default password, Herbless could get in.

In a move that could be construed as chivalrous or otherwise, Herbless also left instructions behind telling administrators how they could rectify his defacements. All of which might paint a portrait of someone who, though clearly a nuisance, was not malicious.

So why bother hacking into the sites in the first place? Arguably, he could have achieved as much by writing to newspaper letter columns or addressing the debating masses at Speakers' Corner.

Ironically, part of the answer may be found in the hills of Los Angeles. In another anonymous email to a national newspaper, Herbless distanced himself from the illegal, mercenary or desperately self-promotional aspects of hacking.

"I don't seem to fit into the typical Hollywood-inspired hacker image. I don't wear black clothes, roller blade or have long hair. But I do have piercings and a tattoo - so I suppose that makes up for my lack of standard issue hacker gear."

Hero or non-conformist anti-hero? Hollywood could get at least one blockbuster and several sequels out of that.

But Alistair Kelman, one of the UK's best known IT lawyers, who defended, among others, Robert Schifreen and Steve Gold after they notoriously hacked into Prince Philip's Prestel mailbox in 1984, believes that most hackers tend to be socially isolated, if not complete loners.

"The computer becomes their best friend," he contended. "But it's also a device which, in their minds, can help them seem attractive to others even if it's only to fellow hackers."

Over at City law firm Theodore Goddard, web expert David Engel points to a recent BBC2 documentary which indicated a correlation between addiction to the internet and suicide.

"The internet also seems to attract an abnormally high proportion of people who like the sound of their own voice," he explained. "It's a medium that, after all, does allow them to broadcast to the whole world. Hacking into secure systems provides an extra thrill - it can be dangerous, a bit like riding on the top of tube trains."

But while Herbless and his ilk might insist that they hack merely to publicise their usually political grievances, and otherwise do little damage, many disagree. In particular, the posting of defamatory material could leave website administrators unwittingly open to libel actions.

See you in court
Engel cites the recent High Court case in which Mr Justice Eady awarded more than £15,000 in damages - plus an estimated £480,000 in legal costs - to physicist Dr Laurence Godfrey, who sued Demon Internet over material posted on one of its discussion forums.

The internet service provider had tried to argue that it was not responsible for content posted by its users, nor had it ever suggested that there was any truth in the remarks. But the fact that it had not taken sufficient steps to remove the content, despite several complaints by the physicist, proved to be its downfall.

Engel argues similarly that website administrators who, either through ignorance or ineptitude, allow defamatory statements to be posted by hackers, can equally be held responsible.

But, he says, there is still a defence under Section 1 of the Defamation Act, which hinges on three key points: that website staff did not write the material in question; that administrators had taken reasonable care to safeguard the site from such postings; and that nothing they did contributed to the publication.

"Quite what constitutes 'reasonable care' by website publishers hasn't been decided. If it could be demonstrated that the site's security was too lax, and this is what allowed the hacker to post libellous statements, then the courts could rule in the plaintiff's favour," Engel admitted.

This could mean that, in future, courts will rule that failure to protect website or network passwords constitutes negligence.

The weak link
But as Mitnick told the Los Angeles conference last week, his hacking successes were based as much on duping staff into divulging confidential information - or "social engineering" as he called it - as on breaking down the technology.

"People are the weakest link," he revealed. "Companies should focus more on educating them about security."

Only time will tell whether Herbless has truly renounced his ways. Mitnick, who otherwise faces the threat of a further spell in prison, has promised to stay on the straight and narrow, although cynics might argue that lucrative tours on the keynote circuit provide him with all the incentive he needs.

Others, like Paul Rogers, a network security analyst at MIS Corporate Defence Solutions, believe that Herbless's sudden exit was prompted by things getting too hot following police involvement.

After all, the purported authors of both the Melissa and Love Bug viruses were tracked down because they failed to realise that the Windows operating system generates a globally unique identifier for every computer. This is based on the ID number in the machine's network adaptor card.
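The identifier described above is a time-based (version 1) GUID, whose node field is normally the network adapter's hardware (MAC) address. The following decoder is an added example, not code from the article; it shows how a forensic analyst reads the timestamp and node out of such a GUID and how to tell a real adapter address from a randomly generated one. The sample GUID is constructed for illustration.

```python
"""Decode a version-1 (time-based) GUID into its timestamp and node fields.

Per RFC 4122 a version-1 UUID carries a 60-bit timestamp and a 48-bit node
field that is normally the host's network adapter hardware (MAC) address,
which is why such identifiers can tie an artefact to a specific machine.
"""
from datetime import datetime, timedelta, timezone

GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

# Constructed sample: version 1, RFC 4122 variant, made-up node value.
SAMPLE_GUID = "2f1b7c10-9a5e-11d4-8c3a-00a0c9123456"


def decode_v1_guid(text: str) -> dict:
    """Return the fields of a version-1 GUID; raise ValueError otherwise."""
    cleaned = text.strip().replace("-", "").replace("{", "").replace("}", "")
    raw = bytes.fromhex(cleaned)
    if len(raw) != 16:
        raise ValueError("GUID must be 16 bytes")
    time_low = int.from_bytes(raw[0:4], "big")
    time_mid = int.from_bytes(raw[4:6], "big")
    time_hi_version = int.from_bytes(raw[6:8], "big")
    version = time_hi_version >> 12
    if version != 1:
        raise ValueError(f"not a time-based GUID (version {version})")
    if raw[8] >> 6 != 0b10:
        raise ValueError("not an RFC 4122 variant GUID")
    clock_seq = ((raw[8] & 0x3F) << 8) | raw[9]
    node = raw[10:16]
    # 60-bit count of 100 ns intervals since 1582-10-15 (RFC 4122 s. 4.1.4).
    ticks = ((time_hi_version & 0x0FFF) << 48) | (time_mid << 32) | time_low
    created = GREGORIAN_EPOCH + timedelta(microseconds=ticks // 10)
    # RFC 4122 s. 4.5: a randomly generated node sets the multicast bit,
    # so a clear bit means the field is most likely a real adapter address.
    node_is_random = bool(node[0] & 0x01)
    return {
        "created_utc": created,
        "clock_seq": clock_seq,
        "node_mac": ":".join(f"{b:02x}" for b in node),
        "node_is_random": node_is_random,
    }


if __name__ == "__main__":
    for key, value in decode_v1_guid(SAMPLE_GUID).items():
        print(f"{key}: {value}")
```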

And Herbless could well have left his cyber dabs behind in the same way during his hacking sprees.

Rogers, who has seen some of the communications that Herbless sent to others, admits that finding out his true identity wouldn't be "rocket science", although whether the specialist teams at Scotland Yard's computer crimes unit would be able to do so is another matter, he said.

He also suggests that the word on the grapevine is that Herbless is a "normal guy, who's had a couple of years in IT, but is currently unemployed".

"Having time on his hands is what allowed him to make so many attacks. He just did it for the thrill," he said.

So will Herbless be back? "Perhaps, but not necessarily using that name again," predicted Rogers cryptically. Watch this cyberspace, as they say.
