LAS VEGAS – Hackers have liberated one of the Internet's most popular security websites from its corporate owners.
This time, however, it's perfectly legal.
A ragtag group of programmers, system administrators and newly unemployed security consultants said last weekend at the Defcon convention that they purchased the rights to Packet Storm from Securify for just $1.
During the peak of the Internet boom in mid-1999, when attracting hordes of visitors to your website was more important than making money, the information security company purchased Packet Storm from founder Ken Williams for what was reportedly about $150,000.
Packet Storm features links to security news, bulletins and tips – but is perhaps best known for its uncensored archive of live exploit code. Researchers study the code to learn how to guard against intrusions, while unskilled would-be hackers use it to break into computers that haven't been secured properly.
When the market downturn and Securify's changing business model threatened Packet Storm's existence, some Securify employees and like-minded geektrepreneurs decided to run the site as a nonprofit venture.
"With the expectation of profit removed, we have a lot more freedom," says Emerson Tan, a newly minted Packet Storm editor who lives in Calgary and works for a management consulting firm he did not want named in this article.
Tan brings an open-source attitude toward his work. Instead of having Packet Storm rely on one site, he plans a network of mirror sites and is asking for news and file contributions.
The news is sure to cheer fans of Packet Storm, and there seem to be plenty of them. The site's archive includes 2.6 GB of files, and its editors say it has 10,000 unique visitors each day.
This isn't the first time Packet Storm has been threatened with oblivion. In 1999, it got the boot from its original home at Harvard after AntiOnline founder John Vranesevich complained to the university that a hidden directory included embarrassing photos of him.
Packet Storm's recent changes are part of a larger trend that some mavens decry: growing corporate control over security-related information. Some sites provide early warnings of new vulnerabilities only to paying subscribers or approved groups, not the general public.
A recent article by Richard Forno targets a deal between the taxpayer-funded Computer Emergency Response Team at Carnegie Mellon University and the Electronics Industry Association to create the fee-based Internet Security Alliance. Companies that pay thousands to tens of thousands of dollars annually would receive warnings 45 days before anyone else.
"It is more likely that company security officers will spend their meager security resources not for a frivolous ISA membership but for necessary security items – new virus control software, licenses for firewall products, and other more tangible 'here and now' security solutions," Forno said.
Another site that's taking a not-for-profit approach is Vulnwatch.org, a new security vulnerability announcement list. Its editors say: "Vulnwatch is completely non-commercial and chartered to stay that way. It is supported by volunteers and donors."
Steve Manzuik announced the project at Defcon, and says it's designed to provide an open forum for vulnerability information that's free and untainted by any corporate affiliation.
"Lately the over-commercialization of vulnerability information has begun to detract from the community spirit that has enabled so many to publish their security research for the benefit of all," Manzuik said.
Part of the reason for this so-called commercialization is that security is one of the few tech areas expected to enjoy rapid growth in the next few years. An analyst at Bear, Stearns in New York recently told The New York Times that venture capital funds have invested more than $500 million in about 75 security-related companies over the last year and a half.
On the other hand, counterexamples like OneSecure's failed attempt to enter the managed security business prove that the security field is as competitive as any other. OneSecure laid off 80 to 90 percent of its roughly 200-person workforce last week, and many were roaming the Defcon convention looking for jobs.
