The hacking hobbyist

Baker, a 24-year-old systems programmer, is part of a group of computer experts who spend their free time trying to figure out potential Internet security threats to large networks. Over the last year, Baker's hobby has led him to technology security lapses at E*Trade, the Charles Schwab brokerage concern, Wells Fargo bank and the Critical Path e-mail service. Baker is a member of a clan known as "gray-hat" hackers, who occupy the ethical territory between the malicious "black hats" and the "white hats," hired by companies to check their own systems' security. Gray Hat protocol is to first notify hacked companies of possible network flaws, and then possibly posting the flaw on Web sites where gray hats exchange trade gossip, as Baker did when he discovered the E*Trade network security hole. The company quickly vowed to clean up the matter after reporters called. In a world where hackers are either jailed or earn thousands in consulting fees, Baker's hobby is puzzling. The online gatherings for this community are places like Bugtraq, run by Virginia-based SecurityFocus.com. Five to 10 network vulnerabilities can be posted on Bugtraq in just one day, said chief technology officer Elias Levy, who estimates the gray hat community numbers 10,000 people, ranging from researchers at well-known labs and universities to amateurs. "People make targets of themselves," said Baker, who says he gave E*Trade months to address the issues before posting vulnerabilities. "If there isn't any press, there isn't any action. It is the key to making the whole plan work."