[This was originally published on attrition.org. This is a rebuttal piece to Sam Bowne, the person, Twitter personality (@sambowne), City College San Francisco professor and self-proclaimed whitehat hacker.]
Background: I was first introduced to Sam when noted charlatan Gregory D. Evans accused Bowne of being one of the “world’s biggest cyber bully’s” (sic). I was briefly involved in an e-mail thread with several people and gave input to Sam regarding Evans’ past. Apparently Evans’ press release, possibly coupled with a formal complaint to the school, resulted in Sam having to appear before a board at the college to defend himself against the accusations. I don’t know the details other than he left the meeting absolved of the allegations.
After the incident, I kept following Sam on Twitter as he provided a good set of links to interesting security news and gave input as he saw fit. During that time, he consistently made tweets about being a whitehat and showing scorn for blackhats / criminals. This proud waving of the whitehat flag became a badge of honor to him as he turned himself into a self-deprecating martyr of sorts.
Sat Oct 30 Sam Bowne says: @RayDavidson: @DownloadSquad: This guy was no whitehat–what he did was clearly illegal http://bit.ly/dvjiZO
Fri Dec 10 Sam Bowne says: Interesting controversy about white-hats using botnet vulns to clean off infections–I think it’s clearly illegal #BayThreat
Sat Feb 05 Sam Bowne says: @attritionorg Well, I don’t know who did it. I address whitehats because I don’t think anyone else will listen to me.
Sun Feb 06 Sam Bowne says: I just submitted an article to Infosec Island pontificating about black and white hats. If they run it, I will need an asbestos T-shirt.
Sat Feb 26 Sam Bowne says: @mckt_ I’ve been saying for weeks that white hats and CISSPs need to obey the law. This seems to be an intolerable offense to most tweeps
Fri Apr 08 Sam Bowne says: Rt @DaveMarcus: …”ethical” or “whitehat” in your profile … its lame… <– Some of us are Lame & Proud
Mon Apr 25 Sam Bowne says: RT @willbradley: @sambowne oh, nice. Gotta love righteous white hats. <–The technical term is “Insufferable Pompous Ass”
Sat Jun 04 Sam Bowne says: Rt @LulzSec: We just DDoS’d the IP that tried to inject us <–Offensive security, often discussed, but off-limits to white hats
Sat Jun 25 Sam Bowne says: I get a lot of abuse being a whitehat on Twitter, but it’s worth it. I’ve been able to help several people because of it.
He also shows a conflicted view on ethics without realizing it: he sees a clear difference between obeying and breaking the law, he disagrees with the CISSP Code of Ethics on talking with blackhats, and he finally admits that he is interested in the theoretical abstraction of ethical rules and doesn’t care whether those rules are enforced.
Fri Mar 05 Sam Bowne says: .@heavenraiza Re: Ethical Hacking–I see a clear difference between obeying the law and breaking it.
Wed Jan 12 Sam Bowne says: @hypatiadotca I don’t think it violates ethics to talk to black-hats, as long as I am trying to get them to go straight, not doing crimes
Fri Feb 18 Sam Bowne says: .@jack_daniel @Viss I am interested in the theoretical abstraction of ethical rules, regardless of whether there is enforcement
All of this is fine; having a healthy debate about ethics is good. Despite his proud whitehat designation, I actually appreciate him for realizing the CISSP Code of Ethics is ridiculous. It gave me hope that while good natured, he really did understand that the world is full of grays, despite past tweets about ethics suggesting he only saw black and white.
In the last few weeks, Sam started asking his followers for security contacts at various organizations.
Fri Jun 10 Sam Bowne says: I need a security contact inside PBS. Please contact me by Twitter or email to email@example.com — thanks!
Mon Jun 20 Sam Bowne says: Does anyone have a security contact inside CNN? Those SQL holes need to be closed NOW.
Tue Jun 21 Sam Bowne says: Does someone have a network security contact in the Los Angeles Police Dept.? It’s not an emergency, but something they should know.
Fri Jun 24 Sam Bowne says: I am still seeking an infosec contact inside the Los Angeles Police Department. It’s getting more important too.
Sun Jun 26 Sam Bowne says: OK, this is pretty insane: does anyone have an infosec contact inside the government of China? Bad stuff, really bad
Sun Jun 26 Sam Bowne says: I need an infosec contact inside Inition or Thinglab, makers of 3-D printers http://t.co/JbebZkp
Sun Jun 26 Sam Bowne says: I need an infosec contact inside Relay Specialties, Inc. http://t.co/STkji0t
The first two requests are understandable. In the wake of activity from LulzSec and other groups, there was public exploitation of vulnerabilities in the websites of PBS and CNN. Sam was trying to find contacts to report the vulnerabilities being exploited by criminals. After that, his requests became more curious and raised the question of where he was getting the information. I had seen no tweets regarding vulnerabilities at the LAPD, the Chinese government or the rest of his list. Was he monitoring an IRC channel or message forum where this information was being shared? Was he or his students actively testing web sites and products without permission? I was curious, so I asked.
Sun Jun 26 attrition.org says: @sambowne are your students finding all these issues in .cn gov, vendors and other contacts you are after?
Sun Jun 26 attrition.org says: @sambowne your proud ‘whitehat’ designation is curious when you ask for a sec contact inside the Chinese government.
Mon Jun 27 attrition.org says: @sambowne you going to explain how you and/or your students are finding these issues?
Tue Jun 28 attrition.org says: @sambowne Any particular reason you are ignoring my (and others’) request for you to explain how you are finding so many?
Tue Jun 28 attrition.org says: @can0beans Nope, on day 2 of @sambowne tweeting, but not answering our question.
Tue Jun 28 RBC says: @sambowne I’m curious about what @attritionorg asked you as well. Curious where all your finds are coming from
Wed Jun 29 RBC says: @sambowne You always seemed so up front and bold with your beliefs. You always defended yourself, why are you not responding2 @attritionorg
Tue Jun 28 Chris Teodorski says: @attritionorg @sambowne did you get an answer to this?
With Sam ignoring these queries and comments, it seemed to many people, including myself, that he may have started live testing web sites for vulnerabilities and reporting them. Since he didn’t reply to any of us, even in private, it certainly began painting a picture that he may be dabbling in grayhat hacking.
This prompted me to go to his school web site to see if they had an ethics policy, so that I could quote it to him. While trying to find that, using their search engine like any user would, I ran into two security issues. The first was an SSL certificate for Google instead of CCSF which was curious. The second was a much more interesting issue that had serious ramifications. Following a general disclosure guideline that I have used for almost 15 years, I tried to find a listed security contact so I could inform them. When I couldn’t find anyone with ‘security’ in their title, and no apparent place to report such problems, I asked Sam if he could provide the contact information for me.
I started on Twitter, half-joking with him since he had been asking for other security contacts. I had already found it ironic that he was searching for security contacts via Twitter, while his own employer had none listed. Sam was tweeting after the question was sent, and had plenty of time to respond. I sent a DM and got a reply from him that was more troubling to me than anything else I had seen from him.
When he didn’t reply publicly, and didn’t reply to my second DM, I called the college the next day to get the information and let him know. At this point, I was mildly annoyed and made the comment about finding the ethics panel because everything to that point suggested to me that he was slowly going rogue. (I did not call for the ethics panel info, and had no intention of actually filing a complaint; I wanted to convey that I was serious about my questions and concern.) CCSF’s response was outstanding, with an immediate reply confirming they got the e-mail and would look into it at once. By the next day, Sam had blocked @attritionorg on Twitter. This was very curious given our friendly past, his ignoring my questions about how he was finding vulnerabilities, and even the brief direct messages.
Tue Jun 28 attrition.org says: oh @sambowne .. can you give me a security contact at ccsf.edu please? need to report something troubling.
Tue Jun 28 attrition.org says: @sambowne after being transferred twice, I got 2 contact addresses @ccsf.edu to report a sec problem to. neither were you..
Tue Jun 28 attrition.org says: @sambowne after I send this e-mail to them about the security problems, next call is to find the ethics panel contact information
Tue Jun 28 attrition.org says: Very fast reply from IT @ ccsf.edu, they are looking into what I reported already. They confirmed @sambowne is not a proper sec contact.
Wed Jun 29 attrition.org says: So called “whitehat” @sambowne -> “This person has protected their tweets.” Running from honest questions Sam?
Sun Jun 26 zookus says: “@attritionorg: @sambowne you going to explain how you and/or your students are finding these issues?” I too am very interested.
The direct messages between us were brief, but troubling as I said:
to sambowne – I am serious. Can I get a security contact for ccsf.edu please? Ran into what I consider a serious issue on the web site. 9:51 PM Jun 27th
from sambowne – Please tell me what you have found. 10:11 PM Jun 27th
to sambowne – I cannot validate that you are the appropriate security contact for the City College of San Francisco. Monday, June 27, 2011 10:17:24 PM
Rather than help me find a designated security contact at his college, he asked me for the information. Per ethical and responsible disclosure guidelines, I did not provide him the information. Before you get on my case about him being an employee there, remember that Sam himself would have done the same thing.
Mon Jun 27 Sam Bowne says: The general wisdom I have told my students is not to even bother without an introduction to a real security contact inside.
The security contacts provided to me during my phone call confirmed that Sam was not a designated contact, but helped them from time to time by sharing information. In the long run, I was right to follow responsible disclosure and not distribute the information to a non-security contact at the affected organization.
From: Brian Martin (bmartin[at]attrition.org)
To: xxxxx[at]ccsf.edu, xxxxxxxx[at]ccsf.edu
Date: Tue, 28 Jun 2011 18:30:06 -0500 (CDT)
Subject: Possible security problem in ccsf.edu website

[security contacts];

I received your e-mail addresses after calling the school and asking who I should report this to. Please forgive me if you are not the appropriate contact, and either forward this information to the correct party or let me know who I should contact. While performing a search of your website, I ran into an oddity that may have security implications. To reproduce: [..]
From: Txxxx Rxxxx (xxxxx[at]ccsf.edu)
To: Brian Martin (bmartin[at]attrition.org), Gxxxx Vxxxx (xxxxx[at]ccsf.edu)
Date: Tue, 28 Jun 2011 16:36:30 -0700
Subject: Re: Possible security problem in ccsf.edu website

Brian- Thanks for the info, Gxxxx and I sit next to each other and will look into the issues you have raised. Sam Bowne is a Faculty Member in our academic Computer Networking Department (CNIT), he is not part of our internal security team although he does research into security-related topics and regularly shares information with us.
In the end, it wasn’t anything sinister or unethical. Sam was simply performing a “Cold Calls” experiment, in which he was reporting already-published vulnerabilities to companies that likely were not aware of them.
Given everything I had seen: asking for security contacts at organizations in a way that suggested he may be live testing, comments suggesting he saw a code of ethics as somewhat flexible, pretending to be a security contact when he wasn’t, and ignoring any question related to the fiasco, the evidence suggested to me that he was making the transition from Samdalf the White to Samdalf the Gray. Why he didn’t send me an e-mail or DM saying he was working on a project, or merely “getting info from a public web site”, confused me. I am certainly happy that he is staying on his ethical kick, but would fully encourage him to work on his communication skills.