A new group of online activists is raising questions about just how far information technology people should go to stop illegal activity online.
In mid-December, some 30 seasoned information security professionals, "white hat" hackers and technologists formed Condemned.org, an activist group dedicated to "eradicat[ing] the existence of child pornography, pedophilia and exploitation on the Internet."
As of its 10th day of operation, Dec. 21, Condemned.org claimed to have "eradicated" more than 20 child pornography servers through proper legal channels, according to Kent Browne, a 40-year-old systems architect for an East Coast consulting firm and a spokesman for Condemned.org.
Browne also claimed that members have hacked into more than 13 servers overseas and erased their hard drives.
Even as some legal experts condemn the attacks, Browne claimed that technologists are lining up to join the fight.
"Everyone that I have spoken to is so anti-child-pornography that they literally beg me to find something for them to do to help," said Ben Bidner, a security administrator for a Web server group in Australia who founded and runs the Condemned.org server.
Condemned also got support from a half-dozen Internet service providers, as well as Web development and security companies in Australia and the U.S., such as Geoday Pty., DuFunk and Ion12 Web Development.
"Condemned.org is striving not only to rid these servers from the Internet, but to make the public aware that we are here actively opposing child pornography," Bidner said.
Comstar.net, a corporate Internet service provider in Atlanta, has joined the cause, offering the group a free mirror site and connectivity. "It's the best cause I've ever come across on the Internet," said Jerry Zepp, Comstar's chief security officer.
Condemned.org aims to make it simple for "normal Internet users" to report offending Web addresses by filling out a simple template located at http://www.condemned.org.
Condemned.org pushes the information forward to law enforcement agencies -- local field offices of the FBI when servers are discovered in the U.S., and the Western Australian Police Web server.
But Condemned also takes action of its own, Zepp said.
First, Condemned.org volunteers notify server administrators of the illegal material stored on their machines' hard drives. Most are responsive, especially administrators at free e-mail services and Internet service providers who are unaware of the material at first, Browne said.
America Online Inc., for example, said it has a general policy of terminating an account, then notifying law enforcement if it's made aware of illegal images or child-porn-related screen names.
But when neither administrators nor law enforcement officials respond, Condemned.org resorts to hacking. Although no one at the organization would admit to hacking servers in the U.S., Browne acknowledged that a few Condemned.org volunteers have taken out 13 overseas sites this way.
"We have hacked some of these sites in areas of the world where there are no laws," he said. "In those countries, we've taken servers completely off-line with buffer overflows or straight exploits written by a couple of guys on our staff. Once we get in, we erase their file directories and everything on their hard drives."
But according to some experts, such attacks, in addition to being illegal, may be counterproductive.
"Groups that are hacking these sites are making it hard for us to convict the pedophiles behind those sites," said Parry Aftab, an attorney and president of CyberAngels.org, a 6-year-old antipedophile group with 1,400 volunteer members.
"If you take down a server, you take away my evidence," he said.
"If someone's using an Internet connection from the U.S. to hack other servers, it's a violation of cyberterrorism laws," said Aftab, who has written two books on children's online safety. "Heck, I'd love to string up every pedophile on the earth, but we can't do that. We don't live in a lawless society."
Pete Gulotta, special agent for the Baltimore office of the FBI's Innocent Images child pornography detail, agrees that taking down overseas sites may impede prosecutions, but he wouldn't offer an opinion on the legality of the attacks.
The FBI and U.S. Customs Service officials work with foreign governments on international investigations, often undercover. "The problem lies with countries that don't have treaties with the U.S., some of which are in the Pacific Rim," Gulotta explained. "If you have servers in places like that, you're not going to get satisfaction with any law enforcement effort."
Other security experts are more vehement. "Certain things in our society are blatantly offensive. And one of those things is kiddie porn," said Winn Schwartau, founder of security consultancy Interpac Inc. in Seminole, Florida.
"The amount of damage caused by leaving these servers up is far greater than the damage caused by a few hackers."
Jeffrey Hormann, commander of the U.S. Army's Computer Crime Investigative Unit, said the attacks threaten more than just pornographers.
"One of the greatest problems law enforcement has in policing cyberspace is the view that cyberspace is so vastly different than the physical world. So we allow the technical community to take it upon itself to stop groups allegedly involved in child pornography," Hormann said. "But what about online gambling or groups professing hate crimes. Do we allow attacks on their servers, too? In the physical world, we don't allow the businessman whose store has been broken into to hunt down and retaliate against the perpetrator."
While federal agents don't publicly condone online server assaults, most law enforcement officials turn a blind eye, according to Browne and Schwartau, both of whom have had extensive off-the-record debates with law enforcement associates.
"[Authorities] said to me, 'If you get up before any judge in the world, chances are he has kids and he's not going to convict you,'" Browne said. "Who would? This is horrid, horrid."
(Radcliff is a Computerworld contributing writer in Northern California.
Contact her at firstname.lastname@example.org.)