Vigilantes rule the wild, wild Web

Apparently, there's another option. You might decide to take the law into your own hands. Which means you might call a man known as Lou Cipher. "Lou" says he's spent the last 10 years working for Fortune 500 companies, turning the tables on computer intruders, performing what some have called vigilante justice in cyberspace.

Cipher, a pseudonym, of his own choosing, says he retired from a 15-year career as a computer consultant in 1990. By then, he had already started his life as a hacker for hire.

In the past 10 years, he's says he's been hired over 50 times by big U.S. firms - mostly financial institutions - looking to get hackers off their back. He says fees now start at $100,000 for new clients, "with no promises of success."

He and his "associates" often take on their tasks by "bridging from the virtual world to the physical." That means breaking into the same computers a hacker has hijacked, chasing the trail through cyberspace, obtaining a real-world address and paying a real-life visit.

Cipher says he's even broken into homes and stolen hackers' computers to teach them a lesson. He gives the machines back after recovering any stolen information

"I am engaged in the protection and regaining of stolen assets because of the inability of government to provide adequate protection and prosecution," Cipher says. And that includes, he admits, breaking laws himself. His defense: "It's self-defense.

"You can call the FBI right now and say a person just got off with a database of customers. What is the FBI going to do?"

Giving Feds the fits
The increase in technology crime has given fits to law enforcement agencies who find they don't have the necessary skills to keep up with an army of new criminals, emboldened by the anonymity the Net provides. Even when federal agents act, justice can be slow. It took almost six months for the recent nationwide FBI hacker "crackdown" to produce an arrest.

So Cipher, and some say other such corporate vigilantes, take the law into their own hands.

Still, to call breaking into someone else's home an act of corporate self-defense would likely be considered a stretch in court.

"I don't see that argument holding water," said cyberlaw expert Dorsey Morrow. "It would be a dangerous thing for a corporation to do. The potential liability is incredible."

Particularly if vigilantes hit the wrong target. That's the concern of computer consultant Brian Martin, who maintains the popular hacker information site "attrition.org."

"So Lou and his gang roll up on this house and know the intruder dialed from there. They bust in and terrorize an elderly couple. Oops!" Martin said. "How could they have been so wrong? Because the hacker used a laptop from the phone box outside their house. That scenario scares me."

First identified in a column
Cipher was first identified in public when information warfare expert Winn Schwartau used his name in a column for Network World in January. Claims of baseball bat-wielding vigilantes stirred skepticism in the underworld, and neither Martin nor Space Rogue, who maintains the Hacker News Network Web site, say they've ever heard of a hacker being visited by any private security agent.

"Considering the size of this community, if he has visited more than 10 people I am sure word would have leaked," Rogue said. But he added "There have been rumors floating around for a few years of corporations with their own internal security taking matters into their own hands."

That has law enforcement agencies anxious enough to discuss the matter publicly. Jim Christy, special agent for the Department of Defense, debated Schwartau on the topic at the Infowarcon conference earlier this month.

"I have no problem with identifying a bad guy and warning them," said Christy, who for 11 years was chief of computer crime for the Air Force Office of Special Investigations. "That's a legitimate self-defense option for a victim. But it crosses the line when you violate the rights of others. ... It crosses the line when you break the law."

Rely on informants
He said the key to making law enforcement agencies more effective is for more victims of computer crime to come forward. Without a backlog of cases, agents can't demand additional resources. Companies that hire vigilantes, or who simply brush computer crime under the rug out of fear of embarrassment, only make the situation worse, he said.

But that won't help victims today, Schwartau said, and they need somewhere to turn.

"The legal community says it's blatantly illegal," Schwartau said. Schwartau, who once shared ownership of a Web site venture with Cipher, says the legal community is being closed-minded on the topic. "Is disarming an adversary illegal? ... You're allowed to do repossession, which is stealing your own possessions back."

When MSNBC visited Cipher at his daytime consulting job, where he is a security adviser for a large U.S. brokerage company, Cipher said he painstakingly verfies his targets and admits sometimes he doesn't catch them. Most of the examples he offered involved pre-emptive strikes against hackers "probing" financial networks - the cyber equivalent of "casing" a bank before a robbery.

Such pre-emptive strikes have taken him as far as Eastern Europe, and even India, he said. In one case, he said college-aged hackers in hte Czech Republic were worming their way toward a bank's credit card database. Another incident involved hackers in India trying to fake an electronic funds transfer.

But sometimes, he said, he does his work entirely over the Internet. Last month he says his agents broke into the computer of a man who held a vast database of stolen credit cards. They scrambled the card numbers to render them useless.

Many more of his stories are less dramatic, involving a polite curbside or coffeehouse conversation with a hacker. Often, that's enough, he says.

"They are very surprised when we come to visit, when we bridge to the physical world," he said.