The Legal Risks of Ethical Hacking
When ethical hackers track down computer criminals, do they risk prosecution themselves?
Security researchers at this week's Usenix conference in Boston believe this is a danger, and that ethical hackers have to develop a uniform code of ethics for themselves before the federal government decides to take action on its own.
One such researcher introduced himself by saying "Hi, I'm Dave Dittrich, and I'm a computer criminal." Dittrich, senior security engineer and researcher at the University of Washington's Information School, has not been unlucky enough to be prosecuted. But ten years ago, he says, he took actions to disrupt distributed denial-of-service attacks that could have been construed as criminal.
Working within the University of Washington network, Dittrich accessed other people's computers to identify and clean up infected machines, and shut down malicious accounts.
While Dittrich was figuratively wearing the white hat, his actions could potentially have been seen as unauthorized intrusions, he says. Dittrich notified government authorities, as well as the DDoS attack's innocent victims, of his actions and findings, but he says relying totally upon bureaucratic processes could have taken one or two years.
"In a situation where there are ongoing attacks, and there is no understanding of what is going on, time becomes critical," Dittrich said.
Dittrich and others spoke Tuesday during a panel titled "Ethics in Botnet Research" during the Usenix workshop on large-scale exploits and emergent threats (LEET). The topic is also being tackled on an ongoing basis by the Electronic Frontier Foundation's Coders' Rights Project.
"We are studying criminal activity, and some of the things we do can't be distinguished from the criminals themselves," Dittrich said. "We're all trying to do good. Everyone in this room has their own ethical codes. I don't know if they totally overlap, but we're all trying to do good."
Security researchers may ultimately have no control over how law enforcement authorities view their actions, panelists said.
"We are at the mercy of prosecutors' discretion, but we are pushing some of these boundaries," said Jose Nazario, a network security researcher with Arbor Networks who has been investigating the Conficker worm.
Still, the ethical hacking community should collaborate to develop a set of ethical guidelines that can be shown to government when and if it starts taking a greater role in oversight, panelists said.
"As a community, we can authoritatively build up our own sense of ethics," said Vern Paxson, a senior scientist with the International Computer Science Institute, and professor at the University of California, Berkeley. "This is going to be shoved down our throats in a couple of years, based in part on actions people in this room take."