www.upside.com
Hackers for Hire
January 14, 1999
by Deborah Radcliff

Lured by steady paychecks, some hackers are giving up their nefarious ways and joining corporate America. But can folks with aliases such as Dr. Who and Hobbit handle a 9-to-5 life?

Yobie Benjamin, glad to have an extra passenger during the congested morning commute, screams down the carpool lane through a Silicon Valley artery. From the slightly elevated perspective of his Ford Explorer, he's talking "corporate strategy," "business objectives" and "total customer solutions." Benjamin is psyched for an internetworking dinner his company, Cambridge Technology Partners Inc. (CTP), is hosting for more than 40 CIOs and senior executives from companies such as Cisco Systems Inc., Levi Strauss & Co. and Network Associates Inc. By all appearances, Benjamin seems destined to become one of them. Just another hacker gone legit.

Until recently, hackers cloaked themselves behind their computers with online identities such as Oblivion, SirDystic and Dr. Who. Now, some hackers--at least those over 30--are stepping out of the shadows and into a media blizzard: coverage on "20/20," CNN, and "Silicon Valley Business This Week" and articles in the New York Times. They've morphed into the decade's cool new computer security experts.

[Until recently? Now more than ever are they doing it. And the arbitrary age of '30' is wrong. 16-year-olds have found themselves on various shows and in columns.]

But as hackers shed their old lives to move into new ones with high-profile jobs that earn them big bucks, technology companies and their customers have to wonder: Will they fit in? And can they be trusted to stay on the straight and narrow?

Some, like the 39-year-old Benjamin, are proving their worth in corporate environments. Benjamin was director of technology for Cambridge, Mass.-based Cambridge Technology Partners' enterprise security services division.
But for every Benjamin, there are dozens of hackers who can't make the grade. And even more who don't want to.

"For some, like hackers, knowledge is power," says Penny Leavy, vice president of worldwide marketing and business development for Finjan Software Inc. of San Jose. "For others, it's money. And for others, it's climbing the corporate ladder." Benjamin sat on the technical advisory board of Finjan, which makes software that defends computers and networks against malicious Java, ActiveX and other mobile code (small programs that are transmitted through networks and the Internet and then executed on the desktop).

Benjamin is by no means your late-night, no-life nerd. With a bachelor of arts degree in communications from the University of the Philippines in Quezon City, he has developed training films for Asian immigrants and written speeches for former San Francisco Mayor Frank Jordan. The father of two daughters, Benjamin now finds his free time consumed with "Sesame Street" books and preschool get-togethers--not hacking.

Benjamin calls himself an "ethical hacker," one who grew up on the ARPAnet, pre-Web bulletin boards and "borrowed" time-share machine space in the 1970s and '80s. He wears his tar-black hair well past his shoulders. And he's hardwired to many underground hacking groups, members of which worship him for his superior technical skills. In fact, one of Benjamin's own Sun Microsystems Inc. Solaris servers runs in a humming equipment room at the Berkeley, Calif., home of Peter Shipley, administrator for the infamous hacking group dis.org.

Ah, Shipley: With his Tiny Tim locks and propensity for vampire fangs and Goth clubs, the 33-year-old Shipley is a true technology junkie. Going by the name Evil Pete among his hacker buddies, he presides over about 20 servers and a T1 line inside his spare bedroom. But now Shipley has gone corporate, too.
Since early spring, he has held the position of chief security architect at the $10.4 billion international accounting firm KPMG Peat Marwick LLP of New York.

Screen first, hire later

There are more like Shipley and Benjamin working for Big 5 accounting firms, startups and security consulting firms around the country. In fact, CTP's avant-garde, 20-person enterprise security services unit is home to about 10 hackers.

These aren't your run-of-the-mill computer geeks, though. All hold some claim to technical fame, according to Erich Oehler, director of the unit. For instance, one of his hackers designed secure operating systems for highly sensitive government agencies. "[In terms of] skills and motivation, there's a lot of creativity in our group," Oehler says.

Oehler is testy about emphasizing the hacking element of his year-old unit, and with good reason: It has cost him clients. "We're sensitive about saying we hire hackers because, frankly, some customers have turned us down," Oehler says. "They worry about all these rogue hackers running amok." He quickly adds that CTP protects its clients by putting all hires through rigorous screening and background checks. And once hired, the hackers must abide by the company's core values--"openness, honesty, dedication, respect and trust."

Located on the outskirts of San Francisco's Multimedia Gulch, CTP's security services unit conducts technical security audits for paying clients. The unit's offerings sometimes piggyback onto other application development. For example, the unit may be called upon to build security into a customer's newly developed electronic-commerce package. It also does primary research and development to identify software vulnerabilities and then design defense mechanisms around them.

While Oehler worries about spotlighting former hackers, there's no denying they're a hot commodity.
In August 1998, "20/20" broadcast a 10-minute segment in which CTP hackers cracked a financial institution's system (with permission, of course) to identify and illustrate the computer insecurities for that customer's executive management.

It's all part of what those in the hacking community term mediawhoring--a plot to legitimize their shadowy habits and cash in on a worldwide security services industry expected to reach $7.3 billion by 2000, based on figures provided by Richard Brewer, a senior analyst with Framingham, Mass.-based market research firm International Data Corp. (IDC).

[Mediawhoring is not when ANY hacker gets ANY media press. It is more used for *Wannabe* hackers who have little or no skill, jumping in the spotlight piggybacking off the hacker reputation.]

"A month after the '20/20' segment, [Benjamin] told me that the value of that segment couldn't be measured in terms of public relations," says Ron Moritz, Finjan's director of technology. "There's value in having someone on your team with such national recognition and professional credibility."

While such coverage propels hackers' careers, it also raises awareness about technical security issues. In a joint survey by the San Francisco-based Computer Security Institute and the FBI, 241 of 520 business respondents said they lost a combined total of more than $136 million in 1997 because of computer crime or misuse. And, for the first time in the survey's three-year history, more than half the respondents cited the Internet as the leading point of vulnerability.

No wonder hackers are in such demand: It's their decades of hands-on experience with telephone systems, dial-up modems, operating systems and internetworking equipment--combined with their natural paranoia and ingenuity--that makes them so hot.
Such skill sets are tough to find, says IDC's Brewer, adding, "Right now, everyone's fighting over skilled security professionals"--which could explain why Shipley and Benjamin command six-figure salaries.

"[Benjamin] has the unique ability to understand the broader business implications of a particular technology effort," says Finjan's Moritz. At many a quarterly technology review, for example, Benjamin has asked questions that skirt the obvious and provoke Finjan's developers to tackle project development in a more comprehensive way.

Douglas Graham, a KPMG partner specializing in electronic commerce, feels the same way about his hire, Shipley. "You're probably wondering why a big accounting firm would hire hackers," he says with a smile. Essentially, Graham explains, it's a toss-up between National Security Administration-trained hackers "because the NSA has an awful lot of money to look into security issues," and ethical freelance hackers "because they have an awful lot of time to look into security issues."

A little different

Continues Graham, "Yes, hackers dress a little differently. And their tastes in music can [be] kind of strange. But some, like [Shipley], are comfortable technically, very ethical and straightforward. And he wears a suit to client meetings."

[What does taste in music have to do with anything? I am sure you will find employees with just as 'different' tastes in music as hackers.]

Not just any suit, but a Brooks Brothers suit, boasts Shipley, whose words spill out so fast they often slur.

Shipley also has achieved fame in the hacker community. An overflow crowd awaited him at the Eighth Annual Conference on Computers, Freedom and Privacy, held in Austin, Texas, Feb. 18-20, 1998, where he discussed Internet security holes. Ditto for his update talk at the annual DEFCON hacker conference last summer in Las Vegas.
At DEFCON, he spoke about his experiment with war dialing, which is a technique hackers use to scan telephone prefixes to determine which numbers are linked to modems. Shipley rigged his computer to dial 5.3 million Bay area phone numbers looking for exploitable modems. Of the phone numbers that turned out to be connected to modems, 75 percent were insecure enough for a hacker to get into the computer systems attached to them.

"KPMG respects my technical knowledge," says Shipley, who is vague about his job description because it involves software product development with some big-name industry players. But much of his work is similar to what he did in his 10 years as an independent contractor--security assessments for clients sprinkled with a couple of lectures each month. Only now he has an expense account. And he's managing projects and helping hire other hackers.

Graham insists this "ethical hacker" brings value to KPMG by convincing clients they need help securing their computers. For instance, it took Shipley a mere two hours to show a banking client that it had wasted millions on some ineffectual security efforts. "[Shipley] demonstrated this dramatically by remotely bringing down the main server while the client's chief information officer watched," Graham explains. The bank was happy with Shipley's work, especially because he discovered the security flaws before the bad guys did.

According to Graham, there's a technical career path for such people at KPMG, though he has yet to figure out exactly what that is. Shipley's take: He may make it to middle management but not to partner level because he lacks the necessary formal education, management background and corporate experience.

[Big 6 accounting firms typically want their partners to have degrees in ACCOUNTING. Of course Shipley didn't pursue that path while becoming a security professional. He could have a Masters in engineering and it would probably not meet their qualifications.]
Dog that dogma

Despite such glowing reviews, many in law enforcement and industry will never trust hackers, even reformed or white-hat (nonmalicious) hackers, as these born-again security specialists call themselves.

[And hackers don't trust these ex-criminals claiming to be law enforcement. We all know police officers who have smoked dope, consumed liquor while under age, and often worse. It's a two-way street.]

"Culturally, there's a lack of trust when it comes to hackers," says Rob Clyde, co-founder of Rockville, Md.-based Axent Technologies Inc., a computer security tools company.

[Yet Axent hires some.]

Bad habits

Clyde makes his point by relating a story of the disaster that befell an Axent client three years ago. That client, a government agency, contracted with a hacker to clean up its systems. When the hacker left, the agency discovered that he had posted its system's vulnerabilities on underground hacker Web sites and bulletin boards. Many of those holes hadn't been patched yet. "That agency will never hire a hacker again," Clyde says.

[That they know of... fact is, most hackers don't advertise their background when applying for jobs.]

But even that kind of treachery sometimes gets a positive spin: These hackers are doing corporate America a favor by breaking systems and publishing weaknesses because it forces software vendors to fix inferior products.

For instance, two years ago, Benjamin discovered a way to manipulate the security settings on Microsoft Corp.'s Internet Explorer 3.0. As the code enters a computer, it drops the security level to give a cracker (a bad-guy hacker) control of the machine. Benjamin immediately informed Microsoft of the weakness, and the problem has since been patched.

Benjamin's former unit at CTP was even turning such code into profit. The unit was cataloguing and documenting all known hacker attacks against various systems to run against clients' systems when assessing their computer security measures.
This knowledge base would make his organization's job much more efficient, according to Benjamin, because the team would be able to launch attacks against clients' systems from a single source.

[Something many hackers and security companies have been doing for over 10 years.]

Despite the new air of legitimacy, many hackers--especially the younger ones with no formal education--don't have much of a future in corporate America.

[A nice unfounded vague statement.]

"I've had my share of hackers inquiring about jobs here," says Finjan's Moritz. "Most are immature, and I don't trust them." Many, he says, boast about technical prowess they don't possess, and others try to strong-arm Finjan into buying their polluted code. "They'll come in and tell me they [have] a new virus in ActiveX or Java," Moritz says. "When I ask one to show me, he'll say he won't until I pay for it. We show [these kind of people] the door. It's usually something we already know about that they got [from] the Net."

Benjamin adds that poor communications skills prevent even those hackers with better ethics from being regarded as corporate material. "It shows when you take them into a corporate environment and say, 'I need you to write something,'" he explains.

And even white-hat hackers such as Shipley and Benjamin can suffer transition problems. Both complain about internal politics, inefficiencies, paperwork, their PR "flacks" and the bureaucratic red tape that most corporate lifers have learned how to handle. For now, however, the pair is willing to play the game.

Others, such as 29-year-old Yetzer-RA, are wavering. Yetzer-RA, who wants to keep his identity secret to protect his employer, would just as soon ditch his job as a Microsoft NT security administrator at an East Coast medical facility. It's not that he minds wearing a tie to work four days a week. What bothers him is the internal politics. He's not popular with the old-timers.
"[In 1997], I ran a security sweep on a machine and found that 12 people could access that computer without passwords," says Yetzer-RA. "I brought this to my boss' attention, but those responsible for the machine were not pleased."

Blame it partially on his direct manner, which can be perceived as insubordinate and rude. The burly, long-haired Yetzer-RA, who has a penchant for silk vests, says he's holding out for the day he can work for himself; for now, though, he lacks the necessary skills.

Hobbit, however, is another story. His real name is Al Walker, but he goes by Hobbit because he never wears shoes (even during Massachusetts winters). He, too, is a legend in the hacker community.

Seven years ago, the 38-year-old Hobbit tried corporate life. He spent three years managing the computer systems at collegial startup FTP Software Inc. in North Andover, Mass. (acquired in August 1998 by networking software provider NetManage Inc. of Cupertino, Calif.). At the time, Finjan's Leavy worked at FTP as vice president of worldwide sales. Barefoot or not, says Leavy, "Hobbit is a truly brilliant individual."

Hobbit jumped off the FTP ship in 1994. "The suits came in and took over at the time of our IPO," he explains. "It started going icky--corporate and marketing-driven instead of tech-driven. My sleaze meter paged, and I bailed."

In his mad-scientist way, Hobbit would be content to build computers from the componentry he picks out of trash bins and driveways. Ultimately, he'd like to make all computers inherently secure. Unfortunately, he says, "Nobody's interested in funding research in discovering security holes."

To pay his bills, Hobbit has worked out consulting gigs at two local Internet service providers that occupy 10 to 30 hours of his week. He has no desire to return to corporate America, he says, except for the occasional consulting engagement.
One of these engagements, at the United States Federal Reserve Bank of New York, brought Hobbit and Shipley together in 1997 to train the Reserve's Red Team (technicians who hack against the Reserve's system to test for security flaws). Soon after, Benjamin did some computer security evaluation at the Reserve.

It was a stretch for those in the staunch, conservative banking environment to welcome these guys. Shipley showed up in his black Dracula cape. And Hobbit, with his bare feet and waist-length brown hair, was a sight to behold. Benjamin fared better: He wore a suit.

After they started covering their material, however, appearances were forgotten, according to Paul Raines, the Reserve's VP of electronic security. "I was impressed by their professionalism, their detailed knowledge and their willingness to help," he says.

[Shipley showed up in a suit the first day. He owns a cloak that is used for warmth, not decoration. When he presents, he wears professional attire when needed, or casual (jeans/shirt) when warranted. Yes, I have taught next to Shipley and say this from first hand experience.]

At the time, Benjamin's CTP unit was in discussions with an entertainment conglomerate to secure satellite feeds for the Winter Olympics in Nagano, Japan. When scheduling conflicts arose, he'd tell his unit, "Forget Nagano. This is the Federal Reserve," Raines recounts with a chuckle. "Benjamin saw the importance of what the Federal Reserve represented, not only for the U.S. banking system, but also for the international banking system."

As former operation commander for the U.S. Air Force's Minute Man nuclear missiles, Raines is no dupe. He runs criminal-background checks on all people who work with the Reserve's computers. He also limits their access to only those machines they're testing. And he asks for a liability contract. Raines advises anyone considering hiring hackers to do the same.

Thus, hackers in corporate environments walk a tightrope.
While they're trying to shed bad habits, stay on the right side of the law and speed-learn corporate culture and business strategy, skeptics are just waiting for them to fail.

[More blatant stereotyping. MANY hackers work just fine in corporate atmospheres. In fact, these companies have NO idea they have hired hackers.]

Yet as long as hackers who've gone legit have avoided accumulating police records, those with the right combination of technical skills, critical-thinking ability and ambition can earn management's trust and forge a path to the executive suite. Benjamin is a good example: In late November 1998, he joined Big 5 accounting firm Ernst & Young LLP of New York as a general partner and global strategist for electronic commerce, Internet and emerging technologies.

Deciphering Hackerspeak

There's a certain mystique surrounding hackers. Are they First Amendment revolutionaries liberating information for the public's benefit? Or are they malicious scoundrels bent on wreaking havoc by infecting computer networks with faulty code? It depends on whom you ask.

While some so-called ethical hackers want to set the record straight and change public perceptions of the hacker community, most prefer to remain a mystery. They operate in what they call "the underground," a subculture based on an unusual blend of anonymity and camaraderie. Most hackers protect their true identities by assuming aliases, and they protect their brethren by sniffing out wanna-bes and outsiders.

A dead giveaway that you don't belong in hacker inner circles is failure to understand the vocabulary, so Upside did some investigating and compiled this glossary. It may not garner you instant acceptance, but as more hackers go corporate, knowing their lingo will help you communicate with your new co-workers.

Carding
The naughty--and illegal--practice of committing credit card fraud by commandeering someone's card number to purchase goodies for yourself and your friends.
While advances in credit card security have made carding more difficult, electronic commerce is a carder's dream come true.

Cracker
A bad-guy hacker. The larger hacker population, which purports to oppose criminal activity, uses this term pejoratively to refer to hackers who break security on systems for the sole purpose of committing evil acts.

Cypherpunk
Someone obsessed with using encryption to keep data private. In particular, cypherpunks seek to prevent the government, which they liken to Big Brother, from accessing their information. Paranoid hackers who believe in conspiracy theories tend to become cypherpunks.

Easter egg
A message, image or sound effect that a programmer hides in a program's object code as a joke. Harmless and often amusing, Easter eggs can be found in most applications. Here's an easy-to-view example: Open Netscape Navigator 3.0 and press CTRL-ALT-F at the same time. You'll be magically transported to a real-time fishcam, courtesy of Netscape programmer Lou Montulli.

Media whore
In the hacker subculture, stepping out of the underground and into the media spotlight is the ultimate betrayal. Hackers who pander to the press for personal glory or fame are cast aside and labeled media whores.

[No, not the ultimate betrayal necessarily. Those who step out to educate the media are not media whores.]

Phreaking
Hacking into a telephone system, usually to make free long-distance calls. Computer hacking and phreaking go hand in hand, though some people are pure phreakers. The tools of the trade are homemade electronic devices called "boxes." The most common--the Red Box--enables hackers to make free calls. More sinister is the Bud Box, which is used to eavesdrop on others' phone conversations.

Samurai
A hacker who hires out for legal cracking jobs, breaking into systems to test their security. These professional hackers see themselves as warriors defending their employers' systems from unethical crackers.
Another term used to describe these hackers for hire is sneakers.

[Samurai? Try Penetration Team member, or "ethical hacker" as the media likes to say.]

Suit
What hackers call the rest of us behind our backs. The term reveals the contempt most hackers have for the conventions of corporate America, especially the wearing of suits. Government officials (think FBI and National Security Administration) are also commonly referred to as "suits."

Tentacle
A fake identity used by a hacker in cyberspace to perform bad deeds without getting caught. One person may have multiple tentacles, or aliases.

Trojan horse
Hidden code within a legitimate program that causes the program to malfunction. As legend has it, during the Trojan War the Greeks hid in a hollow wooden horse to gain entrance into Troy so they could launch their attack. Similarly, hackers use Trojan horses to infiltrate programs.

Virus
Probably the best-known term in the lexicon, a virus is an independent program that corrupts computer data and systems. What makes viruses so nefarious is that they replicate and are unknowingly transferred from one computer to another. You think it's bad when the flu goes around the office--try a nasty computer virus! Weapons of choice for most crackers, some viruses can cause irreversible damage. Of course, software providers such as Network Associates Inc. and Symantec Corp. aren't complaining--they've made a fortune selling virus-protection software.

War dialer
A program that scans telephone prefixes to determine which numbers are linked to computer equipment such as modems or fax machines. War dialers are an important part of a phreaker's arsenal.

Warez
Pirated software illegally distributed and downloaded from the Internet. Widely circulated among crackers, warez programs are versions of commercial software that have already been cracked. Die-hard warez users refer to themselves as "warez d00dz."

White hat
A nonmalicious hacker, also known as an ethical hacker or a true hacker.
These hackers claim to come in peace. While their activities are still considered illegal, white hat hackers see themselves as harmless information hounds. They hack to satisfy their curiosity, not to damage computer systems or engage in other criminal activity.

[White Hat hackers can hack legally. On their own networks or for clients. Their activities are not necessarily considered illegal.]

Worm
Like its squishy invertebrate namesake, a computer worm is creepy. Similar to a virus, a worm is a cracker program that replicates and spreads from one network to another. But unlike a virus, a worm can damage a computer system without being activated by a user.

--Natalie Fonseca

Hacker havens

In the online hacker community--the Underground--people with aliases such as Brimstone and Lord Somer host Web sites from unknown locations. After all, the key to hacker success is anonymity. Upside decided to expose some of these sites for your surfing pleasure. Whether you're a hacker wanna-be looking to hone your skills or a curious bystander interested in finding out how "the other half" lives, get your kicks by visiting these underground hacker sites. Just don't tell anyone Upside sent you!

2600 Magazine: The Hacker Quarterly
This site is the home page for 2600 Magazine, the Middle Island, N.Y.-based publication for and about hackers. Prominently featured on the site is the Kevin Mitnick Lockdown Clock, which lists precisely how long (down to the second) the infamous hacker has been "imprisoned by the U.S. government without a trial." Less political is the Hacked Sites of the Future section, which illustrates what some well-known Web sites might look like if hackers got their hands on the code. The spoofs include fake copies of the Amazon.com Inc. and Microsoft Corp. home pages.

Dis.Org
This San Francisco Bay area-based site is run by the DOC (Dis.Org Crew), a loosely formed network of about a dozen hackers.
Unlike their counterparts who engage in illegal hacking (also known as cracking), the members of this group have gone corporate. While the site contains general hacking information and a discussion list, its main purpose appears to be promoting the group's computer security consulting business.

Hacker News Network (HNN)
A takeoff on Ted Turner's Cable News Network (CNN), HNN aims to be the leading news source for hackers worldwide. Dissatisfied with the mainstream media's portrayal of hackers and their comings and goings, HNN's founders provide what they call "the real news from the computer underground for the computer underground." While HNN is no substitute for CNN, it's a good place to find out which hackers The Man has busted. If you're a hacker who frequently grants media interviews (referred to on the site as a "media whore"), there's a handy article titled "A hacker's guide to talking to the media" in the Original Content section.

Hackers.com
HDC (Hackers Dot Com), run by eight underground gurus, is the ultimate resource for so-called "ethical hackers." According to the HDC crew, the site is about "freedom of speech, freedom of information, ethics and satisfying curiosities." In other words, if you're looking for tips on how to infiltrate the FBI's computer network, this isn't the site for you. But its extensive archive, Neophyte section for beginners and links to like-minded sites should keep you busy for some time. As a bonus, fans can purchase a hackers.com e-mail address for $50 a year.

The Hacker's Layer
Evil lurks within the Hacker's Layer. Home to the darker side of the hacker community, this site offers tutorials on most types of illicit hacking activities. Every parent's nightmare, the hosts of this site offer tips on how to commit credit card fraud and otherwise disturb others' privacy. Law-abiding citizens will find this site truly frightening.

L0pht Heavy Industries
The hackers behind this site decided to turn their hacking know-how into a legitimate enterprise by forming LHI Technologies LLC. The band of hackers, which operates from a secret location in Boston, offers consulting services for those looking to secure their networks from, well, other hackers. Visitors to the Web site can also purchase three LHI software products that identify vulnerabilities in computer networks. Perfect for network administrators and shaggy miscreants!