What's the hat got to do with it?
          Setting the record straight on Christopher Klaus and ISS
     Joe Barr takes off his rose-colored glasses and discovers that
     deception and darkness are old hat in the world of computer
     security. Plus: [35]ISS's Christopher Klaus responds to some of the
     claims put forth in this article. (2,100 words)
   By [36]Joe Barr
   I t's time to eat crow again. No, this is not about failing the Linux
   Professional Institute's Level 1 System Admin certification exam a few
   weeks ago. It's much worse than that.
   This week I'm eating crow because I didn't follow my gut instinct on
   [37]a story I wrote, and consequently portrayed Christopher Klaus as
   wearing the wrong color hat. In the weeks since that piece on ISS
   Linux Security Training ran (see [38]Resources), I've had a number of
   people give me the same basic, unyielding, irrefutable message: I got
   it all wrong about Klaus and ISS.
   "All wrong" may even include trying to use white hats and black hats
   to categorize individuals in the phreaking/cracking community as
   either "good" or "evil." More than one reader wrote that if you are a
   part of the computer underworld, you are a part of it, period. I can
   see where they are coming from. Illegal electronic breaking and
   entering or the theft of services puts you in that world. Whether you
   do it for kicks, for money, or for malicious intent is a side issue.
   This week, I am going to retrace the steps I took in researching the
   ISS piece and, wherever I can, show how I got it wrong. I'm not
   attempting to dodge responsibility for being wrong; I'm just trying to
   set the record straight now that I have more information.
   Lo primero, primero 
   First things first. I began my research of ISS and Christopher Klaus
   comfortable in the knowledge that I would find, as is so often the
   case, that he had come over from the dark side to find respectability
   in the industry as a security expert, consultant, or adviser. But the
   small, poorly lit trail I found seemed to indicate just the opposite,
   and gradually my take on both ISS and Christopher Klaus was reversed.
   I tried to contact Klaus for the original story, but ISS told me he
   was in Peru and would be unavailable until the end of June. Instead, I
   spoke with Christopher Rouland, who heads up the ISS X-Force security
   advisory team. When I asked him about Klaus' past -- what "elite"
   bulletin boards he might have hung out on, what his "nick" had been,
   etc. -- Rouland just laughed and said, "I don't really see him hanging
   out on elite bulletin boards." That planted the first doubt in my mind
   about my original hunch that Klaus had come over from the dark side.
   The conversation quickly turned away from Klaus' background, focusing
   instead on Rouland's work as the director of X-Force.
   Rouland's deflection of my questions about Klaus probably should have
   triggered an alarm, but it didn't. Tom Noonan, CEO of ISS, said in a
   June 1999 U.S. News story on hackers (see [39]Resources) that ISS
   "wouldn't hire anyone on the dark side." But at the time I didn't know
   of Noonan's remarks, and I certainly did not know that Christopher
   Rouland had been on the dark side himself, known in the old days as
   "Mister Fusion."
   Further research led me to a bio of Klaus indicating that he had
   worked with government labs while still a high school student. That
   didn't sound like the kind of kid who would hang out on elite BBS
   systems either. I also found an exchange of notes published in phrack
   between Klaus and "Erik Bloodaxe," then editor of the legendary zine,
   in which Klaus stated in no uncertain terms that he did not want the
   source code for his scanning tool (ISS) published there. The next
   issue of phrack contained a satire by Klaus lampooning the language,
   mores, and ways of the underground.
   The computer underworld 
   I read those attempts by Klaus to disassociate himself from the
   cracking/phreaking community as evidence of the purity of his soul. I
   was so convinced my original take on Klaus had been wrong that I wrote
   he "appears to have always been on the side of the angels...didn't
   hang out on an 'elite' BBS ... didn't sit on IRC and try to build a
   rep on #hack...."
   The first hint of serious problems with my take on Klaus and ISS
   appeared only a day or so after the article was posted. I heard from
   well-known and widely respected members of the security community
   telling me in no uncertain terms that I had been sold a bill of goods.
   For example, Elias Levy, aka Aleph1, wrote, "If you think that ISS is
   not based on the notion of 'using a thief to catch a thief' you might
   want to find out for yourself where the last two editors of phrack
   worked instead of believing the corporate propaganda that they don't
   hire hackers."
   One famous (but anonymous) name from one of the best-known hacker
   groups in the world wrote: "#hack is where I first talked to him ...
   he was in the hacker scene like anybody else in the hacker scene. I
   met Christopher Klaus (kewp) at Summercon in Atlanta, and he sure
   wasn't talking about how he was a different breed of white-hat hacker
   Given these kindly hints, I began to question more people to get at
   the truth about Christopher Klaus, as well as ISS employees in
   general. My trip to San Diego for the USENIX conference proved to be a
   veritable gold mine of information.
   I also contacted Christopher Goggans (aka Erik Bloodaxe) and asked him
   what he remembered of Klaus' request not to publish the ISS code.
   Goggans told me he had found the request odd enough to publish it and
   his response in phrack. He also told me he later asked "kewp" on #hack
   what the note was all about. Klaus told him that ISS was preparing for
   an IPO and thought it better not to have a close association with
   phrack. So much for my conclusion that Klaus had not hung on #hack to
   build a rep.
   Da word onna net 
   Several sources mentioned rumors that Klaus had not written ISS
   himself, but had assembled it from the work of others. One source I
   met at USENIX told me to check that story with Peter Shipley, now the
   director of labs at OneSecure, a firm specializing in virtual private
   networks and security.
   Shipley wrote the first Internet scanner, Netsweep, in 1988. He has
   been a part of both the dark side and the security communities for
   years, and he often speaks about security at conferences like CFP
   (Computers, Freedom, Privacy). In fact, I met him here in Austin at
   CFP '98.
   As I dug deeper to get beneath the corporate hype about how pure ISS
   and its employees were, I found that ISS was widely disliked. Perhaps
   this is a natural result of ISS providing defenses against "security
   tools" like Back Orifice from groups like cDc (the Cult of the Dead
   Cow). Perhaps not.
   Peter Shipley is no exception; he explained to me up front why he
   doesn't like ISS. "Christopher Klaus took my exploits and took my
   tests and put them into his product," Shipley said. "And I actually
   got recognition for this ... If you ran ISS until they IPO'd you
   actually saw my name. They removed my name when they IPO'd. I never
   saw a dime."
   Another story I heard from more than one source (I have not yet been
   able to confirm it) is that a famous name from a famous security
   organization submitted an exploit to ISS. Days later, an ISS sales
   team visited the firm where, unbeknownst to the salespeople, this
   person worked, and presented his own exploit to him as being an
   example of "ISS research."
   Twist of fate 
   As I was enjoying the food at the big reception and party at USENIX in
   San Diego last month, two other attendees sat down at my table. I
   noticed they were both from Lawrence Livermore National Labs. I asked
   if that was the lab where Klaus had been an intern, and one of them
   replied that yes, it was. Klaus had been in his department.
   My early research had turned up a quote from Klaus explaining his
   first Internet use. Klaus said, "I was accepted for a high-school
   internship program at Lawrence Livermore National Labs, where I
   conducted research on network security vulnerabilities and technology
   that could automate security weakness detection."
   Neal Mackanic, the man from LLNL, told a slightly different version of
   the tale. Mackanic told me, "Christopher was selected by the governor
   of Florida to be part of a two-week supercomputing summer camp at LLNL
   in the National Energy Research Supercomputing Center (NERSC). It was
   after he attended this two weeks that he was caught hacking the
   student bulletin board system by one of the NERSC staff, Jim Morton.
   Morton encouraged Christopher to use his talents for good, and that
   began our relationship with him and his ISS tool."
   Another tip led me so far underground I found myself at a local
   Borders bookstore looking for a copy of Cybershock, Winn Schwartau
   (Thunder's Mouth Press, 2000). On pages 321-322, ISS, Christopher
   Klaus, and Christopher Rouland are included in a general discussion of
   firms that "strongly advertise that they do not use hackers at all."
   It also mentions that Rouland (Mr. Fusion, remember?) was "picked up"
   in 1990 and debriefed by Air Force OSI "cybercop" Jim Christy for
   breaking into the Pentagon.
   It was finally clear to me that anyone with the slightest bit of real
   knowledge of Klaus and ISS (as opposed to your naive and gullible
   reporter) was aware that, contrary to the company's denials, ISS not
   only has a history of life on the dark side, but has hired and
   continues to hire black hats.
   But why all the bother? 
   Although I was no longer surprised, I was curious why ISS went to such
   trouble to create the back story regarding Klaus and company. At about
   the time of the IPO and Tom Noonan's debut as CEO, a major effort to
   distance ISS from the computer underground began -- so money obviously
   had something to do with it. But was the effort really necessary?
   I spoke with Dr. Daniel Geer, president-elect of USENIX and CTO of
   Internet security firm @stake, while I was in San Diego. I asked him
   about @stake's recent acquisition of the L0pht, one of the best-known
   underground "security" organizations, whose membership is as legendary
   in the hacker community as the cDc's. Geer replied that he thought
   people like me would be glad people like him were using people like
   them (the L0pht).
   And he's right. The black hat community is the very best source of
   talent and expertise for firms doing serious Internet security. So why
   would a firm like ISS deny its own background and that of its
   employees? Perhaps the answer can be found by using its list of
   clients as tea leaves.
   One ISS office is located in Reston, Va., between Dulles Airport and
   federal intelligence agencies such as the NSA, CIA, DIA, and so on.
   Perhaps in order to land some government contracts, an image of never
   having sinned must be maintained -- or at least claimed. But why would
   a federal agency require such disclaimers in a contract when they know
   better than most that black hats are the experts? To paraphrase a
   classic line from a movie, "Would you like to play Global Information
   What do you think? Do I finally have ISS sized up correctly? Do you
   have theories about whether Internet security firms should use black
   hats? Or given that they do, that they should confirm or deny that
   fact? Let me know. Obviously, I've still got a lot to learn.
   Addendum: After this article was posted, Christopher Klaus contacted
   me to offer his side of the story. I outlined my conversation with him
   in the [40]sidebar below. [INLINE]

   Christopher Klaus responds
   After this article had been posted, Christopher Klaus contacted
   LinuxWorld to offer his point of view on several aspects of this
   story. Klaus had been unavailable to speak to me when the story was
   In regards to his request that Erik Bloodaxe, then editor of phrack,
   not publish the source code for ISS, Klaus stated that Erik had asked
   him for permission to publish the code, and that his note, which ended
   up being published in phrack, was in response to that query. "I did
   not want the Internet scanner to be used as a hacking tool," Klaus
   As far as sitting on #hack in IRC, Klaus said, "I was doing research
   for security." He stated that he was basically just listening to see
   if any exploits were being posted. He denied having told Erik in IRC
   that the reason he didn't want the ISS code published was that his
   company was getting ready to go public.
   While Klaus acknowledged that he did go by the name of "kewp" on IRC,
   he pointed that "if anyone did a whois on me, it showed my name [and]
   where I was coming from, Lawrence Livermore. It wasn't like I was part
   of a secret hacker underground."
   About Peter Shipley's comments, Klaus said that very little of the
   original ISS was based on any work by Shipley. Further, he said that
   the portion of the code that was Shipley's was ultimately removed
   through a "clean room" process, and that an audit of the code was
   performed prior to obtaining venture capital to ensure that all the
   code was ISS's.
   The third item Klaus contested was his experiences at Lawrence
   Livermore National Lab. Klaus denied being caught hacking into a
   student BBS. He said that, during his tenure there, "they [LLNL] were
   getting hacked by some German hackers, the Computer CHAOS Club." He
   noted some security holes in the BBS and discussed them with some LLNL
   administrators. Klaus added, "I had read Neuromancer, and I said it
   would be really neat to develop some technology that would scan for a
   matrix or network looking for these flaws or security holes and use
   them for the good of helping Lawrence Livermore fix their
   Klaus concluded by reasserting that ISS tries very hard not to hire
   "black hat" hackers, and that the company's employment agreements
   stipulate that employees will be let go if they get caught hacking.