http://www.linuxworld.com/linuxworld/lw-2000-07/lw-07-vcontrol_1.html What's the hat got to do with it? Setting the record straight on Christopher Klaus and ISS Summary Joe Barr takes off his rose-colored glasses and discovers that deception and darkness are old hat in the world of computer security. Plus: ISS's Christopher Klaus responds to some of the claims put forth in this article. (2,100 words) By Joe Barr I t's time to eat crow again. No, this is not about failing the Linux Professional Institute's Level 1 System Admin certification exam a few weeks ago. It's much worse than that. This week I'm eating crow because I didn't follow my gut instinct on a story I wrote, and consequently portrayed Christopher Klaus as wearing the wrong color hat. In the weeks since that piece on ISS Linux Security Training ran (see Resources), I've had a number of people give me the same basic, unyielding, irrefutable message: I got it all wrong about Klaus and ISS. "All wrong" may even include trying to use white hats and black hats to categorize individuals in the phreaking/cracking community as either "good" or "evil." More than one reader wrote that if you are a part of the computer underworld, you are a part of it, period. I can see where they are coming from. Illegal electronic breaking and entering or the theft of services puts you in that world. Whether you do it for kicks, for money, or for malicious intent is a side issue. This week, I am going to retrace the steps I took in researching the ISS piece and, wherever I can, show how I got it wrong. I'm not attempting to dodge responsibility for being wrong; I'm just trying to set the record straight now that I have more information. Lo primero, primero First things first. I began my research of ISS and Christopher Klaus comfortable in the knowledge that I would find, as is so often the case, that he had come over from the dark side to find respectability in the industry as a security expert, consultant, or adviser. But the small, poorly lit trail I found seemed to indicate just the opposite, and gradually my take on both ISS and Christopher Klaus was reversed. I tried to contact Klaus for the original story, but ISS told me he was in Peru and would be unavailable until the end of June. Instead, I spoke with Christopher Rouland, who heads up the ISS X-Force security advisory team. When I asked him about Klaus' past -- what "elite" bulletin boards he might have hung out on, what his "nick" had been, etc. -- Rouland just laughed and said, "I don't really see him hanging out on elite bulletin boards." That planted the first doubt in my mind about my original hunch that Klaus had come over from the dark side. The conversation quickly turned away from Klaus' background, focusing instead on Rouland's work as the director of X-Force. Rouland's deflection of my questions about Klaus probably should have triggered an alarm, but it didn't. Tom Noonan, CEO of ISS, said in a June 1999 U.S. News story on hackers (see Resources) that ISS "wouldn't hire anyone on the dark side." But at the time I didn't know of Noonan's remarks, and I certainly did not know that Christopher Rouland had been on the dark side himself, known in the old days as "Mister Fusion." Further research led me to a bio of Klaus indicating that he had worked with government labs while still a high school student. That didn't sound like the kind of kid who would hang out on elite BBS systems either. I also found an exchange of notes published in phrack between Klaus and "Erik Bloodaxe," then editor of the legendary zine, in which Klaus stated in no uncertain terms that he did not want the source code for his scanning tool (ISS) published there. The next issue of phrack contained a satire by Klaus lampooning the language, mores, and ways of the underground. The computer underworld I read those attempts by Klaus to disassociate himself from the cracking/phreaking community as evidence of the purity of his soul. I was so convinced my original take on Klaus had been wrong that I wrote he "appears to have always been on the side of the angels...didn't hang out on an 'elite' BBS ... didn't sit on IRC and try to build a rep on #hack...." The first hint of serious problems with my take on Klaus and ISS appeared only a day or so after the article was posted. I heard from well-known and widely respected members of the security community telling me in no uncertain terms that I had been sold a bill of goods. For example, Elias Levy, aka Aleph1, wrote, "If you think that ISS is not based on the notion of 'using a thief to catch a thief' you might want to find out for yourself where the last two editors of phrack worked instead of believing the corporate propaganda that they don't hire hackers." One famous (but anonymous) name from one of the best-known hacker groups in the world wrote: "#hack is where I first talked to him ... he was in the hacker scene like anybody else in the hacker scene. I met Christopher Klaus (kewp) at Summercon in Atlanta, and he sure wasn't talking about how he was a different breed of white-hat hacker then." Given these kindly hints, I began to question more people to get at the truth about Christopher Klaus, as well as ISS employees in general. My trip to San Diego for the USENIX conference proved to be a veritable gold mine of information. I also contacted Christopher Goggans (aka Erik Bloodaxe) and asked him what he remembered of Klaus' request not to publish the ISS code. Goggans told me he had found the request odd enough to publish it and his response in phrack. He also told me he later asked "kewp" on #hack what the note was all about. Klaus told him that ISS was preparing for an IPO and thought it better not to have a close association with phrack. So much for my conclusion that Klaus had not hung on #hack to build a rep. Da word onna net Several sources mentioned rumors that Klaus had not written ISS himself, but had assembled it from the work of others. One source I met at USENIX told me to check that story with Peter Shipley, now the director of labs at OneSecure, a firm specializing in virtual private networks and security. Shipley wrote the first Internet scanner, Netsweep, in 1988. He has been a part of both the dark side and the security communities for years, and he often speaks about security at conferences like CFP (Computers, Freedom, Privacy). In fact, I met him here in Austin at CFP '98. As I dug deeper to get beneath the corporate hype about how pure ISS and its employees were, I found that ISS was widely disliked. Perhaps this is a natural result of ISS providing defenses against "security tools" like Back Orifice from groups like cDc (the Cult of the Dead Cow). Perhaps not. Peter Shipley is no exception; he explained to me up front why he doesn't like ISS. "Christopher Klaus took my exploits and took my tests and put them into his product," Shipley said. "And I actually got recognition for this ... If you ran ISS until they IPO'd you actually saw my name. They removed my name when they IPO'd. I never saw a dime." Another story I heard from more than one source (I have not yet been able to confirm it) is that a famous name from a famous security organization submitted an exploit to ISS. Days later, an ISS sales team visited the firm where, unbeknownst to the salespeople, this person worked, and presented his own exploit to him as being an example of "ISS research." Twist of fate As I was enjoying the food at the big reception and party at USENIX in San Diego last month, two other attendees sat down at my table. I noticed they were both from Lawrence Livermore National Labs. I asked if that was the lab where Klaus had been an intern, and one of them replied that yes, it was. Klaus had been in his department. My early research had turned up a quote from Klaus explaining his first Internet use. Klaus said, "I was accepted for a high-school internship program at Lawrence Livermore National Labs, where I conducted research on network security vulnerabilities and technology that could automate security weakness detection." Neal Mackanic, the man from LLNL, told a slightly different version of the tale. Mackanic told me, "Christopher was selected by the governor of Florida to be part of a two-week supercomputing summer camp at LLNL in the National Energy Research Supercomputing Center (NERSC). It was after he attended this two weeks that he was caught hacking the student bulletin board system by one of the NERSC staff, Jim Morton. Morton encouraged Christopher to use his talents for good, and that began our relationship with him and his ISS tool." Another tip led me so far underground I found myself at a local Borders bookstore looking for a copy of Cybershock, Winn Schwartau (Thunder's Mouth Press, 2000). On pages 321-322, ISS, Christopher Klaus, and Christopher Rouland are included in a general discussion of firms that "strongly advertise that they do not use hackers at all." It also mentions that Rouland (Mr. Fusion, remember?) was "picked up" in 1990 and debriefed by Air Force OSI "cybercop" Jim Christy for breaking into the Pentagon. It was finally clear to me that anyone with the slightest bit of real knowledge of Klaus and ISS (as opposed to your naive and gullible reporter) was aware that, contrary to the company's denials, ISS not only has a history of life on the dark side, but has hired and continues to hire black hats. But why all the bother? Although I was no longer surprised, I was curious why ISS went to such trouble to create the back story regarding Klaus and company. At about the time of the IPO and Tom Noonan's debut as CEO, a major effort to distance ISS from the computer underground began -- so money obviously had something to do with it. But was the effort really necessary? I spoke with Dr. Daniel Geer, president-elect of USENIX and CTO of Internet security firm @stake, while I was in San Diego. I asked him about @stake's recent acquisition of the L0pht, one of the best-known underground "security" organizations, whose membership is as legendary in the hacker community as the cDc's. Geer replied that he thought people like me would be glad people like him were using people like them (the L0pht). And he's right. The black hat community is the very best source of talent and expertise for firms doing serious Internet security. So why would a firm like ISS deny its own background and that of its employees? Perhaps the answer can be found by using its list of clients as tea leaves. One ISS office is located in Reston, Va., between Dulles Airport and federal intelligence agencies such as the NSA, CIA, DIA, and so on. Perhaps in order to land some government contracts, an image of never having sinned must be maintained -- or at least claimed. But why would a federal agency require such disclaimers in a contract when they know better than most that black hats are the experts? To paraphrase a classic line from a movie, "Would you like to play Global Information Warfare?" What do you think? Do I finally have ISS sized up correctly? Do you have theories about whether Internet security firms should use black hats? Or given that they do, that they should confirm or deny that fact? Let me know. Obviously, I've still got a lot to learn. Addendum: After this article was posted, Christopher Klaus contacted me to offer his side of the story. I outlined my conversation with him in the sidebar below. [INLINE] -- Christopher Klaus responds After this article had been posted, Christopher Klaus contacted LinuxWorld to offer his point of view on several aspects of this story. Klaus had been unavailable to speak to me when the story was written. In regards to his request that Erik Bloodaxe, then editor of phrack, not publish the source code for ISS, Klaus stated that Erik had asked him for permission to publish the code, and that his note, which ended up being published in phrack, was in response to that query. "I did not want the Internet scanner to be used as a hacking tool," Klaus said. As far as sitting on #hack in IRC, Klaus said, "I was doing research for security." He stated that he was basically just listening to see if any exploits were being posted. He denied having told Erik in IRC that the reason he didn't want the ISS code published was that his company was getting ready to go public. While Klaus acknowledged that he did go by the name of "kewp" on IRC, he pointed that "if anyone did a whois on me, it showed my name [and] where I was coming from, Lawrence Livermore. It wasn't like I was part of a secret hacker underground." About Peter Shipley's comments, Klaus said that very little of the original ISS was based on any work by Shipley. Further, he said that the portion of the code that was Shipley's was ultimately removed through a "clean room" process, and that an audit of the code was performed prior to obtaining venture capital to ensure that all the code was ISS's. The third item Klaus contested was his experiences at Lawrence Livermore National Lab. Klaus denied being caught hacking into a student BBS. He said that, during his tenure there, "they [LLNL] were getting hacked by some German hackers, the Computer CHAOS Club." He noted some security holes in the BBS and discussed them with some LLNL administrators. Klaus added, "I had read Neuromancer, and I said it would be really neat to develop some technology that would scan for a matrix or network looking for these flaws or security holes and use them for the good of helping Lawrence Livermore fix their vulnerabilities." Klaus concluded by reasserting that ISS tries very hard not to hire "black hat" hackers, and that the company's employment agreements stipulate that employees will be let go if they get caught hacking.