An Interview with Se7en: Part Two
   By Richard Thieme

   Se7en is out in the light and air now, up from
   seventeen years underground. He's one of the new
   variety of human being -- homo sapiens hackii --
   who has learned from working with computers at
   every level, from code language to
   point-and-click, to think in ways that fit how
   computers organize information.

   Se7en is on the road now, delivering seminars to
   technicians about hackers -- how they think, how
   they behave. He works with organizations that are
   favorite targets of hackers because of their work
   or status.

   He speaks to groups of 30-50 people at a time,
   cross-disciplinary groups consisting of engineers,
   security personnel, administrators -- people who
   deal with the Internet on a daily basis.
   Naturally, they're concerned about security.

   On his first round of talks, he discussed basic
   security, making his clients aware of what's out
   there. He helped them distinguish hackers in
   search of trophies from thieves working for
   governments and businesses.

   On his second round of seminars, Se7en is focused
   on the details of security, the technical end. The
   technicians are set up in networks and shown how
   to scan their own services, searching their
   networks for security holes.

se7en's classes only give concepts on how to secure
a network. Showing the absolute basics of portscanning is about
the most technical method discussed.

   "Basically we set up our own network of fifteen
   machines and taught them how to break root,
   showing them how easy it was with UNIX. It was
   important for them to get hands on experience, get
   the feel of it. We showed them how to grab a
   password file and run it through Crack. We
   introduced them to SYN flooding and explained the
   concept behind it. We showed them some of the
   scripts that are NOT available out there. We
   didn't launch an attack, because that would have
   been lethal, but we got them to the point from
   which they could launch it."

   They set up encrypted Internet sessions and ran
   them through the whole gamut of hacker behaviors.
   It was all hands-on, technical training.

It was a high-level disjointed lecture that impressed people
who did not know security. These classes are far from showing
a comprehensive methodology hackers use.

   The engineers are learning a lot. They return to
   work more capable of securing their systems and
   also better equipped to talk to the managers who
   make decisions.

   Se7en believes as a result of his experience on
   the road that the hands-on technical people who
   work on the front lines of the Internet and
   understand it are seldom promoted into management
   positions where decisions are made. So managers
   often lack experience on the front lines. Because
   they don't deal with the issues on a day to day
   basis, they often don't understand the problems
   brought to them. Ironically that makes them
   hesitant to promote technical experts into
   management positions. They would leave no one to
   fix things when they break.

   Se7en is seeing similar problems at all of the
   places he visits. Most come from outsiders
   scanning the system, port-sniffing, testing for
   vulnerabilities. It's a big inconvenience. The
   systems operated by multi-national corporations or
   government organizations are immense,
   incorporating numerous protocols and computers.
   They're too complicated for fledgling hackers to
   penetrate as a rule. Even more experienced ones
   have trouble getting in. That means that the ones
   who do break through are seriously talented
   hackers. The ones to watch are the ones you never
   hear about.

   Se7en thinks hackers in the "visible underground"
   make an essential contribution to computing. He
   laughed at some of the conversation among
   technicians about firewalls, because he knows that
   systems always have holes.

   Hacking organizations such as the L0pht, TNo, and
   the Guild (the current publishers of Phrack
   Magazine) release UNIX security vulnerability
   scripts to the public all the time. Their research
   into SecurIDs (a one-time password hardware
   product) and most recently, the SYN flooder
   script, have been devastating. Now they're looking
   into Windows NT. They promise results.

   These genuinely "elite" groups have friendly
   script wars with one another. They compete to see
   who can release the most scripts the fastest. The
   L0pht in particular has promised to put out five
   new vulnerability scripts per week. They
   accumulate scripts, waiting until they have about
   a dozen, then drop them in one big bombshell.

The l0pht and TNo do not participate in these contests.
This coming from a TNo member and friend of Mudge from the l0pht.

   Companies like Microsoft know, of course, that
   there are numerous holes in their operating
   systems, but don't know what they are. As
   applications are developed, working versions are
   periodically compiled for testers. The testers try
   to find as many bugs as they can, but the testing
   environment can never reveal the problems that
   will be found in the real world. A million people
   using Windows NT for a year will turn up bugs that
   a controlled environment will never find.

   Mainstream hackers keep the global network as
   clean and secure as it can be kept. It's a yin
   yang kind of thing.

   If hackers didn't know that and wanted to keep
   vulnerabilities from the companies themselves,
   they wouldn't release scripts publicly through
   so many different loops.

   When the Guild discovered the SYN flood exploit
   and wrote the corresponding script for it, for
   example, they published it in Phrack, on the
   Internet, and in other magazines. That's not
   something a hacker would do if he's looking for a
   way to exploit the vulnerability.

   The Network, then, including the Internet, is the
   REAL testing environment, and that's where groups
   like the L0pht are performing a valuable service.
   Either the holes will be found by groups looking
   for them and making them public or they'll be
   found by more dangerous crackers working behind
   the scenes.

   Hard core crackers, engaging in serious crime and
   espionage, will not publish articles in 2600 or
   Phrack. That's why, Se7en says, you never hear of
   the people who do hard crime. When someone is
   forced to the surface, he says, it's always
   someone the underground has never heard of before.
   After years in the business, he knows the rosters
   as well as anyone.

A way to cover that he hasn't been around for seventeen
years as claimed.

   Se7en described an intrusion of a particular
   server in detail, then went on to discuss the
   organizational response. He was not surprised when
   they responded the way Se7en and his friends
   responded when someone tried to mailbomb their
   list.

   The organization asked them politely to stop their
   annoying activity, and when they didn't, they cut
   them off.

   The best way to respond to nuisance intrusions is
   the legitimate way. Try to reason with the
   intruders, then talk to the systems administrators
   in charge of the computers they're using. Most
   often, the sysadmins don't know what's going on,
   and once they find out, they shut them down.

   Se7en lived and worked in South Africa when he was
   younger and thinks the "official" (i.e.
   non-governmental) hacking scene is just coming
   alive.

   South Africans have not generally had wide access
   to the Internet or hacking publications. Now
   everyone has access to hacker web sites, but Se7en
   thinks most of those are a waste of time -- links
   to other sites, doctrinal positioning, and a lot
   of old warez for "warez puppies" to download and
   use without creativity or insight. Contrary to the
   image of hackers as anti-social, Se7en is keenly
   aware of the social systems that keep the flow of
   information free and open -- frequent hacking
   conventions, mailing lists, magazines, and the
   vast informal network of contacts.

   Some of the resources on the Net are useful, but
   the good ones are harder and harder to find. Se7en
   finds five or six useful web sites or mailing
   lists in a year, and he has to wade through a lot
   of garbage to get there.

   But that's no different, he acknowledges, than the
   hours he spent sifting through trash in rubbish
   bins.

   "Persistence!" he says, sounding like an experienced
   businessman. "Honestly, that's what it takes:
   Persistence. Doing it weekend after weekend after
   weekend, every Sunday night, going through the
   trash knowing that if you miss a week, that's the
   week when all the dial-ins for the switches are
   thrown away. Eventually you'll find some gold that
   you can use. The same thing goes for web searches.
   You have to wade through tons of garbage, but if
   you're persistent and just keep at it and at it
   and at it, eventually you'll find little gold
   nuggets here and there."

   He has been impressed with the increasing number
   of South Africans interfacing with the mailing
   lists. They're connecting with people who have
   been hacking ten or fifteen years, he cautions.
   Naturally, with only one or two years experience,
   they have a lot of questions. He understands where
   they are -- he remembers being there himself --
   but has some advice for those who encounter flames
   when they ask too many questions or the wrong
   ones.

   Basic netiquette requires that you research
   thoroughly everything you can before you ask
   questions. RTFM. Read the fucking manual. Learn
   everything you can FIRST, and only when you're
   stuck, ask a question. Do your best to answer it
   yourself before putting it on a mailing list going
   to fifteen hundred people. Don't expect others to
   do your homework. Tell the list you tried to find
   the answer and couldn't. Don't just go out there
   saying, where can I find this or that? That's a
   sure way to get flamed.

   In the end, it comes down to people, not
   technology.

   Ultimately, Se7en says with a laugh, computer
   security is a hopeless pursuit. The Internet is
   just too big, too complicated, too specialized,
   for every system to be secure. Security is
   inconvenient, and inconvenience makes people
   uncomfortable. It's always a trade off between
   convenience and security. The moment you allow
   legitimate users onto a site from outside the
   system, you're doomed. All someone has to do is
   duplicate what that legitimate user is allowed to
   do.

The above statements are amusing coming from someone who now
claims to effectively teach computer security.

   The weakest link in any chain is and always has
   been people.

   "You can have the most secure system in the world,
   and if I call up and pretend to be from the help
   desk and ask for your log-in password, and you
   give it to me, then the best security in the world
   won't help you. If you don't know anything about
   computers, and don't know that the System
   Administrator never needs to know your password,
   how can you know if someone's conning you?"

   It comes down, Se7en says, to awareness and
   accountability -- managers who understand the real
   issues and insist on accountability throughout the
   system for knowledge about the network and
   procedures that must be followed. Without that,
   all it takes is a little "social engineering" and
   the most expensive firewall won't mean a thing.