Security Scene Errata


Los Angeles Times
Thursday, July 24, 1997 
Home Edition 
Section: Life & Style 
Page: E-1 

'Hacking Ain't What It Used to Be'; 
By: LAURA ACCINELLI 
SPECIAL TO THE TIMES 

It's 2 o'clock in the morning and up on the 25th floor of the Aladdin Hotel,
Deth Veggie, who is 23, and Grandmaster, 27, are feeling their age. They're
reminiscing about the good old days of computer hacking and they're growing
rueful. Young hackers, they complain, have no idea what the older generation
went through. 

"In our day, you had to stumble onto the Net. Now, it's in your face," says
Grandmaster, who in 1984 published one of the world's first electronic
magazines from his Lubbock, Texas, bedroom by uploading his musings on life,
music and hackers to pirate bulletin boards.  "That's right," agrees Deth
Veggie. "We had to walk 10 miles uphill through the snow to use the Net and
then crank the handle, give a push and run and jump on. And remember when it
was 110-baud, GM?" 

Grandmaster shakes his head. "Yeah, man, it was bells and whistles and
string and Pringles cans. Oh, we had it rougher than kids today."
Grandmaster laughs at his geezer impersonation, but at the Aladdin on July
12, site of DefCon, the hackers' fifth annual convention, not all laments
for the pioneering past are ironic. Often they preface ageless gripes about
contemporary shortcomings.

"Kids today, they're in for the thrill, not the knowledge," says se7en, at
28 a veteran hacker from the Bay Area. "They don't want to spend 10 to 12
hours a day in a dark room for 10 years learning about systems. They say,
'Show me how to grab this file or crash that server. Oh, that's neat. Now 
show me something else cool.' "

Pot calling the kettle black.

Se7en's handle derives from seven-digit telephone numbers-he's an old phone
"phreaker." In ancient times, more than 15 years ago, he'd sneak through
phone lines onto the Internet, then the Department of Defense-funded
preserve of Cold War eggheads.

This nickname was taken on shortly after the movie 'seven' was
released.

Now point-and-click technology ushers millions onto the Net. Companies
compete desperately to produce operating systems, servers, data bases. Kids
today can "recipe hack"-instead of cooking up strategies, they download
readily available hacker tools and then joy ride through systems.

"Hacking," se7en sighs, "ain't what it used to be." These days, he is not so
much se7en, hacker, as Christian Valor, computer-security specialist, who is
hired by companies around the country to break into their systems and show
them how to plug the holes.

se7en has been on a SINGLE penetration contract, and was nothing
more than an onlooker according to other team members.

Valor says he charges $2,800 a day. At least once a month, he says, an agent
from the FBI's National Computer Crime Squad asks him to lunch and picks his
brain. He goes, he says, "as a public service."

se7en's current rate is almost a third of this figure.

Many of the hackers' refrains have a civil-service ring. They say they get
no respect.  Stereotyped as criminals, maligned in the media, "exploited" by
employers-hackers, you might say, are smartin'.

"No matter what we do, we're the bad guys. They say, 'We can't trust you,
you're going to break our system,' " says Sluggo, a 30-year-old Canadian
who's a good candidate for the Hacker Hall of Fame and an employee of an
international information-security company.

Sluggo would like to integrate his Batman and Bruce Wayne personas. "I'm
tired of the cloak of darkness. We should be able to stand up and say,
'Here's who I am, this is my real name, here's where I work and we're great
and we're doing you a service.' Everybody is so stinking excited about
getting on the Net and getting their piece of the action and it's full of
holes."

You could also say that some hackers are conflicted. Technical
vulnerabilities are a multibillion-dollar-a-year problem, says Ira Winkler,
director of technology for the National Computer Security Assn. in
Pennsylvania. Many top hackers now work on anti-hacking projects. Poachers
may now be gatekeepers, but their bosses remember that not long ago they
were climbing over the fences.

"If you hide your whole hacker background-which is how you got to know so
much more cool stuff than a lot of people-you get further ahead," says Dark 
Tangent. "You have to say, 'I have an intrinsic knowledge of Sun-OS,' when 
everybody knows that really means, 'I can break into Sun-OS.' "

Some newly legitimate hackers, especially those who have accumulated some of
life's accouterments-such as children-manage to reconcile cashing the checks
and trashing the product. "It's all changing. We all work for large
companies. We all have as much access as we want," says daemon9, a.k.a.
Route, whose mother calls him Michael. He's 23, lives in the Bay Area and is
editor of Phrack, an online magazine. "We grew up, got richer and learned
that everybody's paranoid."

DefCon, named after the Strategic Air Command alert conditions, is where
hackers who have made friends electronically meet face to face, share
secrets, get drunk. In the Aladdin's Magic Carpet Room, about 1,000 guys,
mostly under 25, mostly white and mostly dressed in black, discuss their
concerns, among them the "Newbie" question: "Should they be handed
information or learn on their own?"

Conventioneers play "Hacker Jeopardy" and "Spot the Feds" (hint: khaki
shorts, clean white Reeboks, ankle socks). The goal in games of hacker-style
"Capture the Flag" is to bring down everyone else's server while protecting
your own.

A new spirit of cooperation between hacker and his natural-born foe, Fed,
was evident this year. The first-ever "Black Hat Briefings," presented by
DefCon organizer Dark Tangent / Jeff Moss of Seattle, introduced "white
hats" to the hackers. About 35 from the Pentagon, FBI, CIA and National
Security, and an additional 65 from banks, corporations and universities,
paid $1,000 each to listen to 22 hackers expose up-to-the-nanosecond
technical vulnerabilities.

Most hackers are benign, says Richard Thieme of Milwaukee, a former
Episcopal priest who has become an online pundit of hacker culture. "It's
the same old story," Thieme says. "It's not what you do that's a problem.
It's your perceived allegiance."

In some ways, the subculture has changed very little, says Douglas Thomas, a
USC communications professor writing a book about hackerdom. Many of the
hackers from the mid-'80s are still active. At 23 or 24 they are elder
statesmen to a generation of 14- and 15-year-olds, and the principle that
guides them lives on from that prehistoric period, the 1960s: Information
wants to be free. "First and foremost hacking is about learning and
boundless curiosity, and breaking into systems is almost incidental," Thomas
says.

Most of the estimated 50,000 hackers in the U.S., claims the National
Computer Security Assn.'s Winkler, are "clueless teenagers" who rely on
tools that everyone has. Of the 1,000 hackers at DefCon, he says, a dozen
are skilled enough to take down the Internet. With another eight or so, they
make up a core group of high-level hackers who go into systems and break
software and then are nice enough to tell everyone, hoping that the vendors
will make the fixes.

"They are not so much interested in protecting the system from other hackers
as protecting the public from Microsoft and other vendors," Thomas says.

Some hackers, of course, do go bad. They're the "crackers" who destroy files
for malice or steal them with crime in mind. Crackers have given all hackers
a bad name.

Opiate, 22, who works in information security in Canada, takes a harder
line. Now when anyone can go online, cracking, he says, is the act of going
into files without permission. In these days of Linux, a Unix clone that
runs on a PC, hackers don't need to go "outside." They can do research on
their own network of computers.

That's how the L0pht in Boston works. For example, Mudge and others from his
group never hacked Microsoft to expose the weaknesses in Windows NT that
they broadcast on their Web site. Instead, they did research on about 60
computers built from scraps.

"Hackers are almost a consumer watch group," Mudge says. "If I buy a car and
the thing falls apart, I can go back and demand repairs. In the software
world, everybody is complacent.
Vendors say, 'Hey, you weren't suppose to close the door so hard.' "

Part of the problem, says Hobbit, also of L0pht, comes from the pressure to
get products on the market. "The only way to make companies do something is
to post some sort of working exploit and make a big splash," Hobbit says.
"It's a horrible way to do things, but one of the few that actually gets the
attention of the manufacturers."

This technique prompted the recent security scares on ESPN Sportszone and
NBA.com. An anonymous organization "seeking to make the Internet a safe
place . . . to do business" sent e-mail messages to customers of the Web
sites, which were accused of "a careless abuse of privacy and security."
Recipients were sent the last eight digits of their credit card.

Cryptographer Bruce Schneier remembers when tinkering with computers wasn't
cutthroat. "It was all kind of fun 10 years ago when it wasn't important and 
only the Feds really cared.  But the Web has changed everything." Now that it's 
about real money, everybody cares, he says.

"You can be in St. Petersburg and attack Citibank," Schneier says, citing
the case of Vladimir Levin, Russia's most famous hacker. "Things are nastier
now that the Net allows you to automate your attacks. You don't need skills.
What you need is ethics."

An unwritten code of ethics, in fact, does exist, says se7en / Valor, an
apostle of hacker responsibility. Look but don't touch, that's the Golden
Rule. Cruising systems is OK for knowledge, not for profit. Never destroy
data. And, a nod to the younger generation, do your own work.

This coming from the person who claims to have hacked and
deleted 100 systems in the fight against pornography. Hypocrite?