Los Angeles Times
Saturday, August 1, 1998 
Home Edition 
Section: Business 
Page: D-1 

A Haute Commodity; 
Hacking, er, Vulnerability Analysis, Is Big Business; 

By: ASHLEY DUNN 
TIMES STAFF WRITER 

In the world of computer hacking, DEF CON -- an annual two-day fest of beer
drinking, tech talk and conspiracy theory -- was once the center of it all.
Hackers would gather amid the swirling excess of Las Vegas and for $40 revel
in a low-budget locale where discussing radio scanners and Windows NT
security weaknesses was considered a great way to spend the weekend. 

But now the center of the hacking world has clearly shifted. Just before the
convention, which runs through Sunday at the Plaza hotel, the organizers of
DEF CON put on a related event, the Black Hat Briefings -- a $995 affair held
in the opulent environs of Caesars Palace designed to teach corporate
executives, government officials and system administrators how to protect
their systems from hacker attacks. It was a rousing success, drawing 350
people mostly in suits, military uniforms and polo shirts as opposed to DEF
CON's typical T-shirts, tennis shoes and body rings. 

"For me, Black Hat is where the interesting stuff is now," said Jeff Moss,
the organizer of both Black Hat and DEF CON. "Interesting isn't beating your
head in for four days trying to break into a company." 

Boosted by the growth of the Internet and the prospect of billions of
dollars through online sales, the art of hacking -- once a craft largely
practiced by only the military and the technological counterculture -- has
become big business.

Hacking has gradually changed into a legitimate field known in the computer
industry as "information security." Hackers, the technological equivalent of
the hippies of yore, are now called "penetration testers" and "vulnerability
analysts." Corporate headhunters prowl the DEF CON convention floors,
offering salaries as high as $90,000 for penetration testers with just a few
years of corporate experience.

Information security is now a huge industry, encompassing the development of
protective network firewalls, secure electronic commerce systems, virus
prevention and detection software, encryption and user authentication
systems.

With the tidal flow of dollars -- and the development of powerful hacking tools
that even a child can use -- a subtle pressure has also been exerted on the
culture of hacking, drawing off the best of the older generation of hackers
into the corporate world and swelling the ranks with hordes of new arrivals
sporting DEF CON T-shirts and tattered copies of the hacker magazine 2600.

"Any hacker who learned something either ends up now working for a company
or as a consultant," said Christian Valor, a 30-year-old former hacker who
now runs a security consulting firm in San Francisco. "It's where all old
hackers go to die. We gave up our 2600 T-shirts and don Armani."

se7en does not run a security consulting firm.

DEF CON was created in 1993 to commemorate the passing of another generation
of hackers. Moss, then 22, had once run a computer bulletin board -- a kind of
electronic meeting place -- for hackers and wanted to throw a party for a group
that was disbanding.

Moss, known on the networks as Dark Tangent, thought it was time for
everyone to meet face to face after years of knowing each other only through
electronic messages. He named the event DEF CON -- referring both to the
Strategic Air Command's defense alert conditions and to the event being a
"def," as in good, convention. The first event was attended by 110 people,
and it has been growing ever since.

Moss, who now works as director of security assessment services for San
Jose-based Secure Computing, said he began to sense a change in the hacker
underground about two years ago when representatives from large computer
companies began appearing at DEF CON, searching for experienced hackers who
could navigate the arcane world of network security systems.

Karan Khanna, product manager for Microsoft's Windows NT security systems,
said that in the past, companies largely viewed network security as a
time-consuming money pit of development. It was just a necessary feature of
network operating systems, like a radiator in a car.

The rise of the Internet transformed the equation. Information security has
become one of the key pieces in constructing the economy of the future,
necessary for everything from online buying to secure e-mail.

The Internet was also bringing a large number of new hobbyists into play.
Unlike an earlier generation that had to discover the workings of the
electronic world on their own, the new hackers found a variety of software
tools, such as L0phtcrack and Satan, that essentially reduced hacking to a
form of recipe following. These were simple tools that could wreak havoc on
a network.

Khanna said maintaining an adversarial relationship with all hackers was
futile. His group began to reach out to the most skilled hackers through
conventions such as Black Hat.

The appearance of DEF CON has changed little over the years, despite its
growth and the influx of corporate dollars. It is still largely a gathering
of young, male computer users who see DEF CON as the modern equivalent of an
antiwar march.

This year, about 2,000 are attending the conference. Vendors are doing a
brisk business in everything from OpenBSD T-shirts to retina scanners. There
are more books for sale on creating a new identity and using a scanner than
any person would ever want to read in a lifetime.

Moss said that the crowd has changed a bit over time, becoming less elite
and more of a party than before. The hacker's quest for technical knowledge
has become overwhelmed by the cookbook power of modern hacking tools. The
clearest sign of the change was seen in the T-shirt slogan for this year's
DEF CON. Six years ago, the first convention used a satirical version of the
1st Amendment showing government and big business appropriating the
Constitution for their own purposes. The fourth convention had the simple,
but cocky: "Why? Because we can."

Standing in the midst of the DEF CON
chaos with an eight-inch, spiked Mohawk, 20-year-old Sebastian Lenoir spoke
nostalgically about the old days. "It's no longer profitable to be
idealistic," he said. "If I go to a company for a job, I go in a suit. Buzz
goes the Mohawk."

Lenoir, who sets up network security systems, said computer crime has become
a bit tired. "I can either hack a system or sit there and work for a company
to help test their system," said Lenoir, who goes by the computer handle Mr.
Mojo. "It's the same thing, except one is legal and one is not."

But like any movement, there are always those who continue on the old path
long after others have departed.

One of the most famous of those groups is a Boston collective of seven
friends known as the L0pht, a hacker-ish distortion of the word "loft,"
which describes their makeshift workplace. The L0pht was created by a
hacker known only as Mudge, or Dr. Mudge, as most call him these days. Mudge
still hews to the old style of not disclosing his real name or age. It's
just a policy with him.

Mudge is best known in recent times for his creation of L0phtcrack, which
exploits a once-obscure but now widely known weakness in Windows NT that
allows hackers to read user passwords.

Mudge works for a large technology firm during the day and dedicates his
nights to understanding the deeper workings of technologies. Windows NT is
boring now, he said. He has moved on to studying wireless communications.

He does it for the same reason he started hacking years ago -- a pursuit of the
deeper reality of technology. In many ways he sees himself in the mold of
'60s radical Abbie Hoffman, the classic free spirit. The hacker world, Mudge
said, is filling with Jerry Rubins. Rubin, another '60s radical, eventually
joined the establishment.

"For every Abbie Hoffman, there's a bunch of Jerry Rubins, but you only need
that one Abbie Hoffman," Mudge said. "If you don't have that Abbie Hoffman,
the world would be a futile place."