February 12, 1998
Reformed Crackers Reveal Their Secrets
To Paying Audiences of Former Victims
By MATT RICHTEL
SAN FRANCISCO -- Christian Valor, a phone freak of no
small renown, drags on a Marlboro and explains how
for the past two hours he has held Army, Air Force and
NASA officials at rapt attention.
"no small renown", according to who?
"Who do you want to learn how to protect your system
from?" Valor said. "Some corporate guy, or me -- a guy
who's actually" hacked into your computer network?
After knowing se7en for three years, I can say pretty confidently
that this statement is false.
Corporations and governments are spending megabucks
these days to learn to guard networks from vandals,
terrorists and punks with computer programming skills
and too much time on their hands. This week in San
Francisco, the authorities learned it first hand: from
hackers themselves.
The idea of hackers using their expertise to instruct
industry is not common, but it is not a new phenomenon
either. What this group brings to the table is
first-hand insight into the methods of crackers --
hackers who use their skills maliciously to infiltrate
These hackers aren't malicious.
government and corporate computer systems. These
presenters say they have eschewed that life to preach
for profit to the government and private sectors.
As if hearing about car theft tactics from retired
felons, the attendees learned not just the gritty
technical details of attacks, but about cultural aspects
too -- why crackers use their skills maliciously, which
systems they crack, some of the tragically petty reasons
they decide to target a company or individual. And ruin
their lives.
The former members of the hacker underground sought to
downplay the "hysteria" they say exists about hackers --
many of whom they say are pretenders -- and to point out
that many government and corporate systems can be
cracked. Valor told how gangs of crackers warring for
bragging rights last year hacked into 363 major Web
sites, including ABC News, the Naval Dental Center,
Amnesty International and the Army Information Center.
A hacker calling himself Michael Diamond -- a
25-year-old who wears bleached blond hair, earrings in
both ears, a tongue bar and a tattoo on his left arm --
told the audience of the planning that goes into the
attack. Then he launched into a technical description of
the programming language of attacks and described what
security experts should look for to determine if, and
how, they've been hit.
The 17 attendees of the workshop on Monday and Tuesday
hailed from NASA, the Army, the Department of Energy and
the Seattle Police Department, among other groups. Much
of the material was old hat to some of the more seasoned
security personnel, but at least one said that the
presentation -- and others like it -- have an edge over
more traditional talks.
"True hackers have told us about problems that we never
hear about from high-placed consultants in the
mainstream," said Seattle Police Detective Greg Roberts.
The information exchange owes its existence to Fred
Villella, a retired Army colonel who spent several
of the Reagan years an executive secretary to the
national security adviser.
After he left government, Villella in 1985 founded New
Dimensions International, focusing on corporate and
government security issues. Three years later, he
offered his first computer security curriculum, and in
1995, he started to focus on the threat, hosting his
first symposium on "hackers, crackers and sniffers."
Initially, he hired standard security types from the
software and corporate world to present the material.
Then, in 1996, he attended Def.Con, the annual hacker
get-together in Las Vegas and had an epiphany. "There
was a world that those of us in the professional
training environment just are not aware of," Villella
said. "It was a revelation."
Even as he began recruiting hackers, it was not a world
that Villella felt entirely comfortable with, nor one he
thought the corporate world would readily receive.
Villella couldn't sleep the night before one of the
first conferences knowing one hacker liked to present
bare-footed and another had "frosted hair."
The feeling was mutual. The hacker
community is inherently suspect of
the government and corporations.
Authorities are seen by the more
immature crackers simply as targets
-- the way egg-tossing teens look at
cars -- and by mature hackers and
crackers as an ideological foe --
that endanger our collective security
and private data by failing to
protect computer networks.
Villella is somewhat vague about the
success of the operation. He said New
Dimensions made roughly 20
presentations in 1997, traveling
around the country to talk with NASA,
the Army, the Department of Defense
and other government and corporate
entities. The workshops generally run
$695 per person for two days or $995
for four days. In San Francisco,
there were 17 attendees for the first
two days, although Villella said the
workshop was free for 11 of the
attendees because he was testing new
curriculum.
They are not without competition.
Hackers even have testified before
Congress to explain the extent of the
vulnerabilities.
Meanwhile, Villella now acts as
something of an uncle for his
particular group. He keeps them on
schedule -- including getting one
notorious late sleeper out of bed --
pays for their appearances and
expenses, and tries to keep the peace
among the hackers. It's clear he
faces a balancing act. The hackers
can be touchy -- fiercely
independent, highly intelligent,
sometimes arrogant and demanding.
(Says one hacker jarringly during his
talk: "It's my talk, Fred, don't
interrupt me.") "It's my role," says
the soft-spoken Villella, who calls
himself "Uncle Fred." "It's one I've
come to accept."
The first day of the workshop
belongs to Diamond, editor of
Phrack magazine, a technical and
respected quarterly online hacking
journal. ("It's supposed to be
quarterly," Diamond said. "But it
comes out when I get around to it.")
Diamond gives what in many quarters
would be a highly technical talk,
explaining the programming language
behind various hacker attacks. He
touches on such techniques as
tunneling, fragmentation, sniffing
and spoofing attacks. He explains the
programming language hackers use to
find their way to the "root" of a
system, which is essentially the
highest level of access.
The audience varies in its level of
comprehension. The guys from the
Army, who are relatively new to
computer security, look dumbfounded.
In reality, though, the talk mostly
validates the types of attacks that
more experienced security personnel
have come to expect, said Phil Cox,
with the Computer Incident Advisory
Capability team of the Department of
Energy. Cox said the Department of
Energy gets about an "incident a day"
of an attempted hack.
On the third day of the workshop, the class will hear
from Jordan Payne, a well-known female hacker. On the
fourth day, they'll hear from Peter Shipley, who will
expound on Web security. He said he plans to tell
attendees that they cannot expect networks to be secure,
just because they use an expensive secure server. They
need to audit the entirety of their systems to look for
vulnerabilities, he said.
The second day belongs to the Valor, 29, who announced
his "retirement" last year from malicious attacks.
Because he has some extra time, though, he tells the
audience about his exploits as a phone freak, which is
someone who learns to manipulate the telephone system to
pull pranks.
The stories sound as if they are mostly an annoyance to
victim individuals and companies, such as when Valor and
Possible because prank calls are the extent of his ability?
his friends dumped the telephone charges of Kaiser
Permanente, a major hospital chain, onto the bill of a
local CBS affiliate (Valor said the phone freakers were
upset at CBS for failing to run a story about them). But
he said the experiences show how unprepared corporations
are for attack, and what they can learn from the
crackers' exploits.
"Crackers have contributed more to computer security
than any other person from any company," he insisted.