An Interview with Se7en: Part Two

By Richard Thieme

Se7en is out in the light and air now, up from seventeen years underground. He's one of the new variety of human being -- homo sapiens hackii -- who has learned from working with computers at every level, from code language to point-and-click, to think in ways that fit how computers organize information.

Se7en is on the road now, delivering seminars to technicians about hackers -- how they think, how they behave. He works with organizations that are favorite targets of hackers because of their work or status.

He speaks to groups of 30-50 people at a time, cross-disciplinary groups consisting of engineers, security personnel, administrators -- people who deal with the Internet on a daily basis. Naturally, they're concerned about security.

On his first round of talks, he discussed basic security, making his clients aware of what's out there. He helped them distinguish hackers in search of trophies from thieves working for governments and businesses.

On his second round of seminars, Se7en is focused on the details of security, the technical end. The technicians are set up in networks and shown how to scan their own services, searching their networks for security holes.

se7en's classes only give general concepts on how to secure a network. Showing the absolute basics of portscanning is about the most technical methods discussed.

"Basically we set up our own network of fifteen machines and taught them how to break root, showing them how easy it was with UNIX. It was important for them to get hands on experience, get the feel of it. We showed them how to grab a password file and run it through Crack. We introduced them to SYN flooding and explained the concept behind it. We showed them some of the scripts that are NOT available out there. We didn't launch an attack, because that would have been lethal, but we got them to the point from which they could launch it."

They set up encrypted Internet sessions and ran them through the whole gamut of hacker behaviors. It was all hands-on, technical training.

It was a high-level disjointed lecture that impressed people who did not know security. These classes are far from showing a comprehensive methodology hackers use. Further, the computers and networks were always set up by another employee of NDI, never se7en.

[..]

Hacking organizations such as the LOpht, TNo, and the Guild (the current publishers of Phrack Magazine) release UNIX security vulnerability scripts to the public all the time. Their research into SecurID's (a one-time password hardware product) and most recently, the SYN flooder script, have been devastating. Now they're looking into Windows NT. They promise results.

These genuinely "elite" groups have friendly script wars with one another. They compete to see who can release the most scripts the fastest. The LOpht in particular has promised to put out five new vulnerability scripts per week. They accumulate scripts, waiting until they have about a dozen, then drop them in one big bombshell.

The l0pht and TNo do not participate in these contests. This coming from a TNo member and friend of Mudge from the l0pht.

[..]

Hard core crackers, engaging in serious crime and espionage, will not publish articles in 2600 or Phrack. That's why, Se7en says, you never hear of the people who do hard crime. When someone is forced to the surface, he says, it's always someone the underground has never heard of before. After years in the business, he knows the rosters as well as anyone.

A way to cover that he hasn't been around for seventeen years as claimed.

[..]

Ultimately, Se7en says with a laugh, computer security is a hopeless pursuit. The Internet is just too big, too complicated, too specialized, for every system to be secure. Security is inconvenient, and inconvenience makes people uncomfortable. It's always a trade off between convenience and security. The moment you allow legitimate users onto a site from outside the system, you're doomed. All someone has to do is duplicate what that legitimate user is allowed to do.

The above statements are amusing coming from someone who now claims to effectively teach computer security and makes a living off it.

main page ATTRITION feedback