Security Scene Errata


www.upside.com
Hackers for Hire
January 14, 1999
by Deborah Radcliff

Lured by steady paychecks, some hackers are giving up their nefarious ways
and joining corporate America. But can folks with aliases such as Dr. Who
and Hobbit handle a 9-to-5 life? 

Yobie Benjamin, glad to have an extrapassenger during the congested
morning commute, screams down the carpool lane through a Silicon Valley
artery. From the slightly elevated perspective of his Ford Explorer, he's
talking "corporate strategy," "business objectives" and "total customer
solutions." Benjamin is psyched for an internetworking dinner his company,
Cambridge Technology Partners Inc. (CTP), is hosting for more than 40 CIOs
and senior executives from companies such as Cisco Systems Inc., Levi
Strauss & Co. and Network Associates Inc. By all appearances, Benjamin
seems destined to become one of them. 

Just another hacker gone legit. 

Until recently, hackers cloaked themselves behind their computers with
online identities such as Oblivion, SirDystic and Dr. Who. Now, some
hackers--at least those over 30--are stepping out of the shadows and into
a media blizzard: coverage on "20/20," CNN, and "Silicon Valley Business
This Week" and articles in the New York Times. They've morphed into the
decade's cool new computer security experts. 

[Until recently? Now more than ever are they doing it. And the
arbitrary age of '30' is wrong. 16 year olds have found themselves on
various shows and in columns.]

But as hackers shed their old lives to move into new ones with
high-profile jobs that earn them big bucks, technology companies and their
cus tomers have to wonder: Will they fit in? And can they be trusted to
stay on the straight and narrow? 

Some, like the 39-year-old Benjamin, are proving their worth in corporate
environments. Benjamin was director of technology for Cambridge,
Mass.-based Cambridge Technology Partners' enterprise security services
division. But for every Benjamin, there are dozens of hackers who can't
make the grade. And even more who don't want to. 

"For some, like hackers, knowledge is power," says Penny Leavy, vice
president of worldwide marketing and business development for Finjan
Software Inc. of San Jose. "For others, it's money. And for others, it's
climbing the corporate ladder." 

Benjamin sat on the technical advisory board of Finjan, which makes
software that defends computers and networks against malicious Java,
ActiveX and other mobile code (small programs that are transmitted through
networks and the Internet and then executed on the desktop).  Benjamin is
by no means your late-night, no-life nerd. With a bachelor of arts degree
in communications from the University of the Philippines in Quezon City,
he has developed training films for Asian immigrants and written speeches
for former San Francisco Mayor Frank Jordan. The father of two daughters,
Benjamin now finds his free time consumed with "Sesame Street" books and
preschool get-togethers--not hacking. 

Screen first, hire later

Benjamin calls himself an "ethical hacker," one who grew up on the
ARPAnet, pre-Web bulletin boards and "borrowed" time-share machine space
in the 1970s and '80s. He wears his tar-black hair well past his
shoulders. And he's hardwired to many underground hacking groups, members
of which worship him for his superior technical skills. In fact, one of
Benjamin's own Sun Microsystems Inc. Solaris servers runs in a humming
equipment room at the Berkeley, Calif., home of Peter Shipley,
administrator for the infamous hacking group dis.org. 

Ah, Shipley: With his Tiny Tim locks and propensity for vampire fangs and
Goth clubs, the 33-year-old Shipley is a true technology junkie.  Going by
the name Evil Pete among his hacker buddies, he presides over about 20
servers and a T1 line inside his spare bedroom. 

But now Shipley has gone corporate, too. Since early spring, he has held
the position of chief security architect at the $10.4 billion
international accounting firm KPMG Peat Marwick LLP of New York. 

Screen first, hire later

There are more like Shipley and Benjamin working for Big 5 accounting
firms, startups and security consulting firms around the country. In fact,
CTP's avant-garde, 20-person enterprise security services unit is home to
about 10 hackers. These aren't your run-of-the-mill computer geeks,
though. All hold some claim to technical fame, according to Erich Oehler,
director of the unit. For instance, one of his hackers designed secure
operating systems for highly sensitive government agencies. "[In terms of]
skills and motivation, there's a lot of creativity in our group," Oehler
says. 

Oehler is testy about emphasizing the hacking element of his year-old
unit, and with good reason: It has cost him clients. "We're sensitive
about saying we hire hackers because, frankly, some customers have turned
us down," Oehler says. "They worry about all these rogue hackers running
amok." He quickly adds that CTP protects its clients by putting all hires
through rigorous screening and background checks. And once hired, the
hackers must abide by the company's core values--"openness, honesty,
dedication, respect and trust." 

Located on the outskirts of San Francisco's Multimedia Gulch, CTP's
security services unit conducts technical security audits for paying
clients. The unit's offerings sometimes piggyback onto other application
development. For example, the unit may be called upon to build security
into a customer's newly developed electronic-commerce package. It also
does primary research and development to identify software vulnerabilities
and then design defense mechanisms around them. 

vogue

While Oehler worries about spotlighting former hackers, there's no denying
they're a hot commodity. 

In August 1998, "20/20" broadcast a 10-minute segment in which CTP hackers
cracked a financial institution's system (with permission, of course) to
identify and illustrate the computer insecurities for that customer's
executive management. 

It's all part of what those in the hacking community term mediawhoring--a
plot to legitimize their shadowy habits and cash in on a worldwide
security services industry expected to reach $7.3 billion by 2000, based
on figures provided by Richard Brewer, a senior analyst with Framingham,
Mass.-based market research firm International Data Corp.  (IDC). 

[Mediawhoring is not when ANY hacker gets ANY media press.
It is more used for *Wannabe* hackers who have little or no skill, 
jumping in the spotlight piggybacking off the hacker reputation.]

"A month after the '20/20' segment, [Benjamin] told me that the value of
that segment couldn't be measured in terms of public relations," says Ron
Moritz, Finjan's director of technology. "There's value in having someone
on your team with such national recognition and professional credibility." 

While such coverage propels hackers' careers, it also raises awareness
about technical security issues. In a joint survey by the San
Francisco-based Computer Security Institute and the FBI, 241 of 520
business respondents said they lost a combined total of more than $136
million in 1997 because of computer crime or misuse. And, for the first
time in the survey's three-year history, more than half the respondents
cited the Internet as the leading point of vulnerability. 

No wonder hackers are in such demand: It's their decades of hands-on
experience with telephone systems, dial-up modems, operating systems and
internetworking equipment--combined with their natural paranoia and
ingenuity--that makes them so hot. Such skill sets are tough to find, says
IDC's Brewer, adding, "Right now, everyone's fighting over skilled
security professionals"--which could explain why Shipley and Benjamin
command six-figure salaries. 

"[Benjamin] has the unique ability to understand the broader business
implications of a particular technology effort," says Finjan's Moritz.  At
many a quarterly technology review, for example, Benjamin has asked
questions that skirt the obvious and provoke Finjan's developers to tackle
project development in a more comprehensive way. 

Douglas Graham, a KPMG partner specializing in electronic commerce, feels
the same way about his hire, Shipley. "You're probably wondering why a big
accounting firm would hire hackers," he says with a smile.  Essentially,
Graham explains, it's a toss-up between National Security
Administration-trained hackers "because the NSA has an awful lot of money
to look into security issues," and ethical freelance hackers "because they
have an awful lot of time to look into security issues." 

A Little different

Continues Graham, "Yes, hackers dress a little differently. And their
tastes in music can [be] kind of strange. But some, like [Shipley], are
comfortable technically, very ethical and straightforward. And he wears a
suit to client meetings." 

[What does taste in music have to do with anything? I am sure
you will find employees with just as 'different' tastes in music as
hackers.]

Not just any suit, but a Brooks Brothers suit, boasts Shipley, whose words
spill out so fast they often slur. 

Shipley also has achieved fame in the hacker community. An overflow crowd
awaited him at the Eighth Annual Conference on Computers, Freedom and
Privacy, held in Austin, Texas, Feb. 18-20, 1998, where he discussed
Internet security holes. Ditto for his update talk at the annual DEFCON
hacker conference last summer in Las Vegas. At DEFCON, he spoke about his
experiment with war dialing, which is a technique hackers use to scan
telephone prefixes to determine which numbers are linked to modems. 
Shipley rigged his computer to dial 5.3 million Bay area phone numbers
looking for exploitable modems. Of the phone numbers that turned out to be
connected to modems, 75 percent were insecure enough for a hacker to get
into the computer systems attached to them. 

"KPMG respects my technical knowledge," says Shipley, who is vague about
his job description because it involves software product development with
some big-name industry players. But much of his work is similar to what he
did in his 10 years as an independent contractor--security assessments for
clients sprinkled with a couple of lectures each month.  Only now he has
an expense account. And he's managing projects and helping hire other
hackers. 

Graham insists this "ethical hacker" brings value to KPMG by convincing
clients they need help securing their computers. For instance, it took
Shipley a mere two hours to show a banking client that it had wasted
millions on some ineffectual security efforts. "[Shipley] demonstrated
this dramatically by remotely bringing down the main server while the
client's chief information officer watched," Graham explains. The bank was
happy with Shipley's work, especially because he discovered the security
flaws before the bad guys did. 

According to Graham, there's a technical career path for such people at
KPMG, though he has yet to figure out exactly what that is. Shipley's
take: He may make it to middle management but not to partner level because
he lacks the necessary formal education, management background and
corporate experience. 

[Big 6 accounting firms typically want their partners to have
degrees in ACCOUNTING. Of course Shipley didn't pursue that path while
becoming a security professional. He could have a Masters in engineering
and it would probably not meet their qualifications.]

Dog that dogma

Despite such glowing reviews, many in law enforcement and industry will
never trust hackers, even reformed or white-hat (nonmalicious) hackers, as
these born-again security specialists call themselves. 

[And hackers don't trust these ex-criminals claiming to be
law enforcement. We all know police officers who have smoked dope, consumed
liquor while under age, and often worse. Its a two way street.]

"Culturally, there's a lack of trust when it comes to hackers," says Rob
Clyde, co-founder of Rockville, Md.-based Axent Technologies Inc., a
computer security tools company. 

[Yet Axent hires some.]

Bad habits

Clyde makes his point by relating a story of the disaster that befell an
Axent client three years ago. That client, a government agency, contracted
with a hacker to clean up its systems. When the hacker left, the agency
discovered that he had posted its system's vulnerabilities on underground
hacker Web sites and bulletin boards. Many of those holes hadn't been
patched yet. "That agency will never hire a hacker again,"  Clyde says. 

[That they know of.. fact is, most hackers don't advertise
their background when applying for jobs.]

But even that kind of treachery sometimes gets a positive spin: These
hackers are doing corporate America a favor by breaking systems and
publishing weaknesses because it forces software vendors to fix inferior
products. For instance, two years ago, Benjamin discovered a way to
manipulate the security settings on Microsoft Corp.'s Internet Explorer
3.0. As the code enters a computer, it drops the security level to give a
cracker (a bad-guy hacker) control of the machine. Benjamin immediately
informed Microsoft of the weakness, and the problem has since been
patched. 

Benjamin's former unit at CTP was even turning such code into profit.  The
unit was cataloguing and documenting all known hacker attacks against
various systems to run against clients' systems when assessing their
computer security measures. This knowledge base would make his
organization's job much more efficient, according to Benjamin, because the
team would be able to launch attacks against clients' systems from a
single source. 

[Something many hackers and security companies have been doing
for over 10 years.]

Despite the new air of legitimacy, many hackers--especially the younger
ones with no formal education--don't have much of a future in corporate
America. 

[A nice unfounded vague statement.]

"I've had my share of hackers inquiring about jobs here," says Finjan's
Moritz. "Most are immature, and I don't trust them." Many, he says, boast
about technical prowess they don't possess, and others try to strong-arm
Finjan into buying their polluted code. "They'll come in and tell me they
[have] a new virus in ActiveX or Java," Moritz says. "When I ask one to
show me, he'll say he won't until I pay for it. We show [these kind of
people] the door. It's usually something we already know about that they
got [from] the Net." 

Benjamin adds that poor communications skills prevent even those hackers
with better ethics from being regarded as corporate material. "It shows
when you take them into a corporate environment and say, 'I need you to
write something,'" he explains. 

And even white-hat hackers such as Shipley and Benjamin can suffer
transition problems. Both complain about internal politics,
inefficiencies, paperwork, their PR "flacks" and the bureaucratic red tape
that most corporate lifers have learned how to handle. For now, however,
the pair is willing to play the game. 

Others, such as 29-year-old Yetzer-RA, are wavering. Yetzer-RA, who wants
to keep his identity secret to protect his employer, would just as soon
ditch his job as a Microsoft NT security administrator at an East Coast
medical facility. It's not that he minds wearing a tie to work four days a
week. What bothers him is the internal politics. He's not popular with the
old-timers. "[In 1997], I ran a security sweep on a machine and found that
12 people could access that computer without passwords," says Yetzer-RA.
"I brought this to my boss' attention, but those responsible for the
machine were not pleased." 

Hobbit

Blame it partially on his direct manner, which can be perceived as
insubordinate and rude. The burly, long-haired Yetzer-RA, who has a
penchant for silk vests, says he's holding out for the day he can work for
himself; for now, though, he lacks the necessary skills. 

Hobbit, however, is another story. His real name is Al Walker, but he goes
by Hobbit because he never wears shoes (even during Massachusetts
winters). He, too, is a legend in the hacker community. 

Seven years ago, the 38-year-old Hobbit tried corporate life. He spent
three years managing the computer systems at collegial startup FTP
Software Inc. in North Andover, Mass. (acquired in August 1998 by
networking software provider NetManage Inc. of Cupertino, Calif.). At the
time, Finjan's Leavy worked at FTP as vice president of worldwide sales.
Barefoot or not, says Leavy, "Hobbit is a truly brilliant individual." 

Hobbit jumped off the FTP ship in 1994. "The suits came in and took over
at the time of our IPO," he explains. "It started going icky--corporate
and marketing-driven instead of tech-driven. My sleaze meter paged, and I
bailed." 

In his mad-scientist way, Hobbit would be content to build computers from
the componentry he picks out of trash bins and driveways.  Ultimately,
he'd like to make all computers inherently secure.  Unfortunately, he
says, "Nobody's interested in funding research in discovering security
holes." 

To pay his bills, Hobbit has worked out consulting gigs at two local
Internet service providers that occupy 10 to 30 hours of his week. He has
no desire to return to corporate America, he says, except for the
occasional consulting engagement. 

One of these engagements, at the United States Federal Reserve Bank of New
York, brought Hobbit and Shipley together in 1997 to train the Reserve's
Red Team (technicians who hack against the Reserve's system to test for
security flaws). Soon after, Benjamin did some computer security
evaluation at the Reserve. 

It was a stretch for those in the staunch, conservative banking
environment to welcome these guys. Shipley showed up in his black Dracula
cape. And Hobbit, with his bare feet and waist-length brown hair, was a
sight to behold. Benjamin fared better: He wore a suit.  After they
started covering their material, however, appearances were forgotten,
according to Paul Raines, the Reserve's VP of electronic security. "I was
impressed by their professionalism, their detailed knowledge and their
willingness to help," he says. 

[Shipley showed up in a suit the first day. He owns a cloak
that is used for warmth, not decoration. When he presents, he wears
professional attire when needed, or casual (jeans/shirt) when
warranted. Yes, I have taught next to Shipley and say this from
first hand experience.]

At the time, Benjamin's CTP unit was in discussions with an entertainment
conglomerate to secure satellite feeds for the Winter Olympics in Nagano,
Japan. When scheduling conflicts arose, he'd tell his unit, "Forget
Nagano. This is the Federal Reserve," Raines recounts with a chuckle.
"Benjamin saw the importance of what the Federal Reserve represented, not
only for the U.S. banking system, but also for the international banking
system." 

As former operation commander for the U.S. Air Force's Minute Man nuclear
missiles, Raines is no dupe. He runs criminal-background checks on all
people who work with the Reserve's computers. He also limits their access
to only those machines they're testing. And he asks for a liability
contract. Raines advises anyone considering hiring hackers to do the same. 

Thus, hackers in corporate environments walk a tightrope. While they're
trying to shed bad habits, stay on the right side of the law and
speed-learn corporate culture and business strategy, skeptics are just
waiting for them to fail. 

[More blatant stereotyping. MANY hackers work just fine in
corporate atmostpheres. In fact, these companies have NO idea they
have hired hackers.]

Yet as long as hackers who've gone legit have avoided accumulating police
records, those with the right combination of technical skills,
critical-thinking ability and ambition can earn management's trust and
forge a path to the executive suite. Benjamin is a good example: In late
November 1998, he joined Big 5 accounting firm Ernst & Young LLP of New
York as a general partner and global strategist for electronic commerce,
Internet and emerging technologies. 

Deciphering Hackerspeak

There's a certain mystique surrounding hackers. Are they First Amendment
revolutionaries liberating information for the public's benefit? Or are
they malicious scoundrels bent on wreaking havoc by infecting computer
networks with faulty code? It depends on whom you ask. 

While some so-called ethical hackers want to set the record straight and
change public perceptions of the hacker community, most prefer to remain a
mystery. They operate in what they call "the underground," a subculture
based on an unusual blend of anonymity and camaraderie. Most hackers
protect their true identities by assuming aliases, and they protect their
brethren by sniffing out wanna-bes and outsiders. 

A dead giveaway that you don't belong in hacker inner circles is failure
to understand the vocabulary, so Upside did some investigating and
compiled this glossary. It may not garner you instant acceptance, but as
more hackers go corporate, knowing their lingo will help you communicate
with your new co-workers. 

Carding The naughty--and illegal--practice of committing credit card fraud
by commandeering someone's card number to purchase goodies for yourself
and your friends. While advances in credit card security have made carding
more difficult, electronic commerce is a carder's dream come true. 

Cracker A bad-guy hacker. The larger hacker population, which purports to
oppose criminal activity, uses this term pejoratively to refer to hackers
who break security on systems for the sole purpose of committing evil
acts. 

Cypherpunk Someone obsessed with using encryption to keep data private. 
In particular, cypherpunks seek to prevent the government, which they
liken to Big Brother, from accessing their information. Paranoid hackers
who believe in conspiracy theories tend to become cypherpunks. 

Easter egg A message, image or sound effect that a programmer hides in a
program's object code as a joke. Harmless and often amusing, Easter eggs
can be found in most applications. Here's an easy-to-view example: Open
Netscape Navigator 3.0 and press CRTL-ALT-F at the same time. You'll be
magically transported to a real-time fishcam, courtesy of Netscape
programmer Lou Montulli. 

Media whore In the hacker subculture, stepping out of the underground and
into the media spotlight is the ultimate betrayal. Hackers who pander to
the press for personal glory or fame are cast aside and labeled media
whores. 

[No, not the ultimate betrayal necessarily. Those who step
out to educate the media are not media whores.]

Phreaking Hacking into a telephone system, usually to make free
long-distance calls. Computer hacking and phreaking go hand in hand,
though some people are pure phreakers. The tools of the trade are homemade
electronic devices called "boxes." The most common--the Red Box--enables
hackers to make free calls. More sinister is the Bud Box, which is used to
eavesdrop on others' phone conversations. 

Samurai A hacker who hires out for legal cracking jobs, breaking into
systems to test their security. These professional hackers see themselves
as warriors defending their employers' systems from unethical crackers.
Another term used to describe these hackers for hire is sneakers. 

[Samurai? Try Penetration Team member, or "ethical hacker"
as the media likes to say.]

Suit What hackers call the rest of us behind our backs. The term reveals
the contempt most hackers have for the conventions of corporate America,
especially the wearing of suits. Government officials (think FBI and
National Security Administration) are also commonly referred to as
"suits." 

Tentacle A fake identity used by a hacker in cyberspace to perform bad
deeds without getting caught. One person may have multiple tentacles, or
aliases. 

Trojan horse Hidden code within a legitimate program that causes the
program to malfunction. As legend has it, during the Trojan War the Greeks
hid in a hollow wooden horse to gain entrance into Troy so they could
launch their attack. Similarly, hackers use Trojan horses to infiltrate
programs. 

Virus Probably the best-known term in the lexicon, a virus is an
independent program that corrupts computer data and systems. What makes
viruses so nefarious is that they replicate and are unknowingly
transferred from one computer to another. You think it's bad when the flu
goes around the office--try a nasty computer virus! Weapons of choice for
most crackers, some viruses can cause irreversible damage. Of course,
software providers such as Network Associates Inc. and Symantec Corp.
aren't complaining--they've made a fortune selling virus-protection
software. 

War dialer A program that scans telephone prefixes to determine which
numbers are linked to computer equipment such as modems or fax machines. 
War dialers are an important part of aphreaker's arsenal. 

Warez Pirated software illegally distributed and downloaded from the
Internet. Widely circulated among crackers, warez programs are versions of
commercial software that have already been cracked. Die-hard warez users
refer to themselves as "warez d00dz." 

White hat A nonmalicious hacker, also known as an ethical hacker or a true
hacker. These hackers claim to come in peace. While their activities are
still considered illegal, white hat hackers see themselves as harmless
information hounds. They hack to satisfy their curiosity, not to damage
computer systems or engage in other criminal activity. 

[White Hat hackers can hack legally. On their own networks
or for clients. Their activities are not necessarily considered
illegal.]

Worm Like its squishy invertebrate namesake, a computer worm is creepy. 
Similar to a virus, a worm is a cracker program that replicates and
spreads from one network to another. But unlike a virus, a worm can damage
a computer system without being activated by a user. --Natalie Fonseca

Hacker havens

In the online hacker community--the Underground--people with aliases such
as Brimstone and Lord Somer host Web sites from unknown locations.  After
all, the key to hacker success is anonymity. 

Upside decided to expose some of these sites for your surfing pleasure. 
Whether you're a hacker wanna-be looking to hone your skills or a curious
bystander interested in finding out how "the other half" lives, get your
kicks by visiting these underground hacker sites. Just don't tell anyone
Upside sent you! 

2600 Magazine: The Hacker Quarterly
       This site is the home page for 2600 Magazine, the Middle Island,
       N.Y.-based publication for and about hackers. Prominently
       featured on the site is the Kevin Mitnick Lockdown Clock, which
       lists precisely how long (down to the second) the infamous hacker
       has been "imprisoned by the U.S. government without a trial."
       Less political is the Hacked Sites of the Future section, which
       illustrates what some well-known Web sites might look like if
       hackers got their hands on the code. The spoofs include fake
       copies of the Amazon.com Inc. and Microsoft Corp. home pages.
       
Dis.Org
       This San Francisco Bay area-based site is run by the DOC (Dis.Org
       Crew), a loosely formed network of about a dozen hackers. Unlike
       their counterparts who engage in illegal hacking (also known as
       cracking), the members of this group have gone corporate. While
       the site contains general hacking information and a discussion
       list, its main purpose appears to be promoting the group's
       computer security consulting business.
       
Hacker News Network (HNN)
       A takeoff on Ted Turner's Cable News Network (CNN), HNN aims to
       be the leading news source for hackers worldwide. Dissatisfied
       with the mainstream media's portrayal of hackers and their
       comings and goings, HNN's founders provide what they call "the
       real news from the computer underground for the computer
       underground." While HNN is no substitute for CNN, it's a good
       place to find out which hackers The Man has busted. If you're a
       hacker who frequently grants media interviews (referred to on the
       site as a "media whore"), there's a handy article titled "A
       hacker's guide to talking to the media" in the Original Content
       section.
       
Hackers.com
       HDC (Hackers Dot Com), run by eight underground gurus, is the
       ultimate resource for so-called "ethical hackers." According to
       the HDC crew, the site is about "freedom of speech, freedom of
       information, ethics and satisfying curiosities." In other words,
       if you're looking for tips on how to infiltrate the FBI's
       computer network, this isn't the site for you. But its extensive
       archive, Neophyte section for beginners and links to like-minded
       sites should keep you busy for some time. As a bonus, fans can
       purchase a hackers.com e-mail address for $50 a year.
       
The Hacker's Layer
       Evil lurks within the Hacker's Layer. Home to the darker side of
       the hacker community, this site offers tutorials on most types of
       illicit hacking activities. Every parent's nightmare, the hosts
       of this site offer tips on how to commit credit card fraud and
       otherwise disturb others' privacy. Law-abiding citizens will find
       this site truly frightening.
       
L0pht Heavy Industries
       The hackers behind this site decided to turn their hacking
       know-how into a legitimate enterprise by forming LHI Technologies
       LLC. The band of hackers, which operates from a secret location
       in Boston, offers consulting services for those looking to secure
       their networks from, well, other hackers. Visitors to the Web
       site can also purchase three LHI software products that identify
       vulnerabilities in computer networks. Perfect for network
       administrators and shaggy miscreants!