http://www.linuxworld.com/linuxworld/lw-2000-07/lw-07-vcontrol_1.html
What's the hat got to do with it?
Setting the record straight on Christopher Klaus and ISS
Summary
Joe Barr takes off his rose-colored glasses and discovers that
deception and darkness are old hat in the world of computer
security. Plus: ISS's Christopher Klaus responds to some of the
claims put forth in this article. (2,100 words)
By Joe Barr
It's time to eat crow again. No, this is not about failing the Linux
Professional Institute's Level 1 System Admin certification exam a few
weeks ago. It's much worse than that.
This week I'm eating crow because I didn't follow my gut instinct on
a story I wrote, and consequently portrayed Christopher Klaus as
wearing the wrong color hat. In the weeks since that piece on ISS
Linux Security Training ran (see Resources), I've had a number of
people give me the same basic, unyielding, irrefutable message: I got
it all wrong about Klaus and ISS.
"All wrong" may even include trying to use white hats and black hats
to categorize individuals in the phreaking/cracking community as
either "good" or "evil." More than one reader wrote that if you are a
part of the computer underworld, you are a part of it, period. I can
see where they are coming from. Illegal electronic breaking and
entering or the theft of services puts you in that world. Whether you
do it for kicks, for money, or for malicious intent is a side issue.
This week, I am going to retrace the steps I took in researching the
ISS piece and, wherever I can, show how I got it wrong. I'm not
attempting to dodge responsibility for being wrong; I'm just trying to
set the record straight now that I have more information.
First things first
First things first. I began my research of ISS and Christopher Klaus
comfortable in the knowledge that I would find, as is so often the
case, that he had come over from the dark side to find respectability
in the industry as a security expert, consultant, or adviser. But the
small, poorly lit trail I found seemed to indicate just the opposite,
and gradually my take on both ISS and Christopher Klaus was reversed.
I tried to contact Klaus for the original story, but ISS told me he
was in Peru and would be unavailable until the end of June. Instead, I
spoke with Christopher Rouland, who heads up the ISS X-Force security
advisory team. When I asked him about Klaus' past -- what "elite"
bulletin boards he might have hung out on, what his "nick" had been,
etc. -- Rouland just laughed and said, "I don't really see him hanging
out on elite bulletin boards." That planted the first doubt in my mind
about my original hunch that Klaus had come over from the dark side.
The conversation quickly turned away from Klaus' background, focusing
instead on Rouland's work as the director of X-Force.
Rouland's deflection of my questions about Klaus probably should have
triggered an alarm, but it didn't. Tom Noonan, CEO of ISS, said in a
June 1999 U.S. News story on hackers (see Resources) that ISS
"wouldn't hire anyone on the dark side." But at the time I didn't know
of Noonan's remarks, and I certainly did not know that Christopher
Rouland had been on the dark side himself, known in the old days as
"Mister Fusion."
Further research led me to a bio of Klaus indicating that he had
worked with government labs while still a high school student. That
didn't sound like the kind of kid who would hang out on elite BBS
systems either. I also found an exchange of notes published in phrack
between Klaus and "Erik Bloodaxe," then editor of the legendary zine,
in which Klaus stated in no uncertain terms that he did not want the
source code for his scanning tool (ISS) published there. The next
issue of phrack contained a satire by Klaus lampooning the language,
mores, and ways of the underground.
The computer underworld
I read those attempts by Klaus to disassociate himself from the
cracking/phreaking community as evidence of the purity of his soul. I
was so convinced my original take on Klaus had been wrong that I wrote
he "appears to have always been on the side of the angels...didn't
hang out on an 'elite' BBS ... didn't sit on IRC and try to build a
rep on #hack...."
The first hint of serious problems with my take on Klaus and ISS
appeared only a day or so after the article was posted. I heard from
well-known and widely respected members of the security community
telling me in no uncertain terms that I had been sold a bill of goods.
For example, Elias Levy, aka Aleph1, wrote, "If you think that ISS is
not based on the notion of 'using a thief to catch a thief' you might
want to find out for yourself where the last two editors of phrack
worked instead of believing the corporate propaganda that they don't
hire hackers."
One famous (but anonymous) name from one of the best-known hacker
groups in the world wrote: "#hack is where I first talked to him ...
he was in the hacker scene like anybody else in the hacker scene. I
met Christopher Klaus (kewp) at Summercon in Atlanta, and he sure
wasn't talking about how he was a different breed of white-hat hacker
then."
Given these kindly hints, I began to question more people to get at
the truth about Christopher Klaus, as well as ISS employees in
general. My trip to San Diego for the USENIX conference proved to be a
veritable gold mine of information.
I also contacted Christopher Goggans (aka Erik Bloodaxe) and asked him
what he remembered of Klaus' request not to publish the ISS code.
Goggans told me he had found the request odd enough to publish it and
his response in phrack. He also told me he later asked "kewp" on #hack
what the note was all about. Klaus told him that ISS was preparing for
an IPO and thought it better not to have a close association with
phrack. So much for my conclusion that Klaus had not hung on #hack to
build a rep.
Da word onna net
Several sources mentioned rumors that Klaus had not written ISS
himself, but had assembled it from the work of others. One source I
met at USENIX told me to check that story with Peter Shipley, now the
director of labs at OneSecure, a firm specializing in virtual private
networks and security.
Shipley wrote the first Internet scanner, Netsweep, in 1988. He has
been a part of both the dark side and the security communities for
years, and he often speaks about security at conferences like CFP
(Computers, Freedom, Privacy). In fact, I met him here in Austin at
CFP '98.
As I dug deeper to get beneath the corporate hype about how pure ISS
and its employees were, I found that ISS was widely disliked. Perhaps
this is a natural result of ISS providing defenses against "security
tools" like Back Orifice from groups like cDc (the Cult of the Dead
Cow). Perhaps not.
Peter Shipley is no exception; he explained to me up front why he
doesn't like ISS. "Christopher Klaus took my exploits and took my
tests and put them into his product," Shipley said. "And I actually
got recognition for this ... If you ran ISS until they IPO'd you
actually saw my name. They removed my name when they IPO'd. I never
saw a dime."
Another story I heard from more than one source (I have not yet been
able to confirm it) is that a famous name from a famous security
organization submitted an exploit to ISS. Days later, an ISS sales
team visited the firm where, unbeknownst to the salespeople, this
person worked, and presented his own exploit to him as being an
example of "ISS research."
Twist of fate
As I was enjoying the food at the big reception and party at USENIX in
San Diego last month, two other attendees sat down at my table. I
noticed they were both from Lawrence Livermore National Labs. I asked
if that was the lab where Klaus had been an intern, and one of them
replied that yes, it was. Klaus had been in his department.
My early research had turned up a quote from Klaus explaining his
first Internet use. Klaus said, "I was accepted for a high-school
internship program at Lawrence Livermore National Labs, where I
conducted research on network security vulnerabilities and technology
that could automate security weakness detection."
Neal Mackanic, the man from LLNL, told a slightly different version of
the tale. Mackanic told me, "Christopher was selected by the governor
of Florida to be part of a two-week supercomputing summer camp at LLNL
in the National Energy Research Supercomputing Center (NERSC). It was
after he attended this two weeks that he was caught hacking the
student bulletin board system by one of the NERSC staff, Jim Morton.
Morton encouraged Christopher to use his talents for good, and that
began our relationship with him and his ISS tool."
Another tip led me so far underground I found myself at a local
Borders bookstore looking for a copy of Cybershock, Winn Schwartau
(Thunder's Mouth Press, 2000). On pages 321-322, ISS, Christopher
Klaus, and Christopher Rouland are included in a general discussion of
firms that "strongly advertise that they do not use hackers at all."
It also mentions that Rouland (Mr. Fusion, remember?) was "picked up"
in 1990 and debriefed by Air Force OSI "cybercop" Jim Christy for
breaking into the Pentagon.
It was finally clear to me that anyone with the slightest bit of real
knowledge of Klaus and ISS (as opposed to your naive and gullible
reporter) was aware that, contrary to the company's denials, ISS not
only has a history of life on the dark side, but has hired and
continues to hire black hats.
But why all the bother?
Although I was no longer surprised, I was curious why ISS went to such
trouble to create the back story regarding Klaus and company. At about
the time of the IPO and Tom Noonan's debut as CEO, a major effort to
distance ISS from the computer underground began -- so money obviously
had something to do with it. But was the effort really necessary?
I spoke with Dr. Daniel Geer, president-elect of USENIX and CTO of
Internet security firm @stake, while I was in San Diego. I asked him
about @stake's recent acquisition of the L0pht, one of the best-known
underground "security" organizations, whose membership is as legendary
in the hacker community as the cDc's. Geer replied that he thought
people like me would be glad people like him were using people like
them (the L0pht).
And he's right. The black hat community is the very best source of
talent and expertise for firms doing serious Internet security. So why
would a firm like ISS deny its own background and that of its
employees? Perhaps the answer can be found by using its list of
clients as tea leaves.
One ISS office is located in Reston, Va., between Dulles Airport and
federal intelligence agencies such as the NSA, CIA, DIA, and so on.
Perhaps in order to land some government contracts, an image of never
having sinned must be maintained -- or at least claimed. But why would
a federal agency require such disclaimers in a contract when they know
better than most that black hats are the experts? To paraphrase a
classic line from a movie, "Would you like to play Global Information
Warfare?"
What do you think? Do I finally have ISS sized up correctly? Do you
have theories about whether Internet security firms should use black
hats? Or given that they do, that they should confirm or deny that
fact? Let me know. Obviously, I've still got a lot to learn.
Addendum: After this article was posted, Christopher Klaus contacted
me to offer his side of the story. I outlined my conversation with him
in the sidebar below.
--
Christopher Klaus responds
After this article had been posted, Christopher Klaus contacted
LinuxWorld to offer his point of view on several aspects of this
story. Klaus had been unavailable to speak to me when the story was
written.
In regards to his request that Erik Bloodaxe, then editor of phrack,
not publish the source code for ISS, Klaus stated that Erik had asked
him for permission to publish the code, and that his note, which ended
up being published in phrack, was in response to that query. "I did
not want the Internet scanner to be used as a hacking tool," Klaus
said.
As far as sitting on #hack in IRC, Klaus said, "I was doing research
for security." He stated that he was basically just listening to see
if any exploits were being posted. He denied having told Erik in IRC
that the reason he didn't want the ISS code published was that his
company was getting ready to go public.
While Klaus acknowledged that he did go by the name of "kewp" on IRC,
he pointed out that "if anyone did a whois on me, it showed my name [and]
where I was coming from, Lawrence Livermore. It wasn't like I was part
of a secret hacker underground."
About Peter Shipley's comments, Klaus said that very little of the
original ISS was based on any work by Shipley. Further, he said that
the portion of the code that was Shipley's was ultimately removed
through a "clean room" process, and that an audit of the code was
performed prior to obtaining venture capital to ensure that all the
code was ISS's.
The third item Klaus contested was his experiences at Lawrence
Livermore National Lab. Klaus denied being caught hacking into a
student BBS. He said that, during his tenure there, "they [LLNL] were
getting hacked by some German hackers, the Computer CHAOS Club." He
noted some security holes in the BBS and discussed them with some LLNL
administrators. Klaus added, "I had read Neuromancer, and I said it
would be really neat to develop some technology that would scan for a
matrix or network looking for these flaws or security holes and use
them for the good of helping Lawrence Livermore fix their
vulnerabilities."
Klaus concluded by reasserting that ISS tries very hard not to hire
"black hat" hackers, and that the company's employment agreements
stipulate that employees will be let go if they get caught hacking.