[ISN] Hackers: Under the hood - Brian Martin aka Jericho
InfoSec News
isn at c4i.org
Wed Apr 21 07:13:59 EDT 2004
http://www.zdnet.com.au/insight/security/0,39023764,39116620-3,00.htm
Name: Brian Martin
Handle(s): Jericho, Security Curmudgeon
Age: 30
Place of birth: South Carolina, USA
Marital status: Single
Current residence: Colorado, USA
Job: Independent security consultant
First computer: Tandy TRS-80
Best known for: Creating computer security Web site attrition.org
The name Brian Martin might not ring a bell in the security sphere but
"Jericho" certainly would.
Martin is known for his work behind attrition.org, an online resource
famous for cataloguing defaced Web sites and security vulnerabilities.
He cheerfully admits to "hacking his brains out" in the past. If he
was a burglar, Martin would be the type who'd break in and clean up
your house.
College life was cut short in his second year at architecture school.
"I dropped out because I thought the program was horrid and they
weren't modern," he said. Despite studying architecture and drafting,
he wasn't allowed to use a computer to complete assignments.
One of his silliest hacks, he told ZDNet Australia , was "breaking
into a machine to run 'satan' [a vulnerability scanner] after its
release only to find that we had to install Perl and a new gcc
[compiler] for the admin because satan wouldn't compile."
"You could tell a hacker [was in] a system back then ... it ran
smoother than any other on the network. Every system we hacked was
made more secure, stuff fixed and upgraded, and boxes were more
streamlined.
"It took us a full day to get the machine [to] run satan. We ran it
once, laughed, and never used it again," he said.
One time, paranoia got the better of him.
"I hacked into the phone switch to see if there was a trace on my line
... if there was, my 'investigation' would have been recorded. Back
then, half the phone switches had no login. [You'd] connect, ctrl-d to
'wake it up', and you'd have access to 200,000 phone lines," he
recalled.
But those were memories from a bygone era. Today, he's a reformed
character.
Sharing his life with three cats, Martin works as a freelance security
consultant. But, he's damning in his condemnation of the security
industry.
"I think the industry sucks. It's self destructing and over run with
criminals of one type or another," he said. "Everyone is out for a
dollar, they don't care about security any more. It's all about name
recognition, egos and cheating people out of money. [It] has been for
a while ... to the point where I just don't like it."
It's the dishonesty and lack of "real" skills that annoys him the
most. Then there's the rampant practise of overcharging for products
which Martin describes as "shoddy, band-aid solutions".
"Think about it. Consultants are hired to tell customers what security
they need but they overcharge these clients, lie about the solutions
... that's fraud ... the industry is full of criminals," he said.
Thumbing through his resume is a sobering experience. As a supporter
of infamous hacker Kevin Mitnick -- who has been imprisoned three
times for computer crime -- Martin sifted through 10 gigabytes of
electronic evidence and 1,600 pages of witness testimony in his role
as a technical consultant for the defence team.
As testament to his versatility as a public speaker, Martin has also
delivered presentations to law enforcement agencies, at the famous
DefCon hacker conference, and Blackhat briefings.
Despite his accomplishments, he once thought about throwing it all
away but realised he couldn't bring himself to disconnect from the
industry completely. "I like osvdb, and I like my friends in the
industry, and working a few days a month to live comfortably is nicer
than 40 hours a week in a store," he says.
Osvdb is the Open Source Vulnerability Database, a vast online archive
of security vulnerabilities, maintained in part by Martin, who formed
many of his friendships online.
"I'm still good friends with people I met online as far back as 1995,"
he said. "I met all of the attrition staff online at first, [and]
eventually in person. It started out with a few mails, turned into
chat for most of the day and eventually led to meeting."
"Attrition started with two or three of us, and the rest got involved
as they found a piece they wanted to help with," he added.
Martin draws no distinction between online communications and
face-to-face interaction, and believes anyone who thinks it strange
just doesn't understand.
"If you meet someone and become good friends through talking and
hanging out, then he moves across the country, do you stop being
friends with him? Of course not.
"Is it really any different that instead of a face-to-face chat, it's
done via text? Does it invalidate our conversations, what we talk
about, how we choose to bond, and how we become friends?"
Friends for life is obviously his mantra ... be they virtual or
otherwise. -- Patrick Gray.
More information about the ISN
mailing list