[ISN] Now Hiring: Hackers (Tattoos welcome)

From: mea culpa (jerichot_private)
Date: Sat Apr 25 1998 - 15:00:12 PDT

  • Next message: mea culpa: "[ISN] UK Seminar: Proving Computer Crime"

    By Susan Moran                      
    Special to the Tribune              
    April 12, 1998                      
    Even the computer professionals who like to wear Birkenstocks and T-shirts
    to work find the dress code of GenX hackers a bit extreme. The main
    elements seem to be tattoos and nose rings. 
    They'd better get used to them. Many computer hackers, some of them
    recovering computer criminals, are adeptly turning their coveted expertise
    into big bucks. 
    A surge in computer crime, spurred by the shift to networked computers and
    by the growing popularity of the Internet, has created a huge demand for
    information security experts who can help protect companies' computer
    systems. Recent high-profile attacks on government and university computer
    networks highlighted the vulnerability of these networks and spurred
    corporate executives to seek ways to fortify their systems. 
    "Is the threat getting worse?  Definitely yes," said Eugene Schultz,
    research director of Integrity Solutions International, a subsidiary of
    San Diego, Calif.-based Science Applications Corp., a high-tech R&D
    corporation (www.saic.com). "That's largely the inevitable consequence of
    the shift from the mainframe work environment to one of interconnected PCs
    and workstations," which means anyone with access to one machine has easy
    access to the whole network, Schultz said. 
    NASA, the U.S. Navy and university campuses throughout the country were
    recently the targets of "denial of service" attacks on thousands of
    computers running Microsoft Corp.'s Windows NT and Windows 95 operating
    systems. The attacks, launched over the Internet, made computers crash but
    apparently caused no data loss. 
    In a separate recent incident, the Justice Department last month arrested
    three Israeli teenagers suspected of masterminding the break-ins of
    hundreds of military, government and university computer sites to gaze at
    unclassified information. The Federal Bureau of Investigation is also
    investigating two California teens who linked up with their Israeli
    co-conspirators over the Internet. 
    Schultz said it could have been much worse. "Do I say the sky is falling? 
    No way. But the sky could fall," he said. 
    One thing dropping from the skies into hackers' laps are fat checks from
    frightened clients. 
    Many companies are amassing teams of in-house experts to guard their
    networks against cyber prowlers, while others prefer to bring in outside
    consultants. The most experienced network security experts are often
    hackers--commonly defined as computer whizzes who love to write code (and
    not, as is often--but incorrectly--used as a generic term for a computer
    Many hackers over the years have relished poking holes in Fortune 500 and
    other big companies' computer programs and chip-making codes, and then
    publicly, brazenly attacking the likes of Microsoft Corp. and Netscape
    Communications Corp. for selling products with bugs. In fact, some hackers
    operated Web sites devoted to discovering and disclosing flaws in
    companies' products. 
    But it seems many are taking the lead from hacker-experts like Dan Farmer,
    the creator of "SATAN," a software tool for probing for security
    weaknesses on the Internet.  He was scooped up by Sun Microsystems Inc. to
    help detect and repair computer security holes. And with hackers
    increasingly in hot demand, they can demand hefty fees or salaries--an
    attractive way to pay off college tuition or supplement meager income
    Hackers' anarchistic style is gradually gaining acceptance in corporations
    and government agencies, although some conservative organizations feel
    safer renting experts from established consulting firms. 
    Fred Villella, a 60-something retired Army colonel, runs a
    computer-security consulting business out of San Diego, Calif.  The firm
    offers educational seminars for businesses and dispatches highly skilled,
    renowned hackers to help companies patch network holes and guard against
    future cyberattacks.  He knows well the unmatched talent of many funky
    hackers as well as the corporate skittishness toward them. 
    "I'm an old traditionalist, so when I first took one of my brightest young
    hackers--he had dyed yellow hair, an earring, tattoos on his arm--into a
    government research center, I was worried," said Villella. "I've got a
    long-standing reputation as a colonel. But then I relaxed when I saw the
    system administration guy (at the government site) was wearing earrings
    and the network manager had a ponytail and a beard to go with his suit." 
    That yellow-haired hacker, a 24-year-old who prefers to be known by his
    alias, "Route," also sports a tongue bar. His work as an information
    security consultant is worth $1,500 to $2,000 a day to clients who want to
    arm themselves against attacks by "crackers"--the correct term for hackers
    who use their computer expertise to commit malicious acts of infiltrating
    computer networks. On his own time, Route edits Phrack, a computer
    security journal (phrack.com). And he occasionally gives talks to
    government and corporate clients for Villella's firm, New Dimensions
    International (www.ndi.com). Route writes his own security-related tools
    and claims he's never used them for illegal snooping. 
    Route says his "fringe" appearance might help him stand out in people's
    minds and thus draw new business, but that his appearance is unimportant
    to the more computer-savvy clients who come to him for his talent.
    "Besides," he said, "I've got friends that look even more freakish than I
    Villella's New Dimensions just conducted a technical seminar in Elk Grove
    Village titled "The Hacker Phenomenon and Penetration Techniques," aimed
    at teaching corporate executives and engineers the secret formulas used by
    One way to help fend off intruders, he said, is to have employees use
    passphrases (rather than passwords, which can be readily cracked by
    software tools like L0phtCrack).  "Unless someone is really committed to
    getting your stuff, they'll go away and get something easier." 
    Villella helps hackers tempted to become crackers see that the choice
    between a potential jail sentence or a six-figure income working as
    security consultants shouldn't be too difficult to make. 
    An informal survey published earlier this month points to the increasing
    perils of the wired world--and the concomitant rising opportunities for
    hackers to capitalize on the fear and strike it rich as troubleshooters.
    The Computer Security Institute, a San Francisco-based watchdog group,
    reported that 64 percent of 520 companies said they had suffered security
    breaches within the last 12 months, a 16 percent jump over the 1997
    American Information Systems, a Chicago-based Internet service provider
    (ISP), stands among the ranks of ISPs that offer firewall solutions,
    audits and other computer security services to augment their core--and
    often unprofitable--access business. "We've seen extremely dramatic
    revenue growth in this area," said Stephen Schmidt, a vice president at
    Information security experts offer a range of services for clients. An
    experienced hacker might start with a network intrusion and penetration
    test. Basically that means breaking into a company's physical site--to
    check on the overall quality of a company's security environment--and then
    its computer network. 
    "It's fun breaking into sites," said Peter Shipley, a 32-year-old
    Berkeley, Calif., hacker whose accomplishments include breaking into most
    of the computer systems at the University of California, Berkeley, while a
    student there. He runs a consulting firm, called Network Security
    Associates (www.network-security.com), and charges $1,500 to $2,500 a day,
    depending on the project. 
    The experts also conduct external and internal security audits of a
    client's existing networks, assess the risks, and recommend improvements. 
    Another hacker who now makes a healthy living consulting goes by the alias
    "Mudge." He is a member of L0pht, a sort of "hacker think tank" 
    consisting of a handful of Boston-based hackers who work out of a loft
    space, where they research and develop products and swap information about
    computer and cellular phone security, among other things. Mudge consults
    for private and public organizations, teaches classes on secure coding
    practices, and writes his own and reviews others' code. "It pays well, but
    the money isn't the main reason I'm doing it," he said. 
    What he likes best is knowing he's among the elite experts who understand
    computer security more than big-name consultants. He's proud that he and
    his ragged assortment of hacker friends are called in to solve problems
    that stump the buttoned-down set. 
    "Not bad for a bunch of bit-twiddlers," he wrote in an e-mail missive. 
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Dimensional Communications (www.dim.com)

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:51:40 PDT