[ISN] Generation gap puts hackers on both sides of the fence

From: mea culpa (jerichoat_private)
Date: Mon Sep 21 1998 - 09:05:50 PDT

  • Next message: mea culpa: "[ISN] Salon Hyde Expose' Spurs Death Threats, Hacks"

    Forwarded From: William Knowles <erehwonat_private>
    NEW YORK (September 20, 1998 00:07 a.m. EDT http://www.nandotimes.com)  --
    The hacker calling himself Mudge pushed his long hair back, scratched his
    beard and stared at the computer screen. He knew there was something wrong
    with the data traffic he was watching, but what was it? 
    A week earlier, Mudge and his fellow hackers in their hangout known as the
    L0pht -- pronounced "loft" -- had acquired some software that was supposed
    to let computers talk to each other in code. But as Mudge watched the data
    he realized someone else was doing the same and maybe even decoding it,
    which shouldn't happen. 
    "So you are saying that you're using DES to communicate between the
    computers?" Mudge recalled asking representatives of the software maker.
    Yes, they said, they were using DES, a standard encryption method that for
    years was considered virtually uncrackable. 
    But this wasn't DES, thought Mudge. It's almost as if... 
    Whoa. He blinked and felt the adrenaline kick in. This wasn't secure at
    all. In fact, the encoding was only slightly more complex than the simple
    ciphers kids did in grade school -- where "A" is set to 1, "B"  is set to
    2, and so on. 
    The company was selling this software as a secure product, charging
    customers up to $10,000. And yet, it had a security hole big enough to
    waltz through. 
    Instead of exploiting this knowledge, Mudge confronted the company. 
    "You realize there isn't any secure or 'strong' encoding being used in
    your communications between the computers, don't you?" he asked. 
    "And that you claimed you were using DES to encrypt the data," he pressed. 
    "That will go in the next revision." 
    Mudge is a "real" hacker -- one who used to snoop around the nation's
    electronic infrastructure for the sheer love of knowing how it worked. 
    His kind today are sighted about as often as the timberwolf, and society
    has attached to them the same level of legend. 
    Like the wolf, they were once considered a scourge. Law enforcement and
    telecommunication companies investigated and arrested many of them during
    the late 1980s and early '90s. 
    Today, many elite hackers of the past are making a go at legitimate work,
    getting paid big bucks by Fortune 500 companies to explore computer
    networks and find the weak spots. 
    And none too soon. The void left by the old hackers has been filled by a
    new, more destructive generation. 
    So today, Mudge -- who uses a pseudonym like others in the hacker
    community, a world where anonymity keeps you out of trouble -- wears a
    white hat. As part of L0pht, the hacker think tank, he and six comrades
    hole up in a South End loft space in Boston and spend their evenings
    peeling open software and computer networks to see how they work. 
    When they find vulnerabilities in supposedly secure systems, they publish
    their findings on the Web in hopes of embarrassing the companies into
    fixing the problems. A recent example: They posted notice via the Internet
    of a problem that makes Lotus Notes vulnerable to malicious hackers... 
    A Lotus spokesman said the company was aware of the flaw but it was
    extremely technical and unlikely to affect anyone. 
    The hackers at L0pht have made enemies among industry people, but they
    command respect. They were even called to testify before the U.S.  Senate
    Committee on Governmental Affairs in May. 
    Why do they publish what they find? 
    "If that information doesn't get out," Mudge replies, "then only the bad
    guys will have it." 
    The "bad guys" are the hacker cliche: secretive teens lurking online,
    stealing credit card numbers, breaking into Pentagon systems, and
    generally causing trouble. One of L0pht's members, Kingpin, was just such
    a cad when he was younger, extending his online shenanigans to real-world
    breaking and entering. Today, L0pht keeps him out of mischief, he said. 
    "We're like midnight basketball for hackers," said Weld Pond, another
    Malicious hacking seems to be on the rise. 
    Nearly two out of three companies reported unauthorized use of their
    computer systems in the past year, according to a study by the Computer
    Security Institute and the FBI. Another study, from Software AG Americas,
    said 7 percent of companies reported a "very serious"  security breach,
    and an additional 16 percent reported "worrisome"  breaches. However, 72
    percent said the intrusions were relatively minor with no damage. 
    American companies spent almost $6.3 billion on computer security last
    year, according to research firm DataQuest. The market is expected to grow
    to $13 billion by 2000. 
    Government computers are vulnerable, too. The Defense Department suffered
    almost 250,000 hacks in 1995, the General Accounting Office reported. Most
    were detected only long after the attack. 
    This is why business booms for good-guy hackers. 
    Jeff Moss, a security expert with Secure Computing Inc., runs a
    $995-a-ticket professional conference for network administrators, where
    hackers-cum-consultants mingle with military brass and CEOs. 
    "I don't feel like a sellout," said Moss, who wouldn't elaborate on his
    hacking background. "People used to do this because they were really into
    it. Now you can be into it and be paid." 
    News reports show why such services are needed: 
    ----Earlier this month, hackers struck the Web site of The New York Times,
    forcing the company to shutter it for hours. Spokeswoman Nancy Nielsen
    said the break-in was being treated as a crime, not a prank.  The FBI's
    computer crime unit was investigating. 
    ----This spring, two California teenagers were arrested for trying to hack
    the Pentagon's computers. Israeli teen Ehud Tenebaum, also known as "The
    Analyzer," said he mentored the two on how to do it. The two Cloverdale,
    Calif., youths pleaded guilty in late July and were placed on probation. 
    ----Kevin Mitnick, the only hacker to make the FBI's 10 Most Wanted list,
    was arrested in 1995, accused of stealing 20,000 credit card numbers. He
    remains in prison. A film called "TakeDown," about the electronic
    sleuthing that led to Mitnick's capture, is in the works.  Comments
    protesting Mitnick's prosecution were left during the hack of the New York
    Times Web site. 
    ----In 1994, Vladimir Levin, a graduate of St. Petersburg Tekhnologichesky
    University, allegedly masterminded a Russian hacker gang and stole $10
    million from Citibank computers. A year later, he was arrested by Interpol
    at Heathrow airport in London. 
    "Lemme tell ya," growled Mark Abene one night over Japanese steak skewers.
    "Kids these days, they got no respect for their elders." 
    Abene, known among fellow hackers as Phiber Optik, should know. He was one
    of those no-account kids in the 1980s when he discovered telephones and
    computers. For almost 10 years, he wandered freely through the nation's
    telephone computer systems and, oh, the things he did and saw. 
    Celebrities' credit reports were his for the taking. Unlimited free phone
    calls from pilfered long-distance calling card numbers. Private phone
    lines for his buddies, not listed anywhere. And the arcane knowledge of
    trunk lines, switches, the entire glory of the network that connected New
    York City to the rest of the world. 
    But Abene's ticket to ride was canceled in January 1994, when, at age 22,
    he entered Pennsylvania's Schuylkill Prison to begin serving a
    year-and-a-day sentence for computer trespassing. The FBI and the Secret
    Service described him as a menace. The sentencing judge said Abene, as a
    spokesman for the hacking community, would be made an example. 
    And yet, to many in the digital community, Abene's offenses amounted to
    unbridled curiosity. He was just a kid poking around, doing what teen boys
    do, going to places they're told to avoid. 
    "Phree Phiber Optik" pins appeared. Many felt Abene embodied the hacker
    ethic espoused by his friend and fellow hacker, Paul Stira:  "Thou Shalt
    Not Destroy." 
    With black hair parted in the middle and falling to the center of his
    back, a thin beard ringing his mouth, the 26-year-old Abene still looks
    like a mischievous kid. Hacking, he said, is hardwired in boys.  When they
    play with toys when they're young, they break them, then try to figure out
    how the parts fit back together. 
    He added, "For some of us, it just never goes away." 
    Still, the hackers of the 1980s and early '90s have grown up. Some got
    busted, others simply graduated from college and fell out of the scene. 
    Today, many want to be seen as mainstream, said Jeremy Rauch, a network
    security expert for Secure Computing Inc. When it's time to talk
    consulting contracts with major corporations, the hair gets neatly combed,
    the suit replaces the combat boots and black T-shirt, and the
    counterculture rhetoric gets toned down. 
    A hacker in San Francisco who edits the online publication Phrack and goes
    by the pseudonym Route talks about his job at a security firm as a sign of
    maturity. Contentedly, he notes he can work from home, write as much code
    as he can and never punch a clock. 
    "Are there still hackers out there?" asked Mike Godwin, counsel for the
    Electronic Frontier Foundation, a cyber-rights group. In the early 1990s,
    he pushed hard for the organization to champion Abene and other members of
    the cyber gang Masters of Deception. By 1993, he said, hysteria
    surrounding hackers began to sputter, to be replaced by a fear of
    "There never were very many hackers," he said, not major ones, anyway. 
    Mainly, they were and are "this tiny minority of 13- to 18-year-olds who
    learned how to make toll-calls for free." 
    Today's younger hackers pull programs off the Web that sniff for passwords
    and unlock backdoors automatically. It's the equivalent of rattling every
    door on a street and finally getting lucky, chancing upon one that's
    As for the true hackers of the first generation, Godwin said: "These guys
    are genuinely smart and genuinely have a fascination with the technology.
    And they're mostly harmless." 
    What do younger hackers say to all this? 
    Not much, if you judge by interviews at DefCon6.0, the sixth annual hacker
    forum and party held in Las Vegas at the end of July. 
    Some said they hack to learn. Others took a counter-culture stance: 
    hacking as civil disobedience. They wouldn't give names or talk
    specifically about any criminal activities. It was as if they wanted to
    present themselves as blank slates, upon which the fears of their
    non-wired elders could be inscribed. 
    At DefCon, they set off stink bombs at one point, and pulled other
    juvenile pranks. 
    "Paging Mr. Mitnick," the intercom droned through the hotel-casino's
    meeting rooms. The unwitting hotel staff member repeated the call for the
    jailed hacker. "Paging Mr. Kevin Mitnick." 
    Pony-tailed guys dressed in black smirked. Gotcha. 
    As hard house and techno music provided a soundtrack, they drooled over
    new software and pawed through piles of stuff for sale: computer
    equipment, of course, but also more books on conspiracy, privacy
    protection, and police methods than any paranoid could want. 
    Among the titles: "Scanners & Secret Frequencies," "Secrets of a Super
    Hacker," even "Throbbing Modems." 
    The kids flocked to DefCon's talk by the "white hat" hackers of L0pht. 
    "We're in the middle generation right now," said convention organizer
    Moss. "You've got your original hackers from MIT -- the old school -- who
    are established. They're the forefathers of this information revolution.
    And you've got us who watched computers go from mainframe to desktop to
    laptop. And you've got the younger generation that have always known
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:05:01 PDT