Forwarded From: William Knowles <erehwonat_private> NEW YORK (September 20, 1998 00:07 a.m. EDT http://www.nandotimes.com) -- The hacker calling himself Mudge pushed his long hair back, scratched his beard and stared at the computer screen. He knew there was something wrong with the data traffic he was watching, but what was it? A week earlier, Mudge and his fellow hackers in their hangout known as the L0pht -- pronounced "loft" -- had acquired some software that was supposed to let computers talk to each other in code. But as Mudge watched the data he realized someone else was doing the same and maybe even decoding it, which shouldn't happen. "So you are saying that you're using DES to communicate between the computers?" Mudge recalled asking representatives of the software maker. Yes, they said, they were using DES, a standard encryption method that for years was considered virtually uncrackable. But this wasn't DES, thought Mudge. It's almost as if... Whoa. He blinked and felt the adrenaline kick in. This wasn't secure at all. In fact, the encoding was only slightly more complex than the simple ciphers kids did in grade school -- where "A" is set to 1, "B" is set to 2, and so on. The company was selling this software as a secure product, charging customers up to $10,000. And yet, it had a security hole big enough to waltz through. Instead of exploiting this knowledge, Mudge confronted the company. "You realize there isn't any secure or 'strong' encoding being used in your communications between the computers, don't you?" he asked. "Well..." "And that you claimed you were using DES to encrypt the data," he pressed. "That will go in the next revision." Mudge is a "real" hacker -- one who used to snoop around the nation's electronic infrastructure for the sheer love of knowing how it worked. His kind today are sighted about as often as the timberwolf, and society has attached to them the same level of legend. Like the wolf, they were once considered a scourge. Law enforcement and telecommunication companies investigated and arrested many of them during the late 1980s and early '90s. Today, many elite hackers of the past are making a go at legitimate work, getting paid big bucks by Fortune 500 companies to explore computer networks and find the weak spots. And none too soon. The void left by the old hackers has been filled by a new, more destructive generation. So today, Mudge -- who uses a pseudonym like others in the hacker community, a world where anonymity keeps you out of trouble -- wears a white hat. As part of L0pht, the hacker think tank, he and six comrades hole up in a South End loft space in Boston and spend their evenings peeling open software and computer networks to see how they work. When they find vulnerabilities in supposedly secure systems, they publish their findings on the Web in hopes of embarrassing the companies into fixing the problems. A recent example: They posted notice via the Internet of a problem that makes Lotus Notes vulnerable to malicious hackers... A Lotus spokesman said the company was aware of the flaw but it was extremely technical and unlikely to affect anyone. The hackers at L0pht have made enemies among industry people, but they command respect. They were even called to testify before the U.S. Senate Committee on Governmental Affairs in May. Why do they publish what they find? "If that information doesn't get out," Mudge replies, "then only the bad guys will have it." The "bad guys" are the hacker cliche: secretive teens lurking online, stealing credit card numbers, breaking into Pentagon systems, and generally causing trouble. One of L0pht's members, Kingpin, was just such a cad when he was younger, extending his online shenanigans to real-world breaking and entering. Today, L0pht keeps him out of mischief, he said. "We're like midnight basketball for hackers," said Weld Pond, another member. **** Malicious hacking seems to be on the rise. Nearly two out of three companies reported unauthorized use of their computer systems in the past year, according to a study by the Computer Security Institute and the FBI. Another study, from Software AG Americas, said 7 percent of companies reported a "very serious" security breach, and an additional 16 percent reported "worrisome" breaches. However, 72 percent said the intrusions were relatively minor with no damage. American companies spent almost $6.3 billion on computer security last year, according to research firm DataQuest. The market is expected to grow to $13 billion by 2000. Government computers are vulnerable, too. The Defense Department suffered almost 250,000 hacks in 1995, the General Accounting Office reported. Most were detected only long after the attack. This is why business booms for good-guy hackers. Jeff Moss, a security expert with Secure Computing Inc., runs a $995-a-ticket professional conference for network administrators, where hackers-cum-consultants mingle with military brass and CEOs. "I don't feel like a sellout," said Moss, who wouldn't elaborate on his hacking background. "People used to do this because they were really into it. Now you can be into it and be paid." News reports show why such services are needed: ----Earlier this month, hackers struck the Web site of The New York Times, forcing the company to shutter it for hours. Spokeswoman Nancy Nielsen said the break-in was being treated as a crime, not a prank. The FBI's computer crime unit was investigating. ----This spring, two California teenagers were arrested for trying to hack the Pentagon's computers. Israeli teen Ehud Tenebaum, also known as "The Analyzer," said he mentored the two on how to do it. The two Cloverdale, Calif., youths pleaded guilty in late July and were placed on probation. ----Kevin Mitnick, the only hacker to make the FBI's 10 Most Wanted list, was arrested in 1995, accused of stealing 20,000 credit card numbers. He remains in prison. A film called "TakeDown," about the electronic sleuthing that led to Mitnick's capture, is in the works. Comments protesting Mitnick's prosecution were left during the hack of the New York Times Web site. ----In 1994, Vladimir Levin, a graduate of St. Petersburg Tekhnologichesky University, allegedly masterminded a Russian hacker gang and stole $10 million from Citibank computers. A year later, he was arrested by Interpol at Heathrow airport in London. ****** "Lemme tell ya," growled Mark Abene one night over Japanese steak skewers. "Kids these days, they got no respect for their elders." Abene, known among fellow hackers as Phiber Optik, should know. He was one of those no-account kids in the 1980s when he discovered telephones and computers. For almost 10 years, he wandered freely through the nation's telephone computer systems and, oh, the things he did and saw. Celebrities' credit reports were his for the taking. Unlimited free phone calls from pilfered long-distance calling card numbers. Private phone lines for his buddies, not listed anywhere. And the arcane knowledge of trunk lines, switches, the entire glory of the network that connected New York City to the rest of the world. But Abene's ticket to ride was canceled in January 1994, when, at age 22, he entered Pennsylvania's Schuylkill Prison to begin serving a year-and-a-day sentence for computer trespassing. The FBI and the Secret Service described him as a menace. The sentencing judge said Abene, as a spokesman for the hacking community, would be made an example. And yet, to many in the digital community, Abene's offenses amounted to unbridled curiosity. He was just a kid poking around, doing what teen boys do, going to places they're told to avoid. "Phree Phiber Optik" pins appeared. Many felt Abene embodied the hacker ethic espoused by his friend and fellow hacker, Paul Stira: "Thou Shalt Not Destroy." With black hair parted in the middle and falling to the center of his back, a thin beard ringing his mouth, the 26-year-old Abene still looks like a mischievous kid. Hacking, he said, is hardwired in boys. When they play with toys when they're young, they break them, then try to figure out how the parts fit back together. He added, "For some of us, it just never goes away." ****** Still, the hackers of the 1980s and early '90s have grown up. Some got busted, others simply graduated from college and fell out of the scene. Today, many want to be seen as mainstream, said Jeremy Rauch, a network security expert for Secure Computing Inc. When it's time to talk consulting contracts with major corporations, the hair gets neatly combed, the suit replaces the combat boots and black T-shirt, and the counterculture rhetoric gets toned down. A hacker in San Francisco who edits the online publication Phrack and goes by the pseudonym Route talks about his job at a security firm as a sign of maturity. Contentedly, he notes he can work from home, write as much code as he can and never punch a clock. "Are there still hackers out there?" asked Mike Godwin, counsel for the Electronic Frontier Foundation, a cyber-rights group. In the early 1990s, he pushed hard for the organization to champion Abene and other members of the cyber gang Masters of Deception. By 1993, he said, hysteria surrounding hackers began to sputter, to be replaced by a fear of pornography. "There never were very many hackers," he said, not major ones, anyway. Mainly, they were and are "this tiny minority of 13- to 18-year-olds who learned how to make toll-calls for free." Today's younger hackers pull programs off the Web that sniff for passwords and unlock backdoors automatically. It's the equivalent of rattling every door on a street and finally getting lucky, chancing upon one that's unlocked. As for the true hackers of the first generation, Godwin said: "These guys are genuinely smart and genuinely have a fascination with the technology. And they're mostly harmless." ********* What do younger hackers say to all this? Not much, if you judge by interviews at DefCon6.0, the sixth annual hacker forum and party held in Las Vegas at the end of July. Some said they hack to learn. Others took a counter-culture stance: hacking as civil disobedience. They wouldn't give names or talk specifically about any criminal activities. It was as if they wanted to present themselves as blank slates, upon which the fears of their non-wired elders could be inscribed. At DefCon, they set off stink bombs at one point, and pulled other juvenile pranks. "Paging Mr. Mitnick," the intercom droned through the hotel-casino's meeting rooms. The unwitting hotel staff member repeated the call for the jailed hacker. "Paging Mr. Kevin Mitnick." Pony-tailed guys dressed in black smirked. Gotcha. As hard house and techno music provided a soundtrack, they drooled over new software and pawed through piles of stuff for sale: computer equipment, of course, but also more books on conspiracy, privacy protection, and police methods than any paranoid could want. Among the titles: "Scanners & Secret Frequencies," "Secrets of a Super Hacker," even "Throbbing Modems." The kids flocked to DefCon's talk by the "white hat" hackers of L0pht. "We're in the middle generation right now," said convention organizer Moss. "You've got your original hackers from MIT -- the old school -- who are established. They're the forefathers of this information revolution. And you've got us who watched computers go from mainframe to desktop to laptop. And you've got the younger generation that have always known computers." -o- Subscribe: mail majordomoat_private with "subscribe isn". Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:05:01 PDT