[ISN] Prime time for hackers is over

From: mea culpa (jerichot_private)
Date: Tue Oct 27 1998 - 16:42:22 PST

    Prime time for hackers is over

    The question hangs in the air like the grin of the Cheshire cat, a koan
    posed by a 28-year-old programmer sitting in his apartment in Denver.
    Blosser has a lot more room to stretch out in his place these days, now
    that the FBI took away his Pentium II (Blosser called it Big Boy), his 486
    (Little Boy) and a pile of his CDs. It's all gone, perhaps forever. And so
    is his job as a computer consultant.

    Blosser lost big because he used his client's computers to go on a
    careless quest for a mathematical grail -- the next Mersenne prime. Ever
    since Marin Mersenne identified a unique class of prime numbers in the
    17th century, digit-searchers have been on the prowl for the next Big One.
    Their search reached the Internet a few years ago, with the release of
    Mersenne-hunting software that anyone can download.

    Blosser, a systems consultant working for US West, installed it on the
    company's customer service network in September. He should have known how
    to configure the software to run in the background, but instead he
    misconfigured the machines so that they checked for network activity every
    two seconds instead of every 20 minutes -- flooding the system with
    packets in the process.

    "We noticed a degradation of service at once," says a spokesman for US
    West. "We respect the pursuit of knowledge, but our workers tend to get
    irate if the network is not available for work." Thus, while the
    investigation of the case continues, US West is urging the FBI to
    prosecute Blosser as quickly as possible.

    Like most hackers, Blosser wasn't trying to be bad. He was trying to
    advance knowledge, solve a puzzle, find out how things work.  From
    Leonardo da Vinci to Dark Tangent, "white hat" hackers have always been
    driven by a passion for knowledge, not a desire to foul things up. When
    Blosser loaded the Mersenne program onto the network at US West, he wasn't
    trying to bring down the network.  And he certainly wasn't trying to hide.
    (His name and e-mail address were all over the software.)

    But his hack was unnecessary. The Golden Age of Hacking, which began in
    the '60s when mainframes at MIT became the Big Toy of a new generation, is
    over. Kids did this kind of thing when games were cracked using Apple IIs,
    then sent to friends via slow, acoustic-coupled modems at 300 bauds per
    second. Laws against unauthorized computer intrusion were all but
    nonexistent then. The challenges of playing the game and cracking the game
    were identical.

    Today, hackers play the game of life with real money on the table and the
    credible threat of prison sentences hanging over their heads. Taking over
    a Baby Bell's network in the pursuit of pure knowledge may sound romantic,
    but more experienced hackers say it no longer makes much practical sense.

    "The media tends to portray all security breaches as 'hacks,' but hacking
    is not just about security," says security professional Yobie Benjamin.
    "It's about the whole domain of computer science -- moving from node to
    node to see how things look. It's about harnessing the power of
    distributed computing." Benjamin laughs. "Blosser needs a midnight
    basketball league to keep him off the streets."

    Indeed, that's what the gang at Boston's L0pht Heavy Industries call their
    enterprise -- a midnight basketball game for hackers.  Still animated by a
    passion for Solving the Puzzle and Seeing the Big Picture, the L0pht crew
    carries those hacker ideals forward by uncovering security holes in
    Windows NT or Novell products -- without actually trespassing on anyone's
    That's easier than ever to do these days, thanks to the open-door network
    of Windows, Unix and Sun machines available at upt.org -- the computer
    playpen descended from the bulletin board system where some of hacking's
    best and brightest honed their skills before graduating into corporate and
    intelligence ranks. "A lot of the old reasons to break in just aren't
    there anymore," says security consultant Tom Jackiewicz, who helped
    administer the upt.org bulletin board.  "Nobody can say they can't afford
    a Unix box when all you have to do is throw some free Linux onto a PC. You
    want to hack a Sun system? Break into ours -- if you can."

    Jackiewicz says it's more fun to secure a network against hackers than to
    hack -- it's much more complex. You have to explore every single
    interaction among all the components, check out "all the weird shit that
    can happen."

    "A guy called the other day to say he'd gotten root in our system," Tom
    laughs. "In fact, he was trapped in one of the five subsystems we created
    to look like the system." That level of detail and complexity is where the
    most advanced hacker minds find their challenges today.

    Likewise, if it was empty processor cycles that Blosser wanted, he didn't
    need to siphon off US West's resources. When the number crunchers at
    Distributed.net decided to show that the U.S. government's security claims
    about 56-bit DES cryptography were a sham, they simply created a software
    client that anyone could download. After 4000 teams contributed computing
    power to break the code, DES fell in 212 days. The next challenge, DES
    II-1, cracked its target in 40 days. As David McNett of Distributed.net
    puts it, "I question Blosser's judgment, not his motives."

    Hacking's "white hat" ideal lives on, but suitable targets for Robin
    Hood-style adventures have become increasingly hard to find. In 1997, a
    hacker and phreaker named Se7en went on a rampage against
    cyber-pedophiles, targeting their hangouts for network subversion. Nobody
    knows for sure how many Web sites or IRC chat channels Se7en and his
    cohorts took down, but nobody lifted a finger to curtail their vigilante
    attacks.  And when Peter Shipley at dis.org uncovered gaping flaws in the
    Oakland, Calif., fire department dispatch system during a massive
    war-dialing project, authorities overlooked his campaign -- in no small
    part because Shipley volunteered to fix the holes instead of bringing
    chaos to the streets of Oakland.

    With all that in mind, Blosser's network-clogging "hack" was a throwback
    to the early 1990s, a ghost of hacking past, a Don Quixote apparition of a
    bygone age when the anarchist rhetoric of John Perry Barlow actually
    seemed to make sense to some.  Cyberspace felt more free then, even if it
    existed by permission of the military-industrial-educational complex that
    spawned it.

    Today, the laws have tightened, surveillance technologies are ubiquitous,
    big money is at stake and the borderless economy is learning to regulate
    itself. Yet when asked why he loaded that software onto the network at US
    West, Blosser, a kid who is nearly 30, laughs and says, "Why not?"

    Why not? Because it no longer pays to sustain the illusion. The hackers
    who played in that clubhouse are all going downtown, making good money
    while trying to keep their values intact. Blosser's naive quest for the
    Mersenne prime was charming, in its way -- but experienced hackers
    understand why that kind of innocence no longer has a place.

    SALON | Oct. 27, 1998

    Richard Thieme is a consultant, writer and professional speaker focused on
    the human dimensions of technology and the workplace.