[ISN] Hackers for Hire

From: mea culpa (jerichoat_private)
Date: Sun Jan 17 1999 - 03:23:52 PST

    From: "Betty G.O'Hearn" <bettyat_private>
    Hackers for Hire
    January 14, 1999
    by Deborah Radcliff
    Lured by steady paychecks, some hackers are giving up their nefarious ways
    and joining corporate America. But can folks with aliases such as Dr. Who
    and Hobbit handle a 9-to-5 life? 
    Yobie Benjamin, glad to have an extra passenger during the congested
    morning commute, screams down the carpool lane through a Silicon Valley
    artery. From the slightly elevated perspective of his Ford Explorer, he's
    talking "corporate strategy," "business objectives" and "total customer
    solutions." Benjamin is psyched for an internetworking dinner his company,
    Cambridge Technology Partners Inc. (CTP), is hosting for more than 40 CIOs
    and senior executives from companies such as Cisco Systems Inc., Levi
    Strauss & Co. and Network Associates Inc. By all appearances, Benjamin
    seems destined to become one of them. 
    Just another hacker gone legit. 
    Until recently, hackers cloaked themselves behind their computers with
    online identities such as Oblivion, SirDystic and Dr. Who. Now, some
    hackers--at least those over 30--are stepping out of the shadows and into
    a media blizzard: coverage on "20/20," CNN, and "Silicon Valley Business
    This Week" and articles in the New York Times. They've morphed into the
    decade's cool new computer security experts. 
    But as hackers shed their old lives to move into new ones with
    high-profile jobs that earn them big bucks, technology companies and their
    customers have to wonder: Will they fit in? And can they be trusted to
    stay on the straight and narrow? 
    Some, like the 39-year-old Benjamin, are proving their worth in corporate
    environments. Benjamin was director of technology for Cambridge,
    Mass.-based Cambridge Technology Partners' enterprise security services
    division. But for every Benjamin, there are dozens of hackers who can't
    make the grade. And even more who don't want to. 
    "For some, like hackers, knowledge is power," says Penny Leavy, vice
    president of worldwide marketing and business development for Finjan
    Software Inc. of San Jose. "For others, it's money. And for others, it's
    climbing the corporate ladder." 
    Benjamin sat on the technical advisory board of Finjan, which makes
    software that defends computers and networks against malicious Java,
    ActiveX and other mobile code (small programs that are transmitted through
    networks and the Internet and then executed on the desktop).  Benjamin is
    by no means your late-night, no-life nerd. With a bachelor of arts degree
    in communications from the University of the Philippines in Quezon City,
    he has developed training films for Asian immigrants and written speeches
    for former San Francisco Mayor Frank Jordan. The father of two daughters,
    Benjamin now finds his free time consumed with "Sesame Street" books and
    preschool get-togethers--not hacking. 
    Screen first, hire later
    Benjamin calls himself an "ethical hacker," one who grew up on the
    ARPAnet, pre-Web bulletin boards and "borrowed" time-share machine space
    in the 1970s and '80s. He wears his tar-black hair well past his
    shoulders. And he's hardwired to many underground hacking groups, members
    of which worship him for his superior technical skills. In fact, one of
    Benjamin's own Sun Microsystems Inc. Solaris servers runs in a humming
    equipment room at the Berkeley, Calif., home of Peter Shipley,
    administrator for the infamous hacking group dis.org. 
    Ah, Shipley: With his Tiny Tim locks and propensity for vampire fangs and
    Goth clubs, the 33-year-old Shipley is a true technology junkie.  Going by
    the name Evil Pete among his hacker buddies, he presides over about 20
    servers and a T1 line inside his spare bedroom. 
    But now Shipley has gone corporate, too. Since early spring, he has held
    the position of chief security architect at the $10.4 billion
    international accounting firm KPMG Peat Marwick LLP of New York. 
    Screen first, hire later
    There are more like Shipley and Benjamin working for Big 5 accounting
    firms, startups and security consulting firms around the country. In fact,
    CTP's avant-garde, 20-person enterprise security services unit is home to
    about 10 hackers. These aren't your run-of-the-mill computer geeks,
    though. All hold some claim to technical fame, according to Erich Oehler,
    director of the unit. For instance, one of his hackers designed secure
    operating systems for highly sensitive government agencies. "[In terms of]
    skills and motivation, there's a lot of creativity in our group," Oehler
    Oehler is testy about emphasizing the hacking element of his year-old
    unit, and with good reason: It has cost him clients. "We're sensitive
    about saying we hire hackers because, frankly, some customers have turned
    us down," Oehler says. "They worry about all these rogue hackers running
    amok." He quickly adds that CTP protects its clients by putting all hires
    through rigorous screening and background checks. And once hired, the
    hackers must abide by the company's core values--"openness, honesty,
    dedication, respect and trust." 
    Located on the outskirts of San Francisco's Multimedia Gulch, CTP's
    security services unit conducts technical security audits for paying
    clients. The unit's offerings sometimes piggyback onto other application
    development. For example, the unit may be called upon to build security
    into a customer's newly developed electronic-commerce package. It also
    does primary research and development to identify software vulnerabilities
    and then design defense mechanisms around them. 
    While Oehler worries about spotlighting former hackers, there's no denying
    they're a hot commodity. 
    In August 1998, "20/20" broadcast a 10-minute segment in which CTP hackers
    cracked a financial institution's system (with permission, of course) to
    identify and illustrate the computer insecurities for that customer's
    executive management. 
    It's all part of what those in the hacking community term mediawhoring--a
    plot to legitimize their shadowy habits and cash in on a worldwide
    security services industry expected to reach $7.3 billion by 2000, based
    on figures provided by Richard Brewer, a senior analyst with Framingham,
    Mass.-based market research firm International Data Corp.  (IDC). 
    "A month after the '20/20' segment, [Benjamin] told me that the value of
    that segment couldn't be measured in terms of public relations," says Ron
    Moritz, Finjan's director of technology. "There's value in having someone
    on your team with such national recognition and professional credibility." 
    While such coverage propels hackers' careers, it also raises awareness
    about technical security issues. In a joint survey by the San
    Francisco-based Computer Security Institute and the FBI, 241 of 520
    business respondents said they lost a combined total of more than $136
    million in 1997 because of computer crime or misuse. And, for the first
    time in the survey's three-year history, more than half the respondents
    cited the Internet as the leading point of vulnerability. 
    No wonder hackers are in such demand: It's their decades of hands-on
    experience with telephone systems, dial-up modems, operating systems and
    internetworking equipment--combined with their natural paranoia and
    ingenuity--that makes them so hot. Such skill sets are tough to find, says
    IDC's Brewer, adding, "Right now, everyone's fighting over skilled
    security professionals"--which could explain why Shipley and Benjamin
    command six-figure salaries. 
    "[Benjamin] has the unique ability to understand the broader business
    implications of a particular technology effort," says Finjan's Moritz.  At
    many a quarterly technology review, for example, Benjamin has asked
    questions that skirt the obvious and provoke Finjan's developers to tackle
    project development in a more comprehensive way. 
    Douglas Graham, a KPMG partner specializing in electronic commerce, feels
    the same way about his hire, Shipley. "You're probably wondering why a big
    accounting firm would hire hackers," he says with a smile.  Essentially,
    Graham explains, it's a toss-up between National Security
    Administration-trained hackers "because the NSA has an awful lot of money
    to look into security issues," and ethical freelance hackers "because they
    have an awful lot of time to look into security issues." 
    A little different
    Continues Graham, "Yes, hackers dress a little differently. And their
    tastes in music can [be] kind of strange. But some, like [Shipley], are
    comfortable technically, very ethical and straightforward. And he wears a
    suit to client meetings." 
    Not just any suit, but a Brooks Brothers suit, boasts Shipley, whose words
    spill out so fast they often slur. 
    Shipley also has achieved fame in the hacker community. An overflow crowd
    awaited him at the Eighth Annual Conference on Computers, Freedom and
    Privacy, held in Austin, Texas, Feb. 18-20, 1998, where he discussed
    Internet security holes. Ditto for his update talk at the annual DEFCON
    hacker conference last summer in Las Vegas. At DEFCON, he spoke about his
    experiment with war dialing, which is a technique hackers use to scan
    telephone prefixes to determine which numbers are linked to modems. 
    Shipley rigged his computer to dial 5.3 million Bay area phone numbers
    looking for exploitable modems. Of the phone numbers that turned out to be
    connected to modems, 75 percent were insecure enough for a hacker to get
    into the computer systems attached to them. 
    "KPMG respects my technical knowledge," says Shipley, who is vague about
    his job description because it involves software product development with
    some big-name industry players. But much of his work is similar to what he
    did in his 10 years as an independent contractor--security assessments for
    clients sprinkled with a couple of lectures each month.  Only now he has
    an expense account. And he's managing projects and helping hire other
    Graham insists this "ethical hacker" brings value to KPMG by convincing
    clients they need help securing their computers. For instance, it took
    Shipley a mere two hours to show a banking client that it had wasted
    millions on some ineffectual security efforts. "[Shipley] demonstrated
    this dramatically by remotely bringing down the main server while the
    client's chief information officer watched," Graham explains. The bank was
    happy with Shipley's work, especially because he discovered the security
    flaws before the bad guys did. 
    According to Graham, there's a technical career path for such people at
    KPMG, though he has yet to figure out exactly what that is. Shipley's
    take: He may make it to middle management but not to partner level because
    he lacks the necessary formal education, management background and
    corporate experience. 
    Dog that dogma
    Despite such glowing reviews, many in law enforcement and industry will
    never trust hackers, even reformed or white-hat (nonmalicious) hackers, as
    these born-again security specialists call themselves. 
    "Culturally, there's a lack of trust when it comes to hackers," says Rob
    Clyde, co-founder of Rockville, Md.-based Axent Technologies Inc., a
    computer security tools company. 
    Bad habits
    Clyde makes his point by relating a story of the disaster that befell an
    Axent client three years ago. That client, a government agency, contracted
    with a hacker to clean up its systems. When the hacker left, the agency
    discovered that he had posted its system's vulnerabilities on underground
    hacker Web sites and bulletin boards. Many of those holes hadn't been
    patched yet. "That agency will never hire a hacker again,"  Clyde says. 
    But even that kind of treachery sometimes gets a positive spin: These
    hackers are doing corporate America a favor by breaking systems and
    publishing weaknesses because it forces software vendors to fix inferior
    products. For instance, two years ago, Benjamin discovered a way to
    manipulate the security settings on Microsoft Corp.'s Internet Explorer
    3.0. As the code enters a computer, it drops the security level to give a
    cracker (a bad-guy hacker) control of the machine. Benjamin immediately
    informed Microsoft of the weakness, and the problem has since been
    Benjamin's former unit at CTP was even turning such code into profit.  The
    unit was cataloguing and documenting all known hacker attacks against
    various systems to run against clients' systems when assessing their
    computer security measures. This knowledge base would make his
    organization's job much more efficient, according to Benjamin, because the
    team would be able to launch attacks against clients' systems from a
    single source. 
    Despite the new air of legitimacy, many hackers--especially the younger
    ones with no formal education--don't have much of a future in corporate
    "I've had my share of hackers inquiring about jobs here," says Finjan's
    Moritz. "Most are immature, and I don't trust them." Many, he says, boast
    about technical prowess they don't possess, and others try to strong-arm
    Finjan into buying their polluted code. "They'll come in and tell me they
    [have] a new virus in ActiveX or Java," Moritz says. "When I ask one to
    show me, he'll say he won't until I pay for it. We show [these kind of
    people] the door. It's usually something we already know about that they
    got [from] the Net." 
    Benjamin adds that poor communications skills prevent even those hackers
    with better ethics from being regarded as corporate material. "It shows
    when you take them into a corporate environment and say, 'I need you to
    write something,'" he explains. 
    And even white-hat hackers such as Shipley and Benjamin can suffer
    transition problems. Both complain about internal politics,
    inefficiencies, paperwork, their PR "flacks" and the bureaucratic red tape
    that most corporate lifers have learned how to handle. For now, however,
    the pair is willing to play the game. 
    Others, such as 29-year-old Yetzer-RA, are wavering. Yetzer-RA, who wants
    to keep his identity secret to protect his employer, would just as soon
    ditch his job as a Microsoft NT security administrator at an East Coast
    medical facility. It's not that he minds wearing a tie to work four days a
    week. What bothers him is the internal politics. He's not popular with the
    old-timers. "[In 1997], I ran a security sweep on a machine and found that
    12 people could access that computer without passwords," says Yetzer-RA.
    "I brought this to my boss' attention, but those responsible for the
    machine were not pleased." 
    Blame it partially on his direct manner, which can be perceived as
    insubordinate and rude. The burly, long-haired Yetzer-RA, who has a
    penchant for silk vests, says he's holding out for the day he can work for
    himself; for now, though, he lacks the necessary skills. 
    Hobbit, however, is another story. His real name is Al Walker, but he goes
    by Hobbit because he never wears shoes (even during Massachusetts
    winters). He, too, is a legend in the hacker community. 
    Seven years ago, the 38-year-old Hobbit tried corporate life. He spent
    three years managing the computer systems at collegial startup FTP
    Software Inc. in North Andover, Mass. (acquired in August 1998 by
    networking software provider NetManage Inc. of Cupertino, Calif.). At the
    time, Finjan's Leavy worked at FTP as vice president of worldwide sales.
    Barefoot or not, says Leavy, "Hobbit is a truly brilliant individual." 
    Hobbit jumped off the FTP ship in 1994. "The suits came in and took over
    at the time of our IPO," he explains. "It started going icky--corporate
    and marketing-driven instead of tech-driven. My sleaze meter paged, and I
    In his mad-scientist way, Hobbit would be content to build computers from
    the componentry he picks out of trash bins and driveways.  Ultimately,
    he'd like to make all computers inherently secure.  Unfortunately, he
    says, "Nobody's interested in funding research in discovering security
    To pay his bills, Hobbit has worked out consulting gigs at two local
    Internet service providers that occupy 10 to 30 hours of his week. He has
    no desire to return to corporate America, he says, except for the
    occasional consulting engagement. 
    One of these engagements, at the United States Federal Reserve Bank of New
    York, brought Hobbit and Shipley together in 1997 to train the Reserve's
    Red Team (technicians who hack against the Reserve's system to test for
    security flaws). Soon after, Benjamin did some computer security
    evaluation at the Reserve. 
    It was a stretch for those in the staunch, conservative banking
    environment to welcome these guys. Shipley showed up in his black Dracula
    cape. And Hobbit, with his bare feet and waist-length brown hair, was a
    sight to behold. Benjamin fared better: He wore a suit.  After they
    started covering their material, however, appearances were forgotten,
    according to Paul Raines, the Reserve's VP of electronic security. "I was
    impressed by their professionalism, their detailed knowledge and their
    willingness to help," he says. 
    At the time, Benjamin's CTP unit was in discussions with an entertainment
    conglomerate to secure satellite feeds for the Winter Olympics in Nagano,
    Japan. When scheduling conflicts arose, he'd tell his unit, "Forget
    Nagano. This is the Federal Reserve," Raines recounts with a chuckle.
    "Benjamin saw the importance of what the Federal Reserve represented, not
    only for the U.S. banking system, but also for the international banking
    As former operation commander for the U.S. Air Force's Minute Man nuclear
    missiles, Raines is no dupe. He runs criminal-background checks on all
    people who work with the Reserve's computers. He also limits their access
    to only those machines they're testing. And he asks for a liability
    contract. Raines advises anyone considering hiring hackers to do the same. 
    Thus, hackers in corporate environments walk a tightrope. While they're
    trying to shed bad habits, stay on the right side of the law and
    speed-learn corporate culture and business strategy, skeptics are just
    waiting for them to fail. 
    Yet as long as hackers who've gone legit have avoided accumulating police
    records, those with the right combination of technical skills,
    critical-thinking ability and ambition can earn management's trust and
    forge a path to the executive suite. Benjamin is a good example: In late
    November 1998, he joined Big 5 accounting firm Ernst & Young LLP of New
    York as a general partner and global strategist for electronic commerce,
    Internet and emerging technologies. 
    Deciphering Hackerspeak
    There's a certain mystique surrounding hackers. Are they First Amendment
    revolutionaries liberating information for the public's benefit? Or are
    they malicious scoundrels bent on wreaking havoc by infecting computer
    networks with faulty code? It depends on whom you ask. 
    While some so-called ethical hackers want to set the record straight and
    change public perceptions of the hacker community, most prefer to remain a
    mystery. They operate in what they call "the underground," a subculture
    based on an unusual blend of anonymity and camaraderie. Most hackers
    protect their true identities by assuming aliases, and they protect their
    brethren by sniffing out wanna-bes and outsiders. 
    A dead giveaway that you don't belong in hacker inner circles is failure
    to understand the vocabulary, so Upside did some investigating and
    compiled this glossary. It may not garner you instant acceptance, but as
    more hackers go corporate, knowing their lingo will help you communicate
    with your new co-workers. 
    Carding: The naughty--and illegal--practice of committing credit card fraud
    by commandeering someone's card number to purchase goodies for yourself
    and your friends. While advances in credit card security have made carding
    more difficult, electronic commerce is a carder's dream come true.
    Cracker: A bad-guy hacker. The larger hacker population, which purports to
    oppose criminal activity, uses this term pejoratively to refer to hackers
    who break security on systems for the sole purpose of committing evil
    Cypherpunk: Someone obsessed with using encryption to keep data private.
    In particular, cypherpunks seek to prevent the government, which they
    liken to Big Brother, from accessing their information. Paranoid hackers
    who believe in conspiracy theories tend to become cypherpunks.
    Easter egg: A message, image or sound effect that a programmer hides in a
    program's object code as a joke. Harmless and often amusing, Easter eggs
    can be found in most applications. Here's an easy-to-view example: Open
    Netscape Navigator 3.0 and press CTRL-ALT-F at the same time. You'll be
    magically transported to a real-time fishcam, courtesy of Netscape
    programmer Lou Montulli.
    Media whore: In the hacker subculture, stepping out of the underground and
    into the media spotlight is the ultimate betrayal. Hackers who pander to
    the press for personal glory or fame are cast aside and labeled media
    Phreaking: Hacking into a telephone system, usually to make free
    long-distance calls. Computer hacking and phreaking go hand in hand,
    though some people are pure phreakers. The tools of the trade are homemade
    electronic devices called "boxes." The most common--the Red Box--enables
    hackers to make free calls. More sinister is the Bud Box, which is used to
    eavesdrop on others' phone conversations.
    Samurai: A hacker who hires out for legal cracking jobs, breaking into
    systems to test their security. These professional hackers see themselves
    as warriors defending their employers' systems from unethical crackers.
    Another term used to describe these hackers for hire is sneakers.
    Suit: What hackers call the rest of us behind our backs. The term reveals
    the contempt most hackers have for the conventions of corporate America,
    especially the wearing of suits. Government officials (think FBI and
    National Security Administration) are also commonly referred to as
    Tentacle: A fake identity used by a hacker in cyberspace to perform bad
    deeds without getting caught. One person may have multiple tentacles, or
    Trojan horse: Hidden code within a legitimate program that causes the
    program to malfunction. As legend has it, during the Trojan War the Greeks
    hid in a hollow wooden horse to gain entrance into Troy so they could
    launch their attack. Similarly, hackers use Trojan horses to infiltrate
    Virus: Probably the best-known term in the lexicon, a virus is an
    independent program that corrupts computer data and systems. What makes
    viruses so nefarious is that they replicate and are unknowingly
    transferred from one computer to another. You think it's bad when the flu
    goes around the office--try a nasty computer virus! Weapons of choice for
    most crackers, some viruses can cause irreversible damage. Of course,
    software providers such as Network Associates Inc. and Symantec Corp.
    aren't complaining--they've made a fortune selling virus-protection
    War dialer: A program that scans telephone prefixes to determine which
    numbers are linked to computer equipment such as modems or fax machines.
    War dialers are an important part of a phreaker's arsenal.
    Warez: Pirated software illegally distributed and downloaded from the
    Internet. Widely circulated among crackers, warez programs are versions of
    commercial software that have already been cracked. Die-hard warez users
    refer to themselves as "warez d00dz."
    White hat: A nonmalicious hacker, also known as an ethical hacker or a true
    hacker. These hackers claim to come in peace. While their activities are
    still considered illegal, white hat hackers see themselves as harmless
    information hounds. They hack to satisfy their curiosity, not to damage
    computer systems or engage in other criminal activity.
    Worm: Like its squishy invertebrate namesake, a computer worm is creepy.
    Similar to a virus, a worm is a cracker program that replicates and
    spreads from one network to another. But unlike a virus, a worm can damage
    a computer system without being activated by a user. --Natalie Fonseca
    Hacker havens
    In the online hacker community--the Underground--people with aliases such
    as Brimstone and Lord Somer host Web sites from unknown locations.  After
    all, the key to hacker success is anonymity. 
    Upside decided to expose some of these sites for your surfing pleasure. 
    Whether you're a hacker wanna-be looking to hone your skills or a curious
    bystander interested in finding out how "the other half" lives, get your
    kicks by visiting these underground hacker sites. Just don't tell anyone
    Upside sent you! 
    2600 Magazine: The Hacker Quarterly
           This site is the home page for 2600 Magazine, the Middle Island,
           N.Y.-based publication for and about hackers. Prominently
           featured on the site is the Kevin Mitnick Lockdown Clock, which
           lists precisely how long (down to the second) the infamous hacker
           has been "imprisoned by the U.S. government without a trial."
           Less political is the Hacked Sites of the Future section, which
           illustrates what some well-known Web sites might look like if
           hackers got their hands on the code. The spoofs include fake
           copies of the Amazon.com Inc. and Microsoft Corp. home pages.
           This San Francisco Bay area-based site is run by the DOC (Dis.Org
           Crew), a loosely formed network of about a dozen hackers. Unlike
           their counterparts who engage in illegal hacking (also known as
           cracking), the members of this group have gone corporate. While
           the site contains general hacking information and a discussion
           list, its main purpose appears to be promoting the group's
           computer security consulting business.
    Hacker News Network (HNN)
           A takeoff on Ted Turner's Cable News Network (CNN), HNN aims to
           be the leading news source for hackers worldwide. Dissatisfied
           with the mainstream media's portrayal of hackers and their
           comings and goings, HNN's founders provide what they call "the
           real news from the computer underground for the computer
           underground." While HNN is no substitute for CNN, it's a good
           place to find out which hackers The Man has busted. If you're a
           hacker who frequently grants media interviews (referred to on the
           site as a "media whore"), there's a handy article titled "A
           hacker's guide to talking to the media" in the Original Content
           HDC (Hackers Dot Com), run by eight underground gurus, is the
           ultimate resource for so-called "ethical hackers." According to
           the HDC crew, the site is about "freedom of speech, freedom of
           information, ethics and satisfying curiosities." In other words,
           if you're looking for tips on how to infiltrate the FBI's
           computer network, this isn't the site for you. But its extensive
           archive, Neophyte section for beginners and links to like-minded
           sites should keep you busy for some time. As a bonus, fans can
           purchase a hackers.com e-mail address for $50 a year.
    The Hacker's Layer
           Evil lurks within the Hacker's Layer. Home to the darker side of
           the hacker community, this site offers tutorials on most types of
           illicit hacking activities. Every parent's nightmare, the hosts
           of this site offer tips on how to commit credit card fraud and
           otherwise disturb others' privacy. Law-abiding citizens will find
           this site truly frightening.
    L0pht Heavy Industries
           The hackers behind this site decided to turn their hacking
           know-how into a legitimate enterprise by forming LHI Technologies
           LLC. The band of hackers, which operates from a secret location
           in Boston, offers consulting services for those looking to secure
           their networks from, well, other hackers. Visitors to the Web
           site can also purchase three LHI software products that identify
           vulnerabilities in computer networks. Perfect for network
           administrators and shaggy miscreants!

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:16:15 PDT