[ISN] Rebels with a cause

From: InfoSec News (isnat_private)
Date: Mon Apr 30 2001 - 22:19:26 PDT


    http://www.torontostar.com/cgi-bin/gx.cgi/AppLogic+FTContentServer?pagename=thestar/Layout/Article_Type1&c=Article&cid=988515142192&call_page=TS_@Biz&call_pageid=971794782442&call_pagepath=Business/@Biz&col=971886476975
    
    Rachel Ross
    TECHNOLOGY REPORTER
    Apr. 30, 2001
    
    DETROIT - It's a Saturday afternoon and a handful of teens have paid
    good money to learn math. Really hard math. The kind you learn in your
    final year of university.
    
    Fifteen, sixteen, seventeen year-olds - and a couple of adults too -
    are quietly taking notes.
    
    A very smart man in a white lab coat writes equations on large sheets
    of paper tacked to the wall at the front of the room.
    
    He's teaching them about elliptic curve cryptography, math used to
    obscure data into a code that can later be deciphered. It's used to
    encrypt information traveling over the Internet.
    
    Cryptography is one of many topics covered at the annual network
    security conference known as Rubi Con, where hackers - yes, those kids
    who try to break through security into computer systems - and security
    professionals give presentations, and learn from each other's
    adventures.
    
    These are keeners who understand the digital things that most people
    have no clue about. They read computer code, manuals for phone
    equipment and sometimes other people's e-mail. They find the
    weaknesses and flaws in the software and hardware we use every day. But
    these guys - well, most are male, though not all - aren't usually
    after money or infamy. And they don't leave a trail of trouble
    wherever they go.
    
    ``Many hackers are actually just curious technophiles,'' said Denis A.
    Baldwin, network administrator for Michigan lighting firm CAE, Inc.
    who attended the conference. They ``choose to be civilized in their
    conquests to prove their efforts and skills. No need to break
    something to prove your point if you can leave it standing for
    generations to come to see and prove against as well, right?''
    
    Says Nick Farr, one of the conference organizers: ``They are the
    Edisons, the Teslas . . . the kids who grew up immersed in the
    information age, and the generation that will probably make the
    strongest contributions to its fundamental infrastructure.''
    
    There are hackers who want to use your credit card number - but most
    of them just want to prove that they can get it.
    
    It's difficult to generalize about a group of people whose defining
    quality is independent thinking. They don't all hate cats, take drugs
    and listen to punk music. There is no hacker uniform. The one guy at
    this conference with the green dreadlocks and chains hanging from his
    pants actually stands out from the rather average-looking crowd.
    
    The biggest thing they have in common is their curiosity. It's also
    their greatest gift, something the business world shouldn't overlook.
    They're brainy, brash, attracted to riddles, energized by a bit of
    risk.
    
    ``Hackers, by their fundamental nature, enjoy the exploration and
    creative manipulation of information systems,'' says Farr, who calls
    himself a ``hacker sociologist.'' He is completing his thesis at the
    University of Michigan on the work ethic of hackers and how they fit
    in with the current corporate culture.
    
    ``If an employer can channel a hacker's energy into a project, the
    hacker will work furiously and without additional reward to solve the
    problem or finish the project.''
    
    About half a dozen teens drove down from Ontario for the annual
    conference, eager for knowledge. Some of them want to learn how to
    break into things - both physical and digital. In contrast, others
    want to be able to better secure their networks.
    
    The Canadian clan brought three cars' worth of computer equipment to
    the conference, including several desktop computers, a couple of
    laptops and a lot of wire to connect them all together.
    
    Most of them met for the first time just a few months ago at a meeting
    for hackers, an Ontario chapter of the popular hacker publication
    2600. Such meetings are held all over the U.S. and Canada.
    
    2600 - the trade magazine for hackers - takes its name from the early
    days of hacking, when the phone system was the primary target for
    inquiring minds. So-called ``phreakers'' would use a variety of
    techniques to make free long-distance calls. One popular technique
    used a whistle from the breakfast cereal, Captain Crunch, which
    happened to produce a tone of exactly 2600 hertz. Play that thing into
    a phone and voila, free long distance.
    
    Today's phone systems aren't vulnerable to the Captain's whistle, but
    2600 lives on as the title of the magazine.
    
    The two young men who founded this particular 2600 chapter and led the
    rest of the gang down to the conference call themselves Flame0ut and
    PrussianSnow. Everybody's got a nickname here: Cyanosis, Prez, Asher,
    Carbon. It makes a lot of sense given that much of what they do isn't
    legal.
    
    There's no magic naming system. It's usually based on something they
    like or something that just sounds cool.
    
    (Their nicknames will be used throughout this story to protect their
    identities.)
    
    PrussianSnow, a spindly guy in a long black trench coat with a
    mustache and long black hair, has opted for a fairly traditional
    career path. He's been accepted at two engineering schools, and plans
    to start next year. ``That's what I want to do, that's who I am.
    Analyzing systems, figuring stuff out. That's what I'm really
    interested in.''
    
    Flame0ut looks like he's always thinking, but he's given up on the
    educational system - he dropped out of high school. He said he was
    failing all his classes. Now he works as a network administrator. But
    the job, like school, doesn't challenge him enough to keep him
    interested.
    
    Sara Housser is a spokesperson for Career Edge, which helps students
    without experience get a first job. While she recognizes their skills,
    she questions how well they will ultimately fit into the workplace.
    
    ``Are they going to be able to do the day-to-day stuff that's
    required, or will their attention span waver?'' said Housser. ``Will
    somebody else's agenda keep them interested?''
    
    According to Farr, ``youthful hackers are being hired for jobs that
    bore them, or insult their intelligence.''
    
    Flame0ut admits he isn't particularly interested in the agenda of his
    current employer. The job, installing software, is far below his skill
    level and doesn't pique his curiosity.
    
    ``It's not just that I like to disassemble things. Boring things are
    boring to take apart,'' said Flame0ut. ``It's only complex things that
    are interesting to disassemble and they become increasingly
    interesting to disassemble when there is ingenuity involved in their
    design.''
    
    Flame0ut and PrussianSnow's most talked-about exploit, The Millennium
    Phone Hack, gave them access to free long-distance calls from any
    payphone. But they never made any. They made a couple of local calls
    to test their equipment, but once they were satisfied that their
    solution worked, they went home.
    
    There were the same kinds of non-malicious adventures at the
    conference.
    
    The guys spend a lot of time ``packet sniffing,'' a hacker technique
    that involves reading packets of data sent to and from computers
    accessing the Internet. Do you know that box that pops up when you're
    surfing the Internet, asking if you really want to submit personal
    information? If the information being sent isn't encrypted, hackers
    can read it.
    
    Sometimes a hacker can spend hours reading data and it won't produce
    anything useful.
    
    But here in Detroit, their patience paid off when they found the
    username and password for a Hotmail e-mail account used by another
    person at the conference.
    
    Someone with evil intentions would keep that password a secret, and
    use it every so often to wait for a juicy piece of e-mail to show up.
    
    The kids from Ontario did the opposite, writing the username and
    password on a big piece of paper in the lobby of the hotel - basically
    notifying the Hotmail user they have his information and he should
    probably change it.
    
    Hackers' curiosity often reaches beyond the Internet.
    
    The hackers at Rubi Con had an affinity for physical infiltration -
    breaking into abandoned buildings, exploring drains, climbing onto
    rooftops where they're not supposed to be.
    
    The hotel where the conference was held was perfect for it. The fourth
    floor has been abandoned for decades and while the elevator doesn't
    stop there, people found their way in. In small groups they explored
    the eerie rooms. Sheets were pinned to the windows to keep outsiders
    from looking in at the smashed mirrors, rusted bicycles, hanging wires
    and broken ceiling tiles. It was an infiltrator's dream.
    
    Once you set aside the illegality of their techniques, it's easy to
    see that some of these hackers are basically good people. The kind who
    will experiment, invent, and quite possibly change the world.
    
    But it would be foolish to think that all hackers are saints.
    
    Farr thinks employers do their homework before hiring a hacker.
    
    ``The question employers need to ask themselves is where and when to
    hire these innately curious folk,'' said Farr.
    
    Most computer security companies, such as Guardent in Toronto, have a
    simple rule about hiring hackers. They won't hire anyone with a
    criminal past.
    
    That leaves most of the kids at Rubi Con in the game.
    
    ``The work schedule and habits of the typical hacker are a sign of the
    workplace to come,'' said Farr.
    
    ``The best solutions come from people whose passion for their work
    drives them, not a pre-set schedule or some survival derivative
    function.''
    
    ISN is hosted by SecurityFocus.com
    


