http://www.business2.com/magazine/2001/06/desirable_undesirables.htm
Brendan I. Koerner
06/12/2001 issue

"Last night, I stayed up until 6 o'clock figuring out how to do this," says Riley "Caezar" Eller, a slender and bookish 27-year-old. Scribbling furiously on a dry-erase board covered with boxy diagrams representing a pair of networked computers, Eller maps out a novel cyberattack - a method of disabling a supposedly impregnable system with a few clever lines of code. His listeners nod each step of the way, occasionally grunting their approval. When the presentation is over and the imaginary defenses have all been surmounted, they break into polite applause.

Such demonstrations are part of the standard curriculum at the major security consultancies. But Eller isn't giving this lecture in a sterile conference room at PricewaterhouseCoopers or Deloitte & Touche. The setting is a subterranean hideout that closely resembles a frat house, complete with lava lamps and a rickety bar that reeks of week-old spilled Smirnoff. His cohorts - sworn enemies of office cubicles and Brooks Brothers suits - are members of an invite-only group of ace programmers, cryptography enthusiasts, and hardware wizards. Their think tank-cum-social club is known as the Ghetto Hackers.

They're a brash, fun-loving lot who revel in their notoriety as two-time champions of Capture the Flag, the Daytona 500 of the computer underground. They also enjoy a measure of renown as hosts of a celebrated bacchanal - a combination trivia contest and Animal House-style beer blast - at Def Con, the annual hacker convention. In their civilian lives, however, these self-taught technophiles make a mint locking down servers and designing hard-to-crack networks.

Publicly, Corporate America expresses nothing but scorn for the denizens of this wired-world counterculture. Yet the Ghetto Hackers and their ilk are coveted - if controversial - players in the battle against cybercrime.
While most of the major security firms insist on a hacker-free work force, even flaunting their purity in sales pitches, a host of smaller shops are scrambling to enlist the assistance of Eller and his associates. They reason that hacker talent of their high caliber is too precious to ignore.

Bad news is good news

Hiring philosophies aside, security firms large and small agree that cybercrime has reached alarming levels. Internet security breaches cost businesses around the world upwards of $15 billion a year, according to the research firm Datamonitor. In one recent survey, conducted by the Computer Security Institute and the FBI, 85 percent of respondents reported at least one attack. High-profile debacles such as last February's Yahoo! takedown have exposed the Net's soft underbelly for all to see. The resulting hysteria, coupled with a severe shortage of talent, has been a boon to savvy job-seekers, including some with the kind of after-hours hobbies that the leading lights of the security establishment claim to abhor.

With security services projected to become an $8.2 billion industry by 2004 - up from just $2.8 billion in 1999 - even low-tier workers expect base pay to average more than $75,000 a year. And the Ghetto Hackers are taking full advantage of a hot market. Michael "Koresh" Bednarczyk - at 30, one of the group's elder statesmen - is chief scientist at the Internet Security Advisors Group (known as ISAG), a highly regarded firm headed by Ira Winkler. (See "The Social Engineer") Drew "Ender" Miller, 23, a specialist in algorithms, recently left a longtime post at Datalight, an embedded-software developer, to become a programmer at LapLink.com. Eller, for his part, is the senior architect at ClicktoSecure, which makes a security scanning program called Hailstorm. Ghetto's ranks even include a high-level Microsoft employee, although his identity is well guarded. "They would recognize the name, and he positively would be fired," Eller says.
Microsoft is not alone among technology titans in its low regard for job candidates with experience on what some call "the other side." At most of the top companies, official policy bars anyone linked to the underground scene, whether by attendance at an event like Def Con or by the act of swapping hacker tools over the Internet. "I don't believe in it, because they never go straight," says Tom J. Talleur, managing director of KPMG's forensics technology services division. "The problem is one of trust. It's one thing to give someone the keys to your house, it's another to give him complete root access - access to all of your secrets." So great is the threat, Talleur says, that even guilt by association can disqualify a job candidate, no matter how exceptional his skills or clean his rap sheet.

But jobs with KPMG and other old-school industry mainstays don't necessarily tempt today's rising security experts. "I know the Big Five employed hackers in the past," says Eller, referring to the sizable security practices operated by the major accounting firms. "But I don't know if there are any really left. All the ones I know of have left for smaller, lighter, faster companies where they get meaningful amounts of equity."

Ghetto's members also take issue with the logic of the Big Five's top brass. Eller and his friends view themselves as hackers in the purest sense of the word: People who satisfy an innate curiosity by determining how systems work from the inside out. "Intimately tied to learning how things come apart is learning how to put them together so they don't come apart," Eller insists. The hacker mentality espoused by Ghetto is an elegant spin on the credo of the Russian anarchist Mikhail Bakunin: "The passion for destruction is also a creative passion." Though many learned their crafts as mischievous kids - futzing with high school networks, probing obscure NASA servers - they are now self-professed law abiders one and all.

The legal tightrope

To the average American still grappling with the Paste command in Microsoft Word, hacker is synonymous with hoodlum. Hackers are commonly viewed as terrorists, says "Rizzo," the group's resident wireless expert, and one of several members who asked to be identified only by nickname. "They think it's evil little guys sitting in basements, basically punks." The real punks, he adds, are unskilled teens who use pre-programmed hacking tools to deface Webpages by filling them with Limp Bizkit lyrics.

The Ghetto Hackers do not pretend to be candidates for sainthood, however. Many learned their trade while walking a legal tightrope. The son of a trainer on the horse-show circuit, Eller spent his self-described "white trash" childhood bouncing around the Rockies and Cascades, attending school with kids who did not take kindly to his gangly limbs, dark garb, and classroom smarts. As an 11-year-old martial arts expert, he saved up enough cash to purchase a plane ticket to Toronto for a tournament. But a premeet sprained ankle forced him to seek a life-altering refund.

"I walked into the travel agent and begged a little and convinced them to give me my money back," Eller recalls. "And when I got out, across the street they were selling Commodore 64s." With the aid of a friendly employee who gave him a steep discount, he purchased one of the low-powered machines "and basically spent the next five years locked in my room."

Since there were few tech-savvy teachers in Everett, Wash., Eller used bulletin boards to communicate with French and German hackers who taught him the programming ropes. A run of steep long-distance bills forced him to indulge in what he characterizes as "basic telco fraud," fiddling with phone cards to make them everlasting. It was that interval of law-bending that led to what he calls "The Visit" - Eller's only legal scrape.
"I had a panic button wired up," he explains, "and as soon as I saw [the cops] out there, I hit it and fried all my disks." The experience, he sheepishly adds, scared him straight.

The Visit was only a minor obstacle for Eller. He learned database programming as a teenage salesman at a mom-and-pop computer shop. As an entry-level worker at Datalight, Eller quickly ascended the salary ladder, maxing out at $72,000 per year after Def Con 7. Though coy about his current income, he is the proud owner of a high-tech condo in downtown Seattle, a domicile stocked with rack-mounted computers, a massive flat-screen Sony Trinitron, and an encyclopedic porn collection.

Though the stereotypical tech worker may be a 100-hour-a-week drone, Eller will have none of that. "I'm all down with not working," he says. He dreams of cashing out in a few years ("I'm looking at 37"), possibly to become a college professor - a lofty aim for someone who dropped out of the Everett Community College business program before earning an associate's degree.

In his lack of formal education, Eller typifies the security elite. It's a profession in which hands-on talent tends to gestate outside traditional channels. "With the proliferation of information we have now, a 5-year-old has access to all the same information as a college-level undergraduate," says Miller, a Ghetto Hacker who estimates that he is 85 percent self-taught. "People don't need to go to college; they need to apprentice, like blacksmiths or whatever. Find something you like, find someone else who is good at it, hang out with them for a couple of years.... You can have that Dairy Queen job and then turn around and be programming computers someday. I think that's awesome. Obviously, that's what I did."

A native of tiny Marysville, Wash., Miller first met Eller through the local Assembly of God church. "My parents knew I was into computers, and his parents knew he was into computers, so they kind of hooked us up," he recalls.
"I would take my systems over to his house and we'd share the latest and greatest stuff." At 15, Miller left home after a falling-out with his folks over religion - "My father basically gave me a mandate and just said, 'Our way or the highway,' so I took the highway." He begged Eller, five years his senior, for shelter. "I proposed to him some sort of deal like, I'd be his slave if he'd let me live with him," says Miller. "I cooked, cleaned, did his laundry, got into fights with his girlfriend, bummed cigarettes off of him."

Another of Miller's responsibilities was to download free software from so-called warez sites - clearinghouses for the latest hacker paraphernalia. Eller encouraged his protege to sharpen his coding skills by writing elementary games. "I wrote Tic Tac Toe," Miller says with a bit of embarrassment. "It took about two weeks and 10 pages of code. And then Caezar sat down and said, 'Watch this,' and about 15 minutes later it was a page-and-a-half of code. I didn't understand any of it."

Those mystifying tutorials taught Miller more than any high school Basic class ever could. At 17, he got a job as a quality assurance tester at Datalight, where he quickly proved his worth. After several months, "I got to the point where I was going in and finding the bugs in the tests that were testing the operating systems," he says. He boasts of making more money than his father. In his spare time, he writes algorithms for prime-number generators.

Don't ask, don't tell

The Ghetto Hackers' digital "street smarts" serve them well in their white-collar pursuits. They have a knack for solving complex security riddles - sniffing out a previously unknown vulnerability, for example, or analyzing the behavior of an intelligent virus. Last November, acting on a tip from a Cambridge, Mass.-based hacker, Eller figured out a way for advanced cybervandals to use "stack overflows" to disable a theoretically secure machine.
Before his research, the brightest computer scientists had dismissed the possibility of such an attack; Eller needed just two days to disprove the conventional wisdom. "The people who spend their mornings up until 6 a.m. trying to learn how something is broken or learn some new way to cause problems or fix problems, those are the people that are changing the world," says Eller, whose skill has earned him invitations to corporate-security conferences as far afield as Singapore. "That talent can't be measured in the kind of suit they wear."

George Kurtz, founder of Foundstone Security and a former pooh-bah at PricewaterhouseCoopers and Ernst & Young, agrees about underground-bred employees in general, and the Ghetto Hackers in particular. "In terms of talent, they are exceeding what you're going to find at the Big Five," he says. "These guys are really, really sharp folks."

Despite their supposed contempt for the underground, many big firms secretly side with Kurtz. They're willing, even anxious, to bring hackers into their ranks, as long as their nocturnal activities are kept hush-hush - a New Economy version of "Don't ask, don't tell." Any firm that claims never to hire such people "is either lying or doesn't have any expertise on staff," Rizzo says. "If you want to do something right," he adds, "you're going to hire an expert, right? What firms want to avoid is the appearance of having a bunch of law-breaking hooligans that are uncontrollable on their staff."

Several firms, in fact, covertly wade through the underground in search of untapped talent. The Ghetto Hackers have been persistent targets of corporate recruiters, especially since their successive victories at Def Con's Capture the Flag event, a 48-hour digital joust in which teams score points by hacking rivals' machines. "After we won at Def Con 7 [in 1999], we got tons of job offers," says Eller, who himself became the object of a bidding war that led to a 20 percent raise.
"And all because of something that only took us a couple of hours."

Corporations that shun underground talent are only cheating themselves, says "Palante," a Ghetto Hacker who works in the information security consulting division of a corporation he declines to name. "When it comes to hiring hackers, remember that we're talking about a company paying someone to tell it about risks it may not even know exist," he wrote in a response to an antihacker screed published in the Toronto Globe and Mail last August. "The more a company's consultant knows about such 'black arts,' the fewer unknown risks there will be."

KPMG's Talleur chortles at that assertion. Demolition experts, he argues, don't necessarily make the best architects. "The wonderful, colorful moniker of the hacker, going around with his cape flying? It's bullshit," he says. "They're not that smart.... Just because they're great at breaking into systems doesn't mean they're great at fixing them."

Venture capitalists are beginning to believe otherwise. Last January, a renowned group of Boston-area hackers known as L0pht Heavy Industries was acquired by security startup @Stake for $10 million. The L0pht, home to such famed hackers as "Space Rogue," "Dildog," and "Mudge," gained notoriety by authoring password-cracking tools for Windows; as a division of @Stake, the crew now charges megabucks to help companies design secure products.

The Ghetto Hackers seem a bit too pleasure-oriented to attract that sort of financial support. The group originated three years ago as an impromptu band of revelers at Def Con, which attracts thousands of hackers to Las Vegas each summer for three days of technical lectures, trick swapping, and carousing. The founders met by a stroke of fate as they downed drinks at the same table. On a lark, one celebrant registered them for the Capture the Flag contest.
Inebriated beyond recognition and competing as "Team Boozer," the seat mates were stomped by a Scandinavian outfit calling themselves the Mad Swedish Hackers. The only good thing to emerge from that year's convention was the group's catchy moniker; the words first spewed from the mouth of a member known as "Shrub," who objected to his colleagues' habit of writing code on cocktail napkins. "What are we," he sneered, "a bunch of ghetto hackers?"

Amid the alcoholic haze, however, they developed a sense of camaraderie - and a thirst for redemption. "It didn't matter who won at Def Con 7, but the Mad Swedish Hackers weren't going to win," says Miller. Ghetto considered a wide variety of revenge strategies, including abduction and "paying very beautiful women to seduce them." Eventually, Miller and his friends settled on the uncharacteristically mundane approach of trying to boost their own performance. Predominantly Seattleites, they kept in touch over the ensuing year, drawing other security-obsessed geeks into their clique.

After their Capture the Flag triumph in 1999, Ghetto coalesced, renting workspace downtown before moving into their current basement quarters - beneath a bank on the Emerald City's outskirts - last spring. The new digs include an abandoned vault, which now houses a battery of servers behind a heavy iron door. Beyond harboring their weekly brainstorming sessions and the occasional gala, the 3,000-square-foot space serves as a laboratory for advanced research into everything from cryptography to phone systems. Satellite labs in San Francisco and San Diego, where several affiliates live, are set to open soon. The group, says Eller, is "really designed to be a think tank - a place where people can come together and share different ideas and come up with a kind of synergy."

The Ghetto Hackers range in age from late teens to 30s, but they all share two key traits: technical prowess and a taste for hedonism.
Plenty of people have the intellectual credentials to win Ghetto membership, "but they're sticks-in-the-mud," Eller says. Constantly on the lookout for kindred gearheads, Ghetto does a fair amount of recruiting at local hacker get-togethers known as 2600 meetings (named after a hacker magazine celebrated for its anticopyright activism). Prospects get invited to what Eller calls a "2621 party," where the real testing occurs. "If somebody can hang out and be mellow, not make a fool of themselves," Eller explains, "then we can say, 'OK, we should take this person's money.'" The monthly dues of $180 pay for rent, bandwidth, and special events, such as the screening of The Matrix that drew 450 of the group's closest friends to the Cinerama theater in downtown Seattle.

Still, a few ambitious members foresee a day when the Ghetto Hackers may replace Ernst & Young on the speed dials of hip, security-conscious chief technology officers. In recent months, Bednarczyk has been lobbying his cohorts to transform Ghetto into a security startup. "We've got a diverse skill set in the group, and we've got some definite leaders in the up-and-coming technology," he says. "Probably more goes on in our meetings than in most boardrooms.... I see this group really turning into a consulting house. There's no reason it's not going to happen."

Bednarczyk wants to form a limited partnership and establish a common bank account, perhaps offshore, so the group can take on odd jobs securing ISPs or conducting penetration tests. "I think there's a good chance that something will come of it," Miller says. But money, he adds, is not their only motivation. "Most people here have really good jobs, so the issue of making a million dollars on network security - nobody's worried about that." Some members prefer the idea of forming a nonprofit organization, permitting them to bid for government research grants.
With Uncle Sam's sensitivities in mind, there's even talk of adopting a pseudonym, such as "Security Consortium," for official dealings.

Meanwhile, Ghetto has a more pressing matter to consider: Def Con 9 and the prospect of a Capture the Flag three-peat. After the Tuesday meetings, they spend hours debating tactics and perfecting attacks on practice networks. Next month, the group will strut into Las Vegas' Alexis Park Resort - scene of this year's convention - with the cockiness of champions. "We've pretty much determined that we're never going to lose again," Miller says. "So most of the people here, they actually take time in the off-season to do things like download the latest patches."

In an industry where notoriety can be parlayed into big-time bucks, spending the time to hone one's hacker chops is clearly a sound investment.

Brendan I. Koerner, who holds a Markle Fellowship at the New America Foundation, is a freelance writer living in New York.