[ISN] Desirable Undesirables

From: William Knowles (wkat_private)
Date: Mon Jun 04 2001 - 16:04:54 PDT


Brendan I. Koerner, 06/12/2001 issue

"Last night, I stayed up until 6 o'clock figuring out how to do this," says Riley "Caezar" Eller, a slender and bookish 27-year-old. Scribbling furiously on a dry-erase board covered with boxy diagrams representing a pair of networked computers, Eller maps out a novel cyberattack - a method of disabling a supposedly impregnable system with a few clever lines of code. His listeners nod each step of the way, occasionally grunting their approval. When the presentation is over and the imaginary defenses have all been surmounted, they break into polite applause.

Such demonstrations are part of the standard curriculum at the major security consultancies. But Eller isn't giving this lecture in a sterile conference room at PricewaterhouseCoopers or Deloitte & Touche. The setting is a subterranean hideout that closely resembles a frat house, complete with lava lamps and a rickety bar that reeks of week-old spilled Smirnoff. His cohorts - sworn enemies of office cubicles and Brooks Brothers suits - are members of an invite-only group of ace programmers, cryptography enthusiasts, and hardware wizards. Their think tank-cum-social club is known as the Ghetto Hackers. They're a brash, fun-loving lot who revel in their notoriety as two-time champions of Capture the Flag, the Daytona 500 of the computer underground. They also enjoy a measure of renown as hosts of a celebrated bacchanal - a combination trivia contest and Animal House-style beer blast - at Def Con, the annual hacker convention. In their civilian lives, however, these self-taught technophiles make a mint locking down servers and designing hard-to-crack networks.

Publicly, Corporate America expresses nothing but scorn for the denizens of this wired-world counterculture. Yet the Ghetto Hackers and their ilk are coveted - if controversial - players in the battle against cybercrime. While most of the major security firms insist on a hacker-free work force, even flaunting their purity in sales pitches, a host of smaller shops are scrambling to enlist the assistance of Eller and his associates. They reason that hacker talent of their high caliber is too precious to ignore.

Bad News Is Good News

Hiring philosophies aside, security firms large and small agree that cybercrime has reached alarming levels. Internet security breaches cost businesses around the world upwards of $15 billion a year, according to the research firm Datamonitor. In one recent survey, conducted by the Computer Security Institute and the FBI, 85 percent of respondents reported at least one attack. High-profile debacles such as last February's Yahoo! takedown have exposed the Net's soft underbelly for all to see.

The resulting hysteria, coupled with a severe shortage of talent, has been a boon to savvy job-seekers, including some with the kind of after-hours hobbies that the leading lights of the security establishment claim to abhor. With security services projected to become an $8.2 billion industry by 2004 - up from just $2.8 billion in 1999 - even low-tier workers expect base pay to average more than $75,000 a year. And the Ghetto Hackers are taking full advantage of a hot market.

Michael "Koresh" Bednarczyk - at 30, one of the group's elder statesmen - is chief scientist at the Internet Security Advisors Group (known as ISAG), a highly regarded firm headed by Ira Winkler. (See "The Social Engineer.") Drew "Ender" Miller, 23, a specialist in algorithms, recently left a longtime post at Datalight, an embedded-software developer, to become a programmer at LapLink.com. Eller, for his part, is the senior architect at ClicktoSecure, which makes a security scanning program called Hailstorm. Ghetto's ranks even include a high-level Microsoft employee, although his identity is well guarded. "They would recognize the name, and he positively would be fired," Eller says.

Microsoft is not alone among technology titans in its low regard for job candidates with experience on what some call "the other side." At most of the top companies, official policy bars anyone linked to the underground scene, whether by attendance at an event like Def Con or by the act of swapping hacker tools over the Internet. "I don't believe in it, because they never go straight," says Tom J. Talleur, managing director of KPMG's forensics technology services division. "The problem is one of trust. It's one thing to give someone the keys to your house, it's another to give him complete root access - access to all of your secrets." So great is the threat, Talleur says, that even guilt by association can disqualify a job candidate, no matter how exceptional his skills or clean his rap sheet.

But jobs with KPMG and other old-school industry mainstays don't necessarily tempt today's rising security experts. "I know the Big Five employed hackers in the past," says Eller, referring to the sizable security practices operated by the major accounting firms. "But I don't know if there are any really left. All the ones I know of have left for smaller, lighter, faster companies where they get meaningful amounts of equity."

Ghetto's members also take issue with the logic of the Big Five's top brass. Eller and his friends view themselves as hackers in the purest sense of the word: people who satisfy an innate curiosity by determining how systems work from the inside out. "Intimately tied to learning how things come apart is learning how to put them together so they don't come apart," Eller insists. The hacker mentality espoused by Ghetto is an elegant spin on the credo of the Russian anarchist Mikhail Bakunin: "The passion for destruction is also a creative passion." Though many learned their crafts as mischievous kids - futzing with high school networks, probing obscure NASA servers - they are now self-professed law abiders one and all.

The Legal Tightrope

To the average American still grappling with the Paste command in Microsoft Word, hacker is synonymous with hoodlum. Hackers are commonly viewed as terrorists, says "Rizzo," the group's resident wireless expert, and one of several members who asked to be identified only by nickname. "They think it's evil little guys sitting in basements, basically punks." The real punks, he adds, are unskilled teens who use pre-programmed hacking tools to deface Web pages by filling them with Limp Bizkit lyrics.

The Ghetto Hackers do not pretend to be candidates for sainthood, however. Many learned their trade while walking a legal tightrope. The son of a trainer on the horse-show circuit, Eller spent his self-described "white trash" childhood bouncing around the Rockies and Cascades, attending school with kids who did not take kindly to his gangly limbs, dark garb, and classroom smarts. As an 11-year-old martial arts expert, he saved up enough cash to purchase a plane ticket to Toronto for a tournament. But a pre-meet sprained ankle forced him to seek a life-altering refund. "I walked into the travel agent and begged a little and convinced them to give me my money back," Eller recalls. "And when I got out, across the street they were selling Commodore 64s."

With the aid of a friendly employee who gave him a steep discount, he purchased one of the low-powered machines "and basically spent the next five years locked in my room." Since there were few tech-savvy teachers in Everett, Wash., Eller used bulletin boards to communicate with French and German hackers who taught him the programming ropes. A run of steep long-distance bills forced him to indulge in what he characterizes as "basic telco fraud," fiddling with phone cards to make them everlasting. It was that interval of law-bending that led to what he calls "The Visit" - Eller's only legal scrape. "I had a panic button wired up," he explains, "and as soon as I saw [the cops] out there, I hit it and fried all my disks." The experience, he sheepishly adds, scared him straight.

The Visit was only a minor obstacle for Eller. He learned database programming as a teenage salesman at a mom-and-pop computer shop. As an entry-level worker at Datalight, Eller quickly ascended the salary ladder, maxing out at $72,000 per year after Def Con 7. Though coy about his current income, he is the proud owner of a high-tech condo in downtown Seattle, a domicile stocked with rack-mounted computers, a massive flat-screen Sony Trinitron, and an encyclopedic porn collection. Though the stereotypical tech worker may be a 100-hour-a-week drone, Eller will have none of that. "I'm all down with not working," he says. He dreams of cashing out in a few years ("I'm looking at 37"), possibly to become a college professor - a lofty aim for someone who dropped out of the Everett Community College business program before earning an associate's degree.

In his lack of formal education, Eller typifies the security elite. It's a profession in which hands-on talent tends to gestate outside traditional channels. "With the proliferation of information we have now, a 5-year-old has access to all the same information as a college-level undergraduate," says Miller, a Ghetto Hacker who estimates that he is 85 percent self-taught. "People don't need to go to college; they need to apprentice, like blacksmiths or whatever. Find something you like, find someone else who is good at it, hang out with them for a couple of years.... You can have that Dairy Queen job and then turn around and be programming computers someday. I think that's awesome. Obviously, that's what I did."

A native of tiny Marysville, Wash., Miller first met Eller through the local Assembly of God church. "My parents knew I was into computers, and his parents knew he was into computers, so they kind of hooked us up," he recalls. "I would take my systems over to his house and we'd share the latest and greatest stuff."

At 15, Miller left home after a falling-out with his folks over religion - "My father basically gave me a mandate and just said, 'Our way or the highway,' so I took the highway." He begged Eller, five years his senior, for shelter. "I proposed to him some sort of deal like, I'd be his slave if he'd let me live with him," says Miller. "I cooked, cleaned, did his laundry, got into fights with his girlfriend, bummed cigarettes off of him." Another of Miller's responsibilities was to download free software from so-called warez sites - clearinghouses for the latest hacker paraphernalia.

Eller encouraged his protege to sharpen his coding skills by writing elementary games. "I wrote Tic Tac Toe," Miller says with a bit of embarrassment. "It took about two weeks and 10 pages of code. And then Caezar sat down and said, 'Watch this,' and about 15 minutes later it was a page-and-a-half of code. I didn't understand any of it."

Those mystifying tutorials taught Miller more than any high school Basic class ever could. At 17, he got a job as a quality assurance tester at Datalight, where he quickly proved his worth. After several months, "I got to the point where I was going in and finding the bugs in the tests that were testing the operating systems," he says. He boasts of making more money than his father. In his spare time, he writes algorithms for prime-number generators.

Don't Ask, Don't Tell

The Ghetto Hackers' digital "street smarts" serve them well in their white-collar pursuits. They have a knack for solving complex security riddles - sniffing out a previously unknown vulnerability, for example, or analyzing the behavior of an intelligent virus. Last November, acting on a tip from a Cambridge, Mass.-based hacker, Eller figured out a way for advanced cybervandals to use "stack overflows" to disable a theoretically secure machine. Before his research, the brightest computer scientists had dismissed the possibility of such an attack; Eller needed just two days to disprove the conventional

"The people who spend their mornings up until 6 a.m. trying to learn how something is broken or learn some new way to cause problems or fix problems, those are the people that are changing the world," says Eller, whose skill has earned him invitations to corporate-security conferences as far afield as Singapore. "That talent can't be measured in the kind of suit they wear."

George Kurtz, founder of Foundstone Security and a former pooh-bah at PricewaterhouseCoopers and Ernst & Young, agrees about underground-bred employees in general, and the Ghetto Hackers in particular. "In terms of talent, they are exceeding what you're going to find at the Big Five," he says. "These guys are really, really sharp folks."

Despite their supposed contempt for the underground, many big firms secretly side with Kurtz. They're willing, even anxious, to bring hackers into their ranks, as long as their nocturnal activities are kept hush-hush - a New Economy version of "Don't ask, don't tell." Any firm that claims never to hire such people "is either lying or doesn't have any expertise on staff," Rizzo says. "If you want to do something right," he adds, "you're going to hire an expert, right? What firms want to avoid is the appearance of having a bunch of law-breaking hooligans that are uncontrollable on their staff."

Several firms, in fact, covertly wade through the underground in search of untapped talent. The Ghetto Hackers have been persistent targets of corporate recruiters, especially since their successive victories at Def Con's Capture the Flag event, a 48-hour digital joust in which teams score points by hacking rivals' machines. "After we won at Def Con 7 [in 1999], we got tons of job offers," says Eller, who himself became the object of a bidding war that led to a 20 percent raise. "And all because of something that only took us a couple of

Corporations that shun underground talent are only cheating themselves, says "Palante," a Ghetto Hacker who works in the information security consulting division of a corporation he declines to name. "When it comes to hiring hackers, remember that we're talking about a company paying someone to tell it about risks it may not even know exist," he wrote in a response to an antihacker screed published in the Toronto Globe and Mail last August. "The more a company's consultant knows about such 'black arts,' the fewer unknown risks there will be." KPMG's Talleur chortles at that assertion. Demolition experts, he argues, don't necessarily make the best architects. "The wonderful, colorful moniker of the hacker, going around with his cape flying? It's bullshit," he says. "They're not that smart.... Just because they're great at breaking into systems doesn't mean they're great at fixing them."

Venture capitalists are beginning to believe otherwise. Last January, a renowned group of Boston-area hackers known as L0pht Heavy Industries was acquired by security startup @Stake for $10 million. The L0pht, home to such famed hackers as "Space Rogue," "Dildog," and "Mudge," gained notoriety by authoring password-cracking tools for Windows; as a division of @Stake, the crew now charges megabucks to help companies design secure products.

The Ghetto Hackers seem a bit too pleasure-oriented to attract that sort of financial support. The group originated three years ago as an impromptu band of revelers at Def Con, which attracts thousands of hackers to Las Vegas each summer for three days of technical lectures, trick swapping, and carousing. The founders met by a stroke of fate as they downed drinks at the same table. On a lark, one celebrant registered them for the Capture the Flag contest. Inebriated beyond recognition and competing as "Team Boozer," the seat mates were stomped by a Scandinavian outfit calling themselves the Mad Swedish Hackers. The only good thing to emerge from that year's convention was the group's catchy moniker; the words first spewed from the mouth of a member known as "Shrub," who objected to his colleagues' habit of writing code on cocktail napkins. "What are we," he sneered, "a bunch of ghetto hackers?"

Amid the alcoholic haze, however, they developed a sense of camaraderie - and a thirst for redemption. "It didn't matter who won at Def Con 7, but the Mad Swedish Hackers weren't going to win," says Miller. Ghetto considered a wide variety of revenge strategies, including abduction and "paying very beautiful women to seduce them." Eventually, Miller and his friends settled on the uncharacteristically mundane approach of trying to boost their own performance.

Predominantly Seattleites, they kept in touch over the ensuing year, drawing other security-obsessed geeks into their clique. After their Capture the Flag triumph in 1999, Ghetto coalesced, renting workspace downtown before moving into their current basement quarters - beneath a bank on the Emerald City's outskirts - last spring. The new digs include an abandoned vault, which now houses a battery of servers behind a heavy iron door.

Beyond harboring their weekly brainstorming sessions and the occasional gala, the 3,000-square-foot space serves as a laboratory for advanced research into everything from cryptography to phone systems. Satellite labs in San Francisco and San Diego, where several affiliates live, are set to open soon. The group, says Eller, is "really designed to be a think tank - a place where people can come together and share different ideas and come up with a kind of

The Ghetto Hackers range in age from late teens to 30s, but they all share two key traits: technical prowess and a taste for hedonism. Plenty of people have the intellectual credentials to win Ghetto membership, "but they're sticks-in-the-mud," Eller says. Constantly on the lookout for kindred gearheads, Ghetto does a fair amount of recruiting at local hacker get-togethers known as 2600 meetings (named after a hacker magazine celebrated for its anticopyright activism). Prospects get invited to what Eller calls a "2621 party," where the real testing occurs. "If somebody can hang out and be mellow, not make a fool of themselves," Eller explains, "then we can say, 'OK, we should take this person's money.'" The monthly dues of $180 pay for rent, bandwidth, and special events, such as the screening of The Matrix that drew 450 of the group's closest friends to the Cinerama theater in downtown Seattle.

Still, a few ambitious members foresee a day when the Ghetto Hackers may replace Ernst & Young on the speed dials of hip, security-conscious chief technology officers. In recent months, Bednarczyk has been lobbying his cohorts to transform Ghetto into a security startup. "We've got a diverse skill set in the group, and we've got some definite leaders in the up-and-coming technology," he says. "Probably more goes on in our meetings than in most boardrooms.... I see this group really turning into a consulting house. There's no reason it's not going to happen." Bednarczyk wants to form a limited partnership and establish a common bank account, perhaps offshore, so the group can take on odd jobs securing ISPs or conducting penetration tests.

"I think there's a good chance that something will come of it," Miller says. But money, he adds, is not their only motivation. "Most people here have really good jobs, so the issue of making a million dollars on network security - nobody's worried about that." Some members prefer the idea of forming a nonprofit organization, permitting them to bid for government research grants. With Uncle Sam's sensitivities in mind, there's even talk of adopting a pseudonym, such as "Security Consortium," for official dealings.

Meanwhile, Ghetto has a more pressing matter to consider: Def Con 9 and the prospect of a Capture the Flag three-peat. After the Tuesday meetings, they spend hours debating tactics and perfecting attacks on practice networks. Next month, the group will strut into Las Vegas' Alexis Park Resort - scene of this year's convention - with the cockiness of champions.

"We've pretty much determined that we're never going to lose again," Miller says. "So most of the people here, they actually take time in the off-season to do things like download the latest patches." In an industry where notoriety can be parlayed into big-time bucks, spending the time to hone one's hacker chops is clearly a sound investment.

Brendan I. Koerner, who holds a Markle Fellowship at the New America Foundation, is a freelance writer living in New York.

--
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
ISN is hosted by SecurityFocus.com

This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 07:00:38 PDT