[ISN] Sleeping with the enemy

From: InfoSec News (isnat_private)
Date: Tue Aug 13 2002 - 02:25:05 PDT


    Forwarded from: William Knowles <wkat_private>
    By Kim Zetter
    August 13 2002
    A good hacker is hard to find, or so it seemed during the dot-com
    boom. Companies, particularly in the United States, were making the
    rounds of hacker conferences and IRC channels willing to pay $150,000
    for a security guru who was still going through his voice change.
    Even the American assistant secretary of defence showed up last year
    at the hacker blowout in Las Vegas known as Def Con to recruit "the
    best of the best" for a cyber-terrorism unit.
    But as computer security has become more specialised and training has
    improved, legitimate pros have elbowed aside the teens.
    So it seems odd that only 43 per cent of Australian organisations
    would be willing to hire former hackers to help secure their networks;  
    only 14 per cent of US organisations said they would do the same.
    Perhaps it all depends on who you are calling a hacker.
    Some of the most respected names in computer security are also some of
    the most respected names in the hacking community.
    And many tools used for testing the security of networks (and, well,
    for cracking them) were designed by hackers.
    Massachusetts-based security firm @stake is composed of former members
    of the L0pht hacking group, which developed a password-cracking tool
    called L0phtCrack. Peiter Zatko (aka Mudge), the company's pony-tailed
    founder, even testified before the US Congress on computer security.
    Then there's Chris Goggans (aka Erik Bloodaxe) of Security Design
    International, who served as editor of the notorious hacker zine
    Phrack, a cornucopia of illegal tips and tricks. And Rain Forest Puppy
    (he prefers not to have his real name published), another security
    pro, has found many holes in Microsoft products and has developed a
    respectful relationship with that company. But he has also developed
    an anti-IDS Web scanning tool called Whisker that hackers use to
    ferret out their prey.
    Most hackers working in security are either reformed black-hat hackers
    or people who never dirtied their hats beyond grey. That is, they may
    have cracked systems but didn't cause destruction or steal data. Or at
    least they did not get caught doing it.
    Hackers with a criminal record or who admit to still hacking are
    rarely trusted with a job these days, although, incredibly, at one
    time they were.
    The hiring of the latter type of hackers in the US has, thankfully,
    fallen out of fashion, says Giga analyst Steve Hunt. "You can hire
    someone who is an expert at defending resources or who is an expert at
    violating them. They both have the same fundamental skills. But just
    one has a professional ethic and a legacy of honour and service."
    The risks of hiring a known hacker are obvious. But you face the same
    risks with any disgruntled employee or with a closet hacker who does a
    little unauthorised sleuthing through your system.
    Companies that claim to oppose hiring hackers are probably unwittingly
    hiring them, says William Knowles, editor of security news list
    InfoSec, who notes that today's hackers have little to distinguish
    them from traditional security administrators.
    "A few years ago at Def Con I saw a lot of familiar faces in the
    hacking crowd, but I didn't know why they were familiar. Then I
    realised they were the same faces I'd seen at security conferences.  
    Companies have been hiring hackers for years, they just don't realise
    it," he says.
    Mario Duarte, a former administrator of the now-defunct Zuma, a San
    Francisco-based host for e-commerce sites, considered himself
    brilliant for hiring Optyx a few years back.
    Optyx was a skinny, 19-year-old hacker with blue hair and ties to Cult
    of the Dead Cow, makers of a Trojan horse called Back Orifice.
    Duarte says Optyx was invaluable for showing him holes in Zuma's
    systems that he was sure didn't exist.
    But he had sleepless nights over the next couple of months, wondering
    if the hacker would turn on him.
    As it happened, it was another hacker hired by Duarte at Optyx's
    request who proved a liability when a bad attitude and personal
    problems made it clear the teen didn't belong in a corporate
    But how do you fire a hacker? Pretty easily, it turned out. Optyx, who
    took pride in Zuma's servers as his personal domain, made it clear to
    his departing friend the possible consequences of seeking revenge:  
    "Don't even think about it, dude. I'll hunt you down and kill you."
    "Communications without intelligence is noise; intelligence
    without communications is irrelevant." Gen. Alfred M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Aug 13 2002 - 06:16:34 PDT