[ISN] The Mind Of A Hacker

From: InfoSec News (isn@private)
Date: Tue Nov 11 2003 - 04:46:34 PST

    Forwarded from: William Knowles <wk@private>
    
    http://www.internetweek.com/breakingNews/showArticle.jhtml%3Bjsessionid=5ARRMPTZ3BM2MQSNDBCCKHQ?articleID=16100230
    
    By George V. Hulme, 
    InformationWeek 
    November 10, 2003
    
    Marc Maiffret is a hacker. Maiffret started hacking about six years 
    ago, at age 16, when a friend at school introduced him to computers, 
    and he got hooked on a digital-age narcotic: information. He consumed 
    what he could about the Internet, computers, networks, and phone 
    systems. "I wanted to learn more," says the guy whose teenage handle 
    was "Chameleon" and whose hair color shifts from black to green to 
    blue. Maiffret says some of his actions back then wouldn't meet with 
    widespread approval. "When I was younger, I was up to no good," he 
    admits. 
    
    Today, Maiffret could be considered one of the good guys. In 1998, 
    when he was 17, Maiffret co-founded eEye Digital Security, which makes 
    security software that has been adopted by companies such as 
    Prudential Financial. Now he has the title of chief hacking officer, 
    and he and his co-workers help to discover security flaws in software. 
    
    Hacker is a loaded word. The hacker community--and it's a thriving 
    online community--includes technophiles, curiosity seekers, 
    cybervandals, and outright thieves and fraudsters. The technophiles 
    love to take apart software to see how it works or what they can make 
    it do. Some write tools and applications such as password crackers, 
    vulnerability scanners, and anonymity tools, and make them freely 
    available on the Internet or hacker Web sites and message boards. Some 
    devote long hours to uncovering flaws in software that make systems 
    less secure by allowing destructive worms and viruses to gain access. 
    
    The others--the intruders, vandals, virus writers, and thieves--are 
    criminals, pure and simple. At their most benign, they are 
    trespassers, rummaging through proprietary systems and databases. 
    Hackers also are responsible for Web defacements, denial-of-service 
    attacks, and identity theft. Some see themselves as rebels or 
    revolutionaries, "hactivists" spreading a message of anarchy and 
    freedom. Some are simple mercenaries who write tools, known as 
    exploits, to take advantage of security flaws and make it easier to 
    penetrate systems. In some cases, they sell that information to 
    spammers, organized crime, other hackers, or the intelligence services 
    of foreign countries. 
    
    Hackers are blamed for unleashing worms and viruses that have cost 
    businesses billions of dollars a year in damages. The problems they 
    cause have gotten so bad that Microsoft last week created a $5 million 
    fund to provide rewards for information leading to the capture of the 
    people responsible for those attacks. Fed up with the damage done to 
    its reputation and, increasingly, to its revenue stream, Microsoft, 
    working with the FBI, the U.S. Secret Service, and Interpol, is 
    offering a bounty of $250,000 to people who help capture those 
    responsible for the Blaster worm and the Sobig virus, which wreaked 
    havoc this past summer on systems and networks worldwide. 
    
    Hacker is a term with negative connotations for most of the technology 
    community. "I used to call myself a hacker in the sense that I like to 
    twiddle with stuff, but I don't use that word to mean that any more," 
    says Marcus Ranum, senior scientist at TruSecure Corp., a 
    risk-management and security vendor. "That word has been ruined by 
    little selfish punks." 
    
    It's more than a question of semantics. Some of the positive that 
    hacking represents--intellectual curiosity, tech savvy, innovative 
    thinking--is overshadowed by its criminal aspects--the potential for 
    grave harm and mass destruction--but it's a difficult line, especially 
    for young people, who need to be encouraged to embrace technology and 
    its potential. Also, recent laws such as the Digital Millennium 
    Copyright Act and the USA Patriot Act may criminalize what some 
    security researchers see as legitimate avenues of inquiry, limiting 
    the technology industry's ability to help itself and eliminating 
    necessary research or driving it further underground. 
    
    That's why it's illuminating to inquire about hackers: Who they are, 
    what they do, and why. 
    
    Chris Wysopal is a hacker. Wysopal, VP of research and development at 
    security consulting firm @stake Inc., advises businesses and 
    government agencies how to better secure their computer networks and 
    systems. He has also held jobs at GTE Internetworking and Lotus 
    Development Corp. 
    
    Wysopal used to be known as "Weld Pond," a member of security-research 
    group L0pht Heavy Industries, a legitimate but unconventional business 
    that made its name in the 1990s by uncovering and disclosing software 
    vulnerabilities. In 1997, it released L0phtCrack, a tool that could be 
    used to audit and reveal Windows passwords. L0pht (pronounced "loft") 
    was condemned for releasing the password cracker, but Wysopal says the 
    group's mission was misunderstood. The goal of L0pht was to raise 
    security awareness and to provide security professionals with tools 
    "as powerful as the tools people use to break into things," he says. 
    And some organizations saw the advantage. "I think the General 
    Accounting Office was our first paying customer." 
    
    The distinction between hacker and legitimate security researcher can 
    be difficult to make. In 2001, Maiffret's firm, eEye Digital Security, 
    found a weakness in Microsoft's Internet Information Services server 
    software. The security firm notified Microsoft about the flaw, and 
    Microsoft issued a patch. But a month later, the notorious Code Red 
    worm raced through the Internet and attacked hundreds of thousands of 
    unpatched systems around the globe by taking advantage of the security 
    weakness eEye discovered. 
    
    The hacker community itself makes that distinction by referring to 
    white-hat and black-hat hackers, which reflects what sociologist 
    Bernhardt Lieberman refers to as the "dual nature of hacking." There 
    are hackers who are enthusiasts who try to push technology as far as 
    it can go to learn how things work, and there are hackers who are 
    serious threats to businesses and systems, whose intrusions and 
    malicious code cause great pain. 
    
    The terms hack and hacker originated in the 1950s at The Model 
    Railroad Club at MIT. The image of the computer hacker has been 
    romanticized in popular culture in movies such as War Games and Hackers. 
    Today, however, the word hacker is commonly used to refer to 
    criminal--or at least arrant--activity. "It's come to mean anyone who 
    works their way around legitimate controls in systems," says Herb 
    Mattord, an information systems instructor at Kennesaw State 
    University in Georgia. 
    
    Those clinging to a less-tainted definition of hacker don't think of 
    themselves as criminals. Most say they just want to learn more about 
    computers, says sociologist Lieberman, director of the research firm 
    Social Inquiry and professor emeritus of sociology at the University 
    of Pittsburgh. Lieberman has conducted detailed interviews with 42 
    hackers, analyzed the content of 2600: The Hacker Quarterly magazine, 
    and attended hacker gatherings. 
    
    When asked about their motives for hacking, nearly 100% say they hack 
    for intellectual challenge, to increase knowledge, to learn about 
    computers and computing, or to understand how things work. However, 
    14% cite attacking authority and the government among their 
    motivations. And 7% say it's to attack capitalism, break the law, or 
    become well known. 
    
    InformationWeek posted a series of questions on hacker bulletin boards 
    and Web sites seeking to understand why hackers hack. The responses 
    were illuminating, yet sometimes troubling. "Hacking to me is a way of 
    life. The infinite quest for knowledge is quite stimulating," says 
    Bio_XP. "Being a hacker forces you to think outside the box and look 
    at problems (computer-related or not) in a whole new way. Hackers 
    solve problems that affect us as well as others. By developing 
    software, patches, etc., we help many people, [and] in addition, we 
    help technologies improve and therefore progress." 
    
    Another, called LiquidFish, says he hacks because he's always thinking 
    about the vulnerabilities of things and how they can be exploited. 
    "It's just part of who I am," he says. "This extends to every new 
    thing I'm introduced to, not just computer related." 
    
    One hacker, whose handle is "unnamed," says motivations vary with each 
    person. "Some like to hack to test their skills and knowledge or just 
    to outsmart an admin," he says. "Others just are adrenaline junkies 
    that like the rush." 
    
    One teenage hacker complains that society and the media lump 
    criminals, vandals, and virus writers in with young tech lovers who 
    try to stay within the bounds of the law. "I try not to break the 
    law," he says. "I don't break into networks, though if you look around 
    there are plenty wide open." But today's computer security and 
    copyright laws make it "hard to tell what you're allowed to do and not 
    allowed to do even with the software you buy. Just trying to study the 
    software and write about the security holes you find could land you in 
    jail." 
    
    He knows that hacking has a bad reputation. "When I say in class that 
    my hobby is hacking, the teachers always look at me with disapproving 
    eyes like I'm automatically a criminal," the hacker says. "I do not 
    steal data or release a virus. That's all lame and not what I think 
    it's all about." 
    
    Still, the criminal aspect of hacking is pervasive--and profitable. 
    "Some security companies are paying for vulnerability information, the 
    spamming industry is paying for zero-day exploits, upwards of $5,000, 
    and there are elements of organized crime looking for expertise," says 
    Mark Loveless, senior security analyst at security vendor BindView 
    Corp. Zero-day exploits are software tools or applications that take 
    advantage of undisclosed, unpatched software vulnerabilities. The term 
    refers to the worst-case scenario: a worm or other attack that strikes 
    a vulnerability that no one knew about or could prepare a patch to 
    defend against. "Hackers are attacking hackers and raiding other 
    hackers' zero-day libraries," he says. 
    
    Loveless, also known as Simple Nomad, is founder of a hacker lab 
    called Nomad Mobile Research Centre, which provides a way for 
    interested parties to anonymously discuss and share information about 
    computer-security issues "without fear of personal retribution from 
    others." The lab seeks to protect hackers from legal action from 
    software vendors whose code they've reverse-engineered or from 
    government agencies. 
    
    Loveless argues that laws such as the Digital Millennium Copyright Act 
    and the USA Patriot Act, combined with the new push to criminalize 
    what he calls "security research," will push even more of this 
    activity underground. The DMCA prohibits any hardware or software that 
    can circumvent copy-protection schemes for digital media such as 
    music, movies, and E-books. Hackers fear that vendors will use these 
    and other laws to prevent them from conducting security research and 
    publicizing the flaws they discover. 
    
    "The underground is doing just that, going completely underground," 
    Loveless says. "A lot of things we used to do for research--research 
    that was once questionable--can now be considered a criminal act." 
    
    The DMCA has tempered discussion of security research since its 
    passage in 1998. Researchers began pulling some security tools off 
    their Web sites following the arrest of Russian programmer Dmitry 
    Sklyarov at the DefCon security convention in July 2001. Sklyarov 
    developed a program published by ElcomSoft Ltd. that made it possible 
    to convert encrypted Adobe Acrobat eBook Reader files into unprotected 
    Adobe PDF files. 
    
    A few months earlier, a team of security researchers from Princeton 
    University, Rice University, and Xerox decided not to publicly present 
    research that they had completed on circumventing watermark techniques 
    for digital music. The research was the result of a challenge issued 
    by the Secure Digital Music Initiative, a consortium of companies 
    trying to create open protection specifications. The SDMI tried to 
    block disclosure of the research, saying the DMCA might be applied if 
    the research were disclosed. 
    
    In August 2002, Hewlett-Packard sent a memo to a security-research 
    firm, Secure Network Operations Inc. (better known as SnoSoft), citing 
    the DMCA and threatening legal action after the group published code 
    that exposed a serious hole in HP's Tru64 Unix operating system. 
    Ultimately, HP took no legal action. 
    
    Despite the DMCA, a lot of hacking information can still be found on 
    the Internet. Some sites contain reports about newfound 
    vulnerabilities and research about security flaws. The information 
    that's available includes instructions on "How To Become A Hacker," 
    detailed data on the inner workings of phone and PBX systems, 
    virus-writing manuals, links to Web sites with free security tools 
    used to find vulnerable systems, and application-password crackers. 
    There's everything from serious discussions about newsworthy events 
    relevant to hackers, such as successful legal defenses, to handy 
    tidbits about the inner workings of most operating systems to 
    nostalgic threads titled "My First Hack." 
    
    Most security and business-technology professionals have little 
    patience with the argument that hackers help make computer systems and 
    networks more secure. "These chumps have nothing to offer. They have 
    no valuable security contribution at all," says TruSecure's Ranum, who 
    has developed security software since the 1980s and is the author of 
    The Myth Of Homeland Security (John Wiley & Sons, 2003). 
    
    But not all. "Bug hunters are absolutely essential [for] keeping 
    systems clean, semi-free of code defects, but most importantly they 
    keep software vendors honest," says a security analyst at a major 
    manufacturer. 
    
    Ranum has challenged hackers--at their own gatherings--to prove that 
    they care about improving security. "I told them that if they are so 
    smart, why don't they do something useful. If you want to be cool, 
    write a better antivirus tool. Or if you want to make a wonderful free 
    tool, write a tool that blocks the ability for Windows to run 
    executable programs on your system until you have authorized that it 
    is OK to run that executable." 
    
    Ranum laughs at the idea that it takes a hacker to stop a hacker. 
    "They often make the analogy that if you want to build a strong safe, 
    you need to hire a safecracker," he says. "That's pure nonsense." 
    
    Researcher Lieberman would like to see kids taught about the ethics of 
    computer use and hacking and says businesses should be willing to foot 
    the bill. "The government is busy chasing terrorists, but financial 
    institutions are losing millions," he says. Schools should develop 
    courses to channel the desire to learn about computing into positive 
    avenues, and businesses should be willing to finance those efforts. 
    "With financial institutions losing millions to hackers, they ought to 
    be funding the development of special learning programs," he says. 
    
    As a result, information about software vulnerabilities and hacking 
    techniques that was once shared in a somewhat open fashion on Web 
    sites, in E-mail mailing lists, and in newsletters and magazines is 
    increasingly being shared among smaller invitation-only groups and 
    through encrypted mailing lists or networks. "The underground is the 
    stuff you don't hear about in the press. It's conversations in 
    encrypted channels about security, security tools, exploits, and 
    vulnerabilities," Simple Nomad says. "The underground is about helping 
    each other out to develop a tool without considering what use the tool 
    might be used for. There's a purity to that, which I find refreshing. 
    It's about pure information." 
    
    That attitude is naive--even dangerous--in a society that must deal 
    with the risk of cyberterrorism, the cost of identity theft, and the 
    loss of essential services such as electricity and telephones caused 
    by a tool that was developed without considering what the tool might 
    be used for. 
    
    The changing views of acceptable behavior have even reached college 
    campuses. Actions that were once accepted, or at least tolerated, at 
    universities are not considered cool any longer, students say. Eric 
    Ogren, a computer-science major at Stanford University, says breaking 
    into computer systems, even without doing any damage, is "pretty 
    frowned upon now around here." But Ogren says there are still plenty 
    of students who hack their own systems and software to learn or to 
    improve security. "There's a lot of that going on, especially here 
    with research into security or just seeing how things work," he says. 
    But the Digital Millennium Copyright Act has changed the way students 
    and others view their activities. "I don't know too many fans of the 
    DMCA," Ogren says. 
    
    Kennesaw State's Mattord agrees. "There's no age that's too early to 
    start, and it would help some students on the edge from going over," 
    he says. 
    
    A few who spent their teenage years hacking doubt that education would 
    make a difference. "A lot of people doing this stuff like doing it 
    because they're doing something illegal or edgy. It's about the thrill 
    of it," eEye Digital's Maiffret says. "I don't think it's the same 
    thrill to break into some university system where you're allowed." 
    
    The need for that edginess may provide additional insight into the 
    thought process of hackers--and people attracted to work in security. 
    "It takes a certain mind-set to understand security," says Bruce 
    Schneier, founder and chief technology officer at Counterpane Internet 
    Security Inc., a security-services firm. "I can't walk into a store 
    without figuring out how to steal something. I can't walk into a 
    voting booth without seeing if I can vote twice. Normal people think 
    about how systems work. Security people think about how systems can be 
    forced to fail." 
    
    Richard Thieme, who writes and lectures about computer security and 
    has spoken at numerous hacker and security conventions, agrees. "You 
    can't be a good security person or good cop unless you know how a 
    criminal thinks, and you can't know how a criminal thinks unless at 
    least part of your heart is devoted to the black arts of larceny," he 
    says. "It's all about how you choose to channel and harness that 
    energy." 
    
    To Thieme, hacker means "unconventional thinkers, people who are 
    unconventional in every way and who refuse to accept no. If they're 
    told the machine wasn't meant to do something, they figure out a way." 
    
    Maiffret thinks most hackers will follow their own paths no matter 
    what. But people shouldn't assume that hackers are automatically bad. 
    He cites a recent case of a 17-year-old who E-mailed eEye about a 
    security flaw he believed he found in Microsoft software. "He wanted 
    to know if it was exploitable and how to work with Microsoft," 
    Maiffret says. 
    
    It turns out that the teenager had in fact found a real security hole 
    that needs to be patched. "We introduced him to the right people at 
    Microsoft," Maiffret says. "It's his bug, so we're just following 
    along to make sure it's all handled properly." 
    
    A nice story. But it's small comfort for business-technology managers 
    worried about someone getting access to sensitive customer data or 
    battling wave after wave of worms and viruses that threaten critical 
    systems and networks and drain their budgets. Until this onslaught is 
    brought under control, hacker will continue to be a dirty word to most 
    business-technology and computer-security professionals. 
    
    
    
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    ----------------------------------------------------------------
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ================================================================
    Help C4I.org with a donation: http://www.c4i.org/contribute.html
    *==============================================================*
    
    
    



    This archive was generated by hypermail 2b30 : Tue Nov 11 2003 - 07:51:50 PST