http://www.zdnet.com.au/insight/security/0,39023764,39116620-2,00.htm Name: Raven Alder Handle(s): Raven Age: 28 Place of birth: Mississippi, USA Marital status: Single Current residence: Maryland, USA Job: Security consultant, True North Solutions First computer: Home-built 8088 machine in 1988 or so Best known for: Tracing spoofed distributed denial of service attacks Area(s) of expertise: ISP backbone networking, protocol decoding and design, Linux/BSD security, and cryptography What's the difference between male and female hackers? If you ask Raven Alder, she might let out a string of expletives because gender is a non-issue. Alder was the first woman to deliver a technical presentation at the famed DefCon hacker conference in Las Vegas. But don't harp on it. If there's one thing she hates, it's being type-cast as a "chick hacker". "If I never read another 'she's going to save the Internet' article or have a reporter wanting me to pose by the pool at DefCon with a life preserver, it will be too soon. "One popular magazine's 'do you think girl hackers should date boy hackers?' left a bad taste in my mouth, too. Nobody asks the guys this stuff, and finding myself a 'boy hacker' is not really tops on my list of things to do this weekend," Alder said. Born into a fairly well-to-do family, it was clear that Alder was a brainiac from a young age. "I skipped three grades and was taking college classes at 12, graduated high school at fourteen and college at eighteen," she said. "My parents very much encouraged my sister, brother and me to be academic achievers." Alder has the markings of an uber geek, but her lifestyle is far from sedentary. "Mom put all three of us through martial arts [Shorin Ryu Matsumura discipline] for at least a year. She wanted us to be able to defend ourselves. After that, it was our decision whether or not to continue," she explained. "My kid sister quit and did gymnastics instead, making it almost all the way to being an Olympic-class gymnast before quitting to become the captain of her high school cheerleading squad ... [but] I continued." Alder first dabbled with computers in 1985, fiddling with her school's Apple II, but didn't get serious until after graduate school. "I went to Virginia Tech in an entirely unrelated discipline, but you can't attend that school without becoming at least basically technically competent," she explains. Despite becoming quite involved with geekish pursuits, Alder says her social life hasn't suffered at all. "If anything, it's made it more to my tastes. I like geeks," she confessed. "I'm far more likely to enjoy the company of the folks I see at dc-securitygeeks meetings than I am of the people I'd see at my neighbourhood bar. I've met a variety of fascinating people through hacking, and some of them are now close friends." Alder hasn't taken a holiday "that didn't involve computer security" for around five years. "Most of my vacations are something like, 'Oh, I'll go to Ottawa Linux Symposium, that will be fun!'," she said. While her parents have been supportive, Alder's father is sometimes rattled by the idea of his child hanging around with "hacker types". When she called to tell him she'd be presenting at a computer security conference "he went to brag to his security officer friends". But the thrill didn't last too long. "DEFCON? Do you know what that is? It's full of HACKERS!" her father said. It took her 30 minutes to deliver the "hackers-are-not-bad" speech. But it's not all smiles and sunshine in the security business for Alder -- she once found a serious vulnerability in a "very popular security product". "I wrote up some proof of concept exploit code, and took it to my boss," she explained. The makers of the product didn't really seem to care about the issue nor want to fix it. "I carefully explained the importance of the problem, and the possible ramifications of exploiting it. People are trusting this product with their security data, and if the product itself is [insecure], it's un-trustable and you can't have faith in the veracity of that data," she said. Still, the vendor was unmoved, claiming no one would ever find the glitch. Alder was by this point annoyed. She had found the problem, so others could too. But the vendor simply refused to fix the problem. "Now, if I had been doing this as an independent researcher, I would have posted [it] to Full Disclosure (a security mailing list) at that point. However, since I was working for a company, disclosure was in their hands and not mine, and they chose not to say anything. So the vulnerable product is still out there. "I was explicitly told that I would be sued to the tune of several million dollars if I ever violated my NDA [non-disclosure agreement] and revealed the vulnerability. This is why closed source security is bad. Lesson learnt ... any vulnerability research I do from here on out is my own, and I will be answerable to nobody but myself for disclosure," she said. It could be this experience which has dimmed her view of the industry as a whole. There are good people in the security space, she says, but there are also some bad eggs. "The root problem that the security industry has is ... unscrupulous people selling to an uninformed market. The managers buying security products don't understand security at all, and so they trust the vendors to tell them what is best," Alder argued. "And somehow, conveniently, what is best has a great overlap with whatever that particular vendor happens to be selling." However, it's not just the vendors who are to blame. To a certain extent, Alder said, end-users engage in an "ignorance is bliss" management philosophy. "Many companies just want to be able to throw money at a product and feel secure. They're uninterested in understanding security or changing their habits and environment. Unfortunately, that's not the way that a successful security program works. People who understand security are necessary, and in chronically short supply," she said. "[Companies] have the latest and greatest firewall that nobody has ever bothered to configure, or a very expensive intrusion detection system (IDS) that nobody has the understanding to tune." Alder monitors the nessus.org IDS. Nessus is an open-source vulnerability scanner, so one might expect some sophisticated attacks against that domain but this is not always the case. "Sadly, most of the attacks that people threw at it were pretty stupid -- 'Oooh, I downloaded Nessus! Hey, I'll run Nessus against Nessus!'. I did see some exploit attempts that were fairly similar to the successful attacks against Debian and Gentoo at about the same time, though, so that was neat. And they didn't get in!," she recalled. It seems Alder genuinely enjoys her work, and gets some thrills through some unlikely pursuits. "Hiking, rock climbing, camping. I'm also an avid reader -- I have a taste for science fiction and fantasy, but I'm also fond of archaeology, linguistics, history, particle physics, and biology," she said. In her spare time, she downs chai while arguing philosophy with friends. To aspiring hackers, Alder has this piece of advice: "Learn TCP/IP or the internals of your operating system of choice. Ideally, learn both. Don't just be a script-kiddie who downloads an attack program off the Internet and think that's cool. "Understanding what you're doing is more cool. Having the know-how to develop a new and innovative attack or to develop a creative defence is a lot more impressive than 'dude, I sniffed your Hotmail password'." -- Patrick Gray. _________________________________________ ISN mailing list Sponsored by: OSVDB.org
This archive was generated by hypermail 2b30 : Tue Apr 20 2004 - 02:14:50 PDT