[ISN] Hackers: Under the hood - Raven Alder

From: InfoSec News (isn@private)
Date: Tue Apr 20 2004 - 00:32:26 PDT

  • Next message: InfoSec News: "[ISN] Linux Security Week - April 19th 2004"

    http://www.zdnet.com.au/insight/security/0,39023764,39116620-2,00.htm
    
    Name: Raven Alder 
    Handle(s): Raven 
    Age: 28 
    Place of birth: Mississippi, USA 
    Marital status: Single 
    Current residence: Maryland, USA 
    Job: Security consultant, True North Solutions 
    First computer: Home-built 8088 machine in 1988 or so 
    Best known for: Tracing spoofed distributed denial of service attacks 
    Area(s) of expertise: ISP backbone networking, protocol decoding and 
    design, Linux/BSD security, and cryptography 
    
    What's the difference between male and female hackers?
    
    If you ask Raven Alder, she might let out a string of expletives
    because gender is a non-issue.
    
    Alder was the first woman to deliver a technical presentation at the
    famed DefCon hacker conference in Las Vegas. But don't harp on it. If
    there's one thing she hates, it's being type-cast as a "chick hacker".
    
    "If I never read another 'she's going to save the Internet' article or
    have a reporter wanting me to pose by the pool at DefCon with a life
    preserver, it will be too soon.
    
    "One popular magazine's 'do you think girl hackers should date boy
    hackers?' left a bad taste in my mouth, too. Nobody asks the guys this
    stuff, and finding myself a 'boy hacker' is not really tops on my list
    of things to do this weekend," Alder said.
    
    Born into a fairly well-to-do family, it was clear that Alder was a
    brainiac from a young age.
    
    "I skipped three grades and was taking college classes at 12,
    graduated high school at fourteen and college at eighteen," she said.  
    "My parents very much encouraged my sister, brother and me to be
    academic achievers."
    
    Alder has the markings of an uber geek, but her lifestyle is far from
    sedentary.
    
    "Mom put all three of us through martial arts [Shorin Ryu Matsumura
    discipline] for at least a year. She wanted us to be able to defend
    ourselves. After that, it was our decision whether or not to
    continue," she explained. "My kid sister quit and did gymnastics
    instead, making it almost all the way to being an Olympic-class
    gymnast before quitting to become the captain of her high school
    cheerleading squad ... [but] I continued."
    
    Alder first dabbled with computers in 1985, fiddling with her school's
    Apple II, but didn't get serious until after graduate school.
    
    "I went to Virginia Tech in an entirely unrelated discipline, but you
    can't attend that school without becoming at least basically
    technically competent," she explains.
    
    Despite becoming quite involved with geekish pursuits, Alder says her
    social life hasn't suffered at all.
    
    "If anything, it's made it more to my tastes. I like geeks," she
    confessed. "I'm far more likely to enjoy the company of the folks I
    see at dc-securitygeeks meetings than I am of the people I'd see at my
    neighbourhood bar. I've met a variety of fascinating people through
    hacking, and some of them are now close friends."
    
    Alder hasn't taken a holiday "that didn't involve computer security"  
    for around five years. "Most of my vacations are something like, 'Oh,
    I'll go to Ottawa Linux Symposium, that will be fun!'," she said.
    
    While her parents have been supportive, Alder's father is sometimes
    rattled by the idea of his child hanging around with "hacker types".  
    When she called to tell him she'd be presenting at a computer security
    conference "he went to brag to his security officer friends". But the
    thrill didn't last too long.
    
    "DEFCON? Do you know what that is? It's full of HACKERS!" her father
    said.
    
    It took her 30 minutes to deliver the "hackers-are-not-bad" speech.
    
    But it's not all smiles and sunshine in the security business for
    Alder -- she once found a serious vulnerability in a "very popular
    security product".
    
    "I wrote up some proof of concept exploit code, and took it to my
    boss," she explained. The makers of the product didn't really seem to
    care about the issue nor want to fix it.
    
    "I carefully explained the importance of the problem, and the possible
    ramifications of exploiting it. People are trusting this product with
    their security data, and if the product itself is [insecure], it's
    un-trustable and you can't have faith in the veracity of that data,"  
    she said. Still, the vendor was unmoved, claiming no one would ever
    find the glitch.
    
    Alder was by this point annoyed. She had found the problem, so others
    could too. But the vendor simply refused to fix the problem.
    
    "Now, if I had been doing this as an independent researcher, I would
    have posted [it] to Full Disclosure (a security mailing list) at that
    point. However, since I was working for a company, disclosure was in
    their hands and not mine, and they chose not to say anything. So the
    vulnerable product is still out there.
    
    "I was explicitly told that I would be sued to the tune of several
    million dollars if I ever violated my NDA [non-disclosure agreement]
    and revealed the vulnerability. This is why closed source security is
    bad. Lesson learnt ... any vulnerability research I do from here on
    out is my own, and I will be answerable to nobody but myself for
    disclosure," she said.
    
    It could be this experience which has dimmed her view of the industry
    as a whole. There are good people in the security space, she says, but
    there are also some bad eggs.
    
    "The root problem that the security industry has is ... unscrupulous
    people selling to an uninformed market. The managers buying security
    products don't understand security at all, and so they trust the
    vendors to tell them what is best," Alder argued. "And somehow,
    conveniently, what is best has a great overlap with whatever that
    particular vendor happens to be selling."
    
    However, it's not just the vendors who are to blame. To a certain
    extent, Alder said, end-users engage in an "ignorance is bliss"  
    management philosophy.
    
    "Many companies just want to be able to throw money at a product and
    feel secure. They're uninterested in understanding security or
    changing their habits and environment.
    
    Unfortunately, that's not the way that a successful security program
    works. People who understand security are necessary, and in
    chronically short supply," she said.
    
    "[Companies] have the latest and greatest firewall that nobody has
    ever bothered to configure, or a very expensive intrusion detection
    system (IDS) that nobody has the understanding to tune."
    
    Alder monitors the nessus.org IDS. Nessus is an open-source
    vulnerability scanner, so one might expect some sophisticated attacks
    against that domain but this is not always the case.
    
    "Sadly, most of the attacks that people threw at it were pretty stupid
    -- 'Oooh, I downloaded Nessus! Hey, I'll run Nessus against Nessus!'.  
    I did see some exploit attempts that were fairly similar to the
    successful attacks against Debian and Gentoo at about the same time,
    though, so that was neat. And they didn't get in!," she recalled.
    
    It seems Alder genuinely enjoys her work, and gets some thrills
    through some unlikely pursuits. "Hiking, rock climbing, camping. I'm
    also an avid reader -- I have a taste for science fiction and fantasy,
    but I'm also fond of archaeology, linguistics, history, particle
    physics, and biology," she said.
    
    In her spare time, she downs chai while arguing philosophy with
    friends.
    
    To aspiring hackers, Alder has this piece of advice: "Learn TCP/IP or
    the internals of your operating system of choice. Ideally, learn both.  
    Don't just be a script-kiddie who downloads an attack program off the
    Internet and think that's cool.
    
    "Understanding what you're doing is more cool. Having the know-how to
    develop a new and innovative attack or to develop a creative defence
    is a lot more impressive than 'dude, I sniffed your Hotmail
    password'." -- Patrick Gray.
    
    
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org
    



    This archive was generated by hypermail 2b30 : Tue Apr 20 2004 - 02:14:50 PDT