[ISN] Hackers: Under the hood - Brian Martin aka Jericho

From: InfoSec News (isn@private)
Date: Wed Apr 21 2004 - 04:13:59 PDT

    http://www.zdnet.com.au/insight/security/0,39023764,39116620-3,00.htm
    
    Name: Brian Martin
    Handle(s): Jericho, Security Curmudgeon
    Age: 30
    Place of birth: South Carolina, USA
    Marital status: Single
    Current residence: Colorado, USA
    Job: Independent security consultant
    First computer: Tandy TRS-80
    Best known for: Creating computer security Web site attrition.org
    
    
    The name Brian Martin might not ring a bell in the security sphere but
    "Jericho" certainly would.
    
    Martin is known for his work behind attrition.org, an online resource
    famous for cataloguing defaced Web sites and security vulnerabilities.
    
    He cheerfully admits to "hacking his brains out" in the past. If he
    was a burglar, Martin would be the type who'd break in and clean up
    your house.
    
    College life was cut short in his second year at architecture school.  
    "I dropped out because I thought the program was horrid and they
    weren't modern," he said. Despite studying architecture and drafting,
    he wasn't allowed to use a computer to complete assignments.
    
    One of his silliest hacks, he told ZDNet Australia, was "breaking
    into a machine to run 'satan' [a vulnerability scanner] after its
    release only to find that we had to install Perl and a new gcc
    [compiler] for the admin because satan wouldn't compile."
    
    "You could tell a hacker [was in] a system back then ... it ran
    smoother than any other on the network. Every system we hacked was
    made more secure, stuff fixed and upgraded, and boxes were more
    streamlined.
    
    "It took us a full day to get the machine [to] run satan. We ran it
    once, laughed, and never used it again," he said.
    
    One time, paranoia got the better of him.
    
    "I hacked into the phone switch to see if there was a trace on my line
    ... if there was, my 'investigation' would have been recorded. Back
    then, half the phone switches had no login. [You'd] connect, ctrl-d to
    'wake it up', and you'd have access to 200,000 phone lines," he
    recalled.
    
    But those were memories from a bygone era. Today, he's a reformed
    character.
    
    Sharing his life with three cats, Martin works as a freelance security
    consultant. But he's damning in his condemnation of the security
    industry.
    
    "I think the industry sucks. It's self-destructing and overrun with
    criminals of one type or another," he said. "Everyone is out for a
    dollar, they don't care about security any more. It's all about name
    recognition, egos and cheating people out of money. [It] has been for
    a while ... to the point where I just don't like it."
    
    It's the dishonesty and lack of "real" skills that annoys him the
    most. Then there's the rampant practice of overcharging for products
    which Martin describes as "shoddy, band-aid solutions".
    
    "Think about it. Consultants are hired to tell customers what security
    they need but they overcharge these clients, lie about the solutions
    ... that's fraud ... the industry is full of criminals," he said.
    
    Thumbing through his resume is a sobering experience. As a supporter
    of infamous hacker Kevin Mitnick -- who has been imprisoned three
    times for computer crime -- Martin sifted through 10 gigabytes of
    electronic evidence and 1,600 pages of witness testimony in his role
    as a technical consultant for the defence team.
    
    As testament to his versatility as a public speaker, Martin has also
    delivered presentations to law enforcement agencies, at the famous
    DefCon hacker conference, and Blackhat briefings.
    
    Despite his accomplishments, he once thought about throwing it all
    away but realised he couldn't bring himself to disconnect from the
    industry completely. "I like osvdb, and I like my friends in the
    industry, and working a few days a month to live comfortably is nicer
    than 40 hours a week in a store," he says.
    
    Osvdb is the Open Source Vulnerability Database, a vast online archive
    of security vulnerabilities, maintained in part by Martin, who formed
    many of his friendships online.
    
    "I'm still good friends with people I met online as far back as 1995,"  
    he said. "I met all of the attrition staff online at first, [and]
    eventually in person. It started out with a few mails, turned into
    chat for most of the day and eventually led to meeting."
    
    "Attrition started with two or three of us, and the rest got involved
    as they found a piece they wanted to help with," he added.
    
    Martin draws no distinction between online communications and
    face-to-face interaction, and believes anyone who thinks it strange
    just doesn't understand.
    
    "If you meet someone and become good friends through talking and
    hanging out, then he moves across the country, do you stop being
    friends with him? Of course not.
    
    "Is it really any different that instead of a face-to-face chat, it's
    done via text? Does it invalidate our conversations, what we talk
    about, how we choose to bond, and how we become friends?"
    
    Friends for life is obviously his mantra ... be they virtual or
    otherwise. -- Patrick Gray.
    
    
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org
    


