http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9003000 By Ira Winkler September 05, 2006 Computerworld I had some issues with last week's Computerworld.com column from Frank Hayes on "quack hackers" -- specifically, with his apparent belief in hackers as some generally noble breed. I believe I first met Hayes when he covered my presentation at the Black Hat conference back in 1997 or so, where I'm sure he also gained exposure to some of the less-than-honest "honest hackers." I also believe that he has enough exposure to see through the stereotypes that are out there. The hacker stereotype is that of a socially inept genius spending all his free time in isolation in front of his computer -- driven by never-ending curiosity, striving to understand the intricacies of computer systems and breaking through social and technical barriers to overcome adversity and make the only true advancements in computer security. Again, that's the stereotype. I have to admit that the socially inept aspect appears to be accurate (see "So, what's wrong with being an introvert?"). The rest of it, including the genius part, is more hype than fact. True, there are some genuine geniuses in the so-called hacker community, but those people are few and far between. Just as there are a few people who scrawl graffiti who demonstrate true artistic talent, there are a few hackers who demonstrate genuine technical ability. And just as a great many graffiti vandals mistakenly claim to share the talent of those rare artists, there are many, many people who meddle with computers and like to think that describing themselves as hackers puts them in the same category as the few brilliant hackers out there. I'll grant that there may have been a justification of sorts for hackers to infiltrate systems, once upon a time. The original hackers may have had to intrude on computer systems because there were few available, and information about how to work the computers was even more sparse. They had to access the telecommunications networks to get into computers so that they had any access to one. By the 1990s though, computer intrusions were wholly unnecessary; computers were and are readily available, as is reasonably thorough documentation. As systems and documentation became more widely available, the emphasis on actual technical prowess diminished, and we saw the rise of hacking scripts. Those prewritten tools allowed any inept person to take over a system that was ineptly protected -- hence the derisive term "script kiddie" for a person who cares more about attacking a system than learning about it. The widespread hacks that we see these days -- the ones that can be reliably traced -- are generally the result of someone wanting to be considered "l33t" rather than a display of technical prowess. Essentially, it's criminal activity that results from too much free time, again not unlike graffiti. There are many highly technical people out there who make tremendous discoveries and help improve security products, but they aren't hackers in the current sense. They do it for the challenge, not for social recognition. Of course, havoc-wreaking crackers have been perpetrating hoaxes long before Black Hat was around, creating rumors that have become myths. Many self-anointed hackers discover and report vulnerabilities that have been long since corrected. Then there was the hacker who garnered a great deal of media attention by claiming to organize a vigilante campaign against online child pornographers; that soon turned out to be a hoax. Then came the incident that should have permanently shut the door on the "honest hacker" shtick: the 1999 uproar when Cult of the Dead Cow, a particularly high-profile group of hackers, passed out CDs of the newly released version of the Back Orifice hacking tool at DefCon. Those CDs were "somehow" infected with the Chernobyl virus. Cult of the Dead Cow spokespeople claimed it was an accident, but do you really believe that some of the most security-savvy hackers around happened to not notice an infection from such a widespread, high-profile virus? The Black Hat conferences were designed to be a professional-grade DefCon event, one dedicated to security professionals even as the original show continued its evolution into an event for the script kiddies and professionals trying to fit into the hacker community. Black Hat, with its premium entrance fee, was intended to attract computer professionals who wanted in-depth technical knowledge about trends and techniques. From a business perspective, it was a brilliant expansion of the DefCon brand -- the very name, Black Hat, was both selling point and stigma. (As a matter of fact, I had a falling out with my employer at the time for being the first keynote speaker at the event.) The fee made the audience much more select, and while many of the sessions were repeated at DefCon the following weekend, it seemed to fill a void somewhere between the professional conferences that were weak in technical depth, and the Usenix security conferences that seemed to attract mainly academics and researchers. Years later, much of the press that comes out of Black Hat is related to the release of newly discovered vulnerabilities. Black Hat seems to have some of the most stringent submission guidelines around -- after all, it is prestigious to be a speaker at the event, and guidelines work to weed out the speakers who would waste attendees' time. But there is also a strong bias towards releasing new hacks -- so new that would-be reviewers don't get the opportunity to verify researchers' claims. It makes sense in some ways, but when it goes wrong ... well, we just saw what happens when it goes wrong. This year's events were the direct result of Black Hat review policies. I know several people who are (or at least were) reviewers for Black Hat, and I know that they have the technical skill to verify hacks. Frankly, given past hacker antics, faking vulnerabilities for the sake of getting attention at Black Hat was inevitable. Considering the trouble last year's Michael Lynn's presentation caused, one would think there'd be a serious push to verify what researchers were presenting at this year's conference. Obviously, one would be wrong. Genuine security researchers would not wait to reveal vulnerabilities at Black Hat. They would contact the vendor responsibly as soon as they discover the problem to have it corrected. On the other hand, hackers looking to make waves understand the effect of announcing vulnerabilities at Black Hat in front of all the media, who naturally write up the announcements themselves as news. Sadly, the upshot is that the event itself is now less prestigious, as Hayes observes. Unfortunately, the Black Hat conference's review process for evaluating new hacks doesn't seem to match the stringency of its paperwork requirements for nonhacking sessions. With such a flaw in the system, faked Black Hat demos are all but inevitable. Maybe we should give these would-be hackers credit: They might not have hacked Apple or Cisco, but they did hack Black Hat. _________________________________ HITBSecConf2006 - Malaysia The largest network security event in Asia 32 internationally renowned speakers 7 tracks of hands-on technical training sessions. Register now: http://conference.hitb.org/hitbsecconf2006kl/
This archive was generated by hypermail 2.1.3 : Tue Sep 05 2006 - 23:21:15 PDT