This post first appeared in the Internet Security section of The Industry Standard in the year 2000.
The Kids Are Alright
When I was a lad growing up in the deserts of New Mexico, there were certain toys and certain skills that we were expected to have by around the age of sixteen. One of these involved being familiar with guns, and in keeping with the spirit of the Wild West, I bought a pump-action BB rifle at the age of twelve (despite my mother’s worries) and began to set up a target range of old cans and bottles in the backyard. My sister ratted on me, as sisters will do, and after I got yelled at by my mom, my dad took the gun away. The following weekend, however, he asked me to come with him on a dump run. Arriving at the dump, we were met by my Uncle Jim, a Vietnam vet turned self-styled cowboy who sported a handlebar mustache and wore a sidearm around his waist. I was taken to the woods with the men, and we spent a day shooting off real guns, including a .22 rifle, a 9mm pistol, and a .357 Magnum whose kickback made my arm so sore I thought I’d never fire a gun again. But we went back the following weekend, and Uncle Jim taught me all about guns: how to hold a gun, how to carry a gun, and how to aim, shoot and fire both pistols and rifles. Also how to clean and field-strip a gun, in the event I ever found myself in a combat situation.
These aren’t skills that I need, as a left-leaning pacifist living in the big city. And as a MUNI rider in San Francisco, I also don’t need to know how to change a spark plug, adjust my carburetor, or unstick a butterfly valve on a cold winter morning, but these are skills I have anyway, thanks to my years as a wanna-be hotrodder. And I certainly don’t need to know how to hot-wire a car, a skill I picked up on my sixteenth birthday, when a good friend heard me say I had no idea how to do it, and proceeded to crack the steering column on his own vehicle to show me how. These days, hot-roddin’ has given way to exploring the computer and all its secrets as the skill kids want to know.
Living as we do in a networked world, knowing how to do the internal wiring on an extra phone line and setting up a DSL connection without reading the manual are skills that any self-respecting kid thinks they ought to know. Some kids take it a little further, of course, and learn all kinds of tricks about their computer, which has a lot of people scared about what the kids are doing down in the rec room with the Internet connection going all night long. And maybe we ought to be scared about what they’re doing down there – but it just might be that they’re learning the hazards of the networked world in order to protect themselves – and the rest of us – from a reality we’re going to be living in for a long, long time.
When I was fifteen, I decided I wanted to be a hacker. My image of hackers was all about Matthew Broderick in the 1983 movie “War Games,” whose poster I had hanging on my wall in my room. From the film I learned that a hacker was introverted but smart, funny, but lacking in social gifts, and yet marked by a deep desire to get inside a complex problem until it took over his very being.
Impressed by an ad campaign that smelled of a bright clean future that I wanted to be a part of, I bought my first computer – a Commodore 64. Consisting of a tan plastic keyboard that could be plugged into the family TV set, the 64 sported 64K of memory, the Commodore 64 Basic programming language, and a modem, an exotic device that delivered incredible speeds of up to 300 baud. It also came with one game – Jumpman, which I quickly mastered and discarded to make an attempt at learning Basic. I made a ball bounce across the screen, wild color displays and flashing greeting cards, before running out of exercises to copy out of the manual that came with the machine. Moving on, the modem also proved to be disappointing – CompuServe was expensive, and the local BBSs I managed to find were either run by kids obsessed with Dungeons and Dragons or by scientists from the laboratories in Los Alamos, and I didn’t fit easily into either group. And then I discovered a word processing program, and with the help of my dad, I bought a disk drive so I could save my earliest writings, which still float around on 5.25” floppy disks somewhere in my parents’ house. In the span of three months, the computer – this wild toy of the future – had become little more than a typewriter with a screen, and for a while it sat expectantly in my room waiting for my latest writings, only to be sold the following summer for $50 to a twelve-year-old down the street.
But for other kids, the computer held a lot more fun and promise than an electronic shoebox in which to store the poetic meanderings of adolescent angst. The kid who bought my machine, for example, started his own dot-com in 1994 and retired late last year. For kids like him, first languages like 64 Basic led to Logo, then Fortran, then C. These kids can now be found working at places like Microsoft, Oracle, or at one of the thousands of start-up software companies in any one of the dozens of high-tech epicenters scattered across the world. And for others, the computer’s modem became a gateway to communication with people around the world.
Deth Veggie, a hacker old-timer at the ripe old age of twenty-seven, was just such a kid.
Deth Veggie is the alias of a hacker aligned with the hacker gang known as “Cult of the Dead Cow.” CDC is one of the oldest continuously affiliated hacker groups on the Internet. Together since 1984, the Cult of the Dead Cow embodies many of the attributes of the hacking community – a steadfast desire to understand the intricacies of computer systems, a desire to share that knowledge with others, and a penchant for self-aggrandizement that is embodied on their website and through their outrageous performance antics each year at DefCon.
A member of the hacker group Cult of the Dead Cow since 1989, Deth Veggie was raised in a small town in rural New England. Veggie’s dad worked for a computer company called Digital, and Veggie had computers around him from the time he was five years old.
“At first, I played games on the computer,” said Veggie. “But soon I discovered that there was a way to use the computer to talk to other people. DEC had a program called DECnotes – forums, like CompuServe, where you could post messages about things you were interested in.”
And once Veggie posted something he began to receive his first replies – a conversation had begun. And he was hooked. Soon he discovered BBSs, bulletin board systems set up by people in their rooms with a computer and a phone line, and then he was calling all over the country hooking up with new friends and having new conversations. But there was a catch – the phone bills, which began to pile up. There were friends out there to talk to, and Veggie, at twelve, was a little young for a job to pay for all those bills. And so Veggie graduated, then and there, from a kid with a desire to talk to other kids to a kid who needed to know how to get around those bills. At that point, Deth Veggie became a hacker, starting first with the phone system, which earned him the skills of the nearly dead art form known as “phone phreaking.”
According to “The Hacker Dictionary,” an online compendium of all things hacking, phone phreaking is defined as “the art and science of cracking the phone system” to make long-distance phone calls for free. Perhaps the earliest form of hacking, it arose in the late ’60s and early ’70s, coinciding with the civil unrest taking place in the country, as a means of getting back at “The Man” and his sprawling communications systems. One of the most notable phone phreaking hacks, for example, was discovered when a guy named John Draper figured out that you could use a give-away whistle inside a box of Captain Crunch cereal to re-create the 2600mhz tone that a pay phone needed to hear to give you all the free long distance you could want. That hack was popularized by no less than Yippie leader Abbie Hoffman, who published it in his long-dead-but-not-forgotten newsletter “The Youth International Party Line.”
But hacking as we know it dates back even further than that – to the early sixties at least. According to Steven Levy’s “Hackers”, a seminal classic of hacker life and lore, hacking began at MIT, when the “hulking giants” of mainframe computing took up entire rooms, and took its name from a model railroad club that referred to its members as hackers, who all soon graduated from model railroad track hacking to messing around with those big old giants that took their orders from paper punch cards. Before long, “hacking” came to refer to the programming shortcuts necessary in an age of limited computer time. But the hackers as we know them today – the smart kids cruising through cyberspace looking for holes in the security walls that keep them from roaming with abandon – began in the late ’70s, when the rise of the personal computer begat the rise of the BBS, bulletin board systems that those few people with personal computers could dial into with their modems to post text files and chat with one another. In the 1980s, IBM released the PC to the masses, and the colonization of cyberspace began in earnest. While BBSs were social hangouts for the young computer enthusiasts of the time, they also became pass-along points for hacker-related material. By the mid-’80s, hacker gangs had begun to form and wreak havoc on machines (generally each other’s) across the Internet. The Legion of Doom and Master of Destruction led the way for hacker exploits, and eventually, the FBI intervened and began to arrest people for computer crimes. In 1986 Congress passed the Federal Computer Fraud and Abuse Act, which offered up to five years in jail for computer crime, and soon the arrests that would make hackers an ugly anti-hero began to make headlines.
Today, the perception of hacking is mixed, even among hackers themselves. In the mid-’80s, hackers incensed by media use of the term “hacker” to describe computer criminals coined the term “cracker” to differentiate between the two.
“Hacking,” said Deth Veggie, “isn’t really a new term. It refers to anyone who wants to take something apart so he can put it back together better than it was before. And it just so happens that what captures everyone’s attention for improvement these days is the computer.”
Today’s hacker strives to get down deep with the code that all those fancy computers run on, and hack away, hack away, hack away at the innards of silicon and ones and zeroes in order to come up with that “ultimate hack” that will satisfy the pleasure of a job well done and earn the respect and admiration of peers spread all across the world.
In any case, this is the image of the hacker that we used to know. But these days, the image of the hacker has become much-maligned, as everyone from journalists to government officials to captains of industry bemoan the hacker and their desires to get inside the machine – because chances are quite good that some hacker may actually try to get inside your machine in his quest for the ultimate hack.
But the hacker image problem might be changing. Recently, standing at the podium on the stage of DefCon, the ultimate hacker convention that takes place each year in San Jose and hosts thousands of young acolytes in the art and lore of computer hacking, no less a noble personage than Assistant Secretary of Defense Arthur Money dangled the prospect of a “job with the DoD” for those hackers with the right skills and the desire to help the government fight the war against cyber-terrorism, in the interests of national security.
Chances are good that most anyone with enough experience to work for the DoD scoffed at the offer – for most of them are pretty well aware that they can make a lot more money working with industry. But nevertheless, the appearance of Money at DefCon may mark a sea change for hackers, long perceived as a rogue element themselves, and now, perhaps, the country’s greatest defense against war in the wires.
And if the US were to hire hackers to help with its security forces, it wouldn’t be the first country to do so. Recently, India’s National Cyber Cop Committee has taken on some hacker advisors to help the Committee combat cyber-crime in that country. (Reuters)
“We’ve received several calls asking why we’re interested in recruiting hackers to work for us,” said DoD spokesperson Susan Hansen. “We’re aware that DefCon is a gathering place for some of the best minds in the computer field, and Mr. Money thought it would be a good idea to fish where the fish are, so to speak, and let people know that the DoD is interested in the best and the brightest to work on IT and computer security issues.”
According to Hansen, Money’s office has been interested in reaching out to computer enthusiasts and hackers since the formation of the Department’s Joint Task Force on Computer Network Defense. Formed in December of 1998 by Secretary of Defense William S. Cohen, the JTF-CND, as it is referred to in the acronym-filled world of the military, is in charge of coordinating DoD efforts to prevent unauthorized intrusions into its computer networks. Located at US Space Command in Colorado Springs, Colorado, the JTF-CND employs approximately forty people who track viruses and unauthorized intrusions and handle information assurance training for those who have access to classified data. “The most prominent threat we see today are distributed denial-of-service attacks and viruses,” said spokesperson Major Barry Venable. “We also look to guard against potential threats. Not only do you have to protect your networks, but we also safeguard our networks – training personnel to understand the proper usage of passwords, virus protection programs, and other safety measures we have in place.”
According to Venable, there was no single event that led to the formation of the JTF-CND, but rather a series of events, including an increased awareness within all branches of government of the need to create a “culture change” around the issues of information assurance, following the case involving former CIA director John Deutch removing classified information from CIA headquarters to his home on his Macintosh laptop. Recognizing that many security breaches, like this one, occur through human error and ignorance of the issues, the JTF-CND coordinates efforts to ensure against any future breaches. As for attempted intrusions against non-classified DoD networks, Venable confirmed that they have grown exponentially since 1994 – the year the Web was invented.
“Just to give an example, in 1994 we had approximately 295 attempts, while in 1999 there were close to 8000,” he said. “Of course, you have to bear in mind that part of the reason for the increase in attacks came as a result of the fact that we now have an organization – the JTF-CND – dedicated to finding and tracking these attempted intrusions.”
Ben Williamson is a twenty-one-year-old system administrator and security consultant living in Los Angeles. At six foot four, he’s the kind of kid you’d expect to see running around the park playing football, but when I meet him he’s running through Linux commands on his computer terminal. He got involved in computers three years ago when an injury sidelined him from the field, and he started noodling around with his computer to figure out how it all really worked. A devout Macintosh user, Williamson started hanging out on the script sites that are sprinkled across the Internet, and using the scripts to figure out how the Internet fit together. Beginning alone in his room with a cast on his arm, within a matter of months Ben was hooking up with other proto-hackers all over the Internet. Spending time at script sites, and tracking the exploits of other hackers through sites such as attrition.org (see side-bar “The Hacker Press”), Ben created a handle and began watching what others were doing, and following in turn.
Williamson began to contact other hackers via e-mail after “meeting” them through IRC (Internet Relay Chat), on local and national BBSs, and finally, through conferences and live meetings. But he says that the best hackers he’s met are the ones he found through reading the code notes of various shareware programs and discovering the identity of their authors. “Comments in people’s code say a lot about the kind of people they are,” said Williamson. “By reading their code, you can see their thought processes and how they approach a problem.” Eventually, Williamson hooked up with a hacking group whose members span the globe. In his group, there’s a hierarchy of sorts that revolves around a mentor, two peers, and two students for every member of the group.
“Essentially, we arrange ourselves in such a way so that everyone has a mentor above – someone who knows more than you do; a peer at either side, to call upon for help in solving new problems; and two students below. In this way, each of us is always learning, always teaching, and we always have help from someone who more or less knows the same things we do.”
Williamson’s group dedicates itself to software problem-solving and teaching the ethics of proper hacking to new students. “Initially, people get involved with hacking because they’re curious, and then they turn to malicious hacking out of a desire to show off their skills,” said Williamson. “What we try to do is to take on students who show promise and then we turn them onto problems that are actually worth solving, so that they’re not wasting their time out there destroying things.”
Problems worth solving include the development of open-source software, such as the Linux operating system, which has been cobbled together by a world-wide ad hoc consortium of hackers like Williamson and countless others since the program’s creator, Linus Torvalds, released the source code on the Internet in 1992. “Beyond a certain point,” said Williamson, “you only have three directions to go with hacking: you can either keep doing the same old tricks, like spoofing, bombing, and website hacking, or you can get serious and become a real criminal cracker. Or, you can take the skills you picked up while you were figuring things out and use those skills wisely, to build new software and create a more secure Internet.”
In addition to Linux development, there are all kinds of other projects for reformed hackers to be involved with on the Internet, such as the ones found at sourceforge.net, an online software development environment where hackers who’ve traded in their network-breaking skills for software-creating ones come to congregate, share information about positive hacks, and get involved with online software building projects.
At sourceforge.net, the number-one ranked programmer is a man by the name of Eric Raymond, whom many consider to be one of the best hackers on the Internet. As the author of “The Cathedral and the Bazaar,” a book about the development of Linux, and the keeper of the online hacker compendium known as “The Jargon File,” Raymond holds near and dear the idea that trickster hackers eventually reform themselves to become upstanding cyber-citizens interested in building a better Internet.
What Hackers Can Do – and How They Do It
You log into your e-mail account and discover that your inbox contains hundreds of messages. You receive e-mail from your boss telling you that you are a nincompoop and you’ve been fired. Or you wake up one morning to find that your company’s home-page has been taken down, only to be replaced by the logo of some hacker gang and some random propaganda. Suddenly, you realize that the AOL-friendly voice of cyberspace, “You’ve got mail,” has been replaced by a spine-tingling cackle: “You got hacked.” Welcome to the scary fringe of the digital frontier.
Hackers who engage in mischievous and malicious activity have a number of tactics for wreaking digital havoc, including mail-bombing, mail-spoofing, and web defacements. These “nuisance attacks” can have serious consequences, particularly if you or your company is the victim. In mail-bombing, a single e-mail is sent to your machine or server hundreds or thousands of times over, with the intention of crashing your mail server and rendering it inoperable. In mail-spoofing, an e-mail is sent to a victim with a “spoofed” header that makes it appear to come from someone else – funny if you receive a holiday greeting from someone posing as firstname.lastname@example.org – not so funny if your boss receives a mail from you telling him you’ve quit your job. Perhaps the most publicly visible form of hacking is webpage defacement. A kind of digital graffiti, webpage defacement has taken on epic proportions across the Internet, and represents one of the more colorful aspects of the modern hacker world.
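As an added illustration, not part of the original article, here is a small defender-side check for the spoofed-header problem just described. It parses a message and compares the domain claimed on the From: line with the host that actually handed the message to our own mail server, as recorded in the topmost Received: header (the one our server wrote). The two sample messages, the host names and the addresses are constructed for the example; the corporate domain and the Received: formatting are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the From: line claims the boss, but the message was
# handed to our server by an unrelated dial-up host (hosts/addresses invented).
SPOOFED_MESSAGE = """\
Received: from dialup-42.example-isp.net (dialup-42.example-isp.net [203.0.113.42])
\tby mail.example-corp.com (Postfix) with SMTP id 4A1B2C
\tfor <you@example-corp.com>; Mon, 10 Jan 2000 09:12:00 -0800
From: "The Boss" <boss@example-corp.com>
To: you@example-corp.com
Subject: Your position

You are fired, effective immediately.
"""

# Constructed sample: same claimed sender, but handed over by a relay inside
# the company's own domain.
LEGIT_MESSAGE = """\
Received: from mx1.example-corp.com (mx1.example-corp.com [192.0.2.25])
\tby mail.example-corp.com (Postfix) with ESMTP id 7D8E9F
\tfor <you@example-corp.com>; Mon, 10 Jan 2000 09:30:00 -0800
From: "The Boss" <boss@example-corp.com>
To: you@example-corp.com
Subject: Meeting moved to 10:00

See you there.
"""

# Matches the "from <host>" clause at the start of a Received: header value.
RECEIVED_FROM_RE = re.compile(r"^\s*from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def claimed_domain(msg):
    """Domain part of the From: address, or None if there is no usable address."""
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def handing_host(msg):
    """Host named in the topmost Received: header, i.e. the machine that
    connected to our server. Received: headers are prepended as mail travels,
    so index 0 is the hop our own server recorded."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_FROM_RE.match(received[0].replace("\n", " "))
    return m.group(1).lower() if m else None


def looks_spoofed(raw_message):
    """True if the handing host is outside the domain the From: line claims,
    False if it is inside it, None if the headers do not allow a decision."""
    msg = message_from_string(raw_message)
    domain = claimed_domain(msg)
    host = handing_host(msg)
    if domain is None or host is None:
        return None
    return not (host == domain or host.endswith("." + domain))


if __name__ == "__main__":
    for label, raw in (("spoofed sample", SPOOFED_MESSAGE), ("legit sample", LEGIT_MESSAGE)):
        print(label, "->", looks_spoofed(raw))
```

This is deliberately a crude heuristic: a real user sending through a webmail gateway or an outside relay would also be flagged, which is why the check returns a verdict for a human or a scoring filter rather than silently dropping mail. The same idea, made rigorous and published by the domain owner, is what SPF and DKIM later standardized.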
Just three days after the turn of the millennium (and just in time for the Apocalypse), the website homepage of Sandia National Laboratories was defaced by forces unknown. Located in the deserts of New Mexico and known primarily for its contributions to weapons research, the Lab’s home-page was littered with all manner of foul obscenities, penned in crude HTML code and rendered in the primary colors of red, blue, and yellow. The defacement included shout-outs to friends and comrades, a quote attributed to Jesus Christ, and the following tidbit, which was cited as ‘satan’s prayer’: “Dear lord, i call upon all the powers of your dark forces to deliever me into the pits of hell were i was born.”
(The Sandia defacement is mirrored at http://www.attrition.org/mirror/attrition/2001/01/03/antares.cmc.sandia.gov/.)
Relatively easy to accomplish by most hacking standards of competency, webpage defacement offers the ability to prove one’s skills as a hacker, embarrass the targeted website, and in some cases, to create a virtual soapbox for the advancement of causes, in a practice known as ‘hacktivism.’ Hacktivism may have played a part in a recent attack on the Indira Gandhi Center for Atomic Research webpage (http://www.attrition.org/mirror/attrition/2001/01/02/igcar.ernet.in/), which was hacked on January 2nd by a group calling itself G-Force Pakistan, who insisted that their attack was “proof” that India’s nuclear secrets weren’t secrets anymore.
All three of these attacks have become so common that there are programs floating around on the web that allow anyone – not just the great hackers – to perform these tasks at will. Mail-bomb programs rise and fall at various staging locations on the web, some lasting only a few hours before they are taken down, generally by the system administrators who run the server where the program is staged, or by the authorities in the localities where the server resides. (As of this writing, I found an auto-mail-bomb program written in Spanish, located at http://br.geocities.com/romney_rmc/pagina3link3.htm, but it may be gone by the time this story goes to press.) Mail-spoofing has also been automated – if you want to send mail to a friend from Colin.Powell@defense.mil informing him of his immediate draft into the armed forces, just aim your web browser at www.websendmail.com, where an automated mailer program will allow you to spoof away to your heart’s content.
This program, developed by a reputable programmer who wanted to have a way to send himself mail from anywhere, has become quite sophisticated, offering not only the ability to create the illusion of a mail coming from anyone, anywhere, but also allowing the sender to pin-point the day and time when the message will be sent. And even webpage defacements, which pose a serious public-relations problem for those who’ve been attacked, are becoming easier for anyone with an idea and an agenda to accomplish. As a hack, the obstacle in defacing a webpage involves gaining “root access” on the targeted machine’s web server so that the hacker has the ability to alter the source code of the website home-page. Recently, however, it was reported in ZDNet (http://www.zdnet.co.uk/news/2001/0/ns-19959.html) that there’s a cracker in the UK named “Evil Angelica” who’s offering his defacement services to those who want to embarrass a site but lack the skills – or the cojones – to do it themselves.
“Are you too brainless to hack a website?” taunted the cracker in a Christmas defacement. “Scared the feds might catch you? Would you like to be the envy of all your friends? Would you like to be an l33t h4x0r [elite hacker]? Design a cool web defacement, using your own name or group, zip it up with all the images and send it to me.”
But without a doubt, the most serious hacking is a denial-of-service attack. The point of a denial-of-service attack is to “disconnect” a networked machine from the Internet from a vantage point beyond the physical network. It’s similar to switching off a light in Bangor, Maine from San Francisco, California. One would think that there shouldn’t be any way you could reach into the proper circuitry to kill the Maine light connection, but in a networked world, there are connections to all computers on that network – whether the machines are located in the same room or separated by thousands of miles of physical distance. With the right skills and patience, a hacker using their computer can actually reach your computer and turn it off so that it’s no longer able to connect to the Internet. Personal users are not all that likely to be the victims of such an attack, since most home computers never actually connect to the Internet, and are “virtually connected” through a host server such as AOL or a local ISP (Internet service provider). But for businesses, governments, and other agencies who have their servers connected directly to the Internet, the denial-of-service attack can mean the difference between a successful day online and a complete disaster.
During the week of February 7, 2000, in an eerily timed blitz of prominent online businesses, hackers managed to launch effective denial-of-service attacks on Amazon.com, eBay, E*Trade, and Yahoo! Though none of these attacks lasted more than a few hours, the result for each was a loss of business and services to customers, as well as the public-relations nightmare – and sometimes stock price drop – that can result following a successful denial-of-service attack.
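Mail-bombing (described earlier in this section) and the flood-style denial-of-service attack just described look the same from the receiving machine’s side: far more events from one source in a short window than any legitimate client would produce. The following added example, which is not from the original article, parses a constructed connection log and flags sources that exceed a threshold inside a sliding time window. The log format, the addresses and the default thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (not from any real firewall): ISO timestamp, source
# address, destination address, destination port, one line per new connection.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, port), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m.group("ts")), m.group("src"),
            m.group("dst"), int(m.group("dpt")))


def find_floods(lines, window_seconds=10, threshold=100):
    """Sources whose connection count inside a sliding window exceeds threshold.

    Returns {src: peak_count}. Lines must be in time order; a deque per source
    keeps only the timestamps still inside the current window.
    """
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the scan
        ts, src, _, _ = parsed
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            offenders[src] = max(offenders.get(src, 0), len(q))
    return offenders


def build_sample_log():
    """Constructed sample: three ordinary clients connect every ten seconds for
    two minutes while one source opens 300 connections inside five seconds."""
    base = datetime(2000, 2, 7, 10, 15, 0)
    events = []
    for n, client in enumerate(("192.0.2.10", "192.0.2.11", "192.0.2.12")):
        for i in range(12):
            events.append((base + timedelta(seconds=10 * i + n), client))
    for i in range(300):
        events.append((base + timedelta(seconds=30 + i / 60), "203.0.113.5"))
    events.sort()
    return ["%s src=%s dst=192.0.2.1 dpt=80" % (ts.isoformat(), src)
            for ts, src in events]


if __name__ == "__main__":
    for src, peak in find_floods(build_sample_log()).items():
        print("flood from %s: %d connections in a 10 s window" % (src, peak))
```

Per-source counting catches a single flooding machine or a mail-bomb from one relay, but it is blind to the distributed form used against the sites named above, where each of many sources stays under the threshold; for that, the same window logic has to be run over the aggregate rate as well, and the answer is usually upstream filtering rather than anything the victim host can do alone.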
Of all the crimes associated with hacking, denial-of-service attacks pose the most serious risks to computers on the Internet, and also come with the heftiest punishments under the National Information Infrastructure Protection Act of 1996, which made denial-of-service attacks a federal crime punishable by years in prison.
Jason Maltzen is a 29-year-old former hacker now gainfully employed as a programmer for Origin software, where he works on network security issues for a popular online role-playing fantasy game called Ultima. “A denial-of-service attack is a fairly complex hack,” said Maltzen, “involving a lot of strategy and planning, both to gain the proper access to a number of different machines, in order to avoid detection, and knowing exploits in all the machines along the chain so that you can gain access to them in order to attack your real target with a reasonable margin of error that you won’t get caught.”
“Exploits” is a common term within the hacking community, synonymous with the “holes” that security experts “patch” once they are discovered.
“The first step,” according to Maltzen, “is generally to ‘own’ a staging point that doesn’t point directly back to you. Using your own ISP dialup is generally a bad idea, because the connection can be traced back to you fairly quickly and easily. So, the trick is to find a good, relatively quiet, insecure machine, often at a university or overseas site where they’re generally not as security-conscious as American corporate sites, and are thus less likely to notice modified logs, and more likely to have older software with well-known exploits installed, which makes them easier to break into.”
Depending on the target and personal paranoia, hackers will frequently find themselves a whole chain of such machines. As Maltzen pointed out, the advantage in using outdated machines is that many of them contain “known exploits” (or holes) that can easily be entered through.
The advantage of using computers in foreign countries is that tracking back through the chain would have to involve cooperation from authorities in those countries.
“Because these machines are connected to the Internet and offer services and accept network connections as a part of their functionality of being on the Internet, it’s possible to scan the services running on your target machine, using a program like SATAN,” continued Maltzen. “If the system administrator hasn’t kept up to date with the latest software releases, odds are it’ll be running something for which there’s a canned exploit. Even if they have, it’s possible there’s a new exploit for some service that hasn’t become public knowledge yet. Barring that, you’ll have to find a new exploit of your own, target a different but possibly trusted host at the same site (from which you could either gain access to the actual target, or at least potentially sniff a few passwords off their network), or work on some social engineering skills to obtain the proper passwords.”
Social engineering is an old hacker term which refers to the art of calling up people who are directly involved with the maintenance of the machine in question and, through questions, figuring out a way to con the passwords out of them. This might be as simple a con as posing as a service technician or an employee of the company who has simply forgotten a password. Oddly enough, though this is an old trick, it can still work, particularly if new personnel have been installed and aren’t yet aware of the ruse.
“Finding a new exploit is fairly tricky, and involves understanding the structure of the operating system software that the machine is running on, along with what other software and versions (web server, mail server, etc.) they have. At that point, you’re looking for bugs in the software – places where the size of a buffer isn’t checked and can be caused to overflow based on input from the network, places where it doesn’t check environment variables, and can be made to build one that will execute arbitrary shell commands, that sort of thing.”
“Usually, it doesn’t get as far as the last step, because at some point, someone ends up doing that work to make the canned exploits. Then it’s just a question of asking around to find the right exploit.”
“When you’re dealing with kids who are just trying to explore the system, these system intrusions can be helpful, to a degree, because they educate both the (generally) young intruder as to how things fit together, and they definitely educate the system administrators whose systems are getting hacked. Of course, this form of system intrusion can also be used in corporate espionage as well, to hack in and steal source code, copy all email to/from the CEO to an outside account, etc.”
Kinds of Hackers (side-bar)
Hacker: A person who shows skill and aptitude at programmable systems such as computers, and enjoys the values of advanced problem solving. Most hackers get extremely annoyed when you tell them that people who break into OPM (Other People’s Machines) are hackers. You will be told that they are crackers.
Cracker: Not a term that everyone is satisfied with, “cracker” is the politically correct term for a hacker who breaks into OPM or networks and steals or does malicious things to data.
Phone Phreak: One who cracks the phone system to get free phone calls. Before the push-button phone, phreaking was actually something of a science, and through the use of black boxes, blue boxes, and other elegant electronic constructions, phone phreaks could make a thing of beauty and also get free phone service. Now, most phone phreaking means stealing phone card numbers or something similarly unethical, and thus is frowned upon.
Script Kiddie: Lowest form of life. A script kiddie is a cracker who knows just enough about computers to know how to find the “scripted” hacks and execute them. Basically, people who want to do damage but won’t even learn enough to do it themselves.
Source: The Jargon File, online at http://www.tuxedo.org/~esr/jargon/
The Hacker Press (side-bar)
Though many hackers begin their careers alone in their bedrooms trying to figure out how things work, they are quickly and easily in touch with a global network of their peers, through IRC channels, bulletin boards, listservs, and ‘zines dedicated to their trade and exploits. While each resource has its own angle for covering the news of the hacking community, many take great pains to note that the information they offer is meant to serve in an informational capacity, and that ‘responsible’ hackers should not use network information to attack and destroy Other People’s Machines and Networks.

attrition.org: Attrition is one of the largest mirror-archives of web defacements on the Internet. In fact, attrition is generally the first to know when a site has been defaced, since it’s part of their mission to “record” each defacement using web-snapshot software before the hack has been discovered and the original page restored.

The Hacker News Network: A daily e-paper maintained at www.hackernews.com, HNN reports on major hacks, new exploits, and on-going open-source software projects. Lead articles included a query on how long it will take for someone to break the authentication protocol on the Palm Pilot’s proposed new infrared payment system.

happyhacker.org: The entry page for The Happy Hacker opens with a chilling quote from Frank G. Cilluffo, Director of the Task Force on Information Warfare & Information Assurance: “By 2002, approximately 19 million people worldwide will have the skills to mount a cyber attack,” followed by the question “Where will you stand in this war?” and three links: Defender, Computer Criminal, and Bystander. The Defender link leads you to information about fighting computer crime. The Criminal link leads you to a page about the jail penalties for computer crime. The Bystander link takes you to AOL’s home-page. A fun and informative site about how to hack and why you shouldn’t, The Happy Hacker shows that not all hackers are in the game for malicious tricks.

kuro5hin.org: (pronounced “corrosion”) Kuro5hin functions as a ‘general interest’ magazine of the art and culture of technology. Taking its cues from open-source software development, Kuro5hin’s editorial model is “open-source” journalism, meaning that most of the news generated is written by the users and readers. It slants heavily towards technical ideas and stories.

slashdot.org: Billing itself as “news for nerds,” slashdot is a news and information resource for people interested in the Linux operating system. Updated daily, slashdot’s angle leans heavily on the power and wonder of open-source software projects, as well as nitty-gritty technical articles with such titles as “Synching Motorola TimePort w/ Linux PIMs.”

2600.org: Backed by a print magazine called 2600 Quarterly, and edited by Emmanuel Goldstein, 2600 is one of the oldest phone phreak and hacker ‘zines still in existence. Published since 1984, 2600 Quarterly covers hacking from a technical perspective and also offers features about busts, ongoing court cases, and the philosophical ramifications of hacking.
1) talk to security people and figure out their concerns about security issues. (this would establish an outline to the kinds of problems that we see, in both government and business.)
Chris Goggans is a network security expert in Virginia. A former hacker, Goggans went straight when: (okay – now: interview him as you would anyone else. Find out about HIM first – tell me about yourself, and then figure out what his spiel is.) Ask him directly: what are the major threats to business computers? What are the kinds of threats that the government is facing? Mention the Art Money scenario and see what he says.
In both government and business, the question of what to do when your network gets attacked.
Different kinds of hackers: white hat + black hat + hacker vs. crackers + script kiddies. Define the difference between hackers and crackers, hackers and script kiddies. Discuss methodologies/tools of all.
“There are lots of sophisticated adversaries out there.”
“…why we won’t identify a group or specific intruder, because we wouldn’t want them to know we’re on to them, or to divulge our methodology of detection. We feel that any threat to our military networks is a threat to our national security. As technology increases, there will be an increasing number of attacks. The JTF-CND exists to ensure that we have preparedness in the event that there are any would-be attackers coming into play.”
‘Information assurance’ is part of our job.
Most national security ‘secrets’ are on stand-alone machines, that aren’t connected to the Internet. Or in people’s heads. Encryption, detection, firewalls, security, authentication.
J-WID: Joint-Warrior Interoperability Demonstration, where we invite industry to come demonstrate new and emerging technologies that could be used in a fighting situation. We select the best of those for rapid fielding. We’ve taken the initiative to find the tools. We’re doing this again in July. Rapid acquisition program. The two golden nuggets: Silent Runner – it’s a network security visualization tool that images information that can be used to visualize… Digital forensics tool. Passive. Patrol – A performance moderation tool. Real-time problem notification. In San Diego. Or Suffolk, Va. – Joint Warfare Battle Center. That’s happening right now.
Three categories: Unclassified, secret, top secret: All top secret information is compartmentalized. It’s not available to just anybody. Not only do you need to be involved, you have to have a demonstrated “need to know.” We do not place top secret information on open networks.
One of the areas that we’re working is computer network defense. One of the realms we’re just beginning to explore is computer network attack. Trained personnel are one of the biggest challenges we face – as soon as we train ‘em, they go elsewhere for better money.
The Clinton administration has been embarrassed in the past few years by several high-profile computer security incidents. Nuclear scientist Wen Ho Lee, who was fired from Los Alamos National Laboratory, has agreed to plead guilty to one felony count of mishandling classified information.
Former CIA Director John Deutch is under investigation by the Justice Department for allegedly keeping sensitive information on a home computer that was vulnerable to infiltration.
The Business World
Governments aren’t the only ones concerned about cracker attacks. In the business world, a recent attack on Ebay underscored how even a potentially easy hack like mail-spoofing can cause damage to customer relationships, consumer confidence, and credit card information. In this particular attack,
At the Embarcadero Center in San Francisco, across the hallway from the
What concerns both government and business security experts ar important to note that most hackers are not crackers. In fact, according to the Hacker’s Dictionary, maintained online by uber-hacker Eric Raymond at www.tuxedo.org,
Ben Williamson, age 21, began hacking three years ago after an injury left him with a lot of time on his hands. Beginning at script-sites like (where?), the young Mac enthusiast began figuring out how the Internet actually worked on a machine-to-machine level, and began to learn tricks for circumventing the security at websites and hosting facilities through known exploits.
Over time, Williamson found a hacker gang to join – he wouldn’t reveal their name, but described how they met and how they’ve organized themselves.
Side-bar on famous hacker arrests:
1988: Robert Morris was the first hacker tried and convicted under the Federal Computer Fraud and Abuse Act of 1986, following his release of his “Internet worm,” a form of computer virus that crashed over 6000 computers across the Internet and earned Mr. Morris a $10,000 fine.
1988: Kevin Mitnick’s first arrest and conviction came when the notorious hacker was busted for breaking into the Digital Equipment Company’s computer network. Sentenced to a year in jail, Mitnick would later make headlines again in the ‘90s.
1990: Operation Sundevil was the name of an FBI-led BBS crackdown that resulted in computer hardware and software confiscations across the country. Among those caught in the dragnet were Steve Jackson Games of Austin, Texas, who published a fantasy role-playing game called “GURPS: Cyberpunk” which the FBI believed was a manual for computer crime. The First Amendment prevailed, ultimately, and the operation led to the formation of the Electronic Frontier Foundation, a political action group that keeps a watch on federal activity online.
1992: Mark Abene, a.k.a. Phiber Optik, was a founding member of the hacker gang Masters of Deception, whose arch-rivalry with the Legion of Doom led to a two-year “Hacker War” that ended in federal intervention and arrests. Abene spent a year in federal prison as a result.
1995: Kevin Mitnick was arrested again after a bizarre transcontinental chase that had the FBI after him for stealing 20,000 credit card numbers, and Japanese security expert (need his name) for breaking into his personal computer to steal cellular phone hacking tools. The Free Kevin ‘movement’ began when Mitnick was held in jail for over a year without bail. Mitnick pled guilty in April 1996 to illegal use of stolen cellular telephone numbers.

Hacktivism would make a great side-bar: http://discovery.com/area/technology/hackers/prehistory.html

While in the public mind, hacker frequently carries a negative connotation
Questions for security people: Same thing. Deal with them as people first. Then figure out what they know, what their spiel is.
We also want to know their views on government hacks, on the security of state secrets, etc. when a hacker from their community breaks into a government system and compromises it. Do they have a mixed allegiance, for instance, if a hacker from Russia or a Middle East terrorist organization breaks into a U.S. government system with malicious intent? Which identity – the hacker or the American – dominates in that case?
If any of them have participated in hacks against the government (either our own or a foreign government) that would be interesting to know, but we don’t want to exclude them if they haven’t done this.
We want an idea of where the dangerous groups are (do they congregate in a particular region or country?), and where we are headed in terms of hacking and security in general. Where do these kids see it heading? Where does the government see it heading?
- Need to find a nice dramatic break-in to lead off the story with. Preferably an under-reported one.
- Branch into the costs of hacking/cracking, both in toto and for the government.
- Come back to government-related attacks.
Deal directly with groups that target the government: Is any group or person out there actually actively targeting government machines? (need to ask this both in the underground and directly of the government…)
- Outline their structural grouping (if you can find anyone)
- Talk more with g-men
- Elucidate how “script kiddies” may pose an additional, ominous threat.
- What is the motivation for people to actually go after the government?
- Is it still every hacker kid’s dream to take down the Pentagon?
- What is the government doing about hackers trying to take down their networks?
- Why not just talk to former hackers who are now working for the government?
- punishments (who gets caught, what happens when they get caught.)
Punishments? (Who’s been caught, what happens to them?) Need to find out about punishments, what the official punishment is, what actually happens.
- F) Wrap up with a discussion about ethics…. What are the kinds of motivations a hacker has? (for the feeling of power, for the sake of politics, and to expose vulnerabilities.)
- “Arguments for and against the issue of ‘exposing vulnerabilities’” Yes, they expose vulnerabilities, but what’s the counter-argument as to how you could go about exposing vulnerabilities? (Chris Goggans, Lotus Notes guy.)
- What are their own ethics?
- c) What are the threats the unethical pose?
c) How ‘ill-formed ethics’ can create “little monsters” (in the case of script kiddies, say.)
Tone source: PC World on-line virus story:
Robyn would be perfect – get specific about what I want, then send him e-mail to gauge his interest.
Michael Vatis Assistant Director of the FBI, in charge of the NIPC (National Infrastructure Protection Center) To arrange interview, fax request to: Debbie Weierman at 202-324-6842, or call the press office at 202-324-3691 and ask for Steve Berry or Dave Felber.
Brian Snow Technical Director Information Systems Security Organization National Security Agency (NSA) Ft. Meade, MD 20755-6577 (Don’t have phone number for him)
Jessica Herrera (she helped prosecute David L. Smith) Trial Attorney Department of Justice Computer Crime and Intellectual Property 202-514-1026 or Richard Salgado Dept. of Justice
David Jerrell Director Federal Computer Incident Response Capability (FedCIRC) 202-708-5060
Chris Goggans former hacker, now security consultant with Security Design 703-354-8326
Steven M. Zaki Information Security Marketing Analyst New York Office 212-551-7966 Princeton Office 609-924-2900 ext. 107 Mobile 609-209-3008 email@example.com http://www.iconsinc.com
I do have an interesting source in NYC whose company specializes in creating Computer Emergency Response Teams for companies. His company also has some government contracts for these services, and he claims to have some interesting tales about not-well-known government security breaches, so that’s a good possibility.
Dark Tangent, (Jeff) organizer of DefCon. (at DefCon.org)
“Priest” – the ‘goon-handler’ at DefCon
Emmanuel Goldstein @2600.com
Veggie@cultdeadcow.com. Look up Peter Shipley in Berkeley, not sure if the spelling is correct (from James Curnow, trolling for sources two.)