Information Security News mailing list archives
What's the hat got to do with it? Setting the record straight on Chris Klaus and ISS
From: InfoSec News <isn () C4I ORG>
Date: Thu, 6 Jul 2000 02:35:57 -0500
A while back, June 8th 2000 to be exact, ISN posted an article called 'Linux security classes: ISS founder is a cracker in a white hat'

http://www.linuxworld.com/linuxworld/lw-2000-06/f_lw-06-iss.html

Which wrote of Chris Klaus' spin-doctored past, I'm amazed it took this long to set the facts straight... :)

William Knowles
wk () c4i org

http://www.linuxworld.com/linuxworld/lw-2000-07/lw-07-vcontrol_1.html

July 2000
By Joe Barr

It's time to eat crow again. No, this is not about failing the Linux Professional Institute's Level 1 System Admin certification exam a few weeks ago. Although I have received my test results (I failed, just as I expected), it's much worse than that. This week I'm eating crow because I didn't follow my gut instinct on a story I wrote about Linux security training a few weeks ago, and consequently portrayed Chris Klaus as wearing the wrong color of hat.

In the weeks since my piece on ISS Linux Security Training (see Resources), I've had a number of people give me the same basic, unyielding, irrefutable message: I got it all wrong about Klaus and ISS.

"All wrong" may even include trying to use white hats and black hats to categorize individuals in the phreaking/cracking community as either "good" or "evil." More than one reader wrote that if you are a part of the computer underworld, you are part of it, period. I can see where they are coming from. Illegal electronic breaking and entering or theft of services puts you in that world -- whether you do it for kicks, for money, or for malicious intent is a side issue.

This week, I am going to retrace the steps I took in researching the ISS piece and, wherever I can, show how I got it wrong. I'm not attempting to dodge responsibility for being wrong; I'm just trying to set the record straight now that I have more information.

Lo primero, primero

First things first.
I began my research of ISS and Chris Klaus comfortable in the knowledge that I would find, as is so often the case, that he had come over from the dark side to find respectability in the industry as a security expert, consultant, or advisor. But the small, poorly lit trail I found seemed to indicate just the opposite, and gradually my take on both ISS and Chris Klaus was reversed.

I tried to contact Klaus for the original story, but ISS told me he was in Peru and would be unavailable until the end of June. Instead, I spoke with Chris Rouland, who heads up the ISS X-Force security advisory team. When I asked him about Klaus' past -- what "elite" bulletin boards he might have hung out on, what his "nick" had been, etc. -- Rouland just laughed and said, "I don't really see him hanging out on elite bulletin boards." That planted the first doubt in my mind about my original hunch.

The conversation quickly turned away from Klaus' background, focusing instead on Rouland's work as director of X-Force. Rouland's deflection of my questions about Klaus probably should have triggered an alarm, but it didn't. Tom Noonan, CEO of ISS, said in a June 1999 U.S. News story on hackers (see Resources) that ISS "wouldn't hire anyone on the dark side." But at the time I didn't know of Noonan's remarks, and I certainly did not know that Chris Rouland had been on the dark side himself, known in the old days as "Mister Fusion."

Further research led me to a bio of Klaus indicating he had worked with government labs while still a high school student. That didn't sound like the kind of kid who would hang out on elite BBS systems either.

I also found an exchange of notes published in phrack between Klaus and "Erik Bloodaxe," then editor of the legendary zine, in which Klaus stated in no uncertain terms that he did not want the source code for his scanning tool (ISS) published there.
The next issue of phrack contained a satire by Klaus lampooning the language, mores, and ways of the underground.

The computer underworld

Originally, I read these attempts by Klaus to disassociate himself from the cracking/phreaking community as evidence of the purity of his soul. By now, I was so convinced that my original take on Klaus had been wrong, I wrote that he "appears to have always been on the side of the angels...didn't hang out on an 'elite' BBS...didn't sit on IRC and try to build a rep on #hack...."

The first hint of serious problems with my take on Klaus and ISS appeared only a day or so after the article was posted. I heard from well-known and widely-respected members of the "security" community telling me in no uncertain terms that I had been sold a bill of goods.

For example, Elias Levy, aka Aleph1, wrote, "If you think that ISS is not based on the notion of 'using a thief to catch a thief' you might want to find out for yourself where the last two editors of phrack worked instead of believing the corporate propaganda that they don't hire hackers."

One famous (but anonymous) name from one of the best-known hacker groups in the world wrote to say "#hack is where I first talked to him...he was in the hacker scene like anybody else in the hacker scene. I met Chris Klaus (kewp) at Summercon in Atlanta, and he sure wasn't talking about how he was a different breed of white-hat hacker then."

Given these kindly hints from the security community, I began to question more people to get at the truth about Chris Klaus, as well as ISS employees in general. My trip to San Diego for the USENIX conference proved to be a veritable gold mine of information.

I also contacted Chris Goggans (aka Erik Bloodaxe) and asked him what he remembered of Klaus' request not to publish the ISS code. Goggans told me he had found the request odd enough to publish it and his response in phrack. He also told me he later asked "kewp" on #hack what the note was all about.
Klaus told him they were going to IPO and thought it better not to have a close association with phrack. So much for my conclusions about Klaus not having hung on #hack to build a rep.

Da werd onna net

Several sources mentioned rumors that Klaus did not write ISS himself, but rather created it from the work of others. One source I met at USENIX told me to check that story with Peter Shipley, now director of labs at OneSecure, a firm specializing in Virtual Private Networks and security.

Shipley wrote the first Internet scanner, Netsweep, in 1988. He has been a part of both the dark side and the security communities for years, and often speaks about security at conferences like CFP (Computers, Freedom, Privacy). In fact, I met him here in Austin at CFP '98.

As I dug deeper to get beneath the corporate hype about how pure ISS and their employees are, I found that ISS is widely disliked. Perhaps this is a natural result of ISS providing defenses against "security tools" like Back Orifice from groups like cDc (the Cult of the Dead Cow). Perhaps not.

Peter Shipley is no exception to the rule; he explained to me up front why he doesn't like ISS. "Christopher Klaus took my exploits and took my tests and put them into his product," said Shipley. "And I actually got recognition for this...if you ran ISS until they IPO'd you actually saw my name. They removed my name when they IPO'd. I never saw a dime."

Anonymously, I heard similar stories involving a number of other individuals who saw their own code become the property of ISS. I was told that one individual who went to work for ISS (reDragon, more on him later) found his code already in their products.

Another story I heard from more than one source (but have not yet been able to confirm) is that a famous name from a famous security organization submitted an exploit to ISS.
Just days later, an ISS sales team visited the firm where, unbeknownst to the sales people, this person worked, and presented his own exploit to him as being an example of "ISS research."

Twist of fate

As I sat and enjoyed the food at the big reception and party at USENIX in San Diego, June 18-23, 2000, two other attendees sat down at my table. We introduced ourselves and I noticed they were both from Lawrence Livermore National Labs. I asked if that was the lab where Klaus had been an intern, and one of them replied that yes, it was. Not only that, Klaus had been in his department.

My original research had turned up a quote from Klaus explaining his first Internet use. Klaus said, "I was accepted for a high-school internship program at Lawrence Livermore National Labs, where I conducted research on network security vulnerabilities and technology that could automate security weakness detection."

Neal Mackanic, the man from LLNL, told a slightly different version of the tale. Mackanic told me, "Chris was selected by the governor of Florida to be part of a two-week supercomputing summer camp at LLNL in the National Energy Research Supercomputing Center (NERSC). It was after he attended this two weeks that he was caught hacking the student bulletin board system by one of the NERSC staff, Jim Morton. Morton encouraged Chris to use his talents for good, and that began our relationship with him and his ISS tool."

Another tip led me so far underground I found myself at a local Borders bookstore looking for a copy of Cybershock (Thunder's Mouth Press, 2000), by Winn Schwartau. On pages 321-322, ISS, Chris Klaus, and Chris Rouland are included in a general discussion of firms that "strongly advertise that they do not use hackers at all." It also points to Rouland's (Mr. Fusion, remember?) being "picked up" in 1990 and debriefed by Air Force OSI "cyber-cop" Jim Christy for breaking into the Pentagon.
It was finally clear to me that anyone with the slightest bit of real knowledge of Klaus and ISS (as opposed to your naive and gullible reporter) was aware that, contrary to the company's denials, ISS not only has a history of life on the dark side, but has hired and continues to hire blackhats.

I wasn't surprised when I heard ISS had hired a young man known as "reDragon," who was at the time the editor of phrack, just as Erik Bloodaxe had been when Klaus stated he didn't want the source code for ISS published there. Nor was I surprised when I heard reDragon allegedly found some of his own code in ISS products while working there. Nor when I heard that a "dirty" cracker that went by the names of "prym" and "pwindows" had recently worked for ISS.

But why all the bother?

Although I was no longer surprised, I was curious as to why ISS went to such trouble to create the deception regarding Klaus and company. At about the time of the IPO and Tom Noonan's debut as CEO, a major effort to distance ISS from the computer underground began -- so money obviously had something to do with it. But was it really necessary?

I spoke with Dr. Daniel Geer, president-elect of USENIX and CTO of Internet security firm @stake, while I was in San Diego. I asked him about @stake's recent acquisition of the L0pht, one of the best-known underground "security" organizations, whose membership is as legendary in the hacker community as the cDc's.

Geer replied that he thought people like me would be glad people like him were using people like them (the L0pht). And he's right. The blackhat community is the very best source of talent and expertise for firms doing serious Internet security.

So why would a firm like ISS be in denial about its own background and that of its employees? Perhaps the answer can be found by using its list of clients as tea leaves.
One ISS office is located in Reston, Va., between Dulles Airport and many of the federal intelligence agencies like the NSA, CIA, DIA, and so on. Perhaps in order to land some government contracts, an image of never having sinned must be maintained -- or, as in the case of ISS, at least claimed.

But why would a federal agency require such disclaimers in a contract when they know better than most that blackhats are the experts? Because, gentle readers, there are special operations in some agencies that definitely qualify as blackhat by nature. To paraphrase a classic line from a movie, "Would you like to play Global Information Warfare?"

What do you think? Do I finally have ISS sized up correctly? Do you have theories about whether or not Internet security firms should use blackhats? Or given that they do, that they should confirm or deny that fact? Let me know. Obviously, I've still got a lot to learn.

About the author

Joe Barr is a contributing editor at LinuxWorld and a recovering programmer. In addition to writing for LinuxWorld and The Dweebspeak Primer, he is currently working with Nicholas Petreley on a Linux documentation project called The Essential Linux Open Book. Visit Joe's Linux Desktop discussion in the new Linux Forum, hosted on ITworld.com.

joe.barr () linuxworld com

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".