Information Security News mailing list archives

What's the hat got to do with it? Setting the record straight on Chris Klaus and ISS


From: InfoSec News <isn () C4I ORG>
Date: Thu, 6 Jul 2000 02:35:57 -0500

A while back, June 8th 2000 to be exact, ISN posted an article called
'Linux security classes: ISS founder is a cracker in a white hat'

http://www.linuxworld.com/linuxworld/lw-2000-06/f_lw-06-iss.html

Which wrote of Chris Klaus' spin-doctored past. I'm amazed it took
this long to set the facts straight... :)

William Knowles
wk () c4i org



http://www.linuxworld.com/linuxworld/lw-2000-07/lw-07-vcontrol_1.html

July 2000

By Joe Barr

It's time to eat crow again. No, this is not about failing the Linux
Professional Institute's Level 1 System Admin certification exam a few
weeks ago. Although I have received my test results (I failed, just as
I expected), it's much worse than that.

This week I'm eating crow because I didn't follow my gut instinct on a
story I wrote about Linux security training a few weeks ago, and
consequently portrayed Chris Klaus as wearing the wrong color of hat.
In the weeks since my piece on ISS Linux Security Training (see
Resources), I've had a number of people give me the same basic,
unyielding, irrefutable message: I got it all wrong about Klaus and
ISS.

"All wrong" may even include trying to use white hats and black hats
to categorize individuals in the phreaking/cracking community as
either "good" or "evil." More than one reader wrote that if you are a
part of the computer underworld, you are part of it, period. I can see
where they are coming from. Illegal electronic breaking and entering
or theft of services puts you in that world -- whether you do it for
kicks, for money, or for malicious intent is a side issue.

This week, I am going to retrace the steps I took in researching the
ISS piece and, wherever I can, show how I got it wrong. I'm not
attempting to dodge responsibility for being wrong; I'm just trying to
set the record straight now that I have more information.

Lo primero, primero

First things first. I began my research of ISS and Chris Klaus
comfortable in the knowledge that I would find, as is so often the
case, that he had come over from the dark side to find respectability
in the industry as a security expert, consultant, or advisor. But the
small, poorly lit trail I found seemed to indicate just the opposite,
and gradually my take on both ISS and Chris Klaus was reversed.

I tried to contact Klaus for the original story, but ISS told me he
was in Peru and would be unavailable until the end of June. Instead, I
spoke with Chris Rouland, who heads up the ISS X-Force security
advisory team. When I asked him about Klaus' past -- what "elite"
bulletin boards he might have hung out on, what his "nick" had been,
etc. -- Rouland just laughed and said, "I don't really see him hanging
out on elite bulletin boards." That planted the first doubt in my mind
about my original hunch. The conversation quickly turned away from
Klaus' background, focusing instead on Rouland's work as director of
X-Force.

Rouland's deflection of my questions about Klaus probably should have
triggered an alarm, but it didn't. Tom Noonan, CEO of ISS, said in a
June 1999 U.S. News story on hackers (see Resources) that ISS
"wouldn't hire anyone on the dark side." But at the time I didn't know
of Noonan's remarks, and I certainly did not know that Chris Rouland
had been on the dark side himself, known in the old days as "Mister
Fusion."

Further research led me to a bio of Klaus indicating he had worked
with government labs while still a high school student. That didn't
sound like the kind of kid who would hang out on elite BBS systems
either. I also found an exchange of notes published in phrack between
Klaus and "Erik Bloodaxe," then editor of the legendary zine, in which
Klaus stated in no uncertain terms that he did not want the source
code for his scanning tool (ISS) published there. The next issue of
phrack contained a satire by Klaus lampooning the language, mores, and
ways of the underground.

The computer underworld

Originally, I read these attempts by Klaus to disassociate himself
from the cracking/phreaking community as evidence of the purity of his
soul. By now, I was so convinced that my original take on Klaus had
been wrong, I wrote that he "appears to have always been on the side
of the angels...didn't hang out on an 'elite' BBS...didn't sit on IRC
and try to build a rep on #hack...."

The first hint of serious problems with my take on Klaus and ISS
appeared only a day or so after the article was posted. I heard from
well-known and widely-respected members of the "security" community
telling me in no uncertain terms that I had been sold a bill of goods.
For example, Elias Levy, aka Aleph1, wrote, "If you think that ISS is
not based on the notion of 'using a thief to catch a thief' you might
want to find out for yourself where the last two editors of phrack
worked instead of believing the corporate propaganda that they don't
hire hackers."

One famous (but anonymous) name from one of the best-known hacker
groups in the world wrote to say "#hack is where I first talked to
him...he was in the hacker scene like anybody else in the hacker
scene. I met Chris Klaus (kewp) at Summercon in Atlanta, and he sure
wasn't talking about how he was a different breed of white-hat hacker
then."

Given these kindly hints from the security community, I began to
question more people to get at the truth about Chris Klaus, as well as
ISS employees in general. My trip to San Diego for the USENIX
conference proved to be a veritable gold mine of information.

I also contacted Chris Goggans (aka Erik Bloodaxe) and asked him what
he remembered of Klaus' request not to publish the ISS code. Goggans
told me he had found the request odd enough to publish it and his
response in phrack. He also told me he later asked "kewp" on #hack
what the note was all about. Klaus told him they were going to IPO and
thought it better not to have a close association with phrack. So much
for my conclusions about Klaus not having hung on #hack to build a
rep.

Da werd onna net

Several sources mentioned rumors that Klaus did not write ISS himself,
but rather created it from the work of others. One source I met at
USENIX told me to check that story with Peter Shipley, now director of
labs at OneSecure, a firm specializing in Virtual Private Networks and
security.

Shipley wrote the first Internet scanner, Netsweep, in 1988. He has
been a part of both the dark side and the security communities for
years, and often speaks about security at conferences like CFP
(Computers, Freedom, Privacy). In fact, I met him here in Austin at
CFP '98.

As I dug deeper to get beneath the corporate hype about how pure ISS
and their employees are, I found that ISS is widely disliked. Perhaps
this is a natural result of ISS providing defenses against "security
tools" like Back Orifice from groups like cDc (the Cult of the Dead
Cow). Perhaps not.

Peter Shipley is no exception to the rule; he explained to me up front
why he doesn't like ISS. "Christopher Klaus took my exploits and took
my tests and put them into his product," said Shipley. "And I actually
got recognition for this...if you ran ISS until they IPO'd you
actually saw my name. They removed my name when they IPO'd. I never
saw a dime."

Anonymously, I heard similar stories involving a number of other
individuals who saw their own code become the property of ISS. I was
told that one individual went to work for ISS (reDragon, more on
him later) and found his code already in their products.

Another story I heard from more than one source (but have not yet been
able to confirm) is that a famous name from a famous security
organization submitted an exploit to ISS. Just days later, an ISS
sales team visited the firm where, unbeknownst to the sales people,
this person worked, and presented his own exploit to him as being an
example of "ISS research."

Twist of fate

As I sat and enjoyed the food at the big reception and party at USENIX
in San Diego, June 18-23, 2000, two other attendees sat down at my
table. We introduced ourselves and I noticed they were both from
Lawrence Livermore National Labs. I asked if that was the lab where
Klaus had been an intern, and one of them replied that yes, it was.
Not only that, Klaus had been in his department.

My original research had turned up a quote from Klaus explaining his
first Internet use. Klaus said, "I was accepted for a high-school
internship program at Lawrence Livermore National Labs, where I
conducted research on network security vulnerabilities and technology
that could automate security weakness detection."

Neal Mackanic, the man from LLNL, told a slightly different version of
the tale. Mackanic told me, "Chris was selected by the governor of
Florida to be part of a two-week supercomputing summer camp at LLNL in
the National Energy Research Supercomputing Center (NERSC). It was
after he attended this two weeks that he was caught hacking the
student bulletin board system by one of the NERSC staff, Jim Morton.
Morton encouraged Chris to use his talents for good, and that began
our relationship with him and his ISS tool."

Another tip led me so far underground I found myself at a local
Borders bookstore looking for a copy of Cybershock (Thunder's Mouth
Press, 2000), by Winn Schwartau. On pages 321-322, ISS, Chris Klaus,
and Chris Rouland are included in a general discussion of firms that
"strongly advertise that they do not use hackers at all." It also
points to Rouland's (Mr. Fusion, remember?) being "picked up" in 1990
and debriefed by Air Force OSI "cyber-cop" Jim Christy for breaking
into the Pentagon.

It was finally clear to me that anyone with the slightest bit of real
knowledge of Klaus and ISS (as opposed to your naive and gullible
reporter) was aware that, contrary to the company's denials, ISS not
only has a history of life on the dark side, but has hired and
continues to hire blackhats.

I wasn't surprised when I heard ISS had hired a young man known as
"reDragon," who was at the time the editor of phrack, just as Erik
Bloodaxe had been when Klaus stated he didn't want the source code for
ISS published there. Nor was I surprised when I heard reDragon
allegedly found some of his own code in ISS products while working
there. Nor when I heard that a "dirty" cracker that went by the names
of "prym" and "pwindows" had recently worked for ISS.

But why all the bother?

Although I was no longer surprised, I was curious as to why ISS went
to such trouble to create the deception regarding Klaus and company.
At about the time of the IPO and Tom Noonan's debut as CEO, a major
effort to distance ISS from the computer underground began -- so money
obviously had something to do with it. But was it really necessary?

I spoke with Dr. Daniel Geer, president-elect of USENIX and CTO of
Internet security firm @stake, while I was in San Diego. I asked him
about @stake's recent acquisition of the L0pht, one of the best-known
underground "security" organizations, whose membership is as legendary
in the hacker community as the cDc's. Geer replied that he thought
people like me would be glad people like him were using people like
them (the L0pht).

And he's right. The blackhat community is the very best source of
talent and expertise for firms doing serious Internet security. So why
would a firm like ISS be in denial about its own background and that
of its employees? Perhaps the answer can be found by using its list of
clients as tea leaves.

One ISS office is located in Reston, Va., between Dulles Airport and
many of the federal intelligence agencies like the NSA, CIA, DIA, and
so on. Perhaps in order to land some government contracts, an image of
never having sinned must be maintained -- or, as in the case of ISS,
at least claimed. But why would a federal agency require such
disclaimers in a contract when they know better than most that
blackhats are the experts? Because, gentle readers, there are special
operations in some agencies that definitely qualify as blackhat by
nature. To paraphrase a classic line from a movie, "Would you like to
play Global Information Warfare?"

What do you think? Do I finally have ISS sized up correctly? Do you
have theories about whether or not Internet security firms should use
blackhats? Or given that they do, that they should confirm or deny
that fact? Let me know. Obviously, I've still got a lot to learn.

About the author

Joe Barr is a contributing editor at LinuxWorld and a recovering
programmer. In addition to writing for LinuxWorld and The Dweebspeak
Primer, he is currently working with Nicholas Petreley on a Linux
documentation project called The Essential Linux Open Book. Visit
Joe's Linux Desktop discussion in the new Linux Forum, hosted on
ITworld.com.

joe.barr () linuxworld com

ISN is hosted by SecurityFocus.com