Information Security News mailing list archives

Unix Security -- HOPE 2000


From: William Knowles <wk () C4I ORG>
Date: Fri, 21 Jul 2000 04:57:25 -0500

*********************************************************************
HOPE 2000 (H2K)
by Carole Fennelly

I finally attended my first "hackers" convention this past weekend in
NYC, HOPE 2000. Well, that's not exactly true. I only allocated one
day (Friday) for the con since I had tons of other work to catch up on
and, frankly, I didn't expect much. I was, however, looking forward to
meeting up with some friends and I hoped that I could at least settle
that burning question:  "What is a hacker?".

I had company -- my partner, Jon Klein, and our summer intern,
Thaylin.  We also met up with Brian Martin (Jericho), founder of
Attrition.org (home of the definitive Web defacement mirror).

Scott Blake, who recruits and manages hackers for Bindview, presented
the first scheduled talk:  "Selling Out: The Pros and Cons of Working
for 'The Man'". Unfortunately, I missed the first half, which Brian
tells me offered some useful advice for people unfamiliar with
corporate life. Scott apparently made some good points about
non-disclosure agreements and contracts -- information anyone entering
the industry should possess. I wish someone had warned me when I started
out. Another valuable piece of advice:  Don't lie! If you have a past
that is likely to catch up with you, be up-front about it.

Scott also advised the audience to be in control of the interview
since it is *their* skills which are in demand. I really didn't think
it necessary, nor advisable, to feed their already-inflated egos. A
major point that I disagreed with though, was the motivation for
"selling out":  Money. While it certainly is a factor, a person with
little job experience should look beyond the instant gratification and
consider the type of experience they will gain. Yes, it all comes down
to money eventually, but the real payoff may be further down the road.

Overall, it was a good presentation for the newcomer to corporate
life.

High School Horror Tales
This had the potential of being a good panel discussion, but --
featuring four high school kids complaining that their teachers and
school administrators pick on them -- it missed. Deal with it and quit
whining. I'm sure there are real horror stories, such as kids getting
suspended or prosecuted by an ignorant administration; but, they
seemed to consider adults the enemy -- too bad since only adults can
fix the problem. However, audience members made some good points, and
were, in fact, more interesting than the speakers. I see the same
problem with high school technology programs that plagues the entire IT
industry -- not enough qualified people. Is a technically competent IT
professional really going to teach in a high school for a fraction of
the pay they would get at an industry job?

MTV:  How Did it Happen?
For those lucky people who never saw it, MTV produced a special last
year titled "True Life: I'm a Hacker". Unfortunately, I did sit
through it and it was truly awful -- take my word for it:

http://www.projectgamma.com/news/archive/1999/october/102999-0323.shtml

http://www.2600.com/news/1999/1019.html

This panel discussion, led by Weld Pond (@Stake) and TommEE pickles
(ex-MTV employee), debated where MTV went wrong. The general consensus
seemed to blame the media for portraying hackers in such a negative
light. I'm sorry, but some of the people who participated in the
special -- namely Mantis and Shamrock -- did their level best to live
down to the stereotype.  Case-in-point:  Mantis demonstrated his elite
hacking skills by downloading a copy of "The Matrix". Oh, yeah - that
makes you a hacker all right.

It seems to escape many hackers that they are largely responsible for
the negative image given to them. Don't blame the media for buying
into the garbage you feed them.

Hactivism -- Terrorism or a New Hope?
Basically, this was a left-wing, liberal diatribe that the Internet
should be free for everyone and that companies should be forced to
share their resources with the less fortunate. A political activist
and street demonstrator, ShapeShifter, just found a new medium to
disrupt. The Internet should be free to everyone! Corporations are the
enemy! Disrupt them in any way possible to "get the message out"!  A
BBC reporter commented to me, "How do they [the hackers] expect us to
get it right when this is what they serve up to us?" DoS attacks
cannot be focussed, and often affect the less fortunate people more
than the big corporations.

The Legal Panel/DeCSS and DMCA
This panel focussed, primarily, on the legal battle between 2600
magazine and the MPAA. If you weren't already aware of the issues,
this panel provided little enlightenment. The impression I got was
that 2600's defense strategy for making DeCSS source available was to
claim it is a free speech issue. It sounded like they were looking for
a loophole, which doesn't help to win supporters. The DeCSS issue is a
serious one, but it looks like yet another "Free Kevin" campaign for
2600.  Bryan Pfaffenberger wrote a good article on this topic for
Linux Journal:

http://www2.linuxjournal.com/articles/currents/016.html

Becoming the Media -- How the Web Is Changing Everything
Space Rogue (founder of HNN and former member of L0pht) and Macki
(webmaster of 2600) led an informal discussion about online
journalism.  I found this discussion of particular interest and
enjoyed participating along with Kevin Poulsen (editorial director of
SecurityFocus) and other media writers. An Australian audience member
brought up a point that I hear often:  Writers tend to focus on
American issues and forget that their audience is world-wide.

Cracking the Hacker Myth:  A Scientific Study to Find the Real Story
I had been bugging Brian Martin all day to share some of his amusing and
cutting observations with the audience at large. When he finally did
in this presentation, I missed it. Later, at the bar, I asked him
about it after several people commented on his participation and
referred to an absurd survey that he challenged. Brian remarked:

  "There are no accurate statistics or studies about hackers, so this
  noble group is stepping forward to spend their own money to do just
  that. Spending their own money to attend conferences and conduct
  surveys, they are researchers and scientists so they will get it
  right. When asked how many people would be involved in the survey,
  and more importantly how they qualified their participants as
  hackers, the best they could come up with as an 'answer' was a
  couple more minutes of meaningless babble that did not even begin to
  answer my questions. Oh, did I mention they are spending their own
  money to foot the bill of this project?"

Wrap-up at the Bar
Most "professional" conferences are focussed on the talks and
presenters. They get on stage, present material and field questions.
End of story. H2K was a bit different.  People from the audience lined
up at microphones to add their opinions and observations to the topic
at hand.  Often (especially in the case of the high school kids), the
audience speakers were far more intelligent and entertaining than the
scheduled speakers. A reporter sitting next to us commented that she
learned more from sitting with us at the bar than from the speakers.

So, what did I learn from my one day at a hacker con? Well, I learned
that trying to define "hacker" is like trying to define "real" rock
music. Everyone has their own perception of a "pure" definition. While
I think disco and rap were an evil plot by aliens, there are people
who consider them a form of rock music. To each his own, I suppose.

Hackers have been labeled "criminals", "activists", "pranksters",
"geniuses", "subversives" and "innovators", to name just a few. Which
is the correct label? Shuffle the deck and pick one. Chances are,
it'll fit someone at a hacker con.

Would I go to another hacker con? Absolutely -- and next time, I'll
plan to stay longer. Oh, not for the talks. With a few notable
exceptions, they were quite disappointing but I really enjoyed the
offline discussions with people who think "out-of-the-box". Then
again, I only spoke to the type of people that I would enjoy speaking
to but I guess that's the definition of "hacker" that fits -- the one
you seek.


Resources

A matter of degrees
Let the punishment fit the crime.
http://www.linuxworld.com/linuxworld/lw-2000-03/lw-03-devnul_3.html

Judge silences Websites in Linux DVD 'hack' case
Free speech or piracy?
http://www.linuxworld.com/linuxworld/lw-2000-01/lw-01-dvd.html

Protest draws attention to DMCA
The movement against the Digital Millennium Copyright Act is just
beginning.
http://www.linuxworld.com/linuxworld/lw-2000-03/lw-03-dmca.html

ZDNet reviews Jello Biafra's Keynote at H2K
http://www.zdtv.com/zdtv/cybercrime/hackingandsecurity/story/1,9955,2598712,00.html

Why Hactivism doesn't work
http://www.zdtv.com/zdtv/cybercrime/spyfiles/story/0,9955,2000164,00.html

Brock Meeks H2K wrap-up (MSNBC)
http://www.msnbc.com/news/435153.asp

Why DefCon Beats H2K (ZDNet)
http://www.zdnet.com/zdnn/stories/comment/0,5859,2604580,00.html

************************************************************************

About the author
----------------
Carole Fennelly is a partner in Wizard's Keys Corporation, a company
specializing in computer security consulting. She has been a Unix
system administrator for almost 20 years on various platforms, and
provides security consultation to several financial institutions in
the New York City area. She is also a regular columnist for SunWorld
(http://www.sunworld.com). Visit her site (http://www.wkeys.com/) or
reach her at carole.fennelly () sunworld com

*********************************************************************

http://www.itworld.com

ISN is hosted by SecurityFocus.com