Desirable Undesirables

[William Knowles <wk () c4i org>]

http://www.business2.com/magazine/2001/06/desirable_undesirables.htm

Brendan I. Koerner 06/12/2001 issue 

"last night, I stayed up until 6 o'clock figuring out how to do this,"
says Riley "Caezar" Eller, a slender and bookish 27-year-old.
Scribbling furiously on a dry-erase board covered with boxy diagrams
representing a pair of networked computers, Eller maps out a novel
cyberattack-a method of disabling a supposedly impregnable system with
a few clever lines of code. His listeners nod each step of the way,
occasionally grunting their approval. When the presentation is over
and the imaginary defenses have all been surmounted, they break into
polite applause.

Such demonstrations are part of the standard curriculum at the major
security consultancies. But Eller isn't giving this lecture in a
sterile conference room at PricewaterhouseCoopers or Deloitte &
Touche. The setting is a subterranean hideout that closely resembles a
frat house, complete with lava lamps and a rickety bar that reeks of
week-old spilled Smirnoff. His cohorts-sworn enemies of office
cubicles and Brooks Brothers suits-are members of an invite-only group
of ace programmers, cryptography enthusiasts, and hardware wizards.
Their think tank-cum-social club is known as the Ghetto Hackers.

They're a brash, fun-loving lot who revel in their notoriety as
two-time champions of Capture the Flag, the Daytona 500 of the
computer underground. They also enjoy a measure of renown as hosts of
a celebrated bacchanal-a combination trivia contest and Animal
House-style beer blast-at Def Con, the annual hacker convention. In
their civilian lives, however, these self-taught technophiles make a
mint locking down servers and designing hard-to-crack networks.

Publicly, Corporate America expresses nothing but scorn for the
denizens of this wired-world counterculture. Yet the Ghetto Hackers
and their ilk are coveted-if controversial-players in the battle
against cybercrime. While most of the major security firms insist on a
hacker-free work force, even flaunting their purity in sales pitches,
a host of smaller shops are scrambling to enlist the assistance of
Eller and his associates. They reason that hacker talent of their high
caliber is too precious to ignore.

bad news is good news

Hiring philosophies aside, security firms large and small agree that
cybercrime has reached alarming levels. Internet security breaches
cost businesses around the world upwards of $15 billion a year,
according to the research firm Datamonitor. In one recent survey,
conducted by the Computer Security Institute and the FBI, 85 percent
of respondents reported at least one attack. High-profile debacles
such as last February's Yahoo! takedown have exposed the Net's soft
underbelly for all to see.

The resulting hysteria, coupled with a severe shortage of talent, has
been a boon to savvy job-seekers, including some with the kind of
after-hours hobbies that the leading lights of the security
establishment claim to abhor. With security services projected to
become an $8.2 billion industry by 2004-up from just $2.8 billion in
1999-even low-tier workers expect base pay to average more than
$75,000 a year. And the Ghetto Hackers are taking full advantage of a
hot market.

Michael "Koresh" Bednarczyk-at 30, one of the group's elder
statesmen-is chief scientist at the Internet Security Advisors Group
(known as ISAG), a highly regarded firm headed by Ira Winkler. (See
"The Social Engineer") Drew "Ender" Miller, 23, a specialist in
algorithms, recently left a longtime post at Datalight, an
embedded-software developer, to become a programmer at LapLink.com.
Eller, for his part, is the senior architect at ClicktoSecure, which
makes a security scanning program called Hailstorm. Ghetto's ranks
even include a high-level Microsoft employee, although his identity is
well guarded. "They would recognize the name, and he positively would
be fired," Eller says.

Microsoft is not alone among technology titans in its low regard for
job candidates with experience on what some call "the other side." At
most of the top companies, official policy bars anyone linked to the
underground scene, whether by attendance at an event like Def Con or
by the act of swapping hacker tools over the Internet. "I don't
believe in it, because they never go straight," says Tom J. Talleur,
managing director of KPMG's forensics technology services division.
"The problem is one of trust. It's one thing to give someone the keys
to your house, it's another to give him complete root access-access to
all of your secrets." So great is the threat, Talleur says, that even
guilt by association can disqualify a job candidate, no matter how
exceptional his skills or clean his rap sheet.

But jobs with KPMG and other old-school industry mainstays don't
necessarily tempt today's rising security experts. "I know the Big
Five employed hackers in the past," says Eller, referring to the
sizable security practices operated by the major accounting firms.
"But I don't know if there are any really left. All the ones I know of
have left for smaller, lighter, faster companies where they get
meaningful amounts of equity."

Ghetto's members also take issue with the logic of the Big Five's top
brass. Eller and his friends view themselves as hackers in the purest
sense of the word: People who satisfy an innate curiosity by
determining how systems work from the inside out. "Intimately tied to
learning how things come apart is learning how to put them together so
they don't come apart," Eller insists. The hacker mentality espoused
by Ghetto is an elegant spin on the credo of the Russian anarchist
Mikhail Bakunin: "The passion for destruction is also a creative
passion." Though many learned their crafts as mischievous kids-futzing
with high school networks, probing obscure NASA servers-they are now
self-professed law abiders one and all.

the legal tightrope

To the average American still grappling with the Paste command in
Microsoft Word, hacker is synonymous with hoodlum. Hackers are
commonly viewed as terrorists, says "Rizzo," the group's resident
wireless expert, and one of several members who asked to be identified
only by nickname. "They think it's evil little guys sitting in
basements, basically punks." The real punks, he adds, are unskilled
teens who use pre-programmed hacking tools to deface Webpages by
filling them with Limp Bizkit lyrics.

The Ghetto Hackers do not pretend to be candidates for sainthood,
however. Many learned their trade while walking a legal tightrope. The
son of a trainer on the horse-show circuit, Eller spent his
self-described "white trash" childhood bouncing around the Rockies and
Cascades, attending school with kids who did not take kindly to his
gangly limbs, dark garb, and classroom smarts. As an 11-year-old
martial arts expert, he saved up enough cash to purchase a plane
ticket to Toronto for a tournament. But a premeet sprained ankle
forced him to seek a life-altering refund. "I walked into the travel
agent and begged a little and convinced them to give me my money
back," Eller recalls. "And when I got out, across the street they were
selling Commodore 64s."

With the aid of a friendly employee who gave him a steep discount, he
purchased one of the low-powered machines "and basically spent the
next five years locked in my room." Since there were few tech-savvy
teachers in Everett, Wash., Eller used bulletin boards to communicate
with French and German hackers who taught him the programming ropes. A
run of steep long-distance bills forced him to indulge in what he
characterizes as "basic telco fraud," fiddling with phone cards to
make them everlasting. It was that interval of law-bending that led to
what he calls "The Visit"-Eller's only legal scrape. "I had a panic
button wired up," he explains, "and as soon as I saw [the cops] out
there, I hit it and fried all my disks." The experience, he sheepishly
adds, scared him straight.

The Visit was only a minor obstacle for Eller. He learned database
programming as a teenage salesman at a mom-and-pop computer shop. As
an entry-level worker at Datalight, Eller quickly ascended the salary
ladder, maxing out at $72,000 per year after Def Con 7. Though coy
about his current income, he is the proud owner of a high-tech condo
in downtown Seattle, a domicile stocked with rack-mounted computers, a
massive flat-screen Sony Trinitron, and an encyclopedic porn
collection. Though the stereotypical tech worker may be a
100-hour-a-week drone, Eller will have none of that. "I'm all down
with not working," he says. He dreams of cashing out in a few years
("I'm looking at 37"), possibly to become a college professor-a lofty
aim for someone who dropped out of the Everett Community College
business program before earning an associate's degree.

In his lack of formal education, Eller typifies the security elite.
It's a profession in which hands-on talent tends to gestate outside
traditional channels. "With the proliferation of information we have
now, a 5-year-old has access to all the same information as a
college-level undergraduate," says Miller, a Ghetto Hacker who
estimates that he is 85 percent self-taught. "People don't need to go
to college; they need to apprentice, like blacksmiths or whatever.
Find something you like, find someone else who is good at it, hang out
with them for a couple of years.... You can have that Dairy Queen job
and then turn around and be programming computers someday. I think
that's awesome. Obviously, that's what I did."

A native of tiny Marysville, Wash., Miller first met Eller through the
local Assembly of God church. "My parents knew I was into computers,
and his parents knew he was into computers, so they kind of hooked us
up," he recalls. "I would take my systems over to his house and we'd
share the latest and greatest stuff."

At 15, Miller left home after a falling-out with his folks over
religion-"My father basically gave me a mandate and just said, 'Our
way or the highway,' so I took the highway." He begged Eller, five
years his senior, for shelter. "I proposed to him some sort of deal
like, I'd be his slave if he'd let me live with him," says Miller. "I
cooked, cleaned, did his laundry, got into fights with his girlfriend,
bummed cigarettes off of him." Another of Miller's responsibilities
was to download free software from so-called warez
sites-clearinghouses for the latest hacker paraphernalia.

Eller encouraged his protege to sharpen his coding skills by writing
elementary games. "I wrote Tic Tac Toe," Miller says with a bit of
embarrassment. "It took about two weeks and 10 pages of code. And then
Caezar sat down and said, 'Watch this,' and about 15 minutes later it
was a page-and-a-half of code. I didn't understand any of it."

Those mystifying tutorials taught Miller more than any high school
Basic class ever could. At 17, he got a job as a quality assurance
tester at Datalight, where he quickly proved his worth. After several
months, "I got to the point where I was going in and finding the bugs
in the tests that were testing the operating systems," he says. He
boasts of making more money than his father. In his spare time, he
writes algorithms for prime-number generators.

don't ask, don't tell

The Ghetto Hackers' digital "street smarts" serve them well in their
white-collar pursuits. They have a knack for solving complex security
riddles-sniffing out a previously unknown vulnerability, for example,
or analyzing the behavior of an intelligent virus. Last November,
acting on a tip from a Cambridge, Mass.-based hacker, Eller figured
out a way for advanced cybervandals to use "stack overflows" to
disable a theoretically secure machine. Before his research, the
brightest computer scientists had dismissed the possibility of such an
attack; Eller needed just two days to disprove the conventional
wisdom.

"The people who spend their mornings up until 6 a.m. trying to learn
how something is broken or learn some new way to cause problems or fix
problems, those are the people that are changing the world," says
Eller, whose skill has earned him invitations to corporate-security
conferences as far afield as Singapore. "That talent can't be measured
in the kind of suit they wear."

George Kurtz, founder of Foundstone Security and a former pooh-bah at
PricewaterhouseCoopers and Ernst & Young, agrees about
underground-bred employees in general, and the Ghetto Hackers in
particular. "In terms of talent, they are exceeding what you're going
to find at the Big Five," he says. "These guys are really, really
sharp folks."

Despite their supposed contempt for the underground, many big firms
secretly side with Kurtz. They're willing, even anxious, to bring
hackers into their ranks, as long as their nocturnal activities are
kept hush-hush-a New Economy version of "Don't ask, don't tell." Any
firm that claims never to hire such people "is either lying or doesn't
have any expertise on staff," Rizzo says. "If you want to do something
right," he adds, "you're going to hire an expert, right? What firms
want to avoid is the appearance of having a bunch of law-breaking
hooligans that are uncontrollable on their staff."

Several firms, in fact, covertly wade through the underground in
search of untapped talent. The Ghetto Hackers have been persistent
targets of corporate recruiters, especially since their successive
victories at Def Con's Capture the Flag event, a 48-hour digital joust
in which teams score points by hacking rivals' machines. "After we won
at Def Con 7 [in 1999], we got tons of job offers," says Eller, who
himself became the object of a bidding war that led to a 20 percent
raise. "And all because of something that only took us a couple of
hours."

Corporations that shun underground talent are only cheating
themselves, says "Palante," a Ghetto Hacker who works in the
information security consulting division of a corporation he declines
to name. "When it comes to hiring hackers, remember that we're talking
about a company paying someone to tell it about risks it may not even
know exist," he wrote in a response to an antihacker screed published
in the Toronto Globe and Mail last August. "The more a company's
consultant knows about such 'black arts,' the fewer unknown risks
there will be." KPMG's Talleur chortles at that assertion. Demolition
experts, he argues, don't necessarily make the best architects. "The
wonderful, colorful moniker of the hacker, going around with his cape
flying? It's bullshit," he says. "They're not that smart.... Just
because they're great at breaking into systems doesn't mean they're
great at fixing them."

Venture capitalists are beginning to believe otherwise. Last January,
a renowned group of Boston-area hackers known as L0pht Heavy
Industries was acquired by security startup @Stake for $10 million.
The L0pht, home to such famed hackers as "Space Rogue," "Dildog," and
"Mudge," gained notoriety by authoring password-cracking tools for
Windows; as a division of @Stake, the crew now charges megabucks to
help companies design secure products.

The Ghetto Hackers seem a bit too pleasure-oriented to attract that
sort of financial support. The group originated three years ago as an
impromptu band of revelers at Def Con, which attracts thousands of
hackers to Las Vegas each summer for three days of technical lectures,
trick swapping, and carousing. The founders met by a stroke of fate as
they downed drinks at the same table. On a lark, one celebrant
registered them for the Capture the Flag contest. Inebriated beyond
recognition and competing as "Team Boozer," the seat mates were
stomped by a Scandinavian outfit calling themselves the Mad Swedish
Hackers. The only good thing to emerge from that year's convention was
the group's catchy moniker; the words first spewed from the mouth of a
member known as "Shrub," who objected to his colleagues' habit of
writing code on cocktail napkins. "What are we," he sneered, "a bunch
of ghetto hackers?"

Amid the alcoholic haze, however, they developed a sense of
camaraderie-and a thirst for redemption. "It didn't matter who won at
Def Con 7, but the Mad Swedish Hackers weren't going to win," says
Miller. Ghetto considered a wide variety of revenge strategies,
including abduction and "paying very beautiful women to seduce them."
Eventually, Miller and his friends settled on the uncharacteristically
mundane approach of trying to boost their own performance.

Predominantly Seattleites, they kept in touch over the ensuing year,
drawing other security-obsessed geeks into their clique. After their
Capture the Flag triumph in 1999, Ghetto coalesced, renting workspace
downtown before moving into their current basement quarters-beneath a
bank on the Emerald City's outskirts-last spring. The new digs include
an abandoned vault, which now houses a battery of servers behind a
heavy iron door.

Beyond harboring their weekly brainstorming sessions and the
occasional gala, the 3,000-square-foot space serves as a laboratory
for advanced research into everything from cryptography to phone
systems. Satellite labs in San Francisco and San Diego, where several
affiliates live, are set to open soon. The group, says Eller, is
"really designed to be a think tank-a place where people can come
together and share different ideas and come up with a kind of
synergy."

The Ghetto Hackers range in age from late teens to 30s, but they all
share two key traits: technical prowess and a taste for hedonism.
Plenty of people have the intellectual credentials to win Ghetto
membership, "but they're sticks-in-the-mud," Eller says. Constantly on
the lookout for kindred gearheads, Ghetto does a fair amount of
recruiting at local hacker get-togethers known as 2600 meetings (named
after a hacker magazine celebrated for its anticopyright activism).
Prospects get invited to what Eller calls a "2621 party," where the
real testing occurs. "If somebody can hang out and be mellow, not make
a fool of themselves," Eller explains, "then we can say, 'OK, we
should take this person's money.'" The monthly dues of $180 pay for
rent, bandwidth, and special events, such as the screening of The
Matrix that drew 450 of the group's closest friends to the Cinerama
theater in downtown Seattle.

Still, a few ambitious members foresee a day when the Ghetto Hackers
may replace Ernst & Young on the speed dials of hip,
security-conscious chief technology officers. In recent months,
Bednarczyk has been lobbying his cohorts to transform Ghetto into a
security startup. "We've got a diverse skill set in the group, and
we've got some definite leaders in the up-and-coming technology," he
says. "Probably more goes on in our meetings than in most
boardrooms.... I see this group really turning into a consulting
house. There's no reason it's not going to happen." Bednarczyk wants
to form a limited partnership and establish a common bank account,
perhaps offshore, so the group can take on odd jobs securing ISPs or
conducting penetration tests.

"I think there's a good chance that something will come of it," Miller
says. But money, he adds, is not their only motivation. "Most people
here have really good jobs, so the issue of making a million dollars
on network security-nobody's worried about that." Some members prefer
the idea of forming a nonprofit organization, permitting them to bid
for government research grants. With Uncle Sam's sensitivities in
mind, there's even talk of adopting a pseudonym, such as "Security
Consortium," for official dealings.

Meanwhile, Ghetto has a more pressing matter to consider: Def Con 9
and the prospect of a Capture the Flag three-peat. After the Tuesday
meetings, they spend hours debating tactics and perfecting attacks on
practice networks. Next month, the group will strut into Las Vegas'
Alexis Park Resort-scene of this year's convention-with the cockiness
of champions.

"We've pretty much determined that we're never going to lose again,"
Miller says. "So most of the people here, they actually take time in
the off-season to do things like download the latest patches." In an
industry where notoriety can be parlayed into big-time bucks, spending
the time to hone one's hacker chops is clearly a sound investment.


Brendan I. Koerner who holds a Markle Fellowship at the New America
Foundation, is a freelance writer living in New York.


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*


ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.