Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

The hacking hobbyist

From: InfoSec News <isn () C4I ORG>
Date: Fri, 16 Mar 2001 20:35:29 -0600
http://www.nandotimes.com/technology/story/0,1643,500464331-500708815-503896284-0,00.html

SAN FRANCISCO (March 16, 2001 2:19 p.m. EST http://www.nandotimes.com)
- Jeff Baker hacks into corporate computer networks for fun - period.

Baker, a 24-year-old systems programmer, is part of a group of
computer experts who spend their free time trying to figure out
potential Internet security threats to large networks.

Over the last year, Baker's hobby has led him to technology security
lapses at E*Trade, the Charles Schwab brokerage concern, Wells Fargo
bank and the Critical Path e-mail service.

"It's fun in the same way chess is fun," Baker explained. "It's also
productive. I look into these systems and find out more about how
people are programming."

"Most other professionals have journals and conferences," Baker added.
"We don't; we poke around other people's systems."

Baker is a member of a clan known as "gray-hat" hackers, who occupy
the ethical territory between the malicious "black hats" and the
"white hats," hired by companies to check their own systems' security.

Gray Hat protocol is to first notify hacked companies of possible
network flaws, and then possibly posting the flaw on Web sites where
gray hats exchange trade gossip, as Baker did when he discovered the
E*Trade network security hole. The company quickly vowed to clean up
the matter after reporters called.

In a world where hackers are either jailed or earn thousands in
consulting fees, Baker's hobby is puzzling.

"There is a community of people that want to know how systems work,"
said Bruce Schneier, founder of Counterpane Internet Security and
author of the network security book "Secrets and Lies."

"They want to take a system and tweak it for maximum performance and
figure out how it works and how it fails and what the loopholes are."

The online gatherings for this community are places like Bugtraq, run
by Virginia-based SecurityFocus.com.

Five to 10 network vulnerabilities can be posted on Bugtraq in just
one day, said chief technology officer Elias Levy, who estimates the
gray hat community numbers 10,000 people, ranging from researchers at
well-known labs and universities to amateurs.

"Most security vulnerabilities are found because there are people who
enjoy poking around systems ... and we are all better for it,"
Schneier said.

As part of his campaign for safer computers, Baker chooses to "select
sites that people will really notice."

And there's no shortage of candidates.

"People make targets of themselves," said Baker, who says he gave
E*Trade months to address the issues before posting vulnerabilities.
"If there isn't any press, there isn't any action. It is the key to
making the whole plan work."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
Previous By Date Next
Previous By Thread Next

Current thread: