Information Security News mailing list archives

The Mind Of A Hacker


From: InfoSec News <isn () c4i org>
Date: Tue, 11 Nov 2003 06:46:34 -0600 (CST)

Forwarded from: William Knowles <wk () c4i org>

http://www.internetweek.com/breakingNews/showArticle.jhtml%3Bjsessionid=5ARRMPTZ3BM2MQSNDBCCKHQ?articleID=16100230

By George V. Hulme, 
InformationWeek 
November 10, 2003

Marc Maiffret is a hacker. Maiffret started hacking about six years 
ago, at age 16, when a friend at school introduced him to computers, 
and he got hooked on a digital-age narcotic: information. He consumed 
what he could about the Internet, computers, networks, and phone 
systems. "I wanted to learn more," says the guy whose teenage handle 
was "Chameleon" and whose hair color shifts from black to green to 
blue. Maiffret says some of his actions back then wouldn't meet with 
widespread approval. "When I was younger, I was up to no good," he 
admits. 

Today, Maiffret could be considered one of the good guys. In 1998, 
when he was 17, Maiffret co-founded eEye Digital Security, which makes 
security software that has been adopted by companies such as 
Prudential Financial. Now he has the title of chief hacking officer, 
and he and his co-workers help to discover security flaws in software. 

Hacker is a loaded word. The hacker community--and it's a thriving 
online community--includes technophiles, curiosity seekers, 
cybervandals, and outright thieves and fraudsters. The technophiles 
love to take apart software to see how it works or what they can make 
it do. Some write tools and applications such as password crackers, 
vulnerability scanners, and anonymity tools, and make them freely 
available on the Internet or hacker Web sites and message boards. Some 
devote long hours to uncovering flaws in software that make systems 
less secure by allowing destructive worms and viruses to gain access. 

The others--the intruders, vandals, virus writers, and thieves--are 
criminals, pure and simple. At their most benign, they are 
trespassers, rummaging through proprietary systems and databases. 
Hackers also are responsible for Web defacements, denial-of-service 
attacks, and identity theft. Some see themselves as rebels or 
revolutionaries, "hactivists" spreading a message of anarchy and 
freedom. Some are simple mercenaries who write tools, known as 
exploits, to take advantage of security flaws and make it easier to 
penetrate systems. In some cases, they sell that information to 
spammers, organized crime, other hackers, or the intelligence services 
of foreign countries. 

Hackers are blamed for unleashing worms and viruses that have cost 
businesses billions of dollars a year in damages. The problems they 
cause have gotten so bad that Microsoft last week created a $5 million 
fund to provide rewards for information leading to the capture of the 
people responsible for those attacks. Fed up with the damage done to 
its reputation and, increasingly, to its revenue stream, Microsoft, 
working with the FBI, the U.S. Secret Service, and Interpol, is 
offering a bounty of $250,000 to people who help capture those 
responsible for the Blaster worm and the Sobig virus, which wreaked 
havoc this past summer on systems and networks worldwide. 

Hacker is a term with negative connotations for most of the technology 
community. "I used to call myself a hacker in the sense that I like to 
twiddle with stuff, but I don't use that word to mean that any more," 
says Marcus Ranum, senior scientist at TruSecure Corp., a 
risk-management and security vendor. "That word has been ruined by 
little selfish punks." 

It's more than a question of semantics. Some of the positive that 
hacking represents--intellectual curiosity, tech savvy, innovative 
thinking--is overshadowed by its criminal aspects--the potential for 
grave harm and mass destruction--but it's a difficult line, especially 
for young people, who need to be encouraged to embrace technology and 
its potential. Also, recent laws such as the Digital Millennium 
Copyright Act and the USA Patriot Act may criminalize what some 
security researchers see as legitimate avenues of inquiry, limiting 
the technology industry's ability to help itself and eliminating 
necessary research or driving it further underground. 

That's why it's illuminating to inquire about hackers: Who they are, 
what they do, and why. 

Chris Wysopal is a hacker. Wysopal, VP of research and development at 
security consulting firm @stake Inc., advises businesses and 
government agencies how to better secure their computer networks and 
systems. He has also held jobs at GTE Internetworking and Lotus 
Development Corp. 

Wysopal used to be known as "Weld Pond," a member of security-research 
group L0pht Heavy Industries, a legitimate but unconventional business 
that made its name in the 1990s by uncovering and disclosing software 
vulnerabilities. In 1997, it released L0phtCrack, a tool that could be 
used to audit and reveal Windows passwords. L0pht (pronounced "loft") 
was condemned for releasing the password cracker, but Wysopal says the 
group's mission was misunderstood. The goal of L0pht was to raise 
security awareness and to provide security professionals with tools 
"as powerful as the tools people use to break into things," he says. 
And some organizations saw the advantage. "I think the General 
Accounting Office was our first paying customer." 

The distinction between hacker and legitimate security researcher can 
be difficult to make. In 2001, Maiffret's firm, eEye Digital Security, 
found a weakness in Microsoft's Internet Information Services server 
software. The security firm notified Microsoft about the flaw, and 
Microsoft issued a patch. But a month later, the notorious Code Red 
worm raced through the Internet and attacked hundreds of thousands of 
unpatched systems around the globe by taking advantage of the security 
weakness eEye discovered. 

The hacker community itself makes that distinction by referring to 
white-hat and black-hat hackers, which reflects what sociologist 
Bernhardt Lieberman refers to as the "dual nature of hacking." There 
are hackers who are enthusiasts who try to push technology as far as 
it can go to learn how things work, and there are hackers who are 
serious threats to businesses and systems, whose intrusions and 
malicious code cause great pain. 

The terms hack and hacker originated in the 1950s at The Model 
Railroad Club at MIT. The image of the computer hacker has been 
romanticized in popular culture in movies such as War Games and Hackers. 
Today, however, the word hacker is commonly used to refer to 
criminal--or at least arrant--activity. "It's come to mean anyone who 
works their way around legitimate controls in systems," says Herb 
Mattord, an information systems instructor at Kennesaw State 
University in Georgia. 

Those clinging to a less-tainted definition of hacker don't think of 
themselves as criminals. Most say they just want to learn more about 
computers, says sociologist Lieberman, director of the research firm 
Social Inquiry and professor emeritus of sociology at the University 
of Pittsburgh. Lieberman has conducted detailed interviews with 42 
hackers, analyzed the content of 2600: The Hacker Quarterly magazine, 
and attended hacker gatherings. 

When asked about their motives for hacking, nearly 100% say they hack 
for intellectual challenge, to increase knowledge, to learn about 
computers and computing, or to understand how things work. However, 
14% cite attacking authority and the government among their 
motivations. And 7% say it's to attack capitalism, break the law, or 
become well known. 

InformationWeek posted a series of questions on hacker bulletin boards 
and Web sites seeking to understand why hackers hack. The responses 
were illuminating, yet sometimes troubling. "Hacking to me is a way of 
life. The infinite quest for knowledge is quite stimulating," says 
Bio_XP. "Being a hacker forces you to think outside the box and look 
at problems (computer-related or not) in a whole new way. Hackers 
solve problems that affect us as well as others. By developing 
software, patches, etc., we help many people, [and] in addition, we 
help technologies improve and therefore progress." 

Another, called LiquidFish, says he hacks because he's always thinking 
about the vulnerabilities of things and how they can be exploited. 
"It's just part of who I am," he says. "This extends to every new 
thing I'm introduced to, not just computer related." 

One hacker, whose handle is "unnamed," says motivations vary with each 
person. "Some like to hack to test their skills and knowledge or just 
to outsmart an admin," he says. "Others just are adrenaline junkies 
that like the rush." 

One teenage hacker complains that society and the media lump 
criminals, vandals, and virus writers in with young tech lovers who 
try to stay within the bounds of the law. "I try not to break the 
law," he says. "I don't break into networks, though if you look around 
there are plenty wide open." But today's computer security and 
copyright laws make it "hard to tell what you're allowed to do and not 
allowed to do even with the software you buy. Just trying to study the 
software and write about the security holes you find could land you in 
jail." 

He knows that hacking has a bad reputation. "When I say in class that 
my hobby is hacking, the teachers always look at me with disapproving 
eyes like I'm automatically a criminal," the hacker says. "I do not 
steal data or release a virus. That's all lame and not what I think 
it's all about." 

Still, the criminal aspect of hacking is pervasive--and profitable. 
"Some security companies are paying for vulnerability information, the 
spamming industry is paying for zero-day exploits, upwards of $5,000, 
and there are elements of organized crime looking for expertise," says 
Mark Loveless, senior security analyst at security vendor BindView 
Corp. Zero-day exploits are software tools or applications that take 
advantage of undisclosed, unpatched software vulnerabilities. The term 
refers to the worst-case scenario: a worm or other attack that strikes 
a vulnerability that no one knew about or could prepare a patch to 
defend against. "Hackers are attacking hackers and raiding other 
hackers' zero-day libraries," he says. 

Loveless, also known as Simple Nomad, is founder of a hacker lab 
called Nomad Mobile Research Centre, which provides a way for 
interested parties to anonymously discuss and share information about 
computer-security issues "without fear of personal retribution from 
others." The lab seeks to protect hackers from legal action from 
software vendors whose code they've reverse-engineered or from 
government agencies. 

Loveless argues that laws such as the Digital Millennium Copyright Act 
and the USA Patriot Act, combined with the new push to criminalize 
what he calls "security research," will push even more of this 
activity underground. The DMCA prohibits any hardware or software that 
can circumvent copy-protection schemes for digital media such as 
music, movies, and E-books. Hackers fear that vendors will use these 
and other laws to prevent them from conducting security research and 
publicizing the flaws they discover. 

"The underground is doing just that, going completely underground," 
Loveless says. "A lot of things we used to do for research--research 
that was once questionable--can now be considered a criminal act." 

The DMCA has tempered discussion of security research since its 
passage in 1998. Researchers began pulling some security tools off 
their Web sites following the arrest of Russian programmer Dmitry 
Sklyarov at the DefCon security convention in July 2001. Sklyarov 
developed a program published by ElcomSoft Ltd. that made it possible 
to convert encrypted Adobe Acrobat eBook Reader files into unprotected 
Adobe PDF files. 

A few months earlier, a team of security researchers from Princeton 
University, Rice University, and Xerox decided not to publicly present 
research that they had completed on circumventing watermark techniques 
for digital music. The research was the result of a challenge issued 
by the Secure Digital Music Initiative, a consortium of companies 
trying to create open protection specifications. The SDMI tried to 
block disclosure of the research, saying the DMCA might be applied if 
the research were disclosed. 

In August 2002, Hewlett-Packard sent a memo to a security-research 
firm, Secure Network Operations Inc. (better known as SnoSoft), citing 
the DMCA and threatening legal action after the group published code 
that exposed a serious hole in HP's Tru64 Unix operating system. 
Ultimately, HP took no legal action. 

Despite the DMCA, a lot of hacking information can still be found on 
the Internet. Some sites contain reports about newfound 
vulnerabilities and research about security flaws. The information 
that's available includes instructions on "How To Become A Hacker," 
detailed data on the inner workings of phone and PBX systems, 
virus-writing manuals, links to Web sites with free security tools 
used to find vulnerable systems, and application-password crackers. 
There's everything from serious discussions about newsworthy events 
relevant to hackers, such as successful legal defenses, to handy 
tidbits about the inner workings of most operating systems to 
nostalgic threads titled "My First Hack." 

Most security and business-technology professionals have little 
patience with the argument that hackers help make computer systems and 
networks more secure. "These chumps have nothing to offer. They have 
no valuable security contribution at all," says TruSecure's Ranum, who 
has developed security software since the 1980s and is the author of 
The Myth Of Homeland Security (John Wiley & Sons, 2003). 

But not all. "Bug hunters are absolutely essential [for] keeping 
systems clean, semi-free of code defects, but most importantly they 
keep software vendors honest," says a security analyst at a major 
manufacturer. 

Ranum has challenged hackers--at their own gatherings--to prove that 
they care about improving security. "I told them that if they are so 
smart, why don't they do something useful. If you want to be cool, 
write a better antivirus tool. Or if you want to make a wonderful free 
tool, write a tool that blocks the ability for Windows to run 
executable programs on your system until you have authorized that it 
is OK to run that executable." 

Ranum laughs at the idea that it takes a hacker to stop a hacker. 
"They often make the analogy that if you want to build a strong safe, 
you need to hire a safecracker," he says. "That's pure nonsense." 

Researcher Lieberman would like to see kids taught about the ethics of 
computer use and hacking and says businesses should be willing to foot 
the bill. "The government is busy chasing terrorists, but financial 
institutions are losing millions," he says. Schools should develop 
courses to channel the desire to learn about computing into positive 
avenues, and businesses should be willing to finance those efforts. 
"With financial institutions losing millions to hackers, they ought to 
be funding the development of special learning programs," he says. 

As a result, information about software vulnerabilities and hacking 
techniques that was once shared in a somewhat open fashion on Web 
sites, in E-mail mailing lists, and in newsletters and magazines is 
increasingly being shared among smaller invitation-only groups and 
through encrypted mailing lists or networks. "The underground is the 
stuff you don't hear about in the press. It's conversations in 
encrypted channels about security, security tools, exploits, and 
vulnerabilities," Simple Nomad says. "The underground is about helping 
each other out to develop a tool without considering what use the tool 
might be used for. There's a purity to that, which I find refreshing. 
It's about pure information." 

That attitude is naive--even dangerous--in a society that must deal 
with the risk of cyberterrorism, the cost of identity theft, and the 
loss of essential services such as electricity and telephones caused 
by a tool that was developed without considering what the tool might 
be used for. 

The changing views of acceptable behavior have even reached college 
campuses. Actions that were once accepted, or at least tolerated, at 
universities are not considered cool any longer, students say. Eric 
Ogren, a computer-science major at Stanford University, says breaking 
into computer systems, even without doing any damage, is "pretty 
frowned upon now around here." But Ogren says there are still plenty 
of students who hack their own systems and software to learn or to 
improve security. "There's a lot of that going on, especially here 
with research into security or just seeing how things work," he says. 
But the Digital Millennium Copyright Act has changed the way students 
and others view their activities. "I don't know too many fans of the 
DMCA," Ogren says. 

Kennesaw State's Mattord agrees. "There's no age that's too early to 
start, and it would help some students on the edge from going over," 
he says. 

A few who spent their teenage years hacking doubt that education would 
make a difference. "A lot of people doing this stuff like doing it 
because they're doing something illegal or edgy. It's about the thrill 
of it," eEye Digital's Maiffret says. "I don't think it's the same 
thrill to break into some university system where you're allowed." 

The need for that edginess may provide additional insight into the 
thought process of hackers--and people attracted to work in security. 
"It takes a certain mind-set to understand security," says Bruce 
Schneier, founder and chief technology officer at Counterpane Internet 
Security Inc., a security-services firm. "I can't walk into a store 
without figuring out how to steal something. I can't walk into a 
voting booth without seeing if I can vote twice. Normal people think 
about how systems work. Security people think about how systems can be 
forced to fail." 

Richard Thieme, who writes and lectures about computer security and 
has spoken at numerous hacker and security conventions, agrees. "You 
can't be a good security person or good cop unless you know how a 
criminal thinks, and you can't know how a criminal thinks unless at 
least part of your heart is devoted to the black arts of larceny," he 
says. "It's all about how you choose to channel and harness that 
energy." 

To Thieme, hacker means "unconventional thinkers, people who are 
unconventional in every way and who refuse to accept no. If they're 
told the machine wasn't meant to do something, they figure out a way." 

Maiffret thinks most hackers will follow their own paths no matter 
what. But people shouldn't assume that hackers are automatically bad. 
He cites a recent case of a 17-year-old who E-mailed eEye about a 
security flaw he believed he found in Microsoft software. "He wanted 
to know if it was exploitable and how to work with Microsoft," 
Maiffret says. 

It turns out that the teenager had in fact found a real security hole 
that needs to be patched. "We introduced him to the right people at 
Microsoft," Maiffret says. "It's his bug, so we're just following 
along to make sure it's all handled properly." 

A nice story. But it's small comfort for business-technology managers 
worried about someone getting access to sensitive customer data or 
battling wave after wave of worms and viruses that threaten critical 
systems and networks and drain their budgets. Until this onslaught is 
brought under control, hacker will continue to be a dirty word to most 
business-technology and computer-security professionals. 



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*


