Hackers: Under the hood - Raven Alder

[InfoSec News <isn () c4i org>]

http://www.zdnet.com.au/insight/security/0,39023764,39116620-2,00.htm

Name: Raven Alder 
Handle(s): Raven 
Age: 28 
Place of birth: Mississippi, USA 
Marital status: Single 
Current residence: Maryland, USA 
Job: Security consultant, True North Solutions 
First computer: Home-built 8088 machine in 1988 or so 
Best known for: Tracing spoofed distributed denial of service attacks 
Area(s) of expertise: ISP backbone networking, protocol decoding and 
design, Linux/BSD security, and cryptography 

What's the difference between male and female hackers?

If you ask Raven Alder, she might let out a string of expletives
because gender is a non-issue.

Alder was the first woman to deliver a technical presentation at the
famed DefCon hacker conference in Las Vegas. But don't harp on it. If
there's one thing she hates, it's being type-cast as a "chick hacker".

"If I never read another 'she's going to save the Internet' article or
have a reporter wanting me to pose by the pool at DefCon with a life
preserver, it will be too soon.

"One popular magazine's 'do you think girl hackers should date boy
hackers?' left a bad taste in my mouth, too. Nobody asks the guys this
stuff, and finding myself a 'boy hacker' is not really tops on my list
of things to do this weekend," Alder said.

Born into a fairly well-to-do family, it was clear that Alder was a
brainiac from a young age.

"I skipped three grades and was taking college classes at 12,
graduated high school at fourteen and college at eighteen," she said.  
"My parents very much encouraged my sister, brother and me to be
academic achievers."

Alder has the markings of an uber geek, but her lifestyle is far from
sedentary.

"Mom put all three of us through martial arts [Shorin Ryu Matsumura
discipline] for at least a year. She wanted us to be able to defend
ourselves. After that, it was our decision whether or not to
continue," she explained. "My kid sister quit and did gymnastics
instead, making it almost all the way to being an Olympic-class
gymnast before quitting to become the captain of her high school
cheerleading squad ... [but] I continued."

Alder first dabbled with computers in 1985, fiddling with her school's
Apple II, but didn't get serious until after graduate school.

"I went to Virginia Tech in an entirely unrelated discipline, but you
can't attend that school without becoming at least basically
technically competent," she explains.

Despite becoming quite involved with geekish pursuits, Alder says her
social life hasn't suffered at all.

"If anything, it's made it more to my tastes. I like geeks," she
confessed. "I'm far more likely to enjoy the company of the folks I
see at dc-securitygeeks meetings than I am of the people I'd see at my
neighbourhood bar. I've met a variety of fascinating people through
hacking, and some of them are now close friends."

Alder hasn't taken a holiday "that didn't involve computer security"  
for around five years. "Most of my vacations are something like, 'Oh,
I'll go to Ottawa Linux Symposium, that will be fun!'," she said.

While her parents have been supportive, Alder's father is sometimes
rattled by the idea of his child hanging around with "hacker types".  
When she called to tell him she'd be presenting at a computer security
conference "he went to brag to his security officer friends". But the
thrill didn't last too long.

"DEFCON? Do you know what that is? It's full of HACKERS!" her father
said.

It took her 30 minutes to deliver the "hackers-are-not-bad" speech.

But it's not all smiles and sunshine in the security business for
Alder -- she once found a serious vulnerability in a "very popular
security product".

"I wrote up some proof of concept exploit code, and took it to my
boss," she explained. The makers of the product didn't really seem to
care about the issue nor want to fix it.

"I carefully explained the importance of the problem, and the possible
ramifications of exploiting it. People are trusting this product with
their security data, and if the product itself is [insecure], it's
un-trustable and you can't have faith in the veracity of that data,"  
she said. Still, the vendor was unmoved, claiming no one would ever
find the glitch.

Alder was by this point annoyed. She had found the problem, so others
could too. But the vendor simply refused to fix the problem.

"Now, if I had been doing this as an independent researcher, I would
have posted [it] to Full Disclosure (a security mailing list) at that
point. However, since I was working for a company, disclosure was in
their hands and not mine, and they chose not to say anything. So the
vulnerable product is still out there.

"I was explicitly told that I would be sued to the tune of several
million dollars if I ever violated my NDA [non-disclosure agreement]
and revealed the vulnerability. This is why closed source security is
bad. Lesson learnt ... any vulnerability research I do from here on
out is my own, and I will be answerable to nobody but myself for
disclosure," she said.

It could be this experience which has dimmed her view of the industry
as a whole. There are good people in the security space, she says, but
there are also some bad eggs.

"The root problem that the security industry has is ... unscrupulous
people selling to an uninformed market. The managers buying security
products don't understand security at all, and so they trust the
vendors to tell them what is best," Alder argued. "And somehow,
conveniently, what is best has a great overlap with whatever that
particular vendor happens to be selling."

However, it's not just the vendors who are to blame. To a certain
extent, Alder said, end-users engage in an "ignorance is bliss"  
management philosophy.

"Many companies just want to be able to throw money at a product and
feel secure. They're uninterested in understanding security or
changing their habits and environment.

Unfortunately, that's not the way that a successful security program
works. People who understand security are necessary, and in
chronically short supply," she said.

"[Companies] have the latest and greatest firewall that nobody has
ever bothered to configure, or a very expensive intrusion detection
system (IDS) that nobody has the understanding to tune."

Alder monitors the nessus.org IDS. Nessus is an open-source
vulnerability scanner, so one might expect some sophisticated attacks
against that domain but this is not always the case.

"Sadly, most of the attacks that people threw at it were pretty stupid
-- 'Oooh, I downloaded Nessus! Hey, I'll run Nessus against Nessus!'.  
I did see some exploit attempts that were fairly similar to the
successful attacks against Debian and Gentoo at about the same time,
though, so that was neat. And they didn't get in!," she recalled.

It seems Alder genuinely enjoys her work, and gets some thrills
through some unlikely pursuits. "Hiking, rock climbing, camping. I'm
also an avid reader -- I have a taste for science fiction and fantasy,
but I'm also fond of archaeology, linguistics, history, particle
physics, and biology," she said.

In her spare time, she downs chai while arguing philosophy with
friends.

To aspiring hackers, Alder has this piece of advice: "Learn TCP/IP or
the internals of your operating system of choice. Ideally, learn both.  
Don't just be a script-kiddie who downloads an attack program off the
Internet and think that's cool.

"Understanding what you're doing is more cool. Having the know-how to
develop a new and innovative attack or to develop a creative defence
is a lot more impressive than 'dude, I sniffed your Hotmail
password'." -- Patrick Gray.



_________________________________________
ISN mailing list
Sponsored by: OSVDB.org