San Diego Reader

Like many hackers, David Nakamura Hulton goes by more than one name. His other one, his handle, is h1kari. Some people say you shouldn’t ask a hacker what his handle means. Handles aren’t always meant to be serious. Sometimes they’re designed to foil any journalist who assumes a handle is a window into a hacker’s soul. At the least, your inquiry indicates you’re a rube in hacker circles. But when Hulton greets me at the far end of the Starlight Ballroom one Friday evening in September, he offers both names, along with a handshake, and, unprompted, says of his handle’s homonym, hikari, “It’s a Japanese word. It means ‘divine light’ or ‘enlightenment.’ ”

The Starlight Ballroom is on the ninth floor of downtown’s Bristol Hotel. If this seems like an odd place for a weekend hacker conference to hold its opening party, maybe it isn’t any odder than a hacker conference in the first place.

The lights are low; so is the music. Attendance is sparse, maybe 75 people, but the night is young, as are most of the attendees. The atmosphere is reminiscent of a college mixer, one where the women largely haven’t showed. Young men sit or stand in clusters. At the far end of the ballroom, where I am standing with Hulton, the roof is rolled open to the sky, above what must normally be used for a dance floor. The opening line of William Gibson’s seminal cyberpunk novel, Neuromancer (1984), describes a sky “the color of television, tuned to a dead station.” The sky above the Bristol, try as I may to see it differently, is an ordinary dark navy blue.

In 1999, Hulton and a friend co-organized this annual event, called ToorCon. Hackers gather at “cons” in many other parts of the country, but the one in San Diego is their only venue on the West Coast. def con, which is held in Las Vegas every August, is more of a convention than conference — “the largest hacker convention on the planet,” says its website, www.DEFCON.org. Ten years ago, def con’s originators named it in mock homage to the military term “DEFense CONdition.” It was popularized by the movie War Games (1983), in which a teenage hacker played by Matthew Broderick accidentally hacks into the North American Aerospace Defense Command and nearly starts a nuclear war. Movie viewers watch the situation proceed from def con5 (“normal peacetime readiness”) to def con1 (“maximum force readiness”) before the hacker’s mistake is discovered. The hackers I’ve met consider laughable most Hollywood depictions of their activities. War Games is one tolerable exception, which they credit for managing to portray accurately at least some technical aspects of hacking. As for def con the convention, they consider it a must-do, no matter how many regional cons they attend. Last summer, at def con, attendance was over 6000. But popularity has its drawbacks. By all accounts, what began as a weekend of good technical talks for the computer underground has devolved into a bacchanalia attracting too many hangers-on and hacker wannabes.

ToorCon, meanwhile, has acquired a reputation of its own. It’s considered to be a con for the serious-minded hacker, a place to learn, exchange information, and party a little, but not on the grand scale of def con. “We’ve heard that ToorCon is the pg version of def con,” a La Jolla father of a 13-year-old boy told me. The two would attend ToorCon 2002 together. The boy, who wore his blond hair in choirboy bangs and had braces on his teeth, reluctantly revealed his handle: “Qwertykey.” Proud father patted son’s shoulder: “He’s my budding geek.”

When I first spoke to Hulton, he didn’t mention his h1kari persona and didn’t exactly say he was a hacker. This was on the phone three years ago, when he was looking to get publicity for ToorCon 2000. His press release said it was a “computer security expo.” There would be booths and speakers as at any trade show, Hulton said. (True, some speakers had strange nicknames, like “Simple Nomad” and “palante,” but I still didn’t get it.) Hulton himself did “a lot of computer-security consulting in the San Diego area.” He and the same friend who had started the conference with him ran a computer-security business, Nightfall Security Solutions. It sounded like a good name for a burglar-alarm company.

I asked Hulton during that initial conversation what “ToorCon” meant. “ ‘Toor’ is ‘root’ spelled backwards,” he said. “And ‘root’ means ‘full administrative privileges on the system,’ so if you gain root, you have full access.” Root is the goal for those who compete as intruders in RootWars, a computer game co-invented by Hulton that people play at the conference. (At def con, there is a similar game, Capture the Flag.) Other RootWars players, called servers, run the systems the intruders attempt to invade. A third group plays as investigators. They watch the networks, run their intrusion detectors, and hope to catch the highest number of intrusion attempts.

As we talked that day, about how some people break into machines and others try to thwart them — in the real world, not just while playing RootWars — I realized the truth. Is it correct to say that the anti-hackers are themselves hackers? I asked. To catch a thief, as the saying goes?

“How people usually put it is, you know, like the locksmith?” Hulton said. “The locksmith knows everything about how locks work, but there’s this code of ethics, where you don’t use your knowledge to break into anybody’s house. Some people out there think that all hackers are bad,” he acknowledged. “They think hackers just break into things and divert funds into their own bank accounts. And there are people who do malicious stuff and who call themselves hackers. But actually hackers are people who write the programs and do the testing that can help secure everybody’s systems.”

Maybe there should be two different words, I suggested, one for the bad guys and one for the rest?

“Originally ‘hacker’ just meant people who wrote code,” said Hulton. “And then there came around the term ‘cracker,’ which means people who break into systems. But then they just got melded together after a while.”

Did he think hacking was a fairly prevalent activity?

“I think it’s a lot more prevalent than people realize. Like, on Attrition?” He was referring to www.attrition.com. “Attrition is mainly known for its huge mirror of hacked websites. If a website gets hacked, people usually notify Attrition, and it grabs a copy of the page while it’s hacked and posts it. They keep a record of everything. Last year, they got around 3000 hacked websites mirrored on their page. And that’s only the reported ones. I’m sure plenty more were hacked, but smart people don’t want others to know their systems got broken into.”

What motivates these hackers? I asked Hulton.

“Partly, the thrill of showing their friends, ‘Hey, look what I can do.’ The hackers who are actually beneficial to the community write programs to patch vulnerabilities. Many of them are very well known programmers. For example, you may have heard of the L0pht?” He spelled it, so I would know the second character was a zero, not the letter O, and later I looked it up on the Internet; L0pht Heavy Industries was a noted computer-security firm based in Boston. “They’ve given a couple of talks in front of Congress. I guess Congress asked them how long they’d need to take down the Internet. And they said, ‘About 30 minutes.’ The head of it just got appointed director of research and development at this new corporation. He’s written a ton of really robust programs.”

Simple Nomad was on a par with hackers from L0pht, Hulton said. “He makes tons of contributions to the computer-security community. He finds lots of vulnerabilities in operating systems. You can go on nmrc.org and check out all the things he’s written. He works for BindView.” (That is, BindView Security: Proactive Security Management Software and Services.) “He has a real name, but everybody knows him as Simple Nomad.”

The hacker known as palante was impressive too, said Hulton. “He has won the [Capture the Flag] server award at def con for three years in a row. He makes modifications to the operating system, so that people who gain root on the system are still restricted. It’s really advanced stuff.”

Another hacker who was scheduled to speak in 2000 had no handle; he was already famous as plain old Mike Hudack. “When he was 15, the nsa [National Security Agency] attempted to recruit him,” said Hulton. “He had a website they would visit every couple of days. He’s working for a computer-security think tank now, in Connecticut.” (Later, Hudack confirmed these statements via e-mail from his office at the Knowledge Propulsion Laboratory.)

What was Hudack’s present age? Did Hulton know? “By now I think he’s 17.”

College was on hold for him, presumably?

Hulton laughed — a quick, low-voiced, telegrammatic heh-heh-heh-heh. “He kind of graduated early from high school too,” he said.

< Previous Next >