Like many hackers, David Nakamura Hulton goes by more than one name. His other one, his handle, is h1kari. Some people say you shouldn’t ask a hacker what his handle means. Handles aren’t always meant to be serious. Sometimes they’re designed to foil any journalist who assumes a handle is a window into a hacker’s soul. At the least, your inquiry indicates you’re a rube in hacker circles. But when Hulton greets me at the far end of the Starlight Ballroom one Friday evening in September, he offers both names, along with a handshake, and, unprompted, says of his handle’s homonym, hikari, “It’s a Japanese word. It means ‘divine light’ or ‘enlightenment.’ ”
The Starlight Ballroom is on the ninth floor of downtown’s Bristol Hotel. If this seems like an odd place for a weekend hacker conference to hold its opening party, maybe it isn’t any odder than a hacker conference in the first place.
The lights are low; so is the music. Attendance is sparse, maybe 75 people, but the night is young, as are most of the attendees. The atmosphere is reminiscent of a college mixer, one where the women largely haven’t showed. Young men sit or stand in clusters. At the far end of the ballroom, where I am standing with Hulton, the roof is rolled open to the sky, above what must normally be used for a dance floor. The opening line of William Gibson’s seminal cyberpunk novel, Neuromancer (1984), describes a sky “the color of television, tuned to a dead station.” The sky above the Bristol, try as I may to see it differently, is an ordinary dark navy blue.
In 1999, Hulton and a friend co-organized this annual event, called ToorCon. Hackers gather at “cons” in many other parts of the country, but the one in San Diego is their only venue on the West Coast. DEF CON, which is held in Las Vegas every August, is more of a convention than conference — “the largest hacker convention on the planet,” says its website, www.DEFCON.org. Ten years ago, DEF CON’s originators named it in mock homage to the military term “DEFense CONdition.” It was popularized by the movie War Games (1983), in which a teenage hacker played by Matthew Broderick accidentally hacks into the North American Aerospace Defense Command and nearly starts a nuclear war. Movie viewers watch the situation proceed from DEF CON 5 (“normal peacetime readiness”) to DEF CON 1 (“maximum force readiness”) before the hacker’s mistake is discovered. The hackers I’ve met consider laughable most Hollywood depictions of their activities. War Games is one tolerable exception, which they credit for managing to portray accurately at least some technical aspects of hacking. As for DEF CON the convention, they consider it a must-do, no matter how many regional cons they attend. Last summer, at DEF CON, attendance was over 6000. But popularity has its drawbacks. By all accounts, what began as a weekend of good technical talks for the computer underground has devolved into a bacchanalia attracting too many hangers-on and hacker wannabes.
ToorCon, meanwhile, has acquired a reputation of its own. It’s considered to be a con for the serious-minded hacker, a place to learn, exchange information, and party a little, but not on the grand scale of DEF CON. “We’ve heard that ToorCon is the PG version of DEF CON,” a La Jolla father of a 13-year-old boy told me. The two would attend ToorCon 2002 together. The boy, who wore his blond hair in choirboy bangs and had braces on his teeth, reluctantly revealed his handle: “Qwertykey.” Proud father patted son’s shoulder: “He’s my budding geek.”
When I first spoke to Hulton, he didn’t mention his h1kari persona and didn’t exactly say he was a hacker. This was on the phone three years ago, when he was looking to get publicity for ToorCon 2000. His press release said it was a “computer security expo.” There would be booths and speakers as at any trade show, Hulton said. (True, some speakers had strange nicknames, like “Simple Nomad” and “palante,” but I still didn’t get it.) Hulton himself did “a lot of computer-security consulting in the San Diego area.” He and the same friend who had started the conference with him ran a computer-security business, Nightfall Security Solutions. It sounded like a good name for a burglar-alarm company.
I asked Hulton during that initial conversation what “ToorCon” meant. “ ‘Toor’ is ‘root’ spelled backwards,” he said. “And ‘root’ means ‘full administrative privileges on the system,’ so if you gain root, you have full access.” Root is the goal for those who compete as intruders in RootWars, a computer game co-invented by Hulton that people play at the conference. (At DEF CON, there is a similar game, Capture the Flag.) Other RootWars players, called servers, run the systems the intruders attempt to invade. A third group plays as investigators. They watch the networks, run their intrusion detectors, and hope to catch the highest number of intrusion attempts.
As we talked that day, about how some people break into machines and others try to thwart them — in the real world, not just while playing RootWars — I realized the truth. Is it correct to say that the anti-hackers are themselves hackers? I asked. To catch a thief, as the saying goes?
“How people usually put it is, you know, like the locksmith?” Hulton said. “The locksmith knows everything about how locks work, but there’s this code of ethics, where you don’t use your knowledge to break into anybody’s house. Some people out there think that all hackers are bad,” he acknowledged. “They think hackers just break into things and divert funds into their own bank accounts. And there are people who do malicious stuff and who call themselves hackers. But actually hackers are people who write the programs and do the testing that can help secure everybody’s systems.”
Maybe there should be two different words, I suggested, one for the bad guys and one for the rest?
“Originally ‘hacker’ just meant people who wrote code,” said Hulton. “And then there came around the term ‘cracker,’ which means people who break into systems. But then they just got melded together after a while.”
Did he think hacking was a fairly prevalent activity?
“I think it’s a lot more prevalent than people realize. Like, on Attrition?” He was referring to www.attrition.com. “Attrition is mainly known for its huge mirror of hacked websites. If a website gets hacked, people usually notify Attrition, and it grabs a copy of the page while it’s hacked and posts it. They keep a record of everything. Last year, they got around 3000 hacked websites mirrored on their page. And that’s only the reported ones. I’m sure plenty more were hacked, but smart people don’t want others to know their systems got broken into.”
What motivates these hackers? I asked Hulton.
“Partly, the thrill of showing their friends, ‘Hey, look what I can do.’ The hackers who are actually beneficial to the community write programs to patch vulnerabilities. Many of them are very well known programmers. For example, you may have heard of the L0pht?” He spelled it, so I would know the second character was a zero, not the letter O, and later I looked it up on the Internet; L0pht Heavy Industries was a noted computer-security firm based in Boston. “They’ve given a couple of talks in front of Congress. I guess Congress asked them how long they’d need to take down the Internet. And they said, ‘About 30 minutes.’ The head of it just got appointed director of research and development at this new corporation. He’s written a ton of really robust programs.”
Simple Nomad was on a par with hackers from L0pht, Hulton said. “He makes tons of contributions to the computer-security community. He finds lots of vulnerabilities in operating systems. You can go on nmrc.org and check out all the things he’s written. He works for BindView.” (That is, BindView Security: Proactive Security Management Software and Services.) “He has a real name, but everybody knows him as Simple Nomad.”
The hacker known as palante was impressive too, said Hulton. “He has won the [Capture the Flag] server award at DEF CON for three years in a row. He makes modifications to the operating system, so that people who gain root on the system are still restricted. It’s really advanced stuff.”
Another hacker who was scheduled to speak in 2000 had no handle; he was already famous as plain old Mike Hudack. “When he was 15, the NSA [National Security Agency] attempted to recruit him,” said Hulton. “He had a website they would visit every couple of days. He’s working for a computer-security think tank now, in Connecticut.” (Later, Hudack confirmed these statements via e-mail from his office at the Knowledge Propulsion Laboratory.)
What was Hudack’s present age? Did Hulton know? “By now I think he’s 17.”
College was on hold for him, presumably?
Hulton laughed — a quick, low-voiced, telegrammatic heh-heh-heh-heh. “He kind of graduated early from high school too,” he said.
How old was Hulton himself? Despite his occasional “like” and “you know,” I estimated late 20s, early 30s. After all, he ran a conference as well as his own business.
“I’m 17. Almost 18 — next year.” No man of the world, he still lived at home with his mother in University City. (His parents were divorced; his father lived in Vista.)
And had he graduated from high school?
“Yeah. There’s a test, the California High School Proficiency Examination. Me and my friend took it on the same day last November and got out of high school that way.”
That friend, Ben Greenberg, was the cofounder of ToorCon and Nightfall Security Solutions, as well as co-inventor of RootWars. But Greenberg would soon leave the San Diego area. “He’s moving to Israel,” said Hulton, “to become a rabbi.”
Would Greenberg be at the upcoming ToorCon?
“Maybe on Sunday. He’s ultraorthodox or whatever, so he can’t be there on Friday night or Saturday morning. So he handed the whole thing over to me.”
When I got off the phone with Hulton, I called one of the people scheduled to speak that year. Like Hudack, Ron Gula used no handle. A 31-year-old communications-systems engineer, he had been trained by the United States Air Force; Gula, along with his wife, was cofounder of Network Security Wizards of Columbia, Maryland, and ToorCon was paying his way to San Diego.
“Yeah, hire a thief to catch a thief,” Gula conceded. “One of the main things Security Wizards does is reverse engineering of the hacker technique.” Beyond that, however, he hesitated to differentiate between good and bad hackers. “I personally don’t like to classify people. Traditionally ‘white-hat hackers’ are the good kind, and ‘black-hat hackers’ are bad.” Lately, however, he said he had been hearing the term “gray-hat hacker.” He had also heard people allude to black-hat hackers without really saying they were bad. “They just mean ‘very talented.’ Someone will say, ‘Well, nobody could break into this system except maybe a black-hat hacker.’ But that’s just lingo. None of it is well-defined. Some people consider hackers to be merely interested in how things work, like auto enthusiasts who soup up old Ford V-8 Mustangs. You’ve heard of the whole cracker-versus-hacker thing? But is a cracker a virus writer or what? It’s hard to say.”
And whom did Gula expect to be in attendance at ToorCon? This would be Gula’s first ToorCon, so that was hard to say too, except that the conference had been described to him as a hacker con. He guessed attendees would be similar to those at DEF CON, where “50 to 75 percent — maybe more — have high-paying, commercial jobs.” Others who didn’t were looking for jobs. Hackers, he said, were increasingly being hired by corporations and institutions who realized they were vulnerable to attack and who knew that hackers were the people who could protect them.
Hacked by Doctor Nuker
PHC
Founder Pakistan Hackerz Club
[email protected]
Kashmiris are NOT Terrorists
Greetings from Mr_Sweet, AntiChrist, Devil-C, s0ften, 139_r00ted, FUBY, flipz, fuqrag, GOD, bl0wteam, v00d00, Hi-Tech Hate, hackernews.com, and all the others I miss. #:0)
— hacked website of Shore Intermediate Maintenance Activity (SIMA), San Diego, by Pakistan Hackerz Club, October 30, 1999.
i shit on you i shit on interpol i shit on the israeli’s who are looking for me i shit on interpol who are looking for me i shit on blackdog because he talks to much ..trace me find me and finally 0wn me -eth1cal.
— hacked website of Fleet Area Control and Surveillance Facility, San Diego, www.facsfacsd.navy.mil, by eth1cal, on February 7, 2001.
From archives of www.attrition.org
After my conversations with Hulton and Gula, I mostly forgot about hackers. One night, I logged onto eBay and, instead of its home page, I saw an ugly cartoon face and the caption “HACKED!” (Startled, I instantly logged out. When I logged back in, a few minutes later, it was gone.) Still, I didn’t think hackers’ activities would ever affect me. If I thought about them at all, it was in the same vague way that I thought about burglars. I have a burglar alarm installed in my house and Norton AntiVirus software installed on my computer. The horn on my house, I know, is loud, and once, after I mistakenly triggered the silent alarm that alerts the police down at the station, they arrived. That was reassuring. I sometimes wondered if Norton would actually protect me from a virus. Eventually, I found out. I began to receive virus-laden e-mail attachments, and the system started deflecting them. I received viruses more than once a week, sometimes more than once a day. Most of the accompanying messages were written by people who couldn’t speak English very well. “I would like you nice surprise,” one said. “Hope you enjoy this girlie-girls,” said another. Sometimes the e-mail senders were, ostensibly, people I knew; that is, a familiar name was in the sender line. Occasionally, the subject line reflected an interest of mine or my husband’s. (Bob is a clockmaker, and one bogus subject line said, “Nice Clock Website.”) Norton always warned me to delete these e-mails without opening them, which, of course, I already knew I should.
Then, one day last summer, Bob was at Home Depot using our credit card when a cashier told him the transaction had been rejected. Bob paid for the item in cash and called the company. The card had been canceled, the representative said. Some unusual and hefty purchases had been made with it. Bob was asked if he had bought $10,000 worth of items from Emperor Clothes in the Netherlands. He was asked about a few more recent charges. Some were our purchases; others weren’t. The representative said we would receive a new card in the mail shortly. She was so matter-of-fact, we figured this must be a fairly common situation. We wondered if it was related to our Internet use and what we could do to prevent it from happening again.
Since the events of September 11, there have been news commentaries about the possibility of cyberterrorism. That has made me additionally wonder: Could computer-savvy terrorists knock out water supplies or electrical grids? Could they disrupt air traffic or the 911 emergency system? And will it be up to hackers to prevent them?
I called Hulton, who didn’t return my phone call for a while; he was on vacation in Hawaii and not checking his messages much. Business must be good, I said. He laughed his economical heh-heh-heh-heh in reply. I began to ask questions about hackers — too many to be answered in a single phone call. Hulton suggested I attend ToorCon 2002; the press was welcome. Could he give me a list of San Diego–based hackers to interview beforehand? He told me to start with his new business partner, Tim Minh Huynh (the last name was pronounced “win,” he said) at Nightfall’s downtown office.
The building at 906 Tenth Avenue was formerly a Baptist church. Even without the crosses, its architecture would have an ecclesiastical look. Maybe former occupants had holy protectors; the new ones wanted visitors to be buzzed in. My appointment, for 10:00 a.m., had been arranged by Hulton from Hawaii. The buzzer got me no answer, but someone entering the building let me enter with him, and I found suite 101 at basement level.
That morning’s Wall Street Journal lay at the door. Huynh must not have arrived yet. Or maybe he’d arrived before the paper was delivered. I knocked. No answer. Hadn’t he got word of the appointment from Hulton? Finally, a sleepy Huynh appeared.
He looked like a renegade monk. His head was shaved, giving his wide, round face a Buddha look, but his T-shirt said something about tequila. He wore black shorts and black running shoes without socks. If he’d been barefoot, I might have worried that I’d roused him out of bed — for this space was Nightfall as well as home for Hulton and Huynh. (In fact, like many hackers, Huynh usually did work in the quiet of the night, he told me. A few weeks later, he answered an e-mail at 7:00 a.m. The time raised a question. Had his hours changed? No: he had sent the message just before turning in.)
The ceilings in this building are double-high, and the floor plan is open. (The square footage is 1450, according to the building’s management, which refers to these spaces, including the basement ones, as “lofts.”) There were apparently times for work and for play at Nightfall. At one end of the space was a pool table, elaborately leveled with magazines. At the other, a Ping-Pong table, similarly sturdied. On a wall, a dart board. On another wall, a corporate touch: a shiny white wallboard and notations in felt-tipped pen. In the middle of everything, on a raised platform, many, many computers. Huynh offered me a seat in the “office” — three La-Z-Boys arranged in a circle.
I asked Huynh about the term “hacker.” How did he define it? “It’s some guy pretty much trying to learn everything he can about something,” he said. “It’s not so much a slick guy. It’s a guy who says, ‘I want to know everything about this. I want to use this thing to its 100 percent potential.’ ” He related it to cars, as Ron Gula had. “You discover that if you jiggle the key a certain way… It’s like figuring out a secret.”
And was a hacker always a “guy,” a young guy? “I’ve seen some talented ladies,” said Huynh. “Young ladies, older ladies. Older men.”
How many women had attended ToorCon last year? “We had one. She took a Greyhound from Phoenix.”
How did somebody get good at hacking? Was lots of equipment required? “What you need is lots of persistence. You don’t need anything fancy. It requires sitting down, reading, meeting people, learning from others, picking up things on the job. And you can’t be afraid to try things. Experimentation. You can’t be afraid of opening up your box.” He smiled to himself. “The first time I did it, I short-circuited something and it cost me a whole bunch of money.” But he chalked it up. “I just said to myself, ‘Well, I won’t do it that way again.’ Just playing around — that’s how hacking starts for everybody.”
Huynh obliged me with some personal details. He was 22 years old and born in Vietnam. He and his parents left their homeland in 1981. His father went by foot to Thailand; Huynh, who was still an infant, went with his mother and her brother by boat to a refugee camp in Singapore. The family was reunited in New York but didn’t stay there long. “It was pretty cold.” Instead, they came to San Diego — Normal Heights first, then Mira Mesa. After graduating from Scripps Ranch High School, Huynh entered the United States Air Force Academy. He stayed only two years, finding it tough, not physically but scholastically. He had intended to major in computer science and did well in that area; otherwise, his grades were “abysmal,” he said. English and history — “those things that fill up your day” — were the worst. “I actually like history, but I don’t like reading about it.” And he didn’t like writing papers. Not that graduates of military academies shouldn’t have “well-rounded educations,” he said.
Huynh had enjoyed the military’s structured life. “I don’t mind following orders.” In fact, after leaving, he thought about enlisting. “I want to give back. I know how lucky I am to be here.” But he was talked out of that idea. Instead, he did web development, volunteered for ToorCon 2001, then began to work and live with Hulton at Nightfall.
Huynh’s father works in sheet metal; his mother is a housewife. Were his parents pleased by his current career path? Huynh said they were, even though “what we do here is not what a person typically does.” Huynh’s handle, “nfiltr8” (read: “infiltrate”), was one of those joke handles: he credited his parents for his “morals.” As he put it, “If my parents weren’t the way they are, and if I hadn’t been brought up the way I was brought up, being taught right and wrong, I’d be in a hovel somewhere, trying to break into the Pentagon.”
Should we be worried that people are trying to break into the Pentagon? How vulnerable are we? And is it going to get worse, or better, as computer technology progresses?
“It’s not the technology; it’s the human factor,” said Huynh. That’s what makes us vulnerable. The same for a company’s security. “You can lock down the machines, but one disgruntled employee can decide to wipe you out if he gets mad and goes postal on your network. Companies may invest all they like in security, but what they really should be doing is investing time and money in their people.”
Huynh’s statement was not a selling point for Nightfall’s services. But then, its business model didn’t seem to be the corporate one. If moneymaking were the main object, Hulton and Huynh wouldn’t run ToorCon. “It’s not profitable — it’s more of a community service. We’re lucky to break even,” said Huynh.
But running a conference is so —
“Stressful. But I’m pretty stress-driven.” Today would be a “pretty low-stress day,” Huynh said, despite his appointment later in the day with a potential Nightfall client.
Would he give an actual sales pitch? “We don’t do the sales thing,” said Huynh. “Mostly they’re approaching us, anyway. So we don’t talk so much about the ‘why,’ but rather about the ‘what.’ ”
These days, the “what” was mostly preventive. “People are getting smarter. Others call and say, ‘We think we’re already in trouble.’ ”
After the initial consultation, Nightfall charges an hourly fee, which Huynh preferred not to reveal. He and Hulton give no guarantees. “We’d be shooting ourselves in the head if we did, because we don’t know what’s going to be developed” — by crackers. What Nightfall can do, he said, is “lock down everything, address all the known exploits, and try to keep up with all the advisories issued” by websites like www.bugtraq.com. They also exchange information with other hackers at places like ToorCon.
Would I understand the talks when I attended ToorCon in a few weeks? Some of them, he said. I must have looked doubtful. “Everybody has a little hacker in them,” he said to reassure me.
Before I left that morning, I asked about further contacts. He suggested I e-mail any speaker or volunteer on the ToorCon website. I also asked about Ben Greenberg. Was he still in Israel? I was intrigued by someone who would switch from hacking to holy work. Huynh said he’d heard that Israel had become too violent for Greenberg, and he’d left. But he hadn’t returned to San Diego or hacking; as far as Huynh knew, his predecessor was now living and studying at a college somewhere in New York.
I went to the library and returned home with a stack of books. Secrets & Lies: Digital Security in a Networked World (2000) by Bruce Schneier. Approaching Zero: The Extraordinary Underworld of Hackers, Phreakers, Virus Writers, and Keyboard Criminals by Paul Mungo and Bryan Clough (1992). CyberShock: Surviving Hackers, Phreakers, Identity Thieves, Internet Terrorists and Weapons of Mass Disruption (2000) by Winn Schwartau… Most of them were filled with doom, along with a fair amount of questionable psychologizing. (“The computer underworld is populated with young men, and almost no women, mostly single, who live out their fantasies of power and glory on a keyboard. That some young men find computing a substitute for sexual activity is probably incontrovertible.” — Approaching Zero.)
I also bought a dictionary — The New Hacker’s Dictionary, compiled by Eric S. Raymond. Despite its heft — 547 pages — it was filled with much lighter material.
“Autobogotiphobia.” I began to read like a traveler preparing for a trip to a foreign country. “See bogotify.”
“Bogotify: To make or become bogus. A program that has been changed so many times as to become completely disorganized has become bogotified. If you tighten a nut too hard and strip the threads on the bolt, the bolt has become bogotified and you had better not use it anymore. This coinage led to the notional autobogotiphobia defined as ‘the fear of becoming bogotified’; but is not clear that the latter has ever been ‘live’ jargon rather than a self-conscious joke in jargon about jargon.”
“Copious free time,” I read on, for it defined phrases and idioms, along with single words. “A mythical schedule slot for accomplishing tasks held to be unlikely or impossible. Sometimes used to indicate that the speaker is interested in accomplishing the task, but believes that the opportunity will not arise. ‘I’ll implement the automatic layout in my copious free time.’ Time reserved for bogus or otherwise idiotic tasks, such as the stroking of suits. ‘I’ll get back to him on that feature in my copious free time.’ ”
I laughed. I laughed a lot as I continued to read selections. “Drool-proof paper: Documentation that has been obsessively dumbed down, to the point where only a cretin could bear to read it, is said to have succumbed to the ‘drool-proof paper syndrome’ or to have been ‘written on drool-proof paper.’ For example, this is an actual quote from Apple’s LaserWriter manual: ‘Do not expose your LaserWriter to open fire or flame.’ ”
Hackers love acronyms, almost as much as bureaucrats do. The dictionary explained many of them, although some definitions were themselves acronym-laden. “EMACS [from Editing MACroS]: The ne plus ultra of hacker editors, a programmable text editor with an entire LISP system inside it. It was originally written by Richard Stallman in TECO under ITS at the MIT AI lab…”
In certain cases, a common acronym was redefined by my new favorite book. “FM: Not ‘Frequency Modulation,’ but rather an abbreviation for ‘Fucking Manual.’ ” (“RTFM,” “Read the Fucking Manual,” was compared to “RTBM,” “Read the Bloody Manual,” in the hacker jargon used in the British Commonwealth.)
I was surprised to read the hacker origins of some widely used expressions. “Get a life!” was one that some people claimed to have been invented by hackers. “Hacker-standard way of suggesting that the person to whom it is directed has succumbed to terminal geekdom (see computer geek).… This exhortation was popularized by William Shatner on a ‘Saturday Night Live’ episode in a speech that ended ‘Get a life!’, but some respondents believe it had been in use before then. It was certainly in wide use among hackers at least five years before achieving mainstream currency in 1992.”
The definition of “hairball” was another kind of revelation. “A large batch of messages that a store-and-forward network is failing to forward when it should. Often used in the phrase ‘Fido coughed up a hairball today,’ meaning that the stuck messages have just come unstuck, producing a flood of mail where there had previously been drought.” I found the situation frustrating whenever I encountered it. I hadn’t thought to cope by naming it.
The dictionary’s definition of “hacker” was multiple: “1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary. 2. One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming. 3. A person capable of appreciating hack value. 4. A person who is good at programming quickly. 5. An expert at a particular program, or one who frequently does work using it or on it; as in ‘a Unix hacker.’ (Definitions 1 through 5 are correlated, and people who fit them congregate.) 6. An expert or enthusiast of any kind. One might be an astronomy hacker, for example. 7. One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations. 8. [deprecated] A malicious meddler who tries to discover sensitive information by poking around. The correct term for this is cracker.”
A discussion of the “hacker ethic” followed, beginning with “free software distribution.” Most hackers were for it. The discussion segued into ethics — that is, “the belief that system-cracking for fun and exploration is okay as long as the cracker commits no theft, vandalism, or breach of confidentiality.” The book explained that some hackers considered the act of cracking itself to be unethical, like breaking and entering. “But the belief that ‘ethical’ cracking excludes destruction at least moderates the behavior of people who see themselves as ‘benign’ crackers.”
Hmmm. Benign crackers. Yet another shade of gray. I suddenly remembered that two freshman boys at the boarding school where I used to teach had hacked into the school’s computer. Had they defaced the school’s home page? Had they tried to change their grades (as the protagonist in War Games had done for himself and his girlfriend)? Or had they merely “explored”? I never learned the true nature of their crime. Confronted with such a novelty, the school’s headmaster could think of no more creative punishment than expulsion. We faculty members never heard another wisp of news about them.
Q: What’s your official title?
A: I’m a senior network-security engineer. I do mostly penetration testing, intrusion-detection-system installation, and all things security.
Q: Is it fun?
A: Oh, it definitely is. I think it’s fun breaking into people’s stuff. Yeah, it’s not good for the company if we can do it, but at least they have hired us to come and take care of it. So, you know, yeah, I do get a thrill out of it.
Q: Can you talk about what you did in Alaska?
A: Not specifically. But mostly I was working with a company that has some responsibility for the Trans-Alaskan Pipeline.
Q: Can you say if they had a problem?
A: They had a problem, yes. Someone had attempted to do a break-in, but the security controls that were in place, from some previous work we had done, had shut down the full exploit.
Q: If they had succeeded, what would they have gotten, data or oil?
A: [Laughs.] I can’t say.
— author’s conversation with San Diego–based hacker, Klinge-C01
Emboldened by my book-learning, I e-mailed one of ToorCon’s speakers, Peter Bartoli, who agreed to a pre-con phone interview. The title of his talk was daunting: “The Requiem Project: Systems Hardening and Policy Rollout in Heterogeneous Environments.” But when I looked at his website — www.alphafight.com — I found it engaging — and somewhat comprehensible to a nonhacker. Designed to advertise Bartoli’s new computer-security firm, Alphafight Heavy Industries, the site opens with an animation. The Greek letter α is kicked martial-arts style by the grunting letter f in “fight.” The α is spun and spun by the force of the blow. The slogan beneath the fighting letters says, “We think you’ll like our kung fu.” The contact page has an additional slogan: “Quality security consulting, by hackers, for business.”
“I’m running with the negative connotations, confronting them, and hoping to turn them into a little marketing steam,” Bartoli told me from his condominium on Eighth Avenue, near the El Cortez. “True, ‘hacker’ has become a bad word, and as much as I hate to say it, it’s because of the media. They only say ‘hacker.’ They forget to put in the modifier ‘malicious,’ just as they water down the technical details. ‘What do you mean there are good ones and bad ones and ones with their own agendas and that it’s not the knowledge but how you use it?’ Everyone thinks ‘hacker’ means ‘computer criminal,’ and it’s not true.”
Bartoli used to work for the Science Applications International Corporation, better known as SAIC. Former technical director of its security-analysis division, he has always been “good with computers,” he said.
From the cradle? “You might say that.” He was born in Los Angeles in 1973. He started breaking into systems as an eight-year-old. “I was breaking into computer games to extend my allowance and to feed a bad gaming habit. They used to have all kinds of copy-protection routines back in the late ’70s, early ’80s. So I would sharpen my knife, if you will, on the games, making sure they copied right. I started to get into bulletin board systems too. But then my mother and I saw War Games, and after that I was not allowed to have a modem.”
(Bartoli’s mother, who grew up in San Diego, confirmed the War Games story. She also told me this: “Before the John Badham movie, something else happened. When online banking had just begun, there was a sample computer in the lobby of Bank of America, where I’ve banked forever. While I waited in line to make a deposit, Peter went over to the computer. Peter’s thing about programs was, he always wanted to know what made them work. This was true even with the games. When he got a new one, he wanted to know how it worked before he played it. So Peter at the bank that day went right into the bank’s programs. And when I got out of line and went over to him, he said, ‘Look, Mom!’ We called the manager, who said, ‘You’re not supposed to be able to do that!’ ”)
Bartoli learned to program in the computer lab of his private elementary school and from computer manuals. His parents thought he would become a programmer.
“Programming can be fun, but it can also be terribly boring,” said Bartoli. “Simply stated, programming is piling up pieces of logic, one on top of another on top of another. It’s adding ‘two and two,’ and ‘and’s and ‘nor’s, and ‘if’s and ‘not’s in order to build something useful. It can be tedious, and I didn’t see much out there in computing besides programming at the time when I first thought about careers.”
He entered UCLA as a journalism major. “I wanted to be a sports writer and get paid for watching baseball.” He had also discovered that being a geek wasn’t popular with girls. But the Internet lured him back to computers. “When it started to explode, I began to see all kinds of job possibilities besides programming. I tried to switch to computer science, but the department was impacted. So midway through my second year, I just gave up and got booted.”
Bartoli transferred to the University of Texas in Edinburg — “pretty much because they would take me.” (Relatives had connections.) “It’s wa-a-a-ay down at the bottom, near Brownsville, far from any city. Until then I had spent my whole life in the shade of the Hollywood Hills. I knew from the start that moving there was going to suck but that it was going to be a character-building kind of hell. Now I see my parents’ design in it, and I’m grateful for it.”
As a part-time job, Bartoli worked for the Edinburg police. You could call it a foreshadowing of his security career. “I set up their first dedicated Internet connection and their parking ticketing database.”
Did the twain ever meet between Bartoli and the police? “Are you asking if there was a culture conflict? Of sorts. I was young. I had long hair. I didn’t picture myself working for the police, but they were good people. And there was no culture conflict in terms of cops and a hacker, because I didn’t consider myself one at the time.”
With his penance completed after two years in Edinburg, Bartoli transferred to SDSU. “[The computer science program at UCSD] had the reputation, but the curriculum was too steeped in theory for my tastes.”
He also began to work at Millennianet, a local Internet provider, and by graduation was its head system administrator. “I was also head of support staff and the last line of technical support, should anybody have problems.”
The system had problems aplenty. “I got hacked! All the time! Despite the best of teachers, there’s a lot they can’t fit into those four-year degrees, and how to secure your system is one of them.”
The book-smart Bartoli learned what to do as he went along. “More often than not, I’d have to hack the system myself to figure out how they got in. You have to, especially if you have a large system.”
The process isn’t easy. “Finding a vulnerability in a piece of code is akin to finding a needle in a haystack. It’s tenacity that gets you there. Then imagine the needle as a key that, when found, allows you unauthorized access to every door it fits.”
Malicious hackers exploit the vulnerabilities they find. “Ethical” hackers — the term Bartoli prefers over “white-hat hackers” — are conflicted over what they should do with their finds. Would more people get hurt by immediate disclosure, or would fewer?
“Ultimately what one does with the knowledge,” said Bartoli, “depends on one’s scruples, motives, and beliefs. That’s why all the various ‘hat’ terms are unhelpful — because scruples, etc., run the gamut.”
It’s also why the federal government has taken steps to prevent anybody except vendors from finding any more holes. “The DMCA? Digital Millennium Copyright Act?” The bill became a law in 1998. “It’s what the RIAA [Recording Industry Association of America] and everybody else are using to quash piracy in pretty questionable ways. It’s something very big in the radar of all hackers, because among its provisions, the DMCA provides criminal penalties for reverse engineering!”
The special hacker term for the time between the discovery of a hole in a program and its disclosure is “0-day” (spoken as “zero day”), Bartoli told me. “Every day is 0-day until the exploit is made public.” And until it’s not 0-day anymore, things can get pretty hairy. “One droplet of knowledge in the wrong hands is enough to bring everybody down, and there’s nothing the wisest of ethical hackers can do to prevent that right now. Nothing can stop a naked piece of vulnerable software from getting owned.”
Did being a hacker, ethical or otherwise, mean never getting hacked oneself?
On the contrary. “A couple of friends of mine were interviewed about a malicious hacker group that targets ethical hackers. The malicious ones are quite pissed off at ethical hackers and the state of the computer-security business in general.”
The state of the business can be measured at the cons, said Bartoli, who goes to def con and ToorCon “to shop for hardware for my development labs” and “to talk with all these crazy geniuses. As many of them that are antisocial and don’t present themselves very well, there are plenty that do, and those guys make it worthwhile.”
(Bartoli later asked me not to quote him on the hacker personality. Instead of erasing his words, I convinced him to expand on the theme, for any caricature contains an element of truth. He e-mailed this clarification: “There is this stigma-like perception of hackers as being teenage Lex Luthors [Superman’s arch enemy, a boy genius who uses his gifts for evil] with thick glasses and no social skills save those they develop online. And sadly, as you say, there is some element of truth to it. Some people are in computers because they communicate better with computers than they do with people. Mafiaboy [the handle of the unnamed 15-year-old who was convicted in Canada of attacks against eBay, Yahoo, Amazon, and other major Internet sites] fit the bill when he got busted. As did I back in the Apple II days, when I spoke and read machine language. I was owned by the machine rather than vice-versa. However, like any stereotype, it’s nothing more than a generalization. It’s not a one-size-fits-all, no more than black, white, or gray for ethics. There are many more of us that are business-savvy and for whom computers are a means to an end.”)
Probably in the sixth or seventh grade, around 1986 or 1987, I started programming by getting code out of something that I found at the library — basically just writing my own games, text kind of stuff. Pretty boring, but I started doing that, progressed, mostly by just playing around on the computer. I joined the United States Air Force in 1992 and got my first taste of UNIX operating system and TCP/IP networking — just as a user. I really didn’t understand it at all at the time. But as part of a classified reporting system, we obviously had to use it. So I became familiar with different network protocols for basic communication — you know, e-mail and remote command line interface to other computers on the network. I had graduated from a Commodore to a 286 architecture with, like, Microsoft Windows 2.1, I think in, I guess, probably 1990. After the Internet, in 1995, I immediately began looking at people’s computers. I got a book on TCP/IP, in order to understand how the communication worked, and immediately began trying to figure out how to break into people’s machines. So I think within about ten minutes of being connected [to the Internet], I was doing that.
— Klinge-C01
When talking to computer-security professionals, it’s easy to forget that computers also need external security — the kind that prevents them from being walked off with. I was reminded when I noticed on ToorCon’s website a person in charge of physical security for the con. I e-mailed “BasharTeg,” whose real name is Jeremiah Gowdy.
Watching the hardware? Was that what his job entailed? I asked Gowdy when we spoke. “Right,” he said. “People bring expensive hardware — multithousand-dollar laptops, routers. Things get stolen every year, even with our best efforts.”
What about hiring security guards? “Any kind of rent-a-cop wouldn’t fit in with the atmosphere.”
Gowdy, who is 22, lives at home with his parents in San Marcos. At the time of our conversation, he was finishing his associate’s degree at Palomar junior college. He also worked full-time as a senior software engineer at FreedomVoice Systems, a telecommunications company in Encinitas.
“The first year, I was just assisting with physical security,” said Gowdy. “I wasn’t in charge. But because of the nature of my personality, I kind of, like, took over. My mom’s a lifeguard and very assertive. She knows how to handle crisis situations. Growing up under that, I’m good at handling crisis situations too. I mean, the average computer guy, when something goes wrong? He freezes up. ‘What do we do now?’ It’s part of being a nerd, and we’re all nerds.”
A staff of “three or four” helped Gowdy “secure by presence” at ToorCon. “I’m six three and 255 pounds. So I’m a big guy, especially compared to most nerds. I’m actually familiar with some of the known thieves and whatnot, although I don’t understand why we can’t exclude them. It just comes down to, like, a scene thing. But the people I suspect as being thieves, along with the people that look shady and whatnot? We try to psychologically intimidate, so they think it’s just not worth it. But we’ve had other issues too. We’ve had people cause problems with the power. We’ve had people interfere with our walkie-talkies. That’s hacker stuff. But what I tell them is, ‘You can hack at the conference, but you can’t hack the conference’ — at least not while I’m running security.”
Gowdy obviously didn’t object to the term “hacker” but agreed the term was problematic. “It’s been ‘villainified,’ ” he said. “But I’m not one of these people who want everybody to conform to my definition. If somebody says ‘hacker’ and means somebody doing something wrong, that’s what they mean. You can usually tell by the context, so who cares? ‘Hacker’ isn’t a sacred word.”
As for his own definition, he said, “I personally view a hacker as anybody who codes, anybody who does programming and explores systems beyond what you learn from a textbook.”
He started learning when he was 12 years old. “I didn’t have any books, and I had one cheap little BASIC compiler — a compiler is a program that turns source code into a program — and I learned how to do it on my own.”
Well, not quite. “When I was 11, my neighbor in San Marcos had a computer. He was a year older than me. His computer was a real piece of junk, but it did a lot of neat stuff, and I was impressed, because he was writing games, and that’s what sucked me in. That’s what sucked in a lot of people from my generation. When you’re a little kid, you’ve got a hundred ideas for games of your own.”
At San Marcos High School, Gowdy took computer science. “I don’t want to put down my school, but it was an easy A for some of us,” he said. “And the teacher, Mr. Ehrenfeld, was a great guy as far as allowing people who were beyond the curriculum to work on independent projects. We used to mess with his server — do a little generic ‘hacking’ on his network. And he’d put up with it, because he knew he had a good generation of students there.”
I mentioned to Gowdy the lack of women in his field. “I know. It’s a bummer.” Why did he think there were so few? “I can tell you from a college student’s viewpoint there are plenty of girls in the entry-level classes. Then they hit the ‘filter’ classes. The filter classes in computer science are data structures and assembly language or machine language, and when you hit them, you have to decide if you just thought computers were neat or if you really have talent. I’ve taken those classes and there were a few girls in each of them, four or five at most, but I didn’t see them in classes afterwards.”
They didn’t grow up with it, was the main trouble, said Gowdy. “They were not part of the Nintendo generation, and the ones who were part of it are the few you see succeed, because obviously there are some female computer scientists. But they’re rare, and beyond that I won’t reveal any opinion on the stereotypes of girls and math and logic and whatnot.”
In sports, I offered, those who start early have an edge. “Yeah, and it’s weird. We had this one kid at ToorCon last year. He couldn’t have been more than 10 — his dad had to drive him — and he was amazing. We’ve got these 16-year-olds that we consider the youth, and they’re looking at this 10-year-old and thinking, ‘Je-e-ezzz.’ He participated in RootWars for three days. We were blown away. Can you imagine? If I was such a computer guy that I was hacking at 10, by now I would have taken over the world.”
Had he ever done anything that would be considered illegal?
“Not really. But I don’t have any big problem with people who do. If people deface websites, good for them. Occasionally I have said, ‘You know, such-and-such a website could certainly use a beat-down.’ But I don’t hack websites, because people who do don’t invent the hacks they use. They go to script sites and download the script that somebody else wrote. So there’s no talent to [defacements], except in determining what programs a server is running and determining what exploits will work on it, and then finding the exploits, and then going at it. Okay? But that talent is limited, compared to the one that enabled somebody to write the exploit in the first place. That’s why they call those people [who merely download somebody else’s program] ‘script kiddies.’ For me, hacking and programming are the same thing. And it doesn’t have anything to do with being a script kiddie.”
Some script kiddies claimed to be politically motivated, said Gowdy. “They do it in the name of ‘hacktivism.’ ”
Would any hacktivists be at ToorCon? “I’m sure. But I don’t think they’ll identify themselves to you, because that would mean admitting doing something illegal.” But would they have an obvious political bent? “Everybody at ToorCon has an obvious political bent. We get a whole lot of people who are wa-a-a-a-ay beyond the left. Computer people and nerds in general are, because most have naïve thought patterns that result in the belief that we can reach euphoria. It’s better to find a computer guy that’s a realist than a computer guy that wants to make the world a better place.”
How did Gowdy characterize his own politics? “I used to consider myself a conservative. I hated people who would rant and rave about government paranoia crap. I voted for George Bush and I’d vote for him again. But I’m not pleased with what the Bush administration is doing right now. John Ashcroft? I cannot stand the man. His solution to the terrorist problem is for him to be able to do whatever he wants. I think it’s disgusting that people are taking advantage of September 11 to forward their police-type agendas.”
(Note: I also asked Peter Bartoli about the political affiliations of hackers. He said, “Ninety percent of hackers are libertarians” — like himself. In the end, I agreed with another hacker, who told me that generalizing about hacker politics is impossible. “I have seen people in chats going ballistic butting heads over politics,” he said; hackers were stubbornly individualistic about all aspects of their lives. For example, he wanted to do more traveling, but certainly not to touristy places. He wanted to go to places that were “not even the next Prague.” He wanted to go to places that would be deemed trendy after the post-Prague places were trendy no longer.)
Gowdy leapt to another governmental pet peeve: “I don’t appreciate the DMCA at all. And now the government is trying to pass this CBDT deal [the Consumer Broadband and Digital Television Promotion Act] by [U.S. Senator Fritz Hollings], where he wants to put chips in my computer.” The chips would be federally mandated, antipiracy copyright-protection systems. “Let me tell you: it will never happen. I mean, I’m a guy who’s built his own computer. And the thing is, it’s just like outlawing guns. Only legitimate people buy gun licenses. People who kill people don’t license their guns. So what good does it do to make it so hard to license a gun? It’s the same thing. Hackers are not going to tolerate somebody else’s chip in their computer.”
And everyone else would ask their friendly hacker to help them remove it? “Yeah, we’ll help them pop out the chip. It could become a big thing: ‘chipping.’ That’s what we’ll call it. Hey, put a date on that — I just coined a term.”
As part of my continuing education and preparation for ToorCon, I not only read books and looked at websites; I also watched hacker movies, the good, the bad, and the horrendous. In addition to War Games, I saw another with a better than average hacker approval rating, The Matrix, whose protagonist’s handle is “Neo.” Played by Keanu Reeves, Neo is a computer-company drone named Thomas Anderson by day and a computer hacker by night.
I remembered Neo when Peter Bartoli put me in touch with a hacker named “Geo,” who agreed to be interviewed as long as I used only his handle. In an e-mail exchange in which we arranged a time for our phone interview, I asked if his handle was meant to be a cinematic allusion. No, he said, it was “just a happy coincidence.”
Geo grew up in Los Alamos, New Mexico. (“Yes, the famous Los Alamos,” where the first atomic bombs were created.) He is in his early 30s. After spending his summers in San Diego as a kid, he settled here about a dozen years ago. He has his own computer-security consulting business; he is also director of information technology for a San Diego–based pharmaceutical-device research-and-development company. He did not intend to make computers his career, he told me. “It was kind of the path of least resistance. My degrees are in philosophy and psychology. It just so happens that during college I found gainful employment doing computer-oriented work and discovered that it paid more than, for example, pursuing a career as a philosopher. So my status, my career path right now, allows me to be at least a freelance philosopher.”
Geo’s computer interest began at age ten or so, when his father brought home the family’s first computer. Much before that, however, he was a hacker in the broader sense. “When we were kids, we loved taking stuff apart,” he said. “Take it apart, figure out what it does, and then put it back together. It’s the same with computer programs or anything. I’ve taken apart chunks of my car. If there are screws involved? And I have a screwdriver handy? Generally, I have probably fiddled with it at some point.”
Where did he — or any hacker — find the confidence to engage disassemblies? “Things make sense. If you’re taking apart a car, you can’t reinstall one of the tires in the engine compartment. That just doesn’t work and the car wouldn’t go. I think part of the confidence comes from the nature of reality — things are what they are. Because of the law of identity, a thing is that which it is and is not that which it is not. Therefore, it has specific traits and properties, and these define what it is and how it interacts with the other parts.”
Geo obviously also enjoyed playing with language. I mentioned my dictionary. That’s when I learned about a hacker dialect, spoken (or, more commonly, written) by script kiddies, called “leet speak.” He asked if I had noticed his other handle, on his e-mail address. I had noticed a string of letters and numbers — “4mn0t1337.” But they hadn’t meant anything to me. “In leet speak, or script-kiddie speak, that translates as ‘am not leet.’ ” Or: “I am not elite” in plain English. “The ‘4m’ is ‘I am.’ (Fours are a’s in script-kiddie language.) The ‘n0t’ is ‘not.’ And ‘1337’ is, of course, ‘leet.’ ” (Ones are l’s; threes are e’s; sevens are t’s.) “So ‘am not leet’ is just a thumb in the face of these people who spend so much time talking about exactly how elite they are. It’s an attempt to differentiate myself as much as possible.”
Script kiddies, said Geo, were typically younger males, 14 or 15 years old, who have too much time on their hands and just enough skill to go to the Internet, download a couple of utilities or scripts, and deploy them. “Typically, too, they have a tendency to band together in a self-deluded sense of grandeur as part of some cyber gang that’s ‘kewler’ ” — that is, “cooler” — “than any other script kiddie gang.”
Would I be able to pick script kiddies out of the crowd at ToorCon? “You can kind of tell who these people are,” he said. “They’ve got a false sense of bravado and a malformed sense of identity that needs constant external validation, i.e., they’re always trying to prove something. They have not necessarily the highest sense of self-worth and do what they can to pump up their own self-image and that’s usually by talking about how ‘leet’ they are.”
Geo wasn’t irritated only by script kiddies, however; he had equally harsh words for their prey — the ignorant general public. “Most people don’t understand that computer security is an issue. It’s hard enough to explain to someone that it’s probably not a wise idea to make your password ‘p-a-s-s-w-o-r-d.’ It’s more common than you would imagine — that one, along with ‘,’ chosen by people who think they’re being clever.” He outlined unpleasant scenarios. “Say, for example, you get a brand spanking new cable connection and you’re thinking, ‘Oh, goodie. I can download e-mail real quick. I can download all my porn much faster than before.’ And you plug in the connection without any thought of what that connection might be capable. Then along comes some kiddie down the street, across the country, across the globe, who finds your machine wide open and naked. They can wipe out your entire hard drive. They can hijack your machine and set it up as a client of their own. After that, they can use it for a million nefarious purposes. And if you are engaged in said purposes, you don’t want items traceable back to you. But if you can capture a couple of hundred other machines and have them do your bidding, it’s not only harder to trace, it’s also a lot more difficult to circumvent.”
Script kiddies were certainly a threat to computer security, said Geo, but there was one consolation: their hits were random. “Unless you cut them off on the freeway, they’re not going to go after your personal system. If they happen to run across your machine, it’s kind of too bad for you, and you have to deal with it, and it’s a hassle. But typically you won’t be targeted by them unless you” — he laughed — “sit here talking about how inept they are.”
The bigger threat, said Geo, were the black hats, of course. He used the term advisedly. The colors were becoming meaningless. Many black hats were being hired as computer-security professionals like himself, and white hats were “crossing certain ethical boundaries.”
Looking but not doing? Was that what he meant? Not exactly. “Finding an open hole in a machine and jumping in, not necessarily to read people’s mail but to check out the network, to see what the security is configured like — that might fall on the black side; it might fall on the white side. There are certainly people out there who take the time either to fix the hole or notify the system administrator, saying, ‘Hey, you need to update patch X, because you’ve got this glaring hole in your system.’ Unfortunately, in the last eight months to a year, there have been a number of prosecutions on this kind of cyber trespassing, even if the intent was to try and fix things up. Seems like biting the hand that feeds you…”
7h15 15 g3771ng 71r350m3, pr073c7 j00r 5y573m5 — hyrax was there.
— hacked website of California Division of the State Architect, www.dsa.ca.gov, by hyrax, on January 9, 2000 (Translation: “This is getting tiresome, protect your systems.”)
who hacked the military with no skillz? i did baybee, i did. keep a lid on things while your gone….keep a lid on things..... ssssssh hyrax wuz not here.
— hacked website of Naval Command, Control, and Oceanic Surveillance Center, www.environ.nosc.mil, by hyrax, on the same day.
From archives of www.attrition.org
Hackers like Geo enjoy imagining systems that don’t exist yet. He told me about small, privately sponsored, periodic gatherings where he and other hackers speculate together on the future of systems. One of them takes place in the apartment of a hacker named “jsyn” (pronounced “Jason,” which does happen to be his first name). He lives in Orange County but has connections to the wider hacking community, including San Diego’s. Geo compared these meetings at jsyn’s and elsewhere to “the salons of the 1920s in Paris” for writers and artists. “It’s a bunch of people sitting around and discussing in some practicality and some theoretical aspects the problems in security and how to rectify them.” Keep in mind that jsyn’s apartment, for example, holds only 10 or 15 guys at once, he said. “But this is the kind of scale where all things start. Think of what came out of Paris in relation to the art movement.” Occasionally, Hulton and Huynh invited people to discussions at their loft. But jsyn’s was the prime regional example, in Geo’s opinion.
From both Geo and Peter Bartoli (who goes to the hackathons too) I received jsyn’s contact information. We had a phone conversation before we met at ToorCon.
“I was born and raised a missionary kid,” jsyn told me. “My parents were missionaries in a place called Miguel Alemán, Tamaulipas, Mexico. We have missionaries there from every different background. So I was born into that environment, in a small Texas border town called McAllen.”
Low-tech, was it? “The streets weren’t paved until recently.” Still, said jsyn, “I was always into technology. I always thought it was cool. When I was very young, we had a family friend in Chicago who ran an electronics shop. He supported us in our mission and would send us big boxes of spare components. And so, from about age six, I was taking these components and trying to build things.”
Much of what he built was related to physical security — that is, alarms. It’s a focus he attributes to growing up where he did. “An estimated 85 percent of all businesses in our county were drug fronts,” he said. “We were the number-two entry point for drugs into the nation, just behind Miami, and drug culture pervaded the community. I was exposed to lots of raids — FBI, ATF. Friends and their families got raided all the time. And so I made elaborate alarm systems for my bedroom when I was about seven years old.”
At the time, said jsyn, “There was no way my family could have afforded to buy a computer. We’re talking the late ’80s” — he was born in 1979 — “when a 30-megabyte hard drive was running about $7000. But then [the friend in Chicago] sent an old Commodore 64. I was 9 years old. My first computer. Sixty-four kilobytes of RAM. A very minimal machine. And I totally took to it. I learned the programming language that was built into it, which was BASIC. I spent time just playing with it. And that started it all. A few years later, when I was 12, we got our first IBM-compatible computer — a PC XT. I was always insanely curious about how things worked. And one night, just a few weeks after my dad bought it — for a lot of money, it was a $1000 machine — my cousin and I disassembled the entire thing. My dad walked in and he couldn’t believe it. So we had better figure out how to put this thing back together.”
Besides being a missionary, jsyn’s father was an entrepreneur. “My dad’s got an MBA. He has other degrees too, and one of them is in hospital administration.” (His mother was trained as a therapeutic optometrist.) “At some point, my dad started founding companies — home health-care agencies, nursing homes, day-care centers, adult day-care centers. He ran them on the U.S. side while still being a missionary in Mexico. There was a need for these things, and they all tied into each other.” But the big reason why he started the companies was because people needed work.
“People were getting saved — they’d come to know God — and there was no legal employment for them. They couldn’t get out of moving drugs for a living. So within three weeks of getting cleaned up, they had to move in order to find work. So the church was never growing, until my dad’s businesses began to employ many lesser-skilled people.”
The companies needed a computer network. The nearest contractors were in Alice, Texas — three hours away. “They’d come in, and then, in my after-school hours — I’m still in junior high at this point — I’d look at what they’d done and play around with the stuff.” When the second computer network was needed, jsyn asked his father if he could set it up. “I wanted the contract. I said, ‘Dad, I think I could do this one.’ ” He was 13 years old.
“And so I did it. And that trend continued, to the point where, when I was 15 and got my driver’s permit, my dad helped me start my first network-consulting company. I began to set up networks for businesses all over the region. I’d be all over the place, getting paid very well — a lot more than I am now, because there was such a demand. Back then, I could easily get $125 an hour.”
And school didn’t suffer? “I ended up missing a lot of school. Teachers were fine with it, as long as I did my work. And when I graduated, I was salutatorian.”
jsyn went to college “at a whole number of places,” after starting out as a triple major — physics, computer science, and business administration — at Oral Roberts University in Tulsa, Oklahoma. The list of places where he has taken classes since then is long: Tulsa Community College, Jerusalem University College, University of Texas at Tyler and at Austin. “I even took a web course from Brigham Young University,” said jsyn, who expects to get his diploma any day now from Tyler.
Would it be correct to say that he had “hacked” his education? (“Hacking: making a terrifically complex system do what it was not intended to do.” — Cybershock.)
jsyn, whose triple-major idea had been nixed by the business department at Oral Roberts, said yes. “I have been somewhat disgruntled by the whole educational system all along. I wish it worked differently. It’s hard for hackers to stay in school. It’s so boring. It seems like such a waste of time. It’s so academic, not practical, especially in computer science, but I understand it’s that way in many fields.”
His college dorm room was the first place jsyn held a hackathon. “For years now I’ve held hackathons wherever I have lived. I still hold them every month and a half. We’ll get together and hack on something for, usually, a 17-hour period. People come over at around three on a Saturday afternoon and stay until eight or so the following morning. We discuss brand-new attack concepts; we design new defenses. We discuss new ideas for pieces of code or build better security-analysis tools. Everyone brings their laptops. We have a lot of machines there. Just in my apartment living room right now I’ve got about 45 servers. The number has been much higher. When I was living in the dorms, I often had 70 machines in my dorm room.”
Why the marathon aspect of hackathons? “With hacking, you get into a groove, where you have loud techno [music] in the background, and you’re hacking away at the thing. It’s taken you 8 hours just to get the focus and your head wrapped around a specific piece of code, and you don’t want to lose that focus. So then you might just continue working on it for another 20 hours.”
It sounded like the creative process.
“I’m a musician,” he said. “I play about eight instruments. I’ve had formal training on the piano, which I never liked, but my mom forced it upon me, and now I’m not sorry, because I absorbed a lot of theory through it. I mostly play bass guitar now and sing. I also do turntablism. It’s the whole percussion through scratching. [He imitated the noise with his voice.] Really advanced scratching. I have a small studio in my apartment, where I can work on that stuff.”
jsyn told me he was a skateboarder too. What he was really trying to say was this: “I’m definitely not a geek. I don’t like the idea of geeks. I don’t spend social time on my machines. I use machines as a tool to do other things. And I try to get other hackers not to be geeks. It’s not about computers for the sake of computers, or technology for the sake of technology. It’s what you do with it — accomplishing a larger mission, whether it’s political, social, whatever. So I’m about bringing people over to the more serious side.”
To get hackers to be less geeky, jsyn invented something he calls the Cypherpunk Wargames. “It’s a type of training event. It’s an all-out Capture the Flag, both over the network and physically. It’s training for being a hacker and thinking like one in real-world environments.” The next one would take place in Julian. “You’re out there with wild animals, snakes, whatever. You get very little sleep, maybe an hour or two or three a night. We’ll take up to 60 people, with six diesel generators and 70 machines.”
jsyn was frustrated, however. “I usually come up with ideas that are a lot bigger than me, and I can’t just do them by myself. But I find there aren’t that many committed people willing to join me.”
Information about the Cypherpunk Wargames was posted on jsyn’s website, www.nthought.com. The domain name is short for his think tank’s actual name, Network Thought Co. Through it, jsyn gets his paying gigs. At the time of our conversation, he was six months into a one-year contract with a company that I agreed not to name. In general, he said, “I work for myself, doing enterprise network design for, maybe, 50,000 computers, very large-scale stuff for which I design the security architecture.”
Did he find that computer crime was increasing? “It’s hard to say, because it’s hard to say what a crime is. That’s a big sticking point for most hackers. I look at it this way. Two people could do the same thing, and one would be committing a crime and one wouldn’t be. For example, bringing down some remote server through a security test you were running, as opposed to intentionally bringing it down to cause harm to the company.”
jsyn began to complain about buggy programs. “The big problem is, we’ve got a massive software industry that’s developing software as rapidly as possible. Developers who don’t know anything about security are writing code. Or if they do know something, it’s not enough. Or if they know enough, they’re pressured to get things out so fast, they’re not doing the quality-assurance testing to make sure it’s reliable.”
They’re producing faulty equipment? “Listen to this analogy. I didn’t come up with it. But I think it works. Say you have a vehicle; it’s a Pinto. And if someone rear-ends you, the car will explode.”
And your enemy knows the weakness and rear-ends you.
“So who’s at fault? Well, sure, it’s a shared fault. But if you’re the manufacturer, you shouldn’t keep producing the Pinto. The question is: Why hasn’t the public rallied up a cry against software vendors for liability? I think the vendors should be liable if their programs cause customers to lose data, etc. But when you purchase a copy of whatever, as you install it, you’ve got to click through a disclaimer. And so more and more, inferior software is being produced, and it’s very hard to do security right.”
If programs weren’t buggy, would we be able to achieve real computer security? “I debate this a lot, within myself and with my girlfriend,” said jsyn. “She’s not from a technical background, but she’s very smart. Sometimes I take the view that the security industry in general takes, which is ‘We are about building protocol, building systems, mechanisms for doing things such that they cannot be subverted.’ But, you know, that isn’t real life. In real life, we have no physical security such that it can’t be subverted. Not to be sensationalist, but we cannot protect the United States from terrorism, for example. There is no way we can ever stop it. Terrorism by its nature is always going to win. If I wanted to blow up some building, any building in the U.S., pretty much right now I could. I’m not saying that as a threat or that I have the specific knowledge. But a determined individual willing to risk suicide could carry that out. It’s the exact same thing with network security: if you wanted to attack any major company, you could. You would get through; you would succeed.”
And you wouldn’t even have to lose your life. “You never have to be somewhere physically in this networked realm. And there are always things you can do to make sure you aren’t detected. If you don’t have an ego problem, if you don’t have a pride problem, if you don’t talk about it, there are many ways through the networks that keep you entirely anonymous.”
Was the situation apt to get better? “I look at the general state of our society, and I don’t have a very bright depiction of the future. It will always be interesting. There’ll be tons of stuff to hack on. But I don’t see things getting any better. And sure, we have bright moments, and I try to help bring us there. I’m involved in lots of efforts. I’m involved with outreach that is very unlike what traditional churches do. It’s more like just trying to follow basic tenets: show love, show kindness, be helpful.”
jsyn said he realized some people thought his hacking activities conflicted with his spirituality. “People think the two are mutually exclusive. ‘How can you be involved in something where some of the people are associated with criminality?’ Except that I don’t see it that way. I see it as being a science or an art. It’s just like anything else: there are morals to it. There are ethics. So I try to follow mine. I also try to not let hacking consume me. While I want to stay passionate about it, I want to make sure I spend time with my other interests and with what really matters — my family, my friends, and God.”
Q: What do you think about the possibility of computer terrorism?
A: Yeah, I guess it’s possible. I mean, I’ve done some health-care stuff, and hopefully it’s being cleaned up by now, but you know, just an example, there was a company that is probably one of the biggest 911 response providers in the United States. They do ambulances, things like that. I went to one of their key offices to do an assessment. I wasn’t even in the building yet — I was out in the parking lot. I turned on my laptop, put in a wireless network card, and a couple of tools. David Hulton wrote this code called DStumbler. I used that to scan the network to see what was going on. I found this wireless access point, accessed a network operations center for this particular company, and took over a 911 call system. I also gained access to all the patient data.
Q: You hadn’t even introduced yourself?
A: Well, we had told them we were coming. But yeah, before I stepped foot in the building, I could have inputted audio into a telephone conversation, or I could have just stolen whole conversations, or ended a conversation if I had wanted to.
Q: Or edited one?
A: Yeah, exactly. You can use your imagination with what you could really do with all that. And since this company had a wireless access point? Anybody with a similarly configured laptop could discover it. The tools are freely available. A lot of people hook up a GPS [global positioning system] on their laptop, put in the wireless network card, drive around, and when they pick up a radio signal with a station identifier for this particular access point, they get an input from the GPS device that tells them the specific coordinates. And then a lot of time people post those to a website. So then you can just go browse your particular geographic area, find out what access points are around, and go investigate them yourself.
— author’s conversation with Klinge-C01
A few nights after my conversation with jsyn, and the night before ToorCon 2002 was set to begin, a hacker named “prole” — short for “proletariat” — agreed to meet me at a coffeehouse in Pacific Beach on his way home from work. Geo had provided me with “clearance.” prole was another security professional, but there was something about his website, www.redgeek.net, that made him seem more mysterious than the others. For one thing, I couldn’t get past the entrance. It was for invitees only. And when he asked me not to use his real name, he explained his reasoning obliquely: “I don’t use a handle to protect myself. I use it to distance myself from people who don’t know me. Those who do know me know where to find me.”
Geo had told me that prole possessed “mad” skills, meaning a set of pretty impressive ones. At def con, prole’s team had won the Capture the Flag competition more than once. In fact, last time they had not competed; instead, they had run the contest. I had asked Geo for a physical description of prole. He said, “He’s five eleven, has a little goatee, and the last I saw, his hair was cut short and it was blondish brown.” When I arrived at the coffeehouse about ten minutes early, I saw someone with a goatee sitting at an outside table eating a muffin and drinking coffee as he read. But, well, he just didn’t look like a nerd. (I mean, the average computer guy, when something goes wrong? He freezes up. “What do we do now?” It’s part of being a nerd, and we’re all nerds. — Jeremiah Gowdy.) This guy was muscular. He had a well-developed upper body, a chiseled jaw, good posture. He did not look like someone who would ever ask anybody, “What do we do now?”
Anyway, I didn’t recognize him, and taking a seat at a table a few feet away, I waited for the appointed hour: eight o’clock. On the dot, my neighbor made a call on his cell phone; mine rang. Yes, it was prole calling my number, with a satisfied smile, his small experiment having proved his hypothesis. (Later, relating this to other hackers, I would be told, “That’s a very hackerish thing to do, you know.”)
prole came to San Diego from his hometown of Phoenix in 1994 for the five-year computer science degree at UCSD. Currently he is in charge of security work for a company in which he is part owner. “This is about the eighth startup I’ve been involved with since I was 18,” said prole, who is 26. “Some have fizzled on the spot, some have gone on for a while, some I’ve sold off.” He also said, “I like working with small groups, setting my own hours.” He claimed to work as little as possible, yet he hadn’t taken more than three- or four-day vacations since leaving college.
prole said he began coding in BASIC when he was six, creating “small adventures” for himself on the computer. He had already mastered all his computer games. “I only had five of them. I didn’t have the money to buy new ones, and my parents wouldn’t buy them for me. It ended up being good for me,” since he learned to invent his own. His only sibling, a younger sister, “is not as much of a geek as I am, but she has some geek blood in her,” said prole.
We talked about the tendency of hackers to take things apart. “I broke so many toys,” said prole. “But my parents were smart. They made sure to buy me lots of Legos and Erector sets. They’re built to be broken.” (Later, he would make this comparison: “Programming is like building something with a bunch of invisible Legos — an infinite supply of them, more than in any Legoland.”)
Like jsyn, prole stressed his interests beyond computers. Ten to 20 hours a week, he said, he trains in shorinjin ryu saito ninjitsu. He has studied other martial arts. “But if there’s one I’ll study for the rest of my life, ninjitsu would be it.”
(Not a few other hackers, I would discover, have an interest in martial arts.)
I mentioned to prole one similarity between martial arts and computer security: the offense-defense aspect. “But that’s just the external manifestation,” said prole. It was “a side effect.” What interested him in each pursuit was “the internal gratification.” There was “a mental component” to both, and both involved “adaptive problem solving.”
I asked prole about his ethics. “I’m sure I’ve been places I wasn’t supposed to be,” he said without elaborating. But he was never interested in “breaking into a machine” for the sake of the data, he said. For him the reward was his discovery of how a system worked rather than the potential capture of some content-quarry.
Content is, of course, what many of his company’s clients want him to protect. “Trade secrets, financial data, human resources information, programs they have written… There are also large data stores, like mailing lists and weird collections of information on consumer habits that it cost these entities a lot of money to compile and they don’t want it available to people who have not paid them for it.”
“Data harvesting” is the term hackers use to describe the act of stealing company secrets. Black-marketing the harvest comes next.
These companies must have faith in prole, since they give him the keys to the kingdom. (Of course, he really doesn’t need them.) “A lot of legal faith is what it comes down to,” he said. “There are boilerplate contracts stating what we are allowed to do and what we aren’t.” Some contracts, for example, state that “only sanitized versions of data” can be taken away from the site — that is, a pseudonym must replace the company name and fictional substitutions must be made for telltale descriptives.
It seemed right: multiple identities for a company being protected by a hacker, since the hacker probably had multiple identities too. Not that prole got into a shirt and tie for work. He was wearing a black T-shirt and black shorts with sandals. (Black is the default color of clothing for hackers, I would deduce at ToorCon, no matter what a hacker’s ethical persuasion.)
In contrast to prole’s small company, some large computer-security firms boast that they don’t hire hackers. We agreed that they probably did. (Other hackers would tell me the same thing: “Companies who claim they don’t hire hackers, do,” said one. “Or else they’re lying. Or else their definition of ‘hacker’ is ‘someone who’s been caught.’ But,” he added, “they have to hire hackers because the competent people are the hackers.”)
prole said there was confusion here, because some people were “concerned about the morality of the industry as a whole.” prole himself was not concerned. Nor was he concerned about the morality of any other hacker except himself. He likened the hacker world to a party, where some people might be there merely to try to pick someone up, while others were in the bathroom snorting coke. Same party. Different levels of activity and illegality. “It’s an anarchistic world.”
But all these people could be anarchistic, individualistic, suspicious of authority and the mainstream, and all the rest that seemed to be true of all hackers — but without tying it together with computers, couldn’t they? True, but all the members of this group liked “to play with things in their head while maintaining a degree of communication with similar-minded people.” They were, after all, social beings, just like the rest of us. And computers were a “communicative” medium. “That’s what makes them viral.”
Viruses reminded me of the script kiddies. Since they sounded so thoroughly obnoxious, I wondered how hackers like prole tolerated their presence at places like ToorCon. prole said they did because a script kiddie here or there might “get it” and become a real hacker. prole found their presence useful for another reason: they were “something to check myself against.” For example, hearing some braggadocio of his own, he might remark, “ ‘Did I just say that? I sound like a script kiddie.’ ”
In any case, he said, it was the nature of script kiddies not to last long on the scene. They went on to something else, another pursuit, where they would seek again the respect they sought among hackers but had failed to get because of lack of skill. “Technically they are weak.”
And the technically adept? They could be either good guys or bad guys? Yes.
And like rival team members, they respected one another? Yes, again.
Speaking of rival teams, I asked about RootWars. Should I spend much time watching it? He said that all I would see would be “a bunch of people in a room typing. It’s not a spectator sport.”
Nor is hacking. Maybe I could have arranged to watch a penetration test or something; but I sensed it would have been like watching someone type, or read, or think, or all three at once, at best. (Or worst.) So I never sought an invitation. I didn’t yet know it, but in the end, I would truly see…nothing. Nobody ever does, except the hackers themselves. (Hence, the need for boasting.) The rest of us see only the results.
Hackers are like God, I was beginning to realize. God, the ultimate hacker, has hacked into all of us. Of course, some believe He’s only watching, not directing…
For a while that evening, prole and I struggled to find an analogy for computer hijacking. It wasn’t exactly as if a person had used another’s car to commit a crime. He agreed, “because you can still be driving it at the same time as the hijacker.”
Analogies failed me all along in attempts to understand hacking in the world of computers; car analogies notwithstanding, there simply has never been anything quite like this in the physical world. If you get under the hood of your car and tweak something, it’s going to affect only your car; it won’t affect anybody else’s.
As prole and I stood in front of the coffeehouse, ready to say good-bye, I asked a final, offhand question: what kind of car did he drive? I was suddenly curious about what a hacker would choose.
“A reliable one,” prole said with a smile before he turned and walked down the block into the darkness.
And so, as prepared as I would ever be, I went to ToorCon 2002. An hour or so into the opening party at the Bristol on that Friday night last September, the noise level rose. Someone had set up a laptop and was projecting video images onto the back wall of the ballroom. A group gathered under the rolled-back roof to watch old footage of the Sex Pistols; a karate chimp; a penguin waddling along, then falling through the ice.
One longer clip showed a breakfast scene in Japan, in which a family got ready for school and work. Into the kitchen walked the teenage son, a rap artist. He wore the clothes, made the moves as he rapped. “Nigger” and “bitch” were frequently among the subtitled lyrics. Soon the whole family had joined him, rapping.
The crowd found it very funny.
Another clip showed Christmas morning in an American household. The family opened gifts. A little boy in a bathrobe unwrapped a saber made of light. He started slashing the air; cut his grandmother to ribbons. A crowd favorite, the Christmas clip ran repeatedly. “That’s beautiful. Everyone should have one of those,” somebody said.
I surveyed my fellow partygoers. Who were the good guys? Who were the bad? Who were in-between?
Looking for clues, I read T-shirts, many of them black, naturally. (“def con iii. Why? Because We Can.”) Tim Huynh, behind the welcome desk near the elevator, was handing out black ToorCon 2002 T-shirts to every registrant. Only he and Hulton wore ones that were bright blue. And all the security guys wore red ones.
When Peter Bartoli arrived, he pointed out the red-shirted Jeremiah Gowdy. (I had met Bartoli for the first time a few nights earlier, when he invited me for sushi.) Gowdy was, indeed, a big guy but looked as if he had grown big only recently and was still getting used to it. His hair was trimmed close to his head; his mustache seemed like a new one — very sparse. He swaggered like a rookie cop.
Bartoli has a small build. His style is clean-cut, albeit with an earring in one upper lobe. He knows how to make good corporate eye contact. On this evening, he was dressed as he was when we had gone out for sushi — simple jeans, polo shirt, running shoes — as if collegiate had been a habit of his for years. In actuality, he told me, “I used to dress like a punk rocker — purple hair, the whole bit.”
We discussed words. We discussed the word “underground” and what it meant. It was not synonymous with “malicious.” Still, he said, “you shy a little bit away from it.”
I told Bartoli I had met prole. Did he know him? He did. “He’s very smart — someone who has ideas that are newer and fresher than those of the rest of us. He’s one of the GhettoHackers, you know.”
Bartoli told me about this group, headquartered in Seattle, with members worldwide, several in San Diego. “You have to be invited to join.” Bartoli had not been invited but wanted me to know that he had set up their sound system at def con when they ran Capture the Flag last August.
It sounded to me like a hacker fraternity. “The hacker world is one of the most intellectually snobby,” said Bartoli. “It’s all about knowing more than the guy next to you. ‘Are you up to snuff?’ ”
Or maybe: “Are you leet?” (Am not leet. — Geo.) Apparently, prole truly was leet.
Bartoli didn’t stay long. He needed to distribute invitations to his Alphafight launch party to be held the following evening. He planned to go from bar to bar. He wanted women to come. “I don’t want it to be a sausage party,” he said. Before he left, he introduced me to Geo.
Geo was wearing a sophisticated black leather coat. His hair was dyed blond. He had a goatee, much like prole’s. As he watched the penguin fall through the ice, he laughed, then apologized for being amused. “It wasn’t funny until the third time.”
I thanked him for the introduction to prole the GhettoHacker. I asked Geo if he was one. He said no, adding with concern, “You shouldn’t ask people that, you know.”
Why not? Geo really didn’t say. He didn’t want to talk about the GhettoHackers, but I persisted. I wanted to learn more. The group seemed to be an important aspect of the hacker story — being “leet” and all that.
Geo said he would make inquiries to see if one might speak to me over the next couple of days.
…A lot of people in the community are paranoid. Really paranoid. But sometimes they’re paranoid for no reason.
Q: But why are they paranoid at all?
A: Because they don’t want to end up being on some blacklist somewhere. And I wouldn’t be surprised if my name was on that list.
Q: But where is such a list?
A: Maybe in the government somewhere. I couldn’t tell you. I’ll just give you one little example. There’s this one San Diego hacker type and we could probably consider him part of our clique, because he’s very academic, master’s degree from UCSD and things of that sort, but he is so paranoid that he will not use his real social security number for anything. When he spoke at the Black Hat Briefings in Las Vegas, he asked me if I could register his room for him, so he wouldn’t have to give them his real name. And also, with Black Hat, they pay the speakers $1000 apiece. He didn’t even want Black Hat to know his real name, so he went to our other friend and asked him to set up a corporation, so he could launder the money through the company, so he didn’t have to have his name on there. It was something really radical and strange, and my friend told him to forget it.
— author’s conversation with San Diego–based hacker “bind”
At the opening party, I also met another ToorCon speaker, Saqib Khan, a 34-year-old hacker from Miami Beach who runs his own computer-security business, Security V, Inc. He uses “Khan” as his handle, since “people think it’s an alias anyway,” he said. He was born in Pakistan, grew up in Alabama, and has degrees in electrical engineering and computer engineering from Alabama’s Auburn University.
Khan was suave in sloganless black. But I couldn’t help imagining that he hadn’t been quite so suave in Alabama as a new immigrant. He had arrived in this country when he was an adolescent.
The subject of his talk, he said, was “stealth data dispersal.” It would cover something called “Moon-Bounce,” according to the ToorCon 2002 program in my hand.
“It’s about virtual storage, using the Internet’s own traffic,” said Khan. “The data is not in our physical space. The data itself is virtual. Say you have a file that you don’t want to keep in any one place, in case, God forbid, something happens to that place. This technique drops it on the wire and keeps it bouncing around. You can get it possibly to bounce infinitely. In testing I bounced things off Fiji and New Zealand, China and Mongolia. There’s a trick where you can double the bounces —”
Who had a need for this? It seemed like a simple question, but to Khan it wasn’t.
“That’s a good one,” he said, laughing.
Well, would it be someone with legitimate purposes, or — ?
“That’s like asking, if I gave somebody a handgun, was it legitimate for him to have it.”
But who might be out there waiting for this tool?
“It’s not just bad guys,” said Khan. “When your civil rights get infringed upon, you might want to use this yourself. As things get out of hand, as government and other agencies are becoming more proactive in monitoring communications, people are diving deeper into the innards of the Internet to hide or submerge data. But I didn’t say one night, ‘Hmmm, I’m going to develop this, because X, Y, & Z need it.’ ”
He had just been playing around? (Just playing around — that’s how hacking starts for everybody. — Tim Huynh.) “Yes, completely. Plus, I was tired of hearing the same old crap, being on all these mailing lists. ‘We’ve just done this.’ ‘We’ve broken into that, and used these tools.’ ‘Oh, we found another vulnerability and have exploited it.’ Big deal. I mean, if you take a hammer to a house all day, sooner or later, something’s going to give. That kind of thing is seriously frowned upon by all real researchers, by the way.”
I told Khan I had been wondering about cyberterrorists. What was his perspective? “I think there’s not more than several hundred people on this planet who are capable of wreaking havoc in the Armageddon sense,” he said. “I could be dead wrong, because nobody advertises. But I’ve seen something called the Honeynet Project, which is a system that looks like a normal system; it’s set up to watch hackers attack. I’ve read some of their data, and there are very few people who specifically know what they’re doing. The rest are script kiddies.” Still, said Khan, “it’s my understanding that most countries now have cyberwarfare teams in place.”
Even ours? “Of course. We invented the stuff. We’d better have one. One thing I noticed at def con was lots of Israelis around. Many of them wouldn’t admit that’s where they were from, though.”
As Khan continued to talk about “geopolitical ramifications,” my mind wandered off to Ben Greenberg. Had he really gone to rabbinical school in Israel? Maybe he hadn’t. Maybe he had become a hacker for Israel… But if he had, why had he returned?
“All the smart people are already doing it,” Khan was saying when I tuned back in. “I remember bidding on a job at Raytheon, and the first thing they said was, ‘We don’t want Checkpoint Firewall.’ Why? ‘Because it’s made in Israel. We can’t trust security software not made by us or unavailable for review by us.’ That’s an important statement. What should happen is that anybody with any smarts will want their own encryption people. It’s like the Enigma stuff from World War II, you know? If you’re at war —”
You don’t want your enemy to have made your Enigma machine.
“And if it can make your Enigma machine, you’re in big trouble. And there’s nobody talking about this stuff, and it’s definitely happening.”
I met a few more people that evening, two of them former SAIC colleagues of Peter Bartoli’s. (“My boss would not come to a hacker conference,” one said. “Mine would,” said the other, “except he’s too busy. But he’s glad I’m here. He knows I’ll have my ear to the ground.”) But I didn’t hang around. The room was too big for a party, at least one like this, that had no center; most of the 250 attendees weren’t arriving until tomorrow, anyway; and the talks would begin fairly early in the morning.
On my way out I saw David Hulton walking purposefully somewhere, shoulders slightly hunched: a meditative operator. I asked him how to reach Ben Greenberg. It would be good to get his perspective on ToorCon’s beginnings. Hulton whipped out a tiny cell phone and read me Greenberg’s New York number from his palm. The two friends obviously were still in pretty close touch.
Q: Do you feel you’re part of the computer underground?
A: Yes.
Q: But you work for a corporation now. So you really have a conflict.
A: I know.
Q: It can’t last.
A: It’s called denial.
— author’s conversation with bind
ToorCon’s Saturday and Sunday events — the talks and RootWars — took place a few blocks away from the Bristol, at the Westin Horton Plaza hotel, second level. When I reached the top of the stairs on the first morning, I saw a sign on an easel. It was an announcement of a presentation sponsored by Bayer, the pharmaceutical company. “All Your Ibuprophen Are Belong To Us,” someone had scrawled across the sign, in the manner of hackers who deface websites.
(I thought, like any uninformed person would, that the graffito was a grammatical misstatement; actually, it’s a takeoff on a line from a badly translated Japanese computer game. The original was “All Your Base Are Belong To Us.” It’s been turned into a variable slogan by the ever-language-conscious hackers.)
On a table nearby I saw name tags; but they had nothing to do with ToorCon; they were name tags for MDs. What misfortune for the doctors who occupied space adjacent to the hackers. A conference on infectious diseases was in town.
Jeremiah Gowdy had walked up the stairs behind me. He laughed when he saw the Bayer sign. “Excedrin is my hero,” he said. Then he mumbled: “That lady was mean to us.”
Two vendors, guys named “Bodoman” and “Mother,” were set up in the hallway to sell computers, computer parts, and other junk, new and used. Another vendor was selling T-shirts: “Talk Nerdy To Me,” “Carpe Noctem (Seize the Night),” “Your Computer Sucks,” and “Got Root?”
I recognized some people from last night; others I had not seen before. A few of them had spiked hair and metal-studded jailhouse pants; one or two looked like middle-school students. Several resembled characters from Fight Club, the 1999 movie. Based on the Chuck Palahniuk novel, it portrays Project Mayhem, which is a plot to destroy the financial system. Guys who joined Project Mayhem wore black paramilitary garb, blew up things, and beat up each other as a way of bonding. Their leader, played by Ed Norton, was a split personality; Brad Pitt was his alter ego, as cool as Norton was nerdy.
I had been reading about el8 (read: “elate,” a play on the word “elite,” perhaps), the malicious hacker group that targets ethical ones for spoiling all the fun; the web news stories said they had adopted Fight Club mentality and motifs. They even called their project “Project Mayhem.”
I studied my program. In addition to RootWars, ToorCon sponsored a scavenger hunt. Items could either be collected or captured by a camera. Collectible ones included “left-handed mouse,” “FBI badge,” “pink wig.” Those that needed to be photographed included “downtown view from the Hyatt hotel roof” and “someone dry-humping the Cabrillo statue.” In the case of the downtown view, getting to the roof was the tricky part. In the case of the statue, it was convincing someone to perform the dry-hump. In each instance, successful scavengers would need to be skilled at “social engineering” of a kind. (From my hacker dictionary: “Social engineering: Term used among crackers for cracking techniques that rely on weaknesses in wetware [i.e., human beings] rather than software; the aim is to trick people into revealing passwords and other information that compromises a target system’s security.” It was, in other words, a hacker con game.)
Hulton and Huynh had rented three large rooms — one for RootWars and two others for the talks in two tracks. In the room designated for the keynote address, people had already taken scattered seats at long narrow tables covered in white tablecloths. Many in the audience had laptops open, screens glowing. On somebody’s closed laptop cover, I read, “Cryptography is not a crime.” On the back of a T-shirt I read, “www.3L3M3NT.com,” proud of my ability to translate “3L3M3NT” as “element.” I took a seat behind the La Jolla father and Qwertykey.
Hulton hurried to the front of the room, his tiny cell phone to his ear. He was still talking on it as he reached the podium to introduce Jay Dyson, a senior security engineer for the National Aeronautics and Space Administration’s Jet Propulsion Laboratory in Pasadena. The program also described him as someone who “spends most of his spare time collecting viruses and worms for fun and entertainment.”
“I’m David Hulton — h1kari,” said our leader, who introduced Dyson as someone who had spoken at ToorCon 1999 and at the last one. “He’s a really knowledgeable guy,” said Hulton. (Introductions would never be much longer at ToorCon.)
Dyson’s topic was “The Myth of Cyberterrorism.” His black T-shirt said, “Know Your Limitations. We Already Do.” It was the slogan of his website clearinghouse of security information, Treachery Unlimited — www.treachery.net. His paunch and out-of-date glasses pegged him as a ToorCon oldster, but his haircut was a boyish sugar bowl.
He illustrated his talk with visuals displayed on a screen by his laptop, as at many a corporate seminar. His main point was, “Blowing up things is easier than hacking,” and it’s worse on the victims. Not to mention the survivors. He showed gruesome images of the work of suicide bombers in the Middle East. He also showed a screen that was two abbreviations only: “WTC vs. WTF” — the World Trade Center versus “what the fuck?”
“We all know what happened on 9/11,” he said, but how many of us remembered what happened on 9/18? “It was the worst netwide attack in history. Nimda [the worm] hit. But it has left no impression.”
Dyson said he agreed with William Church [of the Centre for Infrastructural Warfare Studies, with offices in London, Singapore, and Buenos Aires, Argentina]: “Terrorists aren’t ready for infoterror.”
“Terrorists,” said Dyson, “don’t experiment with or trust new or unfamiliar technologies.” The Irish Republican Army had “computer-oriented cells. They are capable of infowar but don’t choose to use these tools.” Like our own current foes, they were “antitechnology.”
What we have to fear, in his opinion, is the “Incredibly Big and Scary Nothing.” He blamed the media for sensationalism: “If it’s not pedophiles on the Internet, it’s terrorists.” And although the audience was full of computer-security-industry people, he added, “Nobody in the know is panicking unless they’re selling something.”
Script kiddies weren’t terrorists, and what they did was merely annoying, not terrifying, said Dyson. He went on, familiarly, about vendors who sold bad hole-filled programs and stupid users who didn’t protect themselves. “Users are still held blameless for their conduct,” he said, decrying their “learned helplessness.” All that had to change.
A question-and-answer period followed, but most people were mute. Khan pointed out that computer-savvy people were engaged in the ongoing India-Pakistan conflict. Dyson brushed the comment aside: “Just kiddies picking off the low-hanging fruit,” he said.
Outside in the hallway, I didn’t see the doctors’ conference people or their table anymore. I did see jsyn. Someone had pointed him out to me at the Bristol the night before, but I would have recognized him anyway from photos of hackathons that he had e-mailed to me. He wore beads around his neck and a woolen cap snugged down on his head; it was like the cap he was wearing in all the e-mailed photos. I asked him about a comment Dyson had made in passing about hackers mostly being atheists. “Well, the truth is, they are,” he said. He had a trim, muscular body, smooth-shaven face, and gentle manner. I would see him off and on over the weekend, on the sidelines by himself, quietly observing. Like Khan, the immigrant in Alabama, jsyn had been an “other” in Texas — one of only two or three non-Hispanics in his graduating class, he had told me. I had read on jsyn’s website that Cypherpunk Wargames players were not allowed to bring alcohol and drugs. In a world where indulgence was the norm, that, too, would set him apart. And hackers were indulgers. From prole I had heard a warning about alcohol: “Be prepared to see a lot of drinking at ToorCon.” I was already beginning to notice early drinking upstairs in the conference rooms themselves and downstairs in Westin’s pub. And Peter Bartoli had made this point about hackers’ favorite drugs: “Everything from ecstasy to cocaine. Hackers are inquisitively minded. They don’t go in for conventional wisdom, and they are experimenters.”
I tagged Khan and asked him what he had thought of Dyson. “That guy’s smoking crack. I trade daily. What would be the impact of hackers on the NYSE [New York Stock Exchange]? They wouldn’t have to disrupt the trading. All they would have to do is interrupt the climate control. If they raised the heat, the computers would cease to function. It would be havoc and ruin.” Financial ruin. “The people who can do real harm are choosing not to do it.”
We entered the room next door, where the RootWars players were competing. Yup. Just people typing. They sat at round tables, groups of young men and a few boys. While some typed, others leaned over their shoulders, watching, not speaking, like people watching chess players in the park. Low-volume music was coming out of somebody’s laptop speakers. Khan said, “Watch the quiet, more low-key group.” But every group seemed quiet and low-key. “Just sit.” We sat at one of the unoccupied tables. “It’s about power,” he said. “See those guys? They’ve already figured out how to get up on the roof of this building. I was up there with them. They’ve also already gotten into Westin’s LAN [local area network], so they’re using it for free. See this?” He held up a white computer cable lying on the table; it was meant to be used for Internet connection. “You should never plug a laptop into any connection at a conference like this, unless you’re heavily encrypted. People are always sniffing the traffic at these things.”
Was Khan encrypted?
“I don’t use it. There is no need for me. There’s nothing I’m discussing that’s of any nature that needs to be encrypted. Even if I did, I wouldn’t be discussing it with anybody.” He laughed. “But even if you encrypt it, the NSA [National Security Agency], as I’m sure you’re aware, has more than enough power to decrypt most things. To be encrypting things is asking for trouble nowadays.”
He could encrypt just to annoy them?
“I don’t like to annoy people, so I’m fine.” More laughing. “There’s no reason to annoy anybody.” He continued laughing. “You know, being a Pakistani-American, and with all this crazy stuff going on over there, and the icing on the cake is that I’m involved in some interesting aspects of technology, I wouldn’t be surprised if, you know —” Yet more laughing.
Was his laugh a nervous laugh?
“Well, I mean, we all laugh about it.”
Because everybody needed to keep a sense of humor? Or because —
“Yeah, well, I mean, what are you gonna do? It’s a very interesting situation. And one never knows.”
We looked again at the “quiet, low-key” group. They did not appear to be guys you would want to bring home to meet the family. One skinny guy wore a woolen cap, something like jsyn’s, except it was dirty looking; he was also wearing wraparound sunglasses in a room that was dimly lit to begin with. His whisker-peppered chin was as pointy as a sinister Dick Tracy’s. On the table beside him was a small dish antenna, its diameter about the size of a pie plate.
Khan started to explain about what that dish could do, then interrupted himself. “See that kid?” He referred to a chubby boy at the elbow of the guy with the dish. “He’s 13. The kid knows what he’s doing,” said Khan. “I can see from here he knows.” Apparently, hackers saw things I didn’t. “But see that other guy in the green baseball cap? He won’t talk to you, but he’s the one you should try to talk to. His name is Dorian.”
When Dorian walked by our table a few minutes later, I pursued him. “I’m sorry, I can’t talk to the press,” Dorian said politely, as if he had spoken the line many times before; he didn’t break stride.
I returned to Khan. We surveyed the rest of the room for other prospects. Khan predicted that none of them would be game for an interview either, and his prediction turned out to be correct. “Some of these guys have real jobs, and it’s a no-no for them to be doing some of this stuff,” he said. Then, under his breath: “I’ll shoot myself if I have to get a real job again.”
Beer Patrol. This year all the proceeds from drunken whores shirts sales, will go to the DrunkenWhores beer patrol, more or less there will be at least one person manning a portable keg, during all major defcon events… how can you enjoy defcon without beer? and how can you enjoy beer when it’s $4 a bottle? well, you can enjoy it when DrunkenWhores gives it out for free. Also on a side note, if all goes well I will be speaking on Windows Internet Server Security, so everyone check that out-Humperdink
From www.DrunkenWhores.com (“where liquor and mischief fuck”)
Throughout my two days at ToorCon, I bypassed talks that sounded over-the-top technical — for example, “IKE Security Problems with IPsec VPNs” — even though they were given by the colorfully handled likes of “tommEE pickles,” “DJSweetSensation,” and “Mr. Rufus Faloofus.” Instead, I chose to hear one given by a hacker who wanted only to be known as “Jon.” (It wasn’t his handle; nor was it his real first name. He didn’t want either associated with what he had to say.) The talk promised a narrative. It was titled “Forensic Shortcomings in the Prosecutorial System (Why Not to Get Prosecuted 101).” It was to be the story of his prosecution for a computer crime he had committed in San Diego County.
Of all ToorCon attendees, Jon looked the least likely to have had trouble with the law. In shorts and T-shirt, with his brown hair neatly trimmed, he looked like an earnest college student on a study break. In fact, he is 28, with a wife and two children; he was 23 when his legal troubles began in North County.
He had been helping a former coworker at one of the North County municipalities — he didn’t name it. (Later, however, he revealed to me that it was Vista.) While showing his former coworker some “basic security components,” a server crashed. No matter that it was down for only an hour; Jon had caused it. What followed was “an avalanche.” He was charged with two felonies. After a plea bargain in which the charges were reduced to “attempted unauthorized access” and fines and attorney’s fees were tallied (total: $35,000), he had some advice for local hackers. “Do not maintain informal relationships” was one. “Get everything in writing” was another. Not doing so was his first mistake when he had decided to test the Vista system for security weaknesses. Beware of a legal system that is “not technically proficient,” said Jon. “You could see their eyes glaze over” during the legal proceedings. And yet: “Technical assessments are key to determining whether someone has done something wrong.”
During the question-and-answer period, Jon was asked: Did his accusers intimate what his motives for crashing the site might have been? No, said Jon, “It didn’t come up. It was irrelevant to them.”
What had happened to the former coworker? “Nothing.”
Would Jon have done anything differently if he could do his defense all over again? “I would have hired more lawyers.” As it was, Jon had hired an attorney from the Bay Area: Jennifer Granick. Litigation director of the Center for Internet and Society at Stanford University Law School, Granick has a private practice defending people accused of computer crimes.
Why hadn’t he hired a local lawyer who could have played the game? “Because,” said Jon, “I didn’t know there was a game to be played.”
Out in the hallway, I ran into one of the preteens from the RootWars room. “Do you have an FBI badge?” he asked me hopefully. He made a little rectangle with his hands to show me what he meant. Oh, for the scavenger hunt. I was sorry to disappoint him.
I took another peek into the RootWars room, where a movie was being projected on the wall while play continued. Someone told me it was the 1992 movie Sneakers, starring Robert Redford as a fugitive phone phreak turned pseudonymous computer-security professional. It must be another accepted member of the cinematic canon.
In one of the talk audiences after lunch, I saw prole listening, arms crossed like Mr. Clean’s, his sunglasses hooked onto the front of his shirt. He waved at me congenially. I resisted walking up to him to ask about the GhettoHackers, however. If it happened through Geo’s channels, it would happen.
At the end of the first day, as many people were getting ready to party, I got ready to go home. On my way down the hallway, I passed by a huddle. Three or four conferees were surrounding someone on a cell phone. “Hey, Amber!” one from the huddle shouted in the direction of the cell phone mouthpiece. “We love your boobs!”
Breaking into a computer is a pretty gray area. I think it’s acceptable, personally, I think, if somebody wanted to take down the site of a child-porn ring.
— Klinge-C01
Your Webpage and All Accounts Associated With It Have Been Compromised And Deleted, For Crimes Against The Human Race, by s c r e a m of the OLM (OnLine Mafia) and H.A.R.P.
(Hackers Against Racist Parties).
“If you prick us, do we not bleed? If you tickle us, do we not laugh? If you poison us, do we not die? And if you wrong us, shall we not revenge?”
— William Shakespeare, The Merchant of Venice —
Read it and weep you racist fuckers.........
The Rest Of You Hate Groups Better Tighten Up Your Security.... Cos We’re Coming For Ya!
— hacked website of the Ku Klux Klan
From the files of www.2600.org
On Sunday morning, I noticed that the reception table for the doctors’ convention had been moved downstairs to the Westin lobby. A proper-looking, middle-aged woman in a black business suit was seated behind it. I asked her if she’d had trouble with the hackers. She said: “They put graffiti on my sign. They put their sign over mine. I had the doctors’ badges all lined up and they took them and were wearing them, pretending to be the doctors.” I looked at her name tag. “Bunnye,” it said. Bunnye didn’t seem upset; she was merely stating facts. “They also took over one of the phone lines and were using it at our expense. It was inappropriate behavior. It was like dealing with 12- and 13-year-olds. It’s fine behavior if you’re at McDonald’s… The security person should have made sure they were behaving appropriately. His job is not only to make sure that the merchandise is secure. The hotel is working with me to make amends. I doubt the hackers will be invited back next year.”
Upstairs in the ToorCon spaces, it was pretty quiet. First talk of the morning was Jeremiah Gowdy’s “Fundamental Flaws in Network Operating System Design.” He was waiting in the back of the room, talking about last night’s drinking with some other hackers. “When I was 18,” he said, “I lost my license for a year, and I rode the bus. It gets old after two weeks. It was for having a beer on the Fourth of July.” He yawned and stretched.
He spoke about the inferiority of most familiar operating systems. It must have been another happy coincidence, but Geo’s T-shirt this morning said, “Your Favorite OS Sucks.”
Gowdy denigrated “people making a living off the errors of programmers” and praised what’s called OpenBSD [Berkeley Software Distribution], the free operating system developed by volunteers. (jsyn is one.) “The guys who work on this system are really fricking smart,” said Gowdy, “and I have a lot of respect for them.” He praised the level of security offered by OpenBSD. “They’re at the forefront. They’re number one.” But, he cautioned, “It’s like being on a team that never loses. They’re overconfident, and someday they will lose. It might be the best, but it’s not perfect.”
People trickled in while the talk was in progress. At the end, they trickled out. Everything was in slow motion all day Sunday.
The RootWars room was very quiet too, except for the voice of tommEE pickles, who was holding forth about something. His hair was dyed fuchsia. His T-shirt said, “Free the West Memphis Three.” (The West Memphis Three, the Internet told me later, were Satanists convicted of a triple rape and murder of three eight-year-old boys.) “This shit is so fuckin’ simple, when you get right down to it, you’ve basically got to be a real moron not to understand how it works,” he said.
At the end of yesterday’s session, the vendors had moved their stuff in here, for (physical) security’s sake, and now had not bothered to move it back out into the hallway. They would sell it from here.
The guy with the dish antenna was at my elbow, looking at the stuff for sale. I asked him what the dish did. “Oh, this? It doesn’t even work. I bought it for a buck in Portland.” He had an accent, but from where? Transylvania was my guess, but I didn’t ask him to confirm.
When I took a seat in one of the talk rooms to hear a hacker called Little W0lf, I noticed the kid who yesterday had asked me for an FBI badge. He was drinking from a big plastic cup of water. I asked him his name. Vanya Sergeeb, he told me. He was 12 years old and had lived in Russia, the Netherlands, and Iowa. Now he lived here and attended Carmel Valley Middle School. His mother was born in Moscow. “She works in biotech and is looking for a cure for cancer.” His father was born in Europe and was a computer programmer. His sister, 15, “also likes science stuff.” She wanted to become a vet; his goal was to become a computer scientist. After school, he worked as an intern at Booz Allen Hamilton. Several other people were here from Booz Allen, and he had accompanied them to this, his second ToorCon. (Booz Allen has what’s called a “strategic security division.” Nonetheless, in April and May 2002, hackers gained access to its network. At the time, the firm was developing a public website for SPAWAR — the Space and Naval Warfare Systems Command. SPAWAR’s site was one of those defaced. Responsibility for the attacks was claimed by the “Deceptive Duo.” One message read: “We are two US Citizens that understand how sad our country’s cyber-security really is… This situation proves that we are all still vulnerable even after 9/11.”)
When Little W0lf began to speak, I didn’t listen; mostly, I watched Vanya. He sat through the entire presentation without fidgeting. Afterwards I asked him if he had understood what Little W0lf had said. He nodded and told me all about “PHP authentication management.”
During Little W0lf’s presentation, I also watched three guys I had not noticed yesterday. They were sitting in the row in front of me. One of them had an iron cross on his baseball cap. Could he, could they, be neo-Nazis? They were dressed like rednecks. Each had a composition notebook, brand-new looking, unopened, on the table.
I tried to eavesdrop. I heard one say something about guns from U.S. government surplus. Otherwise, it was impossible. They were speaking much too softly and not very much. All three smiled in the same chilling way.
While I waited for something listed in the program as the “Fed Panel,” prole sat down backwards in a chair to face me, arms crossed over the backrest. “I heard you wanted to talk to somebody about the GhettoHackers.” There was a grin on his face and a big red dragon on his T-shirt.
He told me that the group started four years ago, with the Capture the Flag team at def con. “They were called the GhettoHackers because they wrote their notes on bar napkins, using broken pencils, and their gear was half falling apart,” he said. “I actually wasn’t a member yet but the next year, through various friends, ended up hanging out with them. Two years ago I was voted in or whatever. It’s just that we were hanging out all the time, anyway. So they said, ‘You’re a GhettoHacker now.’ ”
While cyberspace was their virtual frat house, they also had a rented space in Seattle for the locals. “They’ve moved some stuff in,” said prole. “Pool table, makeshift bar, DJ gear, lots of computers and network gear.” He guessed there were 40 members total, but he couldn’t say for sure. “No one knows everyone else.”
Was there a secret handshake?
“No, and I know it sounds like a secret club, but the main requirement is that you get along socially. I mean, everyone that I’ve met through it is just really smart and has his own skill sets that are — Everyone does something that everyone else can’t.”
So the combined skill level was “copious”?
“Copious would be accurate.”
What did they use the skills to do? prole wasn’t at liberty to say. “When [San Diego members] get together here, sometimes we hack something; other times it’s just ‘Let’s go to the beach.’ ” At the places they met, most people had the capability for multiple machines. “They have a hub or a wireless where everyone can at least plug in laptops. We meet to discuss issues — everything from upcoming or ongoing projects, to posing technical problems to each other, to making sure everyone’s pitching in for their portion of the bills.”
What did members of GhettoHackers do for a living? “A lot of people have done work for companies — big, large-scale, important, impressive projects.” Which projects, he couldn’t divulge. “Most of them work in the computer industry — either software or hardware — or they work in computer security — at a firm or do independent consulting. Others are programmers or administrators or — The ones that disclose their jobs, that is. I don’t know the real names of a lot of them.”
After all, he never had to send any of them a letter.
“You just hop online and say, ‘What’s up? Who’s here?’ ”
Did he even have their phone numbers?
“Some of them. But the numbers are given out on a need-to-know basis. Out of courtesy you don’t pass along phone numbers or e-mail addresses to other people, even if they’re acquainted, because people have different degrees of need for security — and privacy.”
I told prole that it sounded very civilized.
“It’s one of the closest things I’ve seen to civil anarchy. The world’s not civilized enough for anarchy. If it were, I think anarchy would be great.”
Did anyone ever leave the GhettoHackers?
“I think some people may have lost network status for doing something stupid. Maybe they tried to attack a machine from our network. We don’t attack machines [as a group]. If a member decides to attack something on his own, that’s his own deal. He shouldn’t even tell the rest of the group about it, as it has nothing to do with the GhettoHackers. Of course, some of us do attack machines legally, as part of our jobs or within our own networks to hone our skills.”
One aspect of the GhettoHackers that prole could be more specific about was their “mentoring.” “Some of us mentor people who show promise. They are encouraged to hang around. Say, you run into someone at the local 2600 meeting.” (According to www.2600.org, 2600 meetings “exist as a forum for all interested in technology to meet and talk about events in technology-land, learn, and teach.” They take place all over the country on the first Friday of every month, from 5:00 p.m. to 8:00 p.m. local time unless otherwise noted. San Diego’s 2600 meetings are at Leucadia Pizzeria, 7748 Regents Road, La Jolla. The name 2600 derives from the 2600-hertz tone generated by early phone phreaks, using a toy whistle from a cereal box, in order to make free phone calls. The founding of the San Diego 2600 chapter is one more contribution of Hulton and Ben Greenberg.) “And he’s a smart guy with no direction, you maybe talk to him and say, ‘Hey, what would you do with this?’ Or, ‘I’ve been working on a problem and I might need some help.’ And then if it works out, he may get access to the GhettoHackers’ networks so that he can interact.”
It seemed like a good time to mention the immature element at ToorCon — the one who defaced the Bayer sign, the ones who pulled the fire alarm.
“The immature element here is not nearly as great as the one that’s at def con,” prole assured me.
The real question was, how did he tolerate them? Considering the elite nature of the GhettoHackers, that is.
“It’s a combination of things. There’s ‘Boys will be boys’ — not to be gender specific. Another part of it is, you don’t want to pay too much attention, negative or positive, because you don’t want to encourage it, right? And the other thing is, you’re watching out for the sharp people [who may be among them] and who you think don’t have direction — people who get caught up in the vandalistic side of things. A friend of mine pulled me aside recently and told me that last year at ToorCon a 16-year-old kid got in trouble. Some unethical people did some stuff — I don’t want to get more specific than that — and pointed the finger at him. He was just a kid and didn’t know what was happening. He ended up moving. And my friend said, ‘He’s a good guy. He needs direction. If you see him online, hang out.’ ” prole looked around the room that was beginning to fill up for the Fed Panel. “These conferences remind me of high school or even grade school sometimes, you know? There is a certain kind of lost quality about some of the people.”
I see in fight club the strongest and smartest men who have ever lived — an entire generation pumping gas and waiting tables; or they’re slaves with white collars. Advertisements have them chasing cars and clothes, working jobs they hate so they can buy shit they don’t need. We are the middle children of history, with no purpose or place. We have no great war, or great depression. The great war is a spiritual war. The great depression is our lives. We were raised by television to believe that we’d be millionaires and movie gods and rock stars — but we won’t. And we’re learning that fact. And we’re very, very pissed off.
— from Fight Club screenplay, by Jim Uhls
The Fed Panel, ToorCon 2002’s finale, featured Amanda Rankhorn, special agent, Federal Bureau of Investigation, founding member of the Computer and Technology Crime High-Tech (CATCH) task force, covering San Diego, Imperial, and Riverside Counties. Rankhorn was flanked by two others on the dais, but in ToorCon fashion, their names were not listed on the program and the introductions didn’t give many details about them. One was a computer forensics expert, I gathered; the other was a lawyer. The way I discovered Rankhorn’s name and title was by grabbing the information from her business card.
The format was questions and answers only; no prepared speeches. The audience had plenty they wanted to ask. A sampling:
War driving? (That is, locating and exploiting security-exposed wireless LANs, or local area networks; also called war chalking.)
“There is nothing illegal about it, until you try to exploit the open connections.”
What if you sniffed a wireless and you sat there listening?
“That would be bad. It’s been made illegal.”
Were they prosecuting more these days?
“Just as regular people are doing much more on the Internet, so are criminals.”
Could hackers here legally attack the computers of a nation we’re at war with?
“It’s only a crime in the United States.” But, they suggested, “Pick your country carefully.”
What was the choice operating system for criminals these days?
“Windows 98.”
Explosive laughter from the audience.
“And they’re generally AOL users as well.”
Catcalls.
How did the FBI usually catch people?
“They end up telling someone — they can’t resist telling everybody how cool they are. You’re gonna tell somebody, and once you do, the game is just about up.”
One more question: Were they hiring?
Password Cracker: With these programs one doesn’t have to worry about passwords anymore. Learn how it is possible to access password protected areas for internet sites. XXX sites for example. Forgot your password? No problem with the password cracker… Just hack it. ;)
— from www.hackertoolz.org
One morning, a few weeks after ToorCon, I phoned Jeremiah Gowdy at work. How had ToorCon gone for him, physical security-wise?
“Well, we had vandalism on the doctors’ sign,” he said right up front, “and we thought it was real funny at first, and then we realized we had to deal with them and the hotel staff, who were not entertained. And the doctors had to move downstairs and all that. So we had to, kind of, get people under control on that one.”
And then, he said, “We had to deal with the DrunkenWhores group. They’re one of the groups that show up. They kept bringing alcohol up on the floor, which at first we were going to, like, allow, if they kept it really calm. Then it turned out that the hotel had major problems with it. Anyway, it was kind of difficult to deal with people that — They run security at the major conferences and they think real big of themselves. And to take away their vodka wasn’t easy. We had to deal with a couple of guys who were holding down a few drinks.”
I told him I hadn’t seen any commotion.
He seemed pleased. “That’s because we keep it quiet when we have this kind of hassle. And most of [the DrunkenWhores] are pretty cool. Mostly we have decent people who go to ToorCon who, even though they want to have a good time and drink and everything, are willing to work with us.”
That same day, I waited until 1:00 p.m. to call Tim Huynh, who was just waking. We spoke as he lay in bed.
Who had won RootWars and the scavenger hunt? I asked.
“Unfortunately,” he said, “nobody really played the games.”
But something had been going on in that room.
“Well, they were just, kind of, hanging out and learning off each other, doing different things. Plus, we had Internet connectivity. So people were searching the net and all that kind of stuff.”
I knew better than to ask for specifics. Instead, I asked in general about the infamous gray area. I had come to understand it in one sense and wanted to confirm it with Huynh. Was it that some gray-area activities were illegal but maybe the hacker didn’t think they should be? That is, they were illegal but, in the hacker’s opinion, not wrong?
“That’s a really legitimate way of saying it,” Huynh said. “There’s a whole set of ideals and principles involved in the things they do — hackers, crackers, whatever. It’s interesting: you think you’re in a crowd of criminals, but you could say they’re revolutionaries. It’s like, ‘Well, we don’t believe this is right. So our little protest is, we’re doing this or that.’ ”
He gave an example: “There’s a German hacker who’s relatively famous — he’s, like, a multimillionaire. His name is ‘Kimble.’ The guy is just filthy, filthy rich. And during the whole September 11 thing, he offered a multimillion-dollar reward to anyone who could seize the terrorists’ assets.”
Huynh had his problems with Kimble’s offer, however. “It’s a good end, but you’re going to destroy a lot in the process of trying to achieve it. I think that’s an extremely gray area, because you’re down to hacking legitimate stuff.”
Just going into, say, a bank site could be damaging to it?
“It’s a possibility, if you don’t know the system well enough. Also, let’s say you think you have this terrorist’s account and you start deleting, and it ends up not being a terrorist’s. Well, you could put to ruin somebody who’s benevolent. So it’s kind of, like, you can do it poorly, and it’s a mess.”
Another idea I was having trouble coming to grips with was ToorCon’s “inclusiveness,” as they say. Everyone — hackers, crackers, kiddies, even the feds — had trod the same turf that weekend. Where did all that magnanimity come from?
“I think,” said Huynh, “everybody has an open mind.” He expressed this same thought in several ways: “It’s acceptable to think differently. Everybody already thinks differently and everybody there is smart enough to realize it. Everybody already thinks out-of-the-norm. So if somebody thinks differently than I, who am I to persecute them?”
It sounded like democracy.
“With any democracy, it’s all about the involvement of the populace. And so it does work, but it totally relies on the populace actually applying itself.”
I asked about what Huynh was up to now. He and Hulton were rolling out a new product, called Nightvision, he said. “Pretty much it’s a firewall IDS — intrusion detection system. It’s a wall that blocks specific incoming traffic, and outgoing traffic, too, if you want. So it’s a filter for network traffic. It’s all dependent on your paranoia level. It creates a footprint of the signatures, cataloging any intrusion attempts, so you’ll be able to look back and see what’s been going on. It also will be able to tell you if it was a real intrusion attempt, or just a hiccup, or if it was just a scan, say, which occurs when somebody just looks at what you’re running, so they might go for a bigger attack later. And then if the client wants actually to pursue it legally, they have evidence.”
Only one other product on the market was similar. “And it’s a lot more expensive. The main selling point of ours is that the operating system runs off a CD. You can’t write to it. You can’t alter it. Tomorrow we’ll be installing one at a client’s.”
I asked about Hulton, and he got on the phone next, to tell me about his Dstumbler, the tool that Klinge-C01 had used with success in the parking lot outside the company that provides 911 response.
“The whole package that I sell is called BSD AirTools,” said Hulton. “And Dstumbler is part of it. AirTools is a complete wireless auditing tool set. Hackers and attackers can use it to get access to people’s wireless networks. Normal people can use it too, to see how prone they are to attack. There’s another application that lets you crack webs on the wireless networks, so you can check whether your network can easily be attacked that way. Dstumbler will show you what networks are around an area and also lets you see what machines are connected to the network. And there are a couple of different things you can do with that. Like, if you’re an attacker, you can use it to map out somebody’s wireless network and figure out which machines are in which areas of the building and base your attack on that. Or, let’s say you’re a system administrator and you notice that some malicious person has attached himself to your network. You can use one of the features to trace him down. So there are a number of different things you can do with it, both on the white-side and the black-hat side.”
I noted that he had created something, like any weapon, that could be used for good or ill.
“Whatever people have a use for…”
And he didn’t lie awake at night worrying about its potentially evil uses?
There was that laugh again. Heh-heh-heh-heh.
Hulton was still a kid when his professional life began. He started at Hughes Network Systems as an intern while he was in high school. Had he been treated like a kid there?
“No, everybody treated me just like a normal worker.”
Hulton also began doing web design as a teenager. It was his good luck to get a contract with South Park Studios. “That’s South Park, the TV show, and Comedy Central. So I ended up developing the whole database backend for their website. You can actually see it at southparkstudios.com. When it was all finished, I had a bunch of money from that, so it’s what I used to move here.”
When exactly was that?
“March 20 in 2001. I had just turned 18 the day before.”
I asked Hulton if he could tell me anything about Nightfall’s clients.
“We work for some companies whose names people would recognize immediately — they’re that large — and some that are kind of vague whose names nobody would recognize.”
So he continues to interact with corporations some of the time. Would he ever take a job with any of them?
“I’ve been offered jobs,” he said, “but if I took one, I’d be thinking of it as a temporary job in order to do something like what I’m doing right now. So I don’t want to go that route. I want to keep on doing this. I really enjoy what we’re doing now. And I don’t think I would be challenged as much if I were in a corporate job, or feel I’d be using my time as well.”
I remembered, then, to call Ben Greenberg. When I reached him, he was at the Lander College for Men, in Queens, New York, still studying to be a rabbi, but closer to home, away from the violence in Israel, at the urging of his parents.
I asked him how he and Hulton had met.
“We were friends back at Standley Middle School, many, many years ago,” said Greenberg, who is 20. “And we both had a very big interest in computers. We were also very much entrepreneurial. And taking those two things together, we developed projects, ToorCon being one. And David and I to this day are very good friends, even though we’re currently separated by 3000 miles.”
I mentioned that someone had told me there had been a lot of Israelis at def con last year.
“Well, of course. High-tech is vast in Israel. Many secular Israelis are into computer businesses.”
When he was in Israel, had he been involved with computers?
“I went to computer meetings. It was nice, because I was able to develop my Hebrew. But, I mean, computers are everywhere. You can’t avoid them. If you think they’re integrated into American life, they’re twice as much integrated into the life of Israel.” Besides, he said, “Once you have computers in your life, it’s very hard to disengage from them. I still try to keep up to date on everything that’s happening in the security world. I talk regularly with David. I have several computers in my apartment. It’s a fact of life. I still to this day do programming in my free time, just to make sure I’m not losing my abilities. Just in case I need to get a job someday” — he laughed — “it’s a good skill to keep.”
I was wondering what Greenberg looked like. Since I wouldn’t have a chance to meet him, I thought I might elicit the information by asking him if he had undergone a physical metamorphosis since his ToorCon days.
“Well, I used to look like a kid, even though I never dressed obscenely weird. I was always pretty conservative — T-shirt and jeans. And if I had to go to a business meeting, khakis or whatever. But now I dress kind of ‘rabbinical’: a black jacket, white shirt, black hat. And a beard.”
Did it surprise people when he returned home to San Diego?
“A little bit, I would say. It’s not what people expect — a rabbinical hat, you know?”
One thing could be said for it: it gave new meaning to the term “black hat.”
Not long ago, in an office building right around the corner from the Bristol, I bought myself a router. (It was sold to me by a city employee, an electrical inspector, with a business on the side; this was during business hours — but that’s another story.) My computer guy, Patrick, installed the router for me here at home, where Bob and I have two computers. Patrick, prole, and others had told me it could act as a simple firewall, preventing our network from catching the flu, so to speak; if it caught anything, it would merely be a cold.
That protects me personally from minor disasters. What will protect us all from major ones? It certainly has been unsettling to note on attrition.org how many military websites have been hacked. And, as David Hulton pointed out, those mirrors represent only the ones that were grabbed.
I feel a little safer, having met the likes of Hulton, prole, Bartoli, jsyn, and the rest of the ethical hackers.
But then I remember the guy wearing the iron-cross symbol. Truth to tell, I am bothered a lot more by him and his friends than I am by the Transylvanian.
Hamlet doesn’t believe in moral absolutes. “For there is nothing either good or bad, but thinking makes it so,” he says. But look where that sentiment gets him.
J. Robert Oppenheimer, who directed the Los Alamos lab, recognized evil when he saw it. “In some sort of crude sense,” he said, “which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.” By that time, it was, in other words, too late.
“Words, words, words.” It’s another one of Hamlet’s cheerless utterances.
I saw a tabloid headline recently. It said, “Three More Commandments Discovered.” Our cyberized world could use some new ones, I thought to myself. But what exactly would they say? It would take other than a human, hacker or not, to write them.
The ceilings in this building are double-high, and the floor plan is open. (The square footage is 1450, according to the building’s management, which refers to these spaces, including the basement ones, as “lofts.”) There were apparently times for work and for play at Nightfall. At one end of the space was a pool table, elaborately leveled with magazines. At the other, a Ping-Pong table, similarly sturdied. On a wall, a dart board. On another wall, a corporate touch: a shiny white wallboard and notations in felt-tipped pen. In the middle of everything, on a raised platform, many, many computers. Huynh offered me a seat in the “office” — three La-Z-Boys arranged in a circle.
I asked Huynh about the term “hacker.” How did he define it? “It’s some guy pretty much trying to learn everything he can about something,” he said. “It’s not so much a slick guy. It’s a guy who says, ‘I want to know everything about this. I want to use this thing to its 100 percent potential.’ ” He related it to cars, as Ron Gula had. “You discover that if you jiggle the key a certain way… It’s like figuring out a secret.”
And was a hacker always a “guy,” a young guy? “I’ve seen some talented ladies,” said Huynh. “Young ladies, older ladies. Older men.”
How many women had attended ToorCon last year? “We had one. She took a Greyhound from Phoenix.”
How did somebody get good at hacking? Was lots of equipment required? “What you need is lots of persistence. You don’t need anything fancy. It requires sitting down, reading, meeting people, learning from others, picking up things on the job. And you can’t be afraid to try things. Experimentation. You can’t be afraid of opening up your box.” He smiled to himself. “The first time I did it, I short-circuited something and it cost me a whole bunch of money.” But he chalked it up. “I just said to myself, ‘Well, I won’t do it that way again.’ Just playing around — that’s how hacking starts for everybody.”
Huynh obliged me with some personal details. He was 22 years old and born in Vietnam. He and his parents left their homeland in 1981. His father went by foot to Thailand; Huynh, who was still an infant, went with his mother and her brother by boat to a refugee camp in Singapore. The family was reunited in New York but didn’t stay there long. “It was pretty cold.” Instead, they came to San Diego — Normal Heights first, then Mira Mesa. After graduating from Scripps Ranch High School, Huynh entered the United States Air Force Academy. He stayed only two years, finding it tough, not physically but scholastically. He had intended to major in computer science and did well in that area; otherwise, his grades were “abysmal,” he said. English and history — “those things that fill up your day” — were the worst. “I actually like history, but I don’t like reading about it.” And he didn’t like writing papers. Not that graduates of military academies shouldn’t have “well-rounded educations,” he said.
Huynh had enjoyed the military’s structured life. “I don’t mind following orders.” In fact, after leaving, he thought about enlisting. “I want to give back. I know how lucky I am to be here.” But he was talked out of that idea. Instead, he did web development, volunteered for ToorCon 2001, then began to work and live with Hulton at Nightfall.
Huynh’s father works in sheet metal; his mother is a housewife. Were his parents pleased by his current career path? Huynh said they were, even though “what we do here is not what a person typically does.” Huynh’s handle, “nfiltr8” (read: “infiltrate”), was one of those joke handles: he credited his parents for his “morals.” As he put it, “If my parents weren’t the way they are, and if I hadn’t been brought up the way I was brought up, being taught right and wrong, I’d be in a hovel somewhere, trying to break into the Pentagon.”
Should we be worried that people are trying to break into the Pentagon? How vulnerable are we? And is it going to get worse, or better, as computer technology progresses?
“It’s not the technology; it’s the human factor,” said Huynh. That’s what makes us vulnerable. The same for a company’s security. “You can lock down the machines, but one disgruntled employee can decide to wipe you out if he gets mad and goes postal on your network. Companies may invest all they like in security, but what they really should be doing is investing time and money in their people.”
Huynh’s statement was not a selling point for Nightfall’s services. But then, its business model didn’t seem to be the corporate one. If moneymaking were the main object, Hulton and Huynh wouldn’t run ToorCon. “It’s not profitable — it’s more of a community service. We’re lucky to break even,” said Huynh.
But running a conference is so —
“Stressful. But I’m pretty stress-driven.” Today would be a “pretty low-stress day,” Huynh said, despite his appointment later in the day with a potential Nightfall client.
Would he give an actual sales pitch? “We don’t do the sales thing,” said Huynh. “Mostly they’re approaching us, anyway. So we don’t talk so much about the ‘why,’ but rather about the ‘what.’ ”
These days, the “what” was mostly preventive. “People are getting smarter. Others call and say, ‘We think we’re already in trouble.’ ”
After the initial consultation, Nightfall charges an hourly fee, which Huynh preferred not to reveal. He and Hulton give no guarantees. “We’d be shooting ourselves in the head if we did, because we don’t know what’s going to be developed” — by crackers. What Nightfall can do, he said, is “lock down everything, address all the known exploits, and try to keep up with all the advisories issued” by websites like www.bugtraq.com. They also exchange information with other hackers at places like ToorCon.
Would I understand the talks when I attended ToorCon in a few weeks? Some of them, he said. I must have looked doubtful. “Everybody has a little hacker in them,” he said to reassure me.
Before I left that morning, I asked about further contacts. He suggested I e-mail any speaker or volunteer on the ToorCon website. I also asked about Ben Greenberg. Was he still in Israel? I was intrigued by someone who would switch from hacking to holy work. Huynh said he’d heard that Israel had become too violent for Greenberg, and he’d left. But he hadn’t returned to San Diego or hacking; as far as Huynh knew, his predecessor was now living and studying at a college somewhere in New York.
I went to the library and returned home with a stack of books. Secrets & Lies: Digital Security in a Networked World (2000) by Bruce Schneier. Approaching Zero: The Extraordinary Underworld of Hackers, Phreakers, Virus Writers, and Keyboard Criminals by Paul Mungo and Bryan Clough (1992). CyberShock: Surviving Hackers, Phreakers, Identity Thieves, Internet Terrorists and Weapons of Mass Disruption (2000) by Winn Schwartau… Most of them were filled with doom, along with a fair amount of questionable psychologizing. (“The computer underworld is populated with young men, and almost no women, mostly single, who live out their fantasies of power and glory on a keyboard. That some young men find computing a substitute for sexual activity is probably incontrovertible.” — Approaching Zero.)
I also bought a dictionary — The New Hacker’s Dictionary, compiled by Eric S. Raymond. Despite its heft — 547 pages — it was filled with much lighter material.
“Autobogotiphobia.” I began to read like a traveler preparing for a trip to a foreign country. “See bogotify.”
“Bogotify: To make or become bogus. A program that has been changed so many times as to become completely disorganized has become bogotified. If you tighten a nut too hard and strip the threads on the bolt, the bolt has become bogotified and you had better not use it anymore. This coinage led to the notional autobogotiphobia defined as ‘the fear of becoming bogotified’; but it is not clear that the latter has ever been ‘live’ jargon rather than a self-conscious joke in jargon about jargon.”
“Copious free time,” I read on, for it defined phrases and idioms, along with single words. “A mythical schedule slot for accomplishing tasks held to be unlikely or impossible. Sometimes used to indicate that the speaker is interested in accomplishing the task, but believes that the opportunity will not arise. ‘I’ll implement the automatic layout in my copious free time.’ Time reserved for bogus or otherwise idiotic tasks, such as the stroking of suits. ‘I’ll get back to him on that feature in my copious free time.’ ”
I laughed. I laughed a lot as I continued to read selections. “Drool-proof paper: Documentation that has been obsessively dumbed down, to the point where only a cretin could bear to read it, is said to have succumbed to the ‘drool-proof paper syndrome’ or to have been ‘written on drool-proof paper.’ For example, this is an actual quote from Apple’s LaserWriter manual: ‘Do not expose your LaserWriter to open fire or flame.’ ”
Hackers love acronyms, almost as much as bureaucrats do. The dictionary explained many of them, although some definitions were themselves acronym-laden. “EMACS [from Editing MACroS]: The ne plus ultra of hacker editors, a programmable text editor with an entire LISP system inside it. It was originally written by Richard Stallman in TECO under ITS at the MIT AI lab…”
In certain cases, a common acronym was redefined by my new favorite book. “FM: Not ‘Frequency Modulation,’ but rather an abbreviation for ‘Fucking Manual.’ ” (“RTFM,” “Read the Fucking Manual,” was compared to “RTBM,” “Read the Bloody Manual,” in the hacker jargon used in the British Commonwealth.)
I was surprised to read the hacker origins of some widely used expressions. “Get a life!” was one that some people claimed to have been invented by hackers. “Hacker-standard way of suggesting that the person to whom it is directed has succumbed to terminal geekdom (see computer geek).… This exhortation was popularized by William Shatner on a ‘Saturday Night Live’ episode in a speech that ended ‘Get a life!’, but some respondents believe it had been in use before then. It was certainly in wide use among hackers at least five years before achieving mainstream currency in 1992.”
The definition of “hairball” was another kind of revelation. “A large batch of messages that a store-and-forward network is failing to forward when it should. Often used in the phrase ‘Fido coughed up a hairball today,’ meaning that the stuck messages have just come unstuck, producing a flood of mail where there had previously been drought.” I found the situation frustrating whenever I encountered it. I hadn’t thought to cope by naming it.
The dictionary’s definition of “hacker” was multiple: “1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary. 2. One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming. 3. A person capable of appreciating hack value. 4. A person who is good at programming quickly. 5. An expert at a particular program, or one who frequently does work using it or on it; as in ‘a Unix hacker.’ (Definitions 1 through 5 are correlated, and people who fit them congregate.) 6. An expert or enthusiast of any kind. One might be an astronomy hacker, for example. 7. One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations. 8. [deprecated] A malicious meddler who tries to discover sensitive information by poking around. The correct term for this is cracker.”
A discussion of the “hacker ethic” followed, beginning with “free software distribution.” Most hackers were for it. The discussion segued into ethics — that is, “the belief that system-cracking for fun and exploration is okay as long as the cracker commits no theft, vandalism, or breach of confidentiality.” The book explained that some hackers considered the act of cracking itself to be unethical, like breaking and entering. “But the belief that ‘ethical’ cracking excludes destruction at least moderates the behavior of people who see themselves as ‘benign’ crackers.”
Hmmm. Benign crackers. Yet another shade of gray. I suddenly remembered that two freshman boys at the boarding school where I used to teach had hacked into the school’s computer. Had they defaced the school’s home page? Had they tried to change their grades (as the protagonist in War Games had done for himself and his girlfriend)? Or had they merely “explored”? I never learned the true nature of their crime. Confronted with such a novelty, the school’s headmaster could think of no more creative punishment than expulsion. We faculty members never heard another wisp of news about them.
Q: What’s your official title?
A: I’m a senior network-security engineer. I do mostly penetration testing, intrusion-detection-system installation, and all things security.
Q: Is it fun?
A: Oh, it definitely is. I think it’s fun breaking into people’s stuff. Yeah, it’s not good for the company if we can do it, but at least they have hired us to come and take care of it. So, you know, yeah, I do get a thrill out of it.
Q: Can you talk about what you did in Alaska?
A: Not specifically. But mostly I was working with a company that has some responsibility for the Trans-Alaskan Pipeline.
Q: Can you say if they had a problem?
A: They had a problem, yes. Someone had attempted to do a break-in, but the security controls that were in place, from some previous work we had done, had shut down the full exploit.
Q: If they had succeeded, what would they have gotten, data or oil?
A: [Laughs.] I can’t say.
— author’s conversation with San Diego–based hacker, Klinge-C01
Emboldened by my book-learning, I e-mailed one of ToorCon’s speakers, Peter Bartoli, who agreed to a pre-con phone interview. The title of his talk was daunting: “The Requiem Project: Systems Hardening and Policy Rollout in Heterogeneous Environments.” But when I looked at his website — www.alphafight.com — I found it engaging — and somewhat comprehensible to a nonhacker. Designed to advertise Bartoli’s new computer-security firm, Alphafight Heavy Industries, the site opens with an animation. The Greek letter α is kicked martial-arts style by the grunting letter f in “fight.” The α is spun and spun by the force of the blow. The slogan beneath the fighting letters says, “We think you’ll like our kung fu.” The contact page has an additional slogan: “Quality security consulting, by hackers, for business.”
“I’m running with the negative connotations, confronting them, and hoping to turn them into a little marketing steam,” Bartoli told me from his condominium on Eighth Avenue, near the El Cortez. “True, ‘hacker’ has become a bad word, and as much as I hate to say it, it’s because of the media. They only say ‘hacker.’ They forget to put in the modifier ‘malicious,’ just as they water down the technical details. ‘What do you mean there are good ones and bad ones and ones with their own agendas and that it’s not the knowledge but how you use it?’ Everyone thinks ‘hacker’ means ‘computer criminal,’ and it’s not true.”
Bartoli used to work for the Science Applications International Corporation, better known as SAIC. Former technical director of its security-analysis division, he has always been “good with computers,” he said.
From the cradle? “You might say that.” He was born in Los Angeles in 1973. He started breaking into systems as an eight-year-old. “I was breaking into computer games to extend my allowance and to feed a bad gaming habit. They used to have all kinds of copy-protection routines back in the late ’70s, early ’80s. So I would sharpen my knife, if you will, on the games, making sure they copied right. I started to get into bulletin board systems too. But then my mother and I saw War Games, and after that I was not allowed to have a modem.”
(Bartoli’s mother, who grew up in San Diego, confirmed the War Games story. She also told me this: “Before the John Badham movie, something else happened. When online banking had just begun, there was a sample computer in the lobby of Bank of America, where I’ve banked forever. While I waited in line to make a deposit, Peter went over to the computer. Peter’s thing about programs was, he always wanted to know what made them work. This was true even with the games. When he got a new one, he wanted to know how it worked before he played it. So Peter at the bank that day went right into the bank’s programs. And when I got out of line and went over to him, he said, ‘Look, Mom!’ We called the manager, who said, ‘You’re not supposed to be able to do that!’ ”)
Bartoli learned to program in the computer lab of his private elementary school and from computer manuals. His parents thought he would become a programmer.
“Programming can be fun, but it can also be terribly boring,” said Bartoli. “Simply stated, programming is piling up pieces of logic, one on top of another on top of another. It’s adding ‘two and two,’ and ‘and’s and ‘nor’s, and ‘if’s and ‘not’s in order to build something useful. It can be tedious, and I didn’t see much out there in computing besides programming at the time when I first thought about careers.”
He entered UCLA as a journalism major. “I wanted to be a sports writer and get paid for watching baseball.” He had also discovered that being a geek wasn’t popular with girls. But the Internet lured him back to computers. “When it started to explode, I began to see all kinds of job possibilities besides programming. I tried to switch to computer science, but the department was impacted. So midway through my second year, I just gave up and got booted.”
Bartoli transferred to the University of Texas in Edinburg — “pretty much because they would take me.” (Relatives had connections.) “It’s wa-a-a-ay down at the bottom, near Brownsville, far from any city. Until then I had spent my whole life in the shade of the Hollywood Hills. I knew from the start that moving there was going to suck but that it was going to be a character-building kind of hell. Now I see my parents’ design in it, and I’m grateful for it.”
As a part-time job, Bartoli worked for the Edinburg police. You could call it a foreshadowing of his security career. “I set up their first dedicated Internet connection and their parking ticketing database.”
Did the twain ever meet between Bartoli and the police? “Are you asking if there was a culture conflict? Of sorts. I was young. I had long hair. I didn’t picture myself working for the police, but they were good people. And there was no culture conflict in terms of cops and a hacker, because I didn’t consider myself one at the time.”
With his penance completed after two years in Edinburg, Bartoli transferred to SDSU. “[The computer science program at UCSD] had the reputation, but the curriculum was too steeped in theory for my tastes.”
He also began to work at Millennianet, a local Internet provider, and by graduation was its head system administrator. “I was also head of support staff and the last line of technical support, should anybody have problems.”
The system had problems aplenty. “I got hacked! All the time! Despite the best of teachers, there’s a lot they can’t fit into those four-year degrees, and how to secure your system is one of them.”
The book-smart Bartoli learned what to do as he went along. “More often than not, I’d have to hack the system myself to figure out how they got in. You have to, especially if you have a large system.”
The process isn’t easy. “Finding a vulnerability in a piece of code is akin to finding a needle in a haystack. It’s tenacity that gets you there. Then imagine the needle as a key that, when found, allows you unauthorized access to every door it fits.”
Malicious hackers exploit the vulnerabilities they find. “Ethical” hackers — the term Bartoli prefers over “white-hat hackers” — are conflicted over what they should do with their finds. Would more people get hurt by immediate disclosure, or would fewer?
“Ultimately what one does with the knowledge,” said Bartoli, “depends on one’s scruples, motives, and beliefs. That’s why all the various ‘hat’ terms are unhelpful — because scruples, etc., run the gamut.”
It’s also why the federal government has taken steps to prevent anybody except vendors from finding any more holes. “The DMCA? Digital Millennium Copyright Act?” The bill became a law in 1998. “It’s what the RIAA [Recording Industry Association of America] and everybody else are using to quash piracy in pretty questionable ways. It’s something very big in the radar of all hackers, because among its provisions, the DMCA provides criminal penalties for reverse engineering!”
The special hacker term for the time between the discovery of a hole in a program and its disclosure is “0-day” (spoken as “zero day”), Bartoli told me. “Every day is 0-day until the exploit is made public.” And until it’s not 0-day anymore, things can get pretty hairy. “One droplet of knowledge in the wrong hands is enough to bring everybody down, and there’s nothing the wisest of ethical hackers can do to prevent that right now. Nothing can stop a naked piece of vulnerable software from getting owned.”
Did being a hacker, ethical or otherwise, mean never getting hacked oneself?
On the contrary. “A couple of friends of mine were interviewed about a malicious hacker group that targets ethical hackers. The malicious ones are quite pissed off at ethical hackers and the state of the computer-security business in general.”
The state of the business can be measured at the cons, said Bartoli, who goes to DEF CON and ToorCon “to shop for hardware for my development labs” and “to talk with all these crazy geniuses. As many of them that are antisocial and don’t present themselves very well, there are plenty that do, and those guys make it worthwhile.”
(Bartoli later asked me not to quote him on the hacker personality. Instead of erasing his words, I convinced him to expand on the theme, for any caricature contains an element of truth. He e-mailed this clarification: “There is this stigma-like perception of hackers as being teenage Lex Luthors [Superman’s arch enemy, a boy genius who uses his gifts for evil] with thick glasses and no social skills save those they develop online. And sadly, as you say, there is some element of truth to it. Some people are in computers because they communicate better with computers than they do with people. Mafiaboy [the handle of the unnamed 15-year-old who was convicted in Canada of attacks against eBay, Yahoo, Amazon, and other major Internet sites] fit the bill when he got busted. As did I back in the Apple II days, when I spoke and read machine language. I was owned by the machine rather than vice-versa. However, like any stereotype, it’s nothing more than a generalization. It’s not a one-size-fits-all, no more than black, white, or gray for ethics. There are many more of us that are business-savvy and for whom computers are a means to an end.”)
Probably in the sixth or seventh grade, around 1986 or 1987, I started programming by getting code out of something that I found at the library — basically just writing my own games, text kind of stuff. Pretty boring, but I started doing that, progressed, mostly by just playing around on the computer. I joined the United States Air Force in 1992 and got my first taste of Unix operating system and TCP/IP networking — just as a user. I really didn’t understand it at all at the time. But as part of a classified reporting system, we obviously had to use it. So I became familiar with different network protocols for basic communication — you know, e-mail and remote command line interface to other computers on the network. I had graduated from a Commodore to a 286 architecture with, like, Microsoft Windows 2.1, I think in, I guess, probably 1990. After the Internet, in 1995, I immediately began looking at people’s computers. I got a book on TCP/IP, in order to understand how the communication worked, and immediately began trying to figure out how to break into people’s machines. So I think within about ten minutes of being connected [to the Internet], I was doing that.
— Klinge-C01
When talking to computer-security professionals, it’s easy to forget that computers also need external security — the kind that prevents them from being walked off with. I was reminded when I noticed on ToorCon’s website a person in charge of physical security for the con. I e-mailed “BasharTeg,” whose real name is Jeremiah Gowdy.
Watching the hardware? Was that what his job entailed? I asked Gowdy when we spoke. “Right,” he said. “People bring expensive hardware — multithousand-dollar laptops, routers. Things get stolen every year, even with our best efforts.”
What about hiring security guards? “Any kind of rent-a-cop wouldn’t fit in with the atmosphere.”
Gowdy, who is 22, lives at home with his parents in San Marcos. At the time of our conversation, he was finishing his associate’s degree at Palomar junior college. He also worked full-time as a senior software engineer at FreedomVoice Systems, a telecommunications company in Encinitas.
“The first year, I was just assisting with physical security,” said Gowdy. “I wasn’t in charge. But because of the nature of my personality, I kind of, like, took over. My mom’s a lifeguard and very assertive. She knows how to handle crisis situations. Growing up under that, I’m good at handling crisis situations too. I mean, the average computer guy, when something goes wrong? He freezes up. ‘What do we do now?’ It’s part of being a nerd, and we’re all nerds.”
A staff of “three or four” helped Gowdy “secure by presence” at ToorCon. “I’m six three and 255 pounds. So I’m a big guy, especially compared to most nerds. I’m actually familiar with some of the known thieves and whatnot, although I don’t understand why we can’t exclude them. It just comes down to, like, a scene thing. But the people I suspect as being thieves, along with the people that look shady and whatnot? We try to psychologically intimidate, so they think it’s just not worth it. But we’ve had other issues too. We’ve had people cause problems with the power. We’ve had people interfere with our walkie-talkies. That’s hacker stuff. But what I tell them is, ‘You can hack at the conference, but you can’t hack the conference’ — at least not while I’m running security.”
Gowdy obviously didn’t object to the term “hacker” but agreed the term was problematic. “It’s been ‘villainified,’ ” he said. “But I’m not one of these people who want everybody to conform to my definition. If somebody says ‘hacker’ and means somebody doing something wrong, that’s what they mean. You can usually tell by the context, so who cares? ‘Hacker’ isn’t a sacred word.”
As for his own definition, he said, “I personally view a hacker as anybody who codes, anybody who does programming and explores systems beyond what you learn from a textbook.”
He started learning when he was 12 years old. “I didn’t have any books, and I had one cheap little basic compiler — a compiler is a program that turns source code into a program — and I learned how to do it on my own.”
Well, not quite. “When I was 11, my neighbor in San Marcos had a computer. He was a year older than me. His computer was a real piece of junk, but it did a lot of neat stuff, and I was impressed, because he was writing games, and that’s what sucked me in. That’s what sucked in a lot of people from my generation. When you’re a little kid, you’ve got a hundred ideas for games of your own.”
At San Marcos High School, Gowdy took computer science. “I don’t want to put down my school, but it was an easy A for some of us,” he said. “And the teacher, Mr. Ehrenfeld, was a great guy as far as allowing people who were beyond the curriculum to work on independent projects. We used to mess with his server — do a little generic ‘hacking’ on his network. And he’d put up with it, because he knew he had a good generation of students there.”
I mentioned to Gowdy the lack of women in his field. “I know. It’s a bummer.” Why did he think there were so few? “I can tell you from a college student’s viewpoint there are plenty of girls in the entry-level classes. Then they hit the ‘filter’ classes. The filter classes in computer science are data structures and assembly language or machine language, and when you hit them, you have to decide if you just thought computers were neat or if you really have talent. I’ve taken those classes and there were a few girls in each of them, four or five at most, but I didn’t see them in classes afterwards.”
They didn’t grow up with it, was the main trouble, said Gowdy. “They were not part of the Nintendo generation, and the ones who were part of it are the few you see succeed, because obviously there are some female computer scientists. But they’re rare, and beyond that I won’t reveal any opinion on the stereotypes of girls and math and logic and whatnot.”
In sports, I offered, those who start early have an edge. “Yeah, and it’s weird. We had this one kid at ToorCon last year. He couldn’t have been more than 10 — his dad had to drive him — and he was amazing. We’ve got these 16-year-olds that we consider the youth, and they’re looking at this 10-year-old and thinking, ‘Je-e-ezzz.’ He participated in RootWars for three days. We were blown away. Can you imagine? If I was such a computer guy that I was hacking at 10, by now I would have taken over the world.”
Had he ever done anything that would be considered illegal?
“Not really. But I don’t have any big problem with people who do. If people deface websites, good for them. Occasionally I have said, ‘You know, such-and-such a website could certainly use a beat-down.’ But I don’t hack websites, because people who do don’t invent the hacks they use. They go to script sites and download the script that somebody else wrote. So there’s no talent to [defacements], except in determining what programs a server is running and determining what exploits will work on it, and then finding the exploits, and then going at it. Okay? But that talent is limited, compared to the one that enabled somebody to write the exploit in the first place. That’s why they call those people [who merely download somebody else’s program] ‘script kiddies.’ For me, hacking and programming are the same thing. And it doesn’t have anything to do with being a script kiddie.”
Some script kiddies claimed to be politically motivated, said Gowdy. “They do it in the name of ‘hacktivism.’ ”
Would any hacktivists be at ToorCon? “I’m sure. But I don’t think they’ll identify themselves to you, because that would mean admitting doing something illegal.” But would they have an obvious political bent? “Everybody at ToorCon has an obvious political bent. We get a whole lot of people who are wa-a-a-a-ay beyond the left. Computer people and nerds in general are, because most have naïve thought patterns that result in the belief that we can reach euphoria. It’s better to find a computer guy that’s a realist than a computer guy that wants to make the world a better place.”
How did Gowdy characterize his own politics? “I used to consider myself a conservative. I hated people who would rant and rave about government paranoia crap. I voted for George Bush and I’d vote for him again. But I’m not pleased with what the Bush administration is doing right now. John Ashcroft? I cannot stand the man. His solution to the terrorist problem is for him to be able to do whatever he wants. I think it’s disgusting that people are taking advantage of September 11 to forward their police-type agendas.”
(Note: I also asked Peter Bartoli about the political affiliations of hackers. He said, “Ninety percent of hackers are libertarians” — like himself. In the end, I agreed with another hacker, who told me that generalizing about hacker politics is impossible. “I have seen people in chats going ballistic butting heads over politics,” he said; hackers were stubbornly individualistic about all aspects of their lives. For example, he wanted to do more traveling, but certainly not to touristy places. He wanted to go to places that were “not even the next Prague.” He wanted to go to places that would be deemed trendy after the post-Prague places were trendy no longer.)
Gowdy leapt to another governmental pet peeve: “I don’t appreciate the DMCA at all. And now the government is trying to pass this CBDT deal [the Consumer Broadband and Digital Television Promotion Act] by [U.S. Senator Fritz Hollings], where he wants to put chips in my computer.” The chips would be federally mandated, antipiracy copyright-protection systems. “Let me tell you: it will never happen. I mean, I’m a guy who’s built his own computer. And the thing is, it’s just like outlawing guns. Only legitimate people buy gun licenses. People who kill people don’t license their guns. So what good does it do to make it so hard to license a gun? It’s the same thing. Hackers are not going to tolerate somebody else’s chip in their computer.”
And everyone else would ask their friendly hacker to help them remove it? “Yeah, we’ll help them pop out the chip. It could become a big thing: ‘chipping.’ That’s what we’ll call it. Hey, put a date on that — I just coined a term.”
As part of my continuing education and preparation for ToorCon, I not only read books and looked at websites; I also watched hacker movies, the good, the bad, and the horrendous. In addition to War Games, I saw another with a better-than-average hacker approval rating, The Matrix, whose protagonist’s handle is “Neo.” Played by Keanu Reeves, Neo is a computer-company drone named Thomas Anderson by day and a computer hacker by night.
I remembered Neo when Peter Bartoli put me in touch with a hacker named “Geo,” who agreed to be interviewed as long as I used only his handle. In an e-mail exchange in which we arranged a time for our phone interview, I asked if his handle was meant to be a cinematic allusion. No, he said, it was “just a happy coincidence.”
Geo grew up in Los Alamos, New Mexico. (“Yes, the famous Los Alamos,” where the first atomic bombs were created.) He is in his early 30s. After spending his summers in San Diego as a kid, he settled here about a dozen years ago. He has his own computer-security consulting business; he is also director of information technology for a San Diego–based pharmaceutical-device research-and-development company. He did not intend to make computers his career, he told me. “It was kind of the path of least resistance. My degrees are in philosophy and psychology. It just so happens that during college I found gainful employment doing computer-oriented work and discovered that it paid more than, for example, pursuing a career as a philosopher. So my status, my career path right now, allows me to be at least a freelance philosopher.”
Geo’s computer interest began at age ten or so, when his father brought home the family’s first computer. Much before that, however, he was a hacker in the broader sense. “When we were kids, we loved taking stuff apart,” he said. “Take it apart, figure out what it does, and then put it back together. It’s the same with computer programs or anything. I’ve taken apart chunks of my car. If there are screws involved? And I have a screwdriver handy? Generally, I have probably fiddled with it at some point.”
Where did he — or any hacker — find the confidence to engage disassemblies? “Things make sense. If you’re taking apart a car, you can’t reinstall one of the tires in the engine compartment. That just doesn’t work and the car wouldn’t go. I think part of the confidence comes from the nature of reality — things are what they are. Because of the law of identity, a thing is that which it is and is not that which it is not. Therefore, it has specific traits and properties, and these define what it is and how it interacts with the other parts.”
Geo obviously also enjoyed playing with language. I mentioned my dictionary. That’s when I learned about a hacker dialect, spoken (or, more commonly, written) by script kiddies, called “leet speak.” He asked if I had noticed his other handle, on his e-mail address. I had noticed a string of letters and numbers — “4mn0t1337.” But they hadn’t meant anything to me. “In leet speak, or script-kiddie speak, that translates as ‘am not leet.’ ” Or: “I am not elite” in plain English. “The ‘4m’ is ‘I am.’ (Fours are a’s in script-kiddie language.) The ‘n0t’ is ‘not.’ And ‘1337’ is, of course, ‘leet.’ ” (Ones are l’s; threes are e’s; sevens are t’s.) “So ‘am not leet’ is just a thumb in the face of these people who spend so much time talking about exactly how elite they are. It’s an attempt to differentiate myself as much as possible.”
Script kiddies, said Geo, were typically younger males, 14 or 15 years old, who have too much time on their hands and just enough skill to go to the Internet, download a couple of utilities or scripts, and deploy them. “Typically, too, they have a tendency to band together in a self-deluded sense of grandeur as part of some cyber gang that’s ‘kewler’ ” — that is, “cooler” — “than any other script kiddie gang.”
Would I be able to pick script kiddies out of the crowd at ToorCon? “You can kind of tell who these people are,” he said. “They’ve got a false sense of bravado and a malformed sense of identity that needs constant external validation, i.e., they’re always trying to prove something. They have not necessarily the highest sense of self-worth and do what they can to pump up their own self-image and that’s usually by talking about how ‘leet’ they are.”
Geo wasn’t irritated only by script kiddies, however; he had equally harsh words for their prey — the ignorant general public. “Most people don’t understand that computer security is an issue. It’s hard enough to explain to someone that it’s probably not a wise idea to make your password ‘p-a-s-s-w-o-r-d.’ It’s more common than you would imagine — that one, along with ‘,’ chosen by people who think they’re being clever.” He outlined unpleasant scenarios. “Say, for example, you get a brand spanking new cable connection and you’re thinking, ‘Oh, goodie. I can download e-mail real quick. I can download all my porn much faster than before.’ And you plug in the connection without any thought of what that connection might be capable. Then along comes some kiddie down the street, across the country, across the globe, who finds your machine wide open and naked. They can wipe out your entire hard drive. They can hijack your machine and set it up as a client of their own. After that, they can use it for a million nefarious purposes. And if you are engaged in said purposes, you don’t want items traceable back to you. But if you can capture a couple of hundred other machines and have them do your bidding, it’s not only harder to trace, it’s also a lot more difficult to circumvent.”
Script kiddies were certainly a threat to computer security, said Geo, but there was one consolation: their hits were random. “Unless you cut them off on the freeway, they’re not going to go after your personal system. If they happen to run across your machine, it’s kind of too bad for you, and you have to deal with it, and it’s a hassle. But typically you won’t be targeted by them unless you” — he laughed — “sit here talking about how inept they are.”
The bigger threat, said Geo, were the black hats, of course. He used the term advisedly. The colors were becoming meaningless. Many black hats were being hired as computer-security professionals like himself, and white hats were “crossing certain ethical boundaries.”
Looking but not doing? Was that what he meant? Not exactly. “Finding an open hole in a machine and jumping in, not necessarily to read people’s mail but to check out the network, to see what the security is configured like — that might fall on the black side; it might fall on the white side. There are certainly people out there who take the time either to fix the hole or notify the system administrator, saying, ‘Hey, you need to update patch X, because you’ve got this glaring hole in your system.’ Unfortunately, in the last eight months to a year, there have been a number of prosecutions on this kind of cyber trespassing, even if the intent was to try and fix things up. Seems like biting the hand that feeds you…”
7h15 15 g3771ng 71r350m3, pr073c7 j00r 5y573m5 — hyrax was there.
— hacked website of California Division of the State Architect, www.dsa.ca.gov, by hyrax, on January 9, 2000 (Translation: “This is getting tiresome, protect your systems.”)
who hacked the military with no skillz? i did baybee, i did. keep a lid on things while your gone….keep a lid on things..... ssssssh hyrax wuz not here.
— hacked website of Naval Command, Control, and Oceanic Surveillance Center, www.environ.nosc.mil, by hyrax, on the same day.
From archives of www.attrition.org
Hackers like Geo enjoy imagining systems that don’t exist yet. He told me about small, privately sponsored, periodic gatherings where he and other hackers speculate together on the future of systems. One of them takes place in the apartment of a hacker named “jsyn” (pronounced “Jason,” which does happen to be his first name). He lives in Orange County but has connections to the wider hacking community, including San Diego’s. Geo compared these meetings at jsyn’s and elsewhere to “the salons of the 1920s in Paris” for writers and artists. “It’s a bunch of people sitting around and discussing in some practicality and some theoretical aspects the problems in security and how to rectify them.” Keep in mind that jsyn’s apartment, for example, holds only 10 or 15 guys at once, he said. “But this is the kind of scale where all things start. Think of what came out of Paris in relation to the art movement.” Occasionally, Hulton and Huynh invited people to discussions at their loft. But jsyn’s was the prime regional example, in Geo’s opinion.
From both Geo and Peter Bartoli (who goes to the hackathons too) I received jsyn’s contact information. We had a phone conversation before we met at ToorCon.
“I was born and raised a missionary kid,” jsyn told me. “My parents were missionaries in a place called Miguel Alemán, Tamaulipas, Mexico. We have missionaries there from every different background. So I was born into that environment, in a small Texas border town called McAllen.”
Low-tech, was it? “The streets weren’t paved until recently.” Still, said jsyn, “I was always into technology. I always thought it was cool. When I was very young, we had a family friend in Chicago who ran an electronics shop. He supported us in our mission and would send us big boxes of spare components. And so, from about age six, I was taking these components and trying to build things.”
Much of what he built was related to physical security — that is, alarms. It’s a focus he attributes to growing up where he did. “An estimated 85 percent of all businesses in our county were drug fronts,” he said. “We were the number-two entry point for drugs into the nation, just behind Miami, and drug culture pervaded the community. I was exposed to lots of raids — FBI, ATF. Friends and their families got raided all the time. And so I made elaborate alarm systems for my bedroom when I was about seven years old.”
At the time, said jsyn, “There was no way my family could have afforded to buy a computer. We’re talking the late ’80s” — he was born in 1979 — “when a 30-megabyte hard drive was running about $7000. But then [the friend in Chicago] sent an old Commodore 64. I was 9 years old. My first computer. Sixty-four kilobytes of RAM. A very minimal machine. And I totally took to it. I learned the programming language that was built into it, which was BASIC. I spent time just playing with it. And that started it all. A few years later, when I was 12, we got our first IBM-compatible computer — a PC XT. I was always insanely curious about how things worked. And one night, just a few weeks after my dad bought it — for a lot of money, it was a $1000 machine — my cousin and I disassembled the entire thing. My dad walked in and he couldn’t believe it. So we had better figure out how to put this thing back together.”
Besides being a missionary, jsyn’s father was an entrepreneur. “My dad’s got an MBA. He has other degrees too, and one of them is in hospital administration.” (His mother was trained as a therapeutic optometrist.) “At some point, my dad started founding companies — home health-care agencies, nursing homes, day-care centers, adult day-care centers. He ran them on the U.S. side while still being a missionary in Mexico. There was a need for these things, and they all tied into each other.” But the big reason why he started the companies was because people needed work.
“People were getting saved — they’d come to know God — and there was no legal employment for them. They couldn’t get out of moving drugs for a living. So within three weeks of getting cleaned up, they had to move in order to find work. So the church was never growing, until my dad’s businesses began to employ many lesser-skilled people.”
The companies needed a computer network. The nearest contractors were in Alice, Texas — three hours away. “They’d come in, and then, in my after-school hours — I’m still in junior high at this point — I’d look at what they’d done and play around with the stuff.” When the second computer network was needed, jsyn asked his father if he could set it up. “I wanted the contract. I said, ‘Dad, I think I could do this one.’ ” He was 13 years old.
“And so I did it. And that trend continued, to the point where, when I was 15 and got my driver’s permit, my dad helped me start my first network-consulting company. I began to set up networks for businesses all over the region. I’d be all over the place, getting paid very well — a lot more than I am now, because there was such a demand. Back then, I could easily get $125 an hour.”
And school didn’t suffer? “I ended up missing a lot of school. Teachers were fine with it, as long as I did my work. And when I graduated, I was salutatorian.”
jsyn went to college “at a whole number of places,” after starting out as a triple major — physics, computer science, and business administration — at Oral Roberts University in Tulsa, Oklahoma. The list of places where he has taken classes since then is long: Tulsa Community College, Jerusalem University College, University of Texas at Tyler and at Austin. “I even took a web course from Brigham Young University,” said jsyn, who expects to get his diploma any day now from Tyler.
Would it be correct to say that he had “hacked” his education? (“Hacking: making a terrifically complex system do what it was not intended to do.” — Cybershock.)
jsyn, whose triple-major idea had been nixed by the business department at Oral Roberts, said yes. “I have been somewhat disgruntled by the whole educational system all along. I wish it worked differently. It’s hard for hackers to stay in school. It’s so boring. It seems like such a waste of time. It’s so academic, not practical, especially in computer science, but I understand it’s that way in many fields.”
His college dorm room was the first place jsyn held a hackathon. “For years now I’ve held hackathons wherever I have lived. I still hold them every month and a half. We’ll get together and hack on something for, usually, a 17-hour period. People come over at around three on a Saturday afternoon and stay until eight or so the following morning. We discuss brand-new attack concepts; we design new defenses. We discuss new ideas for pieces of code or build better security-analysis tools. Everyone brings their laptops. We have a lot of machines there. Just in my apartment living room right now I’ve got about 45 servers. The number has been much higher. When I was living in the dorms, I often had 70 machines in my dorm room.”
Why the marathon aspect of hackathons? “With hacking, you get into a groove, where you have loud techno [music] in the background, and you’re hacking away at the thing. It’s taken you 8 hours just to get the focus and your head wrapped around a specific piece of code, and you don’t want to lose that focus. So then you might just continue working on it for another 20 hours.”
It sounded like the creative process.
“I’m a musician,” he said. “I play about eight instruments. I’ve had formal training on the piano, which I never liked, but my mom forced it upon me, and now I’m not sorry, because I absorbed a lot of theory through it. I mostly play bass guitar now and sing. I also do turntablism. It’s the whole percussion through scratching. [He imitated the noise with his voice.] Really advanced scratching. I have a small studio in my apartment, where I can work on that stuff.”
jsyn told me he was a skateboarder too. What he was really trying to say was this: “I’m definitely not a geek. I don’t like the idea of geeks. I don’t spend social time on my machines. I use machines as a tool to do other things. And I try to get other hackers not to be geeks. It’s not about computers for the sake of computers, or technology for the sake of technology. It’s what you do with it — accomplishing a larger mission, whether it’s political, social, whatever. So I’m about bringing people over to the more serious side.”
To get hackers to be less geeky, jsyn invented something he calls the Cypherpunk Wargames. “It’s a type of training event. It’s an all-out Capture the Flag, both over the network and physically. It’s training for being a hacker and thinking like one in real-world environments.” The next one would take place in Julian. “You’re out there with wild animals, snakes, whatever. You get very little sleep, maybe an hour or two or three a night. We’ll take up to 60 people, with six diesel generators and 70 machines.”
jsyn was frustrated, however. “I usually come up with ideas that are a lot bigger than me, and I can’t just do them by myself. But I find there aren’t that many committed people willing to join me.”
Information about the Cypherpunk Wargames was posted on jsyn’s website, www.nthought.com. The domain name is short for his think tank’s actual name, Network Thought Co. Through it, jsyn gets his paying gigs. At the time of our conversation, he was six months into a one-year contract with a company that I agreed not to name. In general, he said, “I work for myself, doing enterprise network design for, maybe, 50,000 computers, very large-scale stuff for which I design the security architecture.”
Did he find that computer crime was increasing? “It’s hard to say, because it’s hard to say what a crime is. That’s a big sticking point for most hackers. I look at it this way. Two people could do the same thing, and one would be committing a crime and one wouldn’t be. For example, bringing down some remote server through a security test you were running, as opposed to intentionally bringing it down to cause harm to the company.”
jsyn began to complain about buggy programs. “The big problem is, we’ve got a massive software industry that’s developing software as rapidly as possible. Developers who don’t know anything about security are writing code. Or if they do know something, it’s not enough. Or if they know enough, they’re pressured to get things out so fast, they’re not doing the quality-assurance testing to make sure it’s reliable.”
They’re producing faulty equipment? “Listen to this analogy. I didn’t come up with it. But I think it works. Say you have a vehicle; it’s a Pinto. And if someone rear-ends you, the car will explode.”
And your enemy knows the weakness and rear-ends you.
“So who’s at fault? Well, sure, it’s a shared fault. But if you’re the manufacturer, you shouldn’t keep producing the Pinto. The question is: Why hasn’t the public rallied up a cry against software vendors for liability? I think the vendors should be liable if their programs cause customers to lose data, etc. But when you purchase a copy of whatever, as you install it, you’ve got to click through a disclaimer. And so more and more, inferior software is being produced, and it’s very hard to do security right.”
If programs weren’t buggy, would we be able to achieve real computer security? “I debate this a lot, within myself and with my girlfriend,” said jsyn. “She’s not from a technical background, but she’s very smart. Sometimes I take the view that the security industry in general takes, which is ‘We are about building protocol, building systems, mechanisms for doing things such that they cannot be subverted.’ But, you know, that isn’t real life. In real life, we have no physical security such that it can’t be subverted. Not to be sensationalist, but we cannot protect the United States from terrorism, for example. There is no way we can ever stop it. Terrorism by its nature is always going to win. If I wanted to blow up some building, any building in the U.S., pretty much right now I could. I’m not saying that as a threat or that I have the specific knowledge. But a determined individual willing to risk suicide could carry that out. It’s the exact same thing with network security: if you wanted to attack any major company, you could. You would get through; you would succeed.”
And you wouldn’t even have to lose your life. “You never have to be somewhere physically in this networked realm. And there are always things you can do to make sure you aren’t detected. If you don’t have an ego problem, if you don’t have a pride problem, if you don’t talk about it, there are many ways through the networks that keep you entirely anonymous.”
Was the situation apt to get better? “I look at the general state of our society, and I don’t have a very bright depiction of the future. It will always be interesting. There’ll be tons of stuff to hack on. But I don’t see things getting any better. And sure, we have bright moments, and I try to help bring us there. I’m involved in lots of efforts. I’m involved with outreach that is very unlike what traditional churches do. It’s more like just trying to follow basic tenets: show love, show kindness, be helpful.”
jsyn said he realized some people thought his hacking activities conflicted with his spirituality. “People think the two are mutually exclusive. ‘How can you be involved in something where some of the people are associated with criminality?’ Except that I don’t see it that way. I see it as being a science or an art. It’s just like anything else: there are morals to it. There are ethics. So I try to follow mine. I also try to not let hacking consume me. While I want to stay passionate about it, I want to make sure I spend time with my other interests and with what really matters — my family, my friends, and God.”
Q: What do you think about the possibility of computer terrorism?
A: Yeah, I guess it’s possible. I mean, I’ve done some health-care stuff, and hopefully it’s being cleaned up by now, but you know, just an example, there was a company that is probably one of the biggest 911 response providers in the United States. They do ambulances, things like that. I went to one of their key offices to do an assessment. I wasn’t even in the building yet — I was out in the parking lot. I turned on my laptop, put in a wireless network card, and a couple of tools. David Hulton wrote this code called DStumbler. I used that to scan the network to see what was going on. I found this wireless access point, accessed a network operations center for this particular company, and took over a 911 call system. I also gained access to all the patient data.
Q: You hadn’t even introduced yourself?
A: Well, we had told them we were coming. But yeah, before I stepped foot in the building, I could have inputted audio into a telephone conversation, or I could have just stolen whole conversations, or ended a conversation if I had wanted to.
Q: Or edited one?
A: Yeah, exactly. You can use your imagination with what you could really do with all that. And since this company had a wireless access point? Anybody with a similarly configured laptop could discover it. The tools are freely available. A lot of people hook up a GPS [global positioning system] on their laptop, put in the wireless network card, drive around, and when they pick up a radio signal with a station identifier for this particular access point, they get an input from the GPS device that tells them the specific coordinates. And then a lot of time people post those to a website. So then you can just go browse your particular geographic area, find out what access points are around, and go investigate them yourself.
— author’s conversation with Klinge-C01
A few nights after my conversation with jsyn, and the night before ToorCon 2002 was set to begin, a hacker named “prole” — short for “proletariat” — agreed to meet me at a coffeehouse in Pacific Beach on his way home from work. Geo had provided me with “clearance.” prole was another security professional, but there was something about his website, www.redgeek.net, that made him seem more mysterious than the others. For one thing, I couldn’t get past the entrance. It was for invitees only. And when he asked me not to use his real name, he explained his reasoning obliquely: “I don’t use a handle to protect myself. I use it to distance myself from people who don’t know me. Those who do know me know where to find me.”
Geo had told me that prole possessed “mad” skills, meaning a set of pretty impressive ones. At def con, prole’s team had won the Capture the Flag competition more than once. In fact, last time they had not competed; instead, they had run the contest. I had asked Geo for a physical description of prole. He said, “He’s five eleven, has a little goatee, and the last I saw, his hair was cut short and it was blondish brown.” When I arrived at the coffeehouse about ten minutes early, I saw someone with a goatee sitting at an outside table eating a muffin and drinking coffee as he read. But, well, he just didn’t look like a nerd. (I mean, the average computer guy, when something goes wrong? He freezes up. “What do we do now?” It’s part of being a nerd, and we’re all nerds. — Jeremiah Gowdy.) This guy was muscular. He had a well-developed upper body, a chiseled jaw, good posture. He did not look like someone who would ever ask anybody, “What do we do now?”
Anyway, I didn’t recognize him, and taking a seat at a table a few feet away, I waited for the appointed hour: eight o’clock. On the dot, my neighbor made a call on his cell phone; mine rang. Yes, it was prole calling my number, with a satisfied smile, his small experiment having proved his hypothesis. (Later, relating this to other hackers, I would be told, “That’s a very hackerish thing to do, you know.”)
prole came to San Diego from his hometown of Phoenix in 1994 for the five-year computer science degree at UCSD. Currently he is in charge of security work for a company in which he is part owner. “This is about the eighth startup I’ve been involved with since I was 18,” said prole, who is 26. “Some have fizzled on the spot, some have gone on for a while, some I’ve sold off.” He also said, “I like working with small groups, setting my own hours.” He claimed to work as little as possible, yet he hadn’t taken more than three- or four-day vacations since leaving college.
prole said he began coding in BASIC when he was six, creating “small adventures” for himself on the computer. He had already mastered all his computer games. “I only had five of them. I didn’t have the money to buy new ones, and my parents wouldn’t buy them for me. It ended up being good for me,” since he learned to invent his own. His only sibling, a younger sister, “is not as much of a geek as I am, but she has some geek blood in her,” said prole.
We talked about the tendency of hackers to take things apart. “I broke so many toys,” said prole. “But my parents were smart. They made sure to buy me lots of Legos and Erector sets. They’re built to be broken.” (Later, he would make this comparison: “Programming is like building something with a bunch of invisible Legos — an infinite supply of them, more than in any Legoland.”)
Like jsyn, prole stressed his interests beyond computers. Ten to 20 hours a week, he said, he trains in shorinjin ryu saito ninjitsu. He has studied other martial arts. “But if there’s one I’ll study for the rest of my life, ninjitsu would be it.”
(Not a few other hackers, I would discover, have an interest in martial arts.)
I mentioned to prole one similarity between martial arts and computer security: the offense-defense aspect. “But that’s just the external manifestation,” said prole. It was “a side effect.” What interested him in each pursuit was “the internal gratification.” There was “a mental component” to both, and both involved “adaptive problem solving.”
I asked prole about his ethics. “I’m sure I’ve been places I wasn’t supposed to be,” he said without elaborating. But he was never interested in “breaking into a machine” for the sake of the data, he said. For him the reward was his discovery of how a system worked rather than the potential capture of some content-quarry.
Content is, of course, what many of his company’s clients want him to protect. “Trade secrets, financial data, human resources information, programs they have written… There are also large data stores, like mailing lists and weird collections of information on consumer habits that it cost these entities a lot of money to compile and they don’t want it available to people who have not paid them for it.”
“Data harvesting” is the term hackers use to describe the act of stealing company secrets. Black-marketing the harvest comes next.
These companies must have faith in prole, since they give him the keys to the kingdom. (Of course, he really doesn’t need them.) “A lot of legal faith is what it comes down to,” he said. “There are boilerplate contracts stating what we are allowed to do and what we aren’t.” Some contracts, for example, state that “only sanitized versions of data” can be taken away from the site — that is, a pseudonym must replace the company name and fictional substitutions made for telltale descriptives.
It seemed right: multiple identities for a company being protected by a hacker, since the hacker probably had multiple identities too. Not that prole got into a shirt and tie for work. He was wearing a black T-shirt and black shorts with sandals. (Black is the default color of clothing for hackers, I would deduce at ToorCon, no matter what a hacker’s ethical persuasion.)
In contrast to prole’s small company, some large computer-security firms boast that they don’t hire hackers. We agreed that they probably did. (Other hackers would tell me the same thing: “Companies who claim they don’t hire hackers, do,” said one. “Or else they’re lying. Or else their definition of ‘hacker’ is ‘someone who’s been caught.’ But,” he added, “they have to hire hackers because the competent people are the hackers.”)
prole said there was confusion here, because some people were “concerned about the morality of the industry as a whole.” prole himself was not concerned. Nor was he concerned about the morality of any other hacker except himself. He likened the hacker world to a party, where some people might be there merely to try to pick someone up, while others were in the bathroom snorting coke. Same party. Different levels of activity and illegality. “It’s an anarchistic world.”
But all these people could be anarchistic, individualistic, suspicious of authority and the mainstream, and all the rest that seemed to be true of all hackers — but without tying it together with computers, couldn’t they? True, but all the members of this group liked “to play with things in their head while maintaining a degree of communication with similar-minded people.” They were, after all, social beings, just like the rest of us. And computers were a “communicative” medium. “That’s what makes them viral.”
Viruses reminded me of the script kiddies. Since they sounded so thoroughly obnoxious, I wondered how hackers like prole tolerated their presence at places like ToorCon. prole said they did because a script kiddie here or there might “get it” and become a real hacker. prole found their presence useful for another reason: they were “something to check myself against.” For example, hearing some braggadocio of his own, he might remark, “ ‘Did I just say that? I sound like a script kiddie.’ ”
In any case, he said, it was the nature of script kiddies not to last long on the scene. They went on to something else, another pursuit, where they would seek again the respect they sought among hackers but had failed to get because of lack of skill. “Technically they are weak.”
And the technically adept? They could be either good guys or bad guys? Yes.
And like rival team members, they respected one another? Yes, again.
Speaking of rival teams, I asked about RootWars. Should I spend much time watching it? He said that all I would see would be “a bunch of people in a room typing. It’s not a spectator sport.”
Nor is hacking. Maybe I could have arranged to watch a penetration test or something; but I sensed it would have been like watching someone type, or read, or think, or all three at once, at best. (Or worst.) So I never sought an invitation. I didn’t yet know it, but in the end, I would truly see…nothing. Nobody ever does, except the hackers themselves. (Hence, the need for boasting.) The rest of us see only the results.
Hackers are like God, I was beginning to realize. God, the ultimate hacker, has hacked into all of us. Of course, some believe He’s only watching, not directing…
For a while that evening, prole and I struggled to find an analogy for computer hijacking. It wasn’t exactly as if a person had used another’s car to commit a crime. He agreed, “because you can still be driving it at the same time as the hijacker.”
Analogies failed me all along in attempts to understand hacking in the world of computers; car analogies notwithstanding, there simply has never been anything quite like this in the physical world. If you get under the hood of your car and tweak something, it’s going to affect only your car; it won’t affect anybody else’s.
As prole and I stood in front of the coffeehouse, ready to say good-bye, I asked a final, offhand question: what kind of car did he drive? I was suddenly curious about what a hacker would choose.
“A reliable one,” prole said with a smile before he turned and walked down the block into the darkness.
And so, as prepared as I would ever be, I went to ToorCon 2002. An hour or so into the opening party at the Bristol on that Friday night last September, the noise level rose. Someone had set up a laptop and was projecting video images onto the back wall of the ballroom. A group gathered under the rolled-back roof to watch old footage of the Sex Pistols; a karate chimp; a penguin waddling along, then falling through the ice.
One longer clip showed a breakfast scene in Japan, in which a family got ready for school and work. Into the kitchen walked the teenage son, a rap artist. He wore the clothes, made the moves as he rapped. “Nigger” and “bitch” were frequently among the subtitled lyrics. Soon the whole family had joined him, rapping.
The crowd found it very funny.
Another clip showed Christmas morning in an American household. The family opened gifts. A little boy in a bathrobe unwrapped a saber made of light. He started slashing the air; cut his grandmother to ribbons. A crowd favorite, the Christmas clip ran repeatedly. “That’s beautiful. Everyone should have one of those,” somebody said.
I surveyed my fellow partygoers. Who were the good guys? Who were the bad? Who were in-between?
Looking for clues, I read T-shirts, many of them black, naturally. (“def con iii. Why? Because We Can.”) Tim Huynh, behind the welcome desk near the elevator, was handing out black ToorCon 2002 T-shirts to every registrant. Only he and Hulton wore ones that were bright blue. And all the security guys wore red ones.
When Peter Bartoli arrived, he pointed out the red-shirted Jeremiah Gowdy. (I had met Bartoli for the first time a few nights earlier, when he invited me for sushi.) Gowdy was, indeed, a big guy but looked as if he had grown big only recently and was still getting used to it. His hair was trimmed close to his head; his mustache seemed like a new one — very sparse. He swaggered like a rookie cop.
Bartoli has a small build. His style is clean-cut, albeit with an earring in one upper lobe. He knows how to make good corporate eye contact. On this evening, he was dressed as he was when we had gone out for sushi — simple jeans, polo shirt, running shoes — as if collegiate had been a habit of his for years. In actuality, he told me, “I used to dress like a punk rocker — purple hair, the whole bit.”
We discussed words. We discussed the word “underground” and what it meant. It was not synonymous with “malicious.” Still, he said, “you shy a little bit away from it.”
I told Bartoli I had met prole. Did he know him? He did. “He’s very smart — someone who has ideas that are newer and fresher than those of the rest of us. He’s one of the GhettoHackers, you know.”
Bartoli told me about this group, headquartered in Seattle, with members worldwide, several in San Diego. “You have to be invited to join.” Bartoli had not been invited but wanted me to know that he had set up their sound system at def con when they ran Capture the Flag last August.
It sounded to me like a hacker fraternity. “The hacker world is one of the most intellectually snobby,” said Bartoli. “It’s all about knowing more than the guy next to you. ‘Are you up to snuff?’ ”
Or maybe: “Are you leet?” (Am not leet. — Geo.) Apparently, prole truly was leet.
Bartoli didn’t stay long. He needed to distribute invitations to his Alphafight launch party to be held the following evening. He planned to go from bar to bar. He wanted women to come. “I don’t want it to be a sausage party,” he said. Before he left, he introduced me to Geo.
Geo was wearing a sophisticated black leather coat. His hair was dyed blond. He had a goatee, much like prole’s. As he watched the penguin fall through the ice, he laughed, then apologized for being amused. “It wasn’t funny until the third time.”
I thanked him for the introduction to prole the GhettoHacker. I asked Geo if he was one. He said no, adding with concern, “You shouldn’t ask people that, you know.”
Why not? Geo really didn’t say. He didn’t want to talk about the GhettoHackers, but I persisted. I wanted to learn more. The group seemed to be an important aspect of the hacker story — being “leet” and all that.
Geo said he would make inquiries to see if one might speak to me over the next couple of days.
…A lot of people in the community are paranoid. Really paranoid. But sometimes they’re paranoid for no reason.
Q: But why are they paranoid at all?
A: Because they don’t want to end up being on some blacklist somewhere. And I wouldn’t be surprised if my name was on that list.
Q: But where is such a list?
A: Maybe in the government somewhere. I couldn’t tell you. I’ll just give you one little example. There’s this one San Diego hacker type and we could probably consider him part of our clique, because he’s very academic, master’s degree from UCSD and things of that sort, but he is so paranoid that he will not use his real social security number for anything. When he spoke at the Black Hat Briefings in Las Vegas, he asked me if I could register his room for him, so he wouldn’t have to give them his real name. And also, with Black Hat, they pay the speakers $1000 apiece. He didn’t even want Black Hat to know his real name, so he went to our other friend and asked him to set up a corporation, so he could launder the money through the company, so he didn’t have to have his name on there. It was something really radical and strange, and my friend told him to forget it.
— author’s conversation with San Diego–based hacker “bind”
At the opening party, I also met another ToorCon speaker, Saqib Khan, a 34-year-old hacker from Miami Beach who runs his own computer-security business, Security V, Inc. He uses “Khan” as his handle, since “people think it’s an alias anyway,” he said. He was born in Pakistan, grew up in Alabama, and has degrees in electrical engineering and computer engineering from Alabama’s Auburn University.
Khan was suave in sloganless black. But I couldn’t help imagining that he hadn’t been quite so suave in Alabama as a new immigrant. He had arrived in this country when he was an adolescent.
The subject of his talk, he said, was “stealth data dispersal.” It would cover something called “Moon-Bounce,” according to the ToorCon 2002 program in my hand.
“It’s about virtual storage, using the Internet’s own traffic,” said Khan. “The data is not in our physical space. The data itself is virtual. Say you have a file that you don’t want to keep in any one place, in case, God forbid, something happens to that place. This technique drops it on the wire and keeps it bouncing around. You can get it possibly to bounce infinitely. In testing I bounced things off Fiji and New Zealand, China and Mongolia. There’s a trick where you can double the bounces —”
Who had a need for this? It seemed like a simple question, but to Khan it wasn’t.
“That’s a good one,” he said, laughing.
Well, would it be someone with legitimate purposes, or — ?
“That’s like asking, if I gave somebody a handgun, was it legitimate for him to have it.”
But who might be out there waiting for this tool?
“It’s not just bad guys,” said Khan. “When your civil rights get infringed upon, you might want to use this yourself. As things get out of hand, as government and other agencies are becoming more proactive in monitoring communications, people are diving deeper into the innards of the Internet to hide or submerge data. But I didn’t say one night, ‘Hmmm, I’m going to develop this, because X, Y, & Z need it.’ ”
He had just been playing around? (Just playing around — that’s how hacking starts for everybody. — Tim Huynh.) “Yes, completely. Plus, I was tired of hearing the same old crap, being on all these mailing lists. ‘We’ve just done this.’ ‘We’ve broken into that, and used these tools.’ ‘Oh, we found another vulnerability and have exploited it.’ Big deal. I mean, if you take a hammer to a house all day, sooner or later, something’s going to give. That kind of thing is seriously frowned upon by all real researchers, by the way.”
I told Khan I had been wondering about cyberterrorists. What was his perspective? “I think there’s not more than several hundred people on this planet who are capable of wreaking havoc in the Armageddon sense,” he said. “I could be dead wrong, because nobody advertises. But I’ve seen something called the Honeynet Project, which is a system that looks like a normal system; it’s set up to watch hackers attack. I’ve read some of their data, and there are very few people who specifically know what they’re doing. The rest are script kiddies.” Still, said Khan, “it’s my understanding that most countries now have cyberwarfare teams in place.”
Even ours? “Of course. We invented the stuff. We’d better have one. One thing I noticed at def con was lots of Israelis around. Many of them wouldn’t admit that’s where they were from, though.”
As Khan continued to talk about “geopolitical ramifications,” my mind wandered off to Ben Greenberg. Had he really gone to rabbinical school in Israel? Maybe he hadn’t. Maybe he had become a hacker for Israel… But if he had, why had he returned?
“All the smart people are already doing it,” Khan was saying when I tuned back in. “I remember bidding on a job at Raytheon, and the first thing they said was, ‘We don’t want Checkpoint Firewall.’ Why? ‘Because it’s made in Israel. We can’t trust security software not made by us or unavailable for review by us.’ That’s an important statement. What should happen is that anybody with any smarts will want their own encryption people. It’s like the Enigma stuff from World War II, you know? If you’re at war —”
You don’t want your enemy to have made your Enigma machine.
“And if it can make your Enigma machine, you’re in big trouble. And there’s nobody talking about this stuff, and it’s definitely happening.”
I met a few more people that evening, two of them former SAIC colleagues of Peter Bartoli’s. (“My boss would not come to a hacker conference,” one said. “Mine would,” said the other, “except he’s too busy. But he’s glad I’m here. He knows I’ll have my ear to the ground.”) But I didn’t hang around. The room was too big for a party, at least one like this, that had no center; most of the 250 attendees weren’t arriving until tomorrow, anyway; and the talks would begin fairly early in the morning.
On my way out I saw David Hulton walking purposefully somewhere, shoulders slightly hunched: a meditative operator. I asked him how to reach Ben Greenberg. It would be good to get his perspective on ToorCon’s beginnings. Hulton whipped out a tiny cell phone and read me Greenberg’s New York number from his palm. The two friends obviously were still in pretty close touch.
Q: Do you feel you’re part of the computer underground?
A: Yes.
Q: But you work for a corporation now. So you really have a conflict.
A: I know.
Q: It can’t last.
A: It’s called denial.
— author’s conversation with bind
ToorCon’s Saturday and Sunday events — the talks and RootWars — took place a few blocks away from the Bristol, at the Westin Horton Plaza hotel, second level. When I reached the top of the stairs on the first morning, I saw a sign on an easel. It was an announcement of a presentation sponsored by Bayer, the pharmaceutical company. “All Your Ibuprophen Are Belong To Us,” someone had scrawled across the sign, in the manner of hackers who deface websites.
(I thought, like any uninformed person would, that the graffito was a grammatical misstatement; actually, it’s a takeoff on a line from a badly translated Japanese computer game. The original was “All Your Base Are Belong To Us.” It’s been turned into a variable slogan by the ever-language-conscious hackers.)
On a table nearby I saw name tags; but they had nothing to do with ToorCon; they were name tags for MDs. What misfortune for the doctors who occupied space adjacent to the hackers. A conference on infectious diseases was in town.
Jeremiah Gowdy had walked up the stairs behind me. He laughed when he saw the Bayer sign. “Excedrin is my hero,” he said. Then he mumbled: “That lady was mean to us.”
Two vendors, guys named “Bodoman” and “Mother,” were set up in the hallway to sell computers, computer parts, and other junk, new and used. Another vendor was selling T-shirts: “Talk Nerdy To Me,” “Carpe Noctem (Seize the Night),” “Your Computer Sucks,” and “Got Root?”
I recognized some people from last night; others I had not seen before. A few of them had spiked hair and metal-studded jailhouse pants; one or two looked like middle-school students. Several resembled characters from Fight Club, the 1999 movie. Based on the Chuck Palahniuk novel, it portrays Project Mayhem, which is a plot to destroy the financial system. Guys who joined Project Mayhem wore black paramilitary garb, blew up things, and beat up each other as a way of bonding. Their leader, played by Ed Norton, was a split personality; Brad Pitt was his alter ego, as cool as Norton was nerdy.
I had been reading about el8 (read: “elate,” a play on the word “elite,” perhaps), the malicious hacker group that targets ethical ones for spoiling all the fun; the web news stories said they had adopted Fight Club mentality and motifs. They even called their project “Project Mayhem.”
I studied my program. In addition to RootWars, ToorCon sponsored a scavenger hunt. Items could either be collected or captured by a camera. Collectible ones included “left-handed mouse,” “FBI badge,” “pink wig.” Those that needed to be photographed included “downtown view from the Hyatt hotel roof” and “someone dry-humping the Cabrillo statue.” In the case of the downtown view, getting to the roof was the tricky part. In the case of the statue, it was convincing someone to perform the dry-hump. In each instance, successful scavengers would need to be skilled at “social engineering” of a kind. (From my hacker dictionary: “Social engineering: Term used among crackers for cracking techniques that rely on weaknesses in wetware [i.e., human beings] rather than software; the aim is to trick people into revealing passwords and other information that compromises a target system’s security.” It was, in other words, a hacker con game.)
Hulton and Huynh had rented three large rooms — one for RootWars and two others for the talks in two tracks. In the room designated for the keynote address, people had already taken scattered seats at long narrow tables covered in white tablecloths. Many in the audience had laptops open, screens glowing. On somebody’s closed laptop cover, I read, “Cryptography is not a crime.” On the back of a T-shirt I read, “www.3L3M3NT.com,” proud of my ability to translate “3L3M3NT” as “element.” I took a seat behind the La Jolla father and Qwertykey.
Hulton hurried to the front of the room, his tiny cell phone to his ear. He was still talking on it as he reached the podium to introduce Jay Dyson, a senior security engineer for the National Aeronautics and Space Administration’s Jet Propulsion Laboratory in Pasadena. The program also described him as someone who “spends most of his spare time collecting viruses and worms for fun and entertainment.”
“I’m David Hulton — h1kari,” said our leader, who introduced Dyson as someone who had spoken at ToorCon 1999 and at the last one. “He’s a really knowledgeable guy,” said Hulton. (Introductions would never be much longer at ToorCon.)
Dyson’s topic was “The Myth of Cyberterrorism.” His black T-shirt said, “Know Your Limitations. We Already Do.” It was the slogan of his website clearinghouse of security information, Treachery Unlimited — www.treachery.net. His paunch and out-of-date glasses pegged him as a ToorCon oldster, but his haircut was a boyish sugar bowl.
He illustrated his talk with visuals displayed on a screen by his laptop, as at many a corporate seminar. His main point was, “Blowing up things is easier than hacking,” and it’s worse on the victims. Not to mention the survivors. He showed gruesome images of the work of suicide bombers in the Middle East. He also showed a screen that was two abbreviations only: “WTC vs. WTF” — the World Trade Center versus “what the fuck?”
“We all know what happened on 9/11,” he said, but how many of us remembered what happened on 9/18? “It was the worst netwide attack in history. Nimda [the worm] hit. But it has left no impression.”
Dyson said he agreed with William Church [of the Centre for Infrastructural Warfare Studies, with offices in London, Singapore, and Buenos Aires, Argentina]: “Terrorists aren’t ready for infoterror.”
“Terrorists,” said Dyson, “don’t experiment with or trust new or unfamiliar technologies.” The Irish Republican Army had “computer-oriented cells. They are capable of infowar but don’t choose to use these tools.” Like our own current foes, they were “antitechnology.”
What we have to fear, in his opinion, is the “Incredibly Big and Scary Nothing.” He blamed the media for sensationalism: “If it’s not pedophiles on the Internet, it’s terrorists.” And although the audience was full of computer-security-industry people, he added, “Nobody in the know is panicking unless they’re selling something.”
Script kiddies weren’t terrorists, and what they did was merely annoying, not terrifying, said Dyson. He went on, familiarly, about vendors who sold bad hole-filled programs and stupid users who didn’t protect themselves. “Users are still held blameless for their conduct,” he said, decrying their “learned helplessness.” All that had to change.
A question-and-answer period followed, but most people were mute. Khan pointed out that computer-savvy people were engaged in the ongoing India-Pakistan conflict. Dyson brushed the comment aside: “Just kiddies picking off the low-hanging fruit,” he said.
Outside in the hallway, I didn’t see the doctors’ conference people or their table anymore. I did see jsyn. Someone had pointed him out to me at the Bristol the night before, but I would have recognized him anyway from photos of hackathons that he had e-mailed to me. He wore beads around his neck and a woolen cap snugged down on his head; it was like the cap he was wearing in all the e-mailed photos. I asked him about a comment Dyson had made in passing about hackers mostly being atheists. “Well, the truth is, they are,” he said. He had a trim, muscular body, smooth-shaven face, and gentle manner. I would see him off and on over the weekend, on the sidelines by himself, quietly observing. Like Khan, the immigrant in Alabama, jsyn had been an “other” in Texas — one of only two or three non-Hispanics in his graduating class, he had told me. I had read on jsyn’s website that Cypherpunk Wargames players were not allowed to bring alcohol and drugs. In a world where indulgence was the norm, that, too, would set him apart. And hackers were indulgers. From prole I had heard a warning about alcohol: “Be prepared to see a lot of drinking at ToorCon.” I was already beginning to notice early drinking upstairs in the conference rooms themselves and downstairs in Westin’s pub. And Peter Bartoli had made this point about hackers’ favorite drugs: “Everything from ecstasy to cocaine. Hackers are inquisitively minded. They don’t go in for conventional wisdom, and they are experimenters.”
I tagged Khan and asked him what he had thought of Dyson. “That guy’s smoking crack. I trade daily. What would be the impact of hackers on the NYSE [New York Stock Exchange]? They wouldn’t have to disrupt the trading. All they would have to do is interrupt the climate control. If they raised the heat, the computers would cease to function. It would be havoc and ruin.” Financial ruin. “The people who can do real harm are choosing not to do it.”
We entered the room next door, where the RootWars players were competing. Yup. Just people typing. They sat at round tables, groups of young men and a few boys. While some typed, others leaned over their shoulders, watching, not speaking, like people watching chess players in the park. Low-volume music was coming out of somebody’s laptop speakers. Khan said, “Watch the quiet, more low-key group.” But every group seemed quiet and low-key. “Just sit.” We sat at one of the unoccupied tables. “It’s about power,” he said. “See those guys? They’ve already figured out how to get up on the roof of this building. I was up there with them. They’ve also already gotten into Westin’s LAN [local area network], so they’re using it for free. See this?” He held up a white computer cable lying on the table; it was meant to be used for Internet connection. “You should never plug a laptop into any connection at a conference like this, unless you’re heavily encrypted. People are always sniffing the traffic at these things.”
Was Khan encrypted?
“I don’t use it. There is no need for me. There’s nothing I’m discussing that’s of any nature that needs to be encrypted. Even if I did, I wouldn’t be discussing it with anybody.” He laughed. “But even if you encrypt it, the NSA [National Security Agency], as I’m sure you’re aware, has more than enough power to decrypt most things. To be encrypting things is asking for trouble nowadays.”
He could encrypt just to annoy them?
“I don’t like to annoy people, so I’m fine.” More laughing. “There’s no reason to annoy anybody.” He continued laughing. “You know, being a Pakistani-American, and with all this crazy stuff going on over there, and the icing on the cake is that I’m involved in some interesting aspects of technology, I wouldn’t be surprised if, you know —” Yet more laughing.
Was his laugh a nervous laugh?
“Well, I mean, we all laugh about it.”
Because everybody needed to keep a sense of humor? Or because —
“Yeah, well, I mean, what are you gonna do? It’s a very interesting situation. And one never knows.”
We looked again at the “quiet, low-key” group. They did not appear to be guys you would want to bring home to meet the family. One skinny guy wore a woolen cap, something like jsyn’s, except it was dirty looking; he was also wearing wraparound sunglasses in a room that was dimly lit to begin with. His whisker-peppered chin was as pointy as a sinister Dick Tracy’s. On the table beside him was a small dish antenna, its diameter about the size of a pie plate.
Khan started to explain about what that dish could do, then interrupted himself. “See that kid?” He referred to a chubby boy at the elbow of the guy with the dish. “He’s 13. The kid knows what he’s doing,” said Khan. “I can see from here he knows.” Apparently, hackers saw things I didn’t. “But see that other guy in the green baseball cap? He won’t talk to you, but he’s the one you should try to talk to. His name is Dorian.”
When Dorian walked by our table a few minutes later, I pursued him. “I’m sorry, I can’t talk to the press,” Dorian said politely, as if he had spoken the line many times before; he didn’t break stride.
I returned to Khan. We surveyed the rest of the room for other prospects. Khan predicted that none of them would be game for an interview either, and his prediction turned out to be correct. “Some of these guys have real jobs, and it’s a no-no for them to be doing some of this stuff,” he said. Then, under his breath: “I’ll shoot myself if I have to get a real job again.”
Beer Patrol. This year all the proceeds from drunken whores shirts sales, will go to the DrunkenWhores beer patrol, more or less there will be at least one person manning a portable keg, during all major defcon events… how can you enjoy defcon without beer? and how can you enjoy beer when it’s $4 a bottle? well, you can enjoy it when DrunkenWhores gives it out for free. Also on a side note, if all goes well I will be speaking on Windows Internet Server Security, so everyone check that out-Humperdink
From www.DrunkenWhores.com (“where liquor and mischief fuck”)
Throughout my two days at ToorCon, I bypassed talks that sounded over-the-top technical — for example, “IKE Security Problems with IPsec VPNs” — even though they were given by the colorfully handled likes of “tommEE pickles,” “DJSweetSensation,” and “Mr. Rufus Faloofus.” Instead, I chose to hear one given by a hacker who wanted only to be known as “Jon.” (It wasn’t his handle; nor was it his real first name. He didn’t want either associated with what he had to say.) The talk promised a narrative. It was titled “Forensic Shortcomings in the Prosecutorial System (Why Not to Get Prosecuted 101).” It was to be the story of his prosecution for a computer crime he had committed in San Diego County.
Of all ToorCon attendees, Jon looked the least likely to have had trouble with the law. In shorts and T-shirt, with his brown hair neatly trimmed, he looked like an earnest college student on a study break. In fact, he is 28, with a wife and two children; he was 23 when his legal troubles began in North County.
He had been helping a former coworker at one of the North County municipalities — he didn’t name it. (Later, however, he revealed to me that it was Vista.) While showing his former coworker some “basic security components,” a server crashed. No matter that it was down for only an hour; Jon had caused it. What followed was “an avalanche.” He was charged with two felonies. After a plea bargain in which the charges were reduced to “attempted unauthorized access” and fines and attorney’s fees were tallied (total: $35,000), he had some advice for local hackers. “Do not maintain informal relationships” was one. “Get everything in writing” was another. Not doing so was his first mistake when he had decided to test the Vista system for security weaknesses. Beware of a legal system that is “not technically proficient,” said Jon. “You could see their eyes glaze over” during the legal proceedings. And yet: “Technical assessments are key to determining whether someone has done something wrong.”
During the question-and-answer period, Jon was asked: Did his accusers intimate what his motives for crashing the site might have been? No, said Jon, “It didn’t come up. It was irrelevant to them.”
What had happened to the former coworker? “Nothing.”
Would Jon have done anything differently if he could do his defense all over again? “I would have hired more lawyers.” As it was, Jon had hired an attorney from the Bay Area: Jennifer Granick. Litigation director of the Center for Internet and Society at Stanford University Law School, Granick has a private practice defending people accused of computer crimes.
Why hadn’t he hired a local lawyer who could have played the game? “Because,” said Jon, “I didn’t know there was a game to be played.”
Out in the hallway, I ran into one of the preteens from the RootWars room. “Do you have an FBI badge?” he asked me hopefully. He made a little rectangle with his hands to show me what he meant. Oh, for the scavenger hunt. I was sorry to disappoint him.
I took another peek into the RootWars room, where a movie was being projected on the wall while play continued. Someone told me it was the 1992 movie Sneakers, starring Robert Redford as a fugitive phone phreak turned pseudonymous computer-security professional. It must be another accepted member of the cinematic canon.
In one of the talk audiences after lunch, I saw prole listening, arms crossed like Mr. Clean’s, his sunglasses hooked onto the front of his shirt. He waved at me congenially. I resisted walking up to him to ask about the GhettoHackers, however. If it happened through Geo’s channels, it would happen.
At the end of the first day, as many people were getting ready to party, I got ready to go home. On my way down the hallway, I passed by a huddle. Three or four conferees were surrounding someone on a cell phone. “Hey, Amber!” one from the huddle shouted in the direction of the cell phone mouthpiece. “We love your boobs!”
Breaking into a computer is a pretty gray area. I think it’s acceptable, personally, I think, if somebody wanted to take down the site of a child-porn ring.
— Klinge-C01
Your Webpage and All Accounts Associated With It Have Been Compromised And Deleted, For Crimes Against The Human Race, by s c r e a m of the OLM (OnLine Mafia) and H.A.R.P.
(Hackers Against Racist Parties).
“If you prick us, do we not bleed? If you tickle us, do we not laugh? If you poison us, do we not die? And if you wrong us, shall we not revenge?”
— William Shakespeare, The Merchant of Venice —
Read it and weep you racist fuckers.........
The Rest Of You Hate Groups Better Tighten Up Your Security.... Cos We’re Coming For Ya!
— hacked website of the Ku Klux Klan
From the files of www.2600.org
On Sunday morning, I noticed that the reception table for the doctors’ convention had been moved downstairs to the Westin lobby. A proper-looking, middle-aged woman in a black business suit was seated behind it. I asked her if she’d had trouble with the hackers. She said: “They put graffiti on my sign. They put their sign over mine. I had the doctors’ badges all lined up and they took them and were wearing them, pretending to be the doctors.” I looked at her name tag. “Bunnye,” it said. Bunnye didn’t seem upset; she was merely stating facts. “They also took over one of the phone lines and were using it at our expense. It was inappropriate behavior. It was like dealing with 12- and 13-year-olds. It’s fine behavior if you’re at McDonald’s… The security person should have made sure they were behaving appropriately. His job is not only to make sure that the merchandise is secure. The hotel is working with me to make amends. I doubt the hackers will be invited back next year.”
Upstairs in the ToorCon spaces, it was pretty quiet. First talk of the morning was Jeremiah Gowdy’s “Fundamental Flaws in Network Operating System Design.” He was waiting in the back of the room, talking about last night’s drinking with some other hackers. “When I was 18,” he said, “I lost my license for a year, and I rode the bus. It gets old after two weeks. It was for having a beer on the Fourth of July.” He yawned and stretched.
He spoke about the inferiority of most familiar operating systems. It must have been another happy coincidence, but Geo’s T-shirt this morning said, “Your Favorite OS Sucks.”
Gowdy denigrated “people making a living off the errors of programmers” and praised what’s called OpenBSD [Berkeley Software Distribution], the free operating system developed by volunteers. (jsyn is one.) “The guys who work on this system are really fricking smart,” said Gowdy, “and I have a lot of respect for them.” He praised the level of security offered by OpenBSD. “They’re at the forefront. They’re number one.” But, he cautioned, “It’s like being on a team that never loses. They’re overconfident, and someday they will lose. It might be the best, but it’s not perfect.”
People trickled in while the talk was in progress. At the end, they trickled out. Everything was in slow motion all day Sunday.
The RootWars room was very quiet too, except for the voice of tommEE pickles, who was holding forth about something. His hair was dyed fuchsia. His T-shirt said, “Free the West Memphis Three.” (The West Memphis Three, the Internet told me later, were Satanists convicted of a triple rape and murder of three eight-year-old boys.) “This shit is so fuckin’ simple, when you get right down to it, you’ve basically got to be a real moron not to understand how it works,” he said.
At the end of yesterday’s session, the vendors had moved their stuff in here, for (physical) security’s sake, and now had not bothered to move it back out into the hallway. They would sell it from here.
The guy with the dish antenna was at my elbow, looking at the stuff for sale. I asked him what the dish did. “Oh, this? It doesn’t even work. I bought it for a buck in Portland.” He had an accent, but from where? Transylvania was my guess, but I didn’t ask him to confirm.
When I took a seat in one of the talk rooms to hear a hacker called Little W0lf, I noticed the kid who yesterday had asked me for an FBI badge. He was drinking from a big plastic cup of water. I asked him his name. Vanya Sergeeb, he told me. He was 12 years old and had lived in Russia, the Netherlands, and Iowa. Now he lived here and attended Carmel Valley Middle School. His mother was born in Moscow. “She works in biotech and is looking for a cure for cancer.” His father was born in Europe and was a computer programmer. His sister, 15, “also likes science stuff.” She wanted to become a vet; his goal was to become a computer scientist. After school, he worked as an intern at Booz Allen Hamilton. Several other people were here from Booz Allen, and he had accompanied them to this, his second ToorCon. (Booz Allen has what’s called a “strategic security division.” Nonetheless, in April and May 2002, hackers gained access to its network. At the time, the firm was developing a public website for SPAWAR — the Space and Naval Warfare Systems Command. SPAWAR’s site was one of those defaced. Responsibility for the attacks was claimed by the “Deceptive Duo.” One message read: “We are two US Citizens that understand how sad our country’s cyber-security really is… This situation proves that we are all still vulnerable even after 9/11.”)
When Little W0lf began to speak, I didn’t listen; mostly, I watched Vanya. He sat through the entire presentation without fidgeting. Afterwards I asked him if he had understood what Little W0lf had said. He nodded and told me all about “PHP authentication management.”
During Little W0lf’s presentation, I also watched three guys I had not noticed yesterday. They were sitting in the row in front of me. One of them had an iron cross on his baseball cap. Could he, could they, be neo-Nazis? They were dressed like rednecks. Each had a composition notebook, brand-new looking, unopened, on the table.
I tried to eavesdrop. I heard one say something about guns from U.S. government surplus. Otherwise, it was impossible. They were speaking much too softly and not very much. All three smiled in the same chilling way.
While I waited for something listed in the program as the “Fed Panel,” prole sat down backwards in a chair to face me, arms crossed over the backrest. “I heard you wanted to talk to somebody about the GhettoHackers.” There was a grin on his face and a big red dragon on his T-shirt.
He told me that the group started four years ago, with the Capture the Flag team at DEF CON. “They were called the GhettoHackers because they wrote their notes on bar napkins, using broken pencils, and their gear was half falling apart,” he said. “I actually wasn’t a member yet but the next year, through various friends, ended up hanging out with them. Two years ago I was voted in or whatever. It’s just that we were hanging out all the time, anyway. So they said, ‘You’re a GhettoHacker now.’ ”
While cyberspace was their virtual frat house, they also had a rented space in Seattle for the locals. “They’ve moved some stuff in,” said prole. “Pool table, makeshift bar, DJ gear, lots of computers and network gear.” He guessed there were 40 members total, but he couldn’t say for sure. “No one knows everyone else.”
Was there a secret handshake?
“No, and I know it sounds like a secret club, but the main requirement is that you get along socially. I mean, everyone that I’ve met through it is just really smart and has his own skill sets that are — Everyone does something that everyone else can’t.”
So the combined skill level was “copious”?
“Copious would be accurate.”
What did they use the skills to do? prole wasn’t at liberty to say. “When [San Diego members] get together here, sometimes we hack something; other times it’s just ‘Let’s go to the beach.’ ” At the places they met, most people had the capability for multiple machines. “They have a hub or a wireless where everyone can at least plug in laptops. We meet to discuss issues — everything from upcoming or ongoing projects, to posing technical problems to each other, to making sure everyone’s pitching in for their portion of the bills.”
What did members of GhettoHackers do for a living? “A lot of people have done work for companies — big, large-scale, important, impressive projects.” Which projects, he couldn’t divulge. “Most of them work in the computer industry — either software or hardware — or they work in computer security — at a firm or do independent consulting. Others are programmers or administrators or — The ones that disclose their jobs, that is. I don’t know the real names of a lot of them.”
After all, he never had to send any of them a letter.
“You just hop online and say, ‘What’s up? Who’s here?’ ”
Did he even have their phone numbers?
“Some of them. But the numbers are given out on a need-to-know basis. Out of courtesy you don’t pass along phone numbers or e-mail addresses to other people, even if they’re acquainted, because people have different degrees of need for security — and privacy.”
I told prole that it sounded very civilized.
“It’s one of the closest things I’ve seen to civil anarchy. The world’s not civilized enough for anarchy. If it were, I think anarchy would be great.”
Did anyone ever leave the GhettoHackers?
“I think some people may have lost network status for doing something stupid. Maybe they tried to attack a machine from our network. We don’t attack machines [as a group]. If a member decides to attack something on his own, that’s his own deal. He shouldn’t even tell the rest of the group about it, as it has nothing to do with the GhettoHackers. Of course, some of us do attack machines legally, as part of our jobs or within our own networks to hone our skills.”
One aspect of the GhettoHackers that prole could be more specific about was their “mentoring.” “Some of us mentor people who show promise. They are encouraged to hang around. Say, you run into someone at the local 2600 meeting.” (According to www.2600.org, 2600 meetings “exist as a forum for all interested in technology to meet and talk about events in technology-land, learn, and teach.” They take place all over the country on the first Friday of every month, from 5:00 p.m. to 8:00 p.m. local time unless otherwise noted. San Diego’s 2600 meetings are at Leucadia Pizzeria, 7748 Regents Road, La Jolla. The name 2600 derives from the 2600-hertz tone generated by early phone phreaks, using a toy whistle from a cereal box, in order to make free phone calls. The founding of the San Diego 2600 chapter is one more contribution of Hulton and Ben Greenberg.) “And he’s a smart guy with no direction, you maybe talk to him and say, ‘Hey, what would you do with this?’ Or, ‘I’ve been working on a problem and I might need some help.’ And then if it works out, he may get access to the GhettoHackers’ networks so that he can interact.”
It seemed like a good time to mention the immature element at ToorCon — the one who defaced the Bayer sign, the ones who pulled the fire alarm.
“The immature element here is not nearly as great as the one that’s at DEF CON,” prole assured me.
The real question was, how did he tolerate them? Considering the elite nature of the GhettoHackers, that is.
“It’s a combination of things. There’s ‘Boys will be boys’ — not to be gender specific. Another part of it is, you don’t want to pay too much attention, negative or positive, because you don’t want to encourage it, right? And the other thing is, you’re watching out for the sharp people [who may be among them] and who you think don’t have direction — people who get caught up in the vandalistic side of things. A friend of mine pulled me aside recently and told me that last year at ToorCon a 16-year-old kid got in trouble. Some unethical people did some stuff — I don’t want to get more specific than that — and pointed the finger at him. He was just a kid and didn’t know what was happening. He ended up moving. And my friend said, ‘He’s a good guy. He needs direction. If you see him online, hang out.’ ” prole looked around the room that was beginning to fill up for the Fed Panel. “These conferences remind me of high school or even grade school sometimes, you know? There is a certain kind of lost quality about some of the people.”
I see in fight club the strongest and smartest men who have ever lived — an entire generation pumping gas and waiting tables; or they’re slaves with white collars. Advertisements have them chasing cars and clothes, working jobs they hate so they can buy shit they don’t need. We are the middle children of history, with no purpose or place. We have no great war, or great depression. The great war is a spiritual war. The great depression is our lives. We were raised by television to believe that we’d be millionaires and movie gods and rock stars — but we won’t. And we’re learning that fact. And we’re very, very pissed off.
— from Fight Club screenplay, by Jim Uhls
The Fed Panel, ToorCon 2002’s finale, featured Amanda Rankhorn, special agent, Federal Bureau of Investigation, founding member of the Computer and Technology Crime High-Tech (CATCH) task force, covering San Diego, Imperial, and Riverside Counties. Rankhorn was flanked by two others on the dais, but in ToorCon fashion, their names were not listed on the program and the introductions didn’t give many details about them. One was a computer forensics expert, I gathered; the other was a lawyer. The way I discovered Rankhorn’s name and title was by grabbing the information from her business card.
The format was questions and answers only; no prepared speeches. The audience had plenty they wanted to ask. A sampling:
War driving? (That is, locating and exploiting security-exposed wireless LANs, or local area networks; also called war chalking.)
“There is nothing illegal about it, until you try to exploit the open connections.”
What if you sniffed a wireless and you sat there listening?
“That would be bad. It’s been made illegal.”
Were they prosecuting more these days?
“Just as regular people are doing much more on the Internet, so are criminals.”
Could hackers here legally attack the computers of a nation we’re at war with?
“It’s only a crime in the United States.” But, they suggested, “Pick your country carefully.”
What was the choice operating system for criminals these days?
“Windows 98.”
Explosive laughter from the audience.
“And they’re generally AOL users as well.”
Catcalls.
How did the FBI usually catch people?
“They end up telling someone — they can’t resist telling everybody how cool they are. You’re gonna tell somebody, and once you do, the game is just about up.”
One more question: Were they hiring?
Password Cracker: With these programs one doesn’t have to worry about passwords anymore. Learn how it is possible to access password protected areas for internet sites. XXX sites for example. Forgot your password? No problem with the password cracker… Just hack it. ;)
— from www.hackertoolz.org
One morning, a few weeks after ToorCon, I phoned Jeremiah Gowdy at work. How had ToorCon gone for him, physical security-wise?
“Well, we had vandalism on the doctors’ sign,” he said right up front, “and we thought it was real funny at first, and then we realized we had to deal with them and the hotel staff, who were not entertained. And the doctors had to move downstairs and all that. So we had to, kind of, get people under control on that one.”
And then, he said, “We had to deal with the DrunkenWhores group. They’re one of the groups that show up. They kept bringing alcohol up on the floor, which at first we were going to, like, allow, if they kept it really calm. Then it turned out that the hotel had major problems with it. Anyway, it was kind of difficult to deal with people that — They run security at the major conferences and they think real big of themselves. And to take away their vodka wasn’t easy. We had to deal with a couple of guys who were holding down a few drinks.”
I told him I hadn’t seen any commotion.
He seemed pleased. “That’s because we keep it quiet when we have this kind of hassle. And most of [the DrunkenWhores] are pretty cool. Mostly we have decent people who go to ToorCon who, even though they want to have a good time and drink and everything, are willing to work with us.”
That same day, I waited until 1:00 p.m. to call Tim Huynh, who was just waking. We spoke as he lay in bed.
Who had won RootWars and the scavenger hunt? I asked.
“Unfortunately,” he said, “nobody really played the games.”
But something had been going on in that room.
“Well, they were just, kind of, hanging out and learning off each other, doing different things. Plus, we had Internet connectivity. So people were searching the net and all that kind of stuff.”
I knew better than to ask for specifics. Instead, I asked in general about the infamous gray area. I had come to understand it in one sense and wanted to confirm it with Huynh. Was it that some gray-area activities were illegal but maybe the hacker didn’t think they should be? That is, they were illegal but, in the hacker’s opinion, not wrong?
“That’s a really legitimate way of saying it,” Huynh said. “There’s a whole set of ideals and principles involved in the things they do — hackers, crackers, whatever. It’s interesting: you think you’re in a crowd of criminals, but you could say they’re revolutionaries. It’s like, ‘Well, we don’t believe this is right. So our little protest is, we’re doing this or that.’ ”
He gave an example: “There’s a German hacker who’s relatively famous — he’s, like, a multimillionaire. His name is ‘Kimble.’ The guy is just filthy, filthy rich. And during the whole September 11 thing, he offered a multimillion-dollar reward to anyone who could seize the terrorists’ assets.”
Huynh had his problems with Kimble’s offer, however. “It’s a good end, but you’re going to destroy a lot in the process of trying to achieve it. I think that’s an extremely gray area, because you’re down to hacking legitimate stuff.”
Just going into, say, a bank site could be damaging to it?
“It’s a possibility, if you don’t know the system well enough. Also, let’s say you think you have this terrorist’s account and you start deleting, and it ends up not being a terrorist’s. Well, you could put to ruin somebody who’s benevolent. So it’s kind of, like, you can do it poorly, and it’s a mess.”
Another idea I was having trouble coming to grips with was ToorCon’s “inclusiveness,” as they say. Everyone — hackers, crackers, kiddies, even the feds — had tread the same turf that weekend. Where did all that magnanimity come from?
“I think,” said Huynh, “everybody has an open mind.” He expressed this same thought in several ways: “It’s acceptable to think differently. Everybody already thinks differently and everybody there is smart enough to realize it. Everybody already thinks out-of-the-norm. So if somebody thinks differently than I, who am I to persecute them?”
It sounded like democracy.
“With any democracy, it’s all about the involvement of the populace. And so it does work, but it totally relies on the populace actually applying itself.”
I asked about what Huynh was up to now. He and Hulton were rolling out a new product, called Nightvision, he said. “Pretty much it’s a firewall IDS — intrusion detection system. It’s a wall that blocks specific incoming traffic, and outgoing traffic, too, if you want. So it’s a filter for network traffic. It’s all dependent on your paranoia level. It creates a footprint of the signatures, cataloging any intrusion attempts, so you’ll be able to look back and see what’s been going on. It also will be able to tell you if it was a real intrusion attempt, or just a hiccup, or if it was just a scan, say, which occurs when somebody just looks at what you’re running, so they might go for a bigger attack later. And then if the client wants actually to pursue it legally, they have evidence.”
Only one other product on the market was similar. “And it’s a lot more expensive. The main selling point of ours is that the operating system runs off a CD. You can’t write to it. You can’t alter it. Tomorrow we’ll be installing one at a client’s.”
I asked about Hulton, and he got on the phone next, to tell me about his Dstumbler, the tool that Klinge-C01 had used with success in the parking lot outside the company that provides 911 response.
“The whole package that I sell is called BSD AirTools,” said Hulton. “And Dstumbler is part of it. AirTools is a complete wireless auditing tool set. Hackers and attackers can use it to get access to people’s wireless networks. Normal people can use it too, to see how prone they are to attack. There’s another application that lets you crack webs on the wireless networks, so you can check whether your network can easily be attacked that way. Dstumbler will show you what networks are around an area and also lets you see what machines are connected to the network. And there are a couple of different things you can do with that. Like, if you’re an attacker, you can use it to map out somebody’s wireless network and figure out which machines are in which areas of the building and base your attack on that. Or, let’s say you’re a system administrator and you notice that some malicious person has attached himself to your network. You can use one of the features to trace him down. So there are a number of different things you can do with it, both on the white-side and the black-hat side.”
I noted that he had created something, like any weapon, that could be used for good or ill.
“Whatever people have a use for…”
And he didn’t lie awake at night worrying about its potentially evil uses?
There was that laugh again. Heh-heh-heh-heh.
Hulton was still a kid when his professional life began. He started at Hughes Network Systems as an intern while he was in high school. Had he been treated like a kid there?
“No, everybody treated me just like a normal worker.”
Hulton also began doing web design as a teenager. It was his good luck to get a contract with South Park Studios. “That’s South Park, the TV show, and Comedy Central. So I ended up developing the whole database backend for their website. You can actually see it at southparkstudios.com. When it was all finished, I had a bunch of money from that, so it’s what I used to move here.”
When exactly was that?
“March 20 in 2001. I had just turned 18 the day before.”
I asked Hulton if he could tell me anything about Nightfall’s clients.
“We work for some companies whose names people would recognize immediately — they’re that large — and some that are kind of vague whose names nobody would recognize.”
So he continues to interact with corporations some of the time. Would he ever take a job with any of them?
“I’ve been offered jobs,” he said, “but if I took one, I’d be thinking of it as a temporary job in order to do something like what I’m doing right now. So I don’t want to go that route. I want to keep on doing this. I really enjoy what we’re doing now. And I don’t think I would be challenged as much if I were in a corporate job, or feel I’d be using my time as well.”
I remembered, then, to call Ben Greenberg. When I reached him, he was at the Lander College for Men, in Queens, New York, still studying to be a rabbi, but closer to home, away from the violence in Israel, at the urging of his parents.
I asked him how he and Hulton had met.
“We were friends back at Standley Middle School, many, many years ago,” said Greenberg, who is 20. “And we both had a very big interest in computers. We were also very much entrepreneurial. And taking those two things together, we developed projects, ToorCon being one. And David and I to this day are very good friends, even though we’re currently separated by 3000 miles.”
I mentioned that someone had told me there had been a lot of Israelis at DEF CON last year.
“Well, of course. High-tech is vast in Israel. Many secular Israelis are into computer businesses.”
When he was in Israel, had he been involved with computers?
“I went to computer meetings. It was nice, because I was able to develop my Hebrew. But, I mean, computers are everywhere. You can’t avoid them. If you think they’re integrated into American life, they’re twice as much integrated into the life of Israel.” Besides, he said, “Once you have computers in your life, it’s very hard to disengage from them. I still try to keep up to date on everything that’s happening in the security world. I talk regularly with David. I have several computers in my apartment. It’s a fact of life. I still to this day do programming in my free time, just to make sure I’m not losing my abilities. Just in case I need to get a job someday” — he laughed — “it’s a good skill to keep.”
I was wondering what Greenberg looked like. Since I wouldn’t have a chance to meet him, I thought I might elicit the information by asking him if he had undergone a physical metamorphosis since his ToorCon days.
“Well, I used to look like a kid, even though I never dressed obscenely weird. I was always pretty conservative — T-shirt and jeans. And if I had to go to a business meeting, khakis or whatever. But now I dress kind of ‘rabbinical’: a black jacket, white shirt, black hat. And a beard.”
Did it surprise people when he returned home to San Diego?
“A little bit, I would say. It’s not what people expect — a rabbinical hat, you know?”
One thing could be said for it: it gave new meaning to the term “black hat.”
Not long ago, in an office building right around the corner from the Bristol, I bought myself a router. (It was sold to me by a city employee, an electrical inspector, with a business on the side; this was during business hours — but that’s another story.) My computer guy, Patrick, installed the router for me here at home, where Bob and I have two computers. Patrick, prole, and others had told me it could act as a simple firewall, preventing our network from catching the flu, so to speak; if it caught anything, it would merely be a cold.
That protects me personally from minor disasters. What will protect us all from major ones? It certainly has been unsettling to note on attrition.org how many military websites have been hacked. And, as David Hulton pointed out, those mirrors represent only the ones that were grabbed.
I feel a little safer, having met the likes of Hulton, prole, Bartoli, jsyn, and the rest of the ethical hackers.
But then I remember the guy wearing the iron-cross symbol. Truth to tell, I am bothered a lot more by him and his friends than I am by the Transylvanian.
Hamlet doesn’t believe in moral absolutes. “For there is nothing either good or bad, but thinking makes it so,” he says. But look where that sentiment gets him.
J. Robert Oppenheimer, who directed the Los Alamos lab, recognized evil when he saw it. “In some sort of crude sense,” he said, “which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.” By that time, it was, in other words, too late.
“Words, words, words.” It’s another one of Hamlet’s cheerless utterances.
I saw a tabloid headline recently. It said, “Three More Commandments Discovered.” Our cyberized world could use some new ones, I thought to myself. But what exactly would they say? It would take other than a human, hacker or not, to write them.