Anti-hacker site raises hackles of online underworld

"It's my job to catch them, so it's like a cocaine dealer and a cop," said Vranesevich, the lanky 21-year-old founder of AntiOnline.com. The Web site, once a place where hackers bragged about their exploits, is now an online security site used to catch them.

"It's not surprising that they wouldn't like me or what I'm doing," said Vranesevich, who wears the hacker community's disdain like a crown and considers it a necessary evil of his work.

Vranesevich and his Web site have drawn not only notoriety in hacker and security circles but have brought in an undisclosed amount of venture capital financing. The Web site also has advertising revenue from mainstream sources such as Microsoft and VeriSign.

According to the Web site, Vranesevich and his co-workers are working on several government contracts. In the past, they have worked with the Army, Air Force, Department of Defense and the FBI. Last March, Vranesevich lectured at the FBI's academy in Quantico, Va. He's also been quoted widely in the media, from The New York Times and CNN to The British Broadcasting Corporation and National Public Radio.

It wasn't always like this.

Vranesevich, dubbed the Cyber Sherlock Holmes by the media, once moved easily in the hacker community, interviewing and writing stories about computer attackers for his Web site, which was then a Web information source on hackers and online security.

AntiOnline was a place where hackers could explain their motivations, voice their opinions, and even brag about their exploits. For Vranesevich, the relationship brought traffic to the site and intensifying media coverage.

But one day in September 1998, he found himself telling the story of a California hacker who had promised to sell information about how to navigate U.S. military networks to an alleged terrorist. What seemed like harmless fun had suddenly turned into international espionage.

Vranesevich says he became disillusioned after he heard about the deal made by the California hacker. Soon after that, he started to help government officials investigate people accused of malicious hacking. He turned over information to the FBI that led them to hackers in connection with an attack on The New York Times' Web site also in September 1998.

Vranesevich said he once thought hackers were right in their efforts to expose security holes but said he later realized that they were malicious and selfish.

Turning over a new leaf
So he crossed over--helping the government take down hackers by using some of the same techniques to hunt them down that he once used to follow and publicize their exploits.

Today, he's also selling his services to private corporations that want to protect their systems. Currently, he is working with Klein Associates, a consulting firm near Dayton, Ohio, which advises companies on decision-making techniques.

His new line of work has drawn the wrath of some hackers who say they feel betrayed. In fact, his Web site is attacked constantly. A live tally on the Web site shows the probes and attacks--by midmorning today, the site had already been hit eight times.

Vranesevich "largely gets a lot of half-cocked notions in his head and takes them as fact," said Jay Dyson--a.k.a. Cancer Omega--a member of Attrition.org, which has spearheaded an effort to discredit Vranesevich.

"He has always been considered a poser by most hackers, and someone who is out to make a name for himself at the expense of others," Dyson said.

Dyson said he was one of the members who were investigated by the FBI in connection with the New York Times hack. Though he was never arrested or charged and denies involvement in the attack, he said the controversy cost him a job at the National Aeronautics and Space Administration (NASA).

Attrition.org members have posted messages on its Web site saying Vranesevich has made false statements about hackers. And they say Vranesevich paid a hacker to break into the Web site of the U.S. Senate so that AntiOnline could be the first to report it--an accusation Vranesevich denies.

"Read AntiOnline. What do you see? Libel and lots of it," reads a message on Attrition.org. "You see them denying links from sites that disagree with them, accusing their competitors of a wide range of absurd actions, and worse, absolutely no proof of their claims."

Of course, not many hackers step up to offer information connecting them to the attacks.

All in a day's work
Vranesevich doesn't take it too hard. "I'm out there trying to catch them and helping others protect their systems from their attacks. It's to be expected," he said.

He actually started out as a white hat in the computer game: In junior high school, Vranesevich had to rehabilitate the school's computers after a hacker attack.

"You could say I got started in this business as a victim," he says with a laugh.

Vranesevich started AntiOnline while he was in junior high, sharing the information he learned about computing and network security. He left the University of Pennsylvania in his freshman year to devote himself completely to the Web site.

"John has been successful as an information outlet and tracking expert for the media and government agencies. He also understands who is who in the hacker underground," said Chris Rouland, director of the research and development arm of Internet Security Systems, an electronic security management firm. "There is a real value there. It is an important intelligence service."

Vranesevich said most people get the hacker bug to be part of a group, like a youth joining a gang.

"There are also those who are politically motivated or driven by some sort of cause," he said. And there are those looking for cash. "There are people who have broken into systems to steal credit card numbers or take part in corporate espionage."

Although recent attacks on big e-commerce sites like eBay, Amazon.com, Buy.com and Yahoo got a lot of publicity, Vranesevich said the largest hacker attacks are the ones that aren't publicized.

"There are those attacks that happen behind the scenes, like hacker attacks on top-secret computers or terrorist activities," that the government doesn't want to publicize because of = news="" 0-1007-201-1545382-0.html="">national security concerns, he said.

A new threat
Cyberterrorism is the new threat to both businesses and governments, he said. "Before, terrorists blew up buildings. Now, the Internet provides a tool to do things on a national level. Individuals who have a gripe can do damage that has a national impact."

Cyberterrorism and national security aside, Vranesevich said the reason his site has become so popular is because everyone from systems administrators to "soccer moms" have questions about online security.

"People want to go to a site that has accurate and professional information. We strive to educate the average user on security," he said. One example is Ask Bub, where visitors type in questions for the virtual security consultant, "Bub," a gray-haired gentleman in a suit.

AntiOnline has five full-time employees and 11 part-time employees working in flashy new offices in downtown Beaver, Pa. The company has transitioned itself from tracking and visiting hacker chat rooms to developing software that automates the process of monitoring Web sites.

In the next few years, Vranesevich said he sees his company doing more consulting work within the government sector and expects the company to go public within five years.

"I see privacy as being the next big thing in the security field, as individuals, companies and of course government will look to protect information from each other and other individuals," he said. "It will be up to the national media to cover the ways in which people can protect their own information."