
When hackers become The Man

An older generation of hackers has grown, gotten good jobs, and started raising kids. What do they have to say to the new kids on the block?

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
 
Ten-year-old hacker CyFi discovered her first zero-day exploit earlier this year, and presented her findings at the first DefCon Kids this year. Seth Rosenblatt/CNET

At DefCon III in 1995, the young crowd of 470 spent their time jamming a local radio station broadcast and playing Hacker Jeopardy at midnight when they couldn't drink at the bar. "Free Kevin" stickers were plastered everywhere protesting the jailing of fugitive hacker Kevin Mitnick, and a 14-year-old ran away from home to attend the event. (I know because I was there.)

At DefCon 19 this year, plenty of the nearly 12,000 attendees had gray hair, most work as security professionals, and some even brought their children. Mitnick was there signing copies of his latest book, "Ghost in the Wires," and posing for photographs, before appearing as a guest on "The Colbert Report" last week.

A community is growing and growing up.

In the early years, DefCon founder Jeff Moss used to say "if you're 20 and you're working for The Man, you're a loser," Richard Thieme, author of "Mind Games" and a professional speaker, recounted in his DefCon talk this year and in an interview with CNET afterward. "Ten years ago, Moss said 'if you're 30 and you're not working for The Man, you're a loser.' And now he agreed that at 40 he is The Man."

Moss, aka "Dark Tangent," started DefCon in 1993 as a farewell party to a buddy, only to have it become the world's largest hacker conference. He sold off the more commercial Black Hat security conference, which frees him up for public service--he serves on the Homeland Security Advisory Council and was named the chief security officer for the non-profit Internet Corporation for Assigned Names and Numbers (ICANN) earlier this year.

Another hacker role model who is having a very direct impact on U.S. cyber security policies and funding is Peiter Zatko, who was better known as "Mudge" when he was a member of The Cult of the Dead Cow (CDC) and L0pht hacker groups in the 1990s. He presented at a session on password cracking and holes in Microsoft software at DefCon in 1996. This year, he gave a keynote talk at Black Hat about his plans as program manager for the information innovation office at the Defense Department's DARPA (Defense Advanced Research Projects Agency) to fund hacker spaces and small security start-ups.

With many hackers having families of their own, it was only a matter of time until there was DefCon Kids. (There's also a separate event, HacKid.) This was the first year for DefCon Kids. About 100 kids learned how to hack circuit boards and pick locks, and participated in a social engineering contest. One 10-year-old even revealed a zero-day flaw in a mobile game. The moral and legal considerations of the newfound skills are as important as, or more important than, the technical know-how.

"It was significantly different when I was doing it [hacking as a teen]," said Jericho, founder of the Attrition.org site and president of the Open Security Foundation nonprofit. For instance, "it wasn't a felony to have log-ins and passwords. Then it became a felony to have possession of an illegal access device."

The legal ramifications are more serious for hackers now than they were in the past, and getting in trouble can seriously hinder a hacker's ability to get a coveted job in security. It's also easier to get into hacking, with readily available exploits for all kinds of attacks.

"There is still a moral or ethical boundary, even if you are not breaking the law," said Jericho, who said he wasn't too concerned with the consequences when he first started hacking. "I was working in a minimum-wage job and hacking was something that fascinated me and I wanted to learn," he said, adding that "In my mind, I didn't have much to lose." That changed when he got a job in security. "That's when we said wait, now if I get busted there are more serious consequences," he said.

"There really weren't a lot of laws against this. You could look but not touch. As long as you didn't damage anything, anything goes," said Moss. "Now, if you download an exploit tool and run a scanner... you could be violating all kinds of laws and really wreck your future."

In the broader historical context, hacking is still in its infancy and there isn't a lot of institutional memory for young hackers to draw from, he said. "So what we're seeing is these [older] hackers are starting that...They're trying to create for the kids what they wish they had when they were starting out," Moss said.

What once was an unexplored digital playground for curious hackers seeking intellectual stimulation and a challenge has become over-run by criminals who have turned online theft and online scams into well-oiled money machines.

"You were younger and who cared if you piss someone off. Now, you've got a career, reputation, and income. Now the real interests have moved in, organized crime, nation-states...," he said. "It's not just you and a couple of your hacker friends making up a hacker crew. The big boys are out there too. That's changed the nature of things."

Anonymous sparks debate

And then there are the online activists who are using denial-of-service attacks and Web site defacements to embarrass targets and send a message, distracting people from the weightier scourge of corporate and government-backed espionage and sabotage that is happening all the time under the radar.

Veteran hackers had some words of caution for Anonymous at DefCon this year, but almost unintentionally. A panel that was originally envisioned as a discussion about how white hat hackers end up doing black hat activity as part of work for the intelligence community--titled "Whoever Fights Monsters...Aaron Barr, Anonymous and Ourselves"--turned into a debate about the controversial actions of members of the Anonymous online activist group. In an effort to shame victims and expose alleged shady practices of security firms that serve as defense and government contractors, Anonymous compromised HBGary Federal earlier this year. The group leaked personal information on then-CEO Aaron Barr and e-mails that ostensibly revealed plans to use social media to manipulate public opinion by creating numerous fake accounts.

Joshua Corman, director of security intelligence for Akamai, was on a panel session about the online activist group Anonymous at DefCon 19 in Las Vegas. On his arm is a Guy Fawkes mask as depicted in the comic strip and movie "V for Vendetta," which Anonymous members have appropriated as a logo. Corman is not affiliated with Anonymous. Seth Rosenblatt/CNET

Barr had agreed to be on the panel but backed out after being threatened with legal action by HBGary Federal. So instead of discussing the "dark side" of security professionals doing ethically dubious actions, the discussion focused on Anonymous' attack on HBGary Federal and numerous other targets (included in this chart).

Members of the panel suggested that any noble free speech or other messages Anonymous participants wish to relay with their activism are getting lost in a jumble of numerous attacks and overshadowed by data leaks that harm innocent people. For example, the group gained some support recently (since DefCon) when it took on the San Francisco Bay Area subway system (BART) for trying to stop a protest of police violence by temporarily shutting down cell phone service. But then Anonymous was criticized for releasing information of subway riders pilfered from a compromised BART server.

Panelists asked why not redact data of innocent people? And wouldn't child exploitation sites or security vendors that threaten to sue researchers disclosing security holes be better targets than some of the targets chosen by Anonymous and its former LulzSec spinoff?

"You can still be effective without causing as much collateral damage with your actions," Jericho said during the session. "I'm not passing moral judgment," he said in a recent interview. "Personally, some of what they're doing is wrong, but on the other hand some of what they're doing is well deserved."

Part of the problem is the group's lack of leadership and direction. Anonymous doesn't have a hierarchy or set structure, which means that any one individual can pretend to speak and act for the group as a whole. It's very project focused, with volunteers joining different campaigns based on target and not on any real overriding philosophy, according to panelist Josh Corman, director of security intelligence at Akamai. "I'd like to see more mentoring or Sherpa guiding," he said in an interview. "That doesn't mean you're going to eliminate the chaotic or evil faction... but you can get the disenfranchised kids, and it would be better for achieving beneficial goals for the community. That's preferential to random chaos."

Some bad apples may just be spoiling it for the rest of the group. Recently there has been public dissent from people associated with Anonymous who think things have gone too far. Last week, someone who had previously considered himself part of Anonymous said he was quitting and cited the release of data belonging to innocent bystanders. Another supporter pleaded with the group to stop doing "violent protests" online and "releasing innocent customers' information." And someone running the AnonyOps Twitter account also disagreed with the exposure of subway rider information, telling CNET that the move was "grossly irresponsible."

In a recent posting titled "Anonymous is not Unanimous," the AnonyOps Twitter account holder wrote: "Most people think we're a group of shadowy hackers. This is a fundamental flaw. Anonymous is *groups* of shadowy hackers, and herein lies the problem. Anonymous has done a lot of good in just the past 9 months...Don't let the actions of a few skew your perception of hackers as a whole."

Pre-Internet, marginalized youth would listen to punk rock, spray paint slogans on walls, or march in the streets. Today, the tools for wreaking more financial and emotional havoc on society are a few mouse clicks away and able to hit targets anywhere in the world, anonymously. At the same time, there's a growing class of people who can't find jobs and a restless population that is bombarded with negative news about the economy, environment, human rights, civil justice and the increasing use of online surveillance and other blows to the individual right to privacy, said Thieme.

"It was inevitable that LulzSec and Anonymous and other hackers would feel that their only way to fight back against such concentrated power would be to use the technology itself to assert their own identity and authority," he said. "This lets them prove that 'I'm not a number. I'm not a data point. I'm a human and I can take you down.'"