CNET también está disponible en español.

Ir a español

Don't show this again

Tech Industry

Hacking their image

Code warriors or criminals? An underground school of "ethical" hackers works to reprogram its bad reputation and be known as the good guys.

Hacking their image
 
By Rob Lemos
Staff Writer, CNET News.com
August 2, 2002, 4:00 a.m. PT

SEATTLE--At a typical Wells Fargo branch here, employees and customers do business each day oblivious to a beehive of activity in the basement.

There, five blue-walled rooms serve as makeshift classrooms for other tenants in the building who are light years from the world of banking: an organization of some of the most talented computer hackers in the country.

Hacker groups:
GhettoHackers
The L0pht (now @Stake)
2600

Other links:
IBM paper on ethical hacking
Paper on computer hacking and ethics

As menacing as this juxtaposition might seem, the group insists that its work is harmless and, in fact, is dedicated to doing good. The founders of GhettoHackers, as the group is called, say its 30-odd members teach others how to crack security only to find flaws so that defenses can be hardened.

"The Ghetto are good guys. So I guess the way to look at us is (as) the boot camp for the people growing up to protect the world," said "Caezar," a 28-year-old security consultant and founding member, whose appearance--which includes two spikes angling from his lip, as well as several body piercings--might otherwise evoke unease in the buttoned-down culture one floor up.

GhettoHackers is one of several groups trying to change the way society views hackers, as stereotypical malcontents interested only in crashing systems, stealing credit cards and releasing computer viruses. While cybercrime arrests make headlines regularly, groups like GhettoHackers are aiming to help those curious about information security get hands-on experience without doing harm to others.

As unconventional as it may be, the underground school is serious about its curriculum. Homework assignments frequently mark up the white boards that face clusters of bean-bag chairs, making it look sort of like a clubhouse for adults.

"We've put a password file on the server," challenged a recent lesson on the boards. "Grab the file and run a password breaker against it."

To the several men and two women of GhettoHackers, this is "home." The hands-on approach appears to work.

"I'm learning more doing what I'm doing right now than I would in school," said one student, who goes by "Zsnark" because a more common moniker might undercut his credibility in this anarchical world. At 18, he's put college on hold to study security here.

The group's work was even more frenetic than usual this week as it prepared for Defcon, a controversial annual hacker convention that begins Friday in Las Vegas and that, in past years, has hosted people on the FBI's wanted list. Having won Defcon's "Capture the Flag" hacking tournament for three years running, GhettoHackers has been put in charge of the event this year and must act as its system administrator, keeping the network running despite rampant hacking activity.

The contest will stress the group's philosophy that hacking can be a positive act, especially for those still at an impressionable age.

Typically, two types of people are drawn to hacking: those who want to learn and those who want to express power over their environment.

Growing up, Caezar found himself flirting with the dark side. But after playing around with a telephone card scheme that let him make unlimited calls, a visit from two anonymous officials telling him to stop abusing the phone network scared him enough that he stopped. Now, he pegs himself as knowledge-driven and hopes to save like-minded hackers from his experience, or worse.

"It's hard to tell the difference between a police academy and a terrorist training camp if you don't know the social structure they are in," Caezar said, using the analogy to explain why many people fail to distinguish a "good" hacker from a "bad" one. "They both learn target practice and 'how do we defeat things that are coming at us?' These are things that are common between the good guys and the bad guys."


Special report
Why hackers escape
Computer crime
is paying off


That philosophy can be seen in the development of young people like Zsnark, the newest member of the group. He is able to ask for help from experts on hand without getting the common "RTFM" dismissal (Read the F***ing Manual). "If I have a question, there is someone here that can answer it."

For the older members, it's a matter of legitimacy. Aside from some security consulting firms that employ them for their knowledge and ability to attract media attention, most reputable companies won't hire people who label themselves "hackers."

"Some people can make money off their name as a hacker. But most of the time, calling yourself one is a liability," said "md5," a 27-year-old member of the group and the CEO of his own consulting firm. "Most companies don't care if you are into stamp collecting or rock climbing, but tell a client that you like to hack and they don't call you anymore."

Md5's company employs several of the young hackers he teaches, but he doesn't bring up their hobbies with clients who depend on them to secure their networks. Both activities are important to security, he said, "both knowing how to find weakness and how to secure information."

And both pursuits will be represented Friday at Defcon, which has become over the past 10 years a popular mainstream event attracting news media from around the world. For all its publicity, however, companies still don't understand that hackers are not necessarily malicious in nature or intent.

That's unlikely to change anytime soon, said Chris Wysopal, director of research and development for digital security firm @Stake.

"Ethical hacking means different things to different people," he said. "To some, it means hacking for security's sake. For others, it is more hacktivism. Then there is hacking for the pure pursuit of research."


Special report
Passwords: The weakest link?
Hackers can crack most
in less than a minute


Still, he respects GhettoHackers for trying to change the culture from within, as well as educate the public at large.

"The traditional way that a lot of hacking skills have been handed down is the apprentice-master way of teaching," said Wysopal, a one-time member of the Cambridge, Mass., ethical hacking group known as The L0pht. "In that case, it's important for the people who are teaching to be teaching ethics as well."

Which is precisely what GhettoHackers is preaching.

"It's all about teaching the younger people by giving them access to the hardware that 10 years ago they would have been stealing," Caezar said. "We just help bring people up in what's a really freaky landscape right now." 

 
Related news
"Ethical" hacking is not always viewed as a beneficial service, as these recent cases show.

Security researcher or software ripper?
Hewlett Packard has threatened to sue a team of researchers who publicized a vulnerability in the company's Tru64 Unix operating system. In a letter sent Monday, an HP vice president warned SnoSoft, a loosely organized research collective, that its members "could be fined up to $500,000 and imprisoned for up to five years" for its role in publishing information on a bug that lets an intruder take over a Tru64 Unix system.

Consultant highlighting problems or hacking?
A Texas grand jury indicted Stefan Puffer, a self-styled computer consultant, on two counts of computer fraud this week after he allegedly broke into the Harris County Clerk office's wireless network to demonstrate its insecurity to a reporter and the office's system administrator. It is the first known indictment against a person for wireless hacking.

Elcomsoft: Hacker or legitimate helper?
A year ago, the FBI arrested programmer and hacker Dmitri Sklyarov on the Monday following Defcon 9 for violations of the DMCA. They charged him and his company, Elcomsoft, with creating a program that broke the copy protections on Adobe eBook files. Elcomsoft has pleaded innocent, claiming the program, the Advanced eBook Processor, is a legitimate utility that allows backups.

Professor or copy protection scofflaw?
After the Recording Industry Association of America, which represents major music labels, sent him a letter threatening legal action if he published his research, Princeton University professor Edward Felten sued. A New Jersey judge dismissed the charges, however, saying that a letter from the RIAA could not be considered a threat.

Related news

Security czar points finger of blame

Security warning draws DMCA threat

Hollywood hacking bill hits House

Could Hollywood hack your PC?

Selling secure laptops no open-shut case

Taking a stand for PC security

Group offers computer security standard

Hack attacks on Linux on the rise

Homeland defense focus shifts to tech

Homeland security plan skimps on tech

Why hackers are a step ahead of the law

Cracking the nest egg

Anatomy of a hacking

Cyberwar games: Cadets hone their skills

Security confab calls for U.S. spending

Security czar: Button up or get hacked

Security, security, security!

Deciphering the hacker myth

Silicon Valley given call to arms

Russian crypto expert arrested at Defcon

Defcon grows up

Editors: Mike Yamamoto, Lara Wright
Design: Ellen Ng
Production: Mike Markovich