X

Shades of gray at security conference

Black and white meet at CanSecWest in Vancouver, as hackers mix with law enforcement officials, government agents and network-protection experts to discuss security.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
See full bio
Robert Lemos
3 min read
VANCOUVER, British Columbia--Near a table laden with coffee, tea and croissants, David Dittrich, senior security engineer for the University of Washington, discusses the newest tools of the trade with a hacker-cum-security-consultant known as "K2."

They're a study in opposites: K2, stocky and jovial, has created, among other things, a "rootkit"--a tool for locking down unauthorized control of a server after an initial hack. Dittrich, tall and mainly serious, found K2's rootkit on several systems at UW, put there by a hacker who grabbed K2's tool off the Net.

Was he angry? "I mainly thought it was funny," Dittrich said.

In fact, the two--who some might think should be on opposite sides of the computer-security fight--actually work together. They're both involved in a project aimed at creating networks that act as an electronic bell jar, putting network attackers and their techniques under observation.

The relationship between Dittrich, who is widely considered a "white hat" security expert--one of the good guys--and K2, who some consider a "black hat," is typical of many who have met here at the CanSecWest security conference.

Despite the Sept. 11 terrorist attacks and the renewed suspicion that many security experts feel is directed at their profession, the hackers and security gurus that attend CanSecWest haven't quietly gone away.

While attendees mostly consist of independent security experts--in other words, hackers gone legit--a large portion of industry experts and a handful of law enforcement and government agents are also attending.

Among the topics on the agenda: vulnerabilities in Microsoft's .Net software-as-a-service plan; university networks as a playground for online vandals; and the legal ramifications of monitoring hacker activity.

Though the opposite sides mix, they don't always mingle, said K2. "A lot of the government people don't talk about what they are doing, so in some cases, it's one-sided," he said. "It needs to be a two-way street."

"Simple Nomad," an old-school hacker who works for security company BindView, had an animated discussion with a small bevy of government workers and law enforcement officers about government security.

Collegial? Perhaps. Yet, later in the day, Simple Nomad gave a presentation on the various ways terrorists--and the average Joe--could secretly communicate information to each other and managed to jokingly thumb his nose at the government in the process.

But while the new concerns brought on by the World Trade Center attack haven't driven the crowd here underground, they have changed things.

In the shadow of the attacks, security consultants and tool hackers have, in many ways, dialed down their activities a notch, said Dragos Ruiu, an independent security consultant and the organizer for the CanSecWest conference.

"You might as well be an assassin," Ruiu said. "The penalties are smaller to kill someone nowadays than hacking into a computer."

The problem, Ruiu says, is that the tools created by hackers have two uses: They can be used to compromise systems, but they can also be used to secure them. Most people don't understand that and would rather clump any who use the tools together in the same "bad guy" category.

"People distrust things they don't understand," Ruiu said. "The black magic factor is high."

Ruiu said he expected that most people at the conference would fall into the white hat--or security-conscious hacker--category, but there was no way to be sure.

"You never know who the threats are," Ruiu said. "You really can't tell who the people are that do the bad stuff."