Hacking their image

As menacing as this juxtaposition might seem, the group insists that its work is harmless and, in fact, is dedicated to doing good. The founders of GhettoHackers, as the group is called, say its 30-odd members teach others how to crack security only to find flaws so that defenses can be hardened.

"The Ghetto are good guys. So I guess the way to look at us is (as) the boot camp for the people growing up to protect the world," said "Caezar," a 28-year-old security consultant and founding member, whose appearance--which includes two spikes angling from his lip, as well as several body piercings--might otherwise evoke unease in the buttoned-down culture one floor up.

GhettoHackers is one of several groups trying to change the way society views hackers, as stereotypical malcontents interested only in crashing systems, stealing credit cards and releasing computer viruses. While cybercrime arrests make headlines regularly, groups like GhettoHackers are aiming to help those curious about information security get hands-on experience without doing harm to others.

As unconventional as it may be, the underground school is serious about its curriculum. Homework assignments frequently mark up the white boards that face clusters of bean-bag chairs, making it look sort of like a clubhouse for adults.

"We've put a password file on the server," challenged a recent lesson on the boards. "Grab the file and run a password breaker against it."

To the several men and two women of GhettoHackers, this is "home." The hands-on approach appears to work.

"I'm learning more doing what I'm doing right now than I would in school," said one student, who goes by "Zsnark" because a more common moniker might undercut his credibility in this anarchical world. At 18, he's put college on hold to study security here.

The group's work was even more frenetic than usual this week as it prepared for Defcon, a controversial annual hacker convention that begins Friday in Las Vegas and that, in past years, has hosted people on the FBI's wanted list. Having won Defcon's "Capture the Flag" hacking tournament for three years running, GhettoHackers has been put in charge of the event this year and must act as its system administrator, keeping the network running despite rampant hacking activity.

The contest will stress the group's philosophy that hacking can be a positive act, especially for those still at an impressionable age.

Typically, two types of people are drawn to hacking: those who want to learn and those who want to express power over their environment.

Growing up, Caezar found himself flirting with the dark side. But after playing around with a telephone card scheme that let him make unlimited calls, a visit from two anonymous officials telling him to stop abusing the phone network scared him enough that he stopped. Now, he pegs himself as knowledge-driven and hopes to save like-minded hackers from his experience, or worse.

"It's hard to tell the difference between a police academy and a terrorist training camp if you don't know the social structure they are in," Caezar said, using the analogy to explain why many people fail to distinguish a "good" hacker from a "bad" one. "They both learn target practice and 'how do we defeat things that are coming at us?' These are things that are common between the good guys and the bad guys."

By Rob Lemos Staff Writer, CNET News.com August 2, 2002, 4:00 a.m. PT SEATTLE--At a typical Wells Fargo branch here, employees and customers do business each day oblivious to a beehive of activity in the basement. There, five blue-walled rooms serve as makeshift classrooms for other tenants in the building who are light years from the world of banking: an organization of some of the most talented computer hackers in the country.

Hacker groups: GhettoHackers The L0pht (now @Stake) 2600 Other links: IBM paper on ethical hacking Paper on computer hacking and ethics

		Special report Why hackers escape Computer crime is paying off

That philosophy can be seen in the development of young people like Zsnark, the newest member of the group. He is able to ask for help from experts on hand without getting the common "RTFM" dismissal (Read the F***ing Manual). "If I have a question, there is someone here that can answer it."

For the older members, it's a matter of legitimacy. Aside from some security consulting firms that employ them for their knowledge and ability to attract media attention, most reputable companies won't hire people who label themselves "hackers."

"Some people can make money off their name as a hacker. But most of the time, calling yourself one is a liability," said "md5," a 27-year-old member of the group and the CEO of his own consulting firm. "Most companies don't care if you are into stamp collecting or rock climbing, but tell a client that you like to hack and they don't call you anymore."

Md5's company employs several of the young hackers he teaches, but he doesn't bring up their hobbies with clients who depend on them to secure their networks. Both activities are important to security, he said, "both knowing how to find weakness and how to secure information."

And both pursuits will be represented Friday at Defcon, which has become over the past 10 years a popular mainstream event attracting news media from around the world. For all its publicity, however, companies still don't understand that hackers are not necessarily malicious in nature or intent.

That's unlikely to change anytime soon, said Chris Wysopal, director of research and development for digital security firm @Stake.

"Ethical hacking means different things to different people," he said. "To some, it means hacking for security's sake. For others, it is more hacktivism. Then there is hacking for the pure pursuit of research."

		Special report Passwords: The weakest link? Hackers can crack most in less than a minute

Still, he respects GhettoHackers for trying to change the culture from within, as well as educate the public at large.

"The traditional way that a lot of hacking skills have been handed down is the apprentice-master way of teaching," said Wysopal, a one-time member of the Cambridge, Mass., ethical hacking group known as The L0pht. "In that case, it's important for the people who are teaching to be teaching ethics as well."

Which is precisely what GhettoHackers is preaching.

"It's all about teaching the younger people by giving them access to the hardware that 10 years ago they would have been stealing," Caezar said. "We just help bring people up in what's a really freaky landscape right now." 

 

"Ethical" hacking is not always viewed as a beneficial service, as these recent cases show. Security researcher or software ripper? Hewlett Packard has threatened to sue a team of researchers who publicized a vulnerability in the company's Tru64 Unix operating system. In a letter sent Monday, an HP vice president warned SnoSoft, a loosely organized research collective, that its members "could be fined up to $500,000 and imprisoned for up to five years" for its role in publishing information on a bug that lets an intruder take over a Tru64 Unix system. Consultant highlighting problems or hacking? A Texas grand jury indicted Stefan Puffer, a self-styled computer consultant, on two counts of computer fraud this week after he allegedly broke into the Harris County Clerk office's wireless network to demonstrate its insecurity to a reporter and the office's system administrator. It is the first known indictment against a person for wireless hacking. Elcomsoft: Hacker or legitimate helper? A year ago, the FBI arrested programmer and hacker Dmitri Sklyarov on the Monday following Defcon 9 for violations of the DMCA. They charged him and his company, Elcomsoft, with creating a program that broke the copy protections on Adobe eBook files. Elcomsoft has pleaded innocent, claiming the program, the Advanced eBook Processor, is a legitimate utility that allows backups. Professor or copy protection scofflaw? After the Recording Industry Association of America, which represents major music labels, sent him a letter threatening legal action if he published his research, Princeton University professor Edward Felten sued. A New Jersey judge dismissed the charges, however, saying that a letter from the RIAA could not be considered a threat.

Security czar points finger of blame Security warning draws DMCA threat Hollywood hacking bill hits House Could Hollywood hack your PC? Selling secure laptops no open-shut case Taking a stand for PC security Group offers computer security standard Hack attacks on Linux on the rise Homeland defense focus shifts to tech Homeland security plan skimps on tech Why hackers are a step ahead of the law Cracking the nest egg Anatomy of a hacking Cyberwar games: Cadets hone their skills Security confab calls for U.S. spending Security czar: Button up or get hacked Security, security, security! Deciphering the hacker myth Silicon Valley given call to arms Russian crypto expert arrested at Defcon Defcon grows up

Editors: Mike Yamamoto, Lara Wright Design: Ellen Ng Production: Mike Markovich