VANCOUVER, B.C.--Black hat or white hat?
That was the seemingly innocuous question that greeted attendees at the
CanSecWest conference this week: Do you want the white baseball cap
or the black one? (Gray caps were reserved for speakers.)
Yet within the security community, the question is a litmus test that
differentiates between those who use their knowledge to improve computer
security--the white hats--and those who use it to break into computer
systems--the black hats.
Despite the fact that most of the attendees came from reputable
companies, the black caps were gone by the second day.
"When you get down to it, these guys are really all the same personality
type," said Martin Roesch, president of SourceFire and the creator of a
popular open-source intrusion detection system called Snort.
After a day at the conference, just what that personality type was
seemed clear: Not good or bad, just monomaniacally curious.
That curiosity first focused on the hotel's high-speed network.
By registration time, an attendee had already gotten the password to the
hotel's phone system (but didn't use it), and a day later, the hotel's
high-speed Internet system had been accidentally crashed by another
attendee who had taken over the hardware connecting the hotel to the
Internet. (It was resurrected soon after.)
Richard Johnson, security administrator for the National Center for
Atmospheric Research, connected an Apple Airport wireless hub to his room's
high-speed Internet port, so he could wander around his room and still
use the Internet. Within five minutes, he said, a handful of hackers from
nearby rooms had hitched a ride on his connection as well.
"They're just playing," he said. "We're all having a good time."
That sort of curiosity made the conference's wireless network a
security nightmare. Almost every person on it was either scanning every
other person's computer or just passively listening to what the other
computers were doing.
The scanning set off digital burglar alarms, called intrusion
detection systems, run by many of the security specialists.
Normally, a typical user with a personal firewall might see a handful of
alerts every hour, on a busy day. SourceFire's Roesch, sporting a black
cap, said he saw 2,300 alerts on his computer in less than five minutes.
By the end of the conference, paranoia had set in. Type a password into
Yahoo? Someone most likely knows it. Send an e-mail to a friend?
Someone's reading it right now.
Suddenly, the Internet seemed a lot less safe. Of course, that's the
whole point of what these people do.