The Mind of a Hacker

Marc Maiffret is a hacker. Maiffret started hacking about six years ago, at age 16, when a friend at school introduced him to computers, and he got hooked on a digital-age narcotic: information. He consumed what he could about the Internet, computers, networks, and phone systems. "I wanted to learn more," says the guy whose teenage handle was "Chameleon" and whose hair color shifts from black to green to blue. Maiffret says some of his actions back then wouldn't meet with widespread approval. "When I was younger, I was up to no good," he admits.

Today, Maiffret could be considered one of the good guys. In 1998, when he was 17, Maiffret co-founded eEye Digital Security, which makes security software that has been adopted by companies such as Prudential Financial. Now he has the title of chief hacking officer, and he and his co-workers help to discover security flaws in software.

Hacker is a loaded word. The hacker community--and it's a thriving online community--includes technophiles, curiosity seekers, cybervandals, and outright thieves and fraudsters. The technophiles love to take apart software to see how it works or what they can make it do. Some write tools and applications such as password crackers, vulnerability scanners, and anonymity tools, and make them freely available on the Internet or hacker Web sites and message boards. Some devote long hours to uncovering flaws in software that make systems less secure by allowing destructive worms and viruses to gain access.

The others--the intruders, vandals, virus writers, and thieves--are criminals, pure and simple. At their most benign, they are trespassers, rummaging through proprietary systems and databases. Hackers also are responsible for Web defacements, denial-of-service attacks, and identity theft. Some see themselves as rebels or revolutionaries, "hactivists" spreading a message of anarchy and freedom. Some are simple mercenaries who write tools, known as exploits, to take advantage of security flaws and make it easier to penetrate systems. In some cases, they sell that information to spammers, organized crime, other hackers, or the intelligence services of foreign countries.

Hackers are blamed for unleashing worms and viruses that have cost businesses billions of dollars a year in damages. The problems they cause have gotten so bad that Microsoft last week created a $5 million fund to provide rewards for information leading to the capture of the people responsible for those attacks. Fed up with the damage done to its reputation and, increasingly, to its revenue stream, Microsoft, working with the FBI, the U.S. Secret Service, and Interpol, is offering a bounty of $250,000 to people who help capture those responsible for the Blaster worm and the Sobig virus, which wreaked havoc this past summer on systems and networks worldwide.Hacker is a term with negative connotations for most of the technology community. "I used to call myself a hacker in the sense that I like to twiddle with stuff, but I don't use that word to mean that any more," says Marcus Ranum, senior scientist at TruSecure Corp., a risk-management and security vendor. "That word has been ruined by little selfish punks."

It's more than a question of semantics. Some of the positive that hacking represents--intellectual curiosity, tech savvy, innovative thinking--is overshadowed by its criminal aspects--the potential for grave harm and mass destruction--but it's a difficult line, especially for young people, who need to be encouraged to embrace technology and its potential. Also, recent laws such as the Digital Millennium Copyright Act and the USA Patriot Act may criminalize what some security researchers see as legitimate avenues of inquiry, limiting the technology industry's ability to help itself and eliminating necessary research or driving it further underground.

That's why it's illuminating to inquire about hackers: Who they are, what they do, and why.

Chris Wysopal is a hacker. Wysopal, VP of research and development at security consulting firm @stake Inc., advises businesses and government agencies how to better secure their computer networks and systems. He has also held jobs at GTE Internetworking and Lotus Development Corp.

Wysopal used to be known as "Weld Pond," a member of security-research group L0pht Heavy Industries, a legitimate but unconventional business that made its name in the 1990s by uncovering and disclosing software vulnerabilities. In 1997, it released L0phtCrack, a tool that could be used to audit and reveal Windows passwords. L0pht (pronounced "loft") was condemned for releasing the password cracker, but Wysopal says the group's mission was misunderstood. The goal of L0pht was to raise security awareness and to provide security professionals with tools "as powerful as the tools people use to break into things," he says. And some organizations saw the advantage. "I think the General Accounting Office was our first paying customer."The distinction between hacker and legitimate security researcher can be difficult to make. In 2001, Maiffret's firm, eEye Digital Security, found a weakness in Microsoft's Internet Information Services server software. The security firm notified Microsoft about the flaw, and Microsoft issued a patch. But a month later, the notorious Code Red worm raced through the Internet and attacked hundreds of thousands of unpatched systems around the globe by taking advantage of the security weakness eEye discovered.

The hacker community itself makes that distinction by referring to white-hat and black-hat hackers, which reflects what sociologist Bernhardt Lieberman refers to as the "dual nature of hacking." There are hackers who are enthusiasts who try to push technology as far as it can go to learn how things work, and there are hackers who are serious threats to businesses and systems, whose intrusions and malicious code cause great pain.

The terms hack and hacker originated in the 1950s at The Model Railroad Club at the MIT. The image of the computer hacker has been romanticized in popular culture in movies such War Games and Hackers. Today, however, the word hacker is commonly used to refer to criminal--or at least arrant--activity. "It's come to mean anyone who works their way around legitimate controls in systems," says Herb Mattord, an information systems instructor at Kennesaw State University in Georgia.

Those clinging to a less-tainted definition of hacker don't think of themselves as criminals. Most say they just want to learn more about computers, says sociologist Lieberman, director of the research firm Social Inquiry and professor emeritus of sociology at the University of Pittsburgh. Lieberman has conducted detailed interviews with 42 hackers, analyzed the content of 2600: The Hacker Quarterly magazine, and attended hacker gatherings.

When asked about their motives for hacking, nearly 100% say they hack for intellectual challenge, to increase knowledge, to learn about computers and computing, or to understand how things work. However, 14% cite attacking authority and the government among their motivations. And 7% say it's to attack capitalism, break the law, or become well-known.InformationWeek posted a series of questions on hacker bulletin boards and Web sites seeking to understand why hackers hack. The responses were illuminating, yet sometimes troubling. "Hacking to me is a way of life. The infinite quest for knowledge is quite stimulating," says Bio_XP. "Being a hacker forces you to think outside the box and look at problems (computer-related or not) in a whole new way. Hackers solve problems that affect us as well as others. By developing software, patches, etc., we help many people, [and] in addition, we help technologies improve and therefore progress."

Another, called LiquidFish, says he hacks because he's always thinking about the vulnerabilities of things and how they can be exploited. "It's just part of who I am," he says. "This extends to every new thing I'm introduced to, not just computer related."

One hacker, whose handle is "unnamed," says motivations vary with each person. "Some like to hack to test their skills and knowledge or just to outsmart an admin," he says. "Others just are adrenaline junkies that like the rush."

One teenage hacker complains that society and the media lump criminals, vandals, and virus writers in with young tech lovers who try to stay within the bounds of the law. "I try not to break the law," he says. "I don't break into networks, though if you look around there are plenty wide open." But today's computer security and copyright laws make it "hard to tell what you're allowed to do and not allowed to do even with the software you buy. Just trying to study the software and write about the security holes you find could land you in jail."

He knows that hacking has a bad reputation. "When I say in class that my hobby is hacking, the teachers always look at me with disapproving eyes like I'm automatically a criminal," the hacker says. "I do not steal data or release a virus. That's all lame and not what I think it's all about."Still, the criminal aspect of hacking is pervasive--and profitable. "Some security companies are paying for vulnerability information, the spamming industry is paying for zero-day exploits, upwards of $5,000, and there are elements of organized crime looking for expertise," says Mark Loveless, senior security analyst at security vendor BindView Corp. Zero-day exploits are software tools or applications that take advantage of undisclosed, unpatched software vulnerabilities. The term refers to the worst-case scenario: a worm or other attack that strikes a vulnerability that no one knew about or could prepare a patch to defend against. "Hackers are attacking hackers and raiding other hackers' zero-day libraries," he says.

Loveless, also known as Simple Nomad, is founder of a hacker lab called Nomad Mobile Research Centre, which provides a way for interested parties to anonymously discuss and share information about computer-security issues "without fear of personal retribution from others." The lab seeks to protect hackers from legal action from software vendors whose code they've reverse-engineered or from government agencies.

Loveless argues that laws such as the Digital Millennium Copyright Act and the USA Patriot Act, combined with the new push to criminalize what he calls "security research," will push even more of this activity underground. The DMCA prohibits any hardware or software that can circumvent copy-protection schemes for digital media such as music, movies, and E-books. Hackers fear that vendors will use these and other laws to prevent them from conducting security research and publicizing the flaws they discover.

"The underground is doing just that, going completely underground," Loveless says. "A lot of things we used to do for research--research that was once questionable--can now be considered a criminal act."

As a result, information about software vulnerabilities and hacking techniques that was once shared in a somewhat open fashion on Web sites, in E-mail mailing lists, and in newsletters and magazines is increasingly being shared among smaller invitation-only groups and through encrypted mailing lists or networks. "The underground is the stuff you don't hear about in the press. It's conversations in encrypted channels about security, security tools, exploits, and vulnerabilities," Simple Nomad says. "The underground is about helping each other out to develop a tool without considering what use the tool might be used for. There's a purity to that, which I find refreshing. It's about pure information."That attitude is naive--even dangerous--in a society that must deal with the risk of cyberterrorism, the cost of identity theft, and the loss of essential services such as electricity and telephones caused by a tool that was developed without considering what the tool might be used for.

The changing views of acceptable behavior have even reached college campuses. Actions that were once accepted, or at least tolerated, at universities are not considered cool any longer, students say. Eric Ogren, a computer-science major at Stanford University, says breaking into computer systems, even without doing any damage, is "pretty frowned upon now around here." But Ogren says there are still plenty of students who hack their own systems and software to learn or to improve security. "There's a lot of that going on, especially here with research into security or just seeing how things work," he says. But the Digital Millennium Copyright Act has changed the way students and others view their activities. "I don't know too many fans of the DMCA," Ogren says.

The DMCA has tempered discussion of security research since its passage in 1998. Researchers began pulling some security tools off their Web sites following the arrest of Russian programmer Dmitry Skyarov at the DefCon security convention in July 2001. Skyarov developed a program published by ElcomSoft Ltd. that made it possible to convert encrypted Adobe Acrobat eBook Reader files into unprotected Adobe PDF files.

A few months earlier, a team of security researchers from Princeton University, Rice University, and Xerox decided not to publicly present research that they had completed on circumventing watermark techniques for digital music. The research was the result of a challenge issued by the Secure Digital Music Initiative, a consortium of companies trying to create open protection specifications. The SDMI tried to block disclosure of the research, saying the DMCA might be applied if the research were disclosed.

In August 2002, Hewlett-Packard sent a memo to a security-research firm, Secure Network Operations Inc. (better known as SnoSoft), citing the DMCA and threatening legal action after the group published code that exposed a serious hole in HP's Tru64 Unix operating system. Ultimately, HP took no legal action.Despite the DMCA, a lot of hacking information can still be found on the Internet. Some sites contain reports about newfound vulnerabilities and research about security flaws. The information that's available includes instructions on "How To Become A Hacker," detailed data on the inner workings of phone and PBX systems, virus-writing manuals, links to Web sites with free security tools used to find vulnerable systems, and application-password crackers. There's everything from serious discussions about newsworthy events relevant to hackers, such as successful legal defenses, to handy tidbits about the inner workings of most operating systems to nostalgic threads titled "My First Hack."

Most security and business-technology professionals have little patience with the argument that hackers help make computer systems and networks more secure. "These chumps have nothing to offer. They have no valuable security contribution at all," says TruSecure's Ranum, who has developed security software since the 1980s and is the author of The Myth Of Homeland Security (John Wiley & Sons, 2003).

But not all. "Bug hunters are absolutely essential [for] keeping systems clean, semi-free of code defects, but most importantly they keep software vendors honest," says a security analyst at a major manufacturer.

Ranum has challenged hackers--at their own gatherings--to prove that they care about improving security. "I told them that if they are so smart, why don't they do something useful. If you want to be cool, write a better antivirus tool. Or if you want to make a wonderful free tool, write a tool that blocks the ability for Windows to run executable programs on your system until you have authorized that it is OK to run that executable."

Ranum laughs at the idea that it takes a hacker to stop a hacker. "They often make the analogy that if you want to build a strong safe, you need to hire a safecracker," he says. "That's pure nonsense."Researcher Lieberman would like to see kids taught about the ethics of computer use and hacking and says businesses should be willing to foot the bill. "The government is busy chasing terrorists, but financial institutions are losing millions," he says. Schools should develop courses to channel the desire to learn about computing into positive avenues, and businesses should be willing to finance those efforts. "With financial institutions losing millions to hackers, they ought to be funding the development of special learning programs," he says.

Kennesaw State's Mattord agrees. "There's no age that's too early to start, and it would help some students on the edge from going over," he says.

A few who spent their teenage years hacking doubt that education would make a difference. "A lot of people doing this stuff like doing it because they're doing something illegal or edgy. It's about the thrill of it," eEye Digital's Maiffret says. "I don't think it's the same thrill to break into some university system where you're allowed."

The need for that edginess may provide additional insight into the thought process of hackers--and people attracted to work in security. "It takes a certain mind-set to understand security," says Bruce Schneier, founder and chief technology officer at Counterpane Internet Security Inc., a security-services firm. "I can't walk into a store without figuring out how to steal something. I can't walk into a voting booth without seeing if I can vote twice. Normal people think about how systems work. Security people think about how systems can be forced to fail."

Richard Thieme, who writes and lectures about computer security and has spoken at numerous hacker and security conventions, agrees. "You can't be a good security person or good cop unless you know how a criminal thinks, and you can't know how a criminal thinks unless at least part of your heart is devoted to the black arts of larceny," he says. "It's all about how you choose to channel and harness that energy."To Thieme, hacker means "unconventional thinkers, people who are unconventional in every way and who refuse to accept no. If they're told the machine wasn't meant to do something, they figure out a way."

Maiffret thinks most hackers will follow their own paths no matter what. But people shouldn't assume that hackers are automatically bad. He cites a recent case of a 17-year-old who E-mailed eEye about a security flaw he believed he found in Microsoft software. "He wanted to know if it was exploitable and how to work with Microsoft," Maiffret says.

It turns out that the teenager had in fact found a real security hole that needs to be patched. "We introduced him to the right people at Microsoft," Maiffret says. "It's his bug, so we're just following along to make sure it's all handled properly."

A nice story. But it's small comfort for business-technology managers worried about someone getting access to sensitive customer data or battling wave after wave of worms and viruses that threaten critical systems and networks and drain their budgets. Until this onslaught is brought under control, hacker will continue to be a dirty word to most business-technology and computer-security professionals.

HACKERS FACE LONGER SENTENCES

Convicted virus writers and hackers face stiffer penalties under federal sentencing guidelines to take effect November 2003. Members of Congress had called for longer prison terms for cybercriminals, and earlier this year the U.S. Sentencing Commission obliged them with new guidelines for a variety of computer-related crimes. For example, a hacker who deletes medical records, disables emergency systems such as 911, or causes death or serious injury now faces 20 years to life in prison. The maximum jail sentence for most other computer crimes ranges from one year to 15 years.Those convicted of creating a computer worm or writing a virus can expect 50% more time behind bars than those who committed their crimes before Nov. 1. Hackers who share the information they steal on the Internet will see their prison time doubled. Hackers convicted of stealing personal data or taking over an E-mail account will see 25% more time tacked on at sentencing.

"The government is saying that invasions of privacy are serious crimes and need to be treated like other forms of theft," says Mark Rasch, former head of the Justice Department's computer crimes division and now senior VP and chief security counsel at security vendor Solutionary Inc. "They're also sending a message that interfering with critical infrastructure will have serious consequences."

In August, authorities arrested Jeffrey Parson for allegedly writing and releasing the Blaster-B worm variant. Parson faces up to 10 years in prison and a $250,000 fine if convicted. Under the new sentencing guidelines, he could have faced up to 15 years if convicted.

Serial hacker Adrian Lamo, who gained attention for breaking into the computer systems of large companies and then offering to help fix the security flaws for free, surrendered to authorities last month. A federal complaint alleges he illegally accessed The New York Times' network and racked up a $300,000 tab for searching LexisNexis and altered a database containing the personal information of editorial page contributors. Lamo faces up to 15 years in prison and a $500,000 fine. He would have faced 25% more time under the new guidelines.

It's a big change from 1988 when Cornell University grad student Robert Morris released a worm that infected 6,000 systems on the Internet. He was sentenced to three years probation and 400 hours of community service and was fined $10,000.