It takes a hacker to catch a hackerPart 1: Security experts flock to Las Vegas to recruit hackers
Part 2: Beyond the pranks
Part 3: Merging with the enemy
Part 4: In full swing
Published: August 10, 1997
Special to the Mercury News West magazine
I'M IN A rental car with a couple of beefy computer hackers headed for the Las Vegas desert. The guy at the wheel looks like a cross between Jerry Garcia and an aging Rambo. In the trunk is a Russian-designed, Chinese-made semi-automatic rifle, several 9mm semi-automatic handguns and enough ammunition to wage an assault on a casino.
Two motorcycle cops are circling back, accelerating toward our car. Rambo is muttering. He wanted to eat breakfast at Taco Bell but we preferred McDonald's. There was a last-minute lane change, and the cops are pulling us over. Rambo gets out slowly, leaning heavily on a wooden cane. His straggly gray hair is so long it nearly covers up the words on the back of his T-shirt, ``Hard Glock Cafe.'' On the front of his shirt there's a picture of the Glock handgun, right there for the officer to see.
Rambo can't find his registration. He's tearing through the glove compartment, the back seat, the sunglassed motorcycle cop watching every move. What if he asks to look in the trunk?
If the scene sounds strange, consider this: Rambo and the guy in the back seat next to me are premier corporate hackers, technical top guns who earn thousands of dollars to attack giant information systems and find vulnerabilities. To understand how the guns and cops fit in, you need to know what drew these hackers to the desert.
But Def Con is different this year -- and not only because 1,000 people have come, and ABC's ``Prime Time Live'' is filming it. Kids with backward baseball caps still show up, but now so do the major leaguers -- guys like Rambo, who works for IBM. And more than a few of the longhairs and kids with dyed do's at the conference are earning six-figure incomes for hacking or programming -- without the benefit of a college education. Hacking isn't just cool -- it's also profitable and, increasingly, respectable.
Computer security is big business -- and a growing worry for corporate and government types. In a reversal of company policy, Microsoft sent senior staffers to Vegas to break bread with hackers (I'm speaking literally: Microsoft picked up a $600-plus restaurant tab at the glitzy New York, New York hotel and casino) and attend briefings with hackers skilled at finding bugs in operating systems and software. Representatives from Cisco, Goodyear, IBM, the Army and the National Security Agency made the trip, too.
And no wonder. Recent headlines and studies suggest computer systems are more porous than ever and attacks are on the rise. Earlier this summer Mountain View's Netscape was embarrassed by a hacker who discovered a major bug in its browser and then demanded hush money -- or he'd go to the media with the flaw. San Jose's Netcom was taunted by a teenager who revealed to the press that he'd been eavesdropping on the Internet service provider's voice mail since he was 13. Web sites have become favorite targets of the computer underground, and in the last year Web pages at the Justice Department, CIA and Air Force have been tampered with.
``Half of all reported break-ins are what we call hit and run attacks, graffiti attacks,'' says Eugene Schultz, director of SRI International's information security consulting practice in Menlo Park. ``The goal is disruption or destruction.'' But Schultz and others say these mostly amateur attacks are part of a broader problem. A 1997 Computer Crime and Security Survey by the San Francisco-based Computer Security Institute, with the assistance of the FBI, found that corporate financial losses from computer security breaches are common. Seventy-five percent of the nearly 250 organizations that responded to the survey reported financial losses -- everything from financial fraud to theft of proprietary information, sabotage and computer viruses. The estimated total losses: more than $100 million.
``Network security was bad enough before electronic commerce,'' says Richard Power, director of the Computer Security Institute. ``Then companies opened their enterprises to the Internet.'' Power recommends companies test their security by hiring IBM, SRI International and other reputable firms to do ``tiger'' or penetration testing. Think of it as like paying a professional safecracker to break into a bank vault: Experts try a number of methods to hack into a company's computer network, and then prepare reports showing where weaknesses lie. ``It provides empirical proof of a company's security or insecurity,'' says Schultz, who heads a 14-member tiger team. ``In other words it's a wake-up call to management.''
Security checkups range from a few thousand dollars to check a single network server to hundreds of thousands for enterprise-wide, monthslong investigations. Top penetration experts earn more than $200,000 a year. Although experts warn against hiring hackers with a criminal past or underground connections, people who fit the broader definition of hacker (clever programmers who don't know the meaning of impossible) and computer security professionals are meeting, comparing notes, finding new common ground and career opportunities.
``I used to look at these conferences as events for kids in black T-shirts,'' says Michael Harris, a vice president of IT security consulting at Wells Fargo Bank in San Francisco. ``Now I think of it as a nice quality-testing environment for improving software.''
Part 2: Beyond the pranks