The last word: Meet the hackers
I have just found a new best friend and his name is Pyr0. I didn’t choose him because he is entertaining or fun to be with—although he is both. Nope, it’s just that, more than anything, you wouldn’t want Pyr0 to be your enemy. Got anthrax in your laboratory? Pyr0 could steal it. Millions of dollars in a virtual bank account? He could spirit it away. A custom Ferrari guarded by invisible motion sensors? It’s gone in less than 60 seconds. Pyr0 is a hacker. In fact, he is just about the scariest hacker you could possibly imagine, a man who can get into any computer, past any security system, and through any door just for fun.
With his sidekicks Ryan Jones, 33, and Chris Nickerson, 29, Pyr0—aka 30-year-old Luke McOmie, of Denver—has breached security at banks, biolabs, hospitals, financial trading houses, law firms, and multimillion-dollar companies from Beverly Hills to New York. If you are a mover and shaker in the world of security, these guys are your worst nightmare—or, perhaps, the answer to your prayers.
Because, while he once flirted with the seamier side of the hacker world, Pyr0 is now one of the good guys, a man paid tens of thousands of dollars a week to put his knowledge of the dark arts to use in capers that wouldn’t look out of place in a Mission: Impossible movie.
I find Pyr0 in Las Vegas, milling around Defcon, the annual gathering of hackers from all over the world. This is where you come if you’re a novice hoping to hone your skills; a security consultant eager to warn of a new threat; a Black Hat hacker looking for a fresh criminal enterprise; or an undercover spook seeking solutions to the Next Big Thing, the smart threat that could take down a country’s infrastructure.
This year, its 16th, Defcon is held at the Riviera Hotel and Casino on Las Vegas Blvd. Some 8,000 individuals, mostly white males dressed in combat pants and black T-shirts, are here to hack and play. At a gathering like this, there is a whiff of anarchy in the air. These guys might look geeky but they’re smart, and they know it. There are pony-tailed consultants made rich on the ignorance and paranoia of the rest of us. There are wan “basement bunnies”—kids with “I live in my parents’ basement” stickers on their Apple Macs or “Carpe Noctem” emblazoned on their T-shirts. There are talks and workshops in which the jargon could turn a hyperactive child into a narcoleptic (Time-Based Blind SQL Injections Using Heavy Queries: A Practical Approach to MS SQL Server, MS Access, Oracle, MySQL Databases and Marathon Tool, anyone?). There are parties with naked table dancers and competitions at which hackers hack hackers or try to spot undercover FBI agents.
It all sounds like fun, and it is. But underlying all this chaos is something serious, something that goes to the heart of all our lives, to commerce, industry, and travel, to communications, health, and entertainment: the survival and viability of the World Wide Web. Because unbeknown to most of us, there is a constant battle between the forces of good and evil over how the Internet and its attendant technology should be used or abused. This annual gathering is one of the reasons why, so far, the forces of good are on top.
Hark back 25 years to the movie War Games—in which a computer geek gets inside a U.S. Department of Defense missile control center, sparking the threat of global thermonuclear war. That film spawned what we imagine a hacker to be. The Internet made it real and the proliferation of home computers made it potentially dangerous.
Mostly for fun, curious youngsters would try to crack passwords into self-contained systems and have a look around. But that was before the Internet spelled commerce; and that, of course, equaled credit card payments, money, and fraud.
With the advent of the profit motive came new definitions of the word. There are now White Hat, Black Hat, and Gray Hat hackers. The Whites do legal stuff for good reasons, the Blacks do it for criminal financial gain, and the Grays sometimes do bad things with good motives.
In between the games, partying, and gambling, I try to persuade Black Hats to show me some cool stuff, but there are problems. The usual response is: “Are you wearing a wire?” but the difficulty is more fundamental than that. If they do something they shouldn’t (which they do all the time), they are committing a federal offense, and if they show me, I am committing an offense if I don’t immediately call the cops.
So I meet Loki, a systems administrator with a big Minnesota corporation, in a darkened hotel room, to see exactly what a hack is. Because of the legal constraints, what he does is small beer, but as a demonstration it works for me. He takes us into a university—outside the U.S.—to show how we could, for instance, change someone’s grades or even look at people’s credit card details.
Hackers look for vulnerabilities in programming and when they find them, they write instructions into that program, making it possible for them to execute commands. This is called an exploit. Previous successful exploits are sometimes posted on archive websites such as Milw0rm.com so that they can be used again and again on vulnerable websites. It’s a bit like buying an off-the-rack suit.
In our case, Loki finds out from Google that the university, let’s call it the Foxtrot Academy, invites students to post photographs on one of its servers using a photo-sharing program called Coppermine. Some time ago, someone found a fault in Coppermine and wrote an exploit, which he put on Milw0rm for everybody else to use.
Loki gets a copy of the exploit, sends it through to the Foxtrot Academy website and, bingo, he is inside as if he were an administrator with limited access. He then adapts another off-the-rack exploit to bypass the need for passwords and, suddenly, we are looking at files entitled Finance, Housing, Market, and so on. We don’t open any of them, but it’s a fair bet that Market contains details of sales of university sweatshirts and paraphernalia, possibly with customer and credit card details. Accomplished hackers write their own exploits. Individuals who simply use off-the-rack exploits, without ever adapting them or writing their own, are called script kiddies.
As more and more individuals and institutions do business over the Internet and make increasing use of wireless networks, their vulnerabilities increase. One way to find out just how vulnerable they are is to hire Gray Hat hackers. Pyr0 tells me about one of his cases involving Symbolic Motors in La Jolla, Calif. Symbolic, which supplies Ferraris, Aston Martins, and Bentleys to the stars, is arguably the most lucrative dealership in the U.S. It wanted to find out just how good its multimillion-dollar security system was, so Pyr0 and his friends Jones and Nickerson, who call themselves ethical hackers, went to work.
“First we did a bit of Dumpster-diving, looking in their trash, to find out who their computer company was,” says the spiky-haired Pyr0. “Then I paid a visit, posing as one of their technicians and got access to Symbolic’s servers. I secretly installed a wireless network behind a desk while I was there, which allowed Ryan, who was in a car outside, to begin hacking into their computer system remotely.” While Jones was downloading Symbolic’s files—details of sales, prices, film-star customers, and so on—Pyr0 was wandering around the building taking pictures. There was no alarm security above the ground-floor showroom and the roof skylights were not alarmed. In the showroom, he worked out the blind spots in an array of motion sensors.
Meanwhile, Nickerson, posing as a potential customer, was taking pictures with a camera disguised as a Zippo lighter. He stuck a tiny wireless camera to the back of a Bentley advertising display aimed at the keypad that switched the alarm system on and off. Outside in the car, Jones zoomed in on his computer and captured the code when a member of the staff punched it in.
That night, they broke in through the unalarmed skylights, exploited the motion sensors’ blind spots, crawled to the alarm keypad, and switched off the system. They opened the showroom doors, drove out a Lotus, and returned it—parking it the wrong way round.
“The owner was pissed off when he came in the next morning, but then he realized that he ought to take better advice over his security,” says Pyr0. “When I was a kid, I used to do some dark stuff—mostly trying to get free phone or Internet time. I think growing up and having two sons changed me and made me more responsible. I still get to face tough hacking challenges, but now I do it for good reasons.”
The White Hat star of this year’s Defcon show is Dan Kaminsky, the 29-year-old director of penetration testing at IOActive, a Seattle-based security consultancy. Several months ago, Kaminsky realized that the system that turns website names into numbers that computers read (the Domain Name System) was flawed across the entire Internet and had been for years. It meant that you might type in your bank’s website address but be redirected by crooks to a spoof site on which you would innocently type in all your secret details. And almost every site on the Internet was vulnerable.
Some hackers I speak to estimate that Kaminsky could have sold his discovery to organized crime rings for as much as $10 million. Instead, he secretly called together all the major Internet players and kept his discovery quiet until a remedial “patch,” a temporary programming solution, could be found and distributed. Some say he saved the Internet as we know it.
“It was amazing to see how everyone worked together to find a temporary solution to the problem,” says Kaminsky. “It isn’t completely fixed yet, but it will be. And a year or so down the line, the Internet will be more secure than it has ever been. I feel very proud to have played a part in that.”
So, what are we to think of the Defcon hackers? According to the Pentagon, they were once a hindrance, but now, collectively, they’re viewed as a huge unpaid resource. As a measure of just how seriously they are taken, the Defense Department was joined at Defcon this year by officials from the Department of Homeland Security, the National Security Agency, the Federal Bureau of Investigation, and the Internal Revenue Service. Each agency had at least one officer on the floor wearing a badge, but they all had undercover agents here, too. Says Jim Christy, director of future exploration at the Defense Department’s Cyber Crime Center: “These guys have become our eyes and ears.”
Hackers are sometimes rightly vilified. The basement bunnies and script kiddies give the pastime a bad name, while organized crime lures the Black Hats with the promise of easy money.
But when, by contrast, you hear how great the good guys are, you realize that hackers reflect nothing more than society at large. Some of them are good, and some of them are bad. On the whole, I take my (white) hat off to them.
From a story by Steve Boggan originally published by the London Times. Used with permission. All rights reserved.