Monday, August 04, 2003
Copyright © Las Vegas Review-Journal
COMPUTER SECURITY: Searching for the full truth
DefCon attendees say their work helps make computers more secure
By MATTHEW CROWLEY
REVIEW-JOURNAL
Hackers
Bruce Potter, left, and Pravir Chandra participate in a computer
hacking competition during Saturday's DefCon conference at the Alexis
Park. Photo by Christine H. Wetzel.
Roberto
Preatoni, founder of zone-h.org, discussed a glitch a beta Windows
product during a session at Saturday's DefCon conference at Alexis Park. Photo by Christine H. Wetzel.
|
Don't
let all the black T-shirts fool you, Steve Orrin said. Being a computer
hacker isn't about pursuing evil intent. It's about finding the black
and white, the truth.
This year's annual DefCon computer hacking convention, which wrapped up
its 11th annual rendition at Alexis Park on Sunday, came amid
heightened panic over the quality of Internet security.
Last month, network administrators had to scramble to patch systems
when a serious security flaw surfaced in a version of the Microsoft
Windows operating system. Left unpatched, the flaw could have let
remote attackers control systems they invaded and run malicious code on
affected machines.
Because of the vulnerability, the U.S. Department of Homeland Security
issued an updated advisory last week about possible hacker attacks on
Windows-based computers.
With this scare fresh in the news, Orrin, chief technology officer for
a Sanctum, a Santa Clara, Calif., application security firm, said idea
sharing at the three-day DefCon convention is as important as ever. By
networking with code-writing peers and hearing lectures by security
experts, he said, hackers can gather the truth: information necessary
to build safer systems and to push for better security.
"Security isn't a technology or a procedure, it's a process," Orrin
said. "A few years ago, everybody thought firewalls would save you.
Then it was public key infrastructure (a system of digital
certification and encryption). But there is no one solution. There is
no silver bullet."
Orrin said consciousness-raising by dedicated hackers may have inspired
schools to develop secure-code writing into their curriculums.
"If you looked five years ago, or even two years ago, you probably
couldn't find many schools offering courses in secure coding," he said.
"Now there are probably about 25 schools offering them."
Hackers, people out to understand systems to their fullest, are good,
Orrin said, unlike crackers, who are malicious system crashers bent on
system damage and data destruction.
Glen Hastings, business development director for Online Security, a Los
Angeles-based consulting company, said discussing trends at forums like
DefCon matters particularly because security always shifts. Yesterday's
threats evolve away, replaced by something new.
"You find a patch for one problem and something else comes up," Hastings said.
A
DefCon attendee who called himself Deviant Ollam said knowing the truth
is important even if it's ugly, or scary. In one notably frightening
Saturday session, Roberto Preatoni, founder of zone-h.org,
a Web site posting the observations of hackers, crackers and Internet
spammers, discussed a glitch in the beta Windows webserver for Pocket
PCs that allowed an invader full remote access. With the access, he
said, invaders could tap into maps Pocket PC users made with satellite
positioning mapping technology and track those users' whereabouts. If
the software were on a combination cell phone and handheld computer,
Preatoni said, an invader could steal a user's stored phone numbers or
hear a user's stored messages.
"I would rather know the naked truth about what's wrong than not know,
no matter how painful that truth is," Ollam said. "Only through a full
understanding of security can you understand its faults."
Cindy Cohn, legal director for the Electronic Frontier Foundation, a
nonprofit group aiming to protect Americans' digital rights, said
DefCon helps inspire hackers to share information they understand with
less-aware technology users for the greater public good.
For example, she said, an audience of computer programmers and tech
experts at a recent University of California, Berkeley forum roared
with laughter at the idea of expecting accurate results from new
digital voting machines. The audience knew a system flaw would make it
easy to manipulate vote counts and alter an election's outcome, she
said.
"That's something this community knows, but the rest of the world
doesn't," Cohn said. "And that's the kind of information that's
desperately important to get to other people so they can understand it,
because our democracy is at stake."
With DefCon attendees' well-meaning spirit, Ollam said, no one should
mistake hacker black for a symbol of ill intent. It's just a fashion
statement.
"Black is slimming," he said.
|