reviewjournal.com -- Business: COMPUTER SECURITY: COMPUTER SECURITY

.	.	BUSINESS
.	.	.	Today's Headlines • Inside Gaming • Online Guy • AP MoneyWire • Bloomberg LV index • Credit Card Offers • Press Releases • Gaming/Casinos • Nevada • Stock Portfolio • Gaming Wire
.	.
.	.




	CHANNEL DIRECTORY

	Arts & Entertainment
	Auto Guide
	Books
	Casinos & Hotels
	Community
	E-forums
	Employment
	Food & Dining
	Fun & Games
	Health & Fitness
	Home & Garden
	Legal Center
	Money
	Obituaries
	Personals
	Real Estate
	Recreation
	Relocation
	Shopping & Coupons
	Technology
	Traffic & Transportation
	Travel
	Weather
	Weddings
	About the site

Contact the R-J

• Subscribe
• Report a delivery problem
• Put the paper on hold
• Advertise with us
• Report a news tip/press release
• Send a letter to the editor
• Print the announcement forms
• Jobs at the R-J

Monday, August 04, 2003
Copyright © Las Vegas Review-Journal

COMPUTER SECURITY: Searching for the full truth

DefCon attendees say their work helps make computers more secure

By MATTHEW CROWLEY
REVIEW-JOURNAL

Hackers Bruce Potter, left, and Pravir Chandra participate in a computer hacking competition during Saturday's DefCon conference at the Alexis Park.
Photo by Christine H. Wetzel.

Roberto Preatoni, founder of zone-h.org, discussed a glitch a beta Windows product during a session at Saturday's DefCon conference at Alexis Park.
Photo by Christine H. Wetzel.

Don't let all the black T-shirts fool you, Steve Orrin said. Being a computer hacker isn't about pursuing evil intent. It's about finding the black and white, the truth.

This year's annual DefCon computer hacking convention, which wrapped up its 11th annual rendition at Alexis Park on Sunday, came amid heightened panic over the quality of Internet security.

Last month, network administrators had to scramble to patch systems when a serious security flaw surfaced in a version of the Microsoft Windows operating system. Left unpatched, the flaw could have let remote attackers control systems they invaded and run malicious code on affected machines.

Because of the vulnerability, the U.S. Department of Homeland Security issued an updated advisory last week about possible hacker attacks on Windows-based computers.

With this scare fresh in the news, Orrin, chief technology officer for a Sanctum, a Santa Clara, Calif., application security firm, said idea sharing at the three-day DefCon convention is as important as ever. By networking with code-writing peers and hearing lectures by security experts, he said, hackers can gather the truth: information necessary to build safer systems and to push for better security.

"Security isn't a technology or a procedure, it's a process," Orrin said. "A few years ago, everybody thought firewalls would save you. Then it was public key infrastructure (a system of digital certification and encryption). But there is no one solution. There is no silver bullet."

Orrin said consciousness-raising by dedicated hackers may have inspired schools to develop secure-code writing into their curriculums.

"If you looked five years ago, or even two years ago, you probably couldn't find many schools offering courses in secure coding," he said. "Now there are probably about 25 schools offering them."

Hackers, people out to understand systems to their fullest, are good, Orrin said, unlike crackers, who are malicious system crashers bent on system damage and data destruction.

Glen Hastings, business development director for Online Security, a Los Angeles-based consulting company, said discussing trends at forums like DefCon matters particularly because security always shifts. Yesterday's threats evolve away, replaced by something new.

"You find a patch for one problem and something else comes up," Hastings said.

A DefCon attendee who called himself Deviant Ollam said knowing the truth is important even if it's ugly, or scary. In one notably frightening Saturday session, Roberto Preatoni, founder of zone-h.org, a Web site posting the observations of hackers, crackers and Internet spammers, discussed a glitch in the beta Windows webserver for Pocket PCs that allowed an invader full remote access. With the access, he said, invaders could tap into maps Pocket PC users made with satellite positioning mapping technology and track those users' whereabouts. If the software were on a combination cell phone and handheld computer, Preatoni said, an invader could steal a user's stored phone numbers or hear a user's stored messages.

"I would rather know the naked truth about what's wrong than not know, no matter how painful that truth is," Ollam said. "Only through a full understanding of security can you understand its faults."

Cindy Cohn, legal director for the Electronic Frontier Foundation, a nonprofit group aiming to protect Americans' digital rights, said DefCon helps inspire hackers to share information they understand with less-aware technology users for the greater public good.

For example, she said, an audience of computer programmers and tech experts at a recent University of California, Berkeley forum roared with laughter at the idea of expecting accurate results from new digital voting machines. The audience knew a system flaw would make it easy to manipulate vote counts and alter an election's outcome, she said.

"That's something this community knows, but the rest of the world doesn't," Cohn said. "And that's the kind of information that's desperately important to get to other people so they can understand it, because our democracy is at stake."

With DefCon attendees' well-meaning spirit, Ollam said, no one should mistake hacker black for a symbol of ill intent. It's just a fashion statement.

"Black is slimming," he said.