‘Hacking Ain’t What It Used to Be’

It’s 2 o’clock in the morning and up on the 25th floor of the Aladdin Hotel, Deth Veggie, who is 23, and Grandmaster, 27, are feeling their age. They’re reminiscing about the good old days of computer hacking and they’re growing rueful. Young hackers, they complain, have no idea what the older generation went through.

“In our day, you had to stumble onto the Net. Now, it’s in your face,” says Grandmaster, who in 1984 published one of the world’s first electronic magazines from his Lubbock, Texas, bedroom by uploading his musings on life, music and hackers to pirate bulletin boards.

“That’s right,” agrees Deth Veggie. “We had to walk 10 miles uphill through the snow to use the Net and then crank the handle, give a push and run and jump on. And remember when it was 110-baud, GM?”

Grandmaster shakes his head. “Yeah, man, it was bells and whistles and string and Pringles cans. Oh, we had it rougher than kids today.”

Grandmaster laughs at his geezer impersonation, but at the Aladdin on July 12, site of DefCon, the hackers’ fifth annual convention, not all laments for the pioneering past are ironic. Often they preface ageless gripes about contemporary shortcomings.

“Kids today, they’re in for the thrill, not the knowledge,” says se7en, at 28 a veteran hacker from the Bay Area. “They don’t want to spend 10 to 12 hours a day in a dark room for 10 years learning about systems. They say, ‘Show me how to grab this file or crash that server. Oh, that’s neat. Now show me something else cool.’ ”

Se7en’s handle derives from seven-digit telephone numbers--he’s an old phone “phreaker.” In ancient times, more than 15 years ago, he’d sneak through phone lines onto the Internet, then the Department of Defense-funded preserve of Cold War eggheads.

Now point-and-click technology ushers millions onto the Net. Companies compete desperately to produce operating systems, servers, data bases. Kids today can “recipe hack”--instead of cooking up strategies, they download readily available hacker tools and then joy ride through systems.

“Hacking,” se7en sighs, “ain’t what it used to be.” These days, he is not so much se7en, hacker, as Christian Valor, computer-security specialist, who is hired by companies around the country to break into their systems and show them how to plug the holes.

Valor says he charges $2,800 a day. At least once a month, he says, an agent from the FBI’s National Computer Crime Squad asks him to lunch and picks his brain. He goes, he says, “as a public service.”

Many of the hackers’ refrains have a civil-service ring. They say they get no respect. Stereotyped as criminals, maligned in the media, “exploited” by employers--hackers, you might say, are smartin’.

“No matter what we do, we’re the bad guys. They say, ‘We can’t trust you, you’re going to break our system,’ ” says Sluggo, a 30-year-old Canadian who’s a good candidate for the Hacker Hall of Fame and an employee of an international information-security company.

Sluggo would like to integrate his Batman and Bruce Wayne personas. “I’m tired of the cloak of darkness. We should be able to stand up and say, ‘Here’s who I am, this is my real name, here’s where I work and we’re great and we’re doing you a service.’ Everybody is so stinking excited about getting on the Net and getting their piece of the action and it’s full of holes.”

*

You could also say that some hackers are conflicted. Technical vulnerabilities are a multibillion-dollar-a-year problem, says Ira Winkler, director of technology for the National Computer Security Assn. in Pennsylvania. Many top hackers now work on anti-hacking projects. Poachers may now be gatekeepers, but their bosses remember that not long ago they were climbing over the fences.

“If you hide your whole hacker background--which is how you got to know so much more cool stuff than a lot of people--you get further ahead,” says Dark Tangent. “You have to say, ‘I have an intrinsic knowledge of Sun-OS,’ when everybody knows that really means, ‘I can break into Sun-OS.’ ”

Some newly legitimate hackers, especially those who have accumulated some of life’s accouterments--such as children--manage to reconcile cashing the checks and trashing the product. “It’s all changing. We all work for large companies. We all have as much access as we want,” says daemon9, a.k.a. Route, whose mother calls him Michael. He’s 23, lives in the Bay Area and is editor of Phrack, an online magazine. “We grew up, got richer and learned that everybody’s paranoid.”

DefCon, named after the Strategic Air Command alert conditions, is where hackers who have made friends electronically meet face to face, share secrets, get drunk. In the Aladdin’s Magic Carpet Room, about 1,000 guys, mostly under 25, mostly white and mostly dressed in black, discuss their concerns, among them the “Newbie” question: “Should they be handed information or learn on their own?”

Conventioneers play “Hacker Jeopardy” and “Spot the Feds” (hint: khaki shorts, clean white Reeboks, ankle socks). The goal in games of hacker-style “Capture the Flag” is to bring down everyone else’s server while protecting your own.

A new spirit of cooperation between hacker and his natural-born foe, Fed, was evident this year. The first-ever “Black Hat Briefings,” presented by DefCon organizer Dark Tangent / Jeff Moss of Seattle, introduced “white hats” to the hackers. About 35 from the Pentagon, FBI, CIA and National Security, and an additional 65 from banks, corporations and universities, paid $1,000 each to listen to 22 hackers expose up-to-the-nanosecond technical vulnerabilities.

Most hackers are benign, says Richard Thieme of Milwaukee, a former Episcopal priest who has become an online pundit of hacker culture. “It’s the same old story,” Thieme says. “It’s not what you do that’s a problem. It’s your perceived allegiance.”

In some ways, the subculture has changed very little, says Douglas Thomas, a USC communications professor writing a book about hackerdom. Many of the hackers from the mid-’80s are still active. At 23 or 24 they are elder statesmen to a generation of 14- and 15-year-olds, and the principle that guides them lives on from that prehistoric period, the 1960s: Information wants to be free. “First and foremost hacking is about learning and boundless curiosity, and breaking into systems is almost incidental,” Thomas says.

Most of the estimated 50,000 hackers in the U.S., claims the National Computer Security Assn.’s Winkler, are “clueless teenagers” who rely on tools that everyone has. Of the 1,000 hackers at DefCon, he says, a dozen are skilled enough to take down the Internet. With another eight or so, they make up a core group of high-level hackers who go into systems and break software and then are nice enough to tell everyone, hoping that the vendors will make the fixes.

“They are not so much interested in protecting the system from other hackers as protecting the public from Microsoft and other vendors,” Thomas says.

*

Some hackers, of course, do go bad. They’re the “crackers” who destroy files for malice or steal them with crime in mind. Crackers have given all hackers a bad name.

Opiate, 22, who works in information security in Canada, takes a harder line. Now when anyone can go online, cracking, he says, is the act of going into files without permission. In these days of Linux, a Unix clone that runs on a PC, hackers don’t need to go “outside.” They can do research on their own network of computers.

That’s how the L0pht in Boston works. For example, Mudge and others from his group never hacked Microsoft to expose the weaknesses in Windows NT that they broadcast on their Web site. Instead, they did research on about 60 computers built from scraps.

“Hackers are almost a consumer watch group,” Mudge says. “If I buy a car and the thing falls apart, I can go back and demand repairs. In the software world, everybody is complacent. Vendors say, ‘Hey, you weren’t suppose to close the door so hard.’ ”

Part of the problem, says Hobbit, also of L0pht, comes from the pressure to get products on the market. “The only way to make companies do something is to post some sort of working exploit and make a big splash,” Hobbit says. “It’s a horrible way to do things, but one of the few that actually gets the attention of the manufacturers.”

This technique prompted the recent security scares on ESPN Sportszone and NBA.com. An anonymous organization “seeking to make the Internet a safe place . . . to do business” sent e-mail messages to customers of the Web sites, which were accused of “a careless abuse of privacy and security.” Recipients were sent the last eight digits of their credit card.

Cryptographer Bruce Schneier remembers when tinkering with computers wasn’t cutthroat. “It was all kind of fun 10 years ago when it wasn’t important and only the Feds really cared. But the Web has changed everything.” Now that it’s about real money, everybody cares, he says.

“You can be in St. Petersburg and attack Citibank,” Schneier says, citing the case of Vladimir Levin, Russia’s most famous hacker. “Things are nastier now that the Net allows you to automate your attacks. You don’t need skills. What you need is ethics.”

An unwritten code of ethics, in fact, does exist, says se7en / Valor, an apostle of hacker responsibility. Look but don’t touch, that’s the Golden Rule. Cruising systems is OK for knowledge, not for profit. Never destroy data. And, a nod to the younger generation, do your own work.