A Haute Commodity

TIMES STAFF WRITER

In the world of computer hacking, DEF CON--an annual two-day fest of beer drinking, tech talk and conspiracy theory--was once the center of it all. Hackers would gather amid the swirling excess of Las Vegas and for $40 revel in a low-budget locale where discussing radio scanners and Windows NT security weaknesses was considered a great way to spend the weekend.

But now the center of the hacking world has clearly shifted. Just before the convention, which runs through Sunday at the Plaza hotel, the organizers of DEF CON put on a related event, the Black Hat Briefings--a $995 affair held in the opulent environs of Caesars Palace designed to teach corporate executives, government officials and system administrators how to protect their systems from hacker attacks. It was a rousing success, drawing 350 people mostly in suits, military uniforms and polo shirts as opposed to DEF CON’s typical T-shirts, tennis shoes and body rings.

“For me, Black Hat is where the interesting stuff is now,” said Jeff Moss, the organizer of both Black Hat and DEF CON. “Interesting isn’t beating your head in for four days trying to break into a company.”

Boosted by the growth of the Internet and the prospect of billions of dollars through online sales, the art of hacking--once a craft largely practiced by only the military and the technological counterculture--has become big business.

*

Hacking has gradually changed into a legitimate field known in the computer industry as “information security.” Hackers, the technological equivalent of the hippies of yore, are now called “penetration testers” and “vulnerability analysts.” Corporate headhunters prowl the DEF CON convention floors, offering salaries as high as $90,000 for penetration testers with just a few years of corporate experience.

Information security is now a huge industry, encompassing the development of protective network firewalls, secure electronic commerce systems, virus prevention and detection software, encryption and user authentication systems.

With the tidal flow of dollars--and the development of powerful hacking tools that even a child can use--a subtle pressure has also been exerted on the culture of hacking, drawing off the best of the older generation of hackers into the corporate world and swelling the ranks with hordes of new arrivals sporting DEF CON T-shirts and tattered copies of the hacker magazine 2600.

“Any hacker who learned something either ends up now working for a company or as a consultant,” said Christian Valor, a 30-year-old former hacker who now runs a security consulting firm in San Francisco. “It’s where all old hackers go to die. We gave up our 2600 T-shirts and don Armani.”

DEF CON was created in 1993 to commemorate the passing of another generation of hackers. Moss, then 22, had once run a computer bulletin board--a kind of electronic meeting place--for hackers and wanted to throw a party for a group that was disbanding.

Moss, known on the networks as Dark Tangent, thought it was time for everyone to meet face to face after years of knowing each other only through electronic messages. He named the event DEF CON--referring both to the Strategic Air Command’s defense alert conditions and to the event being a “def,” as in good, convention. The first event was attended by 110 people, and it has been growing ever since.

Moss, who now works as director of security assessment services for San Jose-based Secure Computing, said he began to sense a change in the hacker underground about two years ago when representatives from large computer companies began appearing at DEF CON, searching for experienced hackers who could navigate the arcane world of network security systems.

Karan Khanna, product manager for Microsoft’s Windows NT security systems, said that in the past, companies largely viewed network security as a time-consuming money pit of development. It was just a necessary feature of network operating systems, like a radiator in a car.

The rise of the Internet transformed the equation. Information security has become one of the key pieces in constructing the economy of the future, necessary for everything from online buying to secure e-mail.

The Internet was also bringing a large number of new hobbyists into play. Unlike an earlier generation that had to discover the workings of the electronic world on their own, the new hackers found a variety of software tools, such as L0phtcrack and Satan, that essentially reduced hacking to a form of recipe following. These were simple tools that could wreak havoc on a network.

Khanna said maintaining an adversarial relationship with all hackers was futile. His group began to reach out to the most skilled hackers through conventions such as Black Hat.

The appearance of DEF CON has changed little over the years, despite its growth and the influx of corporate dollars. It is still largely a gathering of young, male computer users who see DEF CON as the modern equivalent of an antiwar march.

This year, about 2,000 are attending the conference. Vendors are doing a brisk business in everything from OpenBSD T-shirts to retina scanners. There are more books for sale on creating a new identity and using a scanner than any person would ever want to read in a lifetime.

Moss said that the crowd has changed a bit over time, becoming less elite and more of a party than before. The hacker’s quest for technical knowledge has become overwhelmed by the cookbook power of modern hacking tools. The clearest sign of the change was seen in the T-shirt slogan for this year’s DEF CON. Six years ago, the first convention used a satirical version of the 1st Amendment showing government and big business appropriating the Constitution for their own purposes. The fourth convention had the simple, but cocky: “Why? Because we can.”

Standing in the midst of the DEF CON chaos with an eight-inch, spiked Mohawk, 20-year-old Sebastian Lenoir spoke nostalgically about the old days. “It’s no longer profitable to be idealistic,” he said. “If I go to a company for a job, I go in a suit. Buzz goes the Mohawk.”

Lenoir, who sets up network security systems, said computer crime has become a bit tired. “I can either hack a system or sit there and work for a company to help test their system,” said Lenoir, who goes by the computer handle Mr. Mojo. “It’s the same thing, except one is legal and one is not.”

But like any movement, there are always those who continue on the old path long after others have departed.

*

One of the most famous of those groups is a Boston collective of seven friends known as the L0pht, a hacker-ish distortion of the word “loft,” which describes their makeshift workplace. The L0pht was created by a hacker known only as Mudge, or Dr. Mudge, as most call him these days. Mudge still hews to the old style of not disclosing his real name or age. It’s just a policy with him.

Mudge is best known in recent times for his creation of L0phtcrack, which exploits a once-obscure but now widely known weakness in Windows NT that allows hackers to read user passwords.

Mudge works for a large technology firm during the day and dedicates his nights to understanding the deeper workings of technologies. Windows NT is boring now, he said. He has moved on to studying wireless communications.

He does it for the same reason he started hacking years ago--a pursuit of the deeper reality of technology. In many ways he sees himself in the mold of ‘60s radical Abbie Hoffman, the classic free spirit. The hacker world, Mudge said, is filling with Jerry Rubins. Rubin, another ‘60s radical, eventually joined the establishment.

“For every Abbie Hoffman, there’s a bunch of Jerry Rubins, but you only need that one Abbie Hoffman,” Mudge said. “If you don’t have that Abbie Hoffman, the world would be a futile place.”
