Designing the Future
by Richard Thieme
Former hackers are designing
the landscape of the future.
Once shaped by their
interaction with a technology that now defines the global business
environment, they illuminate the contours of that landscape for
business and government clients.
But do hackers provide
more value than traditional security consultants? If so, what exactly
is it?
The Professional Services
Division of Secure Computing Corporation includes a number of former
"underground hackers" who work on a team of thirty (eighteen are
CISSPs) with experienced business professionals, academics, and
intelligence professionals, overseen by John Sekevitch, vice president
and general manager of professional services.
Sekevitch strives to
maintain a culture in which his unconventional team can thrive.
"He asks what we need and then provides it," says Mike Bednarczyk,
Worldwide Director, Intrusion Services. "He creates the space in
which we can be productive."
What do they need? The
freedom to sustain a culture that thrives on challenge, novelty,
and a hunger for pushing their knowledge to the limits. Hackers,
as Edward O. Wilson wrote of the most creative scientists, share
a passion for knowledge, a tendency toward obsession, and great
daring.
"It's the best of both
worlds," says Mark Fabro, Worldwide Director of Professional Services.
"We can feed our addiction and make a valuable contribution at the
same time."
About the time that computer
games spread to PCs, the network itself became the game. Playing
on that network designed the minds of these young adepts. A network
designed to be open, evolving, and free has become the infrastructure
of the world.
So the network had better
be secure.
Enter the former hackers.
They bring a unique skill set, but more than that, they bring a
mind-set that enhances their value for clients. If Fritz Perls is
right, that anxiety plus oxygen equals excitement, these hackers
know how to add the oxygen. They understand how to understand a
system, and when they communicate that deeper understanding to clients,
they are not just fixing holes - they are sharing their knowledge
of how the infrastructure works.
Because the only way
to learn how complex systems work is to get inside them, hackers
learn to listen carefully as they explore. They never know if those
virtual footsteps behind them are real or imagined. Which is exactly
the posture in which businesses competing in a global knowledge
economy had better operate.
"We can't believe what
we find," said Fabro. "A large financial organization, working with
billions of dollars, uses an open system to communicate critical
information. They're complacent because they haven't experienced
any consequences yet."
United by an unbridled
passion for finding solutions in the security space, the team does
not try to teach a business its business - they try to communicate
their enthusiasm for seeing the system in its entirety, expanding
the client's vision so the architectonic structure of their enterprise
comes into sharp focus.
Jeff Moss, founder of
DefCon and the Black Hat Briefings, says that hackers are not constrained
by the institutional mind-set of their clients. They're empiricists,
adds Rich Friedeman, a network security specialist. "They look at
systems as they're used in real life. They describe what they see,
not what they have been taught to see."
"Hackers do not follow
an outline," says Robyn Ulmer, who recently left the DOD in search
of a less constrained mind-set. Ulmer was trained as a theoretical
mathematician. "They didn't learn by following the rules, so their
minds don't map a system the way you move from box to box on a flow
chart. They leap into the flow of the information and swim. They
leave room for possibilities."
A large government agency
asked the team to assess its current state of security by evaluating
each part of the enterprise as an individual piece. There were numerous
vulnerabilities - from telephone systems to the intranet to the
extranet. When the team issued a report, individual departments
acted predictably. They defended their turf and blamed one another.
The team could have left
it at that, but instead they suggested that the agency look at the
entire system AS a system. They showed them how all of the vulnerabilities
were interconnected. The team delivered an actual life cycle of
vulnerabilities in the system as each impacted and led to the other.
More important, the event became a catalyst for a team-building
project. Individual managers saw that the only way to develop an
integrated approach to solving security problems was to work on
the entire network - the human as well as the computer - to think,
in short, as hackers think.
Hackers have that broad
perspective, according to Moss, because they've been doing what
they love for years. They didn't just decide to get interested in
security. Their shared passion and the bonds they've developed over
the years make the team cohesive. The network that connects them
to each other and to others still in the underground is the real
source of their power.
Security professionals
who try to stay abreast of developments simply by attending conferences
or following lists are always behind.
"Exploits become dangerous
in days, not weeks or months," said Fabro.
"By the time it's the
subject of a seminar, it's old news. We have identified exploits
for clients a few hours after they surface."
Their information is
current because they stay connected to the underground, a loose
self-regulating network, which they are constantly filtering for
new recruits. They want expertise but not aberrant behavior. They
keep one another accountable and have near-zero tolerance for mistakes.
This provides quality control and also intensifies the all-for-one-and-one-for-all
environment in which they thrive.
Because most of them
have been at it for years, the team has historical depth that conventional
businesses often lack.
"Someone may have been
in a large organization for just two or three years," says Fabro.
"They may not even know about the flaws in their numerous legacy
systems."
Sometimes a primitive
weapon is more effective than a smart bomb. The intrusion team once
carried out a massive attack on such an organization using war dialing,
coming in through back doors that were eight years old. That might
not have been attempted by someone who hadn't been inside the older
system and didn't know its weaknesses.
"Hackers tend to be very
focused and goal oriented," said George Jelatis, director of security
architecture services, and they expect their clients' enemies to
be equally focused. They share an appropriate paranoia with members
of the intelligence community.
Traditional business
people don't suspect everyone who walks in or try every single way
to get into a system. But hackers do.
"Social engineering,"
the exploitation of a trusting relationship to elicit information,
is often one of the weakest links in a company's defense. The trick
is to disappear into the background so completely that you show
up as if you belonged. It doesn't take complex hacking tools to
pull it off.
Rob Stonehouse, an information
security professional, used a piece of birthday cake.
Stonehouse rode the elevator
until he heard two employees discussing a birthday party. He asked
what floor it was on and arrived, smiling. "Is this the party?"
he asked, stepping onto a floor that required security clearance.
Given a piece of cake, he went to the coffee station and photocopied
company mail, gained access to the company's check printer, and
sat happily munching at a terminal with direct access to the company's
databases using default passwords.
Is it necessary to suspect
that everyone might be a spy?
Yes, says Ray Kaplan,
one of the "gray hairs" who emphasizes the depth of experience and
synergy among disciplines in the division. Kaplan thinks a lot of
companies that scoop up hackers and go into the security business
do not understand the kind of rigorous discipline necessary to manage
hackers and balance their culture with other cultures in the company.
"Older professionals can serve as hard headed mentors to the younger
hackers, bringing values, experience, and understanding to the mix."
The culture is a meritocracy
where technical expertise is valued. "It's half a skill set, half
a way of life," says John Sekevitch. "They don't value structural
authority so much as your ability to do the job. Yes, their skepticism
and questioning can border on paranoia, but that's precisely the
personality and mind-set we're trying to develop in our clients."
The professionals at
Secure cannot name clients or elaborate on successes but count
on clients to do it for them. They work mostly with organizations
that have lots to lose, like financial institutions and government
agencies. Their reputation is fifteen years deep with DOD and the
NSA.
The feedback when a client
breaks through to an aha! is often immediate. In one case, the intrusion
team hacked into a bank and found that an external router was vulnerable.
They bypassed controls to see the entire network, including internal
hosts, and immediately informed the client. Ten minutes later the
hole was plugged.
They often run into the
ego of a company. Working with an organization that was proud of
their expensive firewall, they discovered that a network that led
to the internal network was on the same network as the firewall.
Because it was misconfigured it was trivial to bypass the firewall
and go inside, where they copied documents, organizational charts,
and security badges, which they wore the next day to a meeting.
The client was not amused, but got the point.
The team does not like
to define its value simply in terms of intrusion. "We try to serve
as catalysts for change by illuminating the system," Jelatis said.
That way they can help clients broaden their vision and develop
solutions scalable to every level of the network.
"We were recently hired
to do a job," said Ulmer, "but the way they defined it
was not what needed to be done. We could have done what they asked,
but we wanted to deliver something of more value. We wanted to produce
a deliverable that made a difference. The client does not always
know how to define that without our assistance."
They see the entire world
as their play space, but it's not just grandiosity. "There's
no such thing anymore as being the best in only one country," Fabro
says. "Secure began as a division of Honeywell, founded and funded
by the NSA, which is nothing if not global. We have thought in terms
of the world since the beginning. Corporations like Bechtel - where
do they begin? what are the boundaries? The technology itself has
delivered the entire world as the space in which we must operate."
Turning anxiety into
excitement. Living on the edge. And late at night when a puzzle
they can't solve is driving them on, everyone in the lab brainstorming,
trying to define a security solution for a complex space, one of
them becomes aware suddenly that this select group, with its roots
in the past in the dark, is making a difference now and creating
value far beyond themselves, and just for a moment their
boundaries dissolve in the flow of energy and information flashing
through the system and they realize what an opportunity they have
been given.
Originally published
in Forbes Digital Tool, February 1999