Hacking Culture and the Hunger for Knowledge

A Note About Se7en

These two interviews with Se7en were conducted and published when I was still giving Se7en the benefit of the doubt. I knew he stretched the truth when he described his life in a grandiose way but I took him at his word as to his hacking past. That was a mistake.

Subsequent events proved Se7en more adept at social engineering than at hacking. While he does credibly describe in these interviews one way that some hackers evolve, it is doubtful that he is talking about things he has done himself. Fact is, there's no way to know. But it is a fact that Se7en's subsequent claims to lead a vigilante posse online against internet pornographers evaporated into thin air. It simply never happened. So ... I was snookered.

As I said in "Stalking the UFO Meme on the Internet" ... let the buyer beware....

------

An Interview with Se7en: Part Two
By Richard Thieme

Se7en is out in the light and air now, up from seventeen years underground. He's one of the new variety of human being -- homo sapiens hackii -- who has learned from working with computers at every level, from code language to point-and-click, to think in ways that fit how computers organize information.

Se7en is on the road now, delivering seminars to technicians about hackers -- how they think, how they behave. He works with organizations that are favorite targets of hackers because of their work or status.

He speaks to groups of 30-50 people at a time, cross-disciplinary groups consisting of engineers, security personnel, administrators -- people who deal with the Internet on a daily basis. Naturally, they're concerned about security.

On his first round of talks, he discussed basic security, making his clients aware of what's out there. He helped them distinguish hackers in search of trophies from thieves working for governments and businesses.

On his second round of seminars, Se7en is focused on the details of security, the technical end. The technicians are set up in networks and shown how to scan their own services, searching their networks for security holes.

"Basically we set up our own network of fifteen machines and taught them how to break root, showing them how easy it was with UNIX. It was important for them to get hands-on experience, get the feel of it. We showed them how to grab a password file and run it through Crack. We introduced them to SYN flooding and explained the concept behind it. We showed them some of the scripts that are NOT available out there. We didn't launch an attack, because that would have been lethal, but we got them to the point from which they could launch it."

They set up encrypted Internet sessions and ran them through the whole gamut of hacker behaviors. It was all hands-on, technical training.

The engineers are learning a lot. They return to work more capable of securing their systems and also better equipped to talk to the managers who make decisions.

Se7en believes, as a result of his experience on the road, that the hands-on technical people who work on the front lines of the Internet and understand it are seldom promoted into management positions where decisions are made. So managers often lack experience on the front lines. Because they don't deal with the issues on a day-to-day basis, they often don't understand the problems brought to them. Ironically, that makes them hesitant to promote technical experts into management positions: doing so would leave no one to fix things when they break.

Se7en is seeing similar problems at all of the places he visits. Most come from outsiders scanning the system, port-sniffing, testing for vulnerabilities. It's a big inconvenience. The systems operated by multi-national corporations or government organizations are immense, incorporating numerous protocols and computers. They're too complicated for fledgling hackers to penetrate as a rule. Even more experienced ones have trouble getting in. That means that the ones who do break through are seriously talented hackers. The ones to watch are the ones you never hear about.

Se7en thinks hackers in the "visible underground" make an essential contribution to computing. He laughed at some of the conversation among technicians about firewalls, because he knows that systems always have holes.

Hacking organizations such as the L0pht, TNo, and the Guild (the current publishers of Phrack Magazine) release UNIX security vulnerability scripts to the public all the time. Their research into SecurID (a one-time password hardware product) and, most recently, the SYN flooder script have been devastating. Now they're looking into Windows NT. They promise results.

These genuinely "elite" groups have friendly script wars with one another. They compete to see who can release the most scripts the fastest. The L0pht in particular has promised to put out five new vulnerability scripts per week. They accumulate scripts, waiting until they have about a dozen, then drop them in one big bombshell.

Companies like Microsoft know, of course, that there are numerous holes in their operating systems, but don't know what they are. As applications are developed, working versions are periodically compiled for testers. The testers try to find as many bugs as they can, but the testing environment can never reveal the problems that will be found in the real world. A million people using Windows NT for a year will turn up bugs that a controlled environment will never find.

Mainstream hackers keep the global network as clean and secure as it can be kept. It's a yin yang kind of thing.

If hackers didn't know that and wanted to keep vulnerabilities from the companies themselves, they wouldn't release scripts publicly through so many different loops.

When the Guild discovered the SYN flood exploit and wrote the corresponding script for it, for example, they published it in Phrack, on the Internet, and in other magazines. That's not something a hacker would do if he's looking for a way to exploit the vulnerability.

The Network, then, including the Internet, is the REAL testing environment, and that's where groups like the L0pht are performing a valuable service. Either the holes will be found by groups looking for them and making them public or they'll be found by more dangerous crackers working behind the scenes.

Hard core crackers, engaging in serious crime and espionage, will not publish articles in 2600 or Phrack. That's why, Se7en says, you never hear of the people who do hard crime. When someone is forced to the surface, he says, it's always someone the underground has never heard of before. After years in the business, he knows the rosters as well as anyone.

Se7en described an intrusion of a particular server in detail, then went on to discuss the organizational response. He was not surprised when they responded the way Se7en and his friends responded when someone tried to mailbomb their list.

The organization asked them politely to stop their annoying activity, and when they didn't, they cut them off.

The best way to respond to nuisance intrusions is the legitimate way. Try to reason with the intruders, then talk to the systems administrators in charge of the computers they're using. Most often, the sysadmins don't know what's going on, and once they find out, they shut them down.

Se7en lived and worked in South Africa when he was younger and thinks the "official" (i.e. non-governmental) hacking scene is just coming alive.

South Africans have not generally had wide access to the Internet or hacking publications. Now everyone has access to hacker web sites, but Se7en thinks most of those are a waste of time -- links to other sites, doctrinal positioning, and a lot of old warez for "warez puppies" to download and use without creativity or insight. Contrary to the image of hackers as anti-social, Se7en is keenly aware of the social systems that keep the flow of information free and open -- frequent hacking conventions, mailing lists, magazines, and the vast informal network of contacts.

Some of the resources on the Net are useful, but the good ones are harder and harder to find. Se7en finds five or six useful web sites or mailing lists in a year, and he has to wade through a lot of garbage to get there.

But that's no different, he acknowledges, than the hours he spent sifting through trash in rubbish bins.

"Persistence!" he says, sounding like an experienced businessman. "Honestly, that's what it takes: Persistence. Doing it weekend after weekend after weekend, every Sunday night, going through the trash knowing that if you miss a week, that's the week when all the dial-ins for the switches are thrown away. Eventually you'll find some gold that you can use. The same thing goes for web searches. You have to wade through tons of garbage, but if you're persistent and just keep at it and at it and at it, eventually you'll find little gold nuggets here and there."

He has been impressed with the increasing number of South Africans interfacing with the mailing lists. They're connecting with people who have been hacking ten or fifteen years, he cautions. Naturally, with only one or two years experience, they have a lot of questions. He understands where they are -- he remembers being there himself -- but has some advice for those who encounter flames when they ask too many questions or the wrong ones.

Basic netiquette requires that you research thoroughly everything you can before you ask questions. RTFM. Read the fucking manual. Learn everything you can FIRST, and only when you're stuck, ask a question. Do your best to answer it yourself before putting it on a mailing list going to fifteen hundred people. Don't expect others to do your homework. Tell the list you tried to find the answer and couldn't. Don't just go out there saying, where can I find this or that? That's a sure way to get flamed.

In the end, it comes down to people, not technology.

Ultimately, Se7en says with a laugh, computer security is a hopeless pursuit. The Internet is just too big, too complicated, too specialized, for every system to be secure. Security is inconvenient, and inconvenience makes people uncomfortable. It's always a trade-off between convenience and security. The moment you allow legitimate users onto a site from outside the system, you're doomed. All someone has to do is duplicate what that legitimate user is allowed to do.

The weakest link in any chain is and always has been people.

"You can have the most secure system in the world, and if I call up and pretend to be from the help desk and ask for your log-in password, and you give it to me, then the best security in the world won't help you. If you don't know anything about computers, and don't know that the System Administrator never needs to know your password, how can you know if someone's conning you?"

It comes down, Se7en says, to awareness and accountability -- managers who understand the real issues and insist on accountability throughout the system for knowledge about the network and procedures that must be followed. Without that, all it takes is a little "social engineering" and the most expensive firewall won't mean a thing.

1996


©2001 Richard Thieme. All Rights Reserved.