Hacker school teaches the good guys
Published: 06 Aug 2002 09:33 BST
At a typical Wells Fargo branch in Seattle, employees and customers do business each day oblivious to a beehive of activity in the basement. There, five blue-walled rooms serve as makeshift classrooms for other tenants in the building who are light years from the world of banking: an organisation of some of the most talented computer hackers in the country.
As menacing as this juxtaposition might seem, the group insists that its work is harmless and, in fact, is dedicated to doing good. The founders of GhettoHackers, as the group is called, say its 30-odd members teach others how to crack security only to find flaws so that defenses can be hardened.
"The Ghetto are good guys. So I guess the way to look at us is (as) the boot camp for the people growing up to protect the world," said "Caezar," a 28-year-old security consultant and founding member, whose appearance -- which includes two spikes angling from his lip, as well as several body piercings -- might otherwise evoke unease in the buttoned-down culture one floor up.
GhettoHackers is one of several groups trying to change the way society views hackers, as stereotypical malcontents interested only in crashing systems, stealing credit cards and releasing computer viruses. While cybercrime arrests make headlines regularly, groups like GhettoHackers are aiming to help those curious about information security get hands-on experience without doing harm to others.
As unconventional as it may be, the underground school is serious about its curriculum. Homework assignments frequently mark up the white boards that face clusters of bean-bag chairs, making it look sort of like a clubhouse for adults.
"We've put a password file on the server," challenged a recent lesson on the boards. "Grab the file and run a password breaker against it."
To the several men and two women of GhettoHackers, this is "home." The hands-on approach appears to work.
"I'm learning more doing what I'm doing right now than I would in school," said one student, who goes by "Zsnark" because a more common moniker might undercut his credibility in this anarchical world. At 18, he's put college on hold to study security here.
The group's work was even more frenetic than usual this week as it prepared for Defcon, a controversial annual hacker convention that begins Friday in Las Vegas and that, in past years, has hosted people on the FBI's wanted list. Having won Defcon's "Capture the Flag" hacking tournament for three years running, GhettoHackers has been put in charge of the event this year and must act as its system administrator, keeping the network running despite rampant hacking activity.
The contest will stress the group's philosophy that hacking can be a positive act, especially for those still at an impressionable age.
Typically, two types of people are drawn to hacking: those who want to learn and those who want to express power over their environment.
Growing up, Caezar found himself flirting with the dark side. But after playing around with a telephone card scheme that let him make unlimited calls, a visit from two anonymous officials telling him to stop abusing the phone network scared him enough that he stopped. Now, he pegs himself as knowledge-driven and hopes to save like-minded hackers from his experience, or worse.
"It's hard to tell the difference between a police academy and a terrorist training camp if you don't know the social structure they are in," Caezar said, using the analogy to explain why many people fail to distinguish a "good" hacker from a "bad" one. "They both learn target practice and 'how do we defeat things that are coming at us?' These are things that are common between the good guys and the bad guys."
That philosophy can be seen in the development of young people like Zsnark, the newest member of the group. He is able to ask for help from experts on hand without getting the common "RTFM" dismissal (Read the F***ing Manual). "If I have a question, there is someone here that can answer it."
For the older members, it's a matter of legitimacy. Aside from some security consulting firms that employ them for their knowledge and ability to attract media attention, most reputable companies won't hire people who label themselves "hackers."
"Some people can make money off their name as a hacker. But most of the time, calling yourself one is a liability," said "md5," a 27-year-old member of the group and the chief executive officer of his own consulting firm. "Most companies don't care if you are into stamp collecting or rock climbing, but tell a client that you like to hack and they don't call you anymore."
Md5's company employs several of the young hackers he teaches, but he doesn't bring up their hobbies with clients who depend on them to secure their networks. Both activities are important to security, he said, "both knowing how to find weakness and how to secure information."
And both pursuits will be represented Friday at Defcon, which has become over the past 10 years a popular mainstream event attracting news media from around the world. For all its publicity, however, companies still don't understand that hackers are not necessarily malicious in nature or intent.
That's unlikely to change anytime soon, said Chris Wysopal, director of research and development for digital security firm @Stake.
"Ethical hacking means different things to different people," he said. "To some, it means hacking for security's sake. For others, it is more hacktivism. Then there is hacking for the pure pursuit of research."
Still, he respects GhettoHackers for trying to change the culture from within, as well as educate the public at large.
"The traditional way that a lot of hacking skills have been handed down is the apprentice-master way of teaching," said Wysopal, a one-time member of the Cambridge, Massachusetts, ethical hacking group known as The L0pht. "In that case, it's important for the people who are teaching to be teaching ethics as well."
Which is precisely what GhettoHackers is preaching.
"It's all about teaching the younger people by giving them access to the hardware that 10 years ago they would have been stealing," Caezar said. "We just help bring people up in what's a really freaky landscape right now."
Did you find this article useful?
35 out of 70 people found this useful
- Share this article:
