Back To Main                                          

                                                       

The Code of the Hacker
Those Who Broke In When The Web First Was Spun Say
'Script Kiddies' Are Ruining Their Image

By Libby Copeland
Washington Post Staff Writer
Friday, February 18, 2000; Page C01

Sometimes when he's playing pool, the answers come.

He gets a Bass Ale and a cue. He and his roommate play this complicated version--instead of predicting the next shot, each has to predict the next three shots--and as the white ball spins and Jeff Fay racks up points, he gets these epiphanies.

Like, how to crack a certain e-commerce site. Say a hacker intercepted a customer making purchases at an Internet commerce site, and he wants to figure out the password that would let him sneak into the system and access the company's financial information. He's got a computer hooked up to run all the possible passwords in hopes of finding the one, but the process takes so darn long, the customer will probably log off before the hacker cracks the code.

Here's where Jeff Fay's revelation comes in. What if the interloper could inject a packet of information that would temporarily pause the connection between the customer and the company? Through a series of these pauses, the hacker could slow the customer's transaction--possibly buying himself enough time to crack the code.

Voila.

"I think it's fairly elegant," Fay says, the dimple on his right cheek twinkling as he stands by his gray office cubicle in Reston. He's flush with pride, even though he'll never carry out this scheme. It's just the way his mind works: He loves a puzzle; he loves math. He takes pleasure in having a fast, tensile mind. He finds a nice piece of code aesthetically satisfying.

All of which makes the denial-of-service attacks that hit Yahoo, CNN, E-trade and other sites last week particularly abhorrent to him.

"A bunch of script kiddies flexing their muscles," Fay says, his disdain evident. There's little commonality between true hackers and "the14-year-old who can't spell Windows NT."

Fay considers himself a true hacker. His work, he says, derives from technical expertise and creative inspiration. He and others, who came of age in the early- and mid-'90s, when the Internet was still nascent, see a gulf between themselves and younger Net newbies, who don't seem to respect the technology.

Those "script kiddies." You know the stereotype: the lonely, acne-encrusted teen with little technical skill but plenty of vengeance who uses tools written by others to muscle into Web sites. Fay and others scoff when folks call these kids "hackers." The culprits in last week's Web  attacks may or may not fit this description. The motive could have been political, rather than adolescent thrill-seeking, and experts quibble over the culprits' technical expertise. But many hackers say a great amount of Internet vandalism is juvenile stuff, the equivalent of picking a
sprung lock.

The beauty of hacking is lost on these low-level intruders, Fay says. Fay  himself earned his street credibility by dabbling in underground ("black hat") hacking in college, and now, as a "white-hat" hacker, he earns money defending the security of Web sites and software.

His complaints sound like the familiar tale of one generation denigrating the next, except he is only 24--not much older than the kids he scoffs at. But generational differences can develop in just a few years in the collapsed chronology of the cyberworld. This is about the old--no, older--hackers vs. the new.

Hacking is not a phenomenon of the Internet age. In his 1984 book, "Hackers: Heroes of the Computer Revolution," Steven Levy writes of the original computer hackers, MIT University students who in the late '50s and early '60s secretly infiltrated an IBM mainframe to learn its inner workings. Their definition of the hack--"imbued with innovation, style, and technical virtuosity," as Levy writes--formed the intellectual soil upon which Internet age hacking would grow.

A fine mind and a criminal intention are not mutually exclusive. Some good hackers have also been good thieves. In 1994 a Russian hacker transferred millions of dollars out of Citibank into various accounts. Last year a hacker (also Russian) stole credit card numbers off a music retailer's site and tried to ransom them.

There have also been plenty of politically motivated attacks, not the least of which may have been last week's. Bruce Sterling, one of the early chroniclers of hacker culture, says the Yahoo bombardment takes a page from '60s dissidents like Abbie Hoffman, who once dropped money onto the floor of the New York Stock Exchange. The brokers dove for the money. It proved, to Hoffman, their crass materialism.

Nevertheless, Sterling adds, in terms of technical expertise, last week's attacks were "as dumb as a bag of hammers."

"Most of the attacks tend to be not really highly sophisticated," says Elias Levy, chief technology officer with SecurityFocus.com, a West Coast company. As for motivation, Levy says, "most of the attacks tend to be for pure acceptance within the hacker community. Sadly, a lot of the time the political message is only an afterthought."

It's not surprising that the hacking culture is changing. In the early '90s, those who had access to the developing Internet were often university students with connections to computer science. Nowadays, the pool of Internet users is far greater, and, as Sterling points out, unfettered access  to the Internet is the province of middle- and upper-class teenagers.

Once, says Jeff Moss, who runs the West Coast hacker conventions DefCon and Blackhat, hackers were a community. There was a give-and-take. There were relationships. "Nobody would share information with you if you didn't share information back," he says. "Now the problem is, knowledge isn't being traded as little tidbits. It's available for free, and so there's no natural screening process. And there's no socialization."

Imagine. Hackers--who usually seem to operate outside the law--preaching socialization and all its implications: responsibility, ethics.

This is a familiar plot: The aristocracy crumbles when the gates open and commoners rush in. In the words of Jim Thomas, a professor at Northern Illinois University who also runs an online journal of the computer underground, you "have a diversity of people, and unfortunately they begin to reflect the general population much more. You get your bozos."

There's no denying that hackerdom has long offered a mystique, and mystique is the equivalent of catnip for teenagers. To be righteous, misunderstood and powerful--that amounts to glory in the adolescent world.

So, to amend a phrase from the ever-popular show, "Who Wants to Be a Hacker"?

Check the search engines. The Web is rife with Net newbies begging, "Teach me how to hack." Among the letters to the editor in the latest issue of the online hacker magazine Phrack, they plead:

"Hi, I am a wannabe hacker . . . Where will i find material describing typical methods to test the systems for security[?]" Or, "i'm a future hacker to be for now i need info about a free server." Or, "I found my schools dial-up and I want you guys to try and hack it if you can . . . [Mess] it up as much as possible please!"

When they do acquire tools, they often deface Web sites, leaving messages complete with misspellings, expletives and shout-outs that are reminiscent of early '80s graffiti wars.

The paradox is that true hackers have provided the entry into this vandalism. "Gray hat" hackers, like the legendary group L0pht, which has now joined with the security firm @Stake in Cambridge, Mass., have frequently posted scripts that others used to break into Web sites. Jeff Fay himself has poked around for software bugs and posted them publicly--a common practice among hackers.

Critics say this is like breaking into someone's house and leaving the door open, while robbers mill about on the street outside. But like most true hackers, Fay abides by the dictum "information wants to be free." Hackers, he says, do everyone a favor by pointing out soft spots and putting pressure on otherwise lax security administrators or software creators to fix things.

"The people who are developing attacks and posting them, I don't consider them evil," he says. "They're really doing quality control," he says. In any case, many hackers say all of this is peripheral to their original intention. In the beginning, says Brian Martin, who is an editor with the  hacker site attrition.org, "the whole goal [of hacking] was not to be discovered. . . . To go in, figure out how a system worked, and leave, just as quietly." The purpose was understanding.

Fay understands these ambiguities. He's working for Infrastructural Defense, a company that provides Internet security. He and many of his hacker friends are now paid to hunt for vulnerabilities on behalf of their clients, and to fix them. On a shelf in his cubicle, he keeps "Cryptography" and "Applied Cryptography."

But he knows his roots originate in a smaller, more elite--and perhaps disappearing--society of hackers. Atop his wispy blond hair he wears a black cap that reads "2600," the name of a well-respected online hacker magazine. He also wears a hacker T-shirt that sarcastically reads, "I {heart} Feds."

Until, that is, he finds out that someone wants to interview him, and he dashes home to Kingstown to change into a plain white turtleneck. As if to reinforce the legitimacy of his art.

© Copyright 2000 The Washington Post Company