NETCOM HACKING NEWS

Tuesday, September 30, 2008

Hacker Interview (IBM's Dr. Charles Palmer)

Q&A with IBM's Charles Palmer

Dr. Charles C. Palmer is the manager of Network Security and Cryptography and head of the Global Security Analysis Lab, which includes IBM's ethical hacking unit.

1. How do you define hacking?

Hacking is unauthorized use of computer and network resources. (The term "hacker" originally meant a very gifted programmer. In recent years though, with easier access to multiple systems, it now has negative implications.)

2. Are there appropriate forms of hacking?

Hacking is a felony in the United States and most other countries. When it is done by request and under a contract between an ethical hacker and an organization, it's OK. The key difference is that the ethical hacker has authorization to probe the target.

3. What do you and the other members of your team do?

(We) work with IBM Consulting and its customers to design and execute thorough evaluations of their computer and network security. Depending on the evaluation they request (ranging from Web server probes to all-out attacks), we gather as much information as we can about the target from publicly available sources. As we learn more about the target, its subsidiaries and network connectivity, we begin to probe for weaknesses. Examples of weaknesses include poor configuration of Web servers, old or unpatched software, disabled security controls, and poorly chosen or default passwords. As we find and exploit vulnerabilities, we document if and how we gained access, as well as if anyone at the organization noticed. (In nearly all the cases, the Information Syhstems department is not informed of these planned attacks.) Then we work with the customer to address the issues we've discovered.

4. What is the background of the people on your team?

We have Ph.D.s in physics, computer scientists, and even one former photographer with a fine arts degree. They are all well-known, highly respected system security professionals from around the world. Most of them did not start their careers in this area, but ended up doing computer and network security because they were provoked by hackers at one time. Once they started on the road to improving security, they got hooked on the challenges it presents.

5. In "Helpful Hacking" from IBM Research magazine in 1997, you are quoted as saying you don't hire reformed hackers and "there's no such thing." Could you explain?

The number of really gifted hackers in the world is very small, but there are lots of wannabes.... When we do an ethical hack, we could be holding the keys to that company once we gain access. It's too great a risk for our customers to be put in a compromising position. With access to so many systems and so much information, the temptation for a former hacker could be too great -- like a kid in an unattended candy store.

6. Is it fair to say that you are opposed to hacking?

As I said before, hacking is a felony -- for good reason. Some of the "joyriders" -- hackers who access systems just for the challenge -- think it's harmless since they usually don't "do" anything besides go in and look around. But if a stranger came into your house, looked through everything, touched several items, and left (after building a small, out of the way door to be sure he could easily enter again), would you consider that harmless? These joyriders could be causing damage inadvertently since just by their presence they are using system resources.

7. Do you think hacking can be useful?

Hacking can be useful in a controlled environment where there are ground rules and contractual agreements.

8. Do you have a profile of the typical hacker?

The profile has broadened in the last couple of years to include many types of people, which makes it very difficult to call out a "typical" hacker. The motivations behind hacking have changed (see Answer No. 11 below). No longer are hackers limited to the teen-age, soda-slurping misfits, although they're probably the majority. There are girls and even younger kids. Many companies think all hackers come from outside, but surveys continue to show that the threat from inside an organization is greater than from outside. So if your system is compromised, it could be a Gen-Xer sitting in a dark apartment, or the woman in the cubicle next to you.

9. There have been reported instances where corporate security personnel have tracked hacking back to the source, broken in and stolen computers, or even used force. Do you endorse "vigilantism" as a response to hacking?

I've heard those stories, too, and I don't believe most of them. It makes zero sense to respond to an illegal attack with another illegal attack. First of all, it can be very difficult to accurately determine where an attack comes from. Whether they end up retaliating against the right or wrong person, they've committed a felony and are just as guilty as the original perpetrator. It's no different than other forms of vigilante justice.

10. What about attacking Web sites that list hacking scripts?

Again, any attack is a felony. It's a First Amendment rights issue as well. Where do you draw the line? Attacking adult sites? Attacking spammers? It makes more sense for corporations, schools and other organizations to try to block access to those sites.

11. Can you characterize the nature of most hacking attacks?

A few years ago, the original motivations were pursuit of knowledge and the desire to "show off" one's skills. Now, there are new lures of money and power. However, the statistics can be misleading, so many of these incidents go unreported due to lack of detection or fear of further losses due to tarnished image and credibility.

I believe that the majority of hacks are still motivated by curiosity and a desire to point out system weaknesses. However, as organizations have been finding, most of today's threats come from within the organization. According to a recent META Group study, current figures indicate that recent breaches of security within Information Technology organizations occur internally 58 percent of the time. The threat from the outside is rising at a steady rate, though.

12. Is there a trend in these attacks?

Denial-of-service attacks and macro-viruses are the most popular hacker activities. The denial-of-service attacks are fairly easy for hackers of all skill levels -- from "script-kids" to professionals -- to launch. This is a situation where a company's Web site or online service is simply made unavailable by a hacker overtaxing the system resources. It doesn't sound that harmful, but there can be serious monetary and image losses attached to this. If you want to buy a book and you go to a popular book-selling Web site and find that site unavailable, chances are you'll try the next most popular book Web site. There's simply too much competition on the Internet right now to overlook security needs. These denial-of-service attacks are particularly troubling because they are hard to defend against. There are defenses available with firewall products from IBM and other companies, but there can be denial-of-service attacks from inside as well, which lends credence to the argument for Intranet firewalls.

13. Where does the real threat of hacking lie: in the private sector, in government or somewhere else?

The widely reported attacks against government sites are troubling, but it's a good bet that the government would not have any sensitive information on a machine connected to the Internet. An unfortunate side effect of these reports is that people end up thinking that securing systems and networks is hard. It's not hard, but it does take time and training, and it's an ongoing process to stay one step ahead of the bad guys.

Corporate espionage is also a threat, but not in the glamorous way portrayed in the movies. There, the threat is from the inside. There have been many reports of employees purposely sending proprietary information outside the company to other companies, perhaps just before they themselves move to that company. The greater connectivity that employees have today also leads them to inadvertent leaks via e-mail.

14. To what extent is cyberterrorism a genuine concern?

There is little motivation for industrial control systems like those running nuclear plants or airports to be on the open Web. They may have dial-up access or private networks within the organization that would be susceptible to attack from the inside. IBM has found that it can be quicker and cheaper to attack a target physically, rather than digitally -- we've nonchalantly walked into businesses, snooped around, and walked out with confidential material (once with the security guard holding the door for us!). And there are many examples of unfortunate accidents that resulted in very effective "attacks." The most common example is the "backhoe attack," where an errant heavy-equipment operator accidentally cut a communications cable.

... I don't think we are "at war," because in this problem the enemy includes ourselves. We view it more as a race -- we're all trying to stay a few steps ahead of the threats ... through improved education and technology. ... The good news is that people are thinking about these issues, and some groups appear to be taking action.

15. What about responses such as the recent Pentagon counteroffensive that redirected hackers' attack to an applet that caused their browsers to crash? Is that an appropriate response to hackers?

Anytime you acknowledge the hacker, you run the risk of heightening his or her interest. If you change the game from solitaire to a real poker game with human opponents, it becomes more interesting to most hackers. Such retaliation is also short-lived, since countermeasures will quickly be developed and publicized around the Web. In my opinion, this is not an effective usage of limited security personnel.

16. Are anti-hacking measures improving?

The most important improvement is in the area of awareness. ... Advances in firewall technology (making them easier to install and configure), improvements in vulnerability scanning and better explanations of how to repair them, and better intrusion-detection with fewer false-positives are all key technologies in this race.

17. If attacks can only take place on computers that are online, to what extent could hacking be mitigated by keeping sensitive materials, data, etc., offline?

One of my colleagues at IBM likes to say, "only trust physics." My version is that the only 100 percent, truly secure system is one that is powered-off and filled with concrete. The military has long understood the security of an "air gap" (where a secure machine has no connection whatsoever to an unsecured machine), and we recommend to our customers that they consider such an arrangement for their most secure systems. This comes down to risk-analysis -- that is, weighing the cost in convenience and availability against the threat of having a system online.

If it's important to ... your business to have data available online inside the company, then protecting it with an internal firewall makes sense. ... If you have a Web server you want your customers to access, you can't hide it behind your corporate firewall because they won't be able to get to it. There are network designs that will enable you to position the Web server on the "outside," while securely maintaining a connection between it and, perhaps, a server behind the firewall.

18. What is the long-term outlook for hacking?

As long as there are unsecured computers with interesting stuff on them, there will be hackers. Law enforcement agencies have stepped up their facilities and training programs to meet the demand for computer and network security.

Moving toward technologies that use strong encryption will greatly improve the overall security of systems. Virtual Private Networks are a fantastic tool for companies and governments to protect their systems and networks while taking advantage of the low-cost, high-availability offered by the Internet. Internet standards bodies are also moving toward designing security into new standards.

Most kids today know much more about computers than their parents do, and some start "messing around" at earlier ages than in the past. The best thing we can do is to show them how interesting it can be to work at protecting systems and networks.

19. What about the outlook for computer security?

While better security technologies are appearing all the time, education and awareness will continue to be the limiting factor. System administrators must learn about and maintain their systems securely. Users have to understand their security responsibilities (like choosing good passwords, not installing unauthorized modems, etc.). ... Innovations like biometrics and smart cards will go a long way toward making security easier for the end user as well as for the system administrators.

Hacker Interview (Emmanuel Goldstein)

Q&A with Emmanuel Goldstein of 2600: The Hacker's Quarterly

Emmanuel Goldstein is the editor-in-chief of 2600: The Hacker Quarterly and hosts a weekly radio program in New York called "Off the Hook."

1. How do you define hacking?

Hacking is, very simply, asking a lot of questions and refusing to stop asking. This is why computers are perfect for inquisitive people -- they don't tell you to shut up when you keep asking questions or inputting commands over and over and over. But hacking doesn't have to confine itself to computers. Anyone with an inquisitive mind, a sense of adventure and strong beliefs in free speech and the right to know most definitely has a bit of the hacker spirit in them.

2. Are there legal or appropriate forms of hacking?

One of the common misconceptions is that anyone considered a hacker is doing something illegal. It's a sad commentary on the state of our society when someone who is basically seeking knowledge and the truth is assumed to be up to something nefarious. Nothing could be further from the truth.

Hackers, in their idealistic naiveté, reveal the facts that they discover, without regard for money, corporate secrets or government coverups. We have nothing to hide, which is why we're always relatively open with the things we do -- whether it's having meetings in a public place or running a system for everyone to participate in regardless of background. The fact that we don't "play the game" of secrets also makes hackers a tremendous threat in the eyes of many who want to keep things away from the public.

Secrets are all well and good, but if the only thing keeping them a secret is the fact that you say it's a secret, then it's not really a very good secret. We suggest using strong encryption for those really interested in keeping things out of the hands of outsiders. It's interesting also that hackers are the ones who are always pushing strong encryption -- if we were truly interested in getting into everyone's personal affairs, it's unlikely we'd try and show them how to stay secure. There are, however, entities who are trying to weaken encryption. People should look toward them with concern, as they are the true threat to privacy.

3. What in your mind is the purpose of hacking?

To seek knowledge, discover something new, be the first one to find a particular weakness in a computer system or the first to be able to get a certain result from a program. As mentioned above, this doesn't have to confine itself to the world of computers. Anyone who's an adventurer or explorer of some sort, or any good investigative journalist, knows the feeling of wanting to do something nobody has ever done before or find the answer despite being told that you can't. One thing that all of the people involved in these endeavors seem to share is the feeling from outsiders that they're wasting their time.

4. Are you a hacker? Why? Or why not?

Absolutely. It's not something you can just erase from your personality, nor should you want to. Once you lose the desire to mess around with things, tweak programs and systems, or just pursue an answer doggedly until you get a result, you've lost a very important part of yourself. It's quite possible that many "reformed" hackers will lose that special ingredient as they become more and more a part of some other entity that demands their very souls. But for those who can resist this, or figure out a way to incorporate "legitimacy" into their hacker personalities without compromising them, there are some very interesting and fun times ahead.

5. What kind of hacking do you do?

My main interest has always been phones and rarely does a day pass when I don't experiment in some way with a phone system, voice mail system, pay phone, or my own telephone. I've always been fascinated by the fact that we're only a few buttons away from virtually anyone on the planet and I hope that I never lose that sense of marvel.

One of the most amazing things I ever got involved in was routing phone calls within the network itself -- known as blue-boxing. You can't do that as easily any more, but it was a real fun way to learn how everything was connected -- operators, services, countries, you name it. And in the not-too-distant past, there were so many different sounds phones made depending on where you were calling. Now they tend to be standardized rings, busies, etc. But the magic hasn't disappeared, it's just moved on to new things ... satellite technology, new phone networks and voice recognition technologies.

Many times these new technologies are designed by the very people who were hacking the old technologies. The result is usually more security and systems that know what people will find useful. While I've spent a great deal of time playing with phones, I get the same sense of fun from computer systems and have invested lots of time exploring the Internet. It would fill a book to outline all of the hacker potential that exists out there. And, of course, there's radio hacking, which predates a lot of the current technology. It's gotten to the point where simply listening to a certain frequency has become a challenge. It's hard to believe that it's actually turned into a crime to listen to some of these non-scrambled radio waves. But this is the price we pay when people with no understanding of technology are the ones in charge of regulating it.

6. How much time do you spend at it a week?

That's like asking how much time you spend breathing. It's always with you, you do more of it at certain times, but it's always something that's going on in your head. Even when I sleep, I dream from a hacker perspective.

7. Do you have a certain kind of site or "target" sites that most attract you?

We don't sit around with a big map and a list of targets. In fact, we don't even sit around together. Most hacking is done by individuals who simply find things by messing around and making discoveries. We share that info and others add input. Then someone tells the press and the government that we're plotting to move satellites and all hell breaks loose.

I think most of us tend to be drawn to the sites and systems that are said to be impossible to access. This is a normal human reaction to being challenged. The very fact that we continue to do this after so many of us have suffered so greatly indicates that this is a very strong driving force. When this finally becomes recognized as a positive thing, perhaps we'll really be able to learn from each other.

8. What, in general, do you think attracts people to hacking?

People have always been attracted to adventure and exploration. Never before have you been able to get this without leaving your house and without regard to your skin color, religion, sex, or even the sound of your voice. On the Internet, everyone is an equal until they prove themselves to be a moron. And even then, you can always start over. It's the ability to go anywhere, talk to anyone, and not reveal your personal information unless you choose to -- or don't know enough not to -- that most attracts people to the hacker culture, which is slowly becoming the Internet culture.

We find that many "mainstream" people share the values of hackers -- the value of free speech, the power of the individual against the state or the corporation, and the overall sense of fun that we embrace. Look in any movie where an individual is fighting a huge entity, and who does the audience without exception identify with? Even if the character breaks the rules, most people want him/her to succeed because the individual is what it's all about.

9. Do you know enough hackers personally to know what personality traits they share, if any?

Hackers come from all different backgrounds and have all kinds of lifestyles. They aren't the geeks you see on television or the cyberterrorists you see in Janet Reno news conferences. They range in age from under 10 to over 70. They exist in all parts of the world, and one of the most amazing and inspiring things is to see what happens when they come together. It's all about technology, the thrill of discovery, and sharing information. That supersedes any personality issues that might be an issue in other circumstances.

10. Do you think hackers are productive and serve a useful purpose?

I think hackers are necessary, and the future of technology and society itself (freedom, privacy, etc.) hinges on how we address the issues today that hackers are very much a part of. This can be the dawning of a great era. It can also be the beginning of true hell.

11. What percentage would you say are destructive as opposed to those in it out of intellectual curiosity or to test their skills?

This raises several points that I feel strongly about. For one thing, hacking is the only field where the media believes anyone who says they're a hacker. Would you believe someone who said they were a cop? Or a doctor? Or an airline pilot? Odds are they'd have to prove their ability at some point or say something that obviously makes some degree of sense. But you can walk up to any reporter and say you're a hacker and they will write a story about you telling the world that you're exactly what you say you are without any real proof.

So every time a movie like "Hackers" comes out, 10 million people from AOL send us e-mail saying they want to be hackers, too, and suddenly, every 12-year-old with this sentiment instantly becomes a hacker in the eyes of the media and hence, the rest of society. You don't become a hacker by snapping your fingers. It's not about getting easy answers or making free phone calls or logging into someone else's computer. Hackers "feel" what they do, and it excites them.

I find that if the people around you think you're wasting your time but you genuinely like what you're doing, you're driven by it, and you're relentless in your pursuit, you have a good part of a hacker in you. But if you're mobbed by people who are looking for free phone calls, software or exploits, you're just an opportunist, possibly even a criminal. We already have words for these people and it adequately defines what they do. While it's certainly possible to use hacking ability to commit a crime, once you do this you cease being a hacker and commence being a criminal. It's really not a hard distinction to make.

Now, we have a small but vocal group who insist on calling anyone they deem unacceptable in the hacker world a "cracker." This is an attempt to solve the problem of the misuse of the word "hacker" by simply misusing a new word. It's a very misguided, though well-intentioned, effort. The main problem is that when you make up such a word, no further definition is required. When you label someone with a word that says they're evil, you never really find out what the evil was to begin with. Murderer, that's easy. Burglar, embezzler, rapist, kidnapper, all pretty clear. Now along comes cracker and you don't even know what the crime was. It could be crashing every computer system in Botswana. Or it could be copying a single file. We need to avoid the labeling and start looking at what we're actually talking about. But at the same time, we have to remember that you don't become a hacker simply because you say you are.

12. Do people stay in hacking a long time, or is it the kind of thing that people do for a few years and then move on to something else?

It can be either. I tend to believe that it's more of a philosophy, a way of looking at something. When you have the hacker perspective, you see potential where others don't. Also, hackers think of things like phones, computers, pagers, etc., as toys and things to be enjoyed whereas others see work and responsibility and actually come to dread these things. That's why hackers like to hold onto their world and not become part of the mainstream. But it certainly can and does happen.

13. What is the future of hacking?

As long as the human spirit is alive, there will always be hackers. We may have a hell of a fight on our hands if we continue to be imprisoned and victimized for exploring, but that will do anything but stop us.

14. Given increased attention to corporate and government security, is it getting tougher to hack or not?

Hacking isn't really about success -- it's more the process of discovery. Even if real security is implemented, there will always be new systems, new developments, new vulnerabilities. Hackers are always going to be necessary to the process and we're not easily bored.

15. Is the possibility of being identified and even prosecuted an issue for most hackers?

Hackers make very bad criminals. This is why we always wind up being prosecuted. We don't hide very well or keep our mouths sealed shut to protect corporate or government interests. But the same security holes would exist even if we weren't around, so I think the hackers should be properly seen as messengers. That doesn't mean that you should expect them to just hand over all of their knowledge -- it's important to listen and interpret on your own, as any hacker would.

16. Are there hackers who are up for hire? What are they paid? Who hires them, and for what?

Just as you can use hacker ability to attain a life of crime, you can use that ability to become a corporate success. Some are able to hold onto their hacker ideals. Others, sadly, lose them. It's especially hard when young people who haven't worked it all out yet are approached and tempted with huge amounts of money by these entities. It can be very hard to resist and the cost is often greater than anticipated.

17. Have you had any contact with people you consider cyberterrorists? Do you endorse what they do?

In all of the time I've been in the scene, which is a pretty long time, I've never come across anyone I consider to be a "cyberterrorist," whatever that is. Most people who talk of such creatures either have something to sell or some bill to pass. This is not to say that such a concept is impossible. But I believe the current discussions aren't based in reality and have very suspicious ulterior motives.

18. What about the people who hack into Pentagon sites? Do you think they should be punished?

According to the Pentagon, there is no risk of anything classified being compromised because it's not on the Internet. If they were wrong, I would like to see someone prove that. If a non-classified site is hacked, I don't see the harm unless something is damaged in some way. Remember, the security hole was already there. If a hacker finds it, it's far more likely the people running the system will learn of the hole. If a criminal or someone with an ulterior motive (espionage, etc.) finds the hole first, it's likely to remain secret for much longer and the harm will be far greater.

While you may resent the fact that some 14-year-old from Topeka proved your security sucks, think of what could have happened had you not learned of this and had someone else done it instead. I'm the first to say that people who cause damage should be punished, but I really don't think prison should be considered for something like this unless the offender is a true risk to society. The great majority of these cases do not involve damage or vandalism, a fact that largely goes unreported. What people have to remember is that most of the time, this is simply an example of kids being kids and playing games like they have always done.

Obviously, the tools have changed, but that's really not something the kids are responsible for. If some kid somewhere can access your medical records or your phone records, he or she is not the one who put them there. The true violator of your privacy is the person who made the decision to make them easily accessible.

19. Your real name is Eric Corley. Why do you use the name Emmanuel Goldstein?

I believe everyone should be given the opportunity to name themselves. That name should reflect something about who you are and what you believe in and stand for. Emmanuel Goldstein is that for me, and for those who want to learn why, get a copy of George Orwell's "1984" and see for yourself. Interestingly, our first issue of 2600 was published in January 1984. A complete coincidence.

'South Park' Trojan Horse can create e-mail storms

(IDG) -- A Trojan Horse dubbed "South Park" that made its first appearance on the Internet last June is on the loose again, antivirus software vendors warned last week.

The Trojan Horse spreads by sending itself as an e-mail attachment to all the addresses listed in a user's Outlook Express program. It attempts to do this every 30 minutes, and has the potential to cause storms of e-mail that can clog up company's network, the vendors said.

The attachment contains an icon of the character Kyle from the cult cartoon series "South Park," and will appear as though it has come from someone known to the recipient, vendors said.

The Trojan Horse has been reported on Windows NT and 9x machines at dozens of large corporations, government organizations, universities and Internet companies, primarily in the U.S. but also in Asia and Europe, said Martin Skov, a product-marketing manager with Network Associates' McAfee software division.

Known as W32/Pretty.worm.unp, the Trojan is a variant of the W32/PrettyPark.worm that first surfaced last June and has been dormant for the most part ever since. The new variant differs in that it is not compressed, which made it a little harder to detect initially, Skov said.

The Trojan Horse may also try to connect to an Internet relay chat server, and could potentially use the connection to get information such as the computer name and registered owner, as well as dial up networking and user names stored on that computer, Skov said. Network Associates hasn't received a report of that happening yet, he added.

While its payload isn't considered too severe, in the sense that it doesn't delete data, antivirus vendors upgraded their rating on the Trojan Horse from medium to high risk, primarily because of its ability to spread quickly and clog networks. Network Associates received 70 reports of it in the first four days of the week, compared with 150 reports in the prior two-week period. The company first discovered it in mid-February.

"It's not limited to one industry sector; it's hit pretty much across the board," Skov said.

The number of reports subsided somewhat and Network Associates hopes to downgrade it to medium risk soon, Skov said. Network Associates has classified seven Trojan Horses and viruses as high risk in the past year, he added.

Outlook Express users should be aware of e-mails that carry the subject line, "C:/coolprogs/prettypark.exe." File attachments are called "Pretty park.exe" and in some cases "Pretty~1.exe."

Scenes From a mall (Friday Night)

Friday night by the Cinnabon with the 'hacker underground'

The following is an account of an informal, public meeting of self-described hackers. This article is an account of the event, not an endorsement of hacking.

It's Friday night, and the hackers are out. At the mall.

The Atlanta chapter of 2600, a loosely knit international organization of self-described hackers, meets in the food court of Lenox Square, a huge Atlanta shopping mall. Their meetings are planned and publicized -- first Friday of the month, some time between 6 and 8 p.m.

Few of the 20 or so participants at this meeting refuse to be photographed, though all give their online handles rather than real names. That's not just because there's a reporter present; it's par for the course.

"Some of these guys know my real name, some don't," shrugs Low Tek, one of the more outspoken members of the group.

The group looks like it could be in a high school or college cafeteria: its members are overwhelmingly young, and they come in a variety of shapes, sizes, clothes and hair lengths. JLee, a visitor from Chattanooga, has spiky, fuschia hair. Squirrel, a tall, heavyset young man, wears a T-shirt with an anatomically explicit photo of a squirrel. Several have piercings, but nothing particularly startling.

If this does not fit your notion of hackers, that's part of the point. The consensus among the 2600ers is that the mass media -- and people who get their information from the mass media -- Just Don't Get It. Press coverage is "more to scare you than it is to inform you nowadays," Low Tek says.

Aside from "They Just Don't Get It," there are few points of universal assent among hackers. This is an anarchic, argumentative group, the atmosphere polite but contentious. The first of many arguments, and the first of many to remain unresolved, is over the fundamental question of what a hacker is.

'A bunch of different meanings...'

"The word 'hacker' has a bunch of different meanings," one participant says. A bunch of different meanings are then offered.

"Most hackers in the scene today are ... White Hats," one says. "They don't break into systems."

"That's bull----," counters JLee. "Hacking is hacking. Hacking means breaking into systems."

Whatever a hacker is, the consensus is that a "hacker ethic" exists. Hackers are driven by curiosity, exploring computers the way kids climb over fences. "Hacking, at its basic level, is the pursuit of knowledge," Dos Spider says. "How does it work?"

In the broadest sense, "hacking" means digging for information in ways the holders of information never intended -- JLee mentions Abbie Hoffman's "Yippies" of the 1960s as an influence. The hacker is an ordinary person who, for once, has an advantage over the system -- "It's someone watching the watchers, basically," says Empress.

But hacking, they say, is not stealing; there's a general scorn for computer criminals who abuse the knowledge developed by "real" hackers. The people who break into machines to steal are often labeled "Black Hats" -- though, again, there's no consensus on the definition.

Social engineering: Are you being hacked?

Several of the hackers mention "social engineering," a high-tech name for the ancient process of asking questions. "When I talk to you, and I get you to say information, I'm hacking your brain," Low Tek says. "When you shook my hand, I was social engineering you."

"Uh-oh, you've been hacked," a bystander laughs.

"The only true form of hacking that's still going to be here when computers come to an end is social engineering," Low Tek says. "There's always going to be a weak link in the chain -- it's always going to be operated by a human."

Lithium says credit card security, a common worry on the Internet, is an illusion even for those who don't own a computer.

"If someone wants to get your credit card information, they're going to get it, whether you like it or not," says Lithium, one of the youngest-looking members of the group.

"It is scary," he says, though he seems more resigned than frightened.

Who's watching the hackers?

The philosophy that information is inherently insecure breeds an odd sort of paranoia -- not the fear of being watched, but a near-certainty.

Throughout the meeting, rumors surface: People spotted lurking nearby are recognized from past meetings and marked as plainclothes mall security, local police or even feds. 2600ers have become more attentive to such signs since The Incident.

The Incident, as it is called, was a 2600 meeting whose participants were hassled by security and run out of the mall, accused of trading pornography. "Some people today believe that it was a way to get pictures [of group members], or a way to get names," Low Tek says. "Other people just think it was a misunderstanding."

There's a strong sense of hacker history here, a belief that the best days of hacking have come and gone. "The '80s to early '90s were definitely the Golden Age," Low Tek says. "It was before everybody started locking down ... before security started getting smart."

"Any one of us here would give a ... pint of blood to live in the early '80s with the knowledge that we have now," Low Tek says.

Hacking Hollywood, and the cyberpolitics of gender

Favorite hacker movies among hackers? "Sneakers" is a hands-down choice, followed by "WarGames" as a time capsule of the Golden Age. The recent film "Hackers" is blasted in every respect except the casting of Angelina Jolie. Which brings up another observation -- the hackers at this meeting were nearly all male.

"Being a woman in this type of thing, you get recognized all the time," says Empress, the only woman at the meeting. "I've been coming to these meetings for a long time ... since '95."

Had there not been a reporter present, the 2600ers say, the meeting would have been a primarily social event. "Some of these guys here, I'll hang out at a club, go to a rave with, do the occasional drug..." Low Tek says.

"We didn't come here as part of some big scheme to overthrow the government like everyone thinks," Lithium says. "That's what my Mom thought."

As the meeting breaks up, Low Tek gets down to business: "So, what's everybody doing tonight?"

It is, after all, Friday night.

No Defense

No one connected to a computer network is really safe from hackers. Luckily, most invasions or infections don't result in serious injury to the system that has been attacked.

The only real defense is limiting your risk by using virus scanners and enforcing security measures on network computers. But in the end, hackers see security systems as a challenge, not an obstacle.

For more information on hacking and security, take a look at these sites:

Technology and Society at the World Wide Web Consortium (W3C) -- The W3C tries to set and maintain standards for the portion of the Internet people are most familiar with, the World Wide Web. The Technology and Society domain seeks to influence public and private policy on issues, including security, arising out of the development of Web technology. The articles may be a little dry, but the information is good.

Electronic Freedom Foundation -- An organization dedicated to keeping the Internet an uninhibited medium for information, the EFF is an excellent source of information about security issues and legislation that affects the Internet.

Virus Builders

Some hackers are also virus builders. Viruses, worms, Trojan horses and logic bombs are all forms of programs that can invade a system. Some are malicious, some aren't.

A virus is a program that may or may not attach itself to a file and replicate itself. It may or may not corrupt the data of the file it invades. It may or may not try to use all of the computer's processing resources in an attempt to crash the machine. If that seems vague, it's because viruses are tricky. They may be simple notes that say "Hello" -- or they may attack and corrupt the files at the core of the system, causing it to crash.

Worms invade a computer and steal its resources to replicate themselves. They use networks to spread themselves.

A Trojan horse appears to do one thing but does something else. The system may accept it as one thing, but upon execution it may release a virus, worm or logic bomb.

A logic bomb is an attack triggered by an event, like the computer clock reaching a certain date. It might release a virus or be a virus itself.

Software Crackers

Application software, such as programs for word processing or graphics, puts the power of a personal computer in the hands of a user, even one who doesn't know how the computer works. It's often expensive and, like anything else that's useful but expensive, there's bound to be someone who wants to get it free of charge. That's where "crackers" -- hackers who break software security -- come in.

These hackers develop their own software that can circumnavigate or falsify the security measures that keep the application from being replicated on a PC. For instance, you have a piece of software that requires a serial number to install. A software hacker does this in much the same way that network hackers attack network security. They may set up a serial number generator that tries millions of combinations of numbers and letters until it finds one that matches. The hacker could also attack the program at the assembly-code level, finding and altering the security measures.

One note: A software hacker is not necessarily a software pirate. A hacker may break the security and use the software, but a true pirate would also replicate and sell the cracked software.