
Desirable Undesirables

posted on June 6, 2001
by hitbsecnews

"Last night, I stayed up until 6 o'clock figuring out how to do this,"
says Riley "Caezar" Eller, a slender and bookish 27-year-old.
Scribbling furiously on a dry-erase board covered with boxy diagrams
representing a pair of networked computers, Eller maps out a novel
cyberattack - a method of disabling a supposedly impregnable system
with a few clever lines of code. His listeners nod each step of the
way, occasionally grunting their approval. When the presentation is
over and the imaginary defenses have all been surmounted, they
break into polite applause.

Such demonstrations are part of the standard
curriculum at the major security consultancies.
But Eller isn't giving this lecture in a sterile
conference room at PricewaterhouseCoopers
or Deloitte & Touche. The setting is a
subterranean hideout that closely resembles
a frat house, complete with lava lamps and a rickety bar that reeks of
week-old spilled Smirnoff. His cohorts - sworn enemies of office
cubicles and Brooks Brothers suits - are members of an invite-only
group of ace programmers, cryptography enthusiasts, and hardware
wizards. Their think tank-cum-social club is known as the Ghetto
Hackers.

They're a brash, fun-loving lot who revel in their notoriety as
two-time champions of Capture the Flag, the Daytona 500 of the
computer underground. They also enjoy a measure of renown as
hosts of a celebrated bacchanal - a combination trivia contest and
Animal House-style beer blast - at Def Con, the annual hacker
convention. In their civilian lives, however, these self-taught
technophiles make a mint locking down servers and designing
hard-to-crack networks.

Publicly, Corporate America expresses nothing but scorn for the
denizens of this wired-world counterculture. Yet the Ghetto Hackers
and their ilk are coveted - if controversial - players in the battle against
cybercrime. While most of the major security firms insist on a
hacker-free work force, even flaunting their purity in sales pitches, a
host of smaller shops are scrambling to enlist the assistance of Eller
and his associates. They reason that hacker talent of their high
caliber is too precious to ignore.

bad news is good news

Hiring philosophies aside, security firms large and small agree that
cybercrime has reached alarming levels. Internet security breaches
cost businesses around the world upwards of $15 billion a year,
according to the research firm Datamonitor. In one recent survey,
conducted by the Computer Security Institute and the FBI, 85 percent
of respondents reported at least one attack. High-profile debacles
such as last February's Yahoo! takedown have exposed the Net's
soft underbelly for all to see.

The resulting hysteria, coupled with a severe shortage of talent, has
been a boon to savvy job-seekers, including some with the kind of
after-hours hobbies that the leading lights of the security
establishment claim to abhor. With security services projected to
become an $8.2 billion industry by 2004 - up from just $2.8 billion in
1999 - even low-tier workers expect base pay to average more than
$75,000 a year. And the Ghetto Hackers are taking full advantage of
a hot market.

Michael "Koresh" Bednarczyk - at 30, one of the group's elder
statesmen - is chief scientist at the Internet Security Advisors Group
(known as ISAG), a highly regarded firm headed by Ira Winkler. (See
"The Social Engineer") Drew "Ender" Miller, 23, a specialist in
algorithms, recently left a longtime post at Datalight, an
embedded-software developer, to become a programmer at
LapLink.com. Eller, for his part, is the senior architect at
ClicktoSecure, which makes a security scanning program called
Hailstorm. Ghetto's ranks even include a high-level Microsoft
employee, although his identity is well guarded. "They would
recognize the name, and he positively would be fired," Eller says.

Microsoft is not alone among technology titans in its low regard for
job candidates with experience on what some call "the other side."
At most of the top companies, official policy bars anyone linked to the
underground scene, whether by attendance at an event like Def Con
or by the act of swapping hacker tools over the Internet. "I don't
believe in it, because they never go straight," says Tom J. Talleur,
managing director of KPMG's forensics technology services division.
"The problem is one of trust. It's one thing to give someone the keys
to your house, it's another to give him complete root access - access
to all of your secrets." So great is the threat, Talleur says, that even
guilt by association can disqualify a job candidate, no matter how
exceptional his skills or clean his rap sheet.

But jobs with KPMG and other old-school industry mainstays don't
necessarily tempt today's rising security experts. "I know the Big Five
employed hackers in the past," says Eller, referring to the sizable
security practices operated by the major accounting firms. "But I
don't know if there are any really left. All the ones I know of have left
for smaller, lighter, faster companies where they get meaningful
amounts of equity."

Ghetto's members also take issue with the logic of the Big Five's top
brass. Eller and his friends view themselves as hackers in the purest
sense of the word: People who satisfy an innate curiosity by
determining how systems work from the inside out. "Intimately tied
to learning how things come apart is learning how to put them
together so they don't come apart," Eller insists. The hacker
mentality espoused by Ghetto is an elegant spin on the credo of the
Russian anarchist Mikhail Bakunin: "The passion for destruction is
also a creative passion." Though many learned their crafts as
mischievous kids - futzing with high school networks, probing obscure
NASA servers - they are now self-professed law abiders one and all.

the legal tightrope

To the average American still grappling with the Paste command in
Microsoft Word, hacker is synonymous with hoodlum. Hackers are
commonly viewed as terrorists, says "Rizzo," the group's resident
wireless expert, and one of several members who asked to be
identified only by nickname. "They think it's evil little guys sitting in
basements, basically punks." The real punks, he adds, are unskilled
teens who use pre-programmed hacking tools to deface Webpages
by filling them with Limp Bizkit lyrics.

The Ghetto Hackers do not pretend to be candidates for sainthood,
however. Many learned their trade while walking a legal tightrope.
The son of a trainer on the horse-show circuit, Eller spent his
self-described "white trash" childhood bouncing around the Rockies
and Cascades, attending school with kids who did not take kindly to
his gangly limbs, dark garb, and classroom smarts. As an 11-year-old
martial arts expert, he saved up enough cash to purchase a plane
ticket to Toronto for a tournament. But a premeet sprained ankle
forced him to seek a life-altering refund. "I walked into the travel
agent and begged a little and convinced them to give me my money
back," Eller recalls. "And when I got out, across the street they were
selling Commodore 64s."

With the aid of a friendly employee who gave him a steep discount,
he purchased one of the low-powered machines "and basically spent
the next five years locked in my room." Since there were few
tech-savvy teachers in Everett, Wash., Eller used bulletin boards to
communicate with French and German hackers who taught him the
programming ropes. A run of steep long-distance bills forced him to
indulge in what he characterizes as "basic telco fraud," fiddling with
phone cards to make them everlasting. It was that interval of
law-bending that led to what he calls "The Visit" - Eller's only legal
scrape. "I had a panic button wired up," he explains, "and as soon as
I saw [the cops] out there, I hit it and fried all my disks." The
experience, he sheepishly adds, scared him straight.

The Visit was only a minor obstacle for Eller. He learned database
programming as a teenage salesman at a mom-and-pop computer
shop. As an entry-level worker at Datalight, Eller quickly ascended
the salary ladder, maxing out at $72,000 per year after Def Con 7.
Though coy about his current income, he is the proud owner of a
high-tech condo in downtown Seattle, a domicile stocked with
rack-mounted computers, a massive flat-screen Sony Trinitron, and
an encyclopedic porn collection. Though the stereotypical tech worker
may be a 100-hour-a-week drone, Eller will have none of that. "I'm all
down with not working," he says. He dreams of cashing out in a few
years ("I'm looking at 37"), possibly to become a college professor - a
lofty aim for someone who dropped out of the Everett Community
College business program before earning an associate's degree.

In his lack of formal education, Eller typifies the security elite. It's a
profession in which hands-on talent tends to gestate outside
traditional channels. "With the proliferation of information we have
now, a 5-year-old has access to all the same information as a
college-level undergraduate," says Miller, a Ghetto Hacker who
estimates that he is 85 percent self-taught. "People don't need to go
to college; they need to apprentice, like blacksmiths or whatever.
Find something you like, find someone else who is good at it, hang
out with them for a couple of years.... You can have that Dairy Queen
job and then turn around and be programming computers someday. I
think that's awesome. Obviously, that's what I did."

A native of tiny Marysville, Wash., Miller first met Eller through the
local Assembly of God church. "My parents knew I was into
computers, and his parents knew he was into computers, so they
kind of hooked us up," he recalls. "I would take my systems over to
his house and we'd share the latest and greatest stuff."

At 15, Miller left home after a falling-out with his folks over
religion - "My father basically gave me a mandate and just said, 'Our
way or the highway,' so I took the highway." He begged Eller, five
years his senior, for shelter. "I proposed to him some sort of deal
like, I'd be his slave if he'd let me live with him," says Miller. "I
cooked, cleaned, did his laundry, got into fights with his girlfriend,
bummed cigarettes off of him." Another of Miller's responsibilities was
to download free software from so-called warez sites - clearinghouses
for the latest hacker paraphernalia.

Eller encouraged his protege to sharpen his coding skills by writing
elementary games. "I wrote Tic Tac Toe," Miller says with a bit of
embarrassment. "It took about two weeks and 10 pages of code.
And then Caezar sat down and said, 'Watch this,' and about 15
minutes later it was a page-and-a-half of code. I didn't understand
any of it."

Those mystifying tutorials taught Miller more than any high school
Basic class ever could. At 17, he got a job as a quality assurance
tester at Datalight, where he quickly proved his worth. After several
months, "I got to the point where I was going in and finding the bugs
in the tests that were testing the operating systems," he says. He
boasts of making more money than his father. In his spare time, he
writes algorithms for prime-number generators.

don't ask, don't tell

The Ghetto Hackers' digital "street smarts" serve them well in their
white-collar pursuits. They have a knack for solving complex security
riddles - sniffing out a previously unknown vulnerability, for example,
or analyzing the behavior of an intelligent virus. Last November,
acting on a tip from a Cambridge, Mass.-based hacker, Eller figured
out a way for advanced cybervandals to use "stack overflows" to
disable a theoretically secure machine. Before his research, the
brightest computer scientists had dismissed the possibility of such an
attack; Eller needed just two days to disprove the conventional
wisdom.

"The people who spend their mornings up until 6 a.m. trying to learn
how something is broken or learn some new way to cause problems
or fix problems, those are the people that are changing the world,"
says Eller, whose skill has earned him invitations to
corporate-security conferences as far afield as Singapore. "That
talent can't be measured in the kind of suit they wear."

George Kurtz, founder of Foundstone Security and a former pooh-bah
at PricewaterhouseCoopers and Ernst & Young, agrees about
underground-bred employees in general, and the Ghetto Hackers in
particular. "In terms of talent, they are exceeding what you're going
to find at the Big Five," he says. "These guys are really, really sharp
folks."

Despite their supposed contempt for the underground, many big
firms secretly side with Kurtz. They're willing, even anxious, to bring
hackers into their ranks, as long as their nocturnal activities are kept
hush-hush - a New Economy version of "Don't ask, don't tell." Any firm
that claims never to hire such people "is either lying or doesn't have
any expertise on staff," Rizzo says. "If you want to do something
right," he adds, "you're going to hire an expert, right? What firms
want to avoid is the appearance of having a bunch of law-breaking
hooligans that are uncontrollable on their staff."

Several firms, in fact, covertly wade through the underground in
search of untapped talent. The Ghetto Hackers have been persistent
targets of corporate recruiters, especially since their successive
victories at Def Con's Capture the Flag event, a 48-hour digital joust
in which teams score points by hacking rivals' machines. "After we
won at Def Con 7 [in 1999], we got tons of job offers," says Eller,
who himself became the object of a bidding war that led to a 20
percent raise. "And all because of something that only took us a
couple of hours."

Corporations that shun underground talent are only cheating
themselves, says "Palante," a Ghetto Hacker who works in the
information security consulting division of a corporation he declines to
name. "When it comes to hiring hackers, remember that we're talking
about a company paying someone to tell it about risks it may not
even know exist," he wrote in a response to an antihacker screed
published in the Toronto Globe and Mail last August. "The more a
company's consultant knows about such 'black arts,' the fewer
unknown risks there will be." KPMG's Talleur chortles at that
assertion. Demolition experts, he argues, don't necessarily make the
best architects. "The wonderful, colorful moniker of the hacker, going
around with his cape flying? It's bullshit," he says. "They're not that
smart.... Just because they're great at breaking into systems doesn't
mean they're great at fixing them."

Venture capitalists are beginning to believe otherwise. Last January,
a renowned group of Boston-area hackers known as L0pht Heavy
Industries was acquired by security startup @Stake for $10 million.
The L0pht, home to such famed hackers as "Space Rogue," "Dildog,"
and "Mudge," gained notoriety by authoring password-cracking tools
for Windows; as a division of @Stake, the crew now charges
megabucks to help companies design secure products.

The Ghetto Hackers seem a bit too pleasure-oriented to attract that
sort of financial support. The group originated three years ago as an
impromptu band of revelers at Def Con, which attracts thousands of
hackers to Las Vegas each summer for three days of technical
lectures, trick swapping, and carousing. The founders met by a stroke
of fate as they downed drinks at the same table. On a lark, one
celebrant registered them for the Capture the Flag contest.
Inebriated beyond recognition and competing as "Team Boozer," the
seat mates were stomped by a Scandinavian outfit calling themselves
the Mad Swedish Hackers. The only good thing to emerge from that
year's convention was the group's catchy moniker; the words first
spewed from the mouth of a member known as "Shrub," who
objected to his colleagues' habit of writing code on cocktail napkins.
"What are we," he sneered, "a bunch of ghetto hackers?"

Amid the alcoholic haze, however, they developed a sense of
camaraderie - and a thirst for redemption. "It didn't matter who won
at Def Con 7, but the Mad Swedish Hackers weren't going to win,"
says Miller. Ghetto considered a wide variety of revenge strategies,
including abduction and "paying very beautiful women to seduce
them." Eventually, Miller and his friends settled on the
uncharacteristically mundane approach of trying to boost their own
performance.

Predominantly Seattleites, they kept in touch over the ensuing year,
drawing other security-obsessed geeks into their clique. After their
Capture the Flag triumph in 1999, Ghetto coalesced, renting
workspace downtown before moving into their current basement
quarters - beneath a bank on the Emerald City's outskirts - last spring.
The new digs include an abandoned vault, which now houses a
battery of servers behind a heavy iron door.

Beyond harboring their weekly brainstorming sessions and the
occasional gala, the 3,000-square-foot space serves as a laboratory
for advanced research into everything from cryptography to phone
systems. Satellite labs in San Francisco and San Diego, where several
affiliates live, are set to open soon. The group, says Eller, is "really
designed to be a think tank - a place where people can come together
and share different ideas and come up with a kind of synergy."

The Ghetto Hackers range in age from late teens to 30s, but they all
share two key traits: technical prowess and a taste for hedonism.
Plenty of people have the intellectual credentials to win Ghetto
membership, "but they're sticks-in-the-mud," Eller says. Constantly
on the lookout for kindred gearheads, Ghetto does a fair amount of
recruiting at local hacker get-togethers known as 2600 meetings
(named after a hacker magazine celebrated for its anticopyright
activism). Prospects get invited to what Eller calls a "2621 party,"
where the real testing occurs. "If somebody can hang out and be
mellow, not make a fool of themselves," Eller explains, "then we can
say, 'OK, we should take this person's money.'" The monthly dues of
$180 pay for rent, bandwidth, and special events, such as the
screening of The Matrix that drew 450 of the group's closest friends
to the Cinerama theater in downtown Seattle.

Still, a few ambitious members foresee a day when the Ghetto
Hackers may replace Ernst & Young on the speed dials of hip,
security-conscious chief technology officers. In recent months,
Bednarczyk has been lobbying his cohorts to transform Ghetto into a
security startup. "We've got a diverse skill set in the group, and
we've got some definite leaders in the up-and-coming technology,"
he says. "Probably more goes on in our meetings than in most
boardrooms.... I see this group really turning into a consulting house.
There's no reason it's not going to happen." Bednarczyk wants to
form a limited partnership and establish a common bank account,
perhaps offshore, so the group can take on odd jobs securing ISPs or
conducting penetration tests.

"I think there's a good chance that something will come of it," Miller
says. But money, he adds, is not their only motivation. "Most people
here have really good jobs, so the issue of making a million dollars on
network security - nobody's worried about that." Some members
prefer the idea of forming a nonprofit organization, permitting them
to bid for government research grants. With Uncle Sam's sensitivities
in mind, there's even talk of adopting a pseudonym, such as "Security
Consortium," for official dealings.

Meanwhile, Ghetto has a more pressing matter to consider: Def Con
9 and the prospect of a Capture the Flag three-peat. After the
Tuesday meetings, they spend hours debating tactics and perfecting
attacks on practice networks. Next month, the group will strut into
Las Vegas' Alexis Park Resort - scene of this year's convention - with
the cockiness of champions.

"We've pretty much determined that we're never going to lose
again," Miller says. "So most of the people here, they actually take
time in the off-season to do things like download the latest patches."
In an industry where notoriety can be parlayed into big-time bucks,
spending the time to hone one's hacker chops is clearly a sound
investment.

Business2
