"Who do you want to learn how to protect your system from?" Valor said. "Some corporate guy, or me -- a guy who's actually" hacked into your computer network?
Corporations and governments are spending megabucks these days to learn to guard networks from vandals, terrorists and punks with computer programming skills and too much time on their hands. This week in San Francisco, the authorities learned it first hand: from hackers themselves.
The idea of hackers using their expertise to instruct industry is not common, but it is not a new phenomenon either. What this group brings to the table is first-hand insight into the methods of crackers -- hackers who use their skills maliciously to infiltrate government and corporate computer systems. These presenters say they have eschewed that life to preach for profit to the government and private sectors.
As if hearing about car theft tactics from retired felons, the attendees learned not just the gritty technical details of attacks, but about cultural aspects too -- why crackers use their skills maliciously, which systems they crack, some of the tragically petty reasons they decide to target a company or individual. And ruin their lives.
The former members of the hacker underground sought to downplay the "hysteria" they say exists about hackers -- many of whom they say are pretenders -- and to point out that many government and corporate systems can be cracked. Valor told how gangs of crackers warring for bragging rights last year hacked into 363 major Web sites, including ABC News, the Naval Dental Center, Amnesty International and the Army Information Center.
A hacker calling himself Michael Diamond -- a 25-year-old who wears bleached blond hair, earrings in both ears, a tongue bar and a tattoo on his left arm -- told the audience of the planning that goes into the attack. Then he launched into a technical description of the programming language of attacks and described what security experts should look for to determine if, and how, they've been hit.
The 17 attendees of the workshop on Monday and Tuesday hailed from NASA, the Army, the Department of Energy and the Seattle Police Department, among other groups. Much of the material was old hat to some of the more seasoned security personnel, but at least one said that the presentation -- and others like it -- have an edge over more traditional talks.
"True hackers have told us about problems that we never hear about from high-placed consultants in the mainstream," said Seattle Police Detective Greg Roberts.
The information exchange owes its existence to Fred Villella, a retired Army colonel who spent several of the Reagan years an executive secretary to the national security adviser.
After he left government, Villella in 1985 founded New Dimensions International, focusing on corporate and government security issues. Three years later, he offered his first computer security curriculum, and in 1995, he started to focus on the threat, hosting his first symposium on "hackers, crackers and sniffers."
Initially, he hired standard security types from the software and corporate world to present the material. Then, in 1996, he attended Def.Con, the annual hacker get-together in Las Vegas and had an epiphany. "There was a world that those of us in the professional training environment just are not aware of," Villella said. "It was a revelation."
Even as he began recruiting hackers, it was not a world that Villella felt entirely comfortable with, nor one he thought the corporate world would readily receive. Villella couldn't sleep the night before one of the first conferences knowing one hacker liked to present bare-footed and another had "frosted hair."
The feeling was mutual. The hacker community is inherently suspect of the government and corporations. Authorities are seen by the more immature crackers simply as targets -- the way egg-tossing teens look at cars -- and by mature hackers and crackers as an ideological foe -- that endanger our collective security and private data by failing to protect computer networks.
Villella is somewhat vague about the success of the operation. He said New Dimensions made roughly 20 presentations in 1997, traveling around the country to talk with NASA, the Army, the Department of Defense and other government and corporate entities. The workshops generally run $695 per person for two days or $995 for four days. In San Francisco, there were 17 attendees for the first two days, although Villella said the workshop was free for 11 of the attendees because he was testing new curriculum.
They are not without competition. Hackers even have testified before Congress to explain the extent of the vulnerabilities.
Meanwhile, Villella now acts as something of an uncle for his particular group. He keeps them on schedule -- including getting one notorious late sleeper out of bed -- pays for their appearances and expenses, and tries to keep the peace among the hackers. It's clear he faces a balancing act. The hackers can be touchy -- fiercely independent, highly intelligent, sometimes arrogant and demanding. (Says one hacker jarringly during his talk: "It's my talk, Fred, don't interrupt me.") "It's my role," says the soft-spoken Villella, who calls himself "Uncle Fred." "It's one I've come to accept."
The first day of the workshop belongs to Diamond, editor of Phrack magazine, a technical and respected quarterly online hacking journal. ("It's supposed to be quarterly," Diamond said. "But it comes out when I get around to it.")
Diamond gives what in many quarters would be a highly technical talk, explaining the programming language behind various hacker attacks. He touches on such techniques as tunneling, fragmentation, sniffing and spoofing attacks. He explains the programming language hackers use to find their way to the "root" of a system, which is essentially the highest level of access.
The audience varies in its level of comprehension. The guys from the Army, who are relatively new to computer security, look dumbfounded. In reality, though, the talk mostly validates the types of attacks that more experienced security personnel have come to expect, said Phil Cox, with the Computer Incident Advisory Capability team of the Department of Energy. Cox said the Department of Energy gets about an "incident a day" of an attempted hack.
On the third day of the workshop, the class will hear from Jordan Payne, a well-known female hacker. On the fourth day, they'll hear from Peter Shipley, who will expound on Web security. He said he plans to tell attendees that they cannot expect networks to be secure, just because they use an expensive secure server. They need to audit the entirety of their systems to look for vulnerabilities, he said.
The second day belongs to the Valor, 29, who announced his "retirement" last year from malicious attacks. Because he has some extra time, though, he tells the audience about his exploits as a phone freak, which is someone who learns to manipulate the telephone system to pull pranks.
The stories sound as if they are mostly an annoyance to victim individuals and companies, such as when Valor and his friends dumped the telephone charges of Kaiser Permanente, a major hospital chain, onto the bill of a local CBS affiliate (Valor said the phone freakers were upset at CBS for failing to run a story about them). But he said the experiences show how unprepared corporations are for attack, and what they can learn from the crackers' exploits.
"Crackers have contributed more to computer security than any other person from any company," he insisted.