Nothing makes hackers happier than breaking into a computer that another hacker set up, especially when an appreciative audience is watching. Small surprise, then, that there were plenty of grins at last weekend's Beyond HOPE hacker convention in New York City.
The first break-in attempt came at about 4 a.m. on Friday when a huge, tattoo-encrusted Englishman named Cyberjunkie ran a utility that probed the network of HOPE's Dutch sister conference, Hacking In Progress. The plan: to expose any weaknesses, then peel away the security measures of the target computer like the layers of an onion. The program quickly found several obvious security holes. "So I had to do something," Cyberjunkie says. "It's a bit like waving a red flag at a bull, isn't it?" Like the encierro at Pamplona, Cyberjunkie sent a stampede of null information into one of the server's memory buffers until it choked and overloaded.
Quietly attached at the end was a simple script that granted him the access he wanted. (In hacker argot, this is known as an IMAP exploit.)
Because hacking is not only encouraged but rewarded at HOPE -- which conference organizer Emmanuel Goldstein revived this summer after a three-year hiatus -- each of the thousands of participants received an IP address with which they could glom onto the Puck Building's 10-megabit network and connect to the rest of the world. The Pittsburgh-based DataHaven Project provided 15 public terminals, but Ethernet hub plugins were plentiful. Confused? No problem.
The 13-year-old with braces in the next chair was glad to help out. After all, he'd already hooked his ancient DEC, Hewlett-Packard or portable IBM onto the Net and was busily trying to gain root access.
When you'd tired of chatting on IRC #hope (topic at 4:11 p.m. on Saturday: "HOPE is a commercial enterprise full of bullshit"), you could browse through the various kinds of phone equipment, T-shirts or software that were on sale.
Ether Bunny sold $250 worth of lineman's equipment (including several Southwestern Bell hard hats) in just over an hour. There was, of course, a constant stream of panels to attend: Tiger Teaming (better known as security consulting); cryptography; how to hack Windows NT; Metrocard hacking; a prisoner panel that included Bernie S. and Phiber Optik; and an amazing talk on privacy given by investigator Steve Rambam.
Best known for tracking down 161 Nazi war criminals hiding in Canada, Rambam is a consummate connoisseur of databases. "It is true that I can go online and reliably determine if you are a homosexual or a lesbian. It is true that I can go online and determine your religion. I can go online and, without breaking a sweat or getting carpal tunnel syndrome, find what movies you rent at Blockbuster," he said.
Yet Rambam takes an unlikely stance on the privacy issue, especially in a room full of paranoids. Closing off databases, he says, will not adversely affect his work -- since he'll always be able to buy the information from someplace. "It will harm the ability of the average person to control their lives; to check up on government to see if they are lying to him, to check up on big business to see if they are lying to him, to check up on the guy next door and see if he is an ax murderer," he said.
Now Rambam may be biased, for he operates a billion-record database that is accessible online to subscribers (he refused to give the URL for fear of hacking attacks). Nevertheless, it was rare to see so many teenagers taking copious notes, noted fellow attendee Shabbir Safdar. The audience couldn't get enough of Rambam, who looked more like a fed than a hacker in his custom-made Hong Kong suit. (A big hit was when he detailed how to turn a dead man's identity into your own.) But ultimately, Rambam questioned why anyone would want to: "The fact of the matter is that there is no real reason to hide who you are and what you do."
It's an unfortunate but true statement about the state of hacking today. Where have all the good hacks gone? Three years later and the flimsy Metrocard is still impenetrable. A panel of hackers turned security consultants showed that one of the biggest challenges for today's data cowboys was changing the preconceived notions of hackers held by the corporations they work for.
Keynote speaker Brock Meeks went so far as to admonish the crowd for their low hacker batting average (only 20 percent of all government computer systems have been hacked). His address was putatively a history of hacking in America, but it sounded more like a call to arms for the audience. "You're going to have to learn how to hack the media, because you haven't been doing a good job of it," Meeks said.
Indeed, hackers get their share of bad press, and they gripe about it to no end. And HOPE highlighted the split personality hackers bring to their relationship with the media. Like most groups, they lambaste journalists. Yet their keynote speaker wasn't an agent provocateur, but a member of the press (albeit an esteemed one who champions the hacker cause). There was a panel discussion (which I participated in) where hackers could finally turn the tables on the media in attendance. "No weapons allowed," said the schedule of events. Yet only one of the audience's questions criticized the press, specifically noting John Markoff and his book on Kevin Mitnick. There was even a "Media Portrayal of Hackers" survey being distributed by a University of Tennessee sociology student as part of his master's thesis.
Perhaps it's useless to analyze hacker-vs.-media stereotypes. After all,
the hacker community has shown that it can successfully run its own magazines,
pirate radio stations and web sites. If it's true that information technology
is going to obliterate old media, the horsemenof the apocalypse are more
likely riding from alt.2600 than from Wired. "The whole 2600 thing
is a media hack," admitted Goldstein. And the success of this year's
HOPE showed not only that Goldstein knows how to co-opt the media but that
he might be a damn good entrepreneur as well.