Like many young hackers, Jeff Moss got his start copying computer games, learned how to program, and began to explore the world through a modem.
Unlike many young hackers, Moss has managed to turn his computer and social-networking skills into a business. He founded Defcon, the first major hacker conference and the largest in the world, as well as Black Hat, its more corporate counterpart. And now he is helping the U.S. government, as a member of the Homeland Security Advisory Council.
Moss talked to CNET News during National Cyber Security Awareness Month about his digital coming-of-age and how Google, Yahoo, Facebook, and other sites are putting consumer privacy at risk and jeopardizing social-justice movements around the world.
This is the final installment of a two-part Q&A with Moss. Part 1 ran on Friday.
Q: When you first started Defcon, that was what year again?
Moss: Ninety-two, '93. I think I started planning in '92 and it happened in '93.
So, things were different then. Can you talk about how the landscape has changed and what the real threats are now?
Moss: I'd say the biggest change is just that money got involved and once money was involved it changed everything. Actually that's not true. Technology grew up. So two things: money and technology. Technology grew up and a lot of the original motivations for hacking sort of changed, at least for my generation. When Internet access is essentially free and Unix is free and phone calls are essentially free and pennies on the minute, not dollars on the minute, why do you need to steal a phone call when it's free? Why do you need to break into a university to read man (manual) pages on Unix when you can download free security guides online?
You had to work so hard to learn something, and once you learned it you felt like it was yours. You made it yours by discovering it and figuring it out and sharing it with your friends. But now it's basically just handed to you on a Google search page so that motivation is just different now. Now it's not a question of figuring out how the SS7 phone switching network works. You can download 50 documents that tell you how it works. It's more about now the information is basically free what do you do with the information? How do you use it? Before it was about the quest for information; just getting your hands on the information was a victory.
As soon as people started making money on the Net...during the dot-com boom, that's when you could see the impact. Everybody needed somebody with Internet skills. And at that time it was hackers and early adopters. So all the early adopters could go out and get paid for their hobbies. That changed the nature of it too. It became a job as opposed to a hobby. When the criminals finally caught on that there was some real money with low risk and potential high reward...once nation states and organized crime groups got involved, that was the end of the age of innocence. It happened really quickly; 10 years or so. It used to be that you could probably defend against the bored college student and a couple of his buddies and you could do some defensive maneuvers and watch your log and know when somebody is poking around (your network) and have a pretty good handle on things.
This is an edited audio version
of the interview with CNET's Elinor Mills.
Download mp3 (3MB)
But the amount of noise and the amount of scanning and the amount of resources that people can put against you now, its kind of...(laughs) I used to always say that large governments, military, and an EDS or a Microsoft, they've got the in-house talent to defend themselves and the budget to do it if they have to. But the SMBs, the small and medium businesses, they don't have the talent or the budget or the experience, so those poor companies are at a disadvantage in this kind of world... The technology hasn't matured to where you just plug it in and it works. You still need a certain amount of high-end talent if you want to be secure. So we're not at the point where you buy aand you've got the air bag. We're not there yet. Every year the bar keeps getting raised and it's a little bit harder to break in. But that just means that the better-funded organized crime groups and governments could potentially be the last ones left standing. And when the attacks get so sophisticated and so subtle your average sec guy is not going to necessarily have the computer skills to protect against it.
Is that an argument then for managed security services?
Moss: Hmm. Do you mean something like a Counterpane, the sort of centralized log management where they analyze everything?
Moss: That's essentially (similar to the idea of putting) your eggs in less baskets and have experts watch the logs. The DHS (Department of Homeland Security) is trying to do that with Einstein. It seems like that's a rational response to the problem. I'll have to think about that. The problem is by the time they notice something is the damage already done if they're infiltrating secrets, say, versus defacing your home page? If you look at the nature of the problems the organized crime groups generally want money and the government wants secrets and they go about their business differently because the goals are different. Maybe centralized services like that work better against one group than the other.
How did you first get into hacking and on to computer security? What got you interested in all this?
Moss: It was kind of random. My dad was a doctor at the University of San Francisco and the university was offering some discount if you bought an IBM, you could get it at some kind of educational discount...so they bought a pretty expensive computer back then for me and my sister to play with.
How old were you?
Moss: I was right around 12 or 13.
And you are how old now?
Moss: Thirty-nine. And my sister wasn't interested in it. She ended up getting into music and it turned into my computer instead of the family's computer. I started off as a software pirate. You're 13 years old and your buddy gets a game for his birthday and I've got a game and there just weren't that many games on the PC back then. You could either just straight copy the game or if there was some sort of copy protection you saved up and bought a copy of 'Copy to PC' and you could copy each others' games. You would try to figure out why did that work. There wasn't a whole lot of programming books back then so I learned BASIC and I started learning assembly language.
And then to upgrade the machine you had to learn how to take apart the machine and it was much cheaper to buy memory and install it yourself than to buy a memory card. I had no money as a kid. So there were these overclocking kits you could buy for like $50 or $60. You could overclock your CPU to make it go 30 or 40 percent faster. Instead of going something like 6.55 or whatever megahertz, you could make it go 8 megahertz and that was awesome. So then you would figure out why does that work? What's going on there?
And then the huge revelation for me was getting a modem. Once I got an acoustic coupler modem, a 300-baud modem, that was the beginning of the end for me because all of a sudden I got to communicate (with others online). It started with my friends who had modems and I would use them over at their house and eventually I saved up and got my own. And you would be on these message bulletin board systems talking with people in the Bay Area. They didn't know your age or your gender or your education or anything and you're having conversations with grownups about grownup topics, drugs, technology, music, whatever it is. The sort of conversations you didn't have with your parents. You could overhear other people having conversations about (things). It was this great glimpse into the bigger world that was out there. And that really opened up my eyes. It was different from what we talked about at school. It was different from what you talked about with your friends, your parents. It was a whole other world and it just made you want to find more and more bulletin boards and more and more people. And that led to phone phreaking, trying to figure out how the phone systems worked and how to call longer distance and the cheapest way to do it. It was that exploration.
And it was all very random for me. I knew about the phone systems because I ran a bulletin board and I spent a lot of time dialing long distance to get onto different bulletin boards. And I knew about software programming but I didn't really know about hacking until a chance encounter with someone. And he had the opposite experience. He didn't know anything about phones and he didn't know anything about copy protection or reverse engineering that way, but he knew all about hacking. He knew all about networking, which is something I didn't know about because I didn't have a network in my house. Everything was point-to-point dial-up. Nothing was a network. So through him I learned about networking.
Things happened in my life at certain times. Very random. It was luck. I was lucky my parents bought that computer. It was lucky I learned about the modem and lucky I ran into that guy who taught me about hacking. I would love to say it was some master plan on my part, but it was a happy set of circumstances.
That reminds me of the Malcolm Gladwell book "Outliers" that I'm reading right now. It's very relevant to what you're talking about--that it's not just intelligence, but also opportunities that give people the ability to accomplish things.
Moss: Is that the book that talks about the 10,000 hours (the amount of time it takes to practice something in order to become a success at it)?
Moss: Somebody told me about that and I totally believe it. If I think about it, I put in thousands and thousands and thousands of hours just talking to people and reading and programming and screwing around with computers and trial and error on phones and everything until it became sort of second nature. If you think about people who are really good with musical instruments, they put in tens of thousands of hours. Or (people) working on cars. I have a friend who is fantastic car guy and he grew up with a wrench in his hand. He innately understands how mechanical things work.... (These people) see the world differently (and have) developed a sixth sense toward it.
Do you have a sixth sense toward hacking?
Moss: Well, you have a sixth sense toward looming problems. Somebody announces an (integration) project and you just think to yourself "Oh, that's going to be a problem. How are they going to do that?" From a technology standpoint how are they ever going to get all those systems to work and from an HR or organizational standpoint, you just know it's not going to happen...
In the back of my head I wonder if we haven't embraced the Internet technologies (too) quickly. If you're going to touch these critical systems you need a different mentality. You need a different skill set. I don't know. For example, SCADA (Supervisory Control and Data Acquisition) systems are starting to be hooked up to Web interfaces and it makes central management really easy and it makes understanding and visualizing the process flow information really easy. So the managers hear that and think cost savings and ease of management and ease of visibility. I hear that and I think "Whoops, that's going to be a problem." You're joining these two networks with Web protocols that are essentially inherently insecure or are difficult to secure and then you go and listen to Moxie Marlinspike talk about the problems with SSL and you think to yourself, "That's a problem." You just get a sixth sense about things like that.
So we've covered a lot of ground here. Is there anything else to discuss about computer security, cybersecurity, your background?
Moss: I have a current rant I've been going on about. It's my low-hanging fruit rant. Six months ago there was an open letter to Google asking them to please make everything HTTPS (Hypertext Transfer Protocol Secure) by default and I was a signer on that letter. It was another one of those (proposals that) made total sense. Why isn't there a push to just make everything HTTPS by default? Because everybody's browsers work with it. Computers are fast enough now. Home PCs are fast enough that the extra encryption doesn't even faze them. Why not start getting rid of HTTP and moving to HTTPS? That seems like a pretty low-hanging fruit, easy to do. If you can't do that what makes you think you are going to be able to do more complicated things?
And if you look at what we rely on, we rely on the Web, which isn't secure. We rely on DNS (domain name system), which isn't secure and we rely on e-mail, which isn't secure. The three foundational things we've been using since the dawn of time aren't secure and there doesn't seem to be a big push to fix any of it. These big companies that are encouraging us to put our lives online, the Yahoos, the YouTubes of the world, they're not doing their bit to secure it.
The thing that really kind of pissed me off, during the whole Iranian revolution or protest over the election you saw all these people just pouring their hearts out on these different social sites and their political beliefs out over unsecured http. And the government is sitting there just collecting it all, recording it. And sooner or later they'll come knock on people's doors. It really drove home we are beyond sharing pictures of fluffy cats and the social sites are now being used to organize political movements and social-justice issues.
If that kind of stuff is going to happen you've got to do it in a secure fashion or you're being negligent. Because if it was SSL (Secure Sockets Layer) between say the dissidents in Iran and some social site they would know your IP (Internet Protocol) address connected to Facebook, for example. And they would know that you transferred a couple hundred thousand bytes (of data) but they wouldn't know your log in, they wouldn't know your friends, they wouldn't see what you are posting. They wouldn't know any of that. That seems like a good thing if you are concerned about the well-being of your citizens. A lot of problems would go away if everything were just SSL by default. A lot of the privacy concerns would go away. Every time I get a chance to talk to somebody at one of the big social sites I give them some grief and say, "How come you aren't doing this? Why do you protect my log in but you don't bother to protect the rest of my session?" It's super frustrating.