March 30, 2001 12:45 PM PST
Curiosity kills network at security confab
A seemingly innocuous question greeted attendees at the CanSecWest conference this week: Do you want the white baseball cap or the black one? (Gray caps were reserved for speakers.)
Yet within the security community, the question is a litmus test that differentiates between those who use their knowledge to improve computer security--the white hats--and those who use it to break into computer systems--the black hats.
Despite the fact that most of the attendees came from reputable companies, the black caps were gone by the second day.
"When you get down to it, these guys are really all the same personality type," said Martin Roesch, president of SourceFire and the creator of a popular open-source intrusion detection system called Snort.
After a day at the conference, just what that personality type was seemed clear: Not good or bad, just monomaniacally curious.
That curiosity first focused on the hotel's high-speed network.
By registration time, an attendee had already gotten the password to the hotel's phone system (but didn't use it), and a day later, the hotel's high-speed Internet system had been accidentally crashed by another attendee who had taken over the hardware connecting the hotel to the Internet. (It was resurrected soon after.)
Richard Johnson, security administrator for the National Center for Atmospheric Research, connected an Apple Airport wireless hub to his room's high-speed Internet port, so he could wander around his room and still use the Internet. Within five minutes, he said, a handful of hackers from nearby rooms had hitched a ride on his connection as well.
"They're just playing," he said. "We're all having a good time learning."
That sort of curiosity made the conference's wireless network a security nightmare. Almost every person on it was either scanning every other person's computer or just passively listening to what the other computers were doing.
The scanning set off digital burglar alarms, called intrusion detection systems, run by many of the security specialists.
Normally, a typical user with a personal firewall might see a handful of alerts every hour, on a busy day. SourceFire's Roesch, sporting a black cap, said he saw 2,300 alerts on his computer in less than five minutes.
By the end of the conference, paranoia had set in. Type a password into Yahoo? Someone most likely knows it. Send an e-mail to a friend? Someone's reading it right now.
Suddenly, the Internet seemed a lot less safe. Of course, that's the whole point of what these people do.