By Rob Lemos
Staff Writer, CNET News.com
August 2, 2002, 4:00 a.m. PT
SEATTLE--At a typical Wells Fargo branch here, employees and customers do business each day oblivious to a beehive of activity in the basement.
There, five blue-walled rooms serve as makeshift classrooms for other tenants in the building who are light years from the world of banking: an organization of some of the most talented computer hackers in the country.
As menacing as this juxtaposition might seem, the group insists that its work is harmless and, in fact, is dedicated to doing good. The founders of GhettoHackers, as the group is called, say its 30-odd members teach others how to crack security only to find flaws so that defenses can be hardened.
"The Ghetto are good guys. So I guess the way to look at us is (as) the boot camp for the people growing up to protect the world," said "Caezar," a 28-year-old security consultant and founding member, whose appearance--which includes two spikes angling from his lip, as well as several body piercings--might otherwise evoke unease in the buttoned-down culture one floor up.
GhettoHackers is one of several groups trying to change the way society views hackers, as stereotypical malcontents interested only in crashing systems, stealing credit cards and releasing computer viruses. While cybercrime arrests make headlines regularly, groups like GhettoHackers are aiming to help those curious about information security get hands-on experience without doing harm to others.
"We've put a password file on the server," challenged a recent lesson on the boards. "Grab the file and run a password breaker against it."
To the several men and two women of GhettoHackers, this is "home." The hands-on approach appears to work.
"I'm learning more doing what I'm doing right now than I would in school," said one student, who goes by "Zsnark" because a more common moniker might undercut his credibility in this anarchical world. At 18, he's put college on hold to study security here.
The group's work was even more frenetic than usual this week as it prepared for Defcon, a controversial annual hacker convention that begins Friday in Las Vegas and that, in past years, has hosted people on the FBI's wanted list. Having won Defcon's "Capture the Flag" hacking tournament for three years running, GhettoHackers has been put in charge of the event this year and must act as its system administrator, keeping the network running despite rampant hacking activity.
The contest will stress the group's philosophy that hacking can be a positive act, especially for those still at an impressionable age.
Typically, two types of people are drawn to hacking: those who want to learn and those who want to express power over their environment.
"It's hard to tell the difference between a police academy and a terrorist training camp if you don't know the social structure they are in," Caezar said, using the analogy to explain why many people fail to distinguish a "good" hacker from a "bad" one. "They both learn target practice and 'how do we defeat things that are coming at us?' These are things that are common between the good guys and the bad guys."
For the older members, it's a matter of legitimacy. Aside from some security consulting firms that employ them for their knowledge and ability to attract media attention, most reputable companies won't hire people who label themselves "hackers."
"Some people can make money off their name as a hacker. But most of the time, calling yourself one is a liability," said "md5," a 27-year-old member of the group and the CEO of his own consulting firm. "Most companies don't care if you are into stamp collecting or rock climbing, but tell a client that you like to hack and they don't call you anymore."
And both pursuits will be represented Friday at Defcon, which has become over the past 10 years a popular mainstream event attracting news media from around the world. For all its publicity, however, companies still don't understand that hackers are not necessarily malicious in nature or intent.
That's unlikely to change anytime soon, said Chris Wysopal, director of research and development for digital security firm @Stake.
"Ethical hacking means different things to different people," he said. "To some, it means hacking for security's sake. For others, it is more hacktivism. Then there is hacking for the pure pursuit of research."
"The traditional way that a lot of hacking skills have been handed down is the apprentice-master way of teaching," said Wysopal, a one-time member of the Cambridge, Mass., ethical hacking group known as The L0pht. "In that case, it's important for the people who are teaching to be teaching ethics as well."
Which is precisely what GhettoHackers is preaching.
"It's all about teaching the younger people by giving them access to the hardware that 10 years ago they would have been stealing," Caezar said. "We just help bring people up in what's a really freaky landscape right now."