By Grant Gross
A "Black Hat and White Hat" panel discussion at the 23rd National Information Systems Security Conference in Baltimore this week showed two cultures clashing, although they weren't exactly the cultures in the title of the debate.
Moderator G. Mark Hardy of digital security company Guardent started the discussion by saying he couldn't get any self-admitted Black Hats to volunteer for the panel. But the audience, mostly middle-aged corporate and government information systems specialists in suits or khakis, seemed to look for enemies in the mostly young, black-wearing panelists, some of whom may have cracked systems in their past, but are now corporate security consultants.
The message from the corporate crowd: Why can't these kids who like to play with computers play nice and keep their mouths shut? Some panelists answered: Maybe it's not the kids you need to worry about.
One audience member, who said she worked for the government, chided panelist Jeff Moss, organizer of DefCon, for continuing to have "a meeting where you give out a lot of software to kids. You know full well they're going to be using it to spread as much trouble as they can," she said. "I propose you change the tenor of the conference, to make it more constructive."
She admitted, however, she'd never been to the conference, when another audience member said the vibe at DefCon wasn't about people in corners exchanging cracking information.
Moss defended himself by saying DefCon is filled with people from government and corporate America. "One side is desperately trying to figure out what the other side is up to," he said. "The way I try to set the tenor there is I try to select speakers who aren't going to get up there and tell people to do anything criminal. The only way I can set the tone is by my speakers and the behavior of my staff. I can't stop two guys from exchanging illegal information in the hallway.
"It's the double-edged sword of information," he added. "I can't censor who's allowed to have information and who's not. If I put myself into the censorship business, it's a recipe for disaster. All this information is available on the Web, it's available at my show, or it's available at the library."
Be an example
Another audience member ripped on the 2600 community. "I know where to go every month to a 2600 meeting," he said. "Where do we send the kids who want to go someplace to learn our moral framework?"
A couple of panelists talked about how the growth of the technology community makes it harder to mentor young computer enthusiasts and to self-police, but panelist Peter Shipley asked the questioner if he'd been to a 2600 meeting. "Maybe you should," he said. "You'll be an influence there and fix the problem. Show up there and when a kid wants to learn how to break into a computer, give him a choice. If you're not there, maybe a malicious kid is going to show him how to be malicious, or you can be there and say, 'What do you really want to learn how to do? Here's how to do it and not get arrested.' "
Another audience member asked Ray Kaplan of Guardent, the only panelist with the proverbial gray beard, about his efforts to arrange anonymous "Meet the Enemy" security forums. "How do you reach people whose frontal lobes are not yet fully developed?" the audience member asked. "The developmental stages make it very hard for a 13-year-old to grasp concepts like social responsibility, and if they can launch a denial-of-service attack with a 300-baud modem from a basement, we have a problem."
Panelists talked about adult computer users being good role models to young computer users. "Kids will copy what you do," Hardy said. "If you break into things, steal software, break copy protections, kids figure out pretty quickly that you're saying, with a wink of an eye, it's OK."
To which one of the corporates in the audience muttered, "Like Napster."
But Shipley said most young computer users won't respond to a series of commandments from adults in suits. "When people ask for advice, I say, 'Don't be malicious,' " he said. "Don't give a long set of rules -- 'You can't break into this machine, you can't touch this machine, you can't do that.' I say, 'Don't be malicious, and pay attention to what you're doing.' "
What's more sexy: Defending or cracking?
Hardy and Moss told the audience they have to pitch the White Hat, defending role in security as being as sexy as being someone who gets national press for changing a Web site. "The people who sacked Rome don't need the same skill sets as those who built Rome," Hardy said. "If you want to make yourself elite, come work on the good side, build the fences, build products that work."
Moss added: "Among people who know what they're doing, it's sexy to be a defender, because you normally have access to more resources and more cool tools."
Watch out for 10 guys with a budget
One message back to the suits from the panelists: The script kiddies aren't your most serious problem.
Hardy went into a long history of computer security: "When I started ... there was a real strong ethic that said, 'This is a victimless thing, we're not trying to hurt anybody. It's an intellectual puzzle, and as soon as you solve the puzzle, game over.'
"In the '80s we started seeing some of the maliciousness ... the pranksters, and the '90s got nasty," he added. "Now we're starting to see more of the malicious stuff. We're gonna start to see the emergence of things such as organized crime, nation-states going after information warfare objectives, and the entire complexity is going to change. It's going to go from Ozzie-and-Harriet 1950s rural America where you don't lock your front door, you can leave your keys on the front seat of your car ... to where you lock your door, take your keys, set the alarm, and have guard dogs everywhere. It's sort of an urbanization of the Internet."
One audience member said he was more concerned about company-to-company or international spying than the "cute" antics from script kiddies.
Moss said he used to be recruited by what seemed to be organized crime, but the offers have stopped after he refused a couple of times. However, he and other panelists said the threat of organized security attacks is quite real.
"When you're working in the commercial environment, your threat model is not organized crime or organized governments," he said. "Your threat model is, 'Hey, we're gonna go public and we don't want some kid to deface this.' Their mission is not to look foolish publicly, so all their defenses seem to be oriented around that."
He added: "When they're concerned about, 'Can a lone college teenager in his spare time break into my system,' and that's it, then that's where they spend their money. They're not worried about 10 guys with a budget. They're nowhere near being able to defend against 10 guys with a budget."
Moss said he's talked to someone who watched the edges of DefCon for people working for foreign governments and other organized groups.
Many corporations are living in denial about organized attacks, Hardy said. He told a story about a company he was consulting for, and he stayed late one night with no more access than the cleaning crew. "The next morning, I showed him ... the inbox of his email, showed him an email he hadn't read yet; we took a look at the salary and promotion recommendations for his senior and executive vice presidents; we found the financials for one of their privately held subdivisions they were trying to sell; and just for fun, from H.R., produced a list of all the people scheduled for termination the next month and had not yet been notified."
Hardy fixed the security hole. "It could've just as easily been somebody in the same uniform as a person cleaning the place," he said. "I've heard cases of organized crime employing computer-literate people to work in these [cleaning] places. 'Well, kid, the job only pays $12 an hour, but we give $1,000 cash for every goodie you come out with.' "