Author, Applied Cryptography and Secrets and Lies: Digital Security
in a Networked World.
What is the role of hackers on the internet?
Historically, hackers have played a number of roles--some good, some bad. On
the one hand, hackers find vulnerabilities and point them out, and this results
in improved security. We're sitting in a world where often hackers are the only
ones holding up their hands and saying, "Look, this isn't any good. You're
being sold a bill of goods. This isn't really security." And they perform a
very necessary function doing that.
On the other hand, hackers also write tools to break into systems, which, when
they fall in the wrong hands, cause insecurity. So there's a balance. There's
good hacking and there's bad hacking. . . . And you can use your skills for
good, or you can use them for bad. And this is true for most every other aspect
of society. If you're a demolitions expert, you can blow up bridges for fun, or
you can do it because you're hired. The skill set is the same. Hacking is a
very important skill set in our society, because these are the experts in how
the systems work and how the systems fail. The people who use that expertise
for bad are bad people. People who use that expertise for good are good people.
Founder, President and Chief Executive Officer of Open Source
Solutions, Inc. (OSS).
What is the role of hackers in all of this?
. . . One of the reasons that I support hackers is that they have been telling
us for over 10 years that the emperor is naked. It's very erroneous to think of
hackers as criminals--that's not the case. Hackers are more like astronauts
pushing the edge of the envelope. Hackers have been identifying major
vulnerabilities in Microsoft products and Sun products and Dell products
and all kinds of computer and communications products. And nobody has wanted to
listen. . . .
Your view of hackers will come as a surprise, I think, to a lot of viewers,
who view them as greasy-haired, goth louts who are spending too much time in
front of a computer screen.
Well, I myself have participated in a very well attended debate on whether
hackers were a national resource--which is my position--or whether they are
pathological scum. I would say to you that it is the media's fault that hackers
are seen in this light. And it is the fault of the US Secret Service, and it is
the fault of certain governments around the world who chose to treat hackers as
a threat because they didn't understand hackers; they didn't understand the
electronic environment that hackers were addressing.
The bottom line is that hackers are the pioneers in this electronic frontier.
They are way out in front of the rest of the world. They are seeing the
dangers, the vulnerabilities, the shoddy, unethical, inappropriate business
behavior by communications and computing companies. They're basically saying,
"Hey, look what we found." And everyone wants to shoot the messenger. . . .
Give me your portrait of today's hacker.
I will give you Sherry Turkle's portrait of a hacker. Sherry Turkle wrote a
wonderful book called [The Second Self:] Computers and the Human Spirit.
It was about the original hackers. The original hackers were MIT students,
individuals vastly endowed with great intelligence, selected by MIT as the best
and the brightest in the nation. And they began playing with the first Dell
computer. They began discovering that there were new and unusual things that
you could do with computers that once were things that punched cards.
Hacking is about exploring. Hacking is about going where no one else has gone
before. It is about finding new corners in cyberspace. It is about discovering
new worlds, and finding different solutions. A good hack is about doing
something better than it's ever been done before. That's why I'm here at the
"Hackers in the Twenty-first Century" conference. And that's
why I'm very upset that people don't understand that hackers are, in fact, a
national resource. You can't create a hacker. Hackers are born; they are very
special people. When the Israelis catch a hacker, they give him a job. When the
Americans catch a hacker, they kick him in the teeth and throw him in jail. And
that's not good.
Have you noticed a change from the early days of the hacker
community?
I've noticed two changes. The first change is within the hacker community
itself. I am stunned to find that these thousand people who normally would have
slept through the day and been a disorganized mob started this conference on
time, had a program, and had mainstream speakers. Hackers have come of age.
Hackers are now a power unto themselves, as a community--not an illegal
community, not an unethical community--but as a community of vibrant knowledge
that is able to express its views to the media and to others in an articulate,
structured way.
I've also seen a change in the private sector and in government. They still
don't understand hackers. They still don't understand the communications and
computing environment as well as they should. We've talked here about the
abysmally ignorant federal regulators and the federal regulations that are
completely inappropriate--1950s regulations for 1990s and year 2000 technology.
But I clearly see that government and industry understand that hackers and the
views that hackers represent are a force to be reckoned with. Therefore, over
the next five to ten years, I anticipate that hackers will have a very
beneficial influence on the safety and stability of cyberspace.
Giovagnoni is the Executive Vice-President for Strategic Relations for
iDEFENSE, a private agency specializing in information intelligence.
How big a problem are hackers?
. . . I find hacking an interesting development in understanding the system.
All of these hackers that we deal with today were growing up on the internet
when it was more open. Ten, fifteen years ago, they were at home on their
computer, playing. And most of us learned what's right and what's wrong from
our parents. They tell us, "Don't put your hand on the stove or you'll get it
burned," or, "You shouldn't tell a lie." . . . That didn't take place on the
internet.
So a Lord of the Flies-type of environment was created there, because
there were no restraints. No one looking over their shoulders to tell them
what's right and wrong. And now we have industry coming on in, and saying, "We
need to make this secure and you shouldn't do this because it hurts others."
And that creates a problem for the hackers that are out there, because their
sense of what's right and wrong is different than the sense of what industry
believes is right or wrong. . . .
Hackers are a problem, for business and for my personal use of the internet,
because they raise the cost of me having access to it. It raises the cost of
doing business, and that's a concern. But on the other side, young hackers have
a problem, because we're taking away something that they feel, at this point,
is theirs--something that was open and free. . . .
What do you think of these hackers? What do you think of these
counterculture people who think that you're a big bully, who think that your
company is going to steal democracy out of the system?
I think again, with them, it's an education and awareness. I think what you're
dealing with here is that we are moving in on what they consider their
territory, and we have to find an accord to educate them. Because right now,
industry does have, and we, the American people, do have a valid stake in this,
and they have to make room to play. And until they all can use it effectively,
until we can educate them as to what should and shouldn't take place, it's a
problem.
It's a problem, because to catch one young hacker probably takes the resources
of 30 or 40 government individuals, or private sector individuals, four to five
man-weeks, and what are you going to do? Are we ready to drop the hammer on a
17-year-old, 13-year-old, 15-year-old, when we really don't have a lot of
guidelines as to what they should or shouldn't have been doing?
And you're not entirely sure whether he's really out to get you, or is he
just playing around?
That's true. In many cases, the ones we catch are the ones that are playing. . . .
What kind of an impression have they individually made on you when you find
and meet one?
They're very interesting people. I find that as you get to know them and you
garner their trust, they will give you their trust if you have a sincere
interest in what they're doing--and I do. They share with you what they've
done. They're willing to tell you what they do, and how they do it, because
this is their life, and it's a solitary life. When you spend hours and hours in
front of a screen, hacking, or whatever it is that you're doing on the system
. . . you're there alone. And when someone actually walks in . . . they finally
have someone to talk to, and they want to be recognized for what they've
accomplished. But I don't think they're going to be different than the rest of
us. It's just driven by different life experience, and that they've spent so
much time in front of the screen. . . .
Chief of the Justice Department's Computer Crime and Intellectual Property
Section.
The hacker phenomenon keeps raising in my mind the question of whether or
not hackers are a problem, or are hackers a symptom of an intrinsic problem
in this whole new technology.
And the intrinsic problem would be the security of the network?
The security of the network, the universal accessibility of it and the
democracy of it.
Okay. Well, if you ask me which is it, my answer is yes, it's both.
. . . It's important to understand that networks, like streets, like
automobiles, are never going to be perfectly secure. We want them to be as
secure as they can be and that's rational; that's a reasonable expectation. But
we then introduce people into that environment. And, you know, people break
into houses. People break into banks. And they steal things, and it's very
clear to the society that that's not permitted, that's not okay. And I think we
need to inculcate the same ethic into technology users. It's not okay to do
things just because it's possible, just because we can.
What about the argument that hackers are kind of like the Ralph Naders vis a
vis the automobile industry, pointing out weaknesses that we should know
about?
I hear that argument a lot, and I have to say that I think it's a very silly
one. It seems to me that thanking hackers who violate the privacy of networks
or network users for pointing out to us our vulnerabilities is a little bit
like sending thank-you notes to burglars for pointing out the infirmity of our
physical alarms. That's silly.
. . . If these folks are really trying to assist with network security, then
what I suggest is that they get a job with somebody who's working on that
problem or study in a university and write papers on that problem, and offer
your solutions to the community. . . .
Lipner is a senior security analyst for the Microsoft Corporation.
Hackers frequently find bugs in Microsoft products before you do. How
important are those hackers in the whole picture?
We want to find vulnerabilities and issues in our product from any source, and
we want to take action to keep our customers safe. We welcome the reports from
those customers. They send mail to secure@Microsoft.com. We correspond
with them. We evaluate every report that comes in, and if it is a bona fide
vulnerability, we fix it. So they're a real source of information and ways that
we can help keep our customers safe.
We do ask them when they report to keep those vulnerabilities private until we
can fix the problem, assuming there is one. We do that because we think our
customers are best served by having a complete packaged finished solution that
we put out on our web site. If the hacker, if the security researcher works with
us, we acknowledge him in the bulletin that results. Microsoft works with
hackers to protect our customers, and we like protecting our customers.
I started off this whole project with the sense that a hacker was a kind of
graffiti spray painter, or vandal. What is a realistic profile of the hacker
community?
The hacker community is so wide, so varied in composition, competence, and
motivation, that it is not possible to generalize, to put sort of a sound bite
of the hacker or the hacker community. There is a wide range of folks. We work
very cooperatively with a lot of them. Others do things that we wish they would
not, but our bottom line is protecting our customers, and we will work with
anybody who reports information to us that we need to know to protect our
customers.
Reid and Count Zero are members of the Cult of the Dead Cow, a hacker organization which developed "Back Orifice,"
a computer program which allows the user to remotely view and
control any computer running Windows 95 or later.
How should the public view hackers like you? Are you demons, are you
crusaders, should we be embracing you, should we be attacking you?
Reid: I think the first misconception that people have about hackers is that
it's a giant political party, or it's a voting bloc, or it's organized somehow.
And it's not. It's like asking what should people think about carpenters. It's
just a very loosely defined group of people. In fact, we can't even seem to
agree on a definition of hacker most of the time.
. . .
Count Zero: It implies curiosity, and looking at how you can use tools in
different ways and how you can think of new tools to extend people's abilities
to do things. But the best definition I heard of a hacker was just someone who
. . . if they saw something closed and it was doing something, they just wanted
to open it up to see how it was working, and then how to maybe play with it a
little bit to make it work a little better. . . . It's just a general loose
sort of mentality based on focusing on technology.
. . . I don't think the public should be afraid. I think hackers in general are
explorers. They're exploring new territory. And of course when you're exploring
territory, some people are going to cut down all the trees and screw up the
environment, and other people are going to catalogue all of the wildlife and
create very useful scientific resources. . . . The key thing that you'll find
probably at conferences like this is that hackers like to talk about what
they're finding. . . . So as long as people continue to engage with the "hacker
community," then we can all learn and move the whole society forward and
continue to expand the frontiers of the digital world. . . .
FRONTLINE · wgbh · pbs online
some photos copyright ©2001 photodisc
web site copyright WGBH educational foundation