The View of a Fed (Summer, 1992)
--------------------------------

By The Fed

Why don't they understand? Why do both sides think they understand?

I never dreamed when I began a journey to obtain my first "hacker magazine," specifically Phrack, that my days would end up much like they are today. Let me explain.

I am a computer security specialist for a division of the United States Federal government, which will go unnamed. I am not writing this article as a government representative, but as an individual.

I had been a computer security analyst for a couple of years before obtaining my first modem. I spent most of my day massaging our mainframe security software to ensure our more than 8,000 users could obtain and maintain their necessary access. I didn't have time to worry about hackers and really didn't understand much about what the press talked about anyway. Hackers seemed to be these super-intelligent, terrifying individuals I couldn't compare with in regards to technical knowledge and I wasn't about to try. It didn't seem to apply to our systems anyway.

After I started calling other computers and interacting with individuals, I decided to try to get a copy of Phrack, the magazine that super-hacker Knight Lightning published and was arrested for, mostly for publishing the 911 computer program (well at least that is what I thought at the time, based on things I had read and heard). It was frightening to even decide to pursue this venture. I had read that hackers could break into any computer system and that they were constantly breaking into credit reports and messing up people's lives. I wasn't anxious to become a target of the "underground." What I realize now is that most of the underground could care less about me and my ventures. I was simply flattering myself by believing that I was important enough to become a target...who gives a damn about me?

The Fed ego is something else, eh? It's out there though, thick as ever.
I see it mostly when I try to introduce folks to "hacker material" such as 2600. I once told a whole conference room full of security folks about 2600 and the benefits of receiving it. The responses from the audience were things like, "Yeah, but don't use your real name when you subscribe, these are hackers you know." One man even told me he was going to set up a fake name with a P.O. Box before ordering 2600, to protect himself. I find it amazing that people think a magazine that supports itself from subscriptions is out to destroy its subscription base.

In my travels, I also wasn't sure if I should be honest about my position or assume a hidden identity. I mean, I could call a "hacker BBS" and say, "Hi, my name is... and I am a Fed. Can I have a copy of all your files? I just want to read them. Honest." I wasn't sure that I would get much success from that, but at the same time I was afraid if I did try to hide my real identity, those evil hackers would find out and destroy me. So, I signed on a BBS and said, "Hi, I'm a Fed." You know what, it worked. I found out by being honest and to the point, folks were very helpful.

The more I learned from interacting with the underground, the more I realized just how deceptive the government had been in a lot of regards (I don't trust mirrors in hotels anymore!). I was hoping, by being honest, that others would realize that fed was not always equal to deception.

You know what else I found out? There are evil hackers, but they seem to be few and far between (of course these evil ones are the ones that have hacked my account!). Matter of fact, other hackers didn't even seem to accept them.

Know what else I found out? The Secret Service really messed up on the Phrack case. Knight Lightning was patient enough to explain his side of the story to me and has filled me in on things the press "neglected to mention."

Know what else? I realize now how clueless I was in regards to a lot of computer security issues.
I know I am still clueless in a lot of regards and will always be, but I have learned so much over these past years that I now want to make an effort to educate others in the computer security arena of the benefits of knowing both sides of the story.

Believe it or not, I am actually getting a chance to do that. I have been contacted by Federal agencies that have learned of "my contacts in the underground" and wanted to use me as a buffer between them and the hacker community. One agency was interested in hiring some of "my trusted hacker friends" while another was interested in learning about hackers and "getting inside their heads." Additionally, non-government agencies have contacted me for much the same reasons. I'm not sure how the word of my interactions got around (well, I have a pretty good idea), but I actually think it funny in many ways. I see the same naive fear in these folks that I experienced myself when I started my journey to learn "the other side of the story."

Now, I interact with as many if not more hackers during the day as I do security professionals and, as a result, my knowledge of the holes that exist in computer systems has increased immensely. I even learned enough to hack into one of our computer systems, expose our security holes, and get them fixed. As a security specialist, that is priceless to me. I was only able to do that because of the training I received from these so-called notorious malicious hackers. Hackers helping to improve the security of government computer systems, hmmmmmm, seem suspect to you? Not to me.

If I found a security weakness in a computer and wrote articles about it, published and sent it out so that thousands of folks could get it, I would expect the hole to be fixed. If I found that hole still open, I may become just a bit upset or assume it was an open invitation to violate the system.
While underground files that explain these techniques have become a routine part of my day, there was a time I didn't even know they existed and certainly didn't know they existed to the extent they do. So part of the issue as to why they don't listen is that most of us have never heard the message.

I have accidentally tripped over holes in systems before and disseminated the information, only to be told that we could not put those controls in place because it would impact the operations of the organization, which it very well may do. It's a judgment call for management. Many security professionals are viewed as having tunnel vision (many of them do) and not understanding the operational end of the business. While many understand the holes that exist and have made every effort to get them fixed, management just won't let them.

One other thing I have learned by interacting with the computer underground is that sometimes we security folks aren't the only ones who are clueless. I have heard from hackers who said to me that they did not understand our side of many of the issues. One view that seems the most prevalent is that a security professional's real job is to keep people out of computer systems. That is a small part of what we do but the largest part of our job is ensuring that authorized users get the access they need to do their daily jobs. The main reason access is controlled on our systems is to ensure the integrity of the data we process. We want to ensure that our data is accurate. This is done by limiting the number of users that have certain access rights to it. Privacy is always an issue with sensitive data but we don't spend our days thinking "keep 'em out, keep 'em out." We are thinking, "Gotta give our users the access they need." Sometimes we just don't have the time to do anything else. That is why we don't always discover security holes in our systems. That is why many of them go unfixed.
That is why picking up a magazine, like Phrack or 2600, and learning the holes hackers are using to violate the systems we are trying to protect is so helpful. We may not have known that such holes existed without the underground's help. What is even better than reading it in an underground publication is having an e-mail address of the author so that you can contact them and get further assistance. It has been an amazing tool for me.

I am going to continue to interact with the underground as long as I am able and will continue to lead other security professionals to that same interaction. I think only then does a person really begin understanding the true issues involved in security. I think only through this type of interaction does a person learn the rest of the story. It has made me realize more than anything else that both sides don't understand the factors affecting the others. Usually the main factor involved in preventing this is the ego and arrogance of the individuals on both sides, each of the players saying, "they just don't listen."