News, Views & Announcements



HIP 97 - 2600 Report
Hack-a-mac competition won

High-Tech Hackers Practice Their Craft By DAVID E. KALISH, AP Business Writer


NEW YORK (August 11, 1997 9:22 p.m. EDT) -- When thousands of young, hip and rebellious computer hackers -- machines in tow -- showed up for a three-day convention on practicing their craft, there was one Golden Rule: "If you hack someone else's machine, please don't do anything bad."

Just to make sure, organizers asked the telephone company to shut off the main room's phone jacks, removing a tempting route for attendees to freely hack into the outside world's computers.

Yet many of the techno-rebels at the Manhattan conference that ended Sunday said there was nothing to fear: Good hackers don't crash computers. Exposing flaws in high-tech security is more important than undermining it.

"Crashing the system should not be your objective. It had been in the past. That's the playground bully," said a veteran hacker known in the community only as Cheshire, sporting a big grin that tells you how he got his code name.

"Now it's no longer cool. Anyone can crash a system. It's more clever to find out how to make it NOT crash."

Such protests are routinely overshadowed by negative press. Technogeeks are accused of using their computer skills to post obscene messages on Web sites, launch attacks on e-mail services and even destroy computer files. Ever since the 1983 movie "War Games" depicted a boy cracking the Pentagon's computers -- nearly dragging the world into a nuclear war -- hacking has appealed to youngsters who may be too young to know when they're flirting with law-breaking -- or too cool to care.

Balancing a more positive message against hacker mischief was a main challenge for organizers at the Hackers on Planet Earth conference.

When conference leaders showed, on an overhead screen, a Web site run by a sister conference taking place at the same time in the Netherlands, the presentation prompted laughter and applause from the audience.

It turned out the Web site had been broken into by hackers who altered its description of conference events. "All our computers were taken over by agents of a hostile power..." said the site's text, painting a fictional takeover by aliens.

The dichotomy was evident inside the building's high-ceiling rooms, which were snaked with black cables that linked rows of computers for attendees to explore the limits of the internal network. Adorning the mostly twenty-something attendees were so many nose-rings, tattoos and black T-shirts that the place seemed more like a heavy-metal concert than a high-tech conference.

After informing hackers that the phone jacks in the main room were shut off -- keeping them from hacking into the outside world -- conference organizer Pamela Finkel recalls the response: "People said, 'Where's the basement?'"

Many hackers began as teen-agers who preferred riding the Internet to riding their bicycles. They traversed the Web and shared computer codes with like-minded jocks, enabling them to visit forbidden places like e-mail data-bases. Some even changed what authority figures had created.

But after much negative press, hackers today like to think of themselves as insanely curious explorers whose antics help point out security holes in the World Wide Web and other systems. Anything less would be to wrongly lump them with "crackers" -- hackers who have strayed into high-tech lawlessness.

"I kind of want to mock them in a way that's not morally wrong," said a 20-year-old hacker known as Rixoff, who also wanted to keep his identity secret. Rixoff was describing why he wore a Nynex hard hat at the conference when he doesn't work for the phone company, but it also described his attitude toward hacking.

All this and more is understood by veterans like Cheshire, who acknowledges he himself had crossed that line of temptation.

His eyes gleaming like liquid crystal behind a mop of prematurely white hair, Cheshire admitted as much to the small crowd of kids that had gathered about in a corner of the room.

"I just don't believe that a computer is unhackable," he said. "It's just another machine."

[Copyright 1997 Nando.net]
[Copyright 1997 The Associated Press]

Hacking in Progress 97 - 2600 Report

Last week I spent a few hot days at the Hacking In Progress 97 festival near Amsterdam. The previous event, Hacking at the End of the Universe in 1993, directly inspired smaller scale conferences such as Access All Areas in the UK.

Facilities
A large campsite, not far from Amsterdam in the Flevoland polder (reclaimed from the sea only this century)
A 1000 seater circus tent
24 hour bar and main computer network pavilion
6Mbs Internet access via a microwave link
100Mbs fibre optic backbone to the campsite fields, UTP and BNC to the tents & caravans
2 x 440Kw modern diesel electric generators provided the power

Clean showers and toilets that worked most of the time

1800 plus registered visitors, from the Netherlands, Germany, USA, UK, Sweden, France, Belgium, Poland, Hungary, Portugal, Slovenia, Korea, Singapore, Japan etc.

Over 1200 separate MAC addresses, i.e. ethernet cards, were detected on the LAN.

There were large army tents and various caravans with more computers than a cyber cafe or many companies.

Some people were determined not to rough it too much, and brought their espresso machines and satellite tv dishes with them.

HIP97 website hack (sort of)

The opening video conference with Beyond Hope in New York had problems with the audio (perhaps they should have used CU-SeeMe instead of Intel Proshare ?)

However, after the customary exchange of greetings, the Beyond Hope crew showed off a HIP97 web page now "owned" by Beyond Hope. The credit for this was pointed to someone who looked not entirely unlike Cyberjunkie - beard, dark glasses, tattoos, could have been anyone really. This set people from the UK speculating as to bail conditions and USA visa requirements. This was, of course, legal hacking, the more so since the actual server amended was not the main HIP97 one, but one of the 600 or so machines already set up by then in a tent.

Sniffers

Packet sniffing: many people were trying out the new version of Sniffit for Linux etc., or their own favourite packet analysers and password sniffers. Hundreds of POP3 email accounts etc. were vulnerable; some of these were anonymous/throwaway accounts, but there will be a sizeable minority who should probably change their passwords.

One fool telnetted in to his system en clair, and then ran secure shell to another system. Another changed his password online whilst a sniffer was being filmed by a German TV crew (I wonder if they will edit this out on transmission?)

Pheds

There were rumours of policemen from as far afield as Slovenia, and from the UK there could have been a representative from the dark mysterious realm of the West Midlands Computer Crime Unit, but they were not having as much obvious phun as their Dutch colleagues.

The Dutch Computer Crime Unit (12 strong) wore distinctive orange badges (which eventually got cloned) and had a large RAID disk array in their tent. What could they have been monitoring? They also had top of the range radio scanners, but seemed human enough, playing Quake till the wee hours and consuming vast quantities of beer. Perhaps they were working, judging from exclamations such as "XXXX has just logged into hotmail and we have his user id and password!"

Phonez

On Sunday, the Dutch PTT payphones onsite somehow developed a programming error: emergency calls gave you a dialtone and phree phonez to anywhere in the world. Was this another demonstration of traffic analysis/intelligence gathering in action?

Cypherpunks

Several well known Cypherpunks from the USA came to HIP97 and gave interesting talks on encryption, spamming and free speech (including that of neo-nazis etc. whose views one does not necessarily share).

One of their main reasons for being there was also to compile PGP ver 5 entirely in Holland. The source code was proof read by non-USA nationals, and so this version should be freely exportable around the world.

van Eck monitoring

It was nice to see a real demonstration of analog van Eck monitoring of a standard PC, which meets all the normal shielding and emission control standards, via an aerial, via the power supply and via the surface waves induced in earthing cables, water pipes etc. Even this simple equipment can distinguish individual machines of the same make and model in a typical office building, from 50 to 150 metres, or more with extra signal amplification.

The US Cypherpunks and German Chaos Computer Club extended the discussion afterwards with details of more modern Digital Signal Processor approaches and experience of Tempest shielding.

Smart Cards

The Dutch demonstrated some glaring weaknesses in the security and confidentiality of one of their smart chip bank payment cards, and the many possible attacks on Satellite TV cards were discussed.

Semafoon

The heavy handed arrest / legal harassment of one of the Dutch people who produced the first POCSAG pager decoder was highlighted. This seems to be yet another case of empire building/budget battles for those in authority whose job it is to combat so called high tech criminals. The targeting of innocent phunsters alongside drug smugglers etc. is a trend that needs to be resisted.

HIPcar

A web page and radio controlled wheelchair with a vision system went trundling about. The sundrenched vistas and strange lifeforms visible drew comparison with NASA's Mars probe.

Bill Gates Tombstone

There was a photo opportunity for all at the Bill Gates tombstone (real polished granite), which got adorned with various, sometimes funny, tributes. The overall effect was akin to some Voodoo shrine.

After the power failures (caused by people inevitably tripping over power cables, not due to the generators), the merry sound of Windows and NT machines re-starting could be heard over the curses of the Linux fans hoping that their file systems had not been corrupted, so perhaps not everyone considers Bill Gates to be dead just yet. Some people hold to the theory that he may be one of the Undead ....

Riskiest seminar followup

The establishment of an encrypted "Don't try this at home" discussion list on the topic of Electro Magnetic Pulse weaponry - can a compressed flux or magnetohydrodynamics based pulse generator really be so simple to design?

Overall behaviour

Lost wallets were handed in intact; millions of pounds worth of computer equipment was not damaged or stolen. This could not happen at, say, DefCon in Las Vegas, where this year two hotels had satellite dishes removed from their roofs (one apparently did credit card authorisation for the casino) and where people with more money than sense drove out to Area 51 and succeeded, with the help of bin liners filled with helium and flashing lights, in getting F16 jets scrambled, black helicopters launched, etc.

The weather was very hot, but the various nationalities dealt with it in their customary fashion, some of the Germans taking to naturism, the Dutch to jumping in the local canal, and the Brits trying to avoid sunburn.

There were certainly a good proportion of women present, and even a few children too.

T shirts

Never having been considered to be at the bleeding edge of fashion, it came as a pleasant surprise to many participants that the obscure T shirt designs they were sporting should be of such interest. At least two sets of people were keeping a photographic or video record of unusual T shirt designs. Were these "street fashion" scouts or just anthropological specimen collectors? The Tamagotchi design depicting a slain digital pet was quite amusing.

HIP 97 must have had some impact on the Dutch population, since during the obligatory trip to Amsterdam's red light district (where every other voice seemed to be from the UK), my old 2600@ph.uk T shirt elicited an offer of a "Discount for hackers ! Come inside away from your computer screens !"

Not HIP

Topics which were not covered at HIP included: viruses (they have not exactly gone away since HEU in 1993) and public CCTV monitoring (not quite as bad in Holland as in the UK, although they did manage to get a Webcam in one of the toilets!)

In one sense HIP97 showed that those interested in computer security, phones, smartcards and other high tech tools/threats are not alone in Europe. To put it into perspective, however, on the Saturday, on the other side of Amsterdam, over 15000 people attended a rock against racism type music concert, so HIP is still an elite sport.

There is due to be another such event in 4 years time, in the year 2001 - time to start saving up for an air conditioned mobile home.

2600 London

Web server cracked in contest
By Joanna Pearlstein
August 19, 1997 6:11 AM PDT

An Australian hacker won a contest this week when he broke into a Mac Web server, and two software companies are revising their products as a result.

The Crack a Mac contest, which was being hosted at http://hacke.infinit.se and was scheduled to run July 4 through Oct. 15, was designed to prove that Mac OS Web servers are secure. It was the contest's second run; in the first round this spring, no one succeeded in breaking into the server. The contest's rules prohibited participants from physically attacking the server, and hackers were not allowed to target other servers in the same domain.

Last week, an Australian man calling himself Starfire broke into the site. The server, an Apple Workgroup Server 9650/233, was running Mac OS 8; File Sharing; Open Transport 1.2; StarNine WebStar 2.1; Blue World Communications Inc.'s Lasso, a utility tying Claris FileMaker Pro databases to the Web; and Pacific Coast Software's SiteEdit Pro, a Web site management tool. Lasso and SiteEdit Pro were being used for a guest book. No firewall or additional security devices were in place.

Joakim Jardenberg, CEO of Infinit Information AB, the Genarp, Sweden, company that hosted the contest, said Starfire hacked into the server by creating a customized search form whose results pointed to the SiteEdit passwords file. Then, Jardenberg said, Starfire accessed the users and groups settings in SiteEdit, logged onto the server, and changed the contents of the Web site's index page.

Many Web server products store sensitive information in file types called WWWΩ, or WWW Omega. WebStar does not serve those files, but a security flaw allowed Lasso to return WWWΩ files - in this case, the SiteEdit passwords file. To address the problem, Blue World last week posted a free patch to Lasso on its Web site; it is available from http://www.blueworld.com/lasso/security_update.html. Blue World recommends that all Lasso users update their software.

Blue World President Bill Doerrfeld said that while WebStar protects against serving WWWΩ files, other servers, including Social Engineering Inc.'s Quid Pro Quo, do not; he added that other CGIs and plug-ins could also be susceptible to this problem.

"This is a complex issue," Doerrfeld said. "We did introduce a security fix that denies Lasso the ability to serve up a response file that has the WWWΩ creator code assigned to it. No Lasso customer that we're aware of has had their Web server compromised."

In addition, Pacific Coast also plans to update SiteEdit Pro. John Hill, Pacific Coast vice president of marketing, said the company will release a patch that will store passwords in a file's resource fork, which Hill said will protect the passwords even if a user is able to download the WWWΩ file.
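As an added illustration (not code from Lasso, WebStar or SiteEdit, and with made-up file names, contents and creator codes), a small Python model of the flaw and of the two fixes described above: the add-on that returns "response files" has to refuse the WWWΩ creator code itself, since the server's own refusal is bypassed once a plug-in serves the file, and SiteEdit's move of the passwords into the resource fork leaves the downloadable data fork empty.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Classic Mac OS files carry four-character type/creator codes; the article names
# the sensitive one as "WWW Omega". Modelled here as a plain string.
SENSITIVE_CREATOR = "WWW\u03a9"


@dataclass
class MacFile:
    """A file with a data fork, a creator code and an (optional) resource fork."""
    data_fork: bytes
    creator: str
    resource_fork: Dict[str, Dict[str, str]] = field(default_factory=dict)


# Constructed sample web root: a guest-book page plus the SiteEdit password file.
# Names, contents and the "MSIE" creator code are invented for the illustration.
SITE = {
    "guestbook.html": MacFile(b"<html>guest book</html>", "MSIE"),
    "siteedit.passwords": MacFile(b"admin:EXAMPLE-PASSWORD\n", SENSITIVE_CREATOR),
}


def lasso_vulnerable(response_file: str) -> Optional[bytes]:
    """Pre-patch model: whatever file the form's result parameter names is returned."""
    f = SITE.get(response_file)
    return None if f is None else f.data_fork


def lasso_patched(response_file: str) -> Optional[bytes]:
    """Patched model: a response file carrying the WWW Omega creator code is refused."""
    f = SITE.get(response_file)
    if f is None or f.creator == SENSITIVE_CREATOR:
        return None
    return f.data_fork


def siteedit_store_passwords(passwords: Dict[str, str]) -> MacFile:
    """Second fix: keep credentials in the resource fork; the data fork stays empty."""
    return MacFile(b"", SENSITIVE_CREATOR, resource_fork={"pwds": dict(passwords)})


if __name__ == "__main__":
    print(lasso_vulnerable("siteedit.passwords"))   # the password file leaks
    print(lasso_patched("siteedit.passwords"))      # None: refused by creator code
    pw = siteedit_store_passwords({"admin": "EXAMPLE-PASSWORD"})
    print(pw.data_fork)                             # b'': nothing in the data fork
```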

Chuck Shotton, an author of StarNine WebStar and vice president of Quarterdeck Corp. of Marina del Rey, Calif., said the hack was an "isolated, obscure case." Shotton said the hack demonstrated a flaw in server add-ons such as CGIs, plug-ins and scripts and stressed that the break-in could have occurred on any platform.

"The OS and server can be as secure as possible, but the minute you let servers execute external applications, you're at the mercy of that application," Shotton said. He noted that only someone very familiar with Lasso could have found the flaw and commended Blue World for quickly fixing the problem.

For his efforts, Starfire will win 100,000 Swedish kronor (approximately $12,350). Blue World is offering the prize, Jardenberg said.

In the original contest, which was held Feb. 10 to April 10, the server was configured similarly but lacked SiteEdit Pro and Lasso (see 04.21.97, Page 18). That time, the server survived more than 220,000 hacking attempts.

The Crack a Mac contest will continue. "We are back on track again," Jardenberg said, "even more secure and confident."