 |
(CNN) -- The word "hacker" evokes all kinds of scary images.
But Jeff Moss says hackers are exactly what the world needs more of, because they can make the Internet safer for the rest of us.
"Hacking is sort of a skill set -- it's neutral. You can be a criminal hacker or you can be a noncriminal hacker," Moss said on the eve of two of the world's biggest hacker conferences, Black Hat and DEF CON, which he founded. Both gatherings take place this week in Las Vegas casinos.
"If those are the people who are most interested, those are probably the people who you want to get involved."
Moss stands as an example of this idea. Working under the hacker "handle" Dark Tangent, he used to break into phone systems to make free calls.
Now he's on the Homeland Security Advisory Council, which gives advice and recommendations to the federal government on matters related to national security.
Moss talked with CNN about all things hacking -- from the recent attacks by groups called LulzSec and Anonymous, which he thinks aren't that frightening, to what motivates today's hackers.
The following is an edited transcript:
CNN: How did Black Hat and DEF CON get started?
Moss: The two are definitely interconnected. DEF CON started several years before Black Hat did because there was just no market for a commercial-type security con. Everything was underground or much more informal and when the Internet started growing up then all of a sudden companies were looking around for security information. A friend of mine suggested I should charge a lot more money and make a professional version of DEF CON.
DEF CON pretty much embraces all of hacking -- social engineering and lock picking, taking apart your Xbox, traditional network attacks and hardware attacks -- the whole strain, conspiracy theory and everything.
Black Hat is much more focused on practical information security.
We never did much advertising and for the first 10 years it all just grew by word of mouth. I never thought of myself as a security-conference guy, I just happened to do conferences people wanted to come to. I didn't have mailing lists or anything
CNN: What is your background? You have a history in hacking yourself, right?
Moss: I got my first computer at, I don't know, when I was 11 years old? 10?
It fascinated me because you weren't old enough to drive a car or do anything or vote, but you could engage in adult conversation with people all over the country on topics you never heard your parents talk about or your friends talk about, so it was this much wider world you were exposed to where it was the quality of your ideas and your arguments that counted. Nobody knew how old you were or what gender you were.
That deeply influenced me at an early age because for the rest of my life it was the quality of the log that counted, not whether you had blue hair or were 99 years old.
CNN: Do you think that's been lost in the age of Facebook?
Moss: One of the greatest parts about the hacking culture was that you have these hacking handles and if you really screw up and do something bad or make some bad choices or insulted people -- you could do a do-over. You kind of got a mulligan just by changing your handle.
It was a lot of energy to create a handle and get friends. But if you wanted to burn all that and start over you could. You can't really do that today if you follow the terms and conditions of Facebook. Your mistakes get to follow you for the rest of your life. I don't know if that's good for people who are young and are just starting to explore the Internet.
CNN: What's your handle and did you ever change it?
Moss: I changed it to the Dark Tangent from another one. I got my do-over.
CNN: What happened?
Moss: Well, I'm not gonna tell you.
(Laughs)
But I had one handle that I had for years, and I learned the whole scene and grew up with. And then I wanted to make a change -- to start over, avoid the people who I didn't want to associate with anymore and didn't want them to know who I was.
CNN: When you were in the hacker world, what were you doing exactly?
Moss: In the early days it was disassembly and trying to remove copyright protection. In the early days copy protection was pretty bad. If you bought a game on one computer and you bought a new disk drive or something, often the game just wouldn't work.
People were interested in figuring out how did the copy protection work and how to get around it. Some of the software companies would prevent you from making backup copies, and that of course pissed people off and so you figured out ways to get around copy protection. Through that, I met people who were exploring the phone system. It just went on and on. But that was the beginning of my journey.
CNN: What's the draw of hacking for you? Is it the challenge?
Moss: If you look at what drove geohot (hacker George Hotz) to reverse engineer the Sony PlayStation stuff, some of that was Sony removing functionality that he wanted.
What drove people to hack the iPhone? It was people who wanted to use that phone on other carriers, not just on AT&T. So that desire to take it apart and make it do what you want it to. Who's telling me I can't use a feature I paid for? They're taking it back.
CNN: There's been a lot of news lately about "hacktivists," who say they're leaking data for good -- or to make a political point. What do you make of that argument?
Moss: I don't think their arguments are very rigorous or logical. I almost get the impression that they're trying to wrap themselves in a banner of hacktivism. If you ask them, 'Well what's your manifesto, what's your plank?' -- you ask five people and you'll get five different answers. It's like a brand, in my opinion. Anybody can be part of the brand, you just have to stick that label on yourself.
They could have said, 'Hey Sony, we've got the e-mail of your customers' -- and not released those e-mails. I don't know what you gain by dumping it publicly. The company's equally humiliated either way, now you've got a bunch of innocent people dragged into it. You can make your point without punishing innocent people.
CNN: Those groups that have emerged lately -- like Anonymous -- do they worry you?
Moss: No. Their attacks are not cutting edge compared to what our speakers are revealing at these conferences. Which is fine. It's just that they have the eye of the media right now.
Try to go have a conversation with organized crime -- they're doing far more damage; stealing far more information. Try to have a conversation with a nation-state that's stealing defense secrets.
CNN: So what does worry you?
Moss: It's worrisome that companies are having so much difficulty with organizations like LulzSec. You would expect that kind of attack. And if you can't defend against that kind of an attack then you're not going to do any better with, say, industrial espionage, or a more dedicated hacker with a budget. These are drive-by attacks.
CNN: What's the most memorable moment from a Black Hat or DEF CON event in the past?
Moss: There's been several. One was the Dan Kaminsky DNS bug (See Wired's profile of Kaminsky, who is heralded as the man who saved the Internet). That got so much attention and it really brought public awareness to this issue. It was the first time a huge, global, coordinated patch had happened. Everyone involved kept their mouths shut and it didn't leak. It never made it out to the bad guys before everyone had patched it, and that was just a huge success on so many levels. To have it announced and go public at Black Hat was just pretty amazing. That really signified a growing up of security researchers.
The most memorable moment, personally, was when I was sued by Cisco and ISS over a talk. That got us mentioned on the front page of The Wall Street Journal. When your mom's friends are asking her about the convention or about security, you know you're starting to reach prime time.
CNN: What was the subject of that lawsuit?
Moss: One of our presenters was basically going to talk about a bug in the Cisco IOS that basically allowed you to get remote on almost every Cisco router in the world, which would be kind of doom and gloom for the whole Internet. ... He quit Cisco and gave the talk anyway, and there was a giant federal injunction and stuff. They were claiming that because Black Hat was giving him the stage, we're somehow responsible for what comes out of the mouth of the speaker, which doesn't make a lot of sense to me.
CNN: So he did give the talk?
Moss: He did give the talk. They said if you give the talk you're fired. So he pre-emptively quit and then gave the talk.
CNN: At these events, you get hackers -- who may be doing things that are illegal -- and then you have security professionals and people from the government. Is there any tension between those groups?
Moss: If you're an organized criminal and you're actually doing stuff that's pretty bad, you probably can find everything you need to know online ... and you probably don't go to a conference that's full of feds and do-gooders and people who are trying to catch the bot-net herders. I'm sure there's bad guys there, I just think it's probably not as many as you'd expect.
If you're a tax thief, you probably don't go to the IRS auditors convention.
CNN: So what's up with the rules -- that you pay only in cash and don't pre-register for the DEF CON event? Those seem designed to give people anonymity while they're at the conference.
Moss: Anonymity for them, and less lawsuits of subpoenas and search warrants for me.
If they show up and we're like "Who are you?" And they're like, "Well, Dark Ninja Lord." OK, so let me see your ID so I can see the guy behind you is not Dark Ninja Lord. And then you'd have to get real people's names for them to register online. You'd have to get their identities. No, it's just too much information, and too much of a hassle.
Some other hacker conventions have had pre-registration and they've had all kinds of people attacking their systems.
CNN: I got an e-mail warning me about all kinds of security risks involved with attending DEF CON and Black Hat. Are these events actually dangerous?
Moss: I don't think it's dangerous. People don't fall down empty elevator shafts or anything. They don't program the air conditioning to freeze you to death at night. That's the hotel's doing. But I think what they're doing is raising your awareness.
If you have a proximity card, someone in an elevator can clone your proximity card with the right equipment in their briefcase. They don't even have to get into your wallet. Your cell phone can be rerouted through someone's micro-cell and they can listen to all your phone calls and record all of your text messages. It's not black magic voodoo. It's all totally possible. People can demonstrate it -- and do that.
It's about safe computing and trying to make sure you have all the facts to make a smart decision.
CNN: How do you personally handle that in your everyday life? I could see that leading to paranoia at a certain point, if you think that at any moment any electronics could be compromised.
Moss: Paranoia is an irrational fear. I don't think it's paranoia when you know for a fact it can happen because you've seen the demonstrations.
If you don't really know the risks, how can you manage them or how can you mitigate them? The only people who are talking publicly about this stuff are security researchers.
CNN: Are you a private person?
Moss: I do Facebook and Twitter and LinkedIn when I have time. But I have no illusions. I assume every single thing I post anywhere is public record forever. That's just the nature of the beast. If you want to keep something private, say it in person.
CNN: So that's the only secure form of communication?
Moss: When I started working with people in Washington, D.C., they would say, 'If you can say it on the phone instead of e-mail, say it on the phone. And if you can say it in person instead of on the phone, say it in person.' That's just how it works.
If you look at the laws, you have less protection on a text message than you do for a voice mail. So if it's important you'll say it on a voice mail rather than a text message, because that has even less protection legally.
CNN: Should U.S. privacy laws be changed?
Moss: I would love it if we in the United States had a federally recognized right to privacy. But we don't.
I know that sooner or later Sony or someone else that I give my information to is going to get broken into. Yet, if I want to use the product I just used hundreds of dollars for, they demand that I give them my information. So the consumer is put in the position of having to lie and violate these user agreements. Why does, for example, Sony need my real birth date and name and address and everything in order to let me play online games?
I have to now lie if I want to have some amount of privacy or protect myself from a future breach. And it turns out, sure enough, their information was stolen and spread everywhere. So who was safe? Only the people who lied and violated the terms of the agreement. Who was the most harmed? The people who played by the rules.
It shouldn't be that way. The people who play by the rules should be protected.
CNN: When you sign up for online services, you always use a fake name?
Moss: Up to the point that you have to pay for something.
CNN: Is it a common thing for a hacker to be pulled into the government? Is it because people from the hacking community have the best information?
Moss: They grew up with it. They've been around security their whole careers. It's a passion of theirs. So they're probably more personally interested and motivated.
If those are the people who are most interested, those are probably the people who you want to get involved. I never thought I was going to have the opportunity to donate my time to the government, but I was pleasantly surprised. I've met some smart people doing security work in the government, and they're starting to reach out to a broader audience, which I think is a good thing.
CNN: What about people who have broken laws -- should they be able to work in the security industry or in the government?
Moss: The government has never hired anyone with a criminal background, there's just no way. I guess it depends on your definition of a hacker. I'm talking about nonfelons.
CNN: How do you define "hacker"?
Moss: They take technology and make it do things it wasn't originally designed to do.
CNN: What about people who are breaking laws?
Moss: I call computer criminals computer criminals. Hacking is sort of a skill set -- it's neutral. You can be a criminal hacker or you can be a noncriminal hacker.
CNN: Were you involved on the criminal side of things?
Moss: I always stayed away from that stuff. The people who always ran into trouble were those people. That was the division in the hacking world: There were people who were exploring it and the people who were trying to make money from it. And, generally, you stayed away from anyone who was trying to make money from it.
CNN: If you had one tip for consumers -- how to make their online lives safer -- what would that be?
Moss: One tip. Let me see. The way they're going to be broken into is either going to be an attachment they download or a malicious link they click on. So you have to be very careful about what you open. It's the same advice we've been giving for years: You have to be careful where you go. The bad guys are very clever. They'll make websites that look legitimate, they'll send you e-mails that look legitimate and you have to be very careful about that.
Here's one: If you're going to go to your bank (website), log out of your browser, open up your browser from scratch, type in the URL of your bank, do your banking, close your browser, re-open your browser, and then do whatever you want. That will avoid a lot of the problems.
CNN: How come? What does that do?
Moss: If you have many windows open and you're running Java or even sometimes Flash and you're' jumping between windows and one of those windows happens to be your bank, then sometimes malicious Java script in another window can get access to your keystrokes and see that you have a bank open in the other window -- and they can force keystrokes into that other window and they can hijack that account, or hijack that session.
If the only session in your browser that's executing is the bank instance of Java script, then there is no potential interference. Then if you close your browser and clear your cookies and you clear the state and session data then you should be fine.
When I see friends who have had their e-mail accounts hacked and send out spam, it's because they had many windows open and clicked on a (malicious) link. If they had logged into Yahoo with Internet Explorer and had been doing the other stuff on Firefox, they would have been fine.
