Security News > 2001 > March > The hacking hobbyist

The hacking hobbyist
2001-03-17 02:35

http://www.nandotimes.com/technology/story/0,1643,500464331-500708815-503896284-0,00.html SAN FRANCISCO (March 16, 2001 2:19 p.m. EST http://www.nandotimes.com) - Jeff Baker hacks into corporate computer networks for fun - period. Baker, a 24-year-old systems programmer, is part of a group of computer experts who spend their free time trying to figure out potential Internet security threats to large networks. Over the last year, Baker's hobby has led him to technology security lapses at E*Trade, the Charles Schwab brokerage concern, Wells Fargo bank and the Critical Path e-mail service. "It's fun in the same way chess is fun," Baker explained. "It's also productive. I look into these systems and find out more about how people are programming." "Most other professionals have journals and conferences," Baker added. "We don't; we poke around other people's systems." Baker is a member of a clan known as "gray-hat" hackers, who occupy the ethical territory between the malicious "black hats" and the "white hats," hired by companies to check their own systems' security. Gray Hat protocol is to first notify hacked companies of possible network flaws, and then possibly posting the flaw on Web sites where gray hats exchange trade gossip, as Baker did when he discovered the E*Trade network security hole. The company quickly vowed to clean up the matter after reporters called. In a world where hackers are either jailed or earn thousands in consulting fees, Baker's hobby is puzzling. "There is a community of people that want to know how systems work," said Bruce Schneier, founder of Counterpane Internet Security and author of the network security book "Secrets and Lies." "They want to take a system and tweak it for maximum performance and figure out how it works and how it fails and what the loopholes are." The online gatherings for this community are places like Bugtraq, run by Virginia-based SecurityFocus.com. Five to 10 network vulnerabilities can be posted on Bugtraq in just one day, said chief technology officer Elias Levy, who estimates the gray hat community numbers 10,000 people, ranging from researchers at well-known labs and universities to amateurs. "Most security vulnerabilities are found because there are people who enjoy poking around systems ... and we are all better for it," Schneier said. As part of his campaign for safer computers, Baker chooses to "select sites that people will really notice." And there's no shortage of candidates. "People make targets of themselves," said Baker, who says he gave E*Trade months to address the issues before posting vulnerabilities. "If there isn't any press, there isn't any action. It is the key to making the whole plan work." ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".


News URL

http://www.nandotimes.com/technology/story/0,1643,500464331-500708815-503896284-0,00.html