Hackers: Under the hood

special report Adrenalin pumping through their veins as lines of code are crunched to perfection. Well, that's how it is in the movies anyway.

ZDNet Australia Hackers Special Report

special report Adrenalin pumping through their veins as lines of code are crunched to perfection. Well, that's how it is in the movies anyway. Welcome to the real world of hackers.

ZDNet Australia&nbsp went on the hunt to track down some of the world's most prominent (and notorious) hackers. In this five-part series, we delve into the lives of five prominent hackers who reveal issues close to their heart.

Raven Alder, the first woman to deliver a technical presentation at the famed DefCon hacker conference, talks about "gender wars" in the hacking realm.

"One popular magazine's 'do you think girl hackers should date boy hackers?' left a bad taste in my mouth, too. Nobody asks the guys this stuff, and finding myself a 'boy hacker' is not really tops on my list of things to do this weekend," Alder says.

Kevin Mitnick shares his experience behind bars and recalls the days when he was treated like "Osama bin Mitnick".

For Adrian Lamo, the so-called "homeless hacker", there was no turning back after discovering how to make both sides of a 5.25in floppy disk writable at the tender age of eight.

Attrition.org co-founder Brian Martin aka Jericho, who dropped out of college during his second year at architecture school, shares his silliest hacks.

Peiter Mudge Zatko, better known simply as Mudge, talks about the origins of L0pht Crack -- a password cracker for Windows-based systems which he wrote to "prove a point and not for commercial purposes."

Hackers are often perceived as shady characters but securing your perimeter is about anticipating and understanding all forms of threats -- the good, the bad and the ugly -- to your network. Whatever their motives, we hope you will gain some insights into the psyche of a hacker.


Raven Alder

Best known for tracing spoofed distributed denial of service attacks.
 


Jericho

Creating computer security Web site attrition.org.
 


Adrian Lamo

Best known for hacking into The New York Times network.
 


Kevin Mitnick

Best known for being imprisoned three times for hacking.
 


Mudge

Best known for creating L0phtCrack.
 

First profile: Raven Alder

Name: Raven Alder
Handle(s): Raven
Age: 28
Place of birth: Mississippi, USA
Marital status: Single
Current residence: Maryland, USA
Job: Security consultant, True North Solutions
First computer: Home-built 8088 machine in 1988
Best known for: Tracing spoofed distributed denial
of service attacks
Area(s) of expertise: ISP backbone networking,
protocol decoding and design, Linux/BSD security,
and cryptography

What's the difference between male and female hackers?

If you ask Raven Alder, she might let out a string of expletives because gender is a non-issue.

Alder was the first woman to deliver a technical presentation at the famed DefCon hacker conference in Las Vegas. But don't harp on it. If there's one thing she hates, it's being type-cast as a "chick hacker".

"If I never read another 'she's going to save the Internet' article or have a reporter wanting me to pose by the pool at DefCon with a life preserver, it will be too soon.

"One popular magazine's 'do you think girl hackers should date boy hackers?' left a bad taste in my mouth, too. Nobody asks the guys this stuff, and finding myself a 'boy hacker' is not really tops on my list of things to do this weekend," Alder said.

Born into a fairly well-to-do family, it was clear that Alder was a brainiac from a young age.

"I skipped three grades and was taking college classes at 12, graduated high school at fourteen and college at eighteen," she said. "My parents very much encouraged my sister, brother and me to be academic achievers."

Alder has the markings of an uber geek, but her lifestyle is far from sedentary.

"Mom put all three of us through martial arts [Shorin Ryu Matsumura discipline] for at least a year. She wanted us to be able to defend ourselves. After that, it was our decision whether or not to continue," she explained. "My kid sister quit and did gymnastics instead, making it almost all the way to being an Olympic-class gymnast before quitting to become the captain of her high school cheerleading squad ... [but] I continued."

Alder first dabbled with computers in 1985, fiddling with her school's Apple II, but didn't get serious until after graduate school.

"I went to Virginia Tech in an entirely unrelated discipline, but you can't attend that school without becoming at least basically technically competent," she explains.

Despite becoming quite involved with geekish pursuits, Alder says her social life hasn't suffered at all.

Raven Alder in first grade
"If anything, it's made it more to my tastes. I like geeks," she confessed. "I'm far more likely to enjoy the company of the folks I see at dc-securitygeeks meetings than I am of the people I'd see at my neighbourhood bar. I've met a variety of fascinating people through hacking, and some of them are now close friends."

Alder hasn't taken a holiday "that didn't involve computer security" for around five years. "Most of my vacations are something like, 'Oh, I'll go to Ottawa Linux Symposium, that will be fun!'," she said.

While her parents have been supportive, Alder's father is sometimes rattled by the idea of his child hanging around with "hacker types". When she called to tell him she'd be presenting at a computer security conference "he went to brag to his security officer friends". But the thrill didn't last too long.

"DEFCON? Do you know what that is? It's full of HACKERS!" her father said.

It took her 30 minutes to deliver the "hackers-are-not-bad" speech.

But it's not all smiles and sunshine in the security business for Alder -- she once found a serious vulnerability in a "very popular security product".

"I wrote up some proof of concept exploit code, and took it to my boss," she explained. The makers of the product didn't really seem to care about the issue nor want to fix it.

"I carefully explained the importance of the problem, and the possible ramifications of exploiting it. People are trusting this product with their security data, and if the product itself is [insecure], it's un-trustable and you can't have faith in the veracity of that data," she said. Still, the vendor was unmoved, claiming no one would ever find the glitch.

Alder was by this point annoyed. She had found the problem, so others could too. But the vendor simply refused to fix the problem.

"Now, if I had been doing this as an independent researcher, I would have posted [it] to Full Disclosure (a security mailing list) at that point. However, since I was working for a company, disclosure was in their hands and not mine, and they chose not to say anything. So the vulnerable product is still out there.

"I was explicitly told that I would be sued to the tune of several million dollars if I ever violated my NDA [non-disclosure agreement] and revealed the vulnerability. This is why closed source security is bad. Lesson learnt ... any vulnerability research I do from here on out is my own, and I will be answerable to nobody but myself for disclosure," she said.

It could be this experience which has dimmed her view of the industry as a whole. There are good people in the security space, she says, but there are also some bad eggs.

"The root problem that the security industry has is ... unscrupulous people selling to an uninformed market. The managers buying security products don't understand security at all, and so they trust the vendors to tell them what is best," Alder argued. "And somehow, conveniently, what is best has a great overlap with whatever that particular vendor happens to be selling."

However, it's not just the vendors who are to blame. To a certain extent, Alder said, end-users engage in an "ignorance is bliss" management philosophy.

"Many companies just want to be able to throw money at a product and feel secure. They're uninterested in understanding security or changing their habits and environment.

Raven Alder
Unfortunately, that's not the way that a successful security program works. People who understand security are necessary, and in chronically short supply," she said.

"[Companies] have the latest and greatest firewall that nobody has ever bothered to configure, or a very expensive intrusion detection system (IDS) that nobody has the understanding to tune."

Alder monitors the nessus.org IDS. Nessus is an open-source vulnerability scanner, so one might expect some sophisticated attacks against that domain but this is not always the case.

"Sadly, most of the attacks that people threw at it were pretty stupid -- 'Oooh, I downloaded Nessus! Hey, I'll run Nessus against Nessus!'. I did see some exploit attempts that were fairly similar to the successful attacks against Debian and Gentoo at about the same time, though, so that was neat. And they didn't get in!," she recalled.

It seems Alder genuinely enjoys her work, and gets some thrills through some unlikely pursuits. "Hiking, rock climbing, camping. I'm also an avid reader -- I have a taste for science fiction and fantasy, but I'm also fond of archaeology, linguistics, history, particle physics, and biology," she said.

In her spare time, she downs chai while arguing philosophy with friends.

To aspiring hackers, Alder has this piece of advice: "Learn TCP/IP or the internals of your operating system of choice. Ideally, learn both. Don't just be a script-kiddie who downloads an attack program off the Internet and think that's cool.

"Understanding what you're doing is more cool. Having the know-how to develop a new and innovative attack or to develop a creative defence is a lot more impressive than 'dude, I sniffed your Hotmail password'." -- Patrick Gray. Second profile: Brian Martin aka Jericho

Name: Brian Martin
Handle(s): Jericho, Security Curmudgeon
Age: 30
Place of birth: South Carolina, USA
Marital status: Single
Current residence: Colorado, USA
Job: Independent security consultant
First computer: Tandy TRS-80
Best known for: Creating computer security Web site attrition.org
The name Brian Martin might not ring a bell in the security sphere but "Jericho" certainly would.

Martin is known for his work behind attrition.org, an online resource famous for cataloguing defaced Web sites and security vulnerabilities.

He cheerfully admits to "hacking his brains out" in the past. If he was a burglar, Martin would be the type who'd break in and clean up your house.

College life was cut short in his second year at architecture school. "I dropped out because I thought the program was horrid and they weren't modern," he said. Despite studying architecture and drafting, he wasn't allowed to use a computer to complete assignments.

One of his silliest hacks, he told ZDNet Australia&nbsp, was "breaking into a machine to run 'satan' [a vulnerability scanner] after its release only to find that we had to install Perl and a new gcc [compiler] for the admin because satan wouldn't compile."

"You could tell a hacker [was in] a system back then ... it ran smoother than any other on the network. Every system we hacked was made more secure, stuff fixed and upgraded, and boxes were more streamlined.

"It took us a full day to get the machine [to] run satan. We ran it once, laughed, and never used it again," he said.

One time, paranoia got the better of him.

"I hacked into the phone switch to see if there was a trace on my line ... if there was, my 'investigation' would have been recorded. Back then, half the phone switches had no login. [You'd] connect, ctrl-d to 'wake it up', and you'd have access to 200,000 phone lines," he recalled.

Jericho

But those were memories from a bygone era. Today, he's a reformed character.

Sharing his life with three cats, Martin works as a freelance security consultant. But, he's damning in his condemnation of the security industry.

"I think the industry sucks. It's self destructing and over run with criminals of one type or another," he said. "Everyone is out for a dollar, they don't care about security any more. It's all about name recognition, egos and cheating people out of money. [It] has been for a while ... to the point where I just don't like it."

It's the dishonesty and lack of "real" skills that annoys him the most. Then there's the rampant practise of overcharging for products which Martin describes as "shoddy, band-aid solutions".

"Think about it. Consultants are hired to tell customers what security they need but they overcharge these clients, lie about the solutions ... that's fraud ... the industry is full of criminals," he said.

Thumbing through his resume is a sobering experience. As a supporter of infamous hacker Kevin Mitnick -- who has been imprisoned three times for computer crime -- Martin sifted through 10 gigabytes of electronic evidence and 1,600 pages of witness testimony in his role as a technical consultant for the defence team.

As testament to his versatility as a public speaker, Martin has also delivered presentations to law enforcement agencies, at the famous DefCon hacker conference, and Blackhat briefings.

Despite his accomplishments, he once thought about throwing it all away but realised he couldn't bring himself to disconnect from the industry completely. "I like osvdb, and I like my friends in the industry, and working a few days a month to live comfortably is nicer than 40 hours a week in a store," he says.

Osvdb is the Open Source Vulnerability Database, a vast online archive of security vulnerabilities, maintained in part by Martin, who formed many of his friendships online.

"I'm still good friends with people I met online as far back as 1995," he said. "I met all of the attrition staff online at first, [and] eventually in person. It started out with a few mails, turned into chat for most of the day and eventually led to meeting."

"Attrition started with two or three of us, and the rest got involved as they found a piece they wanted to help with," he added.

Martin draws no distinction between online communications and face-to-face interaction, and believes anyone who thinks it strange just doesn't understand.

"If you meet someone and become good friends through talking and hanging out, then he moves across the country, do you stop being friends with him? Of course not.

"Is it really any different that instead of a face-to-face chat, it's done via text? Does it invalidate our conversations, what we talk about, how we choose to bond, and how we become friends?"

Friends for life is obviously his mantra ... be they virtual or otherwise. -- Patrick Gray. Third profile: Adrian Lamo

Name: Adrian Lamo
Handle(s): None
Age: 23
Marital status: "Dating for over a year"
Current residence: Living in exile in Sacramento, Ca., USA
Job: Staff writer, American River Current and freelance journalist
First computer: Commodore 64
Best known for: Hacking into The New York Times network
Area(s) of expertise: "Seeing things differently"
Don't let his baby face fool you. Adrian Lamo started hacking even before he could legally drive.

Lamo's first thrill from a hack came when he figured out how to make both sides of a 5.25in floppy disk writable while playing around with his first computer -- a Commodore 64 he got when he was eight.

"It was quite the discovery for me," he said.

Unlike many so-called hackers, Lamo was never interested in impressing his peers.

"I became deeply interested in the hacker culture, reading everything I could about it before ever actually encountering it," he said. "Once I encountered it, I was turned off by it, so I chose to go solo. Exploration need not be competition," he told ZDNet Australia&nbsp in an interview last month.

At 18, his parents decided to move to Sacramento from San Francisco but Lamo decided to stay put.

He was the lead network administrator for a law firm at the time. "I stayed with friends, sometimes in abandoned buildings, sometimes in storage areas of office buildings I had access to. Sometimes, I'd just nod off at my desk," he recalled.

After a while, he dipped into his savings and hit the road, spending the next two years wandering around the United States.

"There's a lot to be said for just having your clothes, a backpack, and the ability to buy a bus ticket and not have anything to tie you down.

A young Adrian Lamo
"I spent time in New York, Washington DC, Philadelphia, Pittsburgh, Ohio, parts of California, Virginia, and points in between -- usually because I knew people there, or wanted to see the city, or other circumstances," he said.

Lamo has travelled far and wide but ranks his time in Philadelphia as the best.

"I'd wake up early, go for a walk, check my e-mail wirelessly from a window ledge that had a clear shot to an unsecure 802.11 [wireless network], wander around with friends and hack from university libraries, Kinkos, coffee shops, read in the sun all day, or just explore the city physically. I loved it."

Over the years, Lamo has carved a reputation as someone who didn't care much for rules. He used his skills to gain access into high-profile networks owned by America Online, Microsoft, and many others.

But there was never any malicious intent. After penetrating these networks, Lamo would contact the network maintainers and tell them how he did it.

This modus operandi worked well for a while ... up until the time he hacked into The New York Times' network in 2002 and accessed its contributor database.

It's important to remember that the average contributor to The New York Times isn't Joe Bloggs from down-the-road. Lamo reportedly accessed the social security numbers of many high profile public figures, including former US president Jimmy Carter, Hollywood actors Robert Redford and Warren Beatty, and former United Nations weapons inspector Richard Butler. Some of the entries in the database included home phone numbers.

The Times, one of the world's most influential publications, was not impressed. US authorities issued a warrant for Lamo, who turned himself in and pleaded guilty to one charge of computer crime. Sentencing has been postponed until June.

"I'll either get prison, or house arrest," Lamo predicts, before becoming philosophical. "I hope for the best ... [and] will make the best possible experience out of any sentence that's handed down. No experience we ever have is wasted."

When he was arrested, he was dubbed the "homeless hacker" by media outlets due to the nature of his nomadic lifestyle. "I've never described myself as 'homeless'. It's something the media picked up," Lamo insisted.

Adrian Lamo accessing the Internet for the first time
Lamo is currently living with his parents in Sacramento by order of the court. He draws parallels between his chosen lifestyle offline and his activities online. "I didn't, and don't, draw a clear distinction between the two kinds of exploration. I try to see things differently, no matter what venue I'm in. I'd be just as likely to spend the morning talking to a stranger who just got out of city jail, buy him breakfast, and learn about his life, as i would be to break into a company ... or just randomly explore the Net. It's all the same principle, the same desire to see things that other people gloss over in their daily lives."

It's this curious mind that has led Lamo to his new passion -- journalism. He's currently a staff writer for the American River Current, a bi-weekly Californian newspaper, and a freelance writer on the side.

"I'm interested in journalism because it's an extension of what i do: exploring, finding angles for things that others miss, sharing the uniqueness of the world. That's especially why i try to do my own photos when possible. It lets me capture moments in time in ways that words sometimes fail," he revealed.

A similar path was taken by the legendary hacker Kevin Poulsen, who is now the editor of online security portal SecurityFocus.com -- which was acquired by anti-virus maker Symantec in 2002. Poulsen was best known for hacking a telephone system in order to rig a radio contest. He won a Porsche 944 S2 before being caught and eventually spent some time in prison. He delved into journalism after his release.

Writing about security seems to hold less interest for Lamo. "I look to him [Poulsen] as a model of what I don't aspire to be: typecast, and locked into a one-trick career," Lamo said, while acknowledging his respect for Poulsen as a journalist.

Lamo doesn't want to work in the security industry either, believing that accepting payment for his talents would amount to "whoring himself".

"I don't believe it's an honest industry, which is why I've declined all security jobs offered to me. Journalism isn't an honest industry either, but at least I have some personal control over the degree of dishonesty levelled against my victims," he joked.

It's no surprise that Lamo is accustomed to the lifestyle of a nomad -- which began from a relatively young age. During the interview, he eluded to, at least, some degree of financial hardship -- riches-to-rags style. "We were well-off, we were poor, we had a house, then we had a tiny apartment," he recalled.

His parents have always been supportive, Lamo said, despite their concern over his chosen lifestyle.

"My parents are well-educated. My dad has a degree in anthropology and intercultural administration; my mom is a former English teacher. We moved around a lot, and they both tried to provide me a content-rich environment in which to grow up," he said.

Lamo with Kevin Mitnick and Poulsen
If you think that using "content-rich environment" sounds like a peculiar way to describe up-bringing, just remember that Linux creator Linus Torvalds captioned a photograph of his daughter "Linus v2.0" on his Web-site. In fact, Lamo insists he's not a "dork".

"My curiosity isn't purely technological. Quite the opposite; I don't consider myself a tech person, I just see things differently and apply that to any environment I'm in. I spend a lot of time on my photography these days ... it acts as something of a surrogate to network intrusion," he said.

For now Lamo awaits his sentence but remains fatalistic.

"Actions have consequences. I never thought it was inevitable, but I always knew that something like that could happen." -- Patrick Gray Fourth profile: Kevin Mitnick

Name: Kevin Mitnick
Handle(s): Condor, from the movie
Three Days of the Condor
Age: 40
Place of birth:California, USA
Marital status: Divorced. Now lives with girlfriend
and her eight year-old daughter
Current residence: Las Vegas, USA
Job: Chief executive of Defensive Thinking
First computer: Toshiba 4400 SX laptop
Best known for: His notoriety
Area(s) of expertise: Social engineering

"Even though I was a hacker since the 70s, I used other people's computers," confessed Kevin Mitnick. He didn't have to buy his own computer until 1992!

Perhaps the best known computer criminal in the world, Mitnick has used his mastery of social engineering -- or plain trickery -- to illegally penetrate networks all across the globe. His misdeeds was the subject of a book and subsequent movie of the same name, Takedown.

After being imprisoned three times for hacking -- the third time spending four and a half years behind bars -- Mitnick has gone straight. He now writes books about security, travels the world as a professional speaker and runs Defensive Thinking, the company he built on the back of his notoriety.

It's easy to picture him as a leather-clad cyberpunk or a narcissistic, cold, calculating cybervillain.

So frankly it's a little disappointing to speak with him.

Mitnick is -- on the telephone at least -- one of the least offensive or aggressive subjects one is likely to encounter. He is pleasant and polite, and considering his reputation as a master of deception, fairly easy to read.

His generally upbeat demeanour doesn't waver, even when speaking of the hardest times in his life -- like when he spent around eight months in solitary confinement because a US court was convinced he could start a nuclear war by whistling into a telephone.

As you speak to Mitnick, you get the impression his mild manner isn't obscuring from view a malicious menace to society, but someone who feels victimised. Someone who feels he was in the wrong place at the wrong time, and paid too high a price for his mistakes.

Starting out as a prankster while in high school in the late 70s, Mitnick fell in love with phreaking -- hacking the public phone network -- before being drawn into hacking computers.

Young Kevin Mitnick
"I was involved in phone phreaking before I was into computers. This was before AT&T was deregulated. I was pulling pranks on friends and family," Mitnick told ZDNet Australia&nbsp in a recent interview. "I met this other kid, who knew about my shenanigans, who thought computers would interest me because phone companies were going from magnetic switches to computerised systems."

While still in high school, his first hack came in the form of a login simulator he authored. When run, the program would display a normal login prompt, but when a user name and password was entered, the details would be captured before logging the user on. Mitnick used this technique to obtain his teacher's username and password.

Looking back, he says he has been described as someone who had a terrible addiction to hacking, an all-consuming passion that wrecked his life. That's a bit of a stretch, he said.

"I'd spend a great deal of time on it ... it was my hobby. I wouldn't characterise it as heroin. I spent more hours than the average person would spend on the computer though," he said. To him, Mitnick exhibited the same sort of enthusiasm as a child hooked on an Xbox or Playstation.

He said his family has always been supportive of his passion for technology. "They encouraged it. They didn't know I was doing anything wrong until I got a visit from the FBI," he said. "I was in high school, I think I was 17. I don't remember why he visited me ... he didn't have any evidence, it was a part of an investigation."

Unlike many of his ilk, Mitnick came from a working-class background. His mother worked long hours as a waitress to support him.

These are details one never forgets ... and then some -- he recalls being locked up for the first time when he was "around 17 or 18".

"I went to the California Youth Authority," he said, his tone shifting slightly. "It wasn't fun, it wasn't like what you see in the movies. It was like being in a brig."

In 1988, he was back in the slammer for hacking into Digital Equipment -- which was acquired by Compaq Computer in 1998 -- to steal operating system source code. During that time he spent eight months in solitary confinement and until today, he attributes that stint to the failure of his marriage.

Things went seriously pear-shaped for Mitnick in the early 90s. He went on the run after realising that authorities were investigating him for parole violation. While on the run, he used various aliases such as Eric Weiss -- which was the real name of legendary magician and escape artist Harry Houdini -- to gain employment. He even spent a considerable amount of time working as a systems administrator for a law firm.

When the law caught up with him, he was thrown into prison for four and a half years. According to the US Department of Justice, Mitnick admitted to stealing software from Motorola, Novell, Fujitsu, Sun Microsystems, and Nokia. It's probably why he takes such a dim view of the imprisonment of terrorist suspects held -- without charge -- in Guantanamo Bay, Cuba by American authorities.

Kevin Mitnick
"The United States is a police state. 9-11 was a horrible tragedy for the world, and the Department of Justice has used it to trample on [our] rights," he said. "[Now] the government makes the call as to whether you qualify for certain rights."

The tale of the hunt for Mitnick and his subsequent capture was documented into a book by security consultant Tsutomo Shimomura -- one of Mitnick's victims, and The New York Times journalist John Markoff.

Mitnick attributes his rough treatment by the US authorities in part to the publicity generated by Markoff in both writing about his exploits for the New York Times and co-authoring Takedown with Shimomura. "They turned me into 'Osama bin-Mitnick,'" he said.

"Not only did it demonise me, it was libellous," Mitnick said, obviously still annoyed over the way he was portrayed. "The only reason I didn't sue was because I was in custody at the time."

But Mitnick's patience bore fruit.

"What ended up happening is the movie came out in 1998 and I was able to get an attorney. I settled out of court for a large sum of money. Markoff is lucky, and Shimomura is lucky that there's a one year statute of limitations [on libel cases]," he explained. "They exploited me to make millions of dollars."

After his release from prison, Mitnick started working on a book titled The Art of Deception&nbsp, centred around social engineering -- the technique he mastered that allowed him to trick system administrators and others into divulging information he shouldn't have been allowed to have. This included usernames and passwords, system dial-in numbers and much, much more.

He also wrote about his experience with Markoff and Shimomura, however his publisher refused to print the material. It has since found its way on to the Internet, known as the "Forbidden Chapter".

Mitnick has come a long way since his days in incarceration.

Currently working on his next book, tentatively called The Art of Intrusion&nbsp, Mitnick is a sought-after public speaker and runs Defensive Thinking, a consultancy specialising in minimising the risks posed by social engineering. He freely admits that his notoriety is a big part of his recent success, but says his recent good fortune is what he's most proud of in life.

Now living in "sin-city" Las Vegas, Mitnick enjoys the simple things in life. "I like travelling, going to movies and shows ... I'm going to Metallica [concert] this Saturday. Woz is coming up, we're going together," he said. And he certainly has some interesting friends . "Woz " is Apple co-founder Steve Wozniak.

But what he relishes the most is spending time with his girlfriend and her daughter. "My best accomplishment was the ability to take all this negativity and completely turn my life around," he said. -- Patrick Gray Fifth profile: Peiter Mudge Zatko

Name: Peiter Mudge Zatko
Handle(s): Mudge, PeiterZ
Marital status: Single
Current residence: New England, USA
Job: Chief Scientist, Intrusic
First computer: Tektronix 4051
Best known for: Creating L0phtCrack
Area(s) of expertise: "Thinking outside of the box"

It's hard to tell if Peiter Mudge Zatko was born eccentric or whether he's just a stickler for privacy.

Take the response to ZDNet Australia's&nbsp request for his age as an example: "[I'm] not trying to be coy, but my age, race, religion, etcetera, are always items I try not to divulge. The rationale is probably quite different than what most people infer. It is as follows: without irrelevant information such as skin colour and the aforementioned items, people are stripped of data that normally would encourage functional fixation."

It seems Zatko's brain has been over-clocking from a very young age.

"When I was growing up, around the age of five or so, I couldn't wrap my head around 'life'.

"The notion of death being an accepted unknown without any further details drove me bonkers," he told ZDNet Australia.

Some may argue that existentialist dilemmas such as these belong to adults, or at the very least in the adolescent domain. But Zatko was introduced to a myriad of advanced concepts at an extremely tender age.

"In my crib, as an infant, my father sanded down the edges of early 60s-type computer components ... like the face plates of systems with glowing [amber] numeric 'vacuum tube style' readouts," he recalled.

The way Zatko speaks of him suggests that his father was his mentor in life.

"I asked my father what he believed in -- what his religious beliefs were. He refused to tell me. Instead, he started taking me to churches of different denominations each Sunday and would ask me what my interpretations were.

Zatko with Bill Clinton
"Several years later I came up with my own 'codified' religious beliefs," Zatko said.

And he's fanatical about getting the job done. "Anything that I do, I must engross myself in totally," he said.

To Zatko, there's no distinction between work and personal life, and readily admits that his life knows no balance. "There's also no difference between business and personal relationships. When I decided to get into Golden Gloves Boxing and Muay Thai [boxing] it was to master them. When I deal with computers it is to entirely comprehend the socio-psychological interactions and weaknesses they introduce," he revealed.

His parents, while educated, came from fairly blue-collar backgrounds. He said his mother "experienced the depression" while his father grew up working on a farm. As a child, Zatko was given musical training, and was taught science and mathematics while maintaining a "respect for manual labour and living off the land".

He still holds dear to his heart the values his parents instilled in him while growing up. "I was intentionally given freedom and a feeling of independence at a young age. In looking back the rationale was obvious: learn decision making and life choices while you are still able to be protected paternally," he explained. "I watched people self destruct at the tail-end of high school and in college -- where it was obvious that that was their first taste of freedom."

In 2000, Zatko was invited to participate in a security summit chaired by former US President Bill Clinton. "I was afforded the rare opportunity to hang out with him afterwards and engage in some private conversations," he said. "I have tons of stories but they're too long."

Pieter Mudge Zatko
As one of the founding members of grey hat outfit L0pht Heavy Industries -- which later became the foundation for security firm @Stake -- he was responsible for the creation of L0phtCrack, a product still sold by @Stake.

L0pht Crack is a simple product and a remarkably affective password cracker for Windows-based systems. Zatko insists he wrote it to prove a point and not for commercial reasons.

"When I first created and wrote it, one of the goals was to show that the Microsoft systems being deployed could not embody 'secure' encrypted passwords ... not that there were some passwords that were stronger than others.

"This didn't mean that people should not use Microsoft technology but rather they should understand where their security perimeters needed to be in order to take advantage of the [Microsoft] platform without exposing undue risk to infrastructures," he said.

"Is something like L0phtCrack still useful? Yes. Is this an example of people misinterpreting what a tool is showing them and potentially having a false sense of security because of it? Unfortunately, the answer is again yes," he added.

Zatko believes that example -- the misuse of a tool like L0phtCrack -- applies to many security products. He has some advice to help improve the situation, though: "Share, be open, communicate, ask questions to all, share the answers that help you with [everyone], do not think in black and white, do not hurt others or yourself. Improve the world, not your own self image -- the former is possible, and the latter is not accomplished without being a part of the former." -- Patrick Gray

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.
See All