Everybody does it; nobody wants to talk about it. Computer hackers - "white hat" or "black hat" - are among the brightest minds in the software industry, so many are hired by big-name software companies.
Then they dance the awkward dance of dual identities, engineer by day, hacker by night. The consequences of a misstep in that dance can be severe, as a hacker calling himself "VallaH" learned last week. In his case, a visit from the FBI meant the end of his career at Microsoft (Nasdaq:MSFT), embarassment for the largest software company in the world, and a new focus on the role of hackers at work.
Jeffrey Roberson, 19, was a self-described "angry little kid" two years ago, fairly well-known as VallaH on the hacking scene, dabbling in writing hacker software tools. At his worst, he says, he participated in relatively benign "denial-of-service" attacks - coordinated efforts to try to overwhelm a Web site with hits so it becomes unavailable. Then a Microsoft employee saw his programming code, was duly impressed and invited VallaH to Redmond, Wash. Over time, Roberson was convinced to put his skills to good use and took the job. He's spent the past year working on Windows 2000, testing for interoperability with Unix systems - his specialty.
(Note: Microsoft is a partner in MSNBC.)
But he also stayed involved in the hacker "scene." He says he hadn't done anything illegal since taking his job at Microsoft; in fact he says he spent his time trying to convince other "angry little kids" that they could be creative instead of destructive. "I talked to them because I wanted to try to help them program."
But someone passed his "handle" to the FBI recently. Then his Seattle-area apartment was raided May 26 in the hacker sweep, and VallaH's life instantly changed. He was immediately fired by Microsoft and went back home to his parents in the Baltimore area.
I'm ashamed they're involved
"It's Microsoft policy; I understand where they're coming from," Roberson said of his dismissal. He was actually a contractor at Microsoft, working through the Volt Computer agency. "I'm more of a liability than an asset.... I owe a great debt to Microsoft, and I'm really ashamed that they're involved."
Are other "hackers" working at Microsoft? Does the company recruit in the underbelly of the Internet, places like Internet Relay Chat rooms set up for hackers? The company wouldn't say.
"We don't recruit people who are involved in illegal activities," spokesman Adam Sohn said. "But did one computer scientist see [VallaH's code] and thought, gee, this is ... great work, we should get this person? Surely that may happen."
Other software firms wouldn't discuss company policies about hiring hackers when contacted for this article - but hackers say the practice is common and complicated.
It's only natural
"It is only natural to assume that someone who defaces Web pages at night also works for a computer-related company," said a man calling himself Space Rogue. Rogue works for L0pht Heavy Industries, a company of "professional hackers" that is hired by firms to test corporate system security.
"Last place I worked I tried to keep my involvement with L0pht and stuff quiet. Then word got around, as it always does. Then I get treated like royalty, and people tell me all the dirty deeds they have done to the company systems. Back doors, reading the boss's e-mail, all kinds of s***. I just shake my head and wonder.
"The issue is most employers have no idea what the background is of their employees. I mean, it's not like you're going to put 'defaced 150 Web sites' on your resume. And unless you have been arrested, no background check is going to turn anything up."
Find a hole, get a job
On the other hand, exposing security holes in front of the world is even better than a resume, said Russ Cooper, who moderates the most popular information service covering Windows NT security. His NTBugTraq mailing list has 25,000 subscribers, and his Web site gets 2 million hits a month.
"A lot of people release exploit information to get jobs," Cooper says. Posting an exploit, or a security hole, to his list is one sure way to get the attention of software firms. "Certainly I know of people who have posted and gotten job offers. Companies are interested in people who have demonstrated an aptitude for discovering problems. Finding people with skills is hard."
But is it worth the risk? No, says Christopher Klaus, who founded Internet Security Systems Inc. The company writes software designed to automatically test for exploitable security holes, so-called scanning software. For ISS software to work, his programs must imitate the thought process of hackers - still Klaus says he ignores the resumes he gets from hackers.
"We find we have more success finding people with a networking background, people who know Unix and can program in C++, then train them in security. That works better than the other way around," he said.
Having a hacker on staff
Having a hacker on staff
Having a hacker on staff is complicated because of the vague distinctions often made between "white hat," "black hat," hackers and crackers. Anyone involved in computer security might be called a hacker (in fact, many say anyone involved in any kind of progamming is a hacker). Computer security administrators consider hacker mailing lists, Web pages and even chat rooms as part of their daily reading material, a requirement for keeping their systems secure against the latest exploits.
And there's all manner of playful "hacking" that goes on inside a company. One Microsoft employee told MSNBC that groups within the company sometimes hack each other's Web pages, a harmless form of taunting.
But when does that kind of playfulness cross the line, become harmful? Many hackers don't believe temporarily defacing a Web page is destructive, though it is illegal. But what of the authoring of hacker "tools," which are not illegal? For example, there are software packages used to scan Web sites for vulnerabilities; they are equally useful to security administrators testing their own systems and hackers looking for open doors. Other software simply makes it easy for someone who's less skilled to hack into Web sites. That's what Roberson was writing when Microsoft contacted him - he was one of many coders who write and distribute software that can be used to crack Web sites, then share it with a wink, saying they're not responsible for how others use it.
Among the most popular examples is NetBus, which allows a hacker to control a victim's PC from anywhere on the Internet, right down to opening and closing the CD-ROM door. Its author, Carl-Fredrik Neikter, said he wrote NetBus "solely to have a fun program. What's more fun than a buddy's reaction when the CD-drive door is opened mysteriously. :) I didn't think about trojans or a hacking tool." He's now trying to market the tool as commercial shareware.
Others who write such tools say they're doing it to draw attention to security holes - that was the motivation behind Back Orifice, written by members of the Cult of the Dead Cow, according to member Sir Dystic.
While writing such software is not illegal, it's also not the kind of moonlighting many companies would be proud of. But how much control does a company have over its employees' activity outside of work?
According to Roberson, his Microsoft employers knew he came "from the scene," even knew he still communicated with hackers. Only the embarrassment of the raid cost him his job - and he now regrets his past as a hacker.
"I wish I didn't talk to these people," he said. "But I grew up in the scene, it was all I knew, it was who I was." So he felt an obligation to keep up friendships and "help these kids."
But in the end those friendships cost him his job - and, says Roberson, others involved in the raids are facing similar consequences.
"Some people who had absolutely nothing to with with hacking at all [were raided]," he said. "People with things going for them, innocent people, who are going to face consequences." He says others raided last week got in trouble with school officials and employers but declined to elaborate.
Such consequences - and even threats of prosecution and computer seizure made by the White House, CIA and FBI - don't seem to be deterring many hackers, who on Wednesday continued to deface government Web sites.