It is motivation that drives hackers: Tom Cervenka

[William Knowles <wk () C4I ORG>]

http://www.ciol.com/content/news/interviews/100083101.asp

Hackers love to understand how technology works. They like to explore
what the system will do if pushed in different directions. And, that
needs a complete grasp of technology, says the hacker who has done it
all.

Thursday, August 31, 2000
Krithi Aiyappa and Reena Ganesh

A white hat hacker, who has given sleepless nights to Net security
professionals working for some of the biggest names in the dotcom
world, was in Bangalore last week. Tom Cervenka, who is popularly
known as the Blue adept in the hacker community, is now an Internet
Security Expert in iCMG. He offers inputs to firms on preventive
measures against hacking. He doubles as a Java/Perl instructor for the
Object Technologies programs at the University of Alberta and the
Simon Fraser University. Tom has found security loopholes in sites
such as Hotmail, eBay, Excite, Zkey, Yahoo and Lycos. In a
freewheeling interview with CIOL Bureau, Tom discussed several issues
that plague not just those who face the threat of getting hacked but
also the hackers themselves.

Lets start with your name. Why the nickname Blue Adept?

The name Blue Adept comes from a Piers Anthony book called Blue Adept.
I read and liked the book. Interestingly, the actual character Blue
Adept is not the main character in the book. That is where the name
came from.

How can anyone be sure that a person is a black or a white hat hacker?

How can anyone be sure that I have never done anything like black hat
hacking? Well you dont. Its like you dont know whether I have murdered
a person. If you have found out that I had murdered someday then Ill
be put away for murder.

Like a rose by any other name, a hacker is a hacker, be it black or
white. How do you react to this perception?

Once, when I faced such a question in a debate, I said that the
difference between white hat hacking and black hat hacking is like the
difference between an apple and an orange.

What is the psyche of a hacker?

The motivation, which drives all hackers I think is the love to
understand how technology works. It is to see what the system will do
if they pushed it in different directions. It really is an experience
like you start exploring the security of the system. It is not
something you can do unless you fully understand what the related
technology is. Doing it is really a self-educational, fun and
interesting process. Once you start getting into the system, it
becomes like a puzzle and you really want to reach the end. If you do
reach you feel really cool like reaching the top of the mountain. It
is a great challenge.

Have you hacked any government sites?

Yes, I have hacked into the Indian government sites (laughing). That
was a joke. No, I have not hacked any government site.

Is JavaScript the most favorite language of the hackers?

No, the kind of security holes that I find is not the typical kinds of
holes that people look for when they go and look for Web services.
Unfortunately, what that means is that in a lot of Web services there
is a class of security holes that most people tend to look for. This
is what most people identify as hacking. But, the kind of hole I
usually find is the kind of hole that does not deal with accessing the
system at the network level. Its an uncommon way of breaking into the
system. A lot of services never even thought that JavaScript could be
used to get the user name and password.

The reaction to your hacking eBays site was not very favorable. Did
they take any action against you?

No, but at the time I showed that there was a problem with eBays site
they denied it. Every time a reporter called them and asked they would
deny that any problem existed. But that didnt work very well because
on my side I had a working demonstration of how people could steal
passwords. It was a situation where the reporter would come to me and
ask whether there was a problem. I would ask them to go into the
service and I will show them their username and password and then they
were convinced and went to eBay. They took a long time to fix the
problem.

Of all the sites you have tested till date, who gave you the most
positive feedback? Who gave the most negative response?

The most positive feedback was from Zkey. They acted in a way that was
in everybodys best interest. When I found a hole, they were interested
to find out what the problem was. They put a lot of people into fixing
it right away. And the negative feedback was from eBay.

On what basis do you choose to hack a site?

I dont actually choose a site to hack to see that it does have a
security problem or does not have. In my work, I just stumble across a
hole or just flip across many times the services I am using myself.
This was the case with Hotmail, eBay and also Zkey. I was the user of
the service. Take Zkey for example. After I had uploaded my own
business data I started to think "how secure is this anyway. Let me
just try and see."

Is credit card transaction safer over the Net and do you use your
credit card on any kind of transaction over the Net?

It can be done safely. In general I could say "yes" normally. No, I
dont use my credit card over the Net.

The US government had given an open invite to hackers to join the main
stream. How have the hackers responded to that?

Well, we dont need an invitation when we have the option. When we find
a security hole, some tell the world about it, some keep it as a
secret. Invitation or no invitation we are going to find security
holes one way or the other. It is not that the US government is
offering to change the behavior of the individual or something. It is
not like black hat hackers will change into white hat hackers. I think
people who have been doing white hat hacking are the people who enjoy
doing it and people who keep it to them, keep it to themselves. Thats
the way it is going to be. What the society can do is to engage people
to do the good kind of hacking. What would be more effective than
issuing invitation is a change in rules.

What do you think are the most important utilities any organization
should have to prevent hacking/unauthorized access?

The kinds of problem I deal with are the specific kind of problem that
a lot of major service providers have. So I dont pretend to be able to
tell people how to completely secure their site. There is no such
thing as 100 per cent security. But, what I recommend is that they pay
very careful attention to instances where they allow the person to
write in some content, which then becomes a part of the site itself
that others will view. If you have something like a message board,
tech support form or auction or e-based mail, in all those cases you
have to be very certain that you carefully examine what the user wants
to post and how it will look. And make sure that it doesnt contain any
malicious code. JavaScript is just one of them. They can use VBScript,
Java Macromedia, Shockwave, XSS style sheets, Flash etc. So, you have
to be up on all the technologies and make sure that none of them are
being snuck onto you.

What are the aspects of keeping a secure site?

Keeping a secure site is a matter of constantly adapting new
technology because you have to make sure that your current version of
the browser should be on par with the new technology/software products
which are constantly changing without even knowing it. Because your
software product runs through the browser, you have to keep updating
to keep up with the technology.

How can you best prevent hacking?

There are intrusion detection software that you can buy and install
and that kind of software will help you find whether something has
been changed or not, or somebody is accessing certain files that you
thought shouldnt be accessed. It can eliminate the vast number of most
common security problems. One thing you could also do is keep up with
some of the work the white hat hackers are doing. You could also do
the normal stuff like finding the right software, the right hardware
and also have a security auditor etc and see to it that your site is
safe.

How do you rate the level of security in Indian sites?

Some of them have rigid security rules. Some of them are vulnerable,
but most of them are OK. I think now they are doing much better jobs.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".