------------------------------

Date: Thu, 08 Oct 90 12:01:45 CDT
From: Gordon Meyer (CuD Co-moderator)
Subject: 13th Annual National Computer Security Conference (Part 1)

********************************************************************
*** CuD #2.07: File 5 of 8: NCSC Conference (part 1) ***
********************************************************************

13th Annual National Computer Security Conference
October 1-4, 1990
Omni Shoreham Hotel
Washington, D.C.

Reported by Gordon Meyer

Dr. Dorothy Denning's presentation, "Concerning Hackers Who Break Into Computer Systems", was part of the 'ethics' session held the afternoon of Oct 3rd. Denning's presentation consisted mainly of data, in the form of quotations and observations, taken from her recent interviews with approximately ten self-identified computer hackers.

While her paper offers some suggestions on how the computer security community could assimilate some of the information hackers have available, her presentation instead focused on several thematic concerns she found to be prevalent in the computer underground. This was a wise tactical decision on her part, as her argument that hackers can be of some use to computer security professionals is not only somewhat unique, but must be considered only after the anti-hacker stereotypes have been methodically shattered. Trying to accomplish this in a 20-minute verbal presentation would be unrealistic. However, it should be pointed out that each of the conference attenders did receive the full text of Denning's paper (in fact, all the papers presented at all the sessions) in the two-volume proceedings book for the conference.

The data presented at the session highlighted the CU's concern for ethical and legal issues related to information security. A large number of the quotes were taken from Denning's interview with Frank Drake (publisher of the defunct W.O.R.M.
magazine), and focused, in part, on the ethics of large corporate data bases on individuals, and the NSA's role in providing standards for data encryption. Denning also utilized some quotes from PHRACK Inc (specifically the infamous 'Phoenix Project' announcement) and a quote concerning the recent spate of CU busts as reported in a past issue of CuD. Other excerpts were taken from The Mentor's Guide to Hacking, and various other statements from her interviews with unidentified hackers. The overall thrust of all of this was to show that hackers can be concerned with information technology ethics, their own actions while on a system, and the future of information technology and the CU in general.

Denning's presentation appeared to be well received by the audience. By presenting the actual words of the subjects, rather than summarizing her findings, the CU was brought to life in a way that most likely many of the attenders had never seen before. (Each quote, by the way, was shown on an overhead projector and dramatically read by Dorothy's husband, Peter Denning.)

The audience reactions during the presentations were quite interesting to observe. Outward displays of hostility, disbelief, and amusement were common, usually in reaction to statements of freedom, power, and tales of busts respectively.

After Denning's presentation there was time for a few questions and audience comments. One comment was from a West German attender and concerned the Chaos Club. He told of Cliff Stoll's hacker adversary and how "three disks of VMS information was sold to the KGB" despite denials that such a thing had been done. His conclusion, emphatically stated, was that "you can't believe what hackers tell you, you can't trust them!". This comment received an enthusiastic burst of applause from the crowd.

The panel session, "Hackers: Who Are They?", was held Thursday morning. The session was moderated by Denning, and consisted of the following panelists:

     Katie Hafner, author.
       Currently writing a book on Mitnick, Pengo, and Morris.
     Frank Drake, former publisher of W.O.R.M. magazine.
     Emmanuel Goldstein, publisher of 2600 magazine.
     Craig Neidorf, former co-publisher of PHRACK Inc.
     Sheldon Zenner, defense attorney in the Neidorf/Phrack case.
     Gordon Meyer, co-moderator of Computer Underground Digest.

Denning opened the session by stating that although her initial intentions were to bring actual hackers in for the session, criticisms that doing so would be giving "aid and comfort to the enemy" convinced her that the next best thing, utilizing people who were closely associated with the CU, would be more prudent. This theme, aggrandizing computer criminals, would surface two or three more times during the session.

Denning started the session off by presenting each panelist with one or two questions to answer. These questions served to introduce both the speaker and various aspects of the computer underground. Her first question was to Hafner, and addressed the concern that by writing about hackers, impressionable young readers might be attracted to the "fame and glory" of the enterprise. Hafner's answer essentially focused on the hardship and emotional/financial loss each of her subjects had suffered as a result of their activities. Hardly a glorified or attractive picture of hacking.

In the other introductory questions, Zenner summarized the Neidorf/Phrack case, Frank Drake defined "cyberpunk" and described his motives in founding W.O.R.M. magazine, Goldstein discussed 2600 magazine, Neidorf discussed PHRACK Inc, and Meyer discussed CuD and defined the computer underground.

A number of themes emerged from the questions that were asked by the conference attenders:

     First Amendment rights, and the publication of stolen information.

     Morality of publishing information that could be used to break the law.

     Possible implications of hacking into a system that would threaten the life and/or safety of others.
     (such as a hospital computer)

     The obligation of companies to secure their own systems, and possible legal complications that could arise if they fail to do so.

     The perception that corporations overstate the financial impact of CU activity. How much does it really cost you for a hacker to "steal" 3 seconds of CPU time?

     Possible use of CU members or skills by organized crime.

     Ways in which companies or organizations could provide a means for CU members to provide information on security holes, without risking reprisal.

There were many more questions and comments, but unfortunately the session was not recorded. Perhaps what was even more interesting than the comments and answers themselves was the emotional reaction of the audience. Of the approximately 1600 people that registered for the conference, around 250 attended this session. Scheduled to run about an hour and a half, it lasted nearly two hours with a number of questions still remaining to be asked. Audience attention and participation were high, but couldn't be described as very "friendly" at times. Subjects that seemed especially "hot" included the financial impact of hacking, and the ease of reading and utilizing information found in personal email.

The session went quite well, with many ideas and views being exchanged on both sides. There was a feeling that some good ideas and concepts had surfaced, and perhaps both sides had learned something about the other. There was, however, a definite adversarial feeling in the air. The panelists did, for the most part, manage to keep from being cast as apologists for the CU and were straightforward with their views and opinions. Goldstein and Drake in particular served to "ease over" a couple of tough questions with the application of appropriate humor. (e.g.: Hey, if it wasn't for hackers some of you wouldn't have a job!)

Denning should be congratulated and thanked for her efforts to bring some dialogue between the CU and security professionals.
This session should be an example of the mutual benefit such meetings can bring about. If further efforts in this direction are made, rather than worrying about the politics and appearances of meeting with hackers, perhaps some moderation can be brought to both sides of the issue. Hyperbole and hysteria are hardly productive for either group, and only by shattering stereotypes and finding common ground will any resolution be possible. Let's hope that future meetings of the profession will allow for further discussions of this type.

Postscript: It was great to meet the many CuD readers that came up and introduced themselves after the session. Thanks for your comments and kind words. Also, welcome to the new CuD subscribers that were picked up as a result of this conference. Additional comments and observations regarding any aspect of the conference are most welcome from any CuD reader, send them in!

********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************