04 Nov 1999
Hackers can help companies improve security and force vendors to acknowledge holes in their software, representatives of the dark IT art said yesterday.
At the Compsec 99 conference in London, convicted US hacker Kevin Poulsen, who served a five-year prison sentence for his activities, and white hat hacker Sir Dystic, who is best known as the author of the trojan horse program Back Orifice, told a packed house of delegates about how and why they do what they do.
Gaining illegal entry to other people's computer systems, known as hacking, remains one of the more publicly exciting aspects of a profession that is popularly perceived to be short on glamour and long on geek factor.
While curiosity is the prime motivation for most programmers to start hacking, Poulsen explained how he crossed the moral and legal divide when he was on the run from the FBI for some illegal but harmless out-of-hours hacking he had engaged in while in the employ of a contractor to the US defence department.
During this period, he supported himself by tapping into radio stations' competition lines to win luxury cars, holidays and other prizes for himself and his friends.
Now a consultant and writer, Poulsen played down the suggestion that hackers were a key weapon in the corporate espionage game.
"I don't think hacking is the best way to gather economic intelligence," he said. "If you want to get specific information from specific companies, you're better off getting a job as a temp or a janitor." "Except for websites, hacking is an engagement - it's relatively rare and it's an ongoing 'dance'."
"I don't think big-time hacking is happening on a corporate level," he added.
For all their paranoia about other companies stealing their secrets, many organisations were not concerned about the prospect of gaining illegal entry to others' systems, provided they could remain undetected, Sir Dystic claimed.
He said he had been asked by many organisations to do so, and had refused.
"Most companies just want the information, they don't care if illegal means are used to get it," Sir Dystic said.
He said white hat hackers could play a legitimate role in raising public awareness of security breaches in commercially available software, which the vendors would prefer to ignore.
Following his release of Back Orifice, which allows users to take control of Windows machines remotely, Microsoft programmers had privately commended his actions, Sir Dystic claimed.
"Companies' marketing departments won't allow them to fix these problems until they become public," he said.
One delegate from Fuji Bank backed up these assertions. Only by showing senior executives some hacker tools and the ease with which they could be used to gain access to corporate systems had the organisation been persuaded to improve its security policy, he claimed.