13 Apr 2000
Hackers claimed today to be allies of the security industry without whom a vast number of potentially devastating exploits would go unnoticed.
"Most innovations in security come from hackers," said self-styled Sir Dystic, author of the infamous Back Orifice tool and member of the hacker group Cult of the Dead Cow (CdC), as he addressed an audience of security experts at the Infosec conference in London today.
"Hackers raise the bar for security and find holes that wouldn't otherwise be found," said Kent Browne of Condemned.org, a group of volunteer hackers that target child pornography sites.
Browne said even the best intrusion detection tools identify only about 50 per cent of these exploits. The so-called zero day exploit list, which is circulated between elite hackers, features a minimum of 100 fresh vulnerabilities a week, he claimed.
Sir Dystic also said that all the hackers active five years ago are now working for security firms. He also controversially claimed that his Back Orifice program was only perceived as a hacking tool - and not remote administration software - because it is free.
"The CdC are perceived as bad guys, but they are helping business raise attention to issues," said Sir Dystic, who said the software had been used internally by many systems administrators who could not get the money for commercial products.
Echoing statements from Microsoft about problems in its code, Sir Dystic said that "people are using bugs in the code of Back Orifice as features".
When questioned on the security of Windows products compared to Linux, Sir Dystic said Microsoft's poor security record with its products was a good argument for open source, but he admitted there was always a trade-off between security and usability.
Marc Rogers, security consultant at Closed Networks, said that "if Microsoft released its source code as open source it would show the security bugs that routinely allow hackers to gain access to systems".
Whilst emphasising hackers' positive role, Sir Dystic admitted there were malicious people in the digital underground, particularly the Russian mafia, which is actively recruiting hackers.
"I don't consider the Russian mafia to be hackers - they're just criminals breaking into a new field," said Sir Dystic, who added that script kiddies "who deserve a good smacking" and disaffected employees are a far more serious problem for companies.
The possibility that data could be corrupted or 'poisoned' was a far greater threat than denial of service attacks, he added.