IDG logo

Advertise with InfoWorld

SiteMapNewsTest CenterOpinionsForumsCareersStock QuoteSubject IndexesAbout UsSearch SubscribeHome
This way to >>>
[Security Watch]
August 17, 1998

Black Hat: We have seen the enemy and they are ... being interviewed on CNN

One of the oldest guidelines for establishing strong corporate information security is proper risk assessment. Otherwise, a company can spend an exorbitant amount of money on technology to defend its network from less than worthy adversaries.

The InfoWorld Security Team recently journeyed to the infamous DefCon annual hackers conference (, taking place amidst the shimmering heat and jingling slot machines of Las Vegas. This year's sixth iteration was accompanied for the second time by a peripheral event of a different sort: The Black Hat Briefings (

Promoted by Secure Computing's Jeff Moss, who founded the original DefCon gathering, Black Hat is dedicated to training IT professionals who may not otherwise get the nod to attend the more notorious DefCon.

The Black Hat concept is a worthy one at first glance: Gather hackers and corporate adversaries into one room so both sides can properly size each other up. In this environment, the potential for real-world risk assessment and quantifying security threats is greater: There are few forums in which one can get up close and personal with renowned members of the hacking community whom you hear so much about but still can't quite identify with. The experience is truly fascinating, but the resulting conclusions of this meeting of the minds may surprise security-minded networking folk who stay up late at night worrying about those omnipotent hackers emphatically stalking them over the wires.

The threat is real

It turns out most of the big names in hacking happen to be human. While hackers such as Mudge, Dildog, and Hobbit are undeniably dedicated tinkerers and provocative thinkers, they exhibit typical human frailties that suggest the threat may be somewhat overestimated. For the most part, this is an eccentric and egotistical bunch, quick to play insider/outsider with their knowledge and skills. They rely heavily on creating the perception of omnipotence with all things digital, projecting an undeservedly fearsome reputation.

In many ways, it's hard to take some of these individuals seriously when they're spreading gloom about inherent vulnerabilities in low-level operating system code one moment and hyping their latest Microsoft exploit program in front of CNN's klieg lights the next. We're all for the release of such utilities into the public domain (assuming proper protocols are followed), but it still rubs us the wrong way when we see such tools blatantly pushed into the public's face on national television. The release of Cult of the Dead Cow's new Windows 95/Windows 98 exploit, Back Orifice, is a primary example of this phenomenon. (See and the related links on their homepage to CNN, MSNBC, and others.)

The Back Orifice software is being tested in our labs and will be detailed in next week's column, but appears to take advantage of the numerous insecure aspects of the Windows 95/Win 98 API set.

Although the theatrics of hacker groups sometimes masks their important work, the hyped threat is as much noise as substance. Listening to the cacophony coming out of major media outlets, one can easily get the impression that hackers are the enemy of network administrators everywhere. As their trade gains more exposure and legitimacy in the mainstream, this viewpoint will no doubt continue to be blown out of proportion.

Ironically, these folks are doing more than any vendor to further the goals of secure computing, performing valuable functions for the IT community by pointing out unforgivable design flaws in so-called "secure" products. Understanding the hackers who attend Black Hat and DefCon -- who are fueled by ego and motivated by curiosity -- is a key to putting the threats into perspective. Who do you trust to tell the truth about product security -- hackers or vendors? Let us know at

Test Center Support Manager Stuart McClure and Technology Analyst Joel Scambray have managed information security in academic, corporate, and government environments for the past nine years.

Missed a column? Go back for more.

Copyright © 1998 InfoWorld Media Group Inc.


Copyright © 2004. InfoWorld Media Group, Inc. is a member of complies with the ASME guidelines with IDG extensions For New media.