==Phrack Inc.==
Volume Three, Issue Thirty-five, File 3 of 13
-*[ P H R A C K XXXV P R O P H I L E ]*-
-=>[ Presents ]<=-
Sincerely Yours, Chris Goggans
-===--===--===--===--===--===-
by S. Leonard Spitz
Associate Publisher
INFOSecurity Product News
"A provocative interview with a former member of the "Legion of Doom" suggests that the ethics of hacking (or cracking) are often in the eye of the beholder."
Malicious hackers, even though most operate undercover, are often notorious for the colorful pseudonyms they travel under. Reformed hackers, however, prefer a low profile so as to shed their image of perceived criminality. Kevin Mitnick, infamous for the DEC caper, is one of the foremost advocates of this strategy.
Now comes Chris Goggans, trailing his former "Legion of Doom" moniker, Erik Bloodaxe, behind him, to try it his way. Goggans insists that where once he may have bent the rules, he is now ready to give something back to society. And coming across with a high degree of sincerity, he affirms his intention to try. Are he and his colleagues, wearing their newly acquired information security consultants hats, tilting at windmills, or does their embryonic, cracker-breaking start-up, Comsec Data Security Co., stand a fighting chance? We thought we would ask him.
ISPNews: I am going to ask several legitimate questions. Please answer them completely, truthfully, and honestly.
Chris Goggans: OK.
JUDGEMENT BY THE MEDIA
ISPNews: Would you react to Computerworld's July 29 piece, "Group Dupes
Security Experts,"
CG: We were all amazed that something like that would ever be printed
because, as we understand common business practices, we weren't doing
anything unusual.
ISPNews: Computerworld reported that the Legion of Doom was "one of the nation's most notorious hacker groups, according to federal law enforcers." Can you respond to that?
CG: Notorious is a relative term. There has always been a shroud of
mystery covering the Legion of Doom, because it was an organization
whose membership was private. When you keep people in the dark about
the activities of something, there is always going to be the
perception that more is going on than there really is.
ISPNews: Would you say then that the characterization of being notorious is unfair?
CG: To some degree, yes. There certainly was activity going on within
the group that could be considered illegal. But most of this was
taking place when members of the group were all between the ages
of 14 and 17. While I don't want to blame immaturity, that's
certainly a factor to be considered.
The Legion of Doom put out four <issues of an> on-line electronic
newsletter <called the Legion of Doom Technical Journals> composed
of different files relating to various types of computer systems
or netware. They explained different operating systems or
outlined different procedures used by networks. They were always
informative and explained how to use a computer. We never said
"This is a computer and this is how to break into it."
Colorful names and words used to describe groups also add to
notoriety. If we had been the "Legion of Flower Pickers," the
"Legion of Good Guys," or the "SuperFriends," there probably
wouldn't be this dark cloud hanging over the group.
ISPNews: Could you be charged with intent to provide information to others which would make it easier to gain unauthorized access?
CG: I don't see how that could be a charge. There's the first amendment.
I maintain that talking about something and encouraging or forcing
someone to do it are completely different.
EARNING AN "A" IN INFOSECURITY
ISPNews: What attracted you to computer security?
CG: The same thing that would attract anybody to being a hacker. For
half of my life I've been in front of a computer every day.
Sometimes from early in the morning until the wee hours of the night.
And my particular focus has been on computer security.
ISPNews: At least the dark side of that coin.
CG: I wouldn't say the dark side. I'd say the flip side. If you do
something for 11 years, you are going to pick up a lot of knowledge.
And I've always wanted to find some kind of productive career that I
thoroughly enjoyed. So this was just an obvious progression. No one
wants to be a 40-year-old hacker living in fear of the Secret
Service.
ISPNews: When you first applied to enter college, did you feel that it was the right place to learn about information security?
CG: Yes, I thought it was the right place, mainly because college is the
most obvious choice to pursue an education in any field. I just
assumed that I would be able to find formal training leading to
certification or a degree in this field. Yet, at the University of
Texas, there wasn't anything along those lines.
ISPNews: Did you graduate from the University of Texas?
CG: No, I changed majors and then moved to Houston. I had started out in
computer science but it was completely unrelated to any kind of
career I wanted to pursue. I eventually changed my major to
journalism. There are only two things I like to do: Work on
computers, and write. So, if I wasn't going to get a degree in one,
it was going to be in the other. I'm a semester away, and I do plan
on finishing.
ISPNews: If you were to structure a college curriculum for studies in information security, would you design it to focus on technical issues, ethics, business issues, or legal matters?
CG: I would try to focus on all of these. If you don't have a technical
background, you can't understand the way the operating system works,
and you really can't focus on some of the issues that need to be
addressed with information security.
Ethics certainly come into play ass well for obvious reasons. I
don't think hackers are going to go away. Even with the advent of
newer technology, there are always going to be people who have an
interest in that technology and will learn how to manipulate it.
ETHICS, INTELLECTUAL PROPERTY RIGHTS, AND THE LAW
ISPNews: What is your definition of a hacker?
CG: A Hacker is someone who wants to find out everything that there is to
know about the workings of a particular computer system, and will
exhaust every means within his ability to do so.
ISPNews: Would you also comment on the ethics of hacking?
CG: There is an unwritten code of ethics that most people tend to adhere
to. It holds that: no one would ever cause damage to anything; and
no one would use any information found for personal gain of any kind.
For the most part, the only personal gain that I have ever seen from
any sort of hacking activity is the moderate fame from letting others
know about a particular deed. And even in these cases, the total
audience has been limited to just a few hundred.
ISPNews: Are you unaware of hackers who have in fact accessed information, then sold it or massaged it for money?
CG: No, certainly not. I am just acknowledging and defining a code of
ethics. We of the Legion of Doom tried to adhere to that code of
ethics. For example, members of the original nine who acted
unethically were removed from the group.
ISPNews: Do you believe that penetrating a computer system without either making changes or removing information is ethical, or a least is not unethical?
CG: At one time in the past I may have held that belief, but now I
certainly must not, because the whole idea of being involved in the
formation of my new company, Comsec Data Security, would show
otherwise.
ISPNews: So today, you believe that unauthorized entry is unethical.
CG: Exactly. As a hacker, I didn't particularly hold that. But as
things such as invasion of privacy, even though I never caused any
damage, and breach of trust became more apparent to me, I was able to
step back, see the picture, and realize it was wrong.
ISPNews: Can I conclude that you are speaking for you company and its principals?
CG: Yes, I am speaking for all of the principals.
ISPNews: What are your views on the ownership of information?
CG: I feel that proprietary information, national-security-related
information, information that could be considered a trade secret, all
definitely have ownership, and access should be restricted.
In the past, I felt that information that affected me or had some
relevance to my life should be available to me. I felt that
information should be available to the people it affected, whether
that be phone company information, credit bureau information, banking
information, or computer system information in general. I am saying
this in the past tense.
In the present tense, I feel that the public is entitled only to
information in the public domain. Information not available legally
through normal channels is just going to have to be left at that.
ISPNews: Do you believe that software should always be in the public domain.?
CG: No, I do not. If I wrote something as wonderful as Lotus, or any of
the Microsoft programs, or Windows, I would want people to pay for
them.
ISPNews: Then you do believe in private ownership of and protection for software?
CG: Yes, definitely.
ISPNews: What are you views on current U.S. Computer crime laws?
CG: I think that the current laws are too broad. They do not make
distinctions between various types of computer crimes. I consider
breaking into a computer akin to trespassing. If someone simply
walks across my lawn, I might be upset because they trampled my
grass, but I would leave it at that. If someone drives across my
lawn and leaves big trenches, and then comes over and kicks down my
rosebush, well that's another thing. Then, if someone drives up my
steps, goes through my house, through my kitchen, steals all my
silverware, and then leaves, that's something completely different.
And while these physical representations of trespassing can't be
applied directly to an electronic format, distinctions are still
necessary.
ISPNews: And the present computer crime laws do not make these distinctions?
CG: I am no lawyer, but from my understanding they do not. They need to
be brought into focus.
ISPNews: If they were brought into the kind of focus you suggest, would they be fair and equitable?
CG: Definitely, depending on the punishment that went along with them. I
don't think that people who own and operate computer systems would
view someone who has logged into their system using a guest account
that was deliberately left with no password to be as serious an
intrusion as someone who got the system administrator password and
then went through and deleted all the files. I don't think that
simple intrusion would be considered as serious as unauthorized
penetration along with the wholesale theft and sale to a competitor
of marketing information, and advertising plans, and financial
projections for the next quarter.
ISPNews: What are your views on security training for users?
CG: People need to be taught what the computer operating system is and
how it works. After that, they need to establish some sort of
channel by which information can be transmitted to others. Direct
physical contact between communicating parties, covered by official,
standard company procedures, is the best way to do this.
People need to be aware that their account, no matter the level of
importance, is a link in a chain that makes up the security of the
system. Information from one account can be used as a springboard to
other, more powerful accounts. All users within a network must
understand that their information is just as important in the
security chain as is that of the next person.
ISPNews: Given where you are coming from, why should a potential client trust you?
CG: I know that is a natural question. Just the very nature of creating
a company should project an image that we are trying to come out of
the shadows, out of the underground. We are saying, "Look everybody,
we've been doing this for a long time, now we want to help. We have
11 years of working information about how people compromise existing
security, and we can help with your particular situation."
ISPNews: I am sure that you understand the natural suspicion that people have.
CG: No, that's what I don't understand. If we at Comsec were out to
compromise information from an existing company's computer network,
we wouldn't have incorporated. We could have done that, and someone
else out there probably has already done so. Then the information
would be available to from one hacker to another.
ISPNews: Are you suggesting there is no system out there that you can't break into?
CG: No, I'm not suggesting that. But I am saying the vast majority can
be penetrated.
ISPNews: Which system is easiest to crack; and which is most difficult?
CG: It is hard to say which system is more inherently penetrable than
another. From the initial log-in, it's not the operating system;
rather it's the system's operating environment that is the problem.
Users may not have addressed security measures. Certain types of
security holes may not have been closed. That's where a technical
background comes into play: to understand the way the applications
work; how different systems are accessed; to close holes in the
system which have become apparent. You have to deal with human
factors and technical issues. You must understand the way the
computer works and the way programs are run.
ISPNews: What is the best way to foil hackers?
CG: It depends on the hacker. There are different types. Some people
hack with modems. The casual hacker may just stumble across your
particular computer system, and may be foiled with something as
simple as good external security. He may be turned off by physical
security devices such as a call-back modem, some sort of code access,
or smart card.
These measures will not stop a serious hacker who is after your
company specifically. In this case, you have to beef up security,
and take additional steps to ensure the safety of your computer. And
you must make certain that security on the inside is as tight as on
the outside.
ISPN Editor's Note: Chris Goggans will respond, in every other issue of ISPNews, to your questions on hacking computer systems. His answers promise to be problem-solving, interesting, and even entertaining. We invite you to write Chris c/o:
"Hackers' Mailbag"
ISPNews
498 Concord Street
Framingham, MA 01701-2357