==Phrack Inc.== Volume Three, Issue Thirty-five, File 3 of 13 -*[ P H R A C K XXXV P R O P H I L E ]*- -=>[ Presents ]<=- Sincerely Yours, Chris Goggans -===--===--===--===--===--===- by S. Leonard Spitz Associate Publisher INFOSecurity Product News "A provocative interview with a former member of the "Legion of Doom" suggests that the ethics of hacking (or cracking) are often in the eye of the beholder." Malicious hackers, even though most operate undercover, are often notorious for the colorful pseudonyms they travel under. Reformed hackers, however, prefer a low profile so as to shed their image of perceived criminality. Kevin Mitnick, infamous for the DEC caper, is one of the foremost advocates of this strategy. Now comes Chris Goggans, trailing his former "Legion of Doom" moniker, Erik Bloodaxe, behind him, to try it his way. Goggans insists that where once he may have bent the rules, he is now ready to give something back to society. And coming across with a high degree of sincerity, he affirms his intention to try. Are he and his colleagues, wearing their newly acquired information security consultants hats, tilting at windmills, or does their embryonic, cracker-breaking start-up, Comsec Data Security Co., stand a fighting chance? We thought we would ask him. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ISPNews: I am going to ask several legitimate questions. Please answer them completely, truthfully, and honestly. Chris Goggans: OK. JUDGEMENT BY THE MEDIA ISPNews: Would you react to Computerworld's July 29 piece, "Group Dupes Security Experts," in which members of your organization were accused of masquerading as potential customers to obtain information, proposals, and prices from other security consultants? CG: We were all amazed that something like that would ever be printed because, as we understand common business practices, we weren't doing anything unusual. ISPNews: Computerworld reported that the Legion of Doom was "one of the nation's most notorious hacker groups, according to federal law enforcers." Can you respond to that? CG: Notorious is a relative term. There has always been a shroud of mystery covering the Legion of Doom, because it was an organization whose membership was private. When you keep people in the dark about the activities of something, there is always going to be the perception that more is going on than there really is. ISPNews: Would you say then that the characterization of being notorious is unfair? CG: To some degree, yes. There certainly was activity going on within the group that could be considered illegal. But most of this was taking place when members of the group were all between the ages of 14 and 17. While I don't want to blame immaturity, that's certainly a factor to be considered. The Legion of Doom put out four on-line electronic newsletter composed of different files relating to various types of computer systems or netware. They explained different operating systems or outlined different procedures used by networks. They were always informative and explained how to use a computer. We never said "This is a computer and this is how to break into it." Colorful names and words used to describe groups also add to notoriety. If we had been the "Legion of Flower Pickers," the "Legion of Good Guys," or the "SuperFriends," there probably wouldn't be this dark cloud hanging over the group. ISPNews: Could you be charged with intent to provide information to others which would make it easier to gain unauthorized access? CG: I don't see how that could be a charge. There's the first amendment. I maintain that talking about something and encouraging or forcing someone to do it are completely different. EARNING AN "A" IN INFOSECURITY ISPNews: What attracted you to computer security? CG: The same thing that would attract anybody to being a hacker. For half of my life I've been in front of a computer every day. Sometimes from early in the morning until the wee hours of the night. And my particular focus has been on computer security. ISPNews: At least the dark side of that coin. CG: I wouldn't say the dark side. I'd say the flip side. If you do something for 11 years, you are going to pick up a lot of knowledge. And I've always wanted to find some kind of productive career that I thoroughly enjoyed. So this was just an obvious progression. No one wants to be a 40-year-old hacker living in fear of the Secret Service. ISPNews: When you first applied to enter college, did you feel that it was the right place to learn about information security? CG: Yes, I thought it was the right place, mainly because college is the most obvious choice to pursue an education in any field. I just assumed that I would be able to find formal training leading to certification or a degree in this field. Yet, at the University of Texas, there wasn't anything along those lines. ISPNews: Did you graduate from the University of Texas? CG: No, I changed majors and then moved to Houston. I had started out in computer science but it was completely unrelated to any kind of career I wanted to pursue. I eventually changed my major to journalism. There are only two things I like to do: Work on computers, and write. So, if I wasn't going to get a degree in one, it was going to be in the other. I'm a semester away, and I do plan on finishing. ISPNews: If you were to structure a college curriculum for studies in information security, would you design it to focus on technical issues, ethics, business issues, or legal matters? CG: I would try to focus on all of these. If you don't have a technical background, you can't understand the way the operating system works, and you really can't focus on some of the issues that need to be addressed with information security. Ethics certainly come into play ass well for obvious reasons. I don't think hackers are going to go away. Even with the advent of newer technology, there are always going to be people who have an interest in that technology and will learn how to manipulate it. ETHICS, INTELLECTUAL PROPERTY RIGHTS, AND THE LAW ISPNews: What is your definition of a hacker? CG: A Hacker is someone who wants to find out everything that there is to know about the workings of a particular computer system, and will exhaust every means within his ability to do so. ISPNews: Would you also comment on the ethics of hacking? CG: There is an unwritten code of ethics that most people tend to adhere to. It holds that: no one would ever cause damage to anything; and no one would use any information found for personal gain of any kind. For the most part, the only personal gain that I have ever seen from any sort of hacking activity is the moderate fame from letting others know about a particular deed. And even in these cases, the total audience has been limited to just a few hundred. ISPNews: Are you unaware of hackers who have in fact accessed information, then sold it or massaged it for money? CG: No, certainly not. I am just acknowledging and defining a code of ethics. We of the Legion of Doom tried to adhere to that code of ethics. For example, members of the original nine who acted unethically were removed from the group. ISPNews: Do you believe that penetrating a computer system without either making changes or removing information is ethical, or a least is not unethical? CG: At one time in the past I may have held that belief, but now I certainly must not, because the whole idea of being involved in the formation of my new company, Comsec Data Security, would show otherwise. ISPNews: So today, you believe that unauthorized entry is unethical. CG: Exactly. As a hacker, I didn't particularly hold that. But as things such as invasion of privacy, even though I never caused any damage, and breach of trust became more apparent to me, I was able to step back, see the picture, and realize it was wrong. ISPNews: Can I conclude that you are speaking for you company and its principals? CG: Yes, I am speaking for all of the principals. ISPNews: What are your views on the ownership of information? CG: I feel that proprietary information, national-security-related information, information that could be considered a trade secret, all definitely have ownership, and access should be restricted. In the past, I felt that information that affected me or had some relevance to my life should be available to me. I felt that information should be available to the people it affected, whether that be phone company information, credit bureau information, banking information, or computer system information in general. I am saying this in the past tense. In the present tense, I feel that the public is entitled only to information in the public domain. Information not available legally through normal channels is just going to have to be left at that. ISPNews: Do you believe that software should always be in the public domain.? CG: No, I do not. If I wrote something as wonderful as Lotus, or any of the Microsoft programs, or Windows, I would want people to pay for them. ISPNews: Then you do believe in private ownership of and protection for software? CG: Yes, definitely. ISPNews: What are you views on current U.S. Computer crime laws? CG: I think that the current laws are too broad. They do not make distinctions between various types of computer crimes. I consider breaking into a computer akin to trespassing. If someone simply walks across my lawn, I might be upset because they trampled my grass, but I would leave it at that. If someone drives across my lawn and leaves big trenches, and then comes over and kicks down my rosebush, well that's another thing. Then, if someone drives up my steps, goes through my house, through my kitchen, steals all my silverware, and then leaves, that's something completely different. And while these physical representations of trespassing can't be applied directly to an electronic format, distinctions are still necessary. ISPNews: And the present computer crime laws do not make these distinctions? CG: I am no lawyer, but from my understanding they do not. They need to be brought into focus. ISPNews: If they were brought into the kind of focus you suggest, would they be fair and equitable? CG: Definitely, depending on the punishment that went along with them. I don't think that people who own and operate computer systems would view someone who has logged into their system using a guest account that was deliberately left with no password to be as serious an intrusion as someone who got the system administrator password and then went through and deleted all the files. I don't think that simple intrusion would be considered as serious as unauthorized penetration along with the wholesale theft and sale to a competitor of marketing information, and advertising plans, and financial projections for the next quarter. ISPNews: What are your views on security training for users? CG: People need to be taught what the computer operating system is and how it works. After that, they need to establish some sort of channel by which information can be transmitted to others. Direct physical contact between communicating parties, covered by official, standard company procedures, is the best way to do this. People need to be aware that their account, no matter the level of importance, is a link in a chain that makes up the security of the system. Information from one account can be used as a springboard to other, more powerful accounts. All users within a network must understand that their information is just as important in the security chain as is that of the next person. ISPNews: Given where you are coming from, why should a potential client trust you? CG: I know that is a natural question. Just the very nature of creating a company should project an image that we are trying to come out of the shadows, out of the underground. We are saying, "Look everybody, we've been doing this for a long time, now we want to help. We have 11 years of working information about how people compromise existing security, and we can help with your particular situation." ISPNews: I am sure that you understand the natural suspicion that people have. CG: No, that's what I don't understand. If we at Comsec were out to compromise information from an existing company's computer network, we wouldn't have incorporated. We could have done that, and someone else out there probably has already done so. Then the information would be available to from one hacker to another. ISPNews: Are you suggesting there is no system out there that you can't break into? CG: No, I'm not suggesting that. But I am saying the vast majority can be penetrated. ISPNews: Which system is easiest to crack; and which is most difficult? CG: It is hard to say which system is more inherently penetrable than another. From the initial log-in, it's not the operating system; rather it's the system's operating environment that is the problem. Users may not have addressed security measures. Certain types of security holes may not have been closed. That's where a technical background comes into play: to understand the way the applications work; how different systems are accessed; to close holes in the system which have become apparent. You have to deal with human factors and technical issues. You must understand the way the computer works and the way programs are run. ISPNews: What is the best way to foil hackers? CG: It depends on the hacker. There are different types. Some people hack with modems. The casual hacker may just stumble across your particular computer system, and may be foiled with something as simple as good external security. He may be turned off by physical security devices such as a call-back modem, some sort of code access, or smart card. These measures will not stop a serious hacker who is after your company specifically. In this case, you have to beef up security, and take additional steps to ensure the safety of your computer. And you must make certain that security on the inside is as tight as on the outside. ISPN Editor's Note: Chris Goggans will respond, in every other issue of ISPNews, to your questions on hacking computer systems. His answers promise to be problem-solving, interesting, and even entertaining. We invite you to write Chris c/o: "Hackers' Mailbag" ISPNews 498 Concord Street Framingham, MA 01701-2357 _______________________________________________________________________________