"we won't hire you if you have a record"





When Fred Rica attended his first "Def Con," the annual computer hacker confab in Las Vegas, a teenage boy stopped him outside the convention hall.

"I found the fed! I found the fed!" the youth exclaimed, as a scruffy crowd, mostly young and male, gathered around the clean-cut figure with the square jaw of a federal agent.

Rica was indeed an outsider in the world of underground computing, but he's no fed. He was attending the hacker get-together on business _ the business of computer security.

Over the past eight years, Rica has worked for the accounting firm Price Waterhouse practicing a rare art best described as preventive computer hacking.

Price Waterhouse clients hire Rica's Morristown-based group to break into their own systems, then recommend ways to keep outsiders from doing the same.

It's like a bank hiring a couple of safecrackers to consult on robbery prevention _ except that Rica is quite clear on the difference between his group and the forces of hackerdom.

"It's our integrity," he says. "We don't hire ex-hackers. We don't hire people who put down on their resume that they hacked their high school grading system and changed their grades."

[And no hacker would ever omit their deeds on a resume in order to get a high paying job. The level of naivety Rica and PWC show is amazing.]

These are hackers you can trust, and they're not the only ones. Dozens of companies, ranging from prestigious firms such as Price Waterhouse to one-person outfits, are now offering paid advice on computer security.

And the reason isn't hard to see. One survey, by researchers at Michigan State University, found that 99 percent of all companies have experienced at least minor breaches of computer security over the last five years.

That may sound hard to believe, until you consider that more than three-quarters of all security problems come from the inside. Disgruntled ex-employees, agents of corporate espionage, and basically innocent but curious computer users who mistakenly delete the wrong file can be the culprits.

WarRoom Research, a Baltimore consulting firm, surveyed more than 200 companies last year and found that 15 percent reported "internal security breaches" resulting in losses greater than $1 million.

The job of safeguarding security is difficult, and often beyond the scope of most companies^ in-house computer talent. It takes a special kind of dedication to immerse oneself in the technology and culture of computer hacking _ which Rica believes is the only way to do the job.

"You can't learn how to do this in school," he says.

Rica's unit, one of several Price Waterhouse has across the country, has been hired to break into the computer systems of more than 100 companies. Each "attack and penetration" mission has yielded the same result: The system is broken into, and Rica's crew breaks into a "touchdown" victory dance.

"We'll be at a client's office working for two weeks in a conference room and getting nowhere," Rica says. "Then we'll have a breakthrough, and it's such a great feeling. Sometimes we'll be hooting and hollering so much that someone will have to tell us to keep it down."

Even though they're working for the forces of good, the hired hackers experience the same intellectual exhilaration that inspires many in the computer underground to attempt computer break-ins.

While many people often equate computer hackers with criminality, the reality is much more complex, Rica says. The majority, he says, including some of the most elite hackers in the world, are in the game merely for sport, driven by their dogged curiosity about the way computers work.

Like university researchers reporting in an academic journal, elite hackers like to tell of their latest discoveries in underground computer publications and on the Internet. This knowledge helps computer professionals such as Rica and computer software companies plug security gaps.

"We have a lot of respect for these guys," Rica says. "If they really wanted to do this for a financial gain, they wouldn't be running around in tie-dye, they'd be off on some island somewhere. But that still doesn't mean it's OK to let them into your system."

By now, many top figures in the computer underground know the top people in computer security, and the respect has become mutual. At this year's Def Con, Rica and his team again tried to pick the brains of the hacking elite.

"These guys will talk to you if you show them you know what you're talking about," says George Kurtz, another member of the Price Waterhouse team. "So we spent a lot of time at Def Con this year chatting with the really smart guys."

Like a football team, the computer security squad at Price Waterhouse comprises members with different skills and positions. Kurtz is the Internet specialist, which means he doesn't keep regular hours. In addition to studying how hackers can exploit the Internet as a passage into a company's computer system, Kurtz knows all the dark corners where hackers congregate to swap tips. And hackers don't keep 9-to-5 hours.

"I'm usually the one who comes in to work with bags under my eyes," Kurtz says.

So how does one launch a preemptive attack on a computer system? Very scientifically, Rica says.

First the team tests a company's computer system to determine possible points of entry. These could be modems that employees use to log on from home. Or computers the company has hooked into the Internet. Large companies often have trouble keeping a complete inventory.

Once all of the intrusion points are cataloged, the team runs a slew of tests based on frequently encountered security flaws. For example, most software programs come with a generic password built in. If the system manager forgets to change the password, any hacker who knows the generic can waltz right onto the company network.

Once inside the system, Rica's team sees just how deep it can go.

"A very common problem is that companies will put up a good hard shell on the outside but be very soft on the inside," Rica says. He remembers once being able to have the full run of a company's network just because a single work station _ one of hundreds _ was misconfigured.

Gaining entry may be all an outsider needs to cause trouble. A joy-riding hacker might not be interested in stealing information, but still can cause problems.

"Once they break in, it might be hard to get anything," Kurtz says, "so then they'll just wreck the system instead."

Many young hackers say they don't mean any harm by their dalliances, and some say they want to work in computer security when they grow up.

Rica has this advice for them: Stay clean.

"You can be the best hacker in the world," he says, "but we won't hire you if you have a prison record."

[Wait.. they just said they don't hire hackers. Now they don't hire hackers with records... so if they got away with heinous crimes, all good!]

main page ATTRITION feedback