SUMMERCON, a hackers' conference conducted in the past on an "invitation only" basis, was opened to the public this year as SUMMERCON '95, sponsored by Phrack Magazine and Computer Security Technologies. Because of this new open format and some mainstream speakers (e.g., Winn Schwartau and Bob Stratton), I decided to attend and record the event for dissemination to the Information Systems Security community.
Chris Goggans, editor of Phrack, opened the conference Saturday morning, June 3, and introduced the first speaker, Robert Steele. Mr. Steele talked about hacking from an intelligence prospective. He said that with all of the security problems we currently have, industry is criminally negligent. He compared the security posture of the United States to the emperor without clothes whose nakedness almost everyone fears to declare. He suggested that hackers seek jobs either in the military or in companies where they can apply their skills in small doses. Mr. Steele said that he wants to highlight the security problems we have through publicity and litigation. He said that we have information systems with no safety net and that we could lose systems for weeks. He proposed that workers make vulnerabilities public. He further stated that unprotected systems are inviting the hacker in, and the hackers should not be prosecuted. He said that he was not as concerned about foreign countries as he is about international crime organizations. The US is not prepared, and no one in Washington is in charge, according to him. The DOD is working the problem, but the intelligence community is out of control. Mr. Steele then asked, "When is healthy misconduct good for society?" and he said that when he thinks of that question he thinks of hackers. He said that we currently occupy a house built over a sink-hole.
Eric Hughes spoke next, describing a remailer used to conceal the identity of the sender. He said that there are 20 remailers running with three-fourths of them in the US. Mr. Hughes said that many people will be performing international electronic financial transactions within a couple of years. The number of off-shore bank accounts is increasing, he said, because of relaxed regulations, and this will result in new security issues that must be addressed. He cited the Swiss as an example and said that if it is not illegal under Swiss law you do not have a problem. Bermuda, which plans to install high speed lines to the US, Venezuela, and Spain, is another example. "Regulatory arbitrage" is an important term to remember, he said. Countries work with each other based on anarchy even though there is international law. This makes international arbitrage easy on the Internet because of "locational ambiguity," and he recommends that money remailers be locationally ambiguous. This service requires remote auditing using encryption, he said, and many banks in the Caribbean will fail as the bank officials embezzle their clients' money, because they will not want to be audited so tightly.
"Unauthorized Access," a video on hacking told from the hacker's perspective, was next presented by its maker, Annaliza Savage. The video started with one hacker contending that phone and communications companies take advantage of consumers. Phyber Optic was then interviewed and said that he was just "checking out things just like others." He contended that he was used to send a message and that he is mad about it. The commentator then said that Secret Agent turned state's evidence but is still on the run for credit card fraud. Noah's parents were interviewed next and said that Noah was visited by the Secret Service, but they did not understand, because they equated what he did to petty crimes, like vandalism. The Secret Service used too heavy a hand, according to them. Noah's mother said that if she had known what he was doing, she would have done whatever it would take to stop him. Next, the video showed someone breaking into a server, a phone phreaking session, and several people searching through the trash, followed by a 2600 sequence and a HoHoCON sequence. Several European sequences followed, including one on Hack-Tic. Even though this video was developed from the hacker's perspective, it is a good security awareness tape. Ms. Savage can be contacted through the web at URL: http://bianca.com/bump/ua/ [This didn't work for me --CEL]
A pirate tape of three people breaking into a phone company Electronic Switching Station was shown next. The three wore masks and ran through the station, playing with the equipment. At one point, one accessed a database and gave some phone additional calling features for free. Another called a 900 line using a maintenance phone. Most of the time was just spent clowning around, but the intruders did show a very good understanding of the ESS.
Bob Stratton then discussed Internet issues. He discussed TCP/IP protocols and their impact on Internet security. The Internet is a net of nets and no one is running it: all hosts are equal and you need to learn whom you can trust. We cannot depend on IP addresses, because they can be spoofed. Security is moving from being a restrictive technology to an enabling technology, he said. Encryption should be like a feature on a stereo in that a light comes on when it's working (i.e., transparent to user). Internet Protocol version 6 (IPv6) will bring security features: IP Security Authentication Header, Encapsulating Security Payload, Security Associations/Security Parameter Index, and Key Management. He said that security will become transparent to the user with IPv6. Mr. Stratton also stressed the point made by Robert Steele that vendors have been grossly negligent.
Winn Schwartau spoke next on electromagnetic eavesdropping. He said NSA had a classified program called TEMPEST and that it only came out of the closet after a paper was written in Europe. He then played a tape produced by the BBC on electronic eavesdropping. While the film was somewhat dated, it showed the threat to totally unprotected commercial systems is real. Even with this demonstration, the British had a hard time generating a commercial market for TEMPEST products. Mr. Schwartau then discussed Magnetic Weapon Systems, such as HERF guns. He distributed a drawing of a 16 megawatt HERF gun that he contended could take down systems up to 100 feet away. He then showed another video on EMI at low levels. The video presented many serious EMI problems related to airlines and hospitals, such as wheelchairs out of control. Many of the people attending the conference found these stories funny. Mr. Schwartau then said the rumor that we used a virus in a printer to defeat Iraqi air defenses during the Gulf War was incorrect; instead we used magnetic weapon systems on cruise missiles to jam the Iraqi air defenses. He concluded by saying that we must consider some terrorist organization using magnetic weapon systems to damage our financial systems.
Chris Goggans concluded the conference with a discussion on international hacking. He said that the hacker community is anarchist and attacks in all directions. He suggested that the community needed focus and recommended that they all get together and attack some foreign country, such as France.
While I have attended conferences like this in the past and have found them useful for gaining a better understanding of one's adversary, this conference offered something new. This conference attracted more mainstream security professionals and I saw some real exchange of understanding on both sides. This exchange is important because ethics and moral behavior are not paramount concerns of most of the crackers. They see themselves on some moral mission to crack the systems they encounter. They have the anti-establishment mentality of the 60's hippie generation. If our goal is to make our systems as secure as possible, then we need to also work on changing attitudes. I do not think that any miracles occurred along those lines at SUMMERCON '95, but some important steps were taken.