Australian Share/Guide Conference
Sunday March 6th 1994
Sheraton Hotel - Brisbane
Second Draft
 
© Copyright 1994 - I'll Do Anything For Money Pty Ltd
All rights reserved
 
SUGGESTED INTRODUCTION: The theme of this conference "Protecting your IT investment" can be approached from many different angles, not only limited to the topics that will be discussed over the next few days. In recent years many people have used their considerable computing and, dare I say it, hacking skills to benefit the computer community. This evening our guest speaker is going to address us from that point of view, the person who was once our enemy but is now our ally. The last few years have seen him become a leading consultant to industry in information protection, and I can personally vouch for his effectiveness. Would you please welcome our key-note speaker who I am sure you are going to find interesting and informative, Mr David Hanwood.
 
 

 
Thank you .................. Everything you said about me in your introduction is true, and I should know, I wrote it.
 
Good evening Ladies and Gentlemen. It is a pleasure for me to be here tonight addressing and apparently being welcomed by a group of people by whom I used to go to great lengths to avoid being detected. For those of you who I have met before, greetings again. I say that knowing well that I have most definitely met some of you before, although possibly you would not make the connection. It might have been a friendly little note left in the admin area of your system or a playful prank that appeared on your screens on April Fool's Day.
 
 
However, I can assure you that while you may have had reason to curse me for my appearance in your systems, at no time did I give you cause to despise me for doing malicious damage to data or software. I was primarily an explorer, attracted by the challenge, or lack thereof, offered by computer security. Of course, I was not the first, nor will I be the last person to attempt to breach a computer's security, hence me making a living out of working on the other side, your side, these days. However, during my wayward days, I was regarded as tenacious and skilful and occasionally read of my deeds in magazines and newspapers, including the computer section of the Australian.
 
 
Once again I must emphasise that the incidents I was involved with that made it into the press were mischievous rather than destructive. In retrospect, the one thing I regret was not leaving a distinctive calling card so I could capitalise on my notoriety. In fact, since there was no way to link any of the episodes to a single person it was made to appear that there were many hackers out there, thereby providing fuel for the media to capitalise on when talking about computer crime or suchlike. I also had to chuckle to myself when someone else would boast of a deed for which I knew I was responsible. I guess I was lucky. Having wealthy parents gave me all the time and resources I could want; for that reason it was easy to indulge in what was becoming a compulsive activity. I was bored with games like Leisure Suit Larry and wanted some real challenges.
 
 
To me, hacking was like a big computer game and the security systems were just part of the puzzles to be figured out. We all know that "practice makes perfect" and I honed my hacking skills to the point where I was pretty damned good, if I do say so myself. I had the ability to get into almost any system I tried and in the process I spent a lot of time exploring various gateways and data connections. I chatted in real time with other hackers and in various public networks around the world. The best part was, it didn't cost me a cent. This skill gave me a unique opportunity to put various systems to the test and compare them. As you would all be aware, in many cases, security is no more than a pathetic joke, but I will come to that later.
 
 
Hacking remained a game for quite a while. After all, I reasoned, the worst thing that could happen and had ever happened was that I would be locked out of the system. But usually, after four or five visits I would want to move on to the next system and challenge anyway. It was all cruising along until one day there was an unexpected twist in the sequence of events. I was caught, but instead of the usual instant lock out, the system administrator made contact with me. I must admit I felt a little foolish when I discovered I was being watched. I didn't think the host had noticed my comings and goings - the hunter being hunted, so to speak. This guy was impressed with what he had observed as he watched me poke around his system. He had sat watching or had logged my actions and noticed that I didn't do any damage, didn't try to download files, set up back doors, apart from the one I used, and didn't mess with e-mail or any of the like.
 
 
One day I logged on and there was a message for me. It read "The security and complexity of this system is obviously no challenge to you. Interested in trying to get into another? One thousand Australian dollars if you can beat it. This is not a set-up, I need it tested. Reply to " - and left an address that I tracked down to a very secret area that only he had access to. This guy might have even been craftier than me. As an added safeguard he had included a routine to wipe the whole area if anyone tried to force their way in through the front door.
 
 
I can't tell you who or where that was because I have no doubt there would be some uncomfortable questions asked about why I was allowed free and easy access without any effort being made to track me down. I also can't tell you the nature of the system because that might give clues. I can tell you that I was $1000 richer within a week. Having passed and been paid for this "test" I was then offered a job designing an unbeatable security system. Obviously, something designed by someone who knew how to beat a system had a much better chance of being impregnable. The end result is that after about 8 months work in a darkened room I had created such a formidable security system that if I forgot my own password, I would not be able to regain access without re-initialising certain parameters that would set off alarm bells across half the western world.
 
 
Part of the deal was that I would have no ownership rights to whatever was developed. In return I was paid a very good wage and many unimaginable perks. Don't forget, this was the mid 1980's, but the agreement was that I would have absolutely no rights in the works I created. My patron stood to make a small fortune if it was accepted, I was just a contract programmer and system designer.
 
 
A quick show of hands, how many of you think that I probably wrote either a time-bomb, worm, virus, back-door or other such device in the system? How many of you would trust me not to? How many of you have no idea what I am talking about? Just kidding, I won't ask for your opinions to be shown publicly, but I do ask you all to make up your mind whether you think I left a nasty in the software or not. I am going to leave you guessing for now and ask you again at the end of my speech and see what you say then.
 
 
I am not going to try to sell you this product, and unfortunately, I can't even show it to you here, in fact I can't even tell you what it is called. It will be released in about a month and then you will know what I am talking about. So, that's a bit of my background and how I got to be here tonight, but let's move on to the point of my speech. Why security? Just how much is not enough? The "why security" is obvious - to protect the data within your system. The ultimate reason data needs to be protected is because it is unique and the cost of replacing it, if it is indeed replaceable might be too expensive to contemplate, unless it is in a form where the recording can be done in a manner where the obvious need for ongoing external support is minimised.
 
 
This leads to what the primary role of the system is, to maintain accurate records of the dealings of the users as input by those users. Of course this brings us back to programming, but that's another problem. Do you know how many programmers it takes to change a light bulb? None, that's a hardware problem. While I won't have the opportunity to be here for the whole of the conference, I have little doubt that much emphasis will be put on security, especially since that is what this conference is all about. Protecting your investment. You will want to be 100% sure that you are using every available and affordable method of protecting your IT investment.
 
In the extreme there is the hot-link. How many of you have a hot link as your primary means of safeguarding the integrity of your system? How many of you regard a hot link as the most foolproof and dependable, if not expensive option available? Tonight I am going to take the opportunity of shattering a few of the "hot-link is God" myths that might have you scuttling back to work to put in a few changes. In case anyone is not sure, a hot link is where the primary computer is connected to a second computer, usually of equal power, sometimes, but not always shared by several users also using the facility as a hot link.
 
This second computer is usually identical in its system structure and is constantly updated by the primary computer in real-time. Thus, should the primary system fail for any reason, the back-up computer will be automatically switched in and there might be no more than a momentary hiccup that made some people go, "what happened then?". In simple terms, it is a real-time back-up that can be called on instantly if needed. Most often, apart from the direct hot-links, these computers are intentionally isolated to minimise the opportunities for anyone to compromise their integrity. So, what is security? The Macquarie Dictionary defines security as a "freedom from danger, risk etc. Something that secures or makes safe, protection. Protection from or measures taken against espionage, theft, infiltration, sabotage or the like". In a slightly different direction, but one that's also appropriate, security is also defined by Macquarie as "an assurance or guarantee".
 
I think this adequately sums up the reason why most security is employed, just in the definition. The definition certainly makes us feel comfortable - "I have security, I must be free from all those problems". But there is no measure of how adequate a particular security system is for its needs and the needs of those who are depending on it. This determination can only be understood in the context of the threat that is perceived as a compromising of that security.
 
So what happens when there is a break-down of a security system, on whatever level? When there is a breach of security, common sense tells us one thing. The source is from either inside or outside the system. You don't need to be as smart as me to figure that one out for yourself. Usually, it is not too difficult to determine the source of the breach. I wonder how many of you would be honest enough to admit your system's security has been breached intentionally? Often, no-one is willing to admit it in case you are the only person in the room who puts up their hand and then everyone else might think you are the only one in the whole world it happened to and you will feel humiliated. Then you discover, when people tell the truth, that everybody is hiding the fact that it happened to them, too. It's like getting people to admit that they masturbate.
 
If the offending call comes from outside your system, you are limited to either discovering which gateway it was through or whether it came in on a modem, unless there is extraordinary co-operation between system administrators. The recent security breach on the Internet highlights the extent of the problem when users have access to parts of the system where they can do damage. In this case a program was written to trap the first 64 or so bytes of every message that passed through various gateways. The major problem with this is that contained in that string, along with the address and other such information, is the user's password. Using this net, someone, and I can assure you that the person is close to being caught, managed to capture into a secret file the passwords and user names of thousands of people. I doubt that I have to outline the extent of the havoc this could lead to.
 
While this type of disruption is not harmful in itself, it lays bare the vulnerability of the system and all systems in general. Imagine, if you will, if this person chose instead, to insert a piece of code into the headers that automatically pulled a virus program into the remote computer system. A cunningly written virus will then replicate itself within the new host and send itself out when files are being transferred. Hence the virus is spread, probably benignly, to many sites. At a predetermined time, whether it be a date, a certain system process or whatever, the virus comes to life and inflicts whatever damage or joke it was programmed to carry out on an unsuspecting system administrator. The reason you are here is to get a handle on the latest techniques, problems, progress and whatever associated with security. The fact that you are here underlines your commitment to ensuring the integrity of your system in the face of a continued and more sophisticated onslaught. Either that or you are here for a bit of a bludge. I sincerely hope not, because there is much to be gained from attending the sessions here.
 
Whether your system is open or distributed, the security options that are available can cause both confusion and uncertainty. Ultimately, the fundamental paradigm associated with electronic information processing perpetuates the illusion constructed in an attempt to alleviate problematic obstacles tentatively countered at strategic opportunities underlying the proximity of previously understood and initially dominant circumstances described articulately but forcefully in dominant but somewhat rhetorical ambiguities. In other words, don't trust the bastards despite what they tell you. It is not enough to simply implement such precautions. Police departments spend much of their resources developing profiles of offenders and likely offenders, so let's take a look at who you are most at risk from.
 
I started my career in computers in a simple way. It was magazine ads that attracted me and I wanted to increase the abilities of my modest system. I had seen an ad for the 100 megabyte Impulse hard drive, a SCSI drive, designed so that when you have more than one they can be daisy chained to give up to ten gigabytes of storage. I thought, this would look impressive on my Commodore 64, and was hooked from then on.
 
This is a typical pattern of introduction into computing by young people, mostly males. It is symbolic of a desire for power. You should be on the lookout for intelligent, pale, introverted males, who eat lots of pizza and say things like "I can break into any system in 10 minutes", because they usually can. So, how are we going to beat the bastards? What new tool are we going to come up with if we are serious about protecting our IT investment? More to the point, how can we make ourselves indispensable and further justify our high wages?
 
Folks, listen closely because I am going to tell you how. Tonight I am going to make an announcement about something that will interest even those of you whom I have been boring half to death up until now. I am pleased to present this! The ultimate, new, state-of-the-art, whizz-bang, gotta-have, ultimate, latest, fashionable tool for those serious about security...send no money, we'll bill you later. Forget image processing. Toss out your obsolete voice recognition systems. Don't even think about finger-print or retina patterns.
 
Ladies and gentlemen, this is multimedia and beyond. It's called optiprobe and it is a neurally-networked-innovation based on fibre-optic technology and interactive laser-driven, super-conducting, bundled, open-designed, EDI-based options never before seen at this level. Basically, the data is sent via laser pulses along fibre-optic cables. It is then stored briefly for processing in a fashion that makes it possible to regenerate them at a later date. In more simple terms:
 
If your computer detects some trouble from the other end, if the two services are linked by fibre optics, the remote computer will transmit a picture of the person typing on the keyboard to the host computer. Several have been secretly installed in automatic banking machines so that they will create an image of every person who approaches the machine, whether or not they make a transaction. Remember, that vandalism is not caused by the people who actually use the machine. Optiprobe is at the forefront of the next wave of computer technology, beyond multi-media it is becoming known as mega-media.
 
Psychologists have worked hard on the profile of the average hacker in an attempt to discover them before they commence their actions. One of the things that has been determined is that they are unusually dextrous compared to others of their age-group. Using this knowledge we have devised an accurate method of screening high school students for potential to become hackers. Under the guise of a skills training program we hold innocuous juggling lessons and then focus further on the individuals who learn to juggle in under 25 minutes.
 
Let me show you what I mean.
 
At this point I launched into my hilarious (as usual) comedy show...