Three Minutes With Jeff Moss
Hackers' convention founder discusses security, ethics, and getting along with the feds.
Kim Zetter, PCWorld.com
Jeff Moss is the 30-year-old founder of Def Con, an annual
hackers' convention held in Las Vegas since 1993, as well as BlackHat, a
convention for security professionals. A former hacker, in high school Moss was
a phone phreaker--someone who cracks into phone systems to make free calls. He
was a law student for two years before switching to computer studies, and
worked as a security consultant before focusing on conferences full time. We
spoke with him about the state of Internet security and the role of Def Con in
mentoring young hackers to be more ethical. This interview was conducted over
two sessions, one of which was in a forum with other journalists.
PCW: How did you get into the hacking scene?
Moss: I didn't know there was really a scene until probably about my junior year in high school. Somebody called me up one day from the other side of the country. I was asking him how he could afford the call, and he just laughed and said, "You're joking, right?" And he started to explain how phone systems work and how you can phone for free. That was the peeling back of the veneer.
PCW: Why did you stop hacking?
Moss: You can only stand by and watch so many people you know get busted. Sooner or later you catch on that... there's a limited life span to doing this kind of stuff. So before I got out of high school that was pretty much it.
PCW: How has the hacking community changed since you founded Def Con in 1993?
Moss: There are more hackers employed now. Now you look around at all your friends... and they're heads of security at big companies.
And the motivations for hacking have changed. When I was growing up, we were the first generation to really have computers, and it was a big deal to have one. Now we have the Nintendo generation who have always grown up with a computer, video games. There's nothing special about it to them.
PCW: How has this affected their motivations?
Moss: It used to be that if you were a hacker you were motivated by intellectual challenge. Hacking was a way of figuring out how things worked--there were no manuals. Nowadays everything is a simple search on the Web. It's already provided for you and analyzed for you and written out in ten easy, bulleted points. But when I was growing up, if you wanted to know how something worked, you had to figure it out yourself or find someone who knew more who was willing to teach you.... And if you behaved inappropriately, you'd be pretty much cut off--no more information for you.
PCW: What was considered inappropriate?
Moss: Say you learned how to place free phone calls. But instead of placing free calls to chat with your friends in the hacking community and learn more, you started selling free phone calls to everyone walking by. As soon as you did anything to make money... it moved you into the category of criminal, and no one wanted anything to do with you. People who looked like they had a criminal bent were ostracized. Nowadays that doesn't happen. The underground is way too huge. It can't self-police.
PCW: What's the story behind Art Money, the Assistant Secretary of Defense, coming to Def Con last year to recruit hackers to work for the government?
Moss: I was trying to attract speakers to Black Hat [and Def Con], and next thing I know somebody... passed it up the food chain and got Art Money's assistant, who thought Art would be interested.... We said to him, "You don't have to go to Def Con as well if you don't want to." And I think his response was something like, "Hell, yes, I do."
PCW: Were you surprised that he wanted to speak at Def Con?
Moss: The [government's] appearance at Def Con was partially a public relations move and partially a public awareness thing--trying to get hackers to realize there are consequences for their actions.... But I was surprised [by the recruiting]. At Black Hat, Money made a crack like--Oh, I'll just have a Marine down there, and we can just ship them all down to the Marine recruiter. And everybody laughed. But I showed up [that] morning, and there was the Marine recruiter ready to sign up hackers.
PCW: Did they get any takers?
Moss: I didn't hear about any. They weren't looking for just anybody. They wanted elite hackers. But one of my friends who spoke at Def Con got a job afterward working for a huge defense contractor doing stuff for the military.
PCW: It seems that the undercover FBI and military agents take the annual Spot-the-Fed game very good-naturedly.
Moss: In the past, secret service and FBI were showing up at Def Con anyway; they were just being sneaky about it. So I thought, why not invite them and make it a friendly environment for them? And the feds now go out of their way to make sure they get spotted. It's gotten to the point where they show up with a bag of goodies they want to trade you.
PCW: You had hackers, government officials, and security professionals talking in one room; have we arrived at the point where we're all getting along?
Moss: That was the whole point of Def Con in the first place.... I thought, let's get some real authorities... to talk about what they do and dispel a lot of the myths. So for that first Def Con we had Gail Thackeray, the prosecutor who had just done Operation Sundevil and busted a whole bunch of bulletin board operators... to tell people what's really legal and what isn't. It really pissed some people off. But it was a perspective that they'd never been exposed to, and it forced them to think through some things. We're trying to make them realize that there's a larger world out there and there are larger consequences.
PCW: So are you trying to mentor younger hackers?
Moss: I don't think you can force morals on people. But if the young hackers respect the old hackers, and the old hackers are telling them to just do good stuff, then a certain percentage of them will emulate the good people.
PCW: How do you explain Back Orifice then? When Cult of the Dead Cow members (CDC) unveiled this Trojan horse program at Def Con in 1998, they handed it out to the audience for free on CD-ROMs.
Moss: Microsoft SMS [Systems Management Server] does the same thing as Back Orifice; it installs secretly, it allows remote access to the computer, and anyone can get it. The only difference is that Microsoft sells it to you for $2000 and CDC gave theirs away.
PCW: But it's a question of availability. A 16-year-old isn't likely to pay $2000 for SMS. CDC, on the other hand, gave it out for free, like candy to kids, and said basically "have at it."
Moss: Well, I don't necessarily agree with doing that. But I don't think there's anything wrong with the technology.... It's just the spin they put on it that makes it slightly offensive. For instance, you could say a vulnerability exists in a phone switch, and if you do this and this, then you can get free phone calls. Another way of presenting it is, "Hey kids, here's three easy steps to commit toll fraud."
PCW: But that's like Loompanics [a publisher of how-to books for making bombs and other illegal activity] including a disclaimer in their books saying, "Here's information about how to steal identities, but we don't intend for you to actually use it for that purpose." Isn't this a bit disingenuous?
Moss: I guess the difference is whether you read an academic security paper that tells you about the latest vulnerability, or you download the latest tool that has it all programmed for you.... It's not the content that seems to bother people, it's the presentation.
You could buy the same book on how to steal identities, but it could be labeled Criminal Investigator's Guide to How People Are Committing Identity Theft, and it would be fine. But if it were Everybody's Guide to Stealing Identities Easily, then all of a sudden it's bad. Because one is pitched to the police, and one is pitched to the criminal, suddenly the same information inside the book turns from being good to bad.
PCW: Some hackers claim they're benefiting security by hacking into systems and exposing vulnerabilities. Do you agree?
Moss: I don't think that's valid. If you want to learn how to break into systems, you and your friends have enough computers that... you can build a network and break into it all day long without affecting anybody. You can simulate it.
PCW: Do hackers provide any benefit to security?
Moss: All the older old-school hackers are now working for big corporations or governments or their own start-ups. Look at L0pht [a group of hackers behind the Boston-based consulting company @Stake]; their members are briefing the vice president and Congress, and that's probably beneficial to the country. But [hackers are] not beneficial by distracting the military or by trying to break into government sites all day long.
PCW: You had said that you thought things were going to get worse in security before they'd get better.
Moss: Well, I'm in the mind-set now that things will never get better. Things will get progressively worse.
PCW: But if we're discovering vulnerabilities and patching them up...
Moss: No, no. It's a losing battle. Back in the old days when there were only two or three operating systems, there were fewer things out there that could be vulnerable. Now you have people cranking out ICQ and Napster. One day it's an obscure program, and the next day it's Gnutella and it's on every system in the world.
The problem is that there are more people coming out of college who know how to program--but not securely--than there are people who know how to program securely and know how to find the problems and fix them.
PCW: So are we looking at an FDA-type of organization to monitor a standard for more secure coding?
Moss: That's not going to work either, because then everyone will just code overseas.
For years a couple of companies were selling Trust Operating Systems--TOS--also called compartmentalized operating systems or secure operating systems. These are operating systems that are built at the B level of security, and almost every attack I can think of would fail on these Trust Operating Systems. They've been available from a number of vendors, but nobody in corporate America buys them.
PCW: Why aren't they buying them?
Moss: Well, if a company's VP is having lunch with a senior sales rep at Microsoft and he's telling the VP that Microsoft is the way to go, that's what [the company] will buy. If the decision comes from the top down onto the technical people, instead of the technical people doing the research and informing management what they think the best product is, you end up with a lot of bad product decisions. If people were really concerned about security they would have bought Trust Operating Systems, and a lot of the problem would have gone away.
It's like the FTP protocol. We've been using this insecure protocol that was written 25 to 30 years ago, with all its known security problems. When somebody ported it from IPX over to IP, it would have been very simple for that person to... add strong security, strong authentication. But they didn't. So instead of taking two days to port it, they took half an hour. And we've been living with the consequences ever since.
PCW: So what should companies do?
Moss: If you have administrators that constantly read their log files, half these [hacking] attacks would never succeed. It's just that a lot of these people are overworked. And even if they see something suspicious in a log file, they might not understand what it means. So a lot of solutions lie in employee training and security awareness in general. But those are really difficult and expensive problems to solve. It's more attractive to a company to buy Magic Firewall 1.0 for $100,000, write it off as a one-time business expense, plug it into the network, and think that they're secure.
PCW: Has security improved at all?
Moss: This has been the year that I think people are finally catching on. Before it was all the techie people who talked about security, now it's on Oprah. Marcus Ranum [the inventor of the firewall] said it at Black Hat: When Joe America is connected to the network through his persistent broadband connection, and evil hackers start breaking into his own house... when the mass public gets pissed off, things change. So there's starting to be more attention placed on security; but we'll never have the problem completely solved.
