Special Report April 3, 2006, 9:37PM EST

What I Learned at Hacker Camp

(page 2 of 2)

If you get a particular error message, you know that site is vulnerable to a technique of stealing database contents called "SQL injection." "Pretty cool, huh?" Whitaker says to the stunned crew. "You guys want to see some more scary stuff?"

OPEN TO ALL.

It wasn't a real bank's site I was hacking into. And I was pretty much typing instructions written out for me. Still, Whitaker says there's an enormously large number of sites with these types of basic vulnerabilities, largely because database administrators don't know security -- and the security administrators don't know databases. If I could master basic database hacking in an hour, how much damage could a truly technically proficient person do?
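The error-message tell the article describes comes from one coding habit: splicing user input directly into the SQL text, so an input that happens to contain a quote breaks the query and the database engine's own error reaches the user. The following example is added here and is not code from the article or from Whitaker's class; it uses a constructed in-memory SQLite table and a hypothetical account-lookup function to show the vulnerable pattern beside the parameterized form, plus the generic error handling that keeps engine messages off the wire.

```python
import sqlite3


def make_db():
    """Constructed sample database (not from the article): two account rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts (owner, balance) VALUES (?, ?)",
        [("Alice Smith", 100), ("Conor O'Brien", 250)],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, owner):
    """Vulnerable pattern: the caller's string becomes part of the SQL itself."""
    query = "SELECT balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, owner):
    """Hardened pattern: a bound parameter, so the input is data, never SQL."""
    return conn.execute(
        "SELECT balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


def probe(conn, owner):
    """Run the unsafe lookup and report what a client would see.

    Returns ("ok", rows) or ("error", engine_message). A perfectly ordinary
    name with an apostrophe is enough to surface the engine's error text,
    which is exactly the symptom the article says marks a vulnerable site.
    """
    try:
        return ("ok", lookup_unsafe(conn, owner))
    except sqlite3.Error as exc:
        return ("error", str(exc))


def handle_request(conn, owner):
    """What the application should do: parameterize, and never echo the
    database engine's message to the client."""
    try:
        rows = lookup_safe(conn, owner)
        return {"status": 200, "balances": [row[0] for row in rows]}
    except sqlite3.Error:
        # Log the real exception server-side; the client gets a generic reply.
        return {"status": 500, "message": "internal error"}


if __name__ == "__main__":
    db = make_db()
    print(probe(db, "Alice Smith"))        # works by luck: no quote in the input
    print(probe(db, "Conor O'Brien"))      # leaks an engine error to the caller
    print(handle_request(db, "Conor O'Brien"))  # parameterized: correct answer
```

The point for a database administrator is the second `probe` line: the application never crashed on a hostile input, only on a customer's real surname, yet the same error path is what tells an outsider the query is being built by string concatenation. Parameterizing every query removes the defect; suppressing engine text in responses removes the tell.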

So, do ethical hackers go bad, I wonder aloud? Whitaker says he knows of a few cases, but companies like his screen candidates carefully. They have to be gainfully employed in the security field and must sign waivers saying they won't use these tricks for ill. For more sophisticated classes there are background and criminal checks. In any case, the sad truth is that anyone who wants to be a hacker can do so these days -- with or without these classes.

A large percentage of the materials used to train ethical hackers are freely available over the Web. Just like the mainstream software world has been turned on its head by the open source revolution of coders creating free databases and operating systems, there's a whole open source world of viruses and trojans.

BEAUTY AND THE BEAST.

After about six hours of crash training, the class embarks as a team on a "capture the flag" hacking challenge that entails stealing credit card numbers from a fictional bank and posting all the numbers to the site. It gives pupils a chance to apply all the skills learned over the week.

I must concede it's too sophisticated for my grade-school BASIC skills and a half day of hacking tips, so I hang back as Whitaker shows me how he infected another machine with a trojan called "Beast."

Beast was written by a college guy in love with a girl who didn't love him back. So he did what any lonely geek would do. He wrote a vicious program that could control her dorm room Web cam. Beast can also control your CD drive, Internet browser, and chat windows -- anything on your machine. And you can download it free on the Web today. Sure, most security software can catch it -- but nearly half of PCs in the U.S. don't have basic security software. And for just a few hundred bucks, mercenaries will write you a new, undetectable version.

FACT AND FICTION.

According to research by Symantec, most hacking activity goes on Monday through Friday from 9 a.m. to 5 p.m. -- it's a career for some. "We were stunned by their brazen indifference to law enforcement and the extent to which they emulate a sophisticated economy," says David Cole, director of Symantec's security response team, who spent months watching hacker activities online.

Earlier in the day, I ask Whitaker if he's seen the recent movie Firewall, where Harrison Ford portrays a security specialist forced to rob the bank he's protecting so he can save the life of his kidnapped son. "Yeah, it's not really like that in the real world," Whitaker says, condescendingly. After a day at hacker camp, I agree. The real world is scarier.

Lacy has been a business reporter for 10 years, most recently covering technology for BusinessWeek. Her book, Once You're Lucky, Twice You're Good: The Rebirth of Silicon Valley and the Rise of Web 2.0, will be published by Gotham Books in May, 2008. She is also Silicon Valley host of Yahoo Finance's Tech Ticker.
