[ISN] Part 2: Q&A with Jeff Moss on computer hacking
By Elinor Mills
October 19, 2009
Like many young hackers, Jeff Moss got his start copying computer games,
learned how to program, and began to explore the world through a modem.
Unlike many young hackers, Moss has managed to turn his computer and
social-networking skills into a business. He founded Defcon, the first
major hacker conference and the largest in the world, as well as Black
Hat, its more corporate counterpart. And now he is helping the U.S.
government, as a member of the Homeland Security Advisory Council.
Moss talked to CNET News during National Cyber Security Awareness Month
about his digital coming-of-age and how Google, Yahoo, Facebook, and
other sites are putting consumer privacy at risk and jeopardizing
social-justice movements around the world.
This is the final installment of a two-part Q&A with Moss. Part 1 ran on
Q: When you first started Defcon, that was what year again?
Moss: Ninety-two, '93. I think I started planning in '92 and it happened
Q: So, things were different then. Can you talk about how the landscape has
changed and what the real threats are now?
Moss: I'd say the biggest change is just that money got involved and
once money was involved it changed everything. Actually that's not true.
Technology grew up. So two things: money and technology. Technology grew
up and a lot of the original motivations for hacking sort of changed, at
least for my generation. When Internet access is essentially free and
Unix is free and phone calls are essentially free and pennies on the
minute, not dollars on the minute, why do you need to steal a phone call
when it's free? Why do you need to break into a university to read man
(manual) pages on Unix when you can download free security guides
You had to work so hard to learn something, and once you learned it you
felt like it was yours. You made it yours by discovering it and figuring
it out and sharing it with your friends. But now it's basically just
handed to you on a Google search page so that motivation is just
different now. Now it's not a question of figuring out how the SS7 phone
switching network works. You can download 50 documents that tell you how
it works. It's more about, now the information is basically free, what do
you do with the information? How do you use it? Before it was about the
quest for information; just getting your hands on the information was a
As soon as people started making money on the Net...during the dot-com
boom, that's when you could see the impact. Everybody needed somebody
with Internet skills. And at that time it was hackers and early
adopters. So all the early adopters could go out and get paid for their
hobbies. That changed the nature of it too. It became a job as opposed
to a hobby. When the criminals finally caught on that there was some
real money with low risk and potential high reward...once nation states
and organized crime groups got involved, that was the end of the age of
innocence. It happened really quickly; 10 years or so. It used to be
that you could probably defend against the bored college student and a
couple of his buddies and you could do some defensive maneuvers and
watch your log and know when somebody is poking around (your network)
and have a pretty good handle on things.
But the amount of noise and the amount of scanning and the amount of
resources that people can put against you now, it's kind of...(laughs) I
used to always say that large governments, military, and an EDS or a
Microsoft, they've got the in-house talent to defend themselves and the
budget to do it if they have to. But the SMBs, the small and medium
businesses, they don't have the talent or the budget or the experience,
so those poor companies are at a disadvantage in this kind of world...
The technology hasn't matured to where you just plug it in and it works.
You still need a certain amount of high-end talent if you want to be
secure. So we're not at the point where you buy a car and you've got the
air bag. We're not there yet. Every year the bar keeps getting raised
and it's a little bit harder to break in. But that just means that the
better-funded organized crime groups and governments could potentially
be the last ones left standing. And when the attacks get so
sophisticated and so subtle your average sec guy is not going to
necessarily have the computer skills to protect against it.