For his next trick, Wayne Burke will demonstrate how to begin hacking NATO. Theoretically, of course. If one were into that sort of thing. But first, a mic check.
"Are there any government guys in the audience?" asks Burke as he scans the dozens of computer geeks assembled in a conference room at the Ameristar Casino in St. Charles last month.
Staring back are Polo-and-Dockers middle- management types and surly looking hackers in black T-shirts who've traveled from around the country for TakeDownCon, the St. Louis area's first-ever cybersecurity convention.
As one of the superstars in the field, Burke has just spent the past half-hour regaling the crowd with the intensity of a late-night TV pitchman.
His thesis: Hacking is no longer just for basement-dwelling obsessives. Already he has shown off a pair of cheap, miniaturized supercomputers that can launch attacks for the industrious, on-the-go hackers of today. Now he's demonstrating a suite of automated tools that go out and scour the Internet for data, providing breadcrumbs that can lead to a successful exploit. The North Atlantic Treaty Organization is next on his hit list.
Thankfully, there are no self-identified government agents in the room. Burke, the founder of the international security consulting firm Sequrit CSi, continues.
He's using a program called "FOCA," which when filtered through Burke's outrageous South African-Dutch-Texan accent sounds like a barroom insult.
FOCA uses Google and Bing to search through all the documents hosted on a given website. Each one of these documents is rich with "metadata," or the kind of mundane stuff that a computer logs whenever someone creates or modifies a document, such as when it was created, the last user who touched it and so forth.
That same metadata can point a hacker on the hunt to some real treats: IP addresses, e-mails, even data on printers can become a potential point of entry. This treasure trove of data takes only a few select clicks to uncover. As several members of the audience would undoubtedly joke, even Mac users with their style-over-substance computers could figure most of this stuff out.
"This is not rocket science anymore," Burke declares. "I didn't even have to go down to the zeroes and ones!"
Despite his apparent cavalier attitude toward rifling through NATO documents via a rather public wireless network, Burke keeps this phase of his presentation brief. He runs FOCA just long enough to demonstrate that it is actually harvesting metadata from the mighty political and military alliance (a few NATO e-mails and usernames flash across the screen), before ending with a disclaimer for those government guys who are surely not in the room:
"Did I mention that I'm a Dutch resident?"
As daring as this little demonstration might seem, it's not a how-to guide. Burke is play-acting like a bad guy so as to bring his colleagues inside the mind of a malicious attacker.
With an increasingly easy-to-use arsenal of tools at their disposal, hooligan hackers don't have to be experts to make bad things happen. But the people in this room have to be.
They are a breed apart: "ethical hackers."
For a lay public weaned on trashy cyber-punk films and scare pieces on TV, hackers make for convenient boogeymen. They can dive into the great digital ocean of data that underpins everyday order and create ripples that grow into tsunamis of chaos: crashed systems, stolen identities, blank checks. And it's not just governments and multinational firms that can find themselves within a hacker's cross hairs.
Earlier this year, St. Louis' own Schnucks grocery chain announced that a cyber attack may have compromised the bank and credit-card accounts of some 2.4 million customers.
In a post-WikiLeaks, post-Edward Snowden world, it can sometimes seem like personal privacy is nothing more than collateral damage in a greater war. Everything is fair game. And even with the government cracking down on whatever offenders it can collar, technology is allowing hackers to become more nimble and evasive than ever.
While these nefarious hackers tend to be the ones who capture media attention, there's a growing class of strait-laced professionals who have built hacking into an upright industry. Instead of adopting colorful pseudonyms and congregating on message boards, they exchange business cards and wolf down buffet lunches at events like TakeDownCon.
These "white-hat" hackers, as they bill themselves, still have a spiritual kinship with their less scrupulous cousins. All of them get a similar rush from digital trespassing, like kids with flashlights breaking into the old haunted mansion at the end of block. The harder it is to get in, the greater the joy of discovery. The only difference: Once ethical hackers are in position to pull the trigger — to bring a business or government organization to its knees — they disengage and then report the vulnerabilities they've discovered to the proper authorities.
To walk that line, it takes a tremendous amount of discipline. In more ways than one, ethical hackers gotta have a code. And in St. Louis, perhaps no one wears his white hat more proudly than Dave Chronister of Parameter Security.
It's Chronister who brought TakeDownCon to town after the roving convention made previous pit stops in Dallas and Las Vegas. And while the St. Louis region isn't necessarily seen as a tech hub, the Schnucks case demonstrates that there's a growing need for guys like Chronister everywhere, including flyover country.
Chronister has seen firsthand how well St. Louis companies have prepared themselves for potential cyber attacks. And the results ain't pretty.
Even if corporations have a functional security infrastructure, Chronister can crack many companies by simply calling up, pretending to be an IT guy and asking for a password. Yes, this works. It's called "social engineering" in ethical hacker jargon, and it doesn't take much super spy training to figure out.
Some ethical-hacking pros even refer to people as "wetware." It sounds condescending, but it's true. Humans are squishy, malleable and eager to come across as helpful. They're even more eager to spew their personal vitals all over social media. While most office drones imagine it's some unseen code monkey's responsibility to keep their company's data safe, it's the rank and file who are often the weakest links in the chain. They make it easy.
"Sometimes you step back out of this ethical-hacking world and think, 'My God, we are screwed,'" Chronister, 37, says. "It's really, really easy to break in. You forget how scary it is to someone outside of it."
Dave Chronister made his first hack at age eight while pecking away at his father's Tandy 1000 EX. For the early '80s, it was a gem of a computer: blazing 8MHz speed, 256KB of RAM and a 300-baud modem. Some 30 years later, Chronister reminisces about this machine the way some guys brag about their first car.
It was the height of the "war games" era, birthed by the 1983 Matthew Broderick film in which an enterprising young man hacks his way into nearly starting World War III. Just as Broderick's Ferris Bueller's Day Off would later inspire a generation of wannabe adolescent rebels, WarGames was a cultural touchstone for every computer geek who grew up around the time of its release. It's an irresistible power fantasy: sparking an international incident from the comfort of one's bedroom.
The movie also inspired the name of a little hacking trick called "war dialing," which Chronister was trying out for the first time. A war dialer was a straightforward program that would call a range of telephone numbers in succession via a computer's modem. The idea was to hopefully dial up a computer system that accepted incoming calls, which was a long shot at best.
But sure enough, Chronister hit pay dirt: He stumbled upon the portal for a St. Louis car dealership's mainframe. "Please enter username or 'guest' to continue," the screen instructed. Instead, Dave ran to confess what he had done to his father: a six-foot-two, 250-pound-plus cop.
"He told me to disconnect from that; you're not allowed to look at that," Chronister recalls. "Then he joked and said something along the lines of, 'I brought you into this world, and I can bring you out.'"
The law-and-order view of the world his father instilled in him has never really left Chronister. In a profession packed with self-styled antiheroes, he is an admitted "goody two-shoes."
Chronister and his wife, Renee, operate Parameter Security above a Celtic pub on St. Charles' historic Main Street. Inside, the vibe is a strange mix of Midwestern homeyness and Silicon Valley flair. The couple's two basset hounds amble aimlessly through the office space while Dave, dressed in a T-shirt and cargo shorts, fiddles on a keyboard. Between his goatee and sardonic sense of humor, he has an odd resemblance to a younger Louis C.K. Renee is redheaded, excitable and always appears to be mentally juggling three other projects while talking about another.
The two launched their cybersecurity business in 2007 after spending the previous Christmas Eve enjoying generous portions of Jack Daniel's (for him) and Budweiser (for her) while bitching about their jobs. David worked in IT at a bank in Troy. Renee was with a marketing firm. They decided to ditch both and start their own venture together.
From boozy beginnings came a company with a very sober grip on hacker morality. Borrowing a page from Dungeons & Dragons and its complex alignment system, Chronister describes his hacking philosophy as "lawful good."
According to the highly reputable D&D Wiki, a "lawful good" hero combines a commitment to oppose evil with the discipline to fight relentlessly. In other words: "She tells the truth, keeps her word, helps those in need and speaks out against injustice."
Even when he is breaking into a company's servers, or phishing its employees via a dummy webpage, or infiltrating its headquarters through a low-grade subterfuge ("Hey, I'm the bug guy. Where can I start spraying?"), there is little moral ambiguity in any of this for Chronister. This is purely transactional. A company comes to him looking to get its systems tested, they sign a contract (complete with non-disclosure agreement), and Chronister and his team set to work cracking their assigned target.
In the past six years, the Chronisters have surrounded themselves with a small group of similarly principled party members at Parameter. While it might make for a sexier story, there are no reformed bad-guy hackers in the bunch.
"Once a criminal, always a criminal, in my opinion," Chronister says. "If you break the law once, how do I know you're not going to do it with my client's information?"
Parameter job applicants have bragged about their illegal exploits in the past. Chronister has shown them the door.
If Chronister is a hacker bound by a "lawful good" code of conduct, his peer Charlie Miller is what you might call a practitioner of "chaotic good." (D&D Wiki: "...acts as his conscience directs him with little regard for what others expect of him.") Miller doesn't do any of this social engineering or dummy webpage crap. The 40-year-old St. Louisan attacks hardware directly, often finding elegant and ingenious ways around the traps that developers have built to protect their product. What those developers think about his work doesn't enter into the equation.
This approach has built him into a hacking folk hero. He's the first person to remotely hack the iPhone (in 2007), a serial-hacking competition champion and a member of Twitter's security team. The fact that he worked in the NSA between 2000 and 2005 only adds to his mystique. His LinkedIn profile simply states: "During this time, [Miller] identified weaknesses and vulnerabilities in computer networks and executed numerous successful computer network exploitations against foreign targets." (Miller adds that he did not spy on Americans, nor did he know anyone who did at the NSA.)
He calls himself a "black-and-white person." He tried studying philosophy during his college years at Truman State University but got sick of all the vagaries, all the games of twisting words to suit an argument. He hated that he could never prove conclusively that he was right and the other side was wrong. That's what led him to the clean rules and logic of mathematics, then to the NSA and the hacking world.
What he sees as "white-hat" hacking doesn't always jibe with mega corporations like Apple. The company infamously kicked him out of its iOS Developer Program in 2011 for knowingly submitting a booby-trapped program to its App Store. Apple, despite its quality assurances to keep the App Store safe from bugged content, let the app stay up for two months before Miller announced what he had done. To Miller, this was a benign experiment, a "proof of concept" designed to demonstrate a crucial vulnerability.
"Really, I'm trying to protect myself," Miller says. "I am an iPhone user. I don't give a shit if [Apple's] stock price goes down. I just want them to fix it and fast.... I only have so many hours in a day. If it will take two hours of wrangling with bug reports over the phone, then I just won't do it."
He jokes that one day he'll be as good as the hackers on TV, the kind who sit down at a computer, jab at the keyboard for 3.4 seconds and declare, "I'm in!"
In reality, one of Miller's investigations can take up to nine months of false starts and dead ends. If a team of engineers devoted that kind of time to every little idiosyncrasy of a new smartphone, the thing would be out of date by the time it hit store shelves. And often enough, Miller will report a bug only to find that software engineers already have identified it.
Still, Miller doesn't extend much sympathy to anyone he's pantsed over the years.
"To me, the ethical problems fall into the laps of the people making the software," Miller says. "Once I find a vulnerability, I should be able to do what I want with it. It's like something I found in the street. Writing better software shouldn't rely on some dude in St. Louis."
Whether the rising generation of hackers ends up following the example of Chronister, Miller or the black hats of the world might depend on who trains them.
When Chronister decided to launch Parameter and hone his infiltration skills into an art, he went to study at the foot of hacking guru Ralph Echemendia, one of the featured speakers at last month's TakeDownCon.
Chronister refers to Echemendia as his "cyber-sensei." He's a man who comes from an old-school hacker mentality, earning his bona fides during a time when the field was an open-ended Wild West. It was lawless but not necessarily lawbreaking. People who knew how to navigate between modems would go out and see what they could get away with and then report back to their fellow enthusiasts.
In the long decades since then, Echemendia has built himself into a high-profile Hollywood security consultant, protecting films from bootleggers and advance leaks. He even got his fifteen seconds of celluloid fame with a brief cameo in Oliver Stone's 2012 hack-and-shoot thriller Savages. But he's more proud of his work as a consultant on the film, ensuring that the usual Hollywood hacker bullshit didn't make it into the script.
Despite that level of hard-earned legitimacy, Echemendia says he has had to stay on top of developments in both the white- and black-hat hacking worlds. It's very much a Sun Tzu, "know the enemy and know yourself" type of philosophy. Although Echemendia has quite literally gone Hollywood, he still has a well of hacking contacts that extends deep underground.
For the many white-hat hackers whom he has met and trained, ethics is a matter of what they do at the keyboard when no one's looking. The best of them have a ravenous intellectual hunger, and they'll seek sustenance wherever they can find it.
"Even some of the hackers who work for government organizations still do bad things on their own time, because they can," Echemendia says. "I've known some kids where that structured, 'do this' environment is not enough for their intellectual evolution."
There is indeed a bit of an arms race for those young hackers Echemendia is referring to. Cybersecurity firms and the government/military complex recruit budding geeks with promises of perks, salary and, yes, security. Hacking, long a bastion for those who see themselves as apart from society, is becoming a structured career path.
In St. Louis this fall, Fontbonne University is launching an undergraduate program in cybersecurity, while Washington University is introducing a cybersecurity master's degree. Both universities see the field as a potential jackpot growth industry. According to InformationWeek's IT Salary Survey 2013, cybersecurity staff members earn a median of $90,000, while managers earn around $120,000 a year. Businesses need people who can speak the language of electronic defense and react to attacks with a cool head.
"We want to produce leading professionals in the field," says Jack Zaloudek, director of the cybersecurity management master's program at Wash. U. "When companies experience a denial of service attack or discover malware, they don't want a bunch of Chicken Littles running around shouting, 'The sky is falling! We need to shut down the entire system to scrub it down.' When you're at a place like Express Scripts, where you're expected to generate $40 million a day, you just can't do that."
Among those who had a hand in designing the Wash. U. program is Jerry Hoff, who previously taught for seven years at the university's Center for the Application of Information Technology. He believes the best way to stop a young hacker from breaking bad is to diagram the illegal stuff and sap it of its mystery. Hoff, now in California with WhiteHat Security, has even developed a Web application called WebGoat that allows hackers to do just that. WebGoat serves as an online piñata — of sorts — a program riddled with common script vulnerabilities for students to hack to shreds.
"We try to shine a light on the problem," Hoff says of his app and dozens like it. "We want to cut out the mystique and make it common knowledge. That way, we can satisfy people's curiosity so that they don't have to take illegal steps to find out 'What happens when I do X?'"
Chronister has also gotten into the business of training tomorrow's white hats. His Parameter Security now has an in-house "Hacker University," where local IT professionals can earn official certification as ethical hackers. They learn security from both the offensive and defensive sides, training themselves to think as attackers would.
"The vendors out there want to build up their walls and say their system is perfect," says Chronister. "They're not testing it the way offensive guys are testing it."
In 1986 an individual under the handle of "The Mentor" wrote the highly influential "Hacker Manifesto." After 27 years, an eternity in the tech world, the creed remains relevant.
"Yes, I am a criminal. My crime is that of curiosity," reads its most famous passage. "My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for."
It makes for compelling recruiting material, but Chronister is adamant: The romance of these digital Robin Hoods lasts only as long as they can sell their philosophy to the public. In April, the hacking community Anonymous launched an online salvo that crippled the Westboro Baptist "God Hates Fags" Church. Their cyber attack was generally celebrated. But who does Anonymous have a beef with next? And what if it's an organization that at least a few rational people could support? What gives a hacking collective carte blanche to play at being vigilante lawmen?
"You may agree with what Anonymous is doing, but at some point they're going to cross your lines, and you'll see them as criminals," Chronister says.
Ethical hacking might not come with the same underground street cred, but Chronister believes it's a more rewarding line of work. Every day he's testing his curiosity by probing security systems in an attempt to outwit the black hats.
"I get to be a criminal, legally. Legally!" says Chronister. "How much more fun can it be?"
