Geek Vs Renegeek, Getting A Lock On Security At Cyber-Terrorism Seminar

9/22/99

Geek Vs Renegeek, Getting A Lock On Security At Cyber-Terrorism Seminar

Another day, another stab against cyber-terrorism for a 54-year-old man in a blue suit, blandly handsome, talking excitedly, rushing around early one morning last week in front of a typically identity less ballroom in the belly of the Grand Hyatt Hotel near the Convention Center. He is getting ready to present his briefing, "CyberTerrorism: A Reality Check and Essential Security Actions," and for your 45 bucks, you'd want there to be a feeling of secrets, something "Spy vs. Spy"-no, wait, something Bionic Man. But wonkish nightmares, even the apocalyptic variety, always unfold on the edge of the mundane. "I'm a little aflurry right now," he says, and turns to a hotel employee setting up coffee and bagels. "Excuse me-can you please have them send someone down from AV?"

But for an extension cord, it's a monumental day in the overhead-projection life of Alan Paller, who runs the SANS Institute, a Bethesda research firm that does nothing but arrange vaguely frightening seminars for the good geeks of the world, teaching them how to protect their vulnerable computer networks. He's here to rally the shy but brilliant grunts who dwell in systems offices everywhere, the unlikely knights of the coming cyber-struggle. He is trying to keep a step ahead of the renegeeks who would bring the world to its knees with a double-click.

Good, evil, whatever: For the moment Paller is more obsessed with the slide show. "For 27 years now I have tried different ways, different kinds of projectors, overheads, everything. You said you like history? Way back then, to do a presentation you had to have someone else stand there at the projector and fix each and every slide," he says, in the lickety-split manner of a man who keypunched his own lines of computer code onto antediluvian cards back at Cornell and MIT in the pioneer 1960s and never looked back as the revolution took hold. "Then there was a long, sad period of doing presentations where everything projected on the screen looked pale and blurry-you had to have just the right light."

Now we live in dangerous times. Man has perfected the slide show-Paller is gaga for the new Proxima projector connected to his ThinkPad laptop ("this is going to be so great")-but do not forget that civilization is also wide open to peril.

The small threat is teenage hackers who toss pornography onto corporate Web sites like an endless game of ring-and-run, or that miscreant in New Jersey who is charged with spreading the Melissa virus, naming it after a stripper. Then there's something more sinister. In his teachings, Paller conjures up radicals who want to clog up the floodgates of large dams until they burst upon an unwitting populace. (It nearly happened, Paller says, in California, seven years ago. No prosecution.) Or the kid who shut down control tower communications at the Worcester, Mass., airport. (It happened, last year. Ended in plea bargain.) Or the time someone replaced Attorney General Janet Reno's picture on the Department of Justice Web site with a picture of Adolf Hitler. (You chuckle, but it was, Paller believes, a defining moment that raised the Justice Department's desire to prosecute Internet crime.)

And how about an all-out cyber-war between political factions, between countries, with targets such as banks, power plants and, oh jeez, news organizations? So many shadows to cast on the wall, and it could all be brewing as we dawdle, the whims of terrorists who likely sit around in their underwear.

A hundred people turn up at Paller's show.

You know these guys-there are few women-if you work in an office of almost any kind. Rumpled, scary smart, with their pleated-pants solutions to things, scratching their beards. Through no fault of their own, fate determined them to be the computer guys, and has now miscast them as heroes. They are most affectionately known as "sysadmins," and if the pay is pretty good, the respect is low.

"They're one group, and the other group in the room would be the security officers," Paller says. "Usually what happens is they aren't the best of friends with sysadmins. I ask the security people, 'When was the last time you took the sysadmin to lunch?' and they can't answer. But they need to work together, since there is this common enemy out there." One thing that unites such conflicted and paranoid computer experts is not so much the fear of threats they know, but the threats they've not yet heard about.

In this crowd, there are military personnel and security chiefs from defense contractors, even a couple from No Such Agency, the NSA. They're all a little cagey about talking about their jobs, or especially their systems. One man, who runs computer security for a large insurance company, says he worries a lot, "but not a consuming, stay-awake-at-night worry," even as he considers that he has 15,000 employees using computers. The worst incidents, he reminds himself, usually come from within, from the sneaky and disgruntled.

Paller's seminar is a frenetic barrage of potential cyber-disasters. The delivery, the slickness of it, is a cross between infomercial (lots of questions designed to get the people in the audience to raise their hands) and an afternoon shooting the breeze at the comic book store (lots of neat, weird what-ifs). The slide show has been given sound effects. Streams of computer type fly by as we watch how easy it is to get past firewalls, to send spoof e-mail, to crack log-ons. Long gone are the days where you had to know how to program a computer in order to break into one. But Alan Paller isn't selling doom and gloom.

"It seems to me that if one uses scare tactics, then one has a responsibility to suggest remediation that is credible and functional," he says, and naturally, his remediation would encourage the audience to sign up for several days' and weeks' worth of SANS classes. "The purpose of raising adrenaline levels is to cause action."

One man attending the seminar, Bob McNeal, is a 34-year-old computer security engineer with a ponytail and a beard-a former sysadmin-type for the Department of Defense and others. He says he's here to see who else showed up, and what they seemed to know. And maybe he's lonely: "The real reason I'm here," McNeal admits, "is that I just don't get out much. I usually just stay in the lab and do my stuff."

In his time rescuing systems from attacks, McNeal says, probably the scariest thing he's seen is blackmail: "When a corporate VP gets a piece of snail mail from someone who says, 'We are inside your machines, and if you don't send x amount of money, we're going to act and something bad will go wrong with your machines.' This happens a lot, and it can take a while to verify if someone is really inside the system or not. Each case we walk into is different."

Paller destroys the world in a curt 12 minutes. It's a simulation, so he likes to remain perky, upbeat. He is almost like a marriage counselor, trying to get the sysadmins and the security wonks on the same page, encouraging them to express themselves to impatient CEOs "in a way that doesn't bore or anger their bosses," and trying to get them to see their own character flaws: He asks the crowd, "Do sysadmins and chief information security officers always have to sound so whiny?"

Probably they do. That is the life of the underappreciated guys in white hats, who, if they get angry enough, can just as easily go home to their basements, turn on the computer and become the villain in the black hat. For the morning anyway, the fate of the world is in their hands.

After everyone has gone, Paller is heady with the thrill of having given a two-hour speech about computer systems and having the new projector work perfectly. You wonder if, in all his years in cyberland, he's ever been the victim.

"The answer is yes," he says. It happened nearly three years ago, when someone hacked into the SANS Institute and sent out pornographic pictures to each and every SANS subscriber. (Currently they number around 74,000.) "It was embarrassing, but we immediately seized on it as a way of making our point. If it could happen to us, and we spend all our time teaching people about computer security, then it could happen to anyone," he says. "I think that's what the hacker was trying to say by doing it. That doesn't mean that I wasn't humiliated by it. There was this horrible, pit-of-the-stomach feeling."

What kind of porn? What were the pictures like? He won't say. On this point, he performs a simple systems correction. He has constructed a firewall around his mind, restricted the access to that moment, blocked out the evil that other nerds may do. "I really don't remember," he says. "I don't need the sadness of the memory to tell you. I block it. I forget things like that." Securely, he charges into the rain.

By Hank Stuever.
WASHINGTON POST 21/09/1999