Why we need hackers

It’s not always independent researchers who spend their days trying to break software and digital security mechanisms — sometimes the vendors get in on the action as well.

Cryptographer Scott Fluhrer, who works for Cisco, is probably best known for being one of the team responsible for sending the Wired Equivalent Privacy (WEP) standard to the computing graveyard.

WEP was the default standard for wireless network encryption, but a paper published in 2001 by Fluhrer and two Israeli researchers, Weaknesses in the Key Scheduling Algorithm of RC4, showed just how flawed the encryption scheme is.

You may be asking, at this point, why on Earth vendors are still shipping wireless networking equipment with WEP "security" built in? Well, one reason is for backwards compatibility, and the other is that it’s "better than nothing", but only marginally.

Thanks to Fluhrer and a few others, cracking WEP is trivial.

This means you can access your next door neighbour’s access point for free Internet access, or even sniff their data as it flies back and forth. Why you’d want to read your next door neighbour’s email is anyone’s guess, but you get the drift: WEP is useless.

If you want real wireless security, you’ll need WPA, or Wi-Fi Protected Access.

So what was Fluhrer’s motivation? He happily admits ego was involved, which makes one wonder: if someone admits to being motivated by ego, does that make them humble?

'As much as I’d like to say "it’s to make the world a more secure place", well, that really wasn’t my main goal,' he wrote in an email to PC Authority. 'Ultimately, I suspect it was that I could, and to show people I could.'

At least he’s honest.

Still, there were also some altruistic motives at play; Fluhrer says it’s important to research weaknesses in security schemes and make them public. 'After all, with security, it’s quite difficult to determine if what you’ve designed actually works; whether it is actually secure,' he explains. 'The only way we know to test that is to have skilled people try to break it. Given that, it’s obviously better to have the good guys break it first.'

The disclosure aspect is also important, Fluhrer says. 'It’s quite impossible to tell the good guys about the weakness without telling the bad guys about it too,' he argues. 'If we don’t publish the results, then any bad guy who stumbles on the same result will be able to break it at will. If we just claim to have results without publishing them, we wouldn’t be taken seriously… By publishing the results, we let companies who take security seriously update their equipment.'

So how did he break WEP?
'I did some simulations based on random sets of related (cryptographic) keys, and while I didn’t find the weakness I was looking for, I did notice an anomaly where occasionally, a set of related keys would act quite non-randomly,' he says. 'I tracked down what was happening in those cases, and found the basic observation the attack was based on.'

But Fluhrer misunderstood how WEP worked, so his research didn’t break WEP directly. 'At this point, I went to a technical conference, and ran into (Israeli researchers Itsik) Mantin and (Adi) Shamir. We decided to collaborate,' he says. 'Together, we refined the attack, including how these results could be applied to the real WEP protocol.'
The rest, as they say, is history.
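The kind of anomaly Fluhrer describes, a cipher that "acts quite non-randomly" when you simply run it many times and count, can be reproduced in a few lines. The block below is an added example, not Fluhrer's code or anything from the paper: it implements RC4 (key scheduling plus the output generator), checks itself against the published test vector for the key "Key", then tallies the second keystream byte over many random 16-byte keys (key length and seed are arbitrary choices). A uniform generator would produce 0 about once in 256 times; RC4 does so roughly twice as often, the second-byte bias published by Mantin and Shamir, which a specification review never reveals but a simulation does.

```python
import random
from collections import Counter


def rc4_ksa(key):
    """RC4 key scheduling: derive the 256-entry permutation S from the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key, n):
    """First n keystream bytes produced by RC4's output generator (PRGA)."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def second_byte_histogram(num_keys, key_len=16, seed=2001):
    """Distribution of the 2nd keystream byte over num_keys random keys."""
    rng = random.Random(seed)  # fixed seed: the simulation is repeatable
    hist = Counter()
    for _ in range(num_keys):
        key = bytes(rng.getrandbits(8) for _ in range(key_len))
        hist[rc4_keystream(key, 2)[1]] += 1
    return hist


def second_byte_bias(num_keys=16000):
    """How often byte 2 is zero versus the average count for any other value.

    A uniform generator gives a ratio near 1; RC4 gives roughly 2
    (the Mantin-Shamir second-byte bias)."""
    hist = second_byte_histogram(num_keys)
    zeros = hist[0]
    average_other = (num_keys - zeros) / 255
    return zeros, average_other


if __name__ == "__main__":
    assert rc4_keystream(b"Key", 10).hex() == "eb9f7781b734ca72a719"
    zeros, other = second_byte_bias()
    print(f"byte 2 == 0: {zeros} times; other values: {other:.1f} on average")
```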

Hacking tools: For better or worse?
Security research isn’t all about breaking software; sometimes it means creating it. Gordon Lyon, who’s better known by his handle Fyodor, achieved a fame of sorts when he wrote the Nmap network scanning software.

Nmap, a port-scanning utility, has become the de facto standard tool for good guys and bad guys alike. It’s a relatively simple piece of software that scans IP ranges for open or closed ports. It can identify running services, like Web-server or mail transfer software, Trojan software and even the operating system of the target machine.

But it wasn’t until his utility made a guest appearance in The Matrix Reloaded that Fyodor got serious kudos from the geek elite. 'That was pretty awesome,' Fyodor told PC Authority. 'Especially since I had no idea it would happen.'

He’d scored tickets to a midnight showing when the movie was released. Sensing a “hacking scene” was approaching, Fyodor shuddered. 'I was like “oh no! These are always terrible!”,' he says. 'Then I saw her (the Trinity character) whip out Nmap and was amazed.'

Fyodor’s movie companion, James Hong, the man behind the lurid dotcom operation hotornot.com, was as stunned as he was. 'Let me tell you, you can spend almost 10 years writing a port scanner, adding all sorts of great and useful features,' Fyodor says. 'But you don’t get nearly as much press from big new releases as when some hot celebrity chick in black vinyl uses Nmap for five seconds in a movie.'

But if anything, Fyodor finds Internet fame a little embarrassing. He took his nickname from Russian author Fyodor Dostoevsky. 'I’m a little embarrassed that a Google search for Fyodor now lists me before Dostoevsky,' he says. 'I guess it is hard to earn and maintain a decent PageRank when you’re dead.'

Fyodor, who’s now based in California and spends his days maintaining Nmap, says he never thought the side project would take off. He released it as open source software, and the response was overwhelming. 'Tons of people started sending me suggestions, improvement ideas [and] patches,' he says. 'So I decided to release one more version, and well, here it is nine and a half years later and I just released a version two nights ago.'

Today, Fyodor makes a crust by licensing Nmap to software companies that include it in their products. It’s a legitimate enterprise, but not even Fyodor himself saw it coming. 'One reason I used a handle was I was worried I’d get sued, harassed,' he says. 'But actually the response has been extremely positive in almost all cases.'

If someone is sophisticated enough to know what Nmap is, they also understand how much value it can bring them in terms of securing their own network, he adds. 'The very first step in securing your network is understanding what is really going on. So you whip out Nmap to inventory your systems, check whether any unexpected ports are listening, ensuring that your firewall is really behaving as you expect it to.'
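The inventory check Fyodor describes, as an added example that is not Nmap's own code or anything from Fyodor: it reads a constructed sample in the shape of Nmap's XML output (`nmap -oX`), compares each host's open TCP ports with a hypothetical baseline of what that host is supposed to expose, and reports the three kinds of drift a defender cares about: ports open that should not be, baseline ports that are not reachable (a firewall or a dead service), and hosts the baseline does not know about.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -oX` output; not a real scan.
SAMPLE_SCAN = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
</ports></host>
<host><address addr="10.0.0.9" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="25"><state state="filtered"/><service name="smtp"/></port>
</ports></host>
<host><address addr="10.0.0.23" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
</ports></host>
</nmaprun>"""

BASELINE = {  # hypothetical baseline: TCP ports each host should expose
    "10.0.0.5": {22, 443},  # web server: ssh and https only
    "10.0.0.9": {22, 25},   # mail relay: smtp must be reachable
}


def open_ports(xml_text):
    """Map each host's IPv4 address to the set of TCP ports Nmap saw open."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if (port.get("protocol") == "tcp" and state is not None
                    and state.get("state") == "open"):
                ports.add(int(port.get("portid")))
        inventory[addr.get("addr")] = ports
    return inventory


def audit(inventory, baseline):
    """Compare a scan inventory with the baseline and return the drift."""
    findings = {"unexpected_open": {}, "expected_missing": {}, "unknown_hosts": []}
    for host, ports in sorted(inventory.items()):
        if host not in baseline:
            findings["unknown_hosts"].append(host)  # nobody owns this box
            continue
        if ports - baseline[host]:
            findings["unexpected_open"][host] = ports - baseline[host]
        if baseline[host] - ports:
            findings["expected_missing"][host] = baseline[host] - ports
    return findings
```

Run `audit(open_ports(SAMPLE_SCAN), BASELINE)` to see the stray MySQL listener, the unreachable SMTP port and the unregistered host reported separately; a real scan is fed in by reading the `-oX` file instead of the sample string.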

Besides, the bad guys already had access to scanning technology prior to the release of Nmap, even if it wasn’t as sophisticated, Fyodor says.

At 29, Fyodor, a self-confessed workaholic, has some expensive hobbies, racing his BMW M3 coupe for kicks. 'I love to ski in the winters at Tahoe, I like driving fast, taking my car to the racetrack or going go-kart racing,' he says.

Fyodor, the author of the Nmap network scanning software