At the biggest hackers' convention in the world, the cowboys, gangsters and pioneers of computing gathered to try out their new weaponry - including the ominous BO2K. Michael Booth reports
Click to follow
IN BLACK Prada-esque combat trousers and jacket, Kevin Poulson took the stage in the Alexis Park Resort hotel, Las Vegas. He was greeted by the massed ranks of computer hackers with cheers and wild applause. Poulson is something of a folk hero among hackers. Using his handle "Dark Dante", he reportedly hacked into the Pentagon, tampered with FBI and national security wiretaps, and won a Porsche and $20,000 on a radio phone- in by blocking all the other telephone lines to the station. He lived underground for two years, then was caught when he used his real name while online. He faced a 37-year sentence, but received 51 months.

Poulson's lecture at the Alexis Park concerned Fourth Amendment rights, and was fairly dull for the layman. Afterwards I asked him if he could explain to me the workings of the hacker's psyche.

"Real hacking is an aesthetic - they are creating beautiful code," Poulson said. "Hackers are, in a sense, artists. Remember the Sixties TV series Get Smart? It was a James Bond spoof and it had its own version of Q, the man who makes Bond's gadgets. In one episode he made Maxwell Smart a camera that looked like a tape recorder and a tape recorder that looked like a camera, and Maxwell asks him: `Why not just make a camera that is a camera and a tape recorder that is a tape recorder?' And Q narrows his eyes and says: `Because my mind doesn't work that way.' And that's what a hacker is, someone whose mind works in a very tangential, lateral way."

There is something ineffably American about computer hackers. Like cowboys, gangsters and gold-rush pioneers, they operate outside the law, create their own heroes and myths, and stir up a whole heap of misery. Hackers have toyed with satellites, infiltrated national military systems (the US military's computers are compromised daily, according to many Internet accounts), and sparked nuclear scares. But most of them, as I discovered, are more a force for mischief than for evil.

Poulson was talking last month at the seventh annual DefCon jamboree, the largest hacker conference in the world. Las Vegas still thrives on its Wild West instincts, and gathered for the event were more than 3,000 people: hackers, "script kiddies" (adolescent cyber-graffiti artists, who know nothing about writing code but pick up hacking tools from the Net and use them to deface websites), computer security consultants and undercover law-enforcement officers. Their arrival in the city was heralded by a torrential downpour. Roads were transformed into rivers, cars and houses swept away. If it were possible to hack into climate systems, the DefCon delegates couldn't have conjured up a better prologue.

Poulson says that the real hacker threat has passed and that FBI agents are overstating the dangers in order to save their own jobs. But the main event at this year's DefCon offered an unsettling insight into what a hacker can do. As an expectant crowd settled down in the conference hall, the lights dimmed, techno music began to blast from the PA and two revolving images of a cow's head on a crucifix were beamed on to the wall on either side of the stage. This was the much-hyped launch of Back Orifice 2000 (BO2K), a "remote administration tool" created by the 20-strong Cult of the Dead Cow (CDC), one of the world's most talented teams of computer specialists.

BO2K's powers are potentially devastating, and it is freely available over the Web (CDC are clearly not in this for the money). The method is this. First you "trojan" the tool on to someone's computer, by accessing their e-mail address book and then sending them BO2K hidden in a message apparently from a friend (the same method was recently used to propagate the Melissa virus). You then have full remote control of their computer system and software, and can press any button on their keyboard, read their e-mail and send e-mail from their machine. Because BO2K is virtually undetectable, the victim will have no idea what is happening. As I sit at my computer writing this, it is possible that someone, somewhere, is reading my every word.

With BO2K you can award yourself a degree from the university of your choice or have an enemy grievously insult his boss. To some it is nothing short of electronic rape, but the CDC claims that it is acting responsibly by highlighting the deficiencies in computer products. "Most major corporations should be quaking in their boots right now," Laslo Somi, a consultant from Bulgaria, told me joyfully. "It's frightening that Joe Average, sitting in front of a computer, can exploit a whole network."

"A heap of people are going to get trojaned," said another delegate. "But the CDC are doing users a real service by publicising this. These guys could shut down the national grid with this." "It's a brilliant piece of work," said Michael Martinez, a technology journalist. "And I suppose, like any brilliant piece of work, it can be used for good or evil. The wide distribution of Back Orifice will mean many more attacks, and I have to say that just being here makes me a little paranoid."

When I got home I checked out the Cult of the Dead Cow's website - it boasted 128,776 downloads. In other words there are already that number of BO2Ks making mischief out in the ether, and that's not counting the copies passed from hacker to hacker.

It wasn't hard to spot the "old school" hackers: pasty-faced, dressed in black, sporting goatees and ponytails, they were the ones overheard bemoaning the increased popularity, commercialisation and media attention at this year's event. More surprising was the number of younger, hipper males, kitted out in skateboarding gear, with pierced body parts and Oakley shades. "Hacking is like being a supermodel," one delegate told me. "Past 30 it just ain't seemly."

About one in eight of those attending DefCon was female, but the atmosphere was unmistakably macho. The lecture hall emptied in the middle of a talk when word got out that a woman had lifted her "I Know Send Mail Technique" T-shirt for the cameras. Any woman with a low-cut top would sooner or later find her chest adorned with a sticker or inscribed with biro to indicate that, like a computer that had been the target of a successful infiltration, she had been "owned".

A hacker from New York confided to me that, although they weren't especially voracious drug users, many hackers were S&M enthusiasts; given the shared issues of control, domination and terrorisation, this seems fairly logical. (The next morning, 60 or so delegates drove 40 minutes out into the desert, erected posters of Bill Gates and his wife, as well the irritating new Star Wars character Jar Jar Binks, and blasted them into the stratosphere with an assortment of weaponry.)

On one side of the trade hall two men dressed in sumo wrestling costumes were beating each other up, egged on by a baying crowd. This was "Hacker Death Match", and the contestants were probably from opposing hacker tribes (tribes, a means for hackers to pool specialist knowledge, are increasingly common); but sometimes the Death Match will be between a hacker and a security analyst, or even a journalist (another traditional enemy).

On the other side of the hall were 50 or so delegates hunched over laptops on whose screens unfathomable code was scrolling. This was the hacker challenge "Capture the Flag", in which competitors vied to break into a mailhost. In another corner was a fake ID stall, at which perfect replicas of US driving licences were being sold for $20, while nearby stood a lock- picking display and a couple of stalls offering books such as How To Investigate Your Friends, Enemies and Lovers and Be Your Own Dick.

In the centre of the hall, writers from 2600, the hacker quarterly, were selling back copies. I flicked through the latest edition and was given a glimpse of the moral issues with which hackers grapple. For instance, how can a group of people who regularly cite freedom of speech in defence of their actions justify defacing or destroying a website on which someone else is using to have their say? (I later witnessed a journalist, Carolyn Meinel, being physically ejected from DefCon because she is considered an enemy of hackers.) Another common justification for creating the tools that are used to subvert software is that they point out security deficiencies. But by releasing those tools on to the Internet the programmers are effectively giving loaded guns to any maladjusted misanthrope, who can use them to wreak cyber havoc. The supposed enemy, Microsoft (or whichever company designed the software), will merely profit by releasing a newer version of the software.

In the lecture hall, DefCon's MC, "Priest", took to the podium to announce the first game of Spot The Fed. A favourite with the crowd, this involves delegates standing up and pointing to another delegate whom they believe to be an undercover government agent and shouting, "He's a Fed!" The alleged Fed then mounts the podium to take questions from the audience. First up was a stocky man wearing a yellow polo shirt and khaki trousers. The questions ranged from the invasive but polite: "Do you earn more than $50,000 a year?" to the less friendly: "Were your mother and father married?" and practical tips: "Duck him - if he floats, he's a Fed!" Eventually the no-longer-undercover agent brandished his badge with a smile, taking his "outing" with good humour.

"I'm here to get some background for my computer-security research," he told me afterwards. "I didn't think I had anything that overtly said I was an agent, but then I'm not operating undercover. It was fun!" I am told that the "I Am The Fed" T-Shirt has a certain kudos in the Bureau. 1