
User Unknown

Web crawler: Rootfest organizer Lothos worms his way into a site during the convention's hacking contest
Bill Kelley

It's Friday morning at the Minneapolis Convention Center, and a flock of hackers are eyeing the man in a dark blue suit and tie. One teenager says he tried to call the pay phone next to the FBI agent, but it was out of service. Another walks slowly past the man, returns, and reports, "I don't think he's saying anything. I think he's just got the phone off the hook."

Paying close attention to law enforcement and telephone lines comes naturally to the people assembled at the Minneapolis Convention Center May 21-23. They're here for Rootfest, the first hacker convention in the Midwest, and the latest in a growing lineup of such events that started with Las Vegas's Defcon six years ago. Though it's officially billed as a "computer security convention," the implicit understanding is that most attendees will be hackers and sympathetic figures in the security field; the name refers to "root," the term for the log-in account needed to gain full access to a computer's operating system. The man in the blue suit, invited as a speaker to explain federal policies on hacking, eventually leaves the gathering--supposedly called away on a case--but speculation buzzes throughout the weekend that other spooks remain, either from the Bureau or from the Office of Naval Intelligence. Being over 30 or wearing a suit is an automatic cause for suspicion: Most of the 150-some conventioneers, some of whom have come from as far away as Los Angeles and the Netherlands, are young men who favor glasses, long hair, and large T-shirts. They make for a decidedly anarchic-looking group, their large single room bookended by a graphic design convention to the south and a dance-line competition to the north.

Among themselves, the hackers talk and joke amicably, nonconspiratorially: They've come to Minneapolis to learn, but also to meet face to face, to attach human voices to Internet chat nicknames. And they've come to play with toys, the more bleeding-edge, the better. People walk the halls bearing technofetishes like the newest Palm Pilot, a pager that can be used to surf the Web; cell phones and video cameras are practically de rigueur. At the back of the room, on a long row of tables, computers are being set up for play. One lanky teenager builds a mound of four PCs ("mostly dumpster-dived," he says), including one eye-catching, old-fashioned portable with a tiny hinged screen that displays letters in a burned-out yellow tint. The entropy of quick-and-dirty technophilia begins to eat away at the Convention Center's coordinated interior--chairs pulled out of formation, a multicolored vine forest of cables cascading from the backs of machines and squirming onto the floor.

At the center of this digital wilderness is 20-year-old Lothos, the founder and sole organizer of Rootfest. Dressed in an odd blend of business casual and postadolescent MTV garb--denim shirt and playful necktie clashing with baggy tan corduroys and a topknot--he darts anxiously from the registration table at the front door to the networking gear in the back corner, fretting about last-minute cancellations by speakers and the embarrassing lack of high-capacity Internet access. The connection he promised attendees, beamed by satellite from the roof of the Convention Center to a receiving station a few blocks to the north, isn't going up according to schedule.

But though Rootfest is probably the most ad-hoc operation the Convention Center has ever seen (the registration table is being run by Lothos's mother and his girlfriend), it's not bad for a first-time event whose founder just finished his freshman year studying computer science at a Minnesota college he refuses to identify. Lothos says his hacking days are now behind him, but he decided to pull together Rootfest to provide a gathering place for hackers and help improve their public image. "The media portrays us as criminals, pretty much," he says, noting that government agencies seem to rank the act of breaking into a computer system--regardless of motive--in the same category as theft, vandalism, and fraud.

Indeed, headlines about hacking's dangers accompany Rootfest like background music: Shortly before the convention, a grand jury indicted a Texas 19-year-old who, authorities say, is Zyklon, a hacker Lothos used to run with in the group Legions of the Underground. LoU itself gained notoriety earlier this year when people claiming to be part of the group announced their intention to attack government systems in Iraq and China, while other members denied having any such plans. Closer to home, Rootfest made news before the convention itself started, when the city of Minneapolis took the Convention Center off its wide-area network. Minneapolis chief information officer Dan Saelenz now downplays the decision, saying the city used the occasion "as an educational opportunity to remind people about security in the network world today."

To an anxious computer user, Rootfest might indeed seem like a training camp for renegade geeks determined to break into your network, delete your files, and steal your credit-card number. One of the speakers, Matt Willis, offers an introductory discussion on how to circumvent firewalls--systems used to limit access to internal networks via the Internet. In the back of the room, a hacker shows off a list of logins and passwords he discovered on a corporate server simply by making a lot of educated guesses. (A surprisingly high number of users apparently choose the same string of letters for their login and their password.)

 

Conventioneers, however, insist that they are motivated only by an abiding technical curiosity flavored with the illicit but benign thrill of trespass. Twenty-year-old Konceptor pulled off his first hack at age twelve, when his mom took him to her office for Bring Your Child to Work Day and he guessed her computer password. Eight years later, he calls hacking addictive: "When you get into a system and you realize you're not supposed to be there, you get a big rush."

Malicious behavior, on the other hand, is generally considered the province of "script kiddies"--a derisive term for neophytes who don't know the fundamentals and simply use the hacking programs now available on the Web. (One of them, Back Orifice, can be used to give another user remote access to your Windows 95 or 98 computer if you're fooled into installing it: The Trojan horse program is sometimes disguised as another application, or attached to other files.)

In associating destructiveness with inexperience, the term "script kiddie" also hints at many hackers' belief that understanding technology leads to a greater respect for its proper use. Recalling his experience with Unix, the breed of operating systems that runs on most high-powered servers, Lothos points out that learning about computers creates an appreciation of the work of others: "I've set up Unix boxes, I admin Unix boxes, I know what goes into it. And I would never maliciously remove someone's hard drive or delete any of the files." Further, hackers argue that they constitute a rigorous test market of sorts--that finding and publicizing flaws in computer systems forces manufacturers to fix problems that criminals will inevitably discover anyway. "Most manufacturers lie to customers and say their stuff is secure, and the work of hackers in exposing vulnerabilities is essential," charges Bruce Schneier, one of the most prominent figures in the field of cryptography and a Rootfest speaker. "You wouldn't have secure products if it wasn't for them."

Early Saturday evening, the Rootfest attendees are running a test center of their own. The tables in the back room strain under two dozen computers; speakers spew everything from Björk to the Cookie Monster theme as users play Quake 2 and wait for the hacking contest to begin. The rules call for each of five teams to set up a computer with a Web server, and to try to hack into every other team's server, leaving a mark on the victim's Web page. The network problems persist, however, and participants are getting impatient. One man plugs his laptop into the overhead projector and brings up The Matrix--he has the entire movie, dubbed from an original print, on his hard drive as one massive MPEG file.

By the time the network comes up, a couple of teams have taken off for the night, and the room is a little more subdued. The noise settles to intermittent suggestions and trash-talking, mixed with the unremitting clacking of computer keys. "Who's got 25?" cries out Lothos, referring to one of the assigned addresses within the room's network. "We just packeted you to death." ("Packets" are individual units of data sent over a network, and a surprisingly common bug in most operating systems will make a machine crash or reboot if it's sent a large enough packet.) The room settles back into the murmur of competitive exploration, of typists digging and nudging for weaknesses and holes.

Lothos watches with five other people as Bah_, a friend and Legions co-conspirator, uses a program to scan another contestant's machine for exposed points of entry. "This is sad," says Lothos, looking at Bah_'s monitor, "He's got all the script-kiddie tools. He's got a menu, even." Someone pulls Lothos to the side and offers him an edge on the competition--a little-known security analysis program written by one of the nation's top firms and clearly not destined for public consumption: As Bah_ pops in the CD-ROM, Lothos's benefactor asks a bystander to turn off his video camera.

Bah_ types in a few commands, and suddenly the screen is awash in a cascade of text describing each file as it's installed. "Are those all exploits?" Bah_ asks the man, realizing that each line means another way to look for a security weakness. "Oh my God, I love you." The lines keep scrolling up, and the group clustered around the screen falls silent for a second, waiting in the glow of new power, of new knowledge.

