AOH :: P35-03.TXT

Phrack Profile of Chris Goggans



                                ==Phrack Inc.==

                Volume Three, Issue Thirty-five, File 3 of 13

                 -*[  P H R A C K  XXXV  P R O P H I L E  ]*-

                             -=>[  Presents  ]<=-      

                        Sincerely Yours, Chris Goggans
                        -===--===--===--===--===--===-
                             by S. Leonard Spitz
                             Associate Publisher
                          INFOSecurity Product News

"A provocative interview with a former member of the "Legion of Doom" suggests
that the ethics of hacking (or cracking) are often in the eye of the beholder."

Malicious hackers, even though most operate undercover, are often notorious for
the colorful pseudonyms they travel under.  Reformed hackers, however, prefer a
low profile so as to shed their image of perceived criminality.  Kevin Mitnick,
infamous for the DEC caper, is one of the foremost advocates of this strategy.

Now comes Chris Goggans, trailing his former "Legion of Doom" moniker, Erik
Bloodaxe, behind him, to try it his way.  Goggans insists that where once he
may have bent the rules, he is now ready to give something back to society.
And coming across with a high degree of sincerity, he affirms his intention to
try.  Are he and his colleagues, wearing their newly acquired information
security consultants hats, tilting at windmills, or does their embryonic,
cracker-breaking start-up, Comsec Data Security Co., stand a fighting chance?
We thought we would ask him.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

ISPNews: I am going to ask several legitimate questions.  Please answer them
          completely, truthfully, and honestly.

Chris Goggans:  OK.


JUDGEMENT BY THE MEDIA

ISPNews: Would you react to Computerworld's July 29 piece, "Group Dupes
          Security Experts," <also seen in Phrack World News issue 33, part 2
          as part of the article called "Legion of Doom Goes Corporate> in
          which members of your organization were accused of masquerading as
          potential customers to obtain information, proposals, and prices from
          other security consultants?

     CG: We were all amazed that something like that would ever be printed
          because, as we understand common business practices, we weren't doing
          anything unusual.

ISPNews:  Computerworld reported that the Legion of Doom was "one of the
          nation's most notorious hacker groups, according to federal law
          enforcers."  Can you respond to that?

     CG: Notorious is a relative term.  There has always been a shroud of
          mystery covering the Legion of Doom, because it was an organization
          whose membership was private.  When you keep people in the dark about
          the activities of something, there is always going to be the
          perception that more is going on than there really is.

ISPNews: Would you say then that the characterization of being notorious is
          unfair?

     CG: To some degree, yes.  There certainly was activity going on within
          the group that could be considered illegal.  But most of this was
          taking place when members of the group were all between the ages
          of 14 and 17.  While I don't want to blame immaturity, that's
          certainly a factor to be considered.

          The Legion of Doom put out four <issues of an> on-line electronic
          newsletter <called the Legion of Doom Technical Journals> composed
          of different files relating to various types of computer systems
          or netware.  They explained different operating systems or
          outlined different procedures used by networks.  They were always
          informative and explained how to use a computer.  We never said
          "This is a computer and this is how to break into it."

          Colorful names and words used to describe groups also add to
          notoriety.  If we had been the "Legion of Flower Pickers," the
          "Legion of Good Guys," or the "SuperFriends," there probably
          wouldn't be this dark cloud hanging over the group.

ISPNews:  Could you be charged with intent to provide information to others
          which would make it easier to gain unauthorized access?

     CG: I don't see how that could be a charge.  There's the first amendment.
          I maintain that talking about something and encouraging or forcing
          someone to do it are completely different.


EARNING AN "A" IN INFOSECURITY

ISPNews:  What attracted you to computer security?

     CG: The same thing that would attract anybody to being a hacker.  For
          half of my life I've been in front of a computer every day.
          Sometimes from early in the morning until the wee hours of the night.
          And my particular focus has been on computer security.

ISPNews:  At least the dark side of that coin.

     CG:  I wouldn't say the dark side.  I'd say the flip side.  If you do
          something for 11 years, you are going to pick up a lot of knowledge.
          And I've always wanted to find some kind of productive career that I
          thoroughly enjoyed.  So this was just an obvious progression.  No one
          wants to be a 40-year-old hacker living in fear of the Secret
          Service.

ISPNews: When you first applied to enter college, did you feel that it was the
          right place to learn about information security?

     CG: Yes, I thought it was the right place, mainly because college is the
          most obvious choice to pursue an education in any field.  I just
          assumed that I would be able to find formal training leading to
          certification or a degree in this field.  Yet, at the University of
          Texas, there wasn't anything along those lines.

ISPNews:  Did you graduate from the University of Texas?

     CG: No, I changed majors and then moved to Houston.  I had started out in
          computer science but it was completely unrelated to any kind of
          career I wanted to pursue.  I eventually changed my major to
          journalism.  There are only two things I like to do:  Work on
          computers, and write.  So, if I wasn't going to get a degree in one,
          it was going to be in the other.  I'm a semester away, and I do plan
          on finishing.

ISPNews:  If you were to structure a college curriculum for studies in
          information security, would you design it to focus on technical
          issues, ethics, business issues, or legal matters?

     CG: I would try to focus on all of these.  If you don't have a technical
          background, you can't understand the way the operating system works,
          and you really can't focus on some of the issues that need to be
          addressed with information security.

          Ethics certainly come into play ass well for obvious reasons.  I
          don't think hackers are going to go away.  Even with the advent of
          newer technology, there are always going to be people who have an
          interest in that technology and will learn how to manipulate it.


ETHICS, INTELLECTUAL PROPERTY RIGHTS, AND THE LAW

ISPNews:  What is your definition of a hacker?

     CG: A Hacker is someone who wants to find out everything that there is to
          know about the workings of a particular computer system, and will
          exhaust every means within his ability to do so.

ISPNews:  Would you also comment on the ethics of hacking?

     CG: There is an unwritten code of ethics that most people tend to adhere
          to.  It holds that: no one would ever cause damage to anything; and
          no one would use any information found for personal gain of any kind.

          For the most part, the only personal gain that I have ever seen from
          any sort of hacking activity is the moderate fame from letting others
          know about a particular deed.  And even in these cases, the total
          audience has been limited to just a few hundred.

ISPNews:  Are you unaware of hackers who have in fact accessed information,
          then sold it or massaged it for money?

     CG: No, certainly not.  I am just acknowledging and defining a code of
          ethics.  We of the Legion of Doom tried to adhere to that code of
          ethics.  For example, members of the original nine who acted
          unethically were removed from the group.

ISPNews:  Do you believe that penetrating a computer system without either
          making changes or removing information is ethical, or a least is not
          unethical?

     CG:  At one time in the past I may have held that belief, but now I
          certainly must not, because the whole idea of being involved in the
          formation of my new company, Comsec Data Security, would show
          otherwise.

ISPNews:  So today, you believe that unauthorized entry is unethical.

     CG:  Exactly.  As a hacker, I didn't particularly hold that.  But as
          things such as invasion of privacy, even though I never caused any
          damage, and breach of trust became more apparent to me, I was able to
          step back, see the picture, and realize it was wrong.

ISPNews:  Can I conclude that you are speaking for you company and its
          principals?

     CG:  Yes, I am speaking for all of the principals.

ISPNews:  What are your views on the ownership of information?

     CG:  I feel that proprietary information, national-security-related
          information, information that could be considered a trade secret, all
          definitely have ownership, and access should be restricted.

          In the past, I felt that information that affected me or had some
          relevance to my life should be available to me.  I felt that
          information should be available to the people it affected, whether
          that be phone company information, credit bureau information, banking
          information, or computer system information in general.  I am saying
          this in the past tense.

          In the present tense, I feel that the public is entitled only to
          information in the public domain.  Information not available legally
          through normal channels is just going to have to be left at that.

ISPNews:  Do you believe that software should always be in the public
domain.?

     CG: No, I do not.  If I wrote something as wonderful as Lotus, or any of
          the Microsoft programs, or Windows, I would want people to pay for
          them.

ISPNews:  Then you do believe in private ownership of and protection for
          software?

     CG:  Yes, definitely.

ISPNews:  What are you views on current U.S.  Computer crime laws?

     CG:  I think that the current laws are too broad.  They do not make
          distinctions between various types of computer crimes.  I consider
          breaking into a computer akin to trespassing.  If someone simply
          walks across my lawn, I might be upset because they trampled my
          grass, but I would leave it at that.  If someone drives across my
          lawn and leaves big trenches, and then comes over and kicks down my
          rosebush, well that's another thing.  Then, if someone drives up my
          steps, goes through my house, through my kitchen, steals all my
          silverware, and then leaves, that's something completely different.
          And while these physical representations of trespassing can't be
          applied directly to an electronic format, distinctions are still
          necessary.

ISPNews: And the present computer crime laws do not make these distinctions?

     CG: I am no lawyer, but from my understanding they do not.  They need to
          be brought into focus.

ISPNews: If they were brought into the kind of focus you suggest, would they
          be fair and equitable?

     CG: Definitely, depending on the punishment that went along with them.  I
          don't think that people who own and operate computer systems would
          view someone who has logged into their system using a guest account
          that was deliberately left with no password to be as serious an
          intrusion as someone who got the system administrator password and
          then went through and deleted all the files.  I don't think that
          simple intrusion would be considered as serious as unauthorized
          penetration along with the wholesale theft and sale to a competitor
          of marketing information, and advertising plans, and financial
          projections for the next quarter.

ISPNews:  What are your views on security training for users?

     CG: People need to be taught what the computer operating system is and
          how it works.  After that, they need to establish some sort of
          channel by which information can be transmitted to others. Direct
          physical contact between communicating parties, covered by official,
          standard company procedures, is the best way to do this.

          People need to be aware that their account, no matter the level of
          importance, is a link in a chain that makes up the security of the
          system.  Information from one account can be used as a springboard to
          other, more powerful accounts.  All users within a network must
          understand that their information is just as important in the
          security chain as is that of the next person.

ISPNews: Given where you are coming from, why should a potential client trust
          you?

     CG: I know that is a natural question.  Just the very nature of creating
          a company should project an image that we are trying to come out of
          the shadows, out of the underground.  We are saying, "Look everybody,
          we've been doing this for a long time, now we want to help.  We have
          11 years of working information about how people compromise existing
          security, and we can help with your particular situation."

ISPNews: I am sure that you understand the natural suspicion that people have.

     CG:  No, that's what I don't understand.  If we at Comsec were out to
          compromise information from an existing company's computer network,
          we wouldn't have incorporated.  We could have done that, and someone
          else out there probably has already done so.  Then the information
          would be available to from one hacker to another.

ISPNews: Are you suggesting there is no system out there that you can't break
          into?

     CG: No, I'm not suggesting that.  But I am saying the vast majority can
          be penetrated.

ISPNews:  Which system is easiest to crack; and which is most difficult?

     CG:  It is hard to say which system is more inherently penetrable than
          another.  From the initial log-in, it's not the operating system;
          rather it's the system's operating environment that is the problem.
          Users may not have addressed security measures.  Certain types of
          security holes may not have been closed.  That's where a technical
          background comes into play: to understand the way the applications
          work; how different systems are accessed; to close holes in the
          system which have become apparent.  You have to deal with human
          factors and technical issues.  You must understand the way the
          computer works and the way programs are run.

ISPNews:  What is the best way to foil hackers?

     CG: It depends on the hacker.  There are different types.  Some people
          hack with modems.  The casual hacker may just stumble across your
          particular computer system, and may be foiled with something as
          simple as good external security.  He may be turned off by physical
          security devices such as a call-back modem, some sort of code access,
          or smart card.

          These measures will not stop a serious hacker who is after your
          company specifically.  In this case, you have to beef up security,
          and take additional steps to ensure the safety of your computer.  And
          you must make certain that security on the inside is as tight as on
          the outside.

ISPN Editor's Note:  Chris Goggans will respond, in every other issue of
                     ISPNews, to your questions on hacking computer systems.
                     His answers promise to be problem-solving, interesting,
                     and even entertaining.  We invite you to write Chris c/o:

                     "Hackers' Mailbag"
                     ISPNews
                     498 Concord Street
                     Framingham, MA  01701-2357
_______________________________________________________________________________


AOH Site layout & design copyright © 2006 AOH