An Interview with Jericho from Attrition.org
Earlier this year I began my quest to interview some of the most interesting folks in the Colorado security community. The goal of this series is to explore some different perspectives on security in the region, and have some fun doing it. In March, I interviewed information lawyer Dave Navetta. In April I sat down with Chris Petersen, co-founder of Boulder-based LogRhythm, and in June I spoke with Johan Hybinette, CISO for Hosting.com.
I received feedback from a few readers that they’d be interested in hearing from someone from the hacker/offensive security side of things. I have had the opportunity to work with Jericho while planning the Denver B-Sides conference the last couple of years. I thought this would be a great opportunity for me to get to know him better and tell at least a part of his story.
Brian Martin, better known as Jericho throughout the security community, was gracious enough to accept my invitation to get together over lunch and talk security. We met at Ginza Sushi near DU for a couple of hours. Our conversation drifted all over the place… from phreaking, to FBI raids, to the current (frightening) state of security. I tried to capture as much of the essence of the conversation as I could below.
My questions are indicated in bold, with Jericho’s responses paraphrased below.
Jericho, you’re one of the big names in the security community here in the Denver area. So, as a starting point, are you from Denver?
No, originally I’m from South Carolina. I lived in Denver from 1993 to 1996 then left for work. When I had a job that allowed me to pick where I lived, I came back to Colorado. I’ve been back since 2003.
How did you get involved with security in the first place?
I’m one of the few people in the industry that will openly admit, “Yeah, I used to break into computer systems. I fractured an occasional law or two.”
I’m interested in hearing more about that… but let’s go back a bit further. What drew you into computers and hacking?
I had a computer system when I was 7 or 8. I had a Trash 80 and a Commodore 64. My step-father got me a computer basically thinking it would be pretty cool. I mostly would play games, but then started to code.
First Logo, then GW-BASIC. Then in high school, I moved to a recently built school in Arizona that had two programming classes. I took Pascal and Basic there. The year after I left they started teaching C. I believe that if I’d been there a year later and learned C, I’d probably have stuck around in programming. At that high school I also got to take two years of AutoCAD.
Wow, that was a seriously advanced high school. We’re about the same age, but I was learning to type on typewriters when I was in high school.
Yeah, they had a lot of money and some nice programs. After high school I ended up going to Texas Tech to study architecture and civil engineering. Their program was antiquated, and didn’t allow us to use computers for design until the 5th year out of 6. After a couple years I decided it wasn’t for me, and left. I ended up coming to Colorado and getting into computers.
What did you do here in Colorado?
I worked jobs at places like Best Buy and Computer City. At that same time I started pretty heavily into phreaking, and then hacking.
Tell me about that.
There was a group of us here in Denver, we called ourselves TNO… The New Order. We were pretty good. Several times a week we got together at one of our apartments and just hacked stuff all night long. We did a little of everything at the time. We’d spend time putting back together shredded documents, phreaking (phone hacking), attacking PBXs, voicemail boxes. When we hacked on the Internet we’d bounce through three different phone systems before we went out through the Colorado.edu network. It might seem a bit paranoid, but in hindsight it really wasn’t. A lot of people got busted for exactly the things we were doing, but we never did.
And what did you do once you were on the Internet?
It was a brave new world. We had access to computers and operating systems that we’d never seen before. These days it’s easy to get an image of any operating system you want. But back then they simply weren’t available. The only way to get access to Solaris or Cray systems was to hack. We wanted to learn… and hacking allowed us to do that.
We understood that what we were doing at the time was not legal. However, we also thought it was pretty harmless. We weren’t looking to do anything malicious. In many cases, we would actually leave the systems in better shape than they were when we got there. We’d fix things, make them run smoother, and harden them so that nobody else could get onto the systems we had owned except us and the sys admin.
Where does the 303 group come from? This timeframe?
If you ask a dozen people in 303 the origin of the name, you’ll get 13 different answers. It’s muddy. In the phreaking days we always referred to places by their area code instead of the city name. So people from Denver were from 303. The first time I heard it mentioned was by someone negatively referring to the various hacker groups in the area. In 1994 or 1995 a woman called us, “Those 303 guys,” in the context of a criminal outfit. Until then we were just a handful of local hacker groups who would occasionally see each other at a 2600 meeting. She was referring to us as though we were a real gang, and we ended up going with it, ironically at first, then more seriously later.
303 has never been a formal thing. You don’t decide you’re going to join 303, 303 decides you’re one of them. You hang around for a while and eventually it just happens. It’s come a long way since then. Now there’s a 303 mail list, a party every year at DefCon, and other gatherings. But there’s no real leader or organizer for the group. The way a meeting happens… someone posts they want to meet up, and if people show up, it is a 303 gathering.
Where did the handle “Jericho” come from?
As a hacker I used to change my handle every few months, never happy with it. But as I cycled through handles I had to keep a username that would work on a Unix box. Back then a Unix login couldn’t be more than 8 characters. Many of my handles were longer, so I just consistently used Jericho for the account. It was the only consistent name I used, so people began calling me that. I didn’t choose it, it just stuck.
Did you have any negative repercussions from hacking?
Not at this point, but the FBI came knocking a few years later. I’ll tell you about that in just a bit.
So, how and why did the hacking come to an end?
In 1995, a hacker friend worked at a trade college teaching the more advanced computer classes… like building, repair, and programming. He got me the job there. When I got that first “real” job, I realized I had too much to lose and I quit hacking cold turkey.
How did you get into security professionally?
In 1996 I had my first interview for a security job as a penetration tester. I was clearly not going to get the job because while I had a lot of real world experience, there wasn’t much on my resume. These guys were somewhat impressed with what I could do, but being government and military contractors, they needed to see something on paper. So, seeing that they were reluctant, I asked one of them to pass me his cell phone. He did… it was an old Motorola flip phone. I jumpered it into test mode, flipped it over to a different channel, and handed it back to him. He asked, “What am I listening to?” I told him, “Someone else’s conversation within 50 yards.” “You’re hired.” The next day I was a security professional.
I moved around between security companies for a bit, doing penetration testing. In 1998 the New York Times was defaced by hackers. Back then newspapers, especially the Times, had a lot of pull. They put a ton of political pressure on law enforcement to find the people who did it.
Is this where the FBI shows up?
Yes. The FBI came knocking on my door. They thought that either I or one of my enemies at the time was responsible for it. They raided both of us hoping to get lucky. I had not done any hacking for years at that point, and was innocent. However, they took all of my systems, only to return them seven years later after many requests.
They’re supposed to return it after five, but it’s a common tactic to hold onto it a little longer. They were sure that I had done it, but they couldn’t provide any evidence. They weren’t even able to convene a grand jury to try me due to lack of evidence.
So, who were you working for at that point?
I was part owner in a startup security company. We were consultants doing pen testing and other security work.
Did the raid impact the company?
Absolutely. Having that kind of cloud hanging over a small company is toxic. As a matter of fact, the company ended up shutting down as a result. Earlier you asked if there were any negative repercussions of hacking. In this case I didn’t do the hacking, but my involvement in that community in the past made me a suspect here, and ended up wrecking a business.
What came next?
For the next couple years I spent my time doing training instead of consulting. I taught people pen-testing, security, and forensics. Interestingly enough, I ended up teaching the FBI some forensics courses.
So, does that mean you were teaching them how to catch hackers?
I was really teaching them how to do their jobs the right way. During their raid of my systems it was obvious they weren’t very good at it. They were entering commands and making changes that damaged the forensic integrity of the systems they confiscated.
After training, I had the opportunity to do more penetration testing. Interestingly enough, that included doing work for the Department of Justice. I got to do testing against all of their agencies except the FBI. During my conversations with the DOJ, I made it clear that I had been raided by the FBI. They said, “Innocent until proven guilty” and let me work for them. That was when I first realized that being honest about my past would work, and indeed, was a lot better idea than trying to cover it up.
Where did attrition.org start up?
I had started hosting sites a few years earlier, but started attrition.org in 1998. We started gaining a lot of attention with our defacement mirror. People would send us copies of any website defacements they performed and we would publish them on attrition.org. We did this for about a year and a half. It caught on and became a big deal. It turned into a full time job for two of us. We were working full time, and any time we weren’t working or sleeping we were updating the defacements page.
Did you monetize it?
No. We could have, but we wanted to be a trusted source.
Did running a defacement mirror attract any law enforcement attention?
We regularly had law enforcement asking for logs and information for defacements, but we wouldn’t provide the information unless they came with a subpoena.
And did they subpoena you?
We received three subpoenas. One from the US Post Office, one from the FBI and one from the Department of Defense. A lot of other cases could have been closed if they had subpoenaed us, because many of these hackers would mail us the defacements from their own home systems, so the logs showed their home IP address. The cases would have been delivered to them on a platter if they’d come to us.
After we stopped doing the defacement mirroring, we started with Going Postal. This was a fun project. People would email us with things like, “How do I hack?” and we would reply in funny ways. Some of them were insulting, some would lead them on, and some would make them do outlandish stuff.
“Send me a picture of a squirrel to prove you’re real.” It was just a way to blow off steam. That was a good one. We were emailed by a guy who wanted to change his grades. He asked us to hack into the school’s system and change them. We made up a story about getting caught doing the hacking for him, and going on the run, driving cross-country to avoid the law. It turns out that the guy emailing us was a congressional aide who ended up losing his job for it.
At the same time Errata had been going. In 2005 it started to pick up popularity.
Tell me about Errata.
We had written biographies of some charlatans already. But we started tracking data breaches as well. This became incredibly popular. We had journalists and others contacting us for information regularly. We ran that for a while and ended up passing the project over to the Open Security Foundation (OSF), which I’m part of. But we turned the breach data into an official project with its own domain and a dedicated developer.
Errata was really a proof of concept. I wanted to show that you could call out the fakes and be able to stand up to the legal and physical threats. I never really enjoyed doing the Errata work, but I think it’s important, and needs to be carried on.
So, what are you doing now?
I’m spending my time on the OSF run vulnerability database, called the Open Sourced Vulnerability Database (OSVDB). Cataloging and improving our vulnerability awareness is what I’m passionate about. OSF’s projects have led to a commercial company, Risk Based Security (RBS) to ensure the projects have the funding required to continue. I head up their Vulnerability Intelligence team along with Carsten Eiram. This is in addition to my day job.
You’ve had the chance to watch security evolve over the last two decades. What’s your opinion about the state of security today?
It’s dismal. Frankly, it’s the worst it’s ever been. We have more malware, more breaches, more vulnerabilities, more bad guys, more people profiting off the bad, and we’ve got less highly skilled defenders. The highly skilled guys aren’t defending; they’re off doing their own offensive research. This is one of the problems we have, people are researching and creating “new” systems for vulnerabilities but they aren’t pushing the field forward at all.
Totally agree. The problem we have in security isn’t in knowing what to do, it’s having the resources and ability to actually implement those great ideas.
Yeah. For those on the defense side, they’ve got too many systems, too few resources, and too few people, working against terrible odds. We are going up against a legion of people who click links, we’ve got layers upon layers of vulnerable software, and we’ve got more vulnerabilities than we can possibly handle and write patches for.
The threats are increasing dramatically. The vulnerabilities are increasing rapidly, and our dependence on technology is increasing the fastest of all. This is a scary mix. So, what’s the solution? Can we turn things around?
I don’t see this turning around without a huge disaster. It will probably take people dying because of information security. Dead kids will get people to react. It’s terrible, it’s grim, and I don’t want it to happen, but I don’t think anything else will move the needle. And if such a tragedy does occur it will spur the wrong kind of solution. It will move the government to legislate and go way overboard. While I don’t trust the government to do it well, they are the best of the worst solutions I see.
That’s a grim vision for the future.
It is. In the interim, the industry needs to rethink and start from scratch. We need to assume that everything worth hacking is already owned. With that in mind we change the strategy. Rather than trying to defend an entire network, we should centralize the valuable data and stack more defenses there. Minimize the area we are trying to defend.
What would you say to someone looking to get into hacking or penetration testing?
Don’t. It is glamorous on TV and in movies, it sounds exciting, but in the end it’s just a job. And after years of pen testing I’ve found that while I thought I was going to help someone, I would do a test against big companies with lots of resources, provide the results, and they’d scramble to fix the things I found. Then I’d do another test a year later and find that they’ve deployed 15 new pieces of software with more vulnerabilities. There’s no challenge there. The testing isn’t fixing the problem.
So what should young folks do instead?
If you’re a smart creative person looking for a challenge, go into defense. Protect systems. It’s a lot harder, and ultimately a lot more rewarding.
In which disciplines within security do you see the most need?
Coding. All of these vulnerabilities start at the application level. A huge improvement would be to create new secure coding languages. For example, due to the way it works, Java doesn’t have classic overflow vulnerabilities (though it has a lot of other problems). We can’t assume that developers know anything about security. We need people to create other new languages that make it impossible for developers to create insecure code. But, those languages also have to have mass appeal for the developers, or they won’t adopt it.
Jericho, thanks so much for your time. Any last comments before we go?
Most hackers and defenders aren’t half as clever as they think they are. Don’t fall into the trap of thinking you’re making a difference when you’re not. If you’re very smart and clever, try to figure out a way to make a difference at scale. Figure out a way to make a difference to the whole system rather than just to one small company. Yes, it’s exceedingly difficult, but exceedingly difficult problems are where our best and brightest should be focusing their attention.
Thanks so much to Jericho for taking the time to talk about the state of Security with me. I look forward to continuing this series and shining a light on more interesting members of the Colorado security community. If there’s someone you’d like to see spotlighted, drop me a note and I’ll see what I can do.
Connect with Robb on Google+