Friday, July 20, 2012

The Best Hacking Film You Haven't Seen (Yet)

When was the last time you saw a good documentary about the origins of computer hacking? Well, Code 2600, a new documentary film from a young filmmaker named Jeremy Zerechak comes really close to being both accurate and entertaining while at the same time scaring the pants off anyone who doesn't yet know that computer data is eternal and can be stolen by the wrong people if we're not careful. So it is fitting that the documentary, which is only available in limited release right now, will be shown next Friday at DefCon, the world's largest hacker conference and this year also celebrating its 20th anniversary.


Code2600 is a rich visual history of computer hacking's past as told by some of its principal participants.

The film opens with news of a Soviet satellite orbiting the earth in the late 1950s. The United States, which once thought itself on top of the world in technology, found itself behind. Suddenly, says Zerechak, the US military was keen on computer technology. He points out that in the 60s and 70s the military had all the best high-grade computer equipment, but after the computer revolution of the 80s and 90s that was no longer the case, with the military today buying off-the-shelf mobile devices.

Somewhere in those intermediate 60 years of military history we have the origins of computer hacking.

Like Steven Levy's 1984 classic book Hackers, the film explores early computer hackers who studied the original wired telephone switching system. One hacker, John Draper, discovered that the sound produced by an inexpensive Capt'n Crunch cereal toy whistle could interrupt the normal AT&T long-distance billing process. This 2600 hertz tone (hence the title of Zerechak's documentary) was very important to early hackers, known as Phone Phreaks, who wanted to access fast computers on the other side of the world without paying long distance charges. AT&T, at great expense, began to change its switching system.

Around the same time, the Homebrew Computer Club was starting in the San Francisco Bay Area. Member Bob Lash remembers a young Steve Wozniak showing off his early Apple computers – along with everyone else who was also building their own computers at the time. There was a lot of trial and error. But smart people where able to do very sophisticated things at home.

Throughout the film, Zerechak uses classic footage to capture a moment or to make a point. One reoccurring sequence is the 1950s black and white footage of Dr. Claude Shannon, mathematician, cryptographer and the father of information theory, with his metal mouse and its square maze. This was one of the first experiments in artificial intelligence, demonstrating how Theseus, his robotic mouse, could learn and adapt to a rapidly changing environment. This is an obvious metaphor for computer hackers who probe the phone networks, and later the Internet, simply wondering what is connected to what.

In one of his interview segments, Marcus Ranum, Chief Security Officer at Tenable Security, says that in the early days there was limited addressing. In other words, without a Google search, you had to know where on the Internet you wanted to go. Or, like the metal mouse, you had to search until you found something new or interesting. Often, you used your phone modem to find other phone modems.  In looking for computers set with default "guest" accounts, hackers used war dialing -- randomly dialing phone numbers until they got a computer on the other end -- to access corporate or military computers. At the time, says Ranum, system administrators would laugh at logs that showed 800 attempts for access using the default word "guest."  But that was when the Internet was still an intimate community of military, academics, and a few curious hackers, barely a few years removed from the days of the early ARPANET that predates today's Internet.

The upcoming shift, from in invite-only world to what we have today, is important; that's when hackers realized they were no longer alone on the Internet and had to go underground.  Jeff Moss, founder of Black Hat and DefCon, describes in one of his interview segments growing up in the Bay Area in the 1980s and having one of the first affordable home computers that, with a modem, connected over the phone to various bulletin boards. He says that he could connect and no one would know his true identity or age; he would only be judged by what he wrote. For a 14 year old boy, Moss says it was liberating to be able to talk about sex and drugs.

Then in the early 1990s, Moss says AOL, Prodigy, and CompuServe destroyed the local community bulletin board, opening up what had been an exclusive neighborhood of thought and discussion to the entire world. It created a gold rush—it gave us spamming and phishing which both got started only once the masses starting surfing the net. It also threatened to push the curious hacker community into a dark corner -- until Moss founded DefCon in the summer of 1992. DefCon is a real-world computer bulletin board where communities of hackers and law enforcement talk openly about the Internet with an eye toward fixing what is broken.

Not every computer hacker is malicious; Moss makes the point that there are good plumbers and bad plumbers. And not all famous computer hackers are ex-felons like Kevin Mitnick. Zerechak's film includes footage of the Boston-based L0pht Heavy Industries members testifying before Congress in May of 1998, saying confidently that they had the knowledge to take down the Internet in 30 minutes (but also that they wouldn't do it). Today, one of the original members of L0pht, Peiter Zatko aka "Mudge," works for DARA.  Another, Joe Grand aka "Kingpin," runs a hardware design studio in San Francisco. And even Moss, who wasn't part of Lopht, has served on President Obama's Homeland Security Advisory Council and is today ICANN's Chief Security Officer.

The film digresses into the important privacy issues we face today, with insight from Jennifer Granick, who at the time of production was a lawyer with the Electronic Frontier Foundation (EFF), and Lorrie Cranor, a researcher with Carnegie Mellon University's CyLabs. They remind us that with each digital transaction we're leaving digital breadcrumbs everywhere, and that we don't always have a say in how that information might later be used.

One of the really cool moments within the documentary is when penetration tester Gideon Lenkey shows off a mobile version of the Metaploit software running on an iPhone:  Lenkey uses it to log into a Windows laptop in an open Internet CafĂ©. Lenkey also reveals some of his social engineering tricks he uses to get inside corporate campuses without explicit permission.

Capping the film are interview segments with security expert Bruce Schneier who says "the Internet is the greatest Generation Gap since Rock N Roll," and that our kids, who grew up with this technology already available to them, will be the best to decide how electronic devices should be used going forward.

Moss agrees: "People can't control what they don't understand. How do you evaluate the risk of a computer controlled car? Well, people don't really know. We've never had computer controlled cars before."

I should disclose that I am one of the handful of supporting computer security experts that appear throughout Code2600. Although my interview segments were shot at Black Hat DC back in January 2010, they hold up well today. Indeed all of the interviews Zerechak captured in the three and half years he worked on the film appear eerily prescient today.

Since premiering at the Cinefest Film Festival in San Jose, California, last March, Code 2600 has enjoyed a limited run exclusively in film festivals around the country. At the Atlanta Film Festival the documentary won a coveted Grand Jury Award. Zerechak is currently working on a major film distribution deal so hopefully Code 2600 will receive the wider audience it deserves. In the meantime, you can see it next Friday night, 8pm, July 27, 2012, at the Rio Hotel in Las Vegas, Nevada. Admission to DefCon 20 is $200, cash only (of course).

This blog also appeared on Forbes.com