To most computer users, hackers are worse than second-hand-car salesmen. Virus-infected e-mails are their stock in trade and that鈥檚 when they鈥檙e not trying to bring down Microsoft, stock markets and the Pentagon. But according to Oxblood Ruffin, such a caricature is just plain wrong. Ruffin is 鈥渇oreign minister鈥 of the Cult of the Dead Cow, one of the oldest hacker groups. He says most hackers work within the law and use their skills to help governments and businesses defend computer systems from real criminals and faulty software. So why did Ruffin鈥檚 group release 鈥淏ack Orifice鈥, a free software tool that allows people to access anyone鈥檚 Windows operating system remotely? Duncan Graham-Rowe was curious鈥
Why do you call yourself Oxblood Ruffin?
The few strongest influences I have in my life are Brit culture and black culture. Oxblood is sort of a nod to ox-blood shoes, which to me has always been a very British thing. And Ruffin is the surname of one of my favourite singers, David Ruffin. It ends up sounding very Dickensian though.
Advertisement
How old are you?
Old enough to appreciate Shirley MacLaine; young enough to like Natalie Portman.
What do you do for a living?
I work for a distributive software development firm. I tend to be involved with recruitment and corporate strategy. I bring in companies to do computer security for us.
You鈥檝e got a background in hacking yet you get other companies in to do your security? Why don鈥檛 you do it yourself?
I鈥檓 not one of the sharper knives in the drawer when it comes to hacking and the Cult of the Dead Cow (CDC).
Do your employers know of this alter ego of yours?
Actually I was hired because I was in the CDC. My boss is very enlightened. Everybody round here grew up with the CDC and nobody could quite believe there was somebody in Toronto who was part of it.
You don鈥檛 hide it in any way then?
Not at work.
What do you tell people at dinner parties?
Only my friends know. I鈥檓 totally proud of it, though. If I were gay, I鈥檇 be totally out of the closet. The thing is we鈥檙e not doing anything illegal. Probably none of us has hacked into the NASA supercomputer since they were 13.
But as teenagers you did that?
Yeah, but there was nothing malicious about that. It was like playing catch. It was a challenge. Can you get in? What鈥檚 there? Okay, now I鈥檒l try to leave without getting caught. It鈥檚 not like, 鈥淥h, I want to go in and erase the archives.鈥
Is it standard for large corporations to hire ex-hackers for their security needs? Is there an industry of poachers-turned-gamekeepers?
No, it鈥檚 not like that at all. I鈥檓 in an exceptional position. My boss is a very enlightened person and understands how these things work. But most people rely on stereotypes. Being a hacker, it鈥檚 as if you鈥檙e branded as a liar. You鈥檙e always suspect. Once you鈥檙e identified as a hacker, it鈥檚 very difficult to shake that image in a corporate environment.
Still, doesn鈥檛 that create some sort of conflict of interest when people like you get hired in the computer security industry?
I think it would create a conflict of interest if I were actually doing that kind of thing. But even then the people we hire only hack into our own machines. It鈥檚 much easier when you鈥檙e working in a controlled environment. For most people 鈥渉acker鈥 equals 鈥渃riminal鈥, whereas in the hacker community where I come from it means something different. The term itself is considered a very honourable one. It鈥檚 maybe something that people outside of the geek community don鈥檛 quite understand. As far as we鈥檙e concerned the people they are talking about aren鈥檛 hackers, they are 鈥渃rackers鈥.
Don鈥檛 criminal hackers-crackers-and other hackers spring from the same fountain?
I don鈥檛 like the whole criminal side of things. I know obviously that it goes on and that there are all these idiots who write malicious worms and very destructive programs. They鈥檙e criminals and have zero respect in the crowd I mix in. There鈥檚 nothing but ridicule and contempt, and this is a very commonly-held opinion. We鈥檙e divided on quite a few issues but there鈥檚 absolute agreement that malicious programmers are absolute morons and they deserve anything they get.
How was the Cult of the Dead Cow formed, and what does it do?
It originally started in 1984 as a group using early networked computers long before the Web. You published whatever you wanted, pushing the free speech envelope. The name actually came from the two guys who started this, Grandmaster Ratte鈥 and Franken Gibe. They were 14-year-old kids hanging out in Texas at this abandoned abattoir, one of these big ruined buildings where kids smoke cigarettes, talk about girls and create mayhem and bust Coke bottles. Grandmaster is now a hip-hop music producer living in Harlem. And Franken ended up going to Harvard. The people in the CDC are tremendously diverse in their backgrounds. Some are security consultants, graphic designers, another is a lawyer. There鈥檚 even a professional soccer player.
You talk about the work the CDC does as never being malicious, but with the kind of knowledge you have as a group, where do you draw the line?
I think that it sort of comes with experience and time, that younger knives really don鈥檛 have the same kind of balance maybe, and are a little more ambanxious to do all kinds of things. I don鈥檛 know anybody in the CDC that I wouldn鈥檛 trust.
How did you get to join the CDC?
When I was recruited I was kind of stalked. I didn鈥檛 know anybody else in the CDC. They found out about me when I was having an online correspondence with one of them for a while. So they checked me out I suppose. Unknown to me, I was sort of being recruited and considered for membership of the CDC. If anybody ever asks to become a member they鈥檙e immediately taken off the list. They figure, if you need to be a member, you鈥檙e not cool enough.
Typically, from a kind of lay-person鈥檚 perspective, a hacker鈥檚 profile would be of some antisocial teenager with too much time on their hands. Is that accurate?
It鈥檚 a very common and in some ways quite inappropriate stereotype. Often it is a very, very smart kid, working alone or with a small pack of friends. But they tend to be less antisocial these days. Ten or 15 years ago geeks were more outsiders than anything. Now it鈥檚 incredibly cool if you鈥檙e a hacker.
What happens when a hacker grows up?
Some of them go into parliament. Seriously though I think that kids have a lot of time when they鈥檙e younger and they can spend time fooling around with video games and computers. Later on these same people are probably going to work in technology-simply because they spend so much time on computers.
If the division is one of age, are there 鈥渢wo cultures鈥 within 鈥渉acktivism鈥?
There鈥檚 hacktivism and there鈥檚 activism. Activists use computer technology primarily as a communications tool, organising online sit-ins, like organising a street protest online, sending out newsletters, advertising things for web sites. Hackers are looking much more directly at programs and technology.
To most people, there鈥檚 people in the know, like yourself, and people who haven鈥檛 the faintest idea how you鈥檇 even begin to go about doing something like breaking into NASA computers. How is it done?
Well, generally speaking, you would have to have a high level understanding of how networks operate and then you would have a high level understanding of programming and vulnerability of computer systems. There are all kinds of back doors you can use to get in, depending on what the administrators of computer networks leave open. A lot of hacking, or network intrusion, is just bad management of the network. It鈥檚 like having a house and forgetting to go around and lock the back door and close the windows and make sure that the windows going into the basement are shut. Back door is a common term.
So what could one do then?
It depends where you get in. You could 鈥渙wn鈥 the computer, meaning that you would get group privileges, in which one person-usually the administrator-has higher levels of access to a computer network than other users. Alternatively you could work your way up the security chain. Or you could take over a system. Usually what a lot of people want to do is just get in there and leave by a back door so that they can get in and out whenever they want. What others want is a stepping stone to another computer, so that they can hack into one system without revealing their tracks. You can do anything, is the short answer.
What about damage?
You can crash a network. You can erase the contents of a network. You can use it as a launching pad to attack other computers or e-mail systems. A very common technique is to look for passwords.
So what鈥檚 the worst thing you ever did?
I鈥檒l tell you the thing that made me feel the most uncomfortable. I once impersonated a priest to make three long-distance calls. I鈥檝e done far worse things, but that鈥檚 what I feel the worst about.
What about hacking?
I think I鈥檇 like to take a pass on that one.
CDC is best known for Back Orifice. This is a program available on the Web that allows anyone to gain entry to any Windows operating system remotely. Isn鈥檛 that putting a loaded gun in people鈥檚 hands?
Oh, yeah. But when used legitimately it鈥檚 one of the best network administration tools for Windows. It is very robust. It has very strong encryption. I know all kinds of system administrators who threw out all of their tools and they just rely on this now. It鈥檚 a very elegant program that鈥檚 very powerful. You can organise the network any which way you please.
But it can also be used to remotely take hold of another computer.
Yes, that鈥檚 what a network administrator would do. For example, if someone wanted to install a new program on your computer without interrupting your work during business hours.
Wasn鈥檛 Back Orifice originally developed to highlight potential security flaws in Windows?
Exactly, but also to publicise the issue of Trojans, which before simply wasn鈥檛 a word in common speech. A Trojan is essentially an application or a feature that鈥檚 running on a computer without somebody鈥檚 knowledge, like the 鈥淚 love you鈥 virus.
Okay, but despite the advantages couldn鈥檛 Back Orifice still be used for malicious purposes?
Yeah, if someone was trying to make malicious use of Back Orifice, someone could go in there and remove files, hard drives and literally do anything. Most often it would be sent to somebody as an attachment like the recent 鈥淚 love you鈥 virus. It鈥檚 the same kind of thing. You get an e-mail attachment and that鈥檚 most often how it鈥檚 deployed. When they click, it opens a small program that seamlessly ferrets into the computer and lies down at the bottom, unnoticed.
Okay. Given what Back Orifice is capable of doing, shouldn鈥檛 CDC bear some of the responsibility?
It鈥檚 sort of a double-edged sword. I think the upside of it is that hardware and software engineers are really going to be forced to develop better applications. The application will not do anything the machine does not allow it to do and this is really one of the problems we wished to highlight. Microsoft took a machine that was never designed to be a network machine and put it online. It鈥檚 like putting a sledge on the motorway.
What鈥檚 the future of hacking? Will it become more prolific? As you say, it鈥檚 become a lot trendier, sexier.
I think that you鈥檙e going to see a lot more of it. It鈥檚 become very easy to hack because there is this proliferation of 鈥渟criptkiddies鈥. They鈥檝e no idea what they鈥檙e doing. They download programs or scripts and hack by pointing and clicking. We usually call it Windows hacking. It just doesn鈥檛 take the same kind of skill as it used to. I mean, before you actually had to hack. You had to be considered a bit of a genius to do anything. Now it鈥檚 just like any moron can run a script, and the next thing you know they鈥檙e taking down the Pentagon.