It's A Good Thing This Hacker's On Our Side

During my five-plus years at InformationWeek, it's safe to say that no one has scared me (in a good way) as much as Laura Chappell. To be clear, it's not Chappell's person that scared me--it was the tiny sliver of the knowledge she shared.As senior analyst and founder of The Protocol Analysis Institute, Chappell is one of the world’s most renowned authorities on network security, and a highly skilled hacker who fights for the good guys. Earlier this week, I had the good fortune to sit in on a class she taught at the annual High-Technology Crime Investigation Association conference. What I heard sent shivers down my spine. And judging from the often audible reactions of the cops and security experts there to soak up her teachings, I was not alone.

An example: Chappell held up a Stealth Surfer drive--a pocket USB storage device that's commercially available, highly affordable, and undoubtedly one of the biggest pains in the rear end ever to hit cyber crime fighting. Pre-loaded with a Mozilla Firefox browser and an assortment of clever little applications, including one called the Anonymizer that uses SSL encryption to hide all IP activity, the Stealth Surfer allows a PC to be used for browsing, E-mail and God-knows-what-other online activities with nary a shred of evidence left behind. That's because all the caching, history, cookies, keystrokes and data is stored on the device. Even the applications run entirely on the device, making them invisible to network administrators. (As you can see, this would also be an extremely handy device for anyone wanting to job hunt on company time.)

A few cops, images of evidence walking away dancing in their heads as they listened, let out sighs and whews and sheeshes and any other low-key indicator of shock and dismay they could muster. They're hopefulness for the good fight took many more hits during the class, such as when Chappell let it be known that the previous night, she used an instant messaging sniffer to listen to an erotic exchange between two unsuspecting hotel guests. Adding insult to injury, she said she knew one was lying about being on the bed naked, with an IBM Thinkpad on his/her lap. As anyone knows, Chappell said, Thinkpads run very hot, and thus the machine would have quickly burned the person's, uh, lap.

Chappell spent much of the class running through a laundry list of software tools she'd included on the CD--entitled "Laura's Lab Kit v6.0"--that she distributed to the students. Among those abundantly available products: Brutus, which she described as the ultimate password cracking tool; NetScan, a toolset she said can be used to build a packet that would effectively kill a router; Blaster, which is used to plant key loggers on a user's machine; the self-explanatory Registry Viewer; Cain and Abel, an aptly named password recovery tool; and the ever-popular "Evil Program", which is used to hijack someone's browser.

But the person who probably should fear Chappell the most is her 10-year-old son. Any kid fond of online shenanigans wouldn't want to live in Chappell's house--mostly because few kids know what's good for them. On the one hand, she allows her youngster to play the online game Halo, quite a privilege for a pre-teen. On the other, her hacking prowess has enabled her to remotely extract all the power from the characters controlled by her son and his friends, watching with a combination of demonic joy parental relief as the virtual players all fell over dead, prompting cries of "Mom, something's wrong with the network." No question who's in control in Chappell's household.

While that skill alone would be enough to inspire any parent seeking ways to control their kids' online behaviors, Chappell takes her abilities several steps further, not only making it clear to her son that she will always be watching, listening and hacking, because that's what a responsible parent who happens to be a computer security expert should do, but also helping law enforcement officials to entrap online pedophiles. "I spend a lot of my time pretending to be a 12-year-old victim," she told the class.

In fact, Chappell has put together an incredible presentation called "Internet Safety for Kids" that should probably become the bible for all parents (and child pornography investigators) in the digital age. The presentation, which is available for download on her company's Web site, is filled with a combination of disturbing statistics about online threats to kids, numerous case studies, summaries of child-protection laws, techniques for identifying online predators, suggestions on how to manage kids' Internet activity, and tips on where to turn for help reporting and locating missing chilren. It should be required reading, whether you're a parent or not.

And for those of you who do download and read the presentation, don't let Chappell's eerie knowledge of online threats scare you: just remember, she's one of the good guys. Thank goodness for that.