Skip to content
Business
Link copied to clipboard

HACKER CAMP

Computer programmers get to play attacker in order to learn how to make security better.

Keatron Evans (center) teaches Paul Howard (left) and Chris Work how to detect an attack and counter it at Training Camp. (Sarah Glover / Inquirer)
Keatron Evans (center) teaches Paul Howard (left) and Chris Work how to detect an attack and counter it at Training Camp. (Sarah Glover / Inquirer)Read more
    by By Jane M. Von Bergen, Inquirer Staff Writer
    Published 

BUSHKILL, Pa. - Oh, it's so much fun to be at camp.

You get to play games and pranks, kind of like the ones newscaster Larry Mendte is accused of playing on co-anchor Alycia Lane.

Remember? Where he allegedly tapped into her e-mails 537 times in four months, leaking some juicy bits to gossip columnists?

Hah, that's nothing.

Welcome to Hacking Camp in the Poconos, where the pros learn to do real damage.

Forget about Capture the Flag. The game campers played after Tuesday's pizza lunch started like this:

"Put a Trojan back door of your choice on the target. Could be netbus, could be beast . . . Make sure you have snort running."

The campers - all grown men ranging in age from 21 to early 50s - nodded eagerly and got started.

They could hardly wait to practice hacking into each other's computers. We'll translate that instruction later, but let's just say that it wouldn't be nice if it happened to your computer.

Yep, summer camp at the Fernwood resort in the Poconos is where the Training Camp, a computer-education company based in Trevose, holds intense seminars.

Mostly, it's pretty boring stuff, except to geeks. They come to get certified in software applications, like Java or Oracle. The sessions culminate in certification exams.

The camp was all about hacking last week, just a few days after the feds arrested Mendte for hacking into his coworker's e-mail 537 times in four months.

Instead of getting a merit badge, these happy campers earn the right to attach a bunch of initials after their names, in this case, CEH, which stands for Certified Ethical Hacker.

For real.

The "hackers," by the way, are the good guys. The bad boys are known as "crackers."

"The only thing we really have in common is our desire to never stop learning how these systems work," said camp counselor Keatron Evans, 33, of Chicago.

For Evans and the campers, what Mendte is accused of doing would be child's play.

Most are programmers working in computer security and systems for their companies, or government agencies.

At camp, they relish the chance to poke into the Internet's dark corners, turning over rocks, looking for slimy stuff.

So even though the resort in the Poconos has three swimming pools and a golf course, they spend 12 hours a day in dark, nearly windowless classrooms, peering into their monitors.

"You can never get away for any length of time," said camper Kane Martin, a programmer who works for Unisys Corp. in California. "Being able to escape to a place that's all inclusive like this is a godsend. You get to play with other geeks for a week. It's like a geek playground."

These campers don't play any of the normal pranks on one another, such as short-sheeting.

Instead, hack into your neighbor's computer and make his CD drawer slide open and smack into his knee!

And that Martin, he's a sly one. He figured out how to break into another camper's computer, but make it look as though the guy in the back row did it.

The campers adopt a vaguely disturbing semisexual lingo.

There's "violation" and "penetration." When these guys form buddy teams, one "has to volunteer to take it first," Evans, the counselor, said - meaning one is the hacker, the other the cracker.

"I know our natural tendency as security people is to try to protect ourselves," Evans said, "but it's not that kind of class."

For these campers, with years of programming experience, hacking into a computer would be fairly simple.

Most of the hacking coding is available on the Internet. The code patterns are called "exploits," and they have "signatures," which make them detectable by security people who know what to monitor.

Also available are the defensive lines of coding and, no surprise, there are easy ways around the defensive systems.

It really amounts to a diabolical chess game, with each side fully aware of the other's moves.

So why isn't everything hacked every day?

Because, as defenses mount, the hacking becomes more difficult and time-consuming. Evans compared it to the modus operandi of a car thief. The thief would rather steal the unlocked Lexus with its key in the ignition than the one with an alarm system and tracking device.

In general, the goal of hacking is to stealthily seize control of a computer system from the outside and then use it to do mischief or steal data.

To start, the crackers learn all they can about a company. If they can find out the name of an executive's sibling, or some bio info, maybe they can gain some entry into a company using what they call "social engineering."

That's their term for lying.

What they want is a password or two. "If you ask 100 people for their passwords, you'll eventually get 10," Evans said.

The way to get control is to plant a Trojan, a string of nasty programming named after the giant Trojan horse of yore. Secretly filled with warriors, it was wheeled through Troy's gates as a gift. Once inside, the soldiers burst out of the horse and destroyed the ancient city from within.

These Trojans have great names - "Beast," "Donald Dick," "Barracuda," "Netbus."

A program that keeps track of the action is called "Snort," because it can sniff out all the nasty coding as it is written.

"A lot of this stuff is invented by college kids fresh off Dungeons and Dragons and hopped up by 16 hours of Mountain Dew," Martin said.

By comparison, Mendte's alleged method was simple.

Mendte supposedly used a key logger, a device that is as easy to use as a telephone.

You plug one end into the keyboard and another into a computer processing unit - the big box next to most computers. If you can tie your shoe, you can handle this technological feat.

The devices, which run between $90 and $300, can record up to a year's worth of keystrokes. Some key loggers can be accessed via software. Others need to be removed and plugged into another computer, like a flash drive.

The brass ring? A password. Once the hacker/cracker has a password, it is easy enough to tap into e-mails from a remote location.

In his years as a security consultant, Evans said he's run into a couple of key-logger incidents.

In one case, he said, an employee set up a software key-logger program on his manager's computer.

"He was getting ready to leave an oil company," Evans said, "and he wanted to take documents to his new company. It was software, so it was easy to detect. Those were trade secrets, so he did get prosecuted."

Another time, Evans spotted a key-logger during a physical surveillance of a workplace.

"We decided to leave it on and put up a camera," Evans said.

Eventually, the hacker came by to retrieve the device from a male coworker's desk. "He suspected [the man] was having an affair with his wife."

Hmmm.

Training Camp Inc.

Headquarters: Trevose.

Chief executive officer: Christopher Porter.

Chief operating officer:

Steven Gaudino.

Employees: 45.

Revenue: $20 million.

Campers: 4,500.

Class offerings: Computer-software certifications.

Project management.

Sales training.

School: Main campus at a Poconos resort. Other classes in hotels around the country.

History: Founded in 1999 in Philadelphia by Edward Denzler, a local computer trainer who believed immersion sessions ending with certification examinations were the most efficient way to learn.

Update: In 2007, Denzler sold his majority stake to the company and his partners.

Where is he now? Denzler runs motorcycle tours in the Dominican Republic.

Source: Knowledge Key Associates Inc. doing business as the Training Camp.

EndText