`Yeah.'
And so began their hunt for the holy grail.
Deszip and Zardoz glittered side by side as the most coveted prizes in the world of the international Unix hacker.
Cracking passwords took time and computer resources. Even a moderately powerful university machine would grunt and groan under the weight of the calculations if it was asked to do so. But the Deszip program could change that, lifting the load until it was, by comparison, feather-light. It worked at breathtaking speed and a hacker using Deszip could crack encrypted passwords up to 25 times faster.
Zardoz, a worldwide security mailing list, was also precious, but for a different reason. Although the mailing list's formal name was Security Digest, everyone in the underground simply called it Zardoz, after the computer from which the mailouts originated. Zardoz also happened to be the name of a science fiction cult film starring Sean Connery. Run by Neil Gorsuch, the Zardoz mailing list contained articles, or postings, from various members of the computer security industry. The postings discussed newly discovered bugs—problems with a computer system which could be exploited to break into or gain root access on a machine. The beauty of the bugs outlined in Zardoz was that they worked on any computer system using the programs or operating systems it described. Any university, any military system, any research institute which ran the software documented in Zardoz was vulnerable. Zardoz was a giant key ring, full of pass keys made to fit virtually every lock.
True, system administrators who read a particular Zardoz posting might take steps to close up that security hole. But as the hacking community knew well, it was a long time between a Zardoz posting and a shortage of systems with that hole. Often a bug worked on many computers for months—sometimes years—after being announced on Zardoz.
Why? Many admins had never heard of the bug when it was first announced. Zardoz was an exclusive club, and most admins simply weren't members. You couldn't just walk in off the street and sign up for Zardoz. You had to be vetted by peers in the computer security industry. You had to administer a legitimate computer system, preferably with a large institution such as a university or a research body such as CSIRO. Figuratively speaking, the established members of the Zardoz mailing list peered down their noses at you and determined if you were worthy of inclusion in Club Zardoz. Only they decided if you were trustworthy enough to share in the great security secrets of the world's computer systems.
In 1989, the white hats, as hackers called the professional security gurus, were highly paranoid about Zardoz getting into the wrong hands. So much so, in fact, that many postings to Zardoz were fine examples of the art of obliqueness. A computer security expert would hint at a new bug in his posting without actually coming out and explaining it in what is commonly referred to as a `cookbook' explanation.
This led to a raging debate within the comp-sec industry. In one corner, the cookbook purists said that bulletins such as Zardoz were only going to be helpful if people were frank with each other. They wanted people posting to Zardoz to provide detailed, step-by-step explanations on how to exploit a particular security hole. Hackers would always find out about bugs one way or another and the best way to keep them out of your system was to secure it properly in the first place. They wanted full disclosure.
In the other corner, the hard-line, command-and-control computer security types argued that posting an announcement to Zardoz posed the gravest of security risks. What if Zardoz fell into the wrong hands? Why, any sixteen-year-old hacker would have step-by-step directions showing how to break into thousands of individual computers! If you had to reveal a security flaw—and the jury was still out in their minds as to whether that was such a good idea—it should be done only in the most oblique terms.