THERE'S this awesome sense of having power, absolute power, in your hands.
“I could have shut it off, turned it on, do whatever I wanted,” recalls data security specialist Joseph Magee of the time some 10 years ago when he hacked into the phone switch of a telephone company serving the Philadelphia district in the United States.
Although Magee did not do anything, he was nevertheless very bothered over it, he remembers.
“I attempted to actually call the phone company and explain to them. And the first person I talked to was a lady in customer service. She said, 'Don't be silly, you can't do that'. Then I said 'Let me talk to your manager', and she said, 'Let me talk to your parents'. I hung up.
“At that point, my parents, I was more afraid of them than the FBI. I was 15 then.
“I called back some days later and kinda muffled my voice, to sound more adult, 'I need to speak to a senior manager'. I got somebody who put me to an engineer. I talked to the engineer for a while.
“He was actually very helpful. He understood the problem. We talked about it. Then he simply said, 'We don't know when we're going to fix the problem. But don't ever log in again. It's illegal'.”
Not long after that, recalls Magee, there was a major attack against the phone system in Philadelphia and two companies were taken down by hackers, for about five or six hours.
The second time he broke into the same local phone switch he had hacked earlier, Magee found that the company actually did get round to patching things up.
Easier to hack than secure
“I just realised at that point that it is a lot easier to hack into things than it is to secure them,” reminisces Magee who, today, as chief security officer of Top Layer Networks Inc, is on the other side of the firewall, so to speak.
“I thought it was fascinating to give weight to that point ... where you are standing at the edge of the building, without actually jumping ? for a number of reasons. One, I believe, is there's a lot to be said when you try to explain to that person whose server you are hacking that that's his problem.
“The lesson to learn here is what team are you on? And it is obvious that these people going out there and shutting down the phones are in the wrong team. I kind of thought I was in the good team by telling them about it, although nobody listened.”
Asked how he views hackers who commit mischief after breaking into a system, Magee says: “I am totally against it. Even in my days of perusing the Internet, and trying to understand how things work, and doing things like code dialling, which is dialling randomly, I never would do anything damaging.
“That's why you have the phrase security syndrome ? if you don't secure your website we will teach you a lesson. That's the overall idea. I don't believe in that. I don't buy into that concept at all.
“I also don't buy into the concept where people find some vulnerability and instead of responsibly disclosing it to the vendors, tell the world about it. They never give the vendors a chance to actually go ahead to fix the problem.
“What that leads to is hackers going around and exploiting any vulnerabilities, and causing a lot of damage.”
Reminded that he had done a fair bit of hacking, too, Magee responds: “I was a grey hat, somewhere in between (a black hat, the bad guys, and a white hat, the good guys). I never broke into a system for malicious intent.”
Justifying his grey hat days, Magee says: “My motivations, my urges, back then were more to learn about these systems ? systems that were way too expensive for me to actually be able to get hold of, things like university systems, OpenVMS (operating system). That was 1992.
“Ten years ago, when I first started cracking into other people's machines, so to say, the Internet wasn't as popular as what it is today. Today we are in an environment where there are systems, wide number of systems, connected via the Internet.
“Back then, if you wanted to learn to use computer systems or operating systems, you would have to hack into one, because computers were very expensive.
“If you were a college student going to a highly technical university you may have worked with computers, but if you were a kid like me growing up in a middle class neighbourhood in a city in the US, that wasn't easy.
“Computers were expensive. We couldn't get one computer that could run four or five different operating systems like we do today.”
The positive side to all these less than legal activities was that Magee developed a fascination with the idea of connecting networks, motivating him to get a job in networking.
He recalls: “I started working in technical support at a local law firm, the networking side of that, meaning hooking up PCs (personal computers) together, hooking up servers so they were all talking with each other.
“From there, I got a job as a co-op.” He explains: “When you go to school in the US you can go on co-op, which means you go to school for six months, and work for six months (in this instance, at an insurance company) ? to give you real-life experience. I was in college actually for a little over a year.”
Although he liked working there, Magee didn't find it challenging; and neither did he have any particular liking for school. “I never finished my degree, but I am still taking classes at night on and off, in online college,” he volunteers.
“I was interested in challenging areas, that's where I wanted to be. I approached the management about it and the person I talked to said, 'How about working for us full time?' In addition to a job, I got a promotion, too. It was network systems manager.
“This insurance company went through a lot of changes and I wound up being more in charge of security than the networking, because hack attacks were on the rise and we started seeing evidence of a need for network security. We also had problems internally, with ex-employees coming in and stealing files and stuff like that.”
Magee subsequently moved from Philadelphia to New York, to work for an online trading company, specifically doing security architecture.
New York was the turning point in his life. “Working in an online brokerage, doing security was an unbelievable line of experience. That's where the real stuff happens, that's where the markets are trading, that's where all the money is,” he exults.
“I got to tell you this. I can't think, as a hacker, of a better target than an online brokerage to attack. And it's pretty amazing some of the stuff that we used to see.
“Also, a lot of the time we come across people who would actually call and say 'I didn't make that trade' when the stock goes down ? and stuff like that. We had a constant struggle on our hands from both the technology and social standpoints.”
His work at the online brokerage was also his launch pad into Top Layer Networks.
“I was a customer of Top Layer Networks. I purchased Top Layer Networks equipment,” says Magee. “When I got the equipment I wrote a letter to Top Layer describing how I thought a couple of things could be working better, and from there they asked me to be on a customer-based advisory team, where I would go in and talk about what products a customer needed.
“Not too long after, I started talking to some of the management in Top Layer Networks and they gave me a big transition from network traffic management. I ended up in security expertise, and here I am. I have been with the company for a year and a half now.”
Asked what it takes to be a data security specialist, Magee says: “Be able to think out of box. The person looking at new threats has to understand them, and he needs to think out of box. It definitely takes all kinds of mindset to understand the enemy.”
Taking a line from the oft-quoted Chinese military strategist Sun Tzu, he said: “All war is deception.
“To wage war you must do intelligence gathering, you must know what your enemy has in his toolkit, you must know everything about your enemy, and when you find out all this information, you use every type of intelligence safeguards, whatever kind of measures, and be ready to attack.
“To security people it is the same way. Do all you can to win the war against hackers. You put safeguards and counter-measures in place. It takes a person who thinks out of box to understand all aspects of security, and be able to map all the business needs, and all the risks associated with that business.
Asked what advances he would like to see in data security solutions, Magee replies: “I would like to see one common unified platform for all security vendors, so we can have some unified format for firewalls and intrusion detection devices.
“The problem is nobody is going to spend engineering resources to go out there and develop one way to do things. It most likely will never happen.”