THC’s Marc Heuse: Researching for the community’s sake

• Group devoted to security gives back by providing research and tools for the IT security community
• Specializing in advance security topics and learning as much as you can – that’s the best way to get into IT security

CROWDSOURCING is a general term used to describe tasks that are distributed to a group or groups of people – normally to an undefined public – so that they can collectively work on the task to come up with a solution or achieve something together.
 
Popularized by journalist Jeff Howe in an article written on Wired, the broad concept of farming out work to people and breaking down huge tasks isn’t exactly new, especially in the online security world, where an organization known as The Hacker’s Choice (THC) has been functioning for 17 years already.
 
Little is known about THC except that its founder is Marc “Van Houser” Heuse, an independent security consultant who has been involved in IT security for the last 19 years, who assembled various novel hackers from around the world with the aim of exposing fishy security products and making sure that consumers’ rights are protected.
 
According to its website, THC which was founded in 1995 has published over 70 papers and software releases. “In contrast to most security companies, THC aims at analyzing and preventing novel, emerging security problems,” noted its About Us page.
 
“The group fosters independent research not driven by commercial interests and paradigms, and currently, THC is among the top non-commercial security groups worldwide."
 
Some of its most significant research has gained worldwide headlines; for example, THC was the first group to crack the A5 encryption GSM in 2006; it produced a tool to exploit weaknesses in SSL (secure socket layer, an encryption standard used by browsers) to kick a server off the Internet in July 2011; and it exposed the Femtocell security flaw, which can lead to phone tapping in Oct 2011.
 
Speaking to Digital News Asia (DNA) in an exclusive interview, Heuse noted that the philosophy behind THC is to provide a central platform for publishing research results and good security and hacking tools.
 
“That’s why we called ourselves ‘The Hacker's Choice’ because we are a central resource to where anyone can find good security tools,” he told DNA in an e-mail interview. “We were not, and still are not, a group that hacks systems.
 
“Everyone of us in the group is working on IT security as a consultant at the moment. In fact, when we started 17 years ago, we were all students. The research done by THC is undertaken in our spare time and our own resources, so the effort we make should benefit the community. This is why we still release tools and research results today [the way we do].”
 
IPv6 research
 
Heuse (pic) is due to speak at Malaysia’s premier cyber-security event, HITBSecConf next week at the InterContinental Hotel, Kuala Lumpur from Oct 8-11, on the topic, “IPv6 Insecurity Revolutions.” The conference will see over 42 of its most popular speakers over the years return to the stage in celebration of its 10th anniversary, and DNA is one of the official online media for the event.
 
“My presentation will also be on IPv6, where I will present new vulnerabilities and techniques. Basically, what attendees can expect is a very in-depth training on how to do penetration testing on IPv6 networks, and also how to secure them,” he says, adding that he will also reveal some unpublished research and tools, which will make the training session unique and state of the art.
 
IPv6 refers to a new Internet Protocol version that allows an almost infinite number of IP addresses to be assigned.
 
On what advice he has for those who are interested in Internet and IT security, Heuse says the landscape today is very different from the time when he started 19 years ago.
 
Noting that back then there was very little information out there, security researchers like him took a very long time to learn the tricks of the trade.
 
“Today, this has changed a lot and you can practically get information online or from a book,” he says. “There are demonstrations, test cases, training etc, all of which can teach those who are interested anything they want to know.”
 
Heuse also says that while this may be a good thing, there is also a disadvantage for people wanting to pick up security today.
 
“In the old days, you could know and do basically everything. Today, this is no longer possible and you must specialize as security is complex. For example, you cannot do all the forensics, binary analysis, source code audits, network pen-tests (penetration tests), operating system reviews, web application pen-testing by yourself.
 
“The problem with specialization is that it makes it difficult for someone new to get to a level from which he or she can make himself or herself a name to provide good services to those who need it.
 
So what’s his advice to those who want to get into IT security?

“Select a topic that you really find interesting and learn everything there is to learn about it in your free time. If you don’t invest time in this, you will never be good at it.”

For more stories on HITB, surf here.