'We only teach ethical hacking'

Just when you might have hoped that hacking would begin to die down, it's gone mainstream. The world's first hacking school opened in Paris recently, in the mainly residential 11th arrondissement. While it likes to list "self-defence" on its teaching curriculum, others question its ethics and legality. Will Zi Hackademy (as it is called) open a Pandora's Box by legitimising the harvesting of hackers? Or will it be shut down by the police?

Christophe Bourg, a 24-year-old freelance graphic designer from Normandy, is attending because he wants to improve his underground-internet savvy. "To me, Zi Hackademy is just furthering my knowledge of programming security, which formal computer curriculums cannot provide," he says. Bourg has no qualms about the legitimacy of his undertaking at Zi Hackademy, where a nine-hour lesson costs about €70 (£43). "I am aware of the consequences of hacking and I am not interested in hacking. Knowing how to hack and hacking are entirely separate. You have to be experienced in this sort of thing. Otherwise, you can easily get caught," he says.

Bourg doesn't see himself as a white hat. (In hacker lingo, "white hats" are hackers who use their computer skills to understand and secure systems, while "black hats" use their abilities to break into systems for profit or glory.) He believes that the lessons will prove beneficial to his career. "I think this type of system hack knowledge will spruce up my résumé."

Speedpunk, an American college student studying in Paris, is happy to come clean about his agenda, if not his name. An expert hacker, he wants to heighten his skills through his enrolment in the top-level "intrusion" class. He does not feel guilty about making incursions on the internet. "Many other people do it," he says. "In a world where ridiculous events take place, why should society fear a bunch of computer geeks? Fear stupidity, not intelligence." What is Speedpunk's ultimate hacking destination? "I was thinking of Larry Flynt's [publisher of the US sex mag Hustler] personal unpublished porno collection and the US Department of Defence."

The school is open from Wednesday to Saturday, 10am to 8pm. On Thursday, lessons run from 2pm to 10pm. The rest of the time it's shut, but it is willing to accommodate requests from groups of stu-dents from other parts of western Europe. There have been corporate requests for courses, but the owner, Oliver Spinelli, has yet to decide what to do about these.

There are three lesson categories: "newbie", "wild" and "intrusion" for beginners, and intermediates and elite computer literates respectively. Each course at any level costs €70 and comprises three lessons, each of three hours.

The students use personal computers in a classroom setting, but don't go on the internet seeking hacking targets. Instead, they are given programmes designed for them to hack into for target practice. It's largely theoretical – an introduction to terminology, forms of attack, and protection.

Self-professed white-hat Louis is a 23-year-old full-time programmer who enrolled for more than one reason. Primarily, he wants to learn how to secure his own programs. Getting philosophical, he cited the analogy: "If one wants to be a policeman, one must learn how to be a thief."

To him, Zi Hackademy does not entirely represent a learning journey about self-defence. "In the detection of cyber- terrorists, the law can allow the [US] government to use the Carnivore electronic surveillance system to read one's e-mail. If law enforcement suspects that one person using your Internet Service Provider (ISP) is a cyber-terrorist, they will use Carnivore, which can intercept mail from every person using your ISP's servers. This seems like a double-standard to me, and I'd rather have a 'Robin Hood' hacker monitor my mail than the government," he says with aplomb. What about temptation to abuse the hacking ability? "I wouldn't deny that there isn't," he mumbles.

Tempting or not, Spinelli is convinced that his school will produce white hats. He believes he is carrying out a public service, in a moral sense: he thinks people should have the freedom and choice to experience the transparency of the internet.

"What Zi Hackademy is doing now should have been done by the public schools, since the French government wants to educate students on the internet and new technologies," he says in jest. But will the search for freedom be accompanied by a larger price tag? Could someone use the skills they pick up there, add the information available on the net, and become a hacking monster? Spinelli thinks not. For him, hacking embodies the concept of the search for truth. "Socrates was a social hacker," he adds.

One of the school's teenage lecturers, who goes by the moniker of "Clad Strife", has admitted to having dabbled in illicit activities. He insists he is reformed. In his own words, if he were to hack into any company now, he would alert it to the security loophole. "I only teach ethical hacking skills and strictly legal stuff like espionage and making scripts [small hand-coded programs that instruct other programs what to do]," he says. But Strife's illegal past is bound to raise questions on how the students of Zi Hackademy will turn out.

For now, the French police are determining if providing hacking lessons is illegal.Yaman Akdeniz, Director of Cyber-Rights and Cyber-Liberties in the UK, takes an objective stance. "We might not like the idea or find it [the school] offensive, or immoral, but you must draw the line by the rule of law." Peter Csonka, deputy head of the economic crime division at the European Council, says "only hacking itself is illegal, if done intentionally and without right, that is if there are no legal grounds for doing so. Teaching techniques of hacking may not be illegal if this does not amount to aiding or abetting, instigation or attempt, which are criminalised under French law". Prior press reports cited a French lawyer as saying that hacking is illegal, no matter what the intent. Spinelli's lawyer asserts otherwise.

It is interesting to note that Spinelli publishes Hackerz Voice, a one-year-old hacking magazine. The circulation of the magazine has risen from 25,000 for its issue to 80,000. One recent edition explained how to invent a false credit card number for internet shopping. Another article told readers how to modify mobile phone settings to make cheap calls – which is illegal. The co-editor of Hackerz Voice, "Fozzy", made headlines after he declared that there is a global vulnerability in Yahoo! and Hotmail's e-mail services. "Strangely, our 'Robin Hood' hacks are being perverted by government and media rhetoric into something evil," he sighed. Strife agrees. "The media gives hackers a bad name."

Swedish computer expert Fredrik Bjork, is also laid back. "Teaching computer hacking per se, should not be viewed as illegal," he says. "Authorities cannot and should not crack down on this hackademy unless they have proof that the school's IT systems have been used in illegal hacking activities. I think providing such courses in computer security for a low price is a good idea," Bjork adds. Like Spinelli, Bjork is an advocate of freedom. "The presence of Zi Hackademy has unveiled two points. First, computer hacking is not magic, and it can be learnt quickly and for a low price and cost. Second, it has shown that everyone needs to understand basic hacking and computer security problems."

Ironically, it is the net that perpetuates hacking, and makes it easy. People use the web to search out password-cracking programmes and password-dictionary files. What is the path to security? From the other side of the looking glass, perhaps it should be a more open topic, and not typecast as underground. Everyone should know how to protect themselves, and that is what some of the students at Zi Hackademy are doing. Whether they turn out to be black hats or not is another issue. And how long Zi Hackademy remains open will be a test of that faith.