Marc Maiffret is a hacker. Maiffret started hacking about six years ago, at age 16, when a friend at school introduced him to computers, and he got hooked on a digital-age narcotic: information. He consumed what he could about the Internet, computers, networks, and phone systems. "I wanted to learn more," says the guy whose teenage handle was "Chameleon" and whose hair color shifts from black to green to blue. Maiffret says some of his actions back then wouldn't meet with widespread approval. "When I was younger, I was up to no good," he admits.

Today, Maiffret could be considered one of the good guys. In 1998, when he was 17, Maiffret co-founded eEye Digital Security, which makes security software that has been adopted by companies such as Prudential Financial. Now he has the title of chief hacking officer, and he and his co-workers help to discover security flaws in software.

Hacker is a loaded word. The hacker community--and it's a thriving online community--includes technophiles, curiosity seekers, cybervandals, and outright thieves and fraudsters. The technophiles love to take apart software to see how it works or what they can make it do. Some write tools and applications such as password crackers, vulnerability scanners, and anonymity tools, and make them freely available on the Internet or hacker Web sites and message boards. Some devote long hours to uncovering flaws in software that make systems less secure by allowing destructive worms and viruses to gain access.

The others--the intruders, vandals, virus writers, and thieves--are criminals, pure and simple. At their most benign, they are trespassers, rummaging through proprietary systems and databases. Hackers also are responsible for Web defacements, denial-of-service attacks, and identity theft. Some see themselves as rebels or revolutionaries, "hactivists" spreading a message of anarchy and freedom. Some are simple mercenaries who write tools, known as exploits, to take advantage of security flaws and make it easier to penetrate systems. In some cases, they sell that information to spammers, organized crime, other hackers, or the intelligence services of foreign countries.

Hackers are blamed for unleashing worms and viruses that have cost businesses billions of dollars a year in damages. The problems they cause have gotten so bad that Microsoft last week created a $5 million fund to provide rewards for information leading to the capture of the people responsible for those attacks. Fed up with the damage done to its reputation and, increasingly, to its revenue stream, Microsoft, working with the FBI, the U.S. Secret Service, and Interpol, is offering a bounty of $250,000 to people who help capture those responsible for the Blaster worm and the Sobig virus, which wreaked havoc this past summer on systems and networks worldwide.

	Maiffret turned his hacking experience into a career by co-founding eEye Digital Security. "When I was younger, I was up to no good," he says. Photo by Bryce Duffy

Hacker is a term with negative connotations for most of the technology community. "I used to call myself a hacker in the sense that I like to twiddle with stuff, but I don't use that word to mean that any more," says Marcus Ranum, senior scientist at TruSecure Corp., a risk-management and security vendor. "That word has been ruined by little selfish punks."

It's more than a question of semantics. Some of the positive that hacking represents--intellectual curiosity, tech savvy, innovative thinking--is overshadowed by its criminal aspects--the potential for grave harm and mass destruction--but it's a difficult line, especially for young people, who need to be encouraged to embrace technology and its potential. Also, recent laws such as the Digital Millennium Copyright Act and the USA Patriot Act may criminalize what some security researchers see as legitimate avenues of inquiry, limiting the technology industry's ability to help itself and eliminating necessary research or driving it further underground.

That's why it's illuminating to inquire about hackers: Who they are, what they do, and why.

Chris Wysopal is a hacker. Wysopal, VP of research and development at security consulting firm @stake Inc., advises businesses and government agencies how to better secure their computer networks and systems. He has also held jobs at GTE Internetworking and Lotus Development Corp.