The Myth of the Superhacker
mlimber writes "University of Colorado Law School professor Paul Ohm, a specialist in computer crime law, criminal procedure, intellectual property, and information privacy, writes about the excessive fretting over the Superhacker (or Superuser, as Ohm calls him), who steals identities, software, and media and sows chaos with viruses etc., and how the fear of these powerful users inordinately shapes laws and policy related to privacy and digital rights."
root!
I live in a world where daily I hear people describing their monitor as their computer, and their computer as their "hard drive", or some other such mangled interpretation. That's actually very okay, it's not their job to have to know, and good for them for having some mental map.
What I find not surprising about the article's conclusions is even in the computer professional world I've met many "whizzes" not much more intelligent about what computers are and how they work. Hence, much of the alarm over internet terrorism and superhackers' potential to bring the IT world to its collective knees spawns from barely literate computer "geeks". At the same time I find it a little disturbing. And it seems the higher up the ladder one goes, the less competence there seems to be regarding making intelligent conclusions about the IT landscape (hmmmm, Peter Principle?).
The biggest trick Satan ever pulled was convincing the world he doesn't exist
An article on the internet stating that the "superhacker" doesn't exist, it can only be true... unless...
*grabs tinfoil hat and hides under desk*
There are no super hackers out there.
Disregard that, I suck cocks.
it's a blue bright blue Saturday hey hey
I just came from a meeting on this very topic. The thing I came away from this meeting is that the real fear is that the Superhacker works for you. Or worse yet, you let him go yesterday. O. M. G.
I didn't read the article, but from the summary I can conclude that this idiot is trying to say that we need not be constantly looking to improve our security... instead stop when it's good enough. I call bullshit on that idea. It doesn't take a so-called super hacker to take advantage of an exploit discovered by one of hundreds of weekend hackers. That's the problem here, not a one man super-hacker, but a bunch of individual minor hackers with their attention focused at a particular weakness.
So yes, we must protect our systems as though a "super hacker" is going to come at us with all of his "super hacker" leetness.
Sometimes the best solution is to stop wasting time looking for an easy solution.
The article doesn't say that these super hackers don't exist, it merely says that we shouldn't be so worried about them and I agree. Trying to catch or stop one of these super hackers isn't worth the time or effort. We need to focus on more cost-effective means of security.
Hugh Jackman's a good guy, I'll trust him.
Just as with any other field or profession, hacking is getting more specialized. It's not that the "superhacker" does not exist, but that such an animal's existence is getting harder and harder to maintain merely because of the expanding skillset and knowledge it takes to be a "hack anything" hacker.
That said, a lot of exploits don't come from being a super techie hacker with the skillz to defeat any system through sheer programming ingenuity or brute force. A lot of them still come from social engineering... convincing foolish people to give you enough information that a middle manager could hack them using nothing more than a standard login.
Where the "superhacker" mainly exists is in the movies. The guy who can pull out his laptop at any given location and hack into any given location on demand and with no preparation or research into the target. He's the human equivalent of the gun that doesn't run out of bullets and hair that dries into a perfectly coiffed do within seconds of getting out of the water.
- Greg
Start a happiness pandemic
The people I have run into that are worse than hackers are at big companies. I've seen people purposely mess up others' work and disrupt access and such all over grudges or for some power trip just to get people fired. Root cause analysis and auditing helps eliminate these people.
Nobody knows the superhacker was ever there.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Mention of Law +1 point - damn lawyers
Mention of intellectual property +1 point - imaginary, mindless term
Mention of Superhacker +1.5 points - popular usage of "hacker", plus a super tacked on it, also overloading Superuser - let me scream bloody murder k?
Mention of software and media stealing +1 point - you don't steal software and media
Mention of "The gist is that we need to start to police our rhetoric" +1 point - after overloading and misusing a lot of terms it is just hypocritical.
Final score: 5.5 points out of the needed 4,
article 2>&1 >/dev/null
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
A focus of the article is on the over response to the "superhacker" - this is the same knee jerk issue in regular crime. Glorify the criminal - make them all out to be Moriarty calibre - dancing magicians who laugh at us mortals - wheedle about inadequate laws... rather neat solutions to abrogate your basic security responsibilities? Fact is that most cybercrime is carried out by fairly basic means but there's an industry of ass covering in pretending otherwise.
You will find this sentiment about any type of criminal... they prepare for attacks like you would see in an action movie, but in reality most of the crimes are committed out of stupidity or drug influence.
Please sign petition to restore sanity to our banking system!!!
http://financialpetition.org/
Um, since when are super skilled under-the-radar hackers a myth? If they're so good that they never get caught, then they definitely ARE "Superhackers". Of course, we wouldn't know if we never hear about them.
The most advanced hackers will change whatever data they feel like changing, in such subtle ways that no one ever notices. We might not have many (any?) cases of this, but that's the whole point - if you're subtle enough, you'll never get caught.
My high school still has absolutely zero knowledge of some of the hacks I pulled, and they never will know. I know of some friends' hacks (done to actual online systems) that were never found, and again, likely never will be. This doesn't make my or my friends' hacks some kind of mythological/theoretical/make-believe events that never really happened.
Knightmare's "Secrets of the Superhacker":
http://www.amazon.com/Secrets-Super-Hacker-Knightmare/dp/1559501065
Who's afraid of a little social engineering?
Tibbon
tibbon.com
I know the Superhacker exists... because he's me. Now, if you'll excuse me, I need to go back to my 3D virtual reality interface, hop on my lightcycle, and infect the alien mainframe with the Michelangelo virus. If you need me, I'm at IP address 24.75.345.200.
Gamingmuseum.com: Give your 3D accelerator a rest.
Before I move onto the title of my post, let me just say Kevin Mitnick.
Sure it's an old example, but it is also a great example. Maybe he didn't go releasing chaos in every category, but for a public example this is a pretty good one. Look at the stuff he got into and ahold of. These articles burned my eyes so I couldn't read all three parts or even all of part one. Sorry, but one other thing -- where exactly is all this concern and discussion about a super-hacker? How can it be overblown, overhyped, etc? I don't hear anyone talking about a super-hacker.
You're punctuation is wrong. You wrote:
Girls on the plus side you can walk all over them and get anything you want.
What you meant to write:
Girls (on the plus side), you can walk all over them and get anything you want.
Law School professor Paul Ohm
I wonder if he teaches Ohm's Law?
I suspect many of us here, while not entirely the personification of this SuperUser know more than enough to be dangerous. There's no motive for us to commit what we know are criminal acts. If I were a malicious "superuser", I wouldn't be stupid. I'd work my way through government or corporate IT positions until I could either gain authorized access to the information I wanted or knew I could cover my tracks.
Stupid is as stupid does. Why steal a loaf of bread when I can become a senator and steal the entire bakery?
I can't imagine where people get all these ideas about "super hackers" and the like. Now where are my VR goggles? I need to hack a Cray using this pay phone down the street...
It must have been something you assimilated. . . .
It's too bad the quote is "the devil" or you might have gotten yourself some free geek credibility there.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
The other difference: the superhacker wears a grubby t-shirt made out of spandex!
"Little does he know, but there is no 'I' in 'Idiot'!"
"YOU FAIL IT!"
You mean like you did with this post?
http://slashdot.org/comments.pl?sid=230391&cid=18694205
My plan has finally come to fruition. They don't even believe I exist. And of course, unlike the lame 5kr1p7 k1dd33z who always get caught, I'm going to post this as AC rather than brag using my real userid.
Do not call me a Myth...To prove it, I just hacked the Anonymous Coward user account and am posting from there.
That's called Drebin-hair, or at least, it should be.
Nerd rage is the funniest rage.
When Ohm1
Lose: misplace or fail || Loose: not bound together
Hackers, terrorists, drug dealers, child molesters, communists:
Useful tools for the control of a fearful and gullible populace.
This guy who is a supposed specialist in computer crime apparently never spent time being a security admin for a network. You know, those guys who spend all day making sure servers and workstations are patched, passwords follow policies, exploits are kept track of, logs analyzed, IDS/IPS systems are up, running and monitored. Who go to sleep at night worrying where the next one is coming from?
He doesn't see large outbreaks as often as before because of people like that. They stay on top of all these things. Take the ani cursor exploit recently in the Windows OS... it was used in a targeted attack against a few locations and some more rare broad attacks. If it had been more widely used or the patch had not come out as quickly as it did, more harm would have been done.
As time goes on and more and more data is kept with identifying information, the loss expectancies get greater, not less.
I think the article is right in a legal sense and certainly wrong in a technical sense.
Part one is very general. No comment.
Nearly all of part two is spot on -- government officials seem to see civil rights as an inconvenience they should find a way around. And they are using computer crime as another excuse to do it. He's quite right about this. As a bad analogy, it's like taking care of rampant prostitution in an area.. well.. the way it should be done is to put out some undercover guys to round up the hos and then possibly put out fake hos to catch some johns. Doing it the way these guys want to is like saying "screw it, let's just warrantlessly search every building in the city in case there's some prostitution going on in there." It'd probably catch a few more, but it violates everyone's rights.
Part two was spot on. Part three, not so much. Pervasive secrecy and self-interest sections, he's quite wrong. Sure, it's unlikely my box will be cracked BY a superhacker (I use Linux all the time and will not overload superuser..) However, the superhacker will just write up a nice easy vulnerability scanner and rootkit installer easy enough for anyone to use. So, my insecure box will be cracked next week by some rube with a rootkit instead of this week by the superhacker. Whoopdy-shit, that's MUCH better.
I do agree with section 2 "Everyone is an expert" though. I mean, some officials even used to regard Jack Thompson as a game authority! I've seen similar things for security -- some guy who obviously doesn't know what an IP address or firewall is is telling Congress or the like about how it's impossible to ever track a hacker and more laws are needed (how would these new laws make an "impossible" task possible? And what kind of crap expert doesn't have his machines keep logs to start tracking intruders down? The "expert" never says.)
I don't know about section 4 "The Need for Interdisciplinary Work" -- I have never dealt with criminologists. Would criminal profiles and the like help catch a guy? I don't know. I guess it couldn't hurt.
'There are no super hackers out there.'
In refutation, I give you the story of Mel.
Great minds think alike; fools seldom differ.
It's true that there's a weakness in almost any system, but most often that weakness is the humans involved. Unless it's DRM, the article's most flawed example, in which case it's provably insecure. You cannot give some one access and simultaneously deny it to them. "Trying to make bits uncopyable is like trying to make water not wet," as Bruce Schneier said.
In an unrelated note, please don't turn movie quotes into religious flamewars. It's somewhere between trolling and karma whoring.
Unfortunately a lot of laws and rules are created and govern the masses based on the few.
And not just at the inconvenience of the few, but rather of the many. Does it make sense? Only if you think that by forcing everyone to do less you can restrain the ones that don't care about the rules.
Oh wait, that doesn't really make sense either . . . well so much for thinking about it, let's just blindly follow . . . Patriot Act FTW!
- Kal`Goblez
The last thing we want is this term misused in a law somewhere or even in popular usage. Some poor sod getting dragged off by security after being heard uttering what will be the suspicious words "I'll have to get superuser access" is some stupidity we can live without.
Other than that there are good points - he's talking about the mythical "cyberterrorist" (also a bad word due to distinct lack of angry robots with bombs - but at least it doesn't already have a meaning).
So it should actually be...
((Girls (on the plus side), you) can ((walk all over them) and (get anything you want.)))
(IANAL)
The first mistake is to think that anything mentioned even requires you to be a "superhacker". Identity theft is trivial. Stand on a street corner and say you're registering people for a contest, and put name, address, social security number on the form, and 90% of people who stop to fill it out will just put their SSN down. Stealing "software" and "media" hardly makes you a superhacker; hundreds of thousands of people do it every day, 99% have probably never even compiled a program. Virus writing isn't difficult either; it's finding the hole to exploit in the first place that CAN be difficult. But given an exploit, turning it into a virus isn't that tough.
Even when we take it up a notch and look at actually dangerous attackers, like people using widespread vulnerabilities to deploy custom rootkits, we're not talking about superhackers.
Then there's a class of people who, if they are inclined to be lawbreaking and antisocial, are superdangerous. Take a look at someone like Michal Zalewski, who's been pumping out advisories, proof of concepts, and gems like a hobby OS for...well, a long time. Can you imagine him in the wild as a black hat? Ugh, scary.
Then there's real superhackers. One former coworker built a railgun for fun, cracked DES (key recovery in 24 hours on a p3, given certain fairly common preconditions), cracked the remote management on a major commercial firewall (because we lost the password, and it was easier than going offsite for password recovery), then founded a security company, got rich when they got bought out, and moved on to toy around with things for NASA and the DoD. So, if someone like that somehow finds their way onto - and stays on - a black hat path, well, the mere fact that securing something is harder than cracking it means he will always find a way in, if he wants to badly enough. I think they'd have to be unbalanced to stay black hat, since that sort of talent will either get them illegitimately rich enough that they'll avoid danger, or get them legitimately rich enough that they'll give up black hat activities to go legit.
But identity theft? Please. Peanuts. They're more likely to use large scale espionage to find some valuable nugget; perhaps upcoming M&A activities. Then they sell this info to a third party with plausible deniability and a lot of cash - say, George Soros (not that I'm saying he'd buy, but for example) - and let them profit massively off it and take a kickback. Just one significant score like that should be worth 7-8 figures. That's just one example out of a hundred scenarios where a true uberhacker could illegitimately profit. And they'd almost certainly only do it once, if money was their motivation.
[comment deleted by superhacker]
"There is no need for a hacker to obtain near omnipotent technical skills"
Who says that just because you are at that level you are somehow magically honest? Often times it's the thrill of cheating the system that appeals to the upper % of the food chain in the first place.
---- Booth was a patriot ----
You really have no idea what communism means... Good thing you never had to... Brainwashing on a grand scale... Talks about the evil capitalists (or fascists, those days it didn't matter, and that was in the late 80s (!)) that kill children, heartbreaking stories in first-graders' books... Anyway, I'm in the US now, and there's no brainwashing here, I feel so free! It's sooo different here!
If a million monkeys could eventually happen to write Hamlet, a million typical users could eventually crack important network security. ...redacted document files retaining undo information, poor password choices, nigerian scams...
the more difficult a security system is to use, the greater the chance it won't be used.
employees will write client information and passwords on paper, allow others to use their accounts, or hit 'yes' to every prompt.
I've seen new Windows XP computers plugged into a network get pwned before you could finish going through the Windows setup wizard. The reason stuff like this doesn't result in "loss of personal records" is because IT professionals and security experts put in a s**tload of effort to make sure it doesn't. But IT professionals and security experts can't prevent a PHB from putting sensitive info onto a laptop and then taking it home only to have it stolen.
Yeah, well, I work in a hospital. Every time there's a large-scale problem with the network or enterprise system, it seriously affects the staff's ability to perform their duties. That translates to worse care for the patients. So, do you want your hospital to be running smoothly or not? Do we have to wait until someone IS killed to take security seriously?
Buddy, I'll take Bruce Schneier's assessment of security over yours any day.
Ohm's Law.
Funny. Here on slashdot a pun is +1.
In social situations in the real world (check it out some time, great resolution and killer refresh rates!) my experience tells me puns are -1 and -2 if they're geeky puns!
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
Hackers
Ever had your credit rating trashed by someone who lifted your financial info through a crack of a third party system? Many thousands of people have.
Odds 1:10,000
worse if you bank with retarded banks.
terrorists
Are you alive? Many thousands of people are not. Another couple dozen just died in Algiers today, killed by the local franchise operators of the same group that has attacked embassies, a US naval vessel, the WTC, the Pentagon, bars, nightclubs, hundreds of markets and restaurants, etc. This month, they are on a new campaign to ambush and kill anyone who reports to work in rural Afghanistan to teach young women how to read. It's super duper, though, that you don't find the people in London, or Madrid, or Detroit that preach the warm-up act for the same crap to be any concern at all. That's comforting!
odds 1:1,000,000
worse if you're brown and live in a poor nation
drug dealers
You cite drug dealers, and then complain about "control?" These bastards deliberately seek to make behavioral slaves of generations of their neighbors, and think nothing of the resulting waste of lives and all of the accompanying damage. You'd rather that Wal-Mart sold heroin? Have you ever met someone with their teeth rotting right out of their meth-cooked skull? What is it that encourages you to gloss over the people that seek to make money peddling meth to school kids, or pretend they don't exist?
1:2
But the majority are pot pushers who sell to your kids. Your kids use it like you used to use beer... or pot/lsd. The potential harm for most people is minor.
child molesters
Ever met someone who had their youth stolen by someone like that? Let's find you a few thousand of them, and then you can address them, explaining how the people who did it to them don't exist, or aren't really a problem, and should be allowed to keep doing it. I'm sure you'll be persuasive.
1:100,000
Although these sick bastards affect everyone around their victims, they aren't that numerous. Many people still lead okay lives afterwards with some issues about security and sex. It's not a very homogenous group either.
communists
Well, you've got me there. They only killed a few hundred million people in the last century, so that's not so bad.
0:1
Communism is an idea. What killed most of the people you're referring to is mob justice, fear, racial hatred, greed, xenophobia, and poor management. Communism in general is a useless idea that was never fully implemented by anyone, could never be so, and used like religion to clobber people.
"There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy."
I have to join the other posters here in saying the author is full of it.
Any hacker who gains unauthorized access to a system has won. Even if there is no security in place on the system, they still beat it and compromised it and that needs to be protected against.
I suppose he never heard about the data loss at TJX where 45 million credit cards were compromised. And I suppose he doesn't know about the sales of social security information for $6 a name. Or information mining and keystroke logging, or the botnets he claims are not significant threats.
Computer crime is big and if he would bother keeping up with SANS newsletters, he might understand that.
It isn't just "hackers". There is now a criminal element and anyone who doesn't do everything they can to protect themselves is inviting identity theft, data theft, exploits, bots, loggers, leapfrogging from system to system, resource hijacking, whatever. I cannot imagine any credible computer security person saying that there is little need to protect against intruders.
The article is amazing in its stupidity.
There are a few security gurus around the world who have their own unreleased network-stack exploits for many an operating system. These people are hired by governments and criminals to do specific, nasty things. Most I imagine would not be interested in controlling the world, because that means you'll get thrown in jail. The "superhacker" exists - he just doesn't need to take the risk of being a superhacker.
I know of one superhacker: Peer Günt. He goes around resetting people's connections on the internet sometimes. He's some Finnish dude in a band. He's so good he's totally beyond the law. He's been harassing me for years now and the police even refuse to arrest him or talk about him.
See:
http://theprogrammingblog.com/jokes/things-computers-can-do-in-movies/
ROFL
lol!
The tricks of the trade are beyond your comprehension. Read the following articles* and decide for yourself how much you know. You should be very concerned. There are two possible reasons why your network hasn't been cracked yet.
One: all your base stay turned off 24/7.
Two: Your network security people have managed to stay one step ahead of the crack.
[*]
http://rootprompt.org/article.php3?article=403
http://www.securityfocus.com/news/11392
The real reason people want to believe in super hackers is this. When they get a virus, they would rather say to the world "Some hacker gave me a virus" instead of saying "I'm an idiot who doesn't keep his antivirus up to date". I constantly hear how "Someone hacked me", and whenever I query further it turns out it was actually their surfing of porn and get rich quick sites with no antispyware, anti-adware installed, and them thinking because they bought Norton's they can download and install any program or web app they are prompted to, with impunity. I have no doubt there are super hackers out there, but I also have no doubt they do not waste their time on your family or small business PC. Even in cases where someone was actually hacked, it always turns out to be script kiddies with really no real knowledge beyond being able to do port scans and install simple software any idiot could use. They always turn out to be pretty easy to trace back and report. I do not think I have ever come across a real super hacker in my 12 years of fixing PCs.
Adebisi
yum install delicious
or apt-get install delicious
perhaps emerge delicious?
Jayne: "These are stone killers, little man. They ain't cuddly like me."
98% of America's teens drink alcohol, smok
DAM YOU STEVEN COLBERT!
i have had the same experience as Adebisi...(would rather say to the world "Some hacker gave me a virus" instead of saying "Im an idiot...")...not to deny that there are some super-talented people out there but i really think that Adebisi hit it on the head. we all talk about the bogeymen but that doesn't make him so...
"You can kill the revolutionary, but you can't kill the revolution."-- Fred Hampton
Of course there are "superhackers"... Would you tell anyone if you found a new Windows hole? I bet there are some that very few people know about that can be used to infiltrate any Windows computer...
Ghost in the shell fans will know what I mean.
(Note:- This is intended to be my own version of the Superuser myth. As the saying goes, any resemblance to real individuals living or dead is purely coincidental)
...he's the anarchic, uber-Marxist, IRC-dwelling 14 year old. (Usually from either Germany, Scandinavia, or the Baltic states, but American, Canadian, and New Zealander variants of the species are known to exist)
;)
He knows C++ and 16 bit assembler back to front, as well as how to write shellcode in pure numerics, and spends most of his time with The Matrix playing in the background on repeat (sometimes in ascii mode through xine) while coding the latest Windows virus/worm/rootkit semi-collaboratively with his fellow sociopaths, on a private IRC server, using either the BitchX or EPIC CLI clients, or in raw mode via telnet. He'll have read most of the RFCs describing the core net application protocols, and learned their structure largely from there. He will also be intimately acquainted with all editions of PHRACK, 2600, and the Cult of the Dead Cow's material. The more socially capable of the breed may have been to DefCon one year.
When he isn't coding malware or terrorising his classmates at school with his chronic mental instability, Neo wannabeism, trenchcoat, and gun fetish, (along with a general air of "stay the fuck away from me or else") he's playing either Doom, the original Quake, or Unreal Tournament (original or 2k4) multiplayer, possibly writing mods for the latter, or training with various real-world deadly weapons (shotguns, handguns, machetes) offline. He knows about the OpenGL mods for Doom, but doesn't use them because he thinks they weaken the gameplay. A hard core atheist, Keanu Reeves, Karl Marx, and Linus Torvalds are the closest he has to gods.
Usually having an IQ of above 150, ideologically he will also be very well versed in Marxist and Leninist philosophy, as well as having a knowledge of the construction of amateur explosives and the tactics of guerrilla warfare. Unlikely to gain conventional employment later in life, if he does not enter the penal system, (usually for computer related offenses, but occasionally for minor acts of terrorism or gun-related crime) he will typically be employed by the intelligence community. (But on a sub-contract basis only; governments tend to feel a need to keep their involvement with this type completely deniable)
Either custom, Debian, or Slackware Linux is his operating system of choice, with either Enlightenment or Blackbox as window manager and vi as editor, although for the truly hard core, window managers are usually only installed to enable easy access to multiple terminal windows. He'll have back doors installed in a large number of machines connected to the residential DSL nets of multiple ISPs, and will actively compete with others of his kind for access to and use of these machines. He is able to command grids of thousands of such machines for either network compiling or large scale network denial of service attacks, and can do so quickly.
Although this type do not exist in sufficiently large numbers to pose a truly grave threat to the rest of the world, (they're well below 5% of the global population) his danger is his incapacity for empathy, his subversive politics, and his unpredictability. He is to the Internet as a shark is to the ocean; the net is his natural environment, and he is always waiting, lurking, somewhere in the shadows...
Damn kid. They're all alike.
I, for one, welcome our new Superuser overlord.
www.purevolume.com/martyd
Boo hoo radiological dispersion devices boo hoo I fear. (Not.)
Movie-plot fearmongering. Specifically this is a non-issue; even if such device goes off, there will be little health damage, lots of shock (which is the goal), and some messup of local real estate market. Not enough for me to really worry. Do you know how many lives the hamburger stand on your corner can claim over the years? As long as the risk of being run over a car or getting a heart attack is significantly higher than the overly medialized but essentially unimportant terrorist-related mishaps, don't count with my support. Ever heard about moral panics?
If I or some of my loved ones die because there wasn't money for health care because it was wasted on "security", I will get mightily pissed.
Threat? What threat? 90% of weapons attempted to be smuggled to the airplanes get through. Count the number of real airplane incidents since S11 (five, including S11 itself, which was a statistical anomaly). Divide by number of the flights that you don't hear about because they are uneventful. To stay within the topic of airplanes, as a bonus assignment you may like to calculate the number of people who died after long-haul flights because of less newsworthy but still aircraft-related causes like eg. deep vein thrombosis.
Sir, people like *you*, the pushers of culture of fear together with its toxic fallout, are what I am truly afraid of.
Let's face it (and it's been said before), the average user doesn't know jack about his PC. For him, it's a huge machine with a keyboard attached and little gnomes inside that do the work.
In comes the media machinery that tries to sell its spin. Now, how do you sell "hackers"? I guess we all know, shady guys in smoke filled rooms, sitting in front of a screen as the only (and incredibly bright) light source of the room... personally I get a headache if I tried to work like that.
Then icons and buttons flying around and somewhere a big bright blinking "CONNECTED" or "HACKED" or some other bullcrap popping up. And why? 'cause our "ordinary" work is just that: Ordinary. How do you sell a few lines of gibberish (i.e. the output of a shell) on TV?
The media shape our opinion about something. If you do a study about it, and start asking people what they think as a menace in the web, it's usually that picture, some guy in a smoke filled, dark room...
But that guy simply doesn't exist. The real menace is a group of people who buy some stock trojan, spread it through the computers of some bot sheep and use it to milk the ones that fall for it. Often they don't know jack about the technology behind it either.
The real menace isn't the lone hacker trying to prove some attack vector and write a PoC for it. The threat is in well organized international criminal groups, but they usually don't make a good poster child for computer crime. Simply because the computer is to them what it is to most people: A tool to get their money. They don't "hack", they use bought spyware, set up some server in Whateverstan and wait for it to tell them that it's time to call their dropoff sheep 'cause enough money has accumulated in his account, and it's time to send it through Western Union (or some other money service that doesn't track).
But filming that would not get the intended pictures. 'cause it's simply just crime, the computer plays a minor role in it.
It's just a tool. Not the focus.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Take that .ani exploit as an example. It surely took some serious sifting through the libs to dig it up, but reproducing it takes only a bit of knowledge of assembler. And with the kits popping up left and right, even that has been rendered redundant.
And we're talking stack overflow exploits here, which are by their very nature not as easy to understand and pull off as the "usual" malware like malintentious BHOs or simple bot programs.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Social engineering. What makes it good is simply that you can actually make it realistic AND entertaining.
If you take the "technical" side of hacking, it's boring to film. Pages and pages of source or disassembly, lines and lines of shellcode... blech. So we get flashy interfaces that make you cringe when you know what actually should be there.
SE is a different matter. I mean, think of the ways Eddie Murphy got into various restricted locations in Beverly Hills Cop by inventing some stories and playing on people's weaknesses and sense of shame. You're "hacking people", not computers, that's something pretty much everyone in the audience can grasp. That's entertaining.
Still, for some odd reason such movies are rare. Maybe 'cause people consider it implausible that geeks have social skills.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
One of the books you may like to read is this one.
Multinational corporations
Deforestation, desertification of vast areas, killing (indirectly, granted) thousands if not millions of people for personal profit.
Tobacco Industry
Creating millions of drug addicts with the blessing of most governments of this planet
Media cartels
Manipulating the public opinion in their and their lobbyists favor.
Why aren't they ever on the list of the "we have to do this crap to prevent them from growing further" agenda?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
This is not the hacker you're looking for.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
http://www.wweek.com/story.php?story=5722
Oh, I think the "super hackers(crackers)" are out there. The kid in the above story certainly acquired all the power he needed to cause some serious problems. Fortunately, his activity seems to have been motivated simply by the technical challenge of cracking into systems. Even the genuine criminals tend to be somewhat "focused" in their endeavors. I just don't think we've seen a "super hacker" or any sort of coordinated attack driven by a desire to cause as much general damage and destruction as possible.
This blog http://redtape.msnbc.com/ claims that criminal gangs are using millions of hijacked computers for spam and denial-of-service extortion.
Sir, people like *you*, the pushers of culture of fear together with its toxic fallout, are what I am truly afraid of.
Actually, I'm much more inclined to simply take action than to run around waving my hands in the air over imagined or vague problems. It's completely true that the general media-born buzz surrounding ALL risks, of all flavors, is absurdly wrong (both over- and under-measuring reality, depending on the topic of the day). What are the risks of a given individual getting personally, directly killed by even a pretty good sized attack (say, a tanker car full of chlorine getting well-vaporized near a big public event... whatever)? Statistically, low, across the whole population. What is the actual impact (on the wider economy, if nothing else) of making our official position that we won't be at least trying to head off such events? What is the moral and cultural cost of saying that we equate knocking down skyscrapers full of people, for political reasons, with a bank heist?
Deep vein thrombosis isn't a risk that is produced by someone else's malice. It's a result of sitting still for too long on the wrong-shaped chair. We can argue about whether or not the chair designer (or the airline that bought the chairs) is deliberately trying to kill their passengers, but I don't think that discussion meaningfully rises to the same level as discussing groups of people whose stated objective is broad damage to our economy and the death of infidels like you and me.
Don't disappoint your bird dog. Go to the range.
hello im fairX the haxxor join my community of hackers if you payme enough i will give you access to a private area of haxx ;)
I was about to say 13256278887989457651018865901401704640, but it appears this number is private property.
pH33r me
Who is this delectable creature with an insatiable love of the dead?
Thing is, people don't understand risk, at all. This is why people worry about the acidity regulator in a soft drink (commonly something harmless, or even healthy, put under a scary-sounding codename) when in reality the raw sugar content is likely to cause you way more harm. People are uneasy about living next to a nuclear power plant while smoking 20 cigarettes per day. They fear their kids will be victims of paedophiles or terrorists, yet let them play next to a busy street without supervision. A friend of mine said I was stupid for paying 30 pounds per year to have my personal belongings insured; she had 300 pounds worth of clothes (she dresses expensively) stolen from her at the airport. My dad (who knows 3-4 programming languages) said he was concerned about Amazon's "one click transfer" scheme; he runs Windows XP, Internet Explorer and Outlook on a wireless network secured only with a weak WEP key. I keep a 2048 bit PGP encrypted list of keys for my e-mail. I frequently walk home past midnight through a rather bad part of town. Very simply, people don't understand, or care, about rational risk estimates. We just act out of instinct and that is usually based on what we do. A lawyer will have a very different idea of what "risk" is than a doctor, who again has a different view of things than a politician or a nuclear engineer. The best bit of it all is probably that there isn't any good metric for risk. The probability of a problem? The probability of damage in the event of a problem? The probability of damage in view of the probability of a problem? The estimated cost of repairing damage resulting as a result of a problem with certain probability? The probability of personal injury or damage as a result of a problem? The cost of preventing a problem compared to the probabilistic average cost of not preventing it? Take a pick, they will not dictate the same type of action...