Slashdot Mirror
The Myth of the Superhacker
mlimber writes "University of Colorado Law School professor Paul Ohm, a specialist in computer crime law, criminal procedure, intellectual property, and information privacy, writes about the excessive fretting over the Superhacker (or Superuser, as Ohm calls him), who steals identities, software, and media and sows chaos with viruses etc., and how the fear of these powerful users inordinately shapes laws and policy related to privacy and digital rights."
I live in a world where daily I hear people describing their monitor as their computer, and their computer as their "hard drive", or some other such mangled interpretation. That's actually very okay, it's not their job to have to know, and good for them for having some mental map.
What I find not surprising about the article's conclusions is even in the computer professional world I've met many "whizzes" not much more intelligent about what computers are and how they work. Hence, much of the alarm over internet terrorism and superhackers potential to bring the IT world to its collective knees spawns from barely literate computer "geeks". At the same time I find it a little disturbing. And it seems the higher up the ladder one goes, the less competence there seems to be regarding making intelligent conclusions about the IT landscape (hmmmm, Peter Principle?).
The biggest trick Satan ever pulled was convincing the world he doesn't exist
The article doesn't say that these super hackers don't exist, it merely says that we shouldn't be so worried about them and I agree. Trying to catch or stop one of these super hackers isn't worth the time or effort. We need to focus on more cost-effective means of security.
Hugh Jackman's a good guy, I'll trust him.
Just as with any other field or profession, hacking is getting more specialized. It's not that the "superhacker" does not exist, but that such an animal's existence is getting harder and harder to maintain merely because of the expanding skillset and knowledge it takes to be a "hack anything" hacker.
That said, a lot of exploits don't come from being a super techie hacker with the skillz to defeat any system through sheer programming ingenuity or brute force. A lot of them still come from social engineering... convincing foolish people to give you enough information that a middle manager could hack them using nothing more than a standard login.
Where the "superhacker" mainly exists is in the movies. The guy who can pull out his laptop at any given location and hack into any given location on demand and with no preparation or research into the target. He's the human equivalent of the gun that doesn't run out of bullets and hair that dries into a perfectly coiffed do within seconds of getting out of the water.
- Greg
Start a happiness pandemic
Nobody knows the superhacker was ever there.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
A focus of the article is on the over response to the "superhacker" - this is the same knee jerk issue in regular crime. Glorify the criminal - make them all out to be Moriarty calibre - dancing magicians who laugh at us mortals - wheedle about inadequate laws .... rather neat solutions to abrogate your basic security responsibilities ? Fact is that most cybercrime is carried out by fairly basic means but there's an industry of ass covering in pretending otherwise.
Before I move onto the title of my post, let me just say Kevin Mitnick.
Sure it's an old example, but it is also a great example. Maybe he didn't go releasing chaos in every category, but for a public example this is a pretty good one. Look at the stuff he got into and ahold of. These articles burned my eyes so I couldn't read the all three parts or even all of part one. Sorry, but one other thing -- where exactly is all this concern and discussion about a super-hacker? How can it be overblown, overhyped, etc? I don't hear anyone talking about a super-hacker.
I think it's the exact opposite: the more hackers you have working for you, the less you'll have to worry about a "Superhacker" (or a "Superdentist," or a "Superhairdresser," or a "Superanything") threatening your security.
I don't care why you're posting AC
Hackers, terrorists, drug dealers, child molesters, communists:
Useful tools for the control of a fearful and gullible populace.
but in reality most of the crimes are committed out of stupidity or drug influence
I don't think that inside theft of database dumps containing hundreds of thousands credit card accounts and SSNs is done by stupid or drug-addled people. I don't think that people who systematically probe for SQL insertion vulnerabilities on transaction systems in hopes of defacing something with some politicized rant are stupid or drug-addled. I don't think that people plant stealth FTP servers to serve up kiddie pr0n from unknowing desktops are being stupid or drug-addled. You're confusing malice with stupidity, and poisoned ethics with drug dependence.
Don't disappoint your bird dog. Go to the range.
Actually, I don't think he's resistant to that at all. From what I read in TFA, he's arguing for two things. The first is actual data collection on the phenomena so that discussion can go from anecdotal/emotional to hard data based. The second is that our responses should be based on the conclusions FROM fact based discussions rather than hysteria.
One thing that I haven't seen discussed in other posts is the usefulness of hysteria about hackers to law enforcement. It's given them unprecedented access to and control over personal freedoms in our country. The little we DO know about makes me seriously consider moving to another country. I can only imagine what else is going on.
Regarding security responses, his point is that resources are always limited. Where you put them - even in security focused enterprises - should be solidly based on risk/benefit analysis. You can't do that analysis if you don't stop spending your time reacting and start collecting real data.
All too often emotionally driven politics drives decision making rather than real data. This benefits others - including the security industry. I know because I was part of the security industry. While it's true that small companies often do the equivalent of leaving the doors unlocked, the percentage that have been actually hit is small.
I'd like it to become standard that vulnerability reports include statistics on the rate of exploitation of each found vulnerability. That allows overworked and under budgeted IT departments a chance to prioritize.
The first mistake is to think that anything mentioned even requires you to be a "superhacker". Identity theft is trivial. Stand on a street corner and say you're registering people for a contest, and put name, address, social security number on the form, and 90% of people who stop to fill it out will just put their SSN down. Stealing "software" and "media" hardly makes you a superhacker; hundreds of thousands of people do it every day, 99% have probably never even compiled a program. Virus writing isn't difficult either; it's finding the hole to exploit in the first place that CAN be difficult. But given an exploit, turning it into a virus isn't that tough.
Even when we take it up a notch and look at actually dangerous attackers, like people using widespread vulnerabilities to deploy custom rootkits, we're not talking about superhackers.
Then there's a class of people who, if they are inclined to be lawbreaking and antisocial, are superdangerous. Take a look at someone like Michal Zalewski, who's been pumping out advisories, proof of concepts, and gems like a hobby OS for...well, a long time. Can you imagine him in the wild as a black hat? Ugh, scary.
Then there's real superhackers. One former coworker built a railgun for fun, cracked DES (key recovery in 24 hours on a p3, given certain fairly common preconditions), cracked the remote management on a major commercial firewall (because we lost the password, and it was easier than going offsite for password recovery), then founded a security company, got rich when they got bought out, and moved onto toy around with things for nasa and the DoD. So, if someone like somehow finds their way onto - and stays on - a black hat path, well, the mere fact that securing something is harder than cracking it means he will always find a way in, if he wants to badly enough. I think they'd have to be unbalanced to stay black hat, since that sort of talent will either get them illegitimately rich enough that they'll avoid danger, or get them legitimately rich enough that they'll give up black hat activities to go legit.
But identity theft? Please. Peanuts. They're more likely to use large scale espionage to find some valuable nugget; perhaps upcoming M&A activites. Then they sell this info to a third party with plausible deniability and a lot of cash - say, George Soros (not that I'm saying he'd buy, but for example) - and let them profit massively off it and take a kickback. Just one significant score like that should be worth 7-8 figures. That's just one example out of a hundred scenarios where a true uberhacker could illegitimately profit. And they'd almost certainly only do it once, if money was their motivation.
"There is no need for a hacker to obtain near omnipotent technical skills"
Who says that just beacuse you are at that level you are somehow magically honest? Often times its the thrill of cheating the system that appeals to the upper % of the food chain in the first place.
---- Booth was a patriot ----
If a million monkeys could eventually happen to write Hamlet, a million typical users could eventually crack important network security. ...redacted document files retaining undo information, poor password choices, nigerian scams...
the more difficult a security system is to use, the greater the chance it won't be used.
employees will write client information and passwords on paper, allow others to use use their accounts, or hit 'yes' to every prompt.
I've seen new Windows XP computers plugged into a network get pwned before you could finish going through the Windows setup wizard. The reason stuff like this doesn't result in "loss of personal records" is because IT professionals and security experts put in a s**tload of effort to make sure it doesn't. But IT professionals and security experts can't prevent a PHB from putting sensitive info onto a laptop and then taking it home only to have it stolen.Yeah, well, I work in a hospital. Every time there's a large-scale problem with the network or enterprise system, it seriously affects the staff's ability to perform their duties. That translates to worse care for the patients. So, do you want your hospital to be running smoothly or not? Do we have to wait until someone IS killed to take security seriously?Buddy, I'll take Bruce Shneier's assessment of security over yours any day.
No, it's actually that they aren't looking for you, because the secretary found it and fixed it when she got back from the restroom.
Hackers
Ever had your credit rating trashed by someone who lifted your financial info through a crack of a third party system? Many thousands of people have.
Odds 1:10,000
worse is you bank with retarded banks.
terrorists
Are you alive? Many thousands of people are not. Another couple dozen just died in Algiers today, killed by the local franchise operators of the same group that has attacked embassies, a US naval vessel, the WTC, the Pentagon, bars, nightclubs, hundreds of markets and restaurants, etc. This month, they are on a new campaign to ambush and kill anyone who reports to work in rural Afghanistan to teach young women how to read. It's super duper, though, that you don't find the people in London, or Madrid, or Detroit that preach the warm-up act for the same crap to be any concern at all. That's comforting!
odds 1:1,000,000
worse if your brown and live in a poor nation
drug dealers
You cite drug dealers, and then complain about "control?" These bastards deliberately seek to make behavioral slaves of generations of their neighbors, and think nothing of the resulting waste of lives and all of the accompanying damage. You'd rather that Wal-Mart sold heroin? Have you ever met someone with their teeth rotting right out of their meth-cooked skull? What is it that encourages you to gloss over the people that seek to make money peddling meth to school kids, or pretend they don't exist?
1:2
But the majority are pot pushers who sell to your kids. Your kids use it like you used to use beer... or pot/lsd. The potential harm for most people is minor.
child molesters
Ever met someone who had their youth stolen by someone like that? Let's find you a few thousand of them, and then you can address them, explaining how the people who did it to them don't exist, or aren't really a problem, and should be allowed to keep doing it. I'm sure you'll be persuasive.
1:100,000
Although these sick bastards affect everyone around their victims, they aren't that numerous. Many people still lead okay lives afterwards with some issues about security and sex. It's not a very homogenous group either.
communists
Well, you've got me there. They only killed a few hundred million people in the last century, so that's not so bad.
0:1
Communism is an idea. What killed most of the people your refering to is mob justice, fear, racial hatred, green, xenophobia, and poor management. Communism is general is a useless idea that was never fully implemented by anyone, could never be so, and used liek religion to clobber people.
"There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy."
BTW, I didn't say anything about committing crimes. "Not that I care", but calling me out on my full name and city of residence and then claiming some kind of illegal activity when I didn't actually mention as such is a bit slanderous.
I don't know about being "hacked." Is that something you do with a machete? Or a scalpel? Or, maybe, a golf club?
I was talking about "hackers."
You must be one of those people who thinks the word "hacker" refers to someone who uses a computer to commit crimes. Actually, we have a word for that already: it's "criminal." Hacker already has a meaning, and that isn't it.
I don't presume to be an authority, and I would certainly never call myself one, but I know people who exhibit the hacker spirit in their work and their everyday lives, and they tend to be leaders in the companies they work for. Hackers are resourceful; they find innovative ways of using tools that get the job done more efficiently in less time. They see possibilities where others see obstacles. Remember that kid who took his toys apart (and probably yours, too) just to see how they worked, and even managed to put them back together - give or take a few pieces? He was a hacker. Or the one who found a new and novel use for something you thought was boring and mundane? Hacker.
Do you have a friend who can fix your car, or a leaky faucet, or get your printer working again? Even though he's never worked with your particular printer or car before? He's a hacker.
We used to celebrate free spirits who had an insatiable curiosity about how things worked, and who shared their knowledge freely with anyone who wanted to learn, and couldn't sleep until they found the solution to a problem they were stuck on. But the media has latched on to a buzz word, so hard working, honest, productive people get slandered by ignorant morons who want to feel superior, at least until they can't get their printer to work. Then they ask that guy in the office who is "good with computers" to help them, and they never see the irony in this.
Someone else in this thread pointed out that most people think their monitor is the "computer," and that box with the wires coming out of it is the "hard drive." These people don't know any better and don't care, until something stops working. Then they ask someone for help, and that person who solves their problem for them is usually someone who possesses at least some of the qualities associated with "hackers."
Yet these same people will hear about an intrusion, or a virus or a worm and say "those damn hackers" because, once again, they don't know any better, and they don't care. As long as their printer works.
And here you are, surfing the Internet and posting on Slashdot, oblivious to the efforts of all the "hackers" who wrote code, developed protocols and designed the computer hardware that would make it all possible.
I don't care why you're posting AC
Social engineering. What makes it good is simply that you can actually make it realistic AND entertaining.
If you take the "technical" side of hacking, it's boring to film. Pages and pages of source or disassembly, lines and lines of shellcode... blech. So we get flashy interfaces that make you cringe when you know what actually should be there.
SE is a different matter. I mean, think of the ways Eddie Murphy got into various restricted locations in Beverly Hills Cop by inventing some stories and playing on people's weaknesses and sense of shame. You're "hacking people", not computers, that's something pretty much everyone in the audience can grasp. That's entertaining.
Still, for some odd reason such movies are rare. Maybe 'cause people consider it implausible that geeks have social skills.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.