Slashdot Mirror
The Myth of the Superhacker
mlimber writes "University of Colorado Law School professor Paul Ohm, a specialist in computer crime law, criminal procedure, intellectual property, and information privacy, writes about the excessive fretting over the Superhacker (or Superuser, as Ohm calls him), who steals identities, software, and media and sows chaos with viruses etc., and how the fear of these powerful users inordinately shapes laws and policy related to privacy and digital rights."
I live in a world where daily I hear people describing their monitor as their computer, and their computer as their "hard drive", or some other such mangled interpretation. That's actually very okay, it's not their job to have to know, and good for them for having some mental map.
What I find not surprising about the article's conclusions is even in the computer professional world I've met many "whizzes" not much more intelligent about what computers are and how they work. Hence, much of the alarm over internet terrorism and superhackers potential to bring the IT world to its collective knees spawns from barely literate computer "geeks". At the same time I find it a little disturbing. And it seems the higher up the ladder one goes, the less competence there seems to be regarding making intelligent conclusions about the IT landscape (hmmmm, Peter Principle?).
The biggest trick Satan ever pulled was convincing the world he doesn't exist
There are no super hackers out there.
Disregard that, I suck cocks.
it's a blue bright blue Saturday hey hey
I just came from a meeting on this very topic. The thing I came away from this meeting is that the real fear is that the Superhacker works for you. Or worse yet, you let him go yesterday. O. M. G.
Just as with any other field or profession, hacking is getting more specialized. It's not that the "superhacker" does not exist, but that such an animal's existence is getting harder and harder to maintain merely because of the expanding skillset and knowledge it takes to be a "hack anything" hacker.
That said, a lot of exploits don't come from being a super techie hacker with the skillz to defeat any system through sheer programming ingenuity or brute force. A lot of them still come from social engineering... convincing foolish people to give you enough information that a middle manager could hack them using nothing more than a standard login.
Where the "superhacker" mainly exists is in the movies. The guy who can pull out his laptop at any given location and hack into any given location on demand and with no preparation or research into the target. He's the human equivalent of the gun that doesn't run out of bullets and hair that dries into a perfectly coiffed do within seconds of getting out of the water.
- Greg
Start a happiness pandemic
Nobody knows the superhacker was ever there.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
A focus of the article is on the over response to the "superhacker" - this is the same knee jerk issue in regular crime. Glorify the criminal - make them all out to be Moriarty calibre - dancing magicians who laugh at us mortals - wheedle about inadequate laws .... rather neat solutions to abrogate your basic security responsibilities ? Fact is that most cybercrime is carried out by fairly basic means but there's an industry of ass covering in pretending otherwise.
Knightmare's "Secrets of the Superhacker"...m are/dp/1559501065
http://www.amazon.com/Secrets-Super-Hacker-Knight
Who's afraid of a little social engineering?
Tibbon
tibbon.com
I know the Superhacker exists... because he's me. Now, if you'll excuse me, I need to go back to my 3D virtual reality interface, hop on my lightcycle, and infect the alien mainframe with the Michaelangelo virus. If you need me, I'm at IP address 24.75.345.200.
Gamingmuseum.com: Give your 3D accelerator a rest.
Before I move onto the title of my post, let me just say Kevin Mitnick.
Sure it's an old example, but it is also a great example. Maybe he didn't go releasing chaos in every category, but for a public example this is a pretty good one. Look at the stuff he got into and ahold of. These articles burned my eyes so I couldn't read the all three parts or even all of part one. Sorry, but one other thing -- where exactly is all this concern and discussion about a super-hacker? How can it be overblown, overhyped, etc? I don't hear anyone talking about a super-hacker.
It doesn't take much reasoning to show why this must be the case.
So why is Ohm resistant?
You're punctuation is wrong. You wrote:
Girls on the plus side you can walk all over them and get anything you want.
What you meant to write:
Girls (on the plus side), you can walk all over them and get anything you want.
Law School professor Paul Ohm
I wonder if he teaches Ohm's Law?
So why is Ohm resistant?
Get out of here! Now!
This guy's the limit!
I can't imagine where people get all these ideas about "super hackers" and the like. Now where are my VR goggles? I need to hack a Cray using this pay phone down the street...
It must have been something you assimilated. . . .
It's too bad the quote is "the devil" or you might have gotten yourself some free geek credibility there.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
+1 insightful
+1 pun
Well done friend, well done.
You can be an atheist and still not want to succumb to some weird cross-over sheep disease -- AC
Hackers, terrorists, drug dealers, child molesters, communists:
Useful tools for the control of a fearful and gullible populace.
"My high school still has absolutely zero knowledge of some of the hacks I pulled, and they never will know."
FYI Andrew Matecha of Vancouver BC, there is enough information on your band's website and MySpace page to identify you and figure out which school you committed your crimes against. Not that I care, but you might want to think about that before you brag about illegal activity you've participated in.
This guy who is a suppossed specialist in computer crime apparently never spent time being a security admin for a network. You know, those guys who spend all day making sure servers and workstations are patched, passwords follow policies, exploits are kept track of, logs analyzed, IDS/IPS systems are up, running and monitored. Who go to sleep at night worrying where the next one is coming from?
He doesn't see large outbreaks as often as before because of people like that. They stay on top of all these things. Take the ani cursor exploit recently in the Windows OS... it was used in a targeted attack against a few locations and some more rare broad attacks. If it has been more widely used or the patch had not come out as quickly as did; more harm would have been done.
As time goes on and more and more data is kept with identifying information; the loss expenctencies get greater not less.
The last thing we wnat is this term misused in a law somewhere or even in popular usuage. Some poor sod getting dragged off by security after being heard uttering what will be the suspiciuous words "I'll have to get superuser access" is some stupidity we can live without.
Other than that there are good points - he's talking about the mythical "cyberterrorist" (also a bad word due to distinct lack of angry robots with bombs - but at least it doesn't already have a meaning).
but in reality most of the crimes are committed out of stupidity or drug influence
I don't think that inside theft of database dumps containing hundreds of thousands credit card accounts and SSNs is done by stupid or drug-addled people. I don't think that people who systematically probe for SQL insertion vulnerabilities on transaction systems in hopes of defacing something with some politicized rant are stupid or drug-addled. I don't think that people plant stealth FTP servers to serve up kiddie pr0n from unknowing desktops are being stupid or drug-addled. You're confusing malice with stupidity, and poisoned ethics with drug dependence.
Don't disappoint your bird dog. Go to the range.
Actually, I don't think he's resistant to that at all. From what I read in TFA, he's arguing for two things. The first is actual data collection on the phenomena so that discussion can go from anecdotal/emotional to hard data based. The second is that our responses should be based on the conclusions FROM fact based discussions rather than hysteria.
One thing that I haven't seen discussed in other posts is the usefulness of hysteria about hackers to law enforcement. It's given them unprecedented access to and control over personal freedoms in our country. The little we DO know about makes me seriously consider moving to another country. I can only imagine what else is going on.
Regarding security responses, his point is that resources are always limited. Where you put them - even in security focused enterprises - should be solidly based on risk/benefit analysis. You can't do that analysis if you don't stop spending your time reacting and start collecting real data.
All too often emotionally driven politics drives decision making rather than real data. This benefits others - including the security industry. I know because I was part of the security industry. While it's true that small companies often do the equivalent of leaving the doors unlocked, the percentage that have been actually hit is small.
I'd like it to become standard that vulnerability reports include statistics on the rate of exploitation of each found vulnerability. That allows overworked and under budgeted IT departments a chance to prioritize.
The first mistake is to think that anything mentioned even requires you to be a "superhacker". Identity theft is trivial. Stand on a street corner and say you're registering people for a contest, and put name, address, social security number on the form, and 90% of people who stop to fill it out will just put their SSN down. Stealing "software" and "media" hardly makes you a superhacker; hundreds of thousands of people do it every day, 99% have probably never even compiled a program. Virus writing isn't difficult either; it's finding the hole to exploit in the first place that CAN be difficult. But given an exploit, turning it into a virus isn't that tough.
Even when we take it up a notch and look at actually dangerous attackers, like people using widespread vulnerabilities to deploy custom rootkits, we're not talking about superhackers.
Then there's a class of people who, if they are inclined to be lawbreaking and antisocial, are superdangerous. Take a look at someone like Michal Zalewski, who's been pumping out advisories, proof of concepts, and gems like a hobby OS for...well, a long time. Can you imagine him in the wild as a black hat? Ugh, scary.
Then there's real superhackers. One former coworker built a railgun for fun, cracked DES (key recovery in 24 hours on a p3, given certain fairly common preconditions), cracked the remote management on a major commercial firewall (because we lost the password, and it was easier than going offsite for password recovery), then founded a security company, got rich when they got bought out, and moved onto toy around with things for nasa and the DoD. So, if someone like somehow finds their way onto - and stays on - a black hat path, well, the mere fact that securing something is harder than cracking it means he will always find a way in, if he wants to badly enough. I think they'd have to be unbalanced to stay black hat, since that sort of talent will either get them illegitimately rich enough that they'll avoid danger, or get them legitimately rich enough that they'll give up black hat activities to go legit.
But identity theft? Please. Peanuts. They're more likely to use large scale espionage to find some valuable nugget; perhaps upcoming M&A activites. Then they sell this info to a third party with plausible deniability and a lot of cash - say, George Soros (not that I'm saying he'd buy, but for example) - and let them profit massively off it and take a kickback. Just one significant score like that should be worth 7-8 figures. That's just one example out of a hundred scenarios where a true uberhacker could illegitimately profit. And they'd almost certainly only do it once, if money was their motivation.
"There is no need for a hacker to obtain near omnipotent technical skills"
Who says that just beacuse you are at that level you are somehow magically honest? Often times its the thrill of cheating the system that appeals to the upper % of the food chain in the first place.
---- Booth was a patriot ----
If a million monkeys could eventually happen to write Hamlet, a million typical users could eventually crack important network security. ...redacted document files retaining undo information, poor password choices, nigerian scams...
the more difficult a security system is to use, the greater the chance it won't be used.
employees will write client information and passwords on paper, allow others to use use their accounts, or hit 'yes' to every prompt.
I've seen new Windows XP computers plugged into a network get pwned before you could finish going through the Windows setup wizard. The reason stuff like this doesn't result in "loss of personal records" is because IT professionals and security experts put in a s**tload of effort to make sure it doesn't. But IT professionals and security experts can't prevent a PHB from putting sensitive info onto a laptop and then taking it home only to have it stolen.Yeah, well, I work in a hospital. Every time there's a large-scale problem with the network or enterprise system, it seriously affects the staff's ability to perform their duties. That translates to worse care for the patients. So, do you want your hospital to be running smoothly or not? Do we have to wait until someone IS killed to take security seriously?Buddy, I'll take Bruce Shneier's assessment of security over yours any day.
No, it's actually that they aren't looking for you, because the secretary found it and fixed it when she got back from the restroom.
Hackers
Ever had your credit rating trashed by someone who lifted your financial info through a crack of a third party system? Many thousands of people have.
Odds 1:10,000
worse is you bank with retarded banks.
terrorists
Are you alive? Many thousands of people are not. Another couple dozen just died in Algiers today, killed by the local franchise operators of the same group that has attacked embassies, a US naval vessel, the WTC, the Pentagon, bars, nightclubs, hundreds of markets and restaurants, etc. This month, they are on a new campaign to ambush and kill anyone who reports to work in rural Afghanistan to teach young women how to read. It's super duper, though, that you don't find the people in London, or Madrid, or Detroit that preach the warm-up act for the same crap to be any concern at all. That's comforting!
odds 1:1,000,000
worse if your brown and live in a poor nation
drug dealers
You cite drug dealers, and then complain about "control?" These bastards deliberately seek to make behavioral slaves of generations of their neighbors, and think nothing of the resulting waste of lives and all of the accompanying damage. You'd rather that Wal-Mart sold heroin? Have you ever met someone with their teeth rotting right out of their meth-cooked skull? What is it that encourages you to gloss over the people that seek to make money peddling meth to school kids, or pretend they don't exist?
1:2
But the majority are pot pushers who sell to your kids. Your kids use it like you used to use beer... or pot/lsd. The potential harm for most people is minor.
child molesters
Ever met someone who had their youth stolen by someone like that? Let's find you a few thousand of them, and then you can address them, explaining how the people who did it to them don't exist, or aren't really a problem, and should be allowed to keep doing it. I'm sure you'll be persuasive.
1:100,000
Although these sick bastards affect everyone around their victims, they aren't that numerous. Many people still lead okay lives afterwards with some issues about security and sex. It's not a very homogenous group either.
communists
Well, you've got me there. They only killed a few hundred million people in the last century, so that's not so bad.
0:1
Communism is an idea. What killed most of the people your refering to is mob justice, fear, racial hatred, green, xenophobia, and poor management. Communism is general is a useless idea that was never fully implemented by anyone, could never be so, and used liek religion to clobber people.
"There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy."
BTW, I didn't say anything about committing crimes. "Not that I care", but calling me out on my full name and city of residence and then claiming some kind of illegal activity when I didn't actually mention as such is a bit slanderous.
Maybe we should be more concerned about the news media and Hollywood romanticizing the image of the "Super Hacker". This tends to lead to situations where 16-yr old kids are being sent to jail for nothing more than digital vandalism because they believe it "looks" cool. Not only did they do something unethical, you know that they obviously found instructions on how to do it if they didn't even know enough to cover their tracks.
The author also has an excellent point with respect to how laws have changed as the above mentioned individual (Google "Daphne High School Hacker Alabama") will be prosecuted for a federal crime and a felony---for deleting data from a high school grading system---that was backed up. Does THAT punishment fit the crime when murderers and rapists are still prosecuted at the state level?
Federal crimes require that you do 80% of the time before being considered for parole...state crimes are almost to the opposite extreme.
Just my 2 cents....Great topic by the way.
Social engineering. What makes it good is simply that you can actually make it realistic AND entertaining.
If you take the "technical" side of hacking, it's boring to film. Pages and pages of source or disassembly, lines and lines of shellcode... blech. So we get flashy interfaces that make you cringe when you know what actually should be there.
SE is a different matter. I mean, think of the ways Eddie Murphy got into various restricted locations in Beverly Hills Cop by inventing some stories and playing on people's weaknesses and sense of shame. You're "hacking people", not computers, that's something pretty much everyone in the audience can grasp. That's entertaining.
Still, for some odd reason such movies are rare. Maybe 'cause people consider it implausible that geeks have social skills.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
hello im fairX the haxxor join my community of hackers if you payme enough i will give you access to a private area of haxx ;)
I was about to say 13256278887989457651018865901401704640, but it appears this number is private property.