Slashdot Mirror
CNN on "hackers"
phil reed writes "CNN is running a special section on "hacking" called Insurgency on the Internet. I read part of it and winced, but other parts aren't bad. They have a dualing interview, featering Emmanuel Goldstein (Editor of 2600 Magazine) on the 'pro' side, and he gives a pretty good accounting of himself. On the other hand, there is some pretty lame stuff. "
Frankly, I don't think this point-counterpoint was a very good debate simply because the 2 gentlement were working off COMPLETELY different definitions of 'hacker'. Goldstein was using the classical definition of someone who wants to learn for the sake of learning while the IBM guy characterized hackers as the script kiddies and cyberterrorists who want to destroy the internet for their own amusement or political gains.
This was nothing but comparing apples and oranges.
So here's my idea: VPI (virtual private internet). Protect the entire thing with strong encryption, the keys for which will only be given to people who show some basic degree of understanding of technology. So, we just let all the jonnie-come-latelies have the internet, and we have our own little niche.
For example, if you can't get the VPI software to work and your first urge is to call tech support rather than RTFM, you can't get on. Or, if you don't understand why your computer that you bought six years ago can't run the latest and greatest 3D game at a reasonable speed, you can't get on.
As a side bonus, this should do away with first posters and other people who ruin the AC thing for those who use it responsibly.
----
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
No, the people described in this article are, for the most part, neither hackers nor crackers. Hackers are those skilled in programming or some other aspect of computers, and some of the people who break into systems may indeed be hackers. Crackers are the talented assembly language programmers who remove copy protection from programs - I doubt that's what they're describing in this article.
In short, I can see why hackers are upset at the commandeering of the term "hacker" to be a general description of any computer intrusion, but the answer is not to describe them as crackers instead. "Crackers" is a term that is already taken by a group that does not be deserved to be lumped together with script kiddies any more than hackers do. Polluting one word as retaliation for the pollution of another word accomplishes nothing - the word "hacker" will still be polluted, and all that will have changed is that you'll have succeeded in polluting yet another word.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Anyone else here remember Tymnet? When with a good understanding of a system, you could make it do what you wantedin clever and obscure ways? When computer time was billed? Hackers were, at that time, great programmers, or incredible system admins, or both.
People who broke into other computers were sometimes called hackers, but they did it using pure wits and skill. Hardly ever did they damage a system, they just wanted free computer time, or to be able to connect to another computer without paying for a LD call. Few 'hackers' broke into machines or networks, but those that did were almost always just having fun. True, I don't want anyone to have fun on my machine, but they were at most trespassers.. annoyances.
Now, enter the 1990s. Kids with 'virus creation kits' and 'syn bombers' that are already built for them do damage because then they can be '3133t', or have some other title that involves looking like a moron. They do thier best to install backOrifice on some poor housewives web-surfing machine and terrorize her. Then they get together and try to out-posture each other. How many of these 'hackers' have simply found a person who shared the C drive of thier machine and have a cable modem, then installed backOrifice or Netbus and called themselves a hacker 'D00D'? Do these people understand what they did or how they did it? No, but at least they can read the easy steps to do it... I can put a book on a photocopier, but does that make me a novelist?
Hacker has become a label for the latter group, and given the former a bad name. So let's call these 'new hackers' by a different, appropriate name. 'Morons' or 'Juvenile Losers' comes to mind.
For the few that DO know what they are doing, but still damage systems, let's call them 'assholes' (pardon my french). For if you really understand computers, and use that to hurt others, that's like knowing kung fu, and running around town beating people up.
I submit these new labels to the net community, hoping that I can once again call myself a 'hacker' and not have people either hate me, or ask me to crash thier boss' system.
The IBM suit, like all good suits, was there to sell his company, specifically his "ethical hacker" unit. He suggests that his (relatively small) group of "ethical hackers" could find potential security holes in your system - for a fee. It occurs to me that one could accomplish essentially the same goal by offering $1000 to anybody for each new security hole discovered (offer is null and void if said hole is used at any time to damage data etc). Given enough crackers, all security holes are obvious. I can feel the paranoid sysadmins recoiling in horror at this point, but a well-known site is going to be a target anyway; you may as well pay people for helping to find security holes.
How about comparing Hacking to breaking into a mall after dark. Malls have locked doors and security and there is a thrill in getting it. Looking around and then leaving without people noticing. If you are caught the guard probably just tosses you out (after you explain you were looking for a washroom).
:), I hate when people try to compare situations with computers to situations in physical life, because they tend to pick situations that cause the most FUD that they can use.
A cracker on the other hand would break into the mall to loot a store while it was closed.
The problem with networks is that they are public by definition. The house analogy is bad because you don't go to other peoples houses from your own house. It is not an access route to another house. On the other hand, if you had a really nice car, would you mind if someone was admiring it in the parking lot? Its a compliment, the same with a hacker that just probes a system without doing any harm. If that person were to then get in the car, that would be considered rude and could be equated with hacking a site and then putting up a new web page that says "I OWN THIS SITE D00DZ".
In conclusion
-?-
Anyone sit down and give both these articles a serious read? Did any of you who did, really sit down and think about them?
The *single* biggest proof to anything Goldstein said was Palmer's entire interview.
Goldstein's entire interview: The individual exists today in the form of the hacker. The corporation seeks to destroy the individual to further its own ends.
Palmer's entire interview: There is a threat to business which must be stopped, this threat is the hacker.
Hrmm... seems like one confirmed the other, the question we must each ask ourselves is, "Am I an individual, or a corporation?"
The vast majority of people use the terms "weight" and "mass" interchangeably. Despite this, their technical meaning is still recognised and everyone that needs to know the difference between the two does.
In much the same way, does it really matter if the popular definition of hacker is something other than what we take it to mean? The people that it matters to know the difference. It may well grate to hear the term being abused, but I also get irrationally annoyed with TV car safety adverts talking about the "force of an elephant". We're not going to be able to change the popular meaning, so why worry about it?
I'm 15 years old, I consider myself a hacker because I am a computer enthusiast. I never built an Altair, or owned an Osbourne, my first PC ran MS-DOS, my dad bought it for me and my sister. It was a piece of crap compared to my current PC, but i spent hours using it, and writing BASIC programs.
The only time i have ever done anything Malicious is once during a computer class, I logged onto a Mac server as my teacher, because i wanted to see if i could guess her password (it was very obvious).
IMO, your view that all teenage hackers are destructive and evil is wrong. From my experience the teens that REALLY qualify as hackers, respect their computers as well as everyone else's. The "destructive" hackers you talk about, tend to reside on AOL, are idiots, and they don't respect their PC's. Now ofcourse their are exceptions, but those people can't even be called hackers. Would a Car enthusiast break the windshield of someone else's car for fun? No, and a REAL computer enthusiast (a hacker) wouldn't destroy someone else's computer.
Opinionated Law Student Strikes Again!
When will people take the time to understand the hackers and their worldview?
/. would be considered hackers. I guess I would be too.
I know many of us here on
But I don't start viruses, crack programs, or delete files incomputers.
There are two types of hackers which are (to borrow from rap) Ols School and New School.
The old school hackers built Altairs, bootstrapped OS's onto their boxes, owned an Osbourne, were telnetting before anyone knew what telnetting was, had HTML 1.0 websites up, and basically flexed their love and knowledge of computers in any way they could. While some hackers were definately malicious, most of us weren't.
Come on, let's see hands. How many of us hacked into a site to see if we could, and then left after looking around?
But enter the new school.
These "new wave" live to destroy. No, I'm not talking to you, these guys are still in junior high and high-school, not online right now.
Yes, they are smart, but as one 14 year old I know says, "I like to blow a system, I like the control I have".
I guess this is their worldview, and while I don't agree with it, they can have it.
But the consequences to that worldview is unfortunate. They make it so those of us who do not do malicious actions (and in fact guard against them now) are grouped together with them.
So the question is, how do we get the mainstream to make the distinction?
"Responsibility for my career? I'm just a freakin' phone monkey!"
It's a thankless job, but I've got a lot of Karma to burn off
If we look at the history of responses to security threats, we see a trend towards greater preparedness and automation in response to threats. Ideally, this would make it easier for people to secure their (Unixoid) systems. However, for various reasons, this isn't exactly happening.
Originally, it was considered acceptable to have a relatively open system and to tighten security only when that system was actively abused or harmed. This was partly due to simple trust, but also partly due to the fact that the consequences of security threats on Net systems weren't nearly as bad as they are today. There were very few malicious crackers, and because of the small size of the Net it was easy to track them down. Most security-hole exploitation was done in fun, and without doing damage.
Later, after the RTM Internet Worm, it became expected that security holes would be reported as bugs, and that system maintainers would upgrade their systems to patch known holes. This is what we have CERT bulletins for --- to warn us of holes which have been discovered, so that we can secure our systems before they are exploited. In addition, we have systems such as SATAN that can diagnose existing, known security holes so that we can patch them. However, none of these measures are effective against a newly-discovered exploit which only the crackers know about.
Now, however, the increasing dependence of both the global economy and global culture on the Net has made it essential that we keep ahead of the crackers. So we now keep copious logs of all network activity, and we have security packages that alert us to activities which might be a prelude to an attack --- such as portscans. Even if we don't know of a security hole in our systems, we can at least notice when someone else is looking for one. Some of these packages simply alert the sysadmin to suspicious activity; others actively firewall out a site from which they detect a portscan.
Some free-software operating systems have kept up marvelously with this trend. OpenBSD, for instance, takes pride in being "proactively" secure, and sends regular security bulletins to the system administrator. Debian GNU/Linux also stands tall in security, making many logging and threat-detection packages easily available, as well as having reasonably paranoid security defaults. Debian's apt system also makes it trivially easy for system maintainers to keep up to date on security patches.
However, despite these advances in security, it's still true that far too many "Joe Redhat" users get rooted every day. Some systems aren't keeping up --- and in a sense, because Unixoid systems run more network services and in fact are designed for network operation, a poorly-secured Linux-based system may be worse, security-wise, than Windows.
Some would say "If a user doesn't know enough to secure his/her system, s/he deserves to get rooted." As a network systems administrator for a small college, I cannot accept that as a responsible answer. We encourage technically-minded students to put up Linux- and BSD-based hosts on our campus network --- not only for fun, but to encourage them to learn about these systems. However, if one of these students gets rooted, that exposes the rest of our network to greater hazard: something that I don't want to happen. Hence, I have a vested interest in ensuring that these students have good security on their personal systems, even though I can't go around auditing them.
An inexperienced user needs more help making his/her system secure than does a seasoned sysadmin. We cannot afford to think of security as something that can be traded off for ease of configuration, system simplicity, or ease of use. Unless those who intend to deliver "free software for the masses" --- Red Hat Inc. and its ilk --- make their systems more "proactively secure", free software will not live up to its security potential. If this goes on, "Joe RedHat" will keep getting rooted, and Linux-on-the-Desktop will be a security disaster.