GEN 110 - Freshman Seminar: Computers and Society - Hacking

Dr. R. M. Siegfried

Hacking

What is Hacking?

The word to hack means "to cut irregularly; to notch, to mangle; to let out for hire." In terms of computers, hacking originally meant to work your way through a computer system or through a computer program in an attempt to figure out how it worked.

Steven Levy, in his book Hackers: Heroes of the Computer Revolution, speaks about the earliest generation of computer hackers, many of whom worked at the MIT Artificial Intelligence Lab and spent countless hours working on computer programs. Many of these people had a profound impact on the early generations of PCs. Levy characterized these early hackers as "adventurers, visionaries, risk-takers, artists" and "the ones who most clearly saw why the computer was truly a revolutionary tool."

Hackers conducted themselves in accordance with the Hacker Ethic, which was "Access to computers - and anything which might teach you about the way the world works - should be unlimited and total. Always yield to the Hands-On Imperative." Richard Stallman, who wrote EMACS (the text editor) and started the GNU Project (which produces open source software), was (and remains) one of the last guardians of the Hacker Ethic.

The most common current usage of the term computer hacker is someone who attempts to gain access to computer systems and computer files that they are not authorized to use. These people are also known as crackers, a term that more accurately describes their chosen activity, which is breaking into computer systems and computer files for which they do not have authorized access:

According to Levy, hacking as we understand it - that is, involving the use of computers - began to emerge only with the development of time-shared systems. Hacking then spread quickly once VDTs allowed users to interact with a machine directly rather than through the remote mechanism of card-based batch processing. Yet, even then, hacking referred to a much more noble set of activities than the criminal acts that are described by the term today. Hacking was an elite art practiced by small groups of extremely gifted individuals. It generated its own set of folk heroes, huge rivalries, eccentricities, and cult rituals. But, above all, this early form of hacking was about intellectual challenge and not malicious damage. Levy portrays this period as a sort of golden era of hacking, which mainly took place at two major sites - MIT and Stanford University in California. For most hackers at this time, their chief interest lay in understanding the innards of a system down to the last chip and the last line of the operating system. The software they wrote was for public display, use and further development and was their major source of self-esteem, challenge and socialization. [Forester, Tom and Perry Morrison, Computer Ethics: Cautionary Tales and Ethical Dilemmas In Computing, MIT Press, 1994, p. 76.]

Even within the "hacker" community (by the current definition of the term), there are gradations:

There are two types of hackers: ethical pros, who wear the "hacker" label with great pride, and CyberRambos, punks who are more correctly called "crackers".

Ethical pros are highly skilled computer professionals who hire out their skills to organizations concerned about their own network's safety. Essentially, ethical hackers will, with your full knowledge and permission, try to break into your site to find the weaknesses, and then help you fix them. Ethical hackers also are software developers who write security and firewall software, and "hack" as a way to test their products. Ethical hackers never break into a site without the owner's permission, and they do so only to help make the site more secure in the end. They do no damage, and they have very strict ethical codes governing their work.

We don't worry about ethical hackers here.

We do worry about the other kind, the kind I call CyberRambos, the ones ethical hackers despise and hate, dubbing them "crackers" because they "crack" (break) systems instead of just finding holes in them. Crackers are usually teens or early twentysomethings who break into other people's computer systems for a variety of reasons, mostly having to do with ego, showing off, status, thrills, and the challenge of doing Bad Things without getting caught. They have websites and newsgroups where they boast of their conquests to other CyberRambos. They give themselves trendy "handles," have websites full of anti-authoritarian rants, and generally just make cybertrouble, as teenagers in any subculture will do. [http://psy.ucsd.edu/psynet/security/hackers.html]

Hackers fall into several different categories:

Network hackers - who try to break the security of computer networks, either crashing web sites, altering them or destroying data:

Once hackers get onto the machines that host networks, they can alter or remove files, steal information and erase the evidence of those activities. But many hackers break security systems just to see if they can do it. They may enter the system, look at the data within and never go back. For these hackers, it's more a test of skill than an attempt to steal or alter data. [http://www.cnn.com/TECH/specials/hackers/primer/]

Software hackers - who try to break the security of popular software programs so they can be pirated:

These hackers develop their own software that can circumnavigate or falsify the security measures that keep the application from being replicated on a PC. For instance, you have a piece of software that requires a serial number to install. A software hacker does this in much the same way that network hackers attack network security. They may set up a serial number generator that tries millions of combinations of numbers and letters until it finds one that matches. The hacker could also attack the program at the assembly-code level, finding and altering the security measures. [http://www.cnn.com/TECH/specials/hackers/primer/]

What are these "system crackers" actually capable of?

Most of them simply exploit holes in the security of common Unix-based systems. These holes are well-known and well-documented, and the patches to fix them are easy to find. The only reason these people get in is that someone is too busy (or lazy) to keep up with the security issues as they're identified. In the last six years, with the explosion in popularity of the Internet, there has been a great deal more awareness of this problem, and the system cracker is finding it much more difficult to operate -- but those who do are generally the most skilled, and the most dangerous, of the bunch.

Until recently, this group has been made up almost entirely of teenage boys, whose purpose was simply to prove themselves and see what they could get away with: a digital version of joyriding. Reports indicate that this is changing; the majority are now older, and their purposes are more monetary, stealing information for themselves or to sell to other corporations, or holding it for ransom. In one widely-reported case, a cracker hijacked a British military satellite and held it for ransom.

While they can be dangerous, this group is kept mostly in check by the hundreds of system programmers and system administrators who do battle with them every day. The press these system crackers receive when they're successful is proof itself that these successes are unusual -- if they weren't, they wouldn't be news.

Script Kiddies?

"Script Kiddies" is the name given to unskilled system-cracker (or virus-writer) wanna-be's who rely on tools ("scripts") written by more skilled crackers. Though they wish otherwise, they are mostly harmless, not even qualifying as a mild annoyance to anyone who has kept up with security patches. They rely on the fact that if you look at enough systems, you're going to find a few that are vulnerable.

How do they get in?

There are some common techniques that hackers will try:

The Notorious

Kevin Mitnick

Kevin Mitnick was regarded as one of the most notorious hackers of his time, with the news of his capture in 1995 appearing on the front page of The New York Times. He is rumored to have trashed the credit report of the attorney who prosecuted him and disconnected the phone service of the judge who sentenced him, and the terms of his parole required that he not work with or even touch a computer. Mitnick was born in Los Angeles in the mid 1960s and reached adolescence in the late 1970s as the home computer revolution started. He got involved with a group of "phone phreaks", people who enjoyed discovering all the machinations of the nation's telephone system. Through his involvement with the phone phreaks, he learned the art of "social engineering." Social engineers are hackers who pretend to work for the phone company or to be computer service technicians and scam people into giving them information that gives them access to equipment, files and systems to which they are not entitled.

Mitnick has been arrested and convicted of several computer-related crimes. They include a telephone company break-in, trespassing on the campus of the University of Southern California and theft of services (computer time and ARPAnet access) as well as hacking into the computer system of computer security expert Tsutomu Shimomura and stealing hundreds of thousands of dollars in cellphone service. Mitnick recently finished his parole without incident, wrote a book on safeguarding computer and information assets and started a computer security consulting business, whose web site was recently hacked.

Masters of Disaster

The Masters of Disaster were a gang of hackers from the New York City borough of Queens who hacked into the telephone company computers. They were believed to be responsible for the crashing of AT&T's long distance network because of their attempts to alter the software.

Project Equalizer

Project Equalizer involved a group of West German hackers who eventually hacked their way into a computer system at the Lawrence Berkeley Laboratory. Their breach was discovered by system administrator Cliff Stoll because of a 75-cent accounting error that he tried to correct. Eventually, they were caught, but this was due almost entirely to Stoll's single-minded dedication to tracking them down and to his gaining the cooperation of Federal and West German investigators. When they were caught, they were attempting to sell U.S. defense-related computer data to the East German Secret Police.

Personality Characteristics of Hackers

The most obvious common `personality' characteristics of hackers are high intelligence, consuming curiosity, and facility with intellectual abstractions. Also, most hackers are `neophiles', stimulated by and appreciative of novelty (especially intellectual novelty). Most are also relatively individualistic and anti-conformist.

Although high general intelligence is common among hackers, it is not the sine qua non one might expect. Another trait is probably even more important: the ability to mentally absorb, retain, and reference large amounts of `meaningless' detail, trusting to later experience to give it context and meaning. A person of merely average analytical intelligence who has this trait can become an effective hacker, but a creative genius who lacks it will swiftly find himself outdistanced by people who routinely upload the contents of thick reference manuals into their brains. [During the production of the first book version of this document, for example, I learned most of the rather complex typesetting language TeX over about four working days, mainly by inhaling Knuth's 477-page manual. My editor's flabbergasted reaction to this genuinely surprised me, because years of associating with hackers have conditioned me to consider such performances routine and to be expected. --ESR]

Contrary to stereotype, hackers are not usually intellectually narrow; they tend to be interested in any subject that can provide mental stimulation, and can often discourse knowledgeably and even interestingly on any number of obscure subjects -- if you can get them to talk at all, as opposed to, say, going back to their hacking. [http://jargon.watson-net.com/section.asp?f=personality-characteristics.html]

What Does the Law Say?

The Computer Fraud and Abuse Act, as amended in 1996, states:

Whoever --

  1. having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation, willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
  2. intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains:
    1. information from any department or agency of the United States; or
    2. information from any protected computer if the conduct involved an interstate or foreign communication;
  3. intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
  4. knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
  5. knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
    1. intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
    2. intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage;
  6. knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if--
    1. such trafficking affects interstate or foreign commerce; or
    2. such computer is used by or for the Government of the United States;
  7. with intent to extort from any person, firm, association, educational institution, financial institution, government entity, or other legal entity, any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer;
shall be punished as provided in subsection (c) of this section.
[http://www.rent-a-hacker.com/hacklaw.htm]

How Do You Protect Yourself?

"[The] human factor is truly security's weakest link" - Kevin Mitnick

Some Guidelines For Protecting Yourself and The Network

[http://psy.ucsd.edu/psynet/security/hackers.html]

How To Pick A Good Password

DON'T use these in your password!

If you use any of the following, it's just a matter of time before some cyberpunk finds you:

DO choose a password that has the following:

Characteristics of a good password:

Examples of Secure Passwords

CAVEAT: Do NOT, under any circumstances, use one of these examples as a password for yourself on any computer system!!! Hackers are smart enough to spot a departmental web page titled "Choosing a Secure Password" and make note of the contents...
mBh4C1tg
Ps1t;F4mt
(At this point, you think I'm nuts.)

Good passwords are not simply word salad; they are alphanumeric combinations that you can create mnemonic devices for...

Mnemonic for first one: my Bunny hunts 4for Carrots 1n the ground.
Mnemonic for second one: Piaget stinks 1 think; Freud 4for me and thee.

Get the idea? Have fun making up something you will remember that looks like gibberish when you type it. Become worthy of being a research project for the memory and cognition folks.

Strategies to help you remember, from a Professional Password Rememberer

It's my job, after all, to remember gadzillions of passwords :) ...

However, I don't remember your passwords: even if I assign you one, I make myself forget it to ensure your security. But server passwords, workstation passwords, network passwords--they are all different. If I forget a password, I'm in BIG trouble. So here are some tips that have worked for me:

[http://psy.ucsd.edu/psynet/security/passwd.html]
