jump to navigation

Hackers, Crackers, Script Kiddies and Testing August 4, 2007

Posted by malthusio in Uncategorized.
trackback

In the media, hackers for a long time have been cast in a negative light. The problem is that the term doesn’t even refer to what it’s being applied to here. What most people are actualy talking about when they talk about “hackers” is crackers and script kiddies. Script kiddies are the ones who don’t realy know what they are doing, typicaly high school kids who download all of thier tools from the internet, and would be helpless without them. The term comes from the practice of copying and pasting small code snippets from some online code bank, typicaly in an interpreted or scripting langage. The script kiddie may then modify one or two lines (typicaly the comment indicating the author). The thing that realy irks me is that this has evolved to becoming accepted as a legitimate software development practice! How can these people take themselves seriously?

Anyways, crackers are typicaly more advanced than script kiddies, but not as broad ranging as hackers. Crackers are typicaly crypto-bufs, who are in it for the love of making and breaking codes (not all that much different from cross word puzzle or sudoku addicts), although there are alot who are simply vandals, or more akin to virtual graphiti artists. The reason for wanting to B & E a computer system is to leave your tag there (there are of course other reasons, this is simply my take on crackers who B & E). Of course, since many computer users (including computer administrators! – did you know it was, and still is a common practice to simply leave the default password in place on corporate routers? anyone who is familiar with Cisco routers could take advantage of this to perpetrate man in the middle or massive DOS attacks without too much difficulty. The default user/password on almost all enterprise Cisco gear is Administrator/cisco in case you were interested…) are not aware of what goes on on thier system, so if you actualy want a hack to be notieced (as a cracker grafiti artist would), you have to go overboard and do alot of damage.

The same is true for the media. With our love of doom and gloom, death and despair, what the media is going to notice and sell is… doom and gloom, death and despair. One thing I find kind of odd about our society, is that it’s practicaly become anti-social not to gawk. If there is a car crash or a train wreak you have to stop and watch. If you’re there to offer help fine, but when it gets to the point of the gawkers being in the way of help, it’s too much. This reduces you (almost literaly!) to a flesh eating zombie looking for brrraaaiiinnnsss (and it’s already been pointed out to me that this is actualy a ghoul…). Anyways, it shouldn’t be any wonder that Hackers have been painted negative by the media… since this is the way almost everything else is in the media…

Alright, with that out of the way, asside from say creating the internet and personal  computers, there is another very valuable function that hackers (and crackers, but not script kiddies…) could be performing. That function is testing. The good news is that many software companies are actualy starting to wise up about this. What hacking primarily does is expose bugs and security vulnerabilities that shouldn’t have been there in the first place. If a company were to hire an independant firm (which usualy hires hackers) to do this work, it would cost them huge sums of money, but yet there are people who are performing this service FOR FREE! Those who are willing to share thier results with those they hack (typicaly known as “white hat” hackers) should be given awards, not prison sentences. And the good news is, that some companies are open minded enough to do just that… now anyways.

When I was working as an intern at IBM, I had the privilidge of seeing James Whittaker speak. He is someone who breaks software for a living. Otherwise known as a security expert, tester, and hacker (of the white hat persuasion).  Incidentaly, he is working for Microsoft now, which I hope should say something to dispell the myths about Microsofts commitment to quality, stability, and security…. (http://blogs.msdn.com/michael_howard/archive/2006/05/05/590906.aspx). In his talk he gave instructions on how to perform basic hacks such as SQL injection on web sites (try inserting sql statements into a web query box sometime, typicaly after a delimiter such as & or ?, or imagine how the contents of the box might be used in an sql query. this is the basic technique…), and buffer overflow exceptions. Many applications are vulnerable to this exception in surprising ways… long filenames can sometimes be exploited for example. He also talked about some of his teaching, and and even that there were jokes emebedded in some of the Microsoft windows system dlls (stuff like “why did the server decide to crash? – becuase it was tired of it’s life and wanting to end it’s misery…”. I forget the actual joke, but it was something like that)! Apparently he also embedded a virus in a word document he sent to one of the IBM execs, but it didn’t work becuase he opened it with Lotus 123… (and no, It’s probably more likely to be because Lotus sucks, not because it’s good…. I managed to uncover an infinite loop in Lotus Notes that could easily be entered by a simple search and replace….).

Anyways, the next time you use shoddy software that doesn’t work properly, is awkward to use, crashes, and is insecure, know that it’s because of a severe lack of hacking… In the software industy there is a euphamism for this. They call it “user testing” or “field testing” if it’s an enterprise product. The idea is that this is completely untested (or mostly untested) code, and any bugs are exposed by the end user or in the field…. And some of this software is used by banks and government….

I ask you what the greater evil is: hacking software, or creating software that’s so easy to hack…

Advertisements

Comments»

No comments yet — be the first.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: