Re: Extreme Hacking

[Rafi Sadowsky <rafi () meron openu ac il>]

why call it hacking - hacking has a "good" side to it too

I thought a criminal hacker should be called CRACKER
that would make the differentiation clear

for example I assume most ppl who use the (non-commercial at least)
version of NFR are probably hackers but very few are crackers


-- 
Rafi Sadowsky                                   rafi () oumail openu ac il
Network/System/Security  VoiceMail: +972-3-646-0592   FAX: +972-3-646-5410
       Mangler ( :-)      |    member  ILAN-CERT(CERT () CERT AC IL)
Open University of Israel |   (PGP key -> )  http://telem.openu.ac.il/~rafi


On Mon, 5 Jul 1999, Ryan Russell wrote:

> > I have to remain a little sceptical on this point. What I think
> > they mean is that they invented a few tricks of their own, which
> > they aren't planning on publishing -- they'll leak out pretty
> > quickly, once the class has run a couple times. I find it hard
> > to imagine that teaching something in a class is a good way
> > to keep it a secret.
>
> Agreed.
>
> > A number of "reputable" security companies develop their
> > own hacking techniques. I'm not sure what the justification
> > is -- other than that it just comes naturally, since they
> > tend to hire "ex-"hackers. It'd be unrealistic to expect
> > those guys to stop thinking in terms of how systems are
> > broken into, and to shift their thought-patterns into thinking
> > about how to keep systems secure.
>
> Don't we all keep a few such "database" items?  In our heads,
> if nowhere else?
>
> > Am I the only person who has a problem with the idea of someone
> > teaching hacking techniques? Sometimes I think I am.
>
> Unfortunately, probably not.
>
> This has a certain hypocritical ring to it..  Are you claiming that you've
> never taught anyone technique?  Is it really possible to build
> an IDS product without such knowledge?  I'll stop short of
> accusing you of breaking in to anyone else's systems without
> permission... but I'm sure you must have at least broken into your own.
>
> Seems I remember some paper about going into unauthorized
> places... says to play dumb or some such.  Anyway, look it
> up, it offers some useful techniques.
>
> If one believes as I do, that we can only create secure systems by
> having people who know how to break insecure ones, then it
> makes sense to teach technique.  We need more eyeballs.
>
> If not, then not.
>
> > Hacking isn't a technological problem, it's a social problem.
> > As such, it's not going to be "solved" by technological means,
> > but rather by social means.
>
> Defending against hacking may be more social than technical..
> But how to perform a hack is largely technique and methodical
> process.  That can be taught like any other techno, no problem.
>
> > I'm pretty sure that the best way
> > to reduce the amount of hacking is _not_ to glorify it, charge
> > people money to learn it, and hire people as consultants for
> > lots of money because they have hacking backgrounds. The only
> > way I can think of to make hacking unattractive is to make it
> > really really expensive when you get caught.
>
> I would have hoped that YOU would not fall prey to the trap of
> confusing the terms "hacker" and "criminal".
>
>                     Ryan