Information Security News mailing list archives

Eight things hackers hate about you


From: InfoSec News <isn () C4I ORG>
Date: Wed, 12 Jul 2000 04:42:02 -0500

Forwarded By: infosec () infosec 20m com

http://www.pghcitypaper.com/cv62800.html

Two months after the "Love Bug" and a week after "Life Stages," I'm
not going to try to get you to hug a hacker. What I am going to do is
give you a version of the "piece of mind" a computer-industry friend
gave me over dinner one night when, like so many journalists have, I
casually referred to virus-authors and system-crackers as hackers.

Hackers aren't crackers, Chris Lichti, a 26-year-old senior system
designer at a computer company with offices near Pittsburgh, told me
in no uncertain terms. They are a dedicated, workaholic group of
aficionados who spend much of their time helping to create and expand
the digital world for the love of it, often pro bono, for no other
reason than they believe it will help humanity. And mostly, they are
getting tired of being equated with the crackers who steal our data,
run up bogus phone bills, and send us e-mails whose lips say "love
you" while their actions say "fuck you."

And so, without further ado, here are eight things hackers hate about
you:

1. You don't know a hacker from a cracker.

One of the biggest pet peeves among hackers is the casual assumption
that they are all data-thieves and system-attackers -- "crackers" is
the proper term for those people.

"My code controls a product that can, and often does, either improve
the quality of medical care, reduce the cost, or both," says hacker
Robert Bickford on his Web site, "Are YOU a Hacker?"
(www.daft.com/~rab/ayah.html). "When some ignorant reporter writes a
story that equates the work I do with expensive but childish pranks
committed by someone calling himself a 'Hacker,' I see red."

Hackers are partly to blame for the confusion, because they themselves
don't use the terms consistently. "It's an understandable etymological
leap," says Pittsburgh-area hacker Mike Weber. "If a computer system
has been compromised, you say it's been hacked. But a hacker is not a
person who hacks in that definition of 'hack'."

While there's some small cross-membership between hackers and
crackers, Lichti says, "I think there is a growing animosity between
the two groups," as hackers increasingly feel targeted by society and
the law for the activities of crackers. Most reviled are the "script
kiddies": often young, always unsophisticated crackers with flamboyant
aliases who do great damage using cracking programs they downloaded
from the Web -- the workings of which they don't understand.

"I can say that a lot of attacks are launched by people who don't
understand technology," says Jed Pickel, a technical coordinator at
Computer Emergency Response Team (CERT) Coordination Center, Carnegie
Mellon's national anti-cracking war room. Pickel has seen evidence of
crackers trying to give commands in one computer language while
cracking a computer that uses another.

"These are people who take a hacker's discovery and put it to ill
use," agrees Weber.

Hackers consider crackers to be malicious poseurs who have fallen from
the true path of hacking. Some use the term "white-hat hacker" to
underscore their "good guy" role and further distinguish themselves
from crackers.

2. You don't appreciate a good hack.

If a hacker isn't a cracker, what is he (or, increasingly, she)?
That's a moving target, too, as hackers sometimes use the term in the
sense of a life philosophy that could apply to any number of hard-core
workaholics with a passion for their calling and an anti-authoritarian
streak. In fact, the very idea of a unified voice repels some in the
hacker community, who feel that nobody has the right to "speak" for
hackers. But most people who call themselves hackers are dedicated to
some aspect of computer software or hardware as well.

Hackers don't completely dodge the geek stereotype. "Contrary to
popular myth, you don't have to be a nerd to be a hacker," says Eric
Raymond on his Web site, "How to Become a Hacker"
(www.tuxedo.org/~esr/faqs/hacker-howto.html). "It does help, however.
... Being a social outcast helps you stay concentrated on the really
important things, like thinking and hacking."

With characteristic forthrightness, hackers generally embrace geekdom;
it's a kind of repudiation of a society that they feel mistreats
hackers and other misfits.

Bickford's Web site defines a hacker as "any person who derives joy
from discovering ways to circumvent limitations." Usually, legit
hackers use the word "limitations" to apply to problems, often
practical problems in making computers and networks work better.
Sometimes, however, limitations include security systems. Exactly what
a hacker is willing to do -- and where he or she draws the line -- is an
important part of the gray area between hacker and cracker.

"Sometime in the last year, someone I will call a cracker for now
discovered a weakness in [Microsoft Windows]," Lichti told me. This
person, possibly with no motive worse than warning the computer
community about that weakness, created a "worm" called VBS.Network.

Symantec AntiVirus Research Center's online encyclopedia
(www.symantec.com/avcenter/vinfodb.html) defines a worm as "a program
that is designed to copy itself from one computer to another over a
network (e.g. by using e-mail). The worm spreads itself to many
computers over a network, and doesn't wait for a human being to help.
This means that computer worms spread much more rapidly than computer
viruses."

And VBS.Network did just that: It spread like wildfire throughout the
Internet. But VBS.Network was essentially harmless: It spread, but
didn't damage the unsuspecting recipients' data.

The problem with VBS.Network was that, once someone had invented it,
it took little skill to turn it into a digital weapon. Someone else,
with far less skill, created an imperfect but destructive worm based
on the same general idea. Unlike VBS.Network it reproduced itself via
e-mail instead of by network connections, and it required the victim
to open an attachment that said "I Love You." Since no one acted to
close the gap in digital security revealed by VBS.Network, the earlier
worm only enabled the malicious cracker who authored the Love Bug and
its many copycats.

To be sure, computer law in many states defines unauthorized access to
a computer system to be equivalent to damaging it, whether or not
damage was done. (Laws elsewhere in the world can vary from
nonexistent to highly draconian.) In much of the U.S., the author of
VBS.Network is no less guilty than the creator of the Love Bug. But a
spectrum of activities lies between Love Bug, VBS.Network, and
legitimate hacking, posing an ethics problem regardless of the law.

"I want to know how a system can provide secure access to some people,
but not others," Lichti says. "Can we improve the system to prevent it
from being broken? Do I explore these issues by cracking into a
corporate system? Do I crack into my own system, or those of my
friends? This is the ethical fine line most hackers dance around."

"I don't think I'm in a position to be defining a line" between
hackers and crackers, says CERT's Pickel. He and his colleagues don't
even like to use the words "hacker" and "cracker": they say "intruder"
or "attacker" for a cracker. "You could even go as far as to say that
people who ... do all kinds of damage raise awareness," eventually
leading to better computer security.

Pickel never really told me what he calls hackers -- but he did
begrudgingly admit that many of his coworkers at CERT fit the benign
definition of the word.

Many hackers would like to see attitudes about nondestructive hacking
change. Damaging someone's data or computer is always wrong, they say;
but sometimes, breaking in can be a wake-up call and a warning that
prevents real cracking -- which leads us to our next point.

3. You make it too easy.

Hackers are amazed at how little the vast majority of computer users
bother to understand the technology they depend on so heavily. Hard
experience doesn't seem to steer people from stupid errors, such as
assigning obvious passwords or opening poorly explained e-mail
attachments from people they don't know.

Ease of cracking is even more of a major bone of contention between
hackers and the establishment computer corporations. In one sense, the
law has to protect people from being victimized, even -- especially --
if they're easy targets. But many hackers believe that a combination
of malice toward hackers and plain old arrogance makes industry types
too slow to admit they've made a mistake -- and too quick to kill the
messenger. Microsoft is a perennial and favorite, but by no means the
only, target of this kind of criticism. Some hackers claim its
products are inherently easy to crack.

VBS.Network, which should have warned people the Love Bug was coming
but didn't, is a perfect example of industry hubris, says Lichti.
"Perhaps network security specialists were not as concerned about it
as they should have been."

Sometimes a hacker will inform the vendor of a problem in a software
product's security. The company's response can vary from a thank-you
letter and free software, to ignoring the hacker and denying the
problem, to threatening a lawsuit.

"To report the problem to the vendor is no longer an option," says
Lichti, because of the companies who have "attacked the hacker as if
he'd exploited the problem" rather than merely discovered it. One
arguable example of this -- depending on whom you ask -- is DeCSS, a
computer program designed to decode the encryption that the
entertainment industry used to prevent people from copying (and
pirating) digital video discs.

"DeCSS was developed because the company that did the encryption for
DVDs did [such] a shoddy job ... that any student could decrypt it,"
says Lichti. "And they did." The industry has responded not by
improving the decryption, but by suing a number of hackers and others.

4. In your eyes, we're guilty until proven innocent.

The most common refrain among hackers is that, contrary to media
stereotypes, they're not out to get the rest of us -- but our paranoia
makes us dangerous to them. Often intelligent and introverted, hackers
grow up as outsiders. They claim that a few cracking incidents -- as
well as school shootings completely unrelated to hacking -- have been
used by industry and government to create a witch-hunt for hackers and
other misfits of all ages.

Slashdot (www.slashdot.org), an online hacker newsletter, is,
according to the hackers I spoke with, arguably a voice of the
moderate hacker mainstream. Slashdot has run a number of features,
many written by print- and cyberjournalist Jon Katz, in which
self-proclaimed geeks tell stories of harassment and worse from fellow
students, teachers, school boards and the law. Aside from the
questions these stories raise about how officials are using their
authority over kids, it also underscores hackers' self-image as
besieged by the outside culture from an early age.

"I remember the basic assumption people made about me in [high] school
10 years ago," Lichti said in an e-mail. "When I expressed interest in
learning more about computer systems I didn't understand, the
assumption was that I intended to do harm."

Nowadays, "If I found a flaw in some Microsoft software, I wouldn't
report it to Microsoft myself; I'd report it to network security
experts I know. That might delay the time it takes for a fix to come
out," he admits, but if it's a choice between a "happy life versus my
facing lawsuits from an out-of-control bureaucracy ... I'm just not
willing to take that risk."

To be fair, Pickel says that CERT is willing to act as a middleman for
hackers wanting to warn manufacturers anonymously.

Lichti's worry, bordering on the paranoid, merits some background on
him: meticulous, married, holding a responsible computer industry job,
and a deacon in his church, he's not exactly the unkempt, wild-eyed
cracker who you might expect from those statements. Something has
given him what he feels is good reason to believe that being an
otherwise responsible citizen with good motives wouldn't protect him
if someone in power decided he was an evil cracker who needed to be
brought down.

5. You kill the messenger.

The difference between hacking and cracking is hazy and hard to
define. Yet the law does insist upon clear definitions, sometimes
based on a shaky understanding of the technology. And the consequences
for cracking -- or hacking near the edge -- can indeed be severe.

Consider a story in 2600: The Hacker Quarterly (www.2600.com), an
online magazine Lichti tells me caters to those on the hazy border
between hackers and crackers.

Ed Cummings, a hacker caught with equipment and a computer configured
to phreak -- steal telephone service -- spent most of the time between
spring 1995 and fall 1996 in prison. The Secret Service found an
online book on bombmaking and some material they thought might be
plastic explosives in the house Cummings was living in (the latter
turned out to be a dental compound used by the dentist who owned the
house). Cummings may or may not have erased incriminating data in one
computer device when the police made a visit to his house.

The Secret Service used this evidence to argue that Cummings was a
threat to the President.

The judge threw the book at Cummings. Among other prisons, he spent
time in the maximum-security wing of the Northampton County
Correctional Facility near Philadelphia. Also in that wing was Joseph
Henry, who had, according to 2600, "bit off a woman's nipples and
clitoris before strangling her with a Slinky." Worse, they transferred
Cummings -- a procedure usually reserved for snitches -- several times
during his incarceration. Cummings claimed to have been harassed by
guards; there seems to be no dispute that he was beaten by other
prisoners.

Remember: All they ever really proved was that the guy was stealing
telephone service.

The Northampton County Correctional Facility didn't return my call.
It's not exactly a secret that federal laws can punish minor criminals
more severely than violent criminals convicted under state laws. But
the hacking community looks at this story and sees a guy being
punished not because of his crime, but because he's a hacker.

A more recent case, and one that's appeared, among other places, in
the New York Times and Village Voice, is that of Eric Corley and
DeCSS. You'll recall that this program allows people to crack the
encryption of DVDs. Corley, among others, ran afoul of the Motion
Picture Association of America when he posted the code for DeCSS on
his 2600 site. Eight MPAA member studios have sued Corley -- along with
at least one other suit against others who had posted the software on
their sites. The Corley suit is ongoing.

Nobody accused Corley, who is an Internet journalist but doesn't even
consider himself a hacker, of pirating DVDs, or of writing DeCSS. Only
of posting it on his Web site.

At first, the case seemed a slam-dunk for the industry; the judge
immediately granted an injunction forcing Corley to remove the program
from his site. The plaintiffs have requested another injunction, to
prevent him from linking to other sites containing DeCSS. (For now, at
least, Corley offers these links at
www.2600.com/news/1999/1227-help.html.)

As the facts came out, the picture grew murkier -- and less flattering
for the industry. For starters, DeCSS is neither needed by nor
necessarily the tool of choice for DVD pirates. DeCSS can be used to
pirate DVDs by translating them into electronic form and sending the
resulting files through the Internet. But at the time Corley posted
DeCSS, the size of the average DVD was so large it would have taken up
most of a computer's hard drive and been prohibitively slow to
transmit -- although new compression technology recently changed that.
By contrast, known large-scale piracy operations copy disks bit by
bit, without bothering to crack the code, and so don't need DeCSS.

DeCSS can, however, be used to play a legally purchased DVD on a Linux
computer or other hardware that the movie industry hasn't anointed as
DVD players. Linux is the operating system of choice for most hackers
-- they use neither the Macintosh or Windows operating systems found on
most PCs nor the UNIX OS on most mainframes.

Linux is what's called "open-source" software -- it's essentially free
for the asking, group property. Hackers as a community created and
continue to develop it. Open-source software, and its egalitarian
virtues, is something of a religion among hackers. The entertainment
industry hasn't produced Linux DVD software yet. The two Linux
projects it is developing will run only on certain proprietary
versions of Linux sold by the computer industry.

6. You won't set computer code free.

The industry's objections to using DeCSS to, in effect, make a single
copy of a movie so that an open-source Linux computer can play it --
arguably analogous to the quite legal practice of making a single
cassette copy of a purchased CD for use by its owner -- reveals
another, not so savory, possible motive for the suit. Some hackers say
that the industry is trying to expand control over copyrighted
materials by way of controlling what systems and computers can play
DVDs. Potentially, it's a kind of monopoly in which DVDs and the
ability to play them are inextricably attached to certain vendors.

"The real importance of DeCSS is not that it could be used to make a
Linux DVD player," said Robert Link in a Slashdot discussion. "The
real importance ... is to make DVD an open format ... to make sure
that we retain our right to use material that we have legally
purchased however we see fit ... It means that when you buy something
you own it."

In a way, say some hackers, the industry is trying to have it both
ways: to enjoy the legal protection of copyright or patenting, which
normally requires making the information public, while retaining the
secrecy of a trade secret -- which, in the non-digital world, is up for
grabs to any one who reverse-engineers it.

In the physical world, you can copy a book you own as long as you
don't try to sell the copy or distribute it in large enough numbers to
undercut the vendor's ability to make money off of it. In the digital
world, thanks to laws like the federal Millennium Digital Copyright
Act of 1998, such "fair use" may or may not exist.

Martin Garbus, Corley's high-powered attorney (thanks to money from
the Electronic Frontier Foundation), has said that DeCSS is merely a
fair-use tool. He also argues that Corley, as a journalist, has the
right to post the DeCSS code as an expression of free speech. Industry
lawyers argue that the MDCA and other laws trump fair use -- and,
ominously, the First Amendment -- in the digital world.

That phenomenon -- copyright laws and the First Amendment changing when
you enter the digital world -- makes hackers feel targeted. In some
cases, mere ownership or transfer of software or hardware capable of
cracking is a crime, whether or not the hacker makes use of it, and
even when it has legitimate uses. It's as if the government made
photocopiers illegal because they could be used to pirate books (the
Soviet Union did this), or made ownership of a book on the chemistry
of explosive compounds illegal in the absence of any bombmaking. By
their nature anti-authoritarian, hackers see this trend as a threat to
themselves -- and to all of us.

Of course, along with this anti-authoritarianism comes diversity. It
would be a mistake to assume that all hackers agree where the line
between DVD hacking and cracking lies. On Slashdot, Travis Beals, a
student at the University of British Columbia who moonlights as a
software developer, openly questioned the party line on DeCSS: "If
someone can convince me that the primary use of DeCSS is a Linux DVD
player, I'll firmly support the effort to fight the restraining
order," he wrote. "Otherwise, I'm not so sure what's right ..."

7. You lump us in with that "Gen X" crap, but we work harder than you.

One of the most enduring stereotypes of hackers is that of the
teenaged boy, listless and apathetic at school, bringing down
nuclear-missile computers from his dad's rec room. Leaving aside for a
moment that the very concept of Generation X is something of a media
creation, hackers especially hate people to assume that they're all
lazy kids.

"I would not say that it is true that most hackers are young,"
Pittsburgh hacker Weber e-mails. "I would suspect that the average age
of the group of crackers is lower than the average age of the group of
hackers."

In an amusing Web site written to help managers understand the hackers
who work for them (www.plethora.net/~seebs/faqs/hacker.html), Peter
Seebach explains how managers can mistake hackers' unconventional work
habits as slacking, while they're nothing of the sort: If a hacker
takes a short day, maybe it's because she put in six 12-hour days last
week; if he's playing Doom during company time, it may be because he's
working through a tough problem.

"Hackers, writers, and painters all need some amount of time to spend
'percolating' -- doing something else to let their subconscious work on
a problem," Seebach wrote. "Your hacker is probably stuck on something
difficult. Don't worry about it."

"The 'Establishment' may view the different approaches to
work/play/dress/etc. as 'apathetic and lazy'," Weber e-mails. "But the
judgment has no basis in reality, as any judgment based on a
stereotype, because stereotypes apply to those you don't wish to
understand but [who] bother you." Hackers often work long hours;
complaining about the time flexibility they demand (and often get)
makes as much sense as complaining when a co-worker demands and gets
more money. It may be unfair, but it's a part of the world hackers
certainly didn't invent.

Certainly, the rhetoric of the hacking community gives one the picture
of an intense aesthetic philosophy rather than GenX listlessness.
"Being a hacker is lots of fun, but it's a kind of fun that takes lots
of effort," says Bickford on his Web site. "[T]o be a hacker you have
to get a basic thrill from solving problems, sharpening your skills,
and exercising your intelligence. ... Becoming a hacker will take
intelligence, practice, dedication, and hard work."

8. Not only do you not like us, but you won't just leave us alone.

The hackers I spoke with took pains to remind me that they weren't
pretending to speak for all hackers. In a group that prides itself on
its anti-authoritarianism, this is hardly surprising. What it means,
however, is that it's probably impossible to create a list of rules or
cardinal beliefs that hold for all hackers.

A source of debate among hackers is the self-appointed popularizer of
hacker culture. Many applaud Jon Katz, for example, for books like
Voices from the Hellmouth, which relates horror stories from kids who
were targeted for nothing other than being different. Others aren't
buying it.

"I feel like we, the so-called geek community ... are placed behind
glass and shown off to the rest of the world by [Katz] ..." said a
hacker, identified only by the screen name "Anonymous Coward," on a
Slashdot discussion of Voices. "Doesn't he realize ... maybe, just
maybe, we just want to be left alone to do our thing?"

writer:
KEN CHIACCHIA

ISN is hosted by SecurityFocus.com