Hack Me Once, Phreak Me Twice
There are a few elite in our technology-driven world that possess the unnatural ability to understand and wield the power of computers. To the media they are known as hackers, threats to computer security everywhere. To the underground they are known as "console cowboys", samurais, and the last defenders of free information. To the common man they are young teenage boys that break your computer and ruin your e-mail. Hackers are not criminals or mischievous kids with no purpose. They play an important role in our culture and are the fuel behind our technological revolution.
Before we can fully understand the mind of a hacker, we need to look at the history of hacking. Hacking is usually broken up into three time periods: The Elder Days, The Golden Age, and Zero Tolerance.
The Elder Days were the years from 1965-1979 when the "hackers" emerged from the computer labs of MIT, Cornell, and Harvard. These computer geeks of the 60's had an incurable thirst to know how machines worked, specifically computers. While professors were trying to teach structured, mathematical programming, students were staying up late nights "hacking" away at their programs until they found shorter and more elegant solutions to the problems. This process of "bumming code" contradicted the professors' methods, and so began the defiant and rebellious origins of hackers. This time period produced one of the best hacks of all time, when Dennis Ritchie and Ken Thomson of Bell Labs created the operating system UNIX in 1969. This primitive operating system was written by hackers, for hackers. There was now a standard to run programs on, although it required an enormous amount of knowledge of computers for even the simplest tasks. As a consequence of UNIX, the 1970's became all about exploring and figuring out how the computer world worked. In 1971, a hacker found out how to get free calls from AT&T by emitting a 2600 MHz tone into the receiver. He called himself "Cap'n Crunch" because he used the free whistle that came in the cereal box to give off the 2600 MHz tone. From this, a new type of hacking gained popularity, one that did not deal specifically with computers but rather with telephones. Hackers like Cap'n Crunch were called "phreaks", for "phone freaks." So, fittingly, hacking phones is known as "phreaking." As more phreakers and hackers emerged, they needed a way to communicate with each other. In 1979, Randy Seuss and Ward Christiansen answered this problem with the first personal-computer electronic bulletin board. Once hackers could connect with one another, the underground computing world flourished.
The Golden Age (1980-1991) began with IBM introducing their personal computer in 1981. Soon kids wanted to explore the insides of a Comodor 64 (Commie 64) or TRS-80 (Trash-80) computer. Then in 1983 War Games, the most famous hacker movie of all-time, hit theaters. In this movie Mathew Broderick plays a computer genius who hacks the pentagon defense system computers and nearly starts World War III. While the movie warned audiences that their computers were not safe, it made hackers realize the power they possessed. Ironically, the next big jump for hackers came with the government project ARPANET (which began in 1969), intended to connect military computers in the case of war so that communication could still be passed on if a military base was taken out. However, this project proved difficult and was abandoned to the educational institutions. Universities implemented early versions of the system to communicate across campuses. Students "hacked" away at the program, until it evolved into what we know to be the Internet.
The years of Zero Tolerance (1986-present) began as the government decided hackers were a threat to computer security. In 1986, Congress passed the Federal Computer Fraud and Abuse Act. The first person to be convicted under this Act was Robert Morris, a hacker who accidentally released an Internet worm and crashed 6,000 computer systems in 1988. He was fined $10,000 and hours of community service. Also in 1988, hacker Kevin Mitnick broke into the Digital Equipment Company's network and was sentenced to a year in jail. After his release he went on the run, hacking into computers, stealing corporate secrets, scrambling phone networks, and breaking into the national defense warning system. He was finally caught and arrested again in 1995, charged with stealing 20,000 credit card numbers and illegally using stolen cell phone numbers. He was released from prison on Jan. 21st, 2000. So it may appear that there has been no injustice done to these criminals, these "hackers."
However, the people mentioned above are not hackers, they are "crackers." Crackers (named because they "crack" your system) are hackers gone bad, computer geeks who use their power for evil instead of good. Although there is a distinct difference between hackers and crackers, the media incompetently uses the word "hacker" to describe both types. Since these arrests, the image of hackers has been corrupted by the media and the government. People no longer view hackers as the lovable, curious, computer geeks who started exploring our computer systems. Instead the hacker is a criminal, a threat to national security. How does a hacker respond to this public image? Perhaps the best response is from a hacker named The Mentor, who writes in his Hacker Manifesto, "Yes I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for."
So what drives a hacker? The simplest answer to this question is information. Information should be free for all. A hacker might hack big corporate computers because they suspect the company of wrongdoing and feel it is necessary to bring their secrets into the open. On the other hand, a hacker might hack Bell Labs to get documentation on how the phone system works. Hackers have a thirst for knowledge and will not be denied any of it. After all, we have as much right to know what is going on in the world as the next big shot CEO, don't we? Hackers are just the ones brave enough to stand up to corrupt corporate America. When a phreaker learns how to get free phone calls from a payphone and passes that information on, they are helping us fight the phone companies that are charging us an arm and a leg for a service that should be dirt cheap. And when a CIA computer guru hacks terrorist computers to gain information, no one really cares. Or when a computer network analyst hacks into the bank he works for and finds 3 new potential viruses and kills them, no one minds. The fact of the matter is that most hackers run computer security businesses and find problems in systems by hacking into them, then reporting the bugs to the company's computer technician to prevent crackers from exploiting them. But the media doesn't find these stories of hackers juicy enough for publication so no one ever hears about them. Instead, the media writes about malicious crackers, calls them hackers and sends the story to the world. Gee thanks guys.
As hackers gain new information, they like to share it with each other. There are numerous websites, newsgroups, and online publications that are periodically distributed within the underground. There are two major online magazines that have been running in the underground for over 15 years. These magazines have been on the web for hackers since the 80's, when nobody was online except hackers. The first is 2600, created by Eric Corley under the name Emmanuel Goldstein. As you might've guessed already, the title comes from the tone that was used by phreakers to make free phone calls. The magazine presents the more political side of hacking, like how we are being robbed by the phone companies. It suggested things to do to avoid being taken advantage of. The other magazine, entitled Phrack (a combination of Phreaking and Hacking) is geared more towards the hacker culture. In each issue there would be essays written from contributors around the world about hacking information. For example, the topics in issue #15 range from "More Stupid UNIX Tricks" to "Making Free Local Payphone Calls". Phrack provides free information for all, not just hackers. To see for yourself go to
http://www.phrack.org
There is no one definite way to hack that will always work. Like the game of chess, you can't just memorize good moves, because they won't apply in different positions. Instead, you learn the strategies and methods to produce good moves and apply those principles to different situations. The most time-consuming part of a hack is finding a way to get inside the computer. Once you are inside, getting information is just a matter of looking around. There are many methods of getting inside a computer, and a hacker usually has to employ many of them to gain access.
Social Engineering/Reverse Social Engineering
The Knightmare, in his book Secrets of a Super Hacker, defines social engineering as "the attempt to talk a lawful user of the system into revealing all that is necessary to break through the security barriers. The alternate term for this is 'bullsh**ting the operator'." Social engineering is much like role-playing over the phone, where you pretend to be someone you're not. For example, the hacker as a neophyte (which means newbie, or one with no computer experience) could call up the company's system technician early in the morning and say he is having a computing problem. The hacker could pretend he was a temp worker on his first day and doesn't know how to login. Since it is early in the morning, the hacker could say there was no one else around to help him. With some smooth talking and a tone of despair, it is very easy to get the technician to give you some sort of temporary or guest account. Reverse Social Engineering employs the same techniques as regular SE, only you rely on them calling you. This can be achieved by posting flyers or advertisements at the workplace as a computer maintenance engineer a few weeks before their computers "mysteriously" crash. Then they will call upon your services to fix their computers, inadvertently granting you access to their files.
Spoofing
Spoofing is much like social engineering, except it is done over the computer. For example, a "spoofed" e-mail might come from a hacker who has found a way to send e-mail as if it were from someone else. The hacker could e-mail thousands of online customers as the head of a corporation (say AOL) asking them to please send in their passwords because some files were lost. This is an extreme example, but there will always be people naive enough to actually send in their passwords. A spoofed e-mail could ask you for billing information or other personal records, supposedly from a high-ranking employee. Dummy programs, on the other hand, are much harder to notice by novices and the computer illiterate. Dummy programs are usually menu simulations that appear to be login screens, but are not. Here at MIT, a hacker could create a dummy menu that looks exactly like the Athena login prompt, and no one would know the difference. So let's say Joe User types in his Kerberos name and password, only to see the following display "incorrect password". He assumes he just typed something wrong, so he types in his name/password combination again and logs into Athena. What he doesn't know was that the first time he typed his name/password he was typing to a dummy screen! The program took his information, stored it in a file or sent it straight to the hacker, gave the display "incorrect password" and then closed itself. Little does Joe User know that now his name and password are in the hands of a hacker.
Brute Force
The last method of hacking I will mention is called "Brute Force." And for good reason too. When all else fails, and there is no way to get someone's password efficiently, it's time to just guess. The brute force method will only work when you have some sort of hint at what the password could be. If you know that the user loves the Red Sox, you might try passwords like "redsox, pedro, REDSOX, BaSeBaLL, hateYankees" and so on. If you know that the password has to be a certain length or all of one cap size, then it makes the job easier. Of course this method is extremely unreliable and draining. So most hackers make password generator programs if they are going to hack via brute force. Password generator programs will constantly spit out combinations of letters or numbers until they get one right. So if you know the password starts with a B and ends with all L, you can set the program to only use combinations with these variables. Brute force is not a recommended way to hack a computer because it is much too slow and does not show any creative or original talents.
So what good are hackers to our society? Hackers have paved the way for technological advancement. Without hackers constantly exploring, creating new ideas, finding better ways, how could we learn? Hackers are always learning and always teaching. Who is going to find a way to make our technology better by constantly pushing it to the limit? Who will invent new ways to communicate? Who still these days has the desire for knowledge? Who wants to understand the way things work? You?
I hope so.
|
