Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)

2017-07-07 02:10:07

I l @ ve RuBoard

There are many hackers who don't consider themselves criminals because they are not stealing money, credit cards, computer hardware, or anything made of atoms . Rather, they are only making copies of software and data and utilizing computer resources, CPU, disk, and networking. They seem to believe that since they are not depriving anyone of anything and the original copy of the information is still where it was, unaltered, they are not committing a crime. Since what they are taking is composed of bits, not atoms, and thereby, less tangible, they believe the laws of the tangible world do not apply.

Some hackers do not necessarily see their activities as criminal. In fact, many see themselves as defenders of the digital frontier. Some in the hacker community view corporations as evil and hackers as the only ones who can protect the world.

They feel that they are being persecuted because they know too much and that their knowledge is somehow threatening to the companies and governments which are persecuting them.

Releasing Information

For many, the free flow of ideas and information is the definition of the Internet. It started as a research network interconnecting universities and research institutions to facilitate communications. They see the commercialization of the Internet is the crime, and belive that "information must be free." For them, anyone who is controlling this free flow of information is doing it at the expense of all people.

A Norwegian teenager, Jon Johansen, was indicted for his role in creating software that permits DVD owners to view DVDs on players that are not approved by the entertainment industry.

Johansen originally published DeCSS as part of the open source development project LiVid (Linux Video) in building a DVD player for the Linux operating system. The MPAA CSS licensing entity, named DVD-CCA, refuses to license CSS to projects such as LiVid, which is an open source project collaborating on the Web to build interoperable software tools. LiVid's independently created DVD player software would compete with the movie studio monopoly on DVD players.

Electronic freedom advocates were quick to defend his work:

"Johansen shouldn't be prosecuted for breaking into his own property," said Robin Gross, staff attorney at the Electronic Frontier Foundation (EFF). "Jon simply wanted to view his own DVDs on his Linux machine."

"Although prosecutors in Norway failed to defend the rights of their citizens against Hollywood's unprecedented demands, we are confident that neither the Norwegian people nor their justice system will allow this charge to stand," added EFF Legal Director Cindy Cohn. "The movie studios have used intellectual property rights to silence scientists, and censor journalists . Now, they are declaring war on their customers." ^[27]

^[27] "U.S. Entertainment Industry Pressured Norwegian Prosecutors," Electronic Frontier Foundation Press Release , 10 January 2002.

Releasing Software

Many hackers view the nature of software licensing agreements to be unfairly restrictive . Most licenses will not allow you to have copies of the software on multiple computers even if you are the only one who uses those computers. In retaliation, hackers will crack the licensing codes so the software can be used anywhere by anyone. There is the debate that people who use cracked software cannot afford the licensed version and would not have purchased it anyway. Software companies look at the millions of dollars' worth of illegal software which is being used as lost revenue. Some users make a game of obtaining software for free.

In a certain elite circle that includes programmers, graphic designers, and many others, not paying for software is more than just money-saving, it's a point of pride . "Everything on my computer is stolen. I haven't bought one program," says a New York special-effects artist who estimates that his Apple Macintosh is loaded with more than $15,000 worth of software for which he hasn't paid a penny. ^[28]

^[28] Rosner, Hillary, "Steal This Software," The Industry Standard , 21 June 2000.

Consuming Unused Resources

It is common for the hacker to feel that if the resource is not being used, then there is nothing wrong with using it. Network bandwidth, computer cycles, telephone lines, and any resource to which a hacker can get access are likely to be used by the hacker. Of course, the consumption of these resources often leads to the company who owns them having to buy more resources when ample resources are available if they were not being used by hackers.

The consumption of unused resources is not always done with malicious intent. Often a hacker feels it is his duty to make these resources available to those who can use them, especially if it seems to be for a worthwile cause.

David McOwen, once a systems administrator at DeKalb Technical College, was brought up on charges of computer theft and computer trespassing for connecting a number of DeKalb computers to Distributed.net so that the spare computing cycles could assist in a communal code-breaking challenge. The state claimed that McOwen had drained $815,000 worth of DeKalb computing time and bandwidth consumption since installing the software early in 1999.

Under the Georgia computer trespass statute , criminal liability may only be imposed if the person uses the computer or network with knowledge that the use is unauthorized. The state would have to prove that he had fair notice that installing the Distributed.net client software was prohibited .

A deal was finally struck, in which McOwen will receive one year of probation for each criminal count, to run concurrently, make restitution of $2100, and perform 80 hours of community service unrelated to computers or technology. ^[29]

^[29] "Distributed Computing Prosecution Ends with Whimper Not Bang," Electronic Frontier Foundation Media Release, 17 January 2002.

Discover and Document Vulnerabilities

There are types of hackers who have taken it upon themselves to disclose the vulnerabilities in systems by making the details of the vulnerabilities as widely known as possible. They will often write programs which exploit the vulnerability as proof of the vulnerability. These scripts rapidly become tools for hackers who do not have the skill to create the tools themselves.

Adrian Lamo, who has a publicized history of exploring the inner workings of corporate computer networks in search of system weaknesses, sees himself as helping companies improve their system security by reporting flaws. He does this kind of work, he said, because he enjoys solving mysteries. Lamo doesn't hold a full-time job because, he said, it would be too restrictive and time-consuming .

He has been reported to have uncovered security lapses in networks run by Worldcom, America Online Inc., Excite@Home, Yahoo Inc., Microsoft Corp., and The New York Times. Lamo, who describes himself more as a "security researcher" than as a hacker, said he neither sought nor received any payment for his information.

His claims that he has never done any damage have come into question with his altering of news stories at Yahoo and The New York Times. Yet still there are those who identify him as a misguided youth with good intentions. ^[30]

^[30] Weiss, Todd, "Security Holes Closed after Hacker Intrusion," Computerworld, 27 February 2002.

Finding Fame

Fame is key to many hackers. This is obvious from the number of widespread attacks, such as viruses and website defacements, which do nothing other than draw attention to the attack. These attention- grabbing attacks are a way to prove the skill of the hacker. The more visible the target or the more widespread the victims, the greater the hack and therefore the better the hacker.

Some hackers want to gain fame from the technical ability of the hack. They want to show that they are able to do things which no other hacker has been able to do before. Others are hoping to become famous from the cunning of the attack. The selection of the target and the type of attack are key to demonstrating the courage necessary to pull off such an attack. And yet others are looking for as much publicity as possible by making the attack as widespread as possible.

Kevin Mitnick, a computer hacker who was once among the FBI's most wanted, guest-starred as a computer expert on an episode of ABC's spy drama "Alias." Mitnick served about five years in prison for a number of computer fraud crimes, including stealing proprietary software for cell -phone systems. He was released in January 2000.

"If someone else had cast him on another show, I would have been jealous," says "Alias" creator and executive producer J.J. Abrams. "I've always been a fan of Kevin's renegade spirit and sense of genius and curiosity ." ^[31]

^[31] "Famed Hacker to Guest-star on 'Alias'," Zap2it.com, 8 October 2001.