funsec mailing list archives

Fwd: [Dailydave] Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site"


From: "Fergie (Paul Ferguson)" <fergdawg () netzero net>
Date: Tue, 20 Sep 2005 22:48:17 GMT

It'll be interesting to see how _this_ all works out. ;-)

- ferg


-- "Marcus J. Ranum" <mjr () ranum com> wrote:

First off, I apologize for my delay in responding. I had a crunch project
due and pretty much dug myself into a hole for a week. I'm out, now. :)


Dave Aitel writes:
Hacking, or in common parlance, "breaking into other people's computers"
is a tool of the human spirit. We live in a time where new technologies
engender new freedoms as well as new tyrannies. As the discipline of
revolution must take hold among a society in order to combat any
tyranny, such has hacking taken hold among the technical community.

This is the most unexpected and fascinating defense of hacking that
I have ever encountered; I thank you for it. I've been chewing it over
for several days now, and let me assure you that, honestly, it has cast
a new light on many of my views about hacking. It will cause me to
change my website, too, but in ways of which I cannot be sure, yet.

Freedom-loving people understand that, to resist the inevitable
trend toward tyranny, it is important that "the tree of liberty be
refreshed from time to time with the blood of patriots and tyrants."
But Jefferson probably would have drawn the line at watering the tree
of liberty with innocent victims chosen at random based on their
IP address.

My "issue" if you will, with hacking, is not that it is practiced by
a small handful of well-disciplined patriots. Such patriots, if they actually
existed, would presumably maintain effective tradecraft, hold their
weapons and techniques closely, and would only field them at the
point where it was necessary to spruce up the tree of liberty. But
that's not what I see - I see hacking practiced by a vast rabble of
undisciplined amateurs and opportunists. The amateurs, or "script
kiddies" are not interested in defending liberty or preparing to
overcome tyranny - if they were, they wouldn't be victimizing helpless
home users, university accounts, and small businesses. The
opportunists often rely on publicizing flaws in software so they can
get their 15 minutes of fame on CNN. They're not interested in
protecting the world against tyranny; they just want to hype
themselves so they can get better consulting contracts or promote
the products they want to sell.

So, Dave, you use ringing words of liberty and revolution to defend
a situation in which, from where I stand, I see little but victimization.
Indeed, what is tyranny but the usurpation and revocation of liberties?
As it stands, today, the hacking community has done more to usurp
personal liberties on the Internet than any government has. It is not
fear of governments that causes home users to disconnect their
internet links: it's fear of worms written by hackers/malware writers
based on knowledge published by "security researchers" and "grey
hat" hackers. It is not government censorship that renders Email
unreliable and dangerous as a form of communication: it is the
constant flood of new phishing scams, spyware, and trojans written
by hackers/malcode writers and shared with spammers and scammers.
If hacking is about fighting tyranny, then how has it become a tool
of the worst sort of petty, venal tyrants - tyrants that erode our
people's right to free speech by taking down or defacing web sites,
and destroy our ability to enjoy the web by forcing us to hunker down
behind firewalls?

Your words sound good, but if they were true we would be hearing
about how hackers had broken down the information firewalls in
the oppressive theocracies of the middle east, or had established
covert ISPs and Email access in North Korea. But instead, we hear
an endless litany of
"600,000 credit cards stolen"
"Personal information compromised"
"Crucial system taken offline"
These are not acts of revolution, no matter how you try to paint
them: these are acts of non-ideological selfishness, committed by
borderline sociopaths who enjoy anonymity as they electronically rape,
pillage, pry, and plunder.

Because morality and legality are entirely separate worlds, hacking, and
the apotheosis of hackers in modern culture (Matrix, et al.), provides
the public three valuable things. The first thing is the idea that
unknown heroes, electronic Robin Hoods, are working to defeat the
oppression around them. Hacking truly is the mighty made low. It's not
joe-blow's cell phone that gets hacked, but Paris Hilton's. It's not your
sister's email, but Michael Bloomberg's. This is as true for the
Pakistani hacker groups as for the Chinese. Higher levels of oppression,
not higher levels of expensive upper education, spawn hackers in places
like Turkey, China, Eastern Europe, and South America. Sometimes just a
story about revolution can be enough to inspire true freedom.

I grew up in the late 60's and went on some of the peace marches
in NYC in the 70's - so you can imagine my surprise when I hear
the sounds of old-school Marxist populism on an internet security
mailing list!!

Here, you are appealing to anti-classist sentiment. As if, somehow,
Paris Hilton has no right to privacy because she's beautiful and
vapid, or Michael Bloomberg's right to privacy should be derided
because he's a billionaire. But even so, your argument is flawed,
because it IS my sister's email that gets hacked AND it's Michael
Bloomberg's. It is not the billionaires and famous who have their
identities stolen and traded on IRC like poker chips. The people
who are hurt the worst by hacking are, as usual, the poor and
ignorant. It is one thing to shout "SCREW THE RICH!" but quite
another when it's the poor who are actually getting screwed.

Yes, hacking flourishes under oppressive regimes - but profit-motivated
hacking flourishes particularly in economically deprived areas. It is
not love of revolution that makes Nigeria the global champions of
bank fraud - it is poverty and a corrupt banking system. It was not
Communist oppression that fueled the great wave of Russian hackers
of the late 20th century: it was lack of local resources and opportunity.
They weren't fighting communism; they were trying to cash in on
the table-scraps of the dot-com bubble.

Again, if hacking is a weapon against the oppressive state, why
is it that oppressive states seem to withstand hacking far better
than their free-market peers? Because we have more to lose - or
because we represent a larger body of potential innocent victims?

The second thing hackers bring the public is a complete defeat of the
false sense of security world governments would like to provide
themselves with extensive Brave-New-World-like monitoring tools. What
use is monitoring the public when that data can be manipulated,
corrupted, and deceived? What use is it to foist an electronic voting
scheme on the public when the public knows how it can be fooled into
voting for whoever controls the wires? By defeating the false sense of
security normally associated with complex technologies the public does
not understand, hackers defeat a small part of the modern tyrannies we
could find ourselves under.

I believe hacking has done a lot to erode false senses of security.
Certainly, fewer people trust their credit cards online. Fewer people
are willing to rely on their email. Yes, I'm sure that fewer people
will trust E-voting systems, as well.

If I may sidetrack into politics, E-voting should not be what we
fear. A quick look at political history shows us that dictatorships
have NEVER bothered to conceal what they are; they have never
needed to. Nobody who has the power to topple a republic by
force would bother using E-voting to do so. Nobody who lacked the
power to hold a republic once it was stolen would be able to
retain their grip even if an E-voting election were rigged. E-voting
is an interesting problem and a fun technological toy, but it's
just a pretty GUI atop a more profound process. Mao was right,
political power grows out of the barrel of a gun - not a rigged E-voting
machine. If you truly believe what you're espousing, I suggest
you become a right-wing gun nut and supporter of The 2nd
Amendment and give up this computer security nonsense entirely.

The third thing hackers deliver is an offensive operations team against 
the very powers that seek to defuse other cultural revolutions. 
Whistleblowers have a technique to use that provides anonymity. The 
anonymity of astroturfing corporations can be penetrated. Shredded 
documents detailing environmental destruction can be pulled from a 
hacker's email archives and emailed to newspapers. When The SCO Group 
find their website has been hacked, can they trust that their email has 
not been stored somewhere, ready for revealing at an inopportune moment? 
In this way, hackers keep those people in places of power honest.

There are right ways to foster honesty, and there are wrong
ways. When Ollie North's e-mails with the NSC were pulled from
backup tapes pursuant to a legitimate court order, the justice
system was seen to be functioning correctly. When someone
defaced SCO's website, justice was wronged. Why? Because
whether you think it was fast enough, the justice system was
grinding along and doing the right thing in that case. Hackers
defacing websites of the side they don't like is an attempt to
threaten, annoy, or intimidate - it is a miscarriage of justice.
Justice respects property rights. Justice encourages free
speech. Eroding trust does neither.

While hacking does harm a few, it frees many.

Against the hypothetical threat of technological tyranny, we
balance hundreds of thousands of computers compromised
every year - jobs lost, lifetimes of system administration wasted,
careers ruined, identities stolen, personal information disclosed,
and people's privacy violated.

Does that sound like a fair trade? Not to me. Next time some
big worm brings down a mission-critical network, will you stand
up in front of the network administrator and tell him it was for
the greater good? I'd like to be there; I'll drive you to the hospital
after he's done with you.

An exploit itself is a study in cool understated elegance.

So is a haiku, or a well-coded B+tree, or a well-made sword,
or a nicely-fitted dovetail joint, or a photograph, or a techno
track - or any of literally hundreds of thousands of socially-sanctioned
forms of creativity.

Humans create and appreciate art. Yet, society has the right
to implicitly approve of some forms of art and to disapprove
of others. Usually, this depends on whether or not there are
victims - for example, it doesn't matter how well-photographed
it may be: child pornography is a crime. There is doubtless a
certain severe elegance in creating a custom-tailored
death virus - yet society frowns on doing so, and rightly
restricts people's ability to gain the necessary materials
and expertise. I am told by friends who know these things
that the internals of state-of-the-art hydrogen bombs are
"very cool" but you and I are not allowed to try to build them.

By arrogating upon themselves the power to penetrate, destroy,
and compromise both the evil and the innocent, the hacker is
stepping outside of the body politic. Indeed, in a sense, the
hacker collective might be a "rogue state" or the individual
hacker a "terrorist." You appeal to us with the words of 
revolution but you're no revolutionary - you're just another
computer security entrepreneur teaching shellcoding technique
at conferences to market your company's products. Real
anarchists do not hide in broad daylight - G.K. Chesterton
was writing parody, not truth. If you were truly a cultural
revolutionary trying to help defend us all against tyranny you'd
be an IT specialist for one of the 2 political parties, working
quietly from the inside. No shellcode necessary.

Hacking is done under extreme 
pressure and personal risk, each hacker a submarine captain in a leaky 
boat with a cool head and a steady hand.

So is brewing crystal meth or shooting kiddie porn.

No matter how much you want to romanticize a thing, if
there are innocent people being placed at greater risk through
your actions or inactions, you bear some moral responsibility
for your actions.

There's where I have a problem with all this. By romanticizing
hacking, you make it more attractive. You make it easier for
someone to think "well, it's OK."  Whenever some hacker gets
busted and defends their actions based on "I didn't mean to
harm anyone" and THAT is what the media reports, it
desensitizes the potential hacker against the consequences
his actions might have on a victim. Desensitization goes
further, when you hear security practitioners blaming the
victim: "well, he got 0wned because he was too lame to
update his firewall."  Never mind that the victim was a
72-year-old lady in a retirement home, and it was some
kind of miracle to her that Email works at all - now you
expect her to install a firewall?

The computer security industry has a number of reprehensible
practices which I believe will eventually be abandoned. If they are
not, we security practitioners will eventually be regarded with
the level of professional respect accorded to tort lawyers and
used car salesmen. Inevitably, we will have to distance ourselves
from the source of the problem; eventually our customers will
realize that the vulnerability which was used to compromise
their system came from an employee of a consulting firm. The
industry has been trying to react to this problem linguistically,
by "sanitizing" the term "hacker" and claiming "'Hacker'
is GOOD. 'Cracker' is bad" - whatever. That's going to fool the
rubes for another couple years. History will judge us all by
our deeds, not what we choose to call ourselves.

Thanks for your time,
mjr. 



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.