funsec mailing list archives
Fwd: [Dailydave] Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site"
From: "Fergie (Paul Ferguson)" <fergdawg () netzero net>
Date: Tue, 20 Sep 2005 22:48:17 GMT
It'll be interesting to see how _this_ all works out. ;-)

- ferg

-- "Marcus J. Ranum" <mjr () ranum com> wrote:

First off, I apologize for my delay in responding. I had a crunch project due and pretty much dug myself into a hole for a week. I'm out, now. :)

Dave Aitel writes:
Hacking, or in common parlance, “breaking into other people's computers” is a tool of the human spirit. We live in a time where new technologies engender new freedoms as well as new tyrannies. As the discipline of revolution must take hold among a society in order to combat any tyranny, such has hacking taken hold among the technical community
This is the most unexpected and fascinating defense of hacking that I have ever encountered; I thank you for it. I've been chewing it over for several days now, and let me assure you that, honestly, it has cast a new light on many of my views about hacking. It will cause me to change my website, too, but in ways of which I cannot be sure, yet. Freedom-loving people understand that, to resist the inevitable trend toward tyranny, it is important that "the tree of liberty be refreshed from time to time with the blood of patriots and tyrants." But Jefferson probably would have drawn the line at watering the tree of liberty with innocent victims chosen at random based on their IP address. My "issue" if you will, with hacking, is not that it is practiced by a small handful of well-disciplined patriots. Such patriots, if they actually existed, would presumably maintain effective tradecraft, hold their weapons and techniques closely, and would only field them at the point where it was necessary to spruce up the tree of liberty. But that's not what I see - I see hacking practiced by a vast rabble of undisciplined amateurs and opportunists. The amateurs, or "script kiddies" are not interested in defending liberty or preparing to overcome tyranny - if they were, they wouldn't be victimizing helpless home users, university accounts, and small businesses. The opportunists often rely on publicizing flaws in software so they can get their 15 minutes of fame on CNN. They're not interested in protecting the world against tyranny; they just want to hype themselves so they can get better consulting contracts or promote the products they want to sell. So, Dave, you use ringing words of liberty and revolution to defend a situation in which, from where I stand, I see little but victimization. Indeed, what is tyranny but the usurpation and revocation of liberties? As it stands, today, the hacking community has done more to usurp personal liberties on the Internet than any government has. 
It is not fear of governments that causes home users to disconnect their internet links: it's fear of worms written by hackers/malware writers based on knowledge published by "security researchers" and "grey hat" hackers. It is not government censorship that renders Email unreliable and dangerous as a form of communication: it is the constant flood of new phishing scams, spyware, and trojans written by hackers/malcode writers and shared with spammers and scammers. If hacking is about fighting tyranny, then how has it become a tool of the worst sort of petty, venal tyrants - tyrants that erode our people's right to free speech by taking down or defacing web sites, and destroy our ability to enjoy the web by forcing us to hunker down behind firewalls? Your words sound good, but if they were true we would be hearing about how hackers had broken down the information firewalls in the oppressive theocracies of the middle east, or had established covert ISPs and Email access in North Korea. But instead, we hear an endless litany of "600,000 credit cards stolen," "Personal information compromised," "Crucial system taken offline." These are not acts of revolution, no matter how you try to paint them: these are acts of non-ideological selfishness, committed by borderline sociopaths who enjoy anonymity as they electronically rape, pillage, pry, and plunder.
Because morality and legality are entirely separate worlds, hacking, and the apotheosis of hackers in modern culture (Matrix, et al.), provides the public three valuable things. The first thing is the idea that unknown heroes, electronic Robin Hoods, are working to defeat the oppression around them. Hacking truly is the mighty made low. It's not joe-blow's cell phone that gets hacked, but Paris Hilton's. It's not your sister's email, but Michael Bloomberg's. This is as true for the Pakistani hacker groups as for the Chinese. Higher levels of oppression, not higher levels of expensive upper education, spawn hackers in places like Turkey, China, Eastern Europe, and South America. Sometimes just a story about revolution can be enough to inspire true freedom.
I grew up in the late 60's and went on some of the peace marches in NYC in the 70's - so you can imagine my surprise when I hear the sounds of old-school Marxist populism on an internet security mailing list!! Here, you are appealing to anti-classist sentiment. As if, somehow, Paris Hilton has no right to privacy because she's beautiful and vapid, or Michael Bloomberg's right to privacy should be derided because he's a billionaire. But even so, your argument is flawed, because it IS my sister's email that gets hacked AND it's Michael Bloomberg's. It is not the billionaires and famous who have their identities stolen and traded on IRC like poker chips. The people who are hurt the worst by hacking are, as usual, the poor and ignorant. It is one thing to shout "SCREW THE RICH!" but quite another when it's the poor who are actually getting screwed. Yes, hacking flourishes under oppressive regimes - but profit-motivated hacking flourishes particularly in economically deprived areas. It is not love of revolution that makes Nigeria the global champions of bank fraud - it is poverty and a corrupt banking system. It was not Communist oppression that fueled the great wave of Russian hackers of the late 20th century: it was lack of local resources and opportunity. They weren't fighting communism; they were trying to cash in on the table-scraps of the dot-com bubble. Again, if hacking is a weapon against the oppressive state, why is it that oppressive states seem to withstand hacking far better than their free-market peers? Because we have more to lose - or because we represent a larger body of potential innocent victims?
The second thing hackers bring the public is a complete defeat of the false sense of security world governments would like to provide themselves with extensive Brave-New-World-like monitoring tools. What use is monitoring the public when that data can be manipulated, corrupted, and deceived? What use is it to foist an electronic voting scheme on the public when the public knows how it can be fooled into voting for whoever controls the wires? By defeating the false sense of security normally associated with complex technologies the public does not understand, hackers defeat a small part of the modern tyrannies we could find ourselves under.
I believe hacking has done a lot to erode false senses of security. Certainly, fewer people trust their credit cards online. Fewer people are willing to rely on their email. Yes, I'm sure that fewer people will trust E-voting systems, as well. If I may sidetrack into politics, E-voting should not be what we fear. A quick look at political history shows us that dictatorships have NEVER bothered to conceal what they are; they have never needed to. Nobody who has the power to topple a republic by force would bother using E-voting to do so. Nobody who lacked the power to hold a republic once it was stolen would be able to retain their grip even if an E-voting election were rigged. E-voting is an interesting problem and a fun technological toy, but it's just a pretty GUI atop a more profound process. Mao was right, political power grows out of the barrel of a gun - not a rigged E-voting machine. If you truly believe what you're espousing, I suggest you become a right-wing gun nut and supporter of The 2nd Amendment and give up this computer security nonsense entirely.
The third thing hackers deliver is an offensive operations team against the very powers that seek to defuse other cultural revolutions. Whistleblowers have a technique to use that provides anonymity. The anonymity of astroturfing corporations can be penetrated. Shredded documents detailing environmental destruction can be pulled from a hacker's email archives and emailed to newspapers. When The SCO Group find their website has been hacked, can they trust that their email has not been stored somewhere, ready for revealing at an inopportune moment? In this way, hackers keep those people in places of power honest.
There are right ways to foster honesty, and there are wrong ways. When Ollie North's e-mails with the NSC were pulled from backup tapes pursuant to a legitimate court order, the justice system was seen to be functioning correctly. When someone defaced SCO's website, justice was wronged. Why? Because whether you think it was fast enough, the justice system was grinding along and doing the right thing in that case. Hackers defacing websites of the side they don't like is an attempt to threaten, annoy, or intimidate - it is a miscarriage of justice. Justice respects property rights. Justice encourages free speech. Eroding trust does neither.
While hacking does harm a few, it frees many.
Against the hypothetical threat of technological tyranny, we balance hundreds of thousands of computers compromised every year - jobs lost, lifetimes of system administration wasted, careers ruined, identities stolen, personal information disclosed, and people's privacy violated. Does that sound like a fair trade? Not to me. Next time some big worm brings down a mission-critical network, will you stand up in front of the network administrator and tell him it was for the greater good? I'd like to be there; I'll drive you to the hospital after he's done with you.
An exploit itself is a study in cool understated elegance.
So is a haiku, or a well-coded B+tree, or a well-made sword, or a nicely-fitted dovetail joint, or a photograph, or a techno track - or any of literally hundreds of thousands of socially-sanctioned forms of creativity. Humans create and appreciate art. Yet, society has the right to implicitly approve of some forms of art and to disapprove of others. Usually, this depends on whether or not there are victims - for example, it doesn't matter how well-photographed it may be: child pornography is a crime. There is doubtless a certain severe elegance in creating a custom-tailored death virus - yet society frowns on doing so, and rightly restricts people's ability to gain the necessary materials and expertise. I am told by friends who know these things that the internals of state-of-the-art hydrogen bombs are "very cool" but you and I are not allowed to try to build them. By arrogating upon themselves the power to penetrate, destroy, and compromise both the evil and the innocent, the hacker is stepping outside of the body politic. Indeed, in a sense, the hacker collective might be a "rogue state" or the individual hacker a "terrorist." You appeal to us with the words of revolution but you're no revolutionary - you're just another computer security entrepreneur teaching shellcoding technique at conferences to market your company's products. Real anarchists do not hide in broad daylight - G. K. Chesterton was writing parody, not truth. If you were truly a cultural revolutionary trying to help defend us all against tyranny you'd be an IT specialist for one of the 2 political parties, working quietly from the inside. No shellcode necessary.
Hacking is done under extreme pressure and personal risk, each hacker a submarine captain in a leaky boat with a cool head and a steady hand.
So is brewing crystal meth or shooting kiddie porn. No matter how much you want to romanticize a thing, if there are innocent people being placed at greater risk through your actions or inactions, you bear some moral responsibility for your actions. There's where I have a problem with all this. By romanticizing hacking, you make it more attractive. You make it easier for someone to think "well, it's OK." Whenever some hacker gets busted and defends their actions based on "I didn't mean to harm anyone" and THAT is what the media reports, it desensitizes the potential hacker against the consequences his actions might have on a victim. Desensitization goes further, when you hear security practitioners blaming the victim: "well, he got 0wned because he was too lame to update his firewall." Never mind that the victim was a 72-year-old lady in a retirement home, and it was some kind of miracle to her that Email works at all - now you expect her to install a firewall? The computer security industry has a number of reprehensible practices which I believe will eventually be abandoned. If they are not, we security practitioners will eventually be regarded with the level of professional respect accorded to tort lawyers and used car salesmen. Inevitably, we will have to distance ourselves from the source of the problem; eventually our customers will realize that the vulnerability which was used to compromise their system came from an employee of a consulting firm. The industry has been trying to react to this problem linguistically, by "sanitizing" the term "hacker" and claiming "'Hacker' is GOOD. 'Cracker' is bad" - whatever. That's going to fool the rubes for another couple years. History will judge us all by our deeds, not what we choose to call ourselves.

Thanks for your time,
mjr.