Security The Media IT

Forbes Offers a Sympathetic Portrayal of Hackers

selain03 sends us to Forbes for a surprisingly tolerant article on the recent Defcon. The reporter spoke to several of the event organizers and faithfully conveyed their characterization of the community as motivated by curiosity about technology. The article quotes a Department of Defense cybercrime guy: "Run-of-the-mill individual hackers are just noise as we try to focus on the real problem. We have to investigate every threat, but we're often dealing with ankle biters." A refreshing perspective to read in the mainstream media.
This discussion has been archived. No new comments can be posted.

  • Re:"ankle biters"? (Score:2, Interesting)

    by Anonymous Coward on Wednesday August 08, 2007 @12:43AM (#20152433)
    I work for a billion-dollar privately owned health insurance company, and we recently had an incident where an internal development group connected an internal development machine to the DMZ without adequate password controls, violating several policies (password standards, development system standards, DMZ-house system standards, etc.) to do some file transfer testing for an app they'd written. They even had a name set up in our external DNS! Someone ssh'ed in with a service account with the same password as the username and goofed around until it was finally discovered by chance. If it had been configured properly, the compromise would have never happened. If it had proper security measures in place, we'd have seen the attempt in real-time in our SEM. It was a comedy of errors, and sadly, the guilty parties in the company didn't even receive a slap on the wrist.
  • by Almahtar ( 991773 ) on Wednesday August 08, 2007 @03:28AM (#20153311) Journal
    I've often heard what you call a 'hacker' called a 'white hat hacker' and what you call a 'cracker' called a 'black hat hacker'.

    When I was just starting learning security stuff circa '95-'97 the term 'cracker' referred (in most stuff I read and by people I talked to at the time) to people who modified binaries on their own system to do things they weren't supposed to (such as a no cd crack or adding new features to a binary - it didn't have to be illegal), while hacking usually referred to gaining unauthorized access to anything, be it local or over network.

    It all depends on what crowd you gained your definitions of hacking and cracking from. I prefer these definitions because they seem to have more precision. You can hack for multiple reasons (good or bad, white or black hat), you can crack for multiple reasons (good or bad, white or black hat).

    A company I worked for had a lot of cracked copies of their software circulating the Internet and I spent some of my time for them reverse engineering and preventing one of their more mysterious and unsolved cracks - I'd call that white hat cracking.
  • Re:"ankle biters"? (Score:5, Interesting)

    by Opportunist ( 166417 ) on Wednesday August 08, 2007 @04:14AM (#20153527)
    You make that sound like it's some cool spy movie. It isn't. It's just plain illegal. Well paid, granted, but illegal. It's neither flashy (you can't even brag about your smooth moves!) nor in any way exciting. Neither is being wanted by some three-letter-agencies. Do you happen to know why they ALL have three letters, no matter what country or nation they belong to?

    The only movie related thing that is real for a black hat is the briefing closing line from Mission Impossible: If anything goes wrong, we don't know you anymore and have never known you even existed.
  • Re:"ankle biters"? (Score:4, Interesting)

    by Opportunist ( 166417 ) on Wednesday August 08, 2007 @04:25AM (#20153581)
    It is a prerequisite, though, for hacks that aren't executable by clickmonkeys. Granted, pretty much every exploit there is today has been "tooled" to perfection, so that even the most clueless brick on earth can use them to do harm.

    I'm honestly not afraid of hackers. I mean, the old school kind. The "real" ones. The ones that actually know that TCP/IP ain't the Chinese secret service and that a buffer overflow isn't something that requires a plumber to fix. In their growth years, they sooner or later stumbled upon the hacker's creed, and whether they heed it or not, the damage they do is usually minimal. Yes, they may steal your data (which is often enough a severe damage), but they don't destroy data intentionally.

    What I'm afraid of is the scriptkid. The person without a clue, but with a tool. He doesn't know what he does, he doesn't know what he aims for, but he just clicks and hopes, trying to destroy and mess with other people's computers. He's the equivalent of the schoolyard bully. No clue, no skill, no perspective, but the need to once at least "prove" that he's "better" than someone else. If you're looking for wanton data destruction, that's the place to look for it.
