Hacking

[seebs]

seebsNope. The average high-school sophomore isn't gifted with such responsibility.

Fair enough. Well, I would ask, then, that you at least give serious consideration to my claim that any break-in causes real damage.

And now, you may enlighten me a little as to what damages are done. I'm always open to new information. (Though I heavily suspect that you're simply going to throw some vicious remark my way and be done with me.)

That wouldn't be very charitable, now would it?

Okay, let's imagine, for a moment, a commercial system. We can reasonably assume that this system has at least some fairly significant confidential data on it; even something as naive as "the logs for the web server" is probably of some importance, let alone something like credit card numbers or whatever.

Now... The instant anyone breaks in, you have to deal with the real possibility that these confidential files have been leaked. You can say "well, we're assuming they haven't"... but while we, the people in the ivory tower speculating about abstract damages, can make that assumption, the people with the database can't. They have to take the risk into account.

No amount of contact from the "white hat" can reassure them; after all, if you were going to break into a computer and steal stuff, announcing that you didn't steal anything would be a great cover, and might lull people into not warning their customers that their credit cards have been stolen. So... You have to take precautions as though the break-in was hostile.

If nothing else, you have to spend a fair bit of time trying to verify the belief that the break-in was non-hostile. If you are somehow able to "prove" this (which is unlikely), you've still spent a fair amount of time trying to figure out exactly what happened. Even if only one system was obviously affected, you have to check everything else. Every desktop in your organization needs a fresh new virus scan, and you probably need to shut down your whole network while you're doing this, so you can be sure there isn't a virus just bopping around. (This last bit doesn't affect Unix folks, but...)

So, you basically get to spend at least a full day scanning everything. Good rootkits will replace common system utilities, and very good ones will also replace the programs which people use to run checksums on system utilities. That means a lot of work to verify the tools you'd use to verify that nothing is broken. And, of course, you still run the risk that something you don't know about was broken; that means you get to run port scans on your whole network.

That's assuming that absolutely nothing got touched. This is the response to a single break-in, with no observable changes other than whatever logs reveal that there was a break-in. At typical sysadmin wages, you're talking a couple thousand dollars for a smallish (say, 30-50 person) organization. If you don't have your own sysadmin, and you have to hire consultants, double everything in sight.

In some cases, your best bet is clean new installs and restoring from the last backups that you're pretty sure are before the breach, and re-applying any patches; all of this has to be done from inside a firewall, and you have to make sure any questionable machines are shut down or incommunicado while it happens.

If you have confidential data, you may well have to spend twenty thousand dollars or more notifying customers of the potential breach. That's to say nothing of the long-term loss of business as word gets out.

This, by the way, all has nothing to do with the question of whether or not such activities are "hacking" or the people who perform them are "hackers". Breaking and entering is script kiddie stuff; it's got nothing to do with what normally gets people recognition as "hackers". You want a reputation as a hacker? Win the IOCCC or something.

(Yes, there's a bit of bitterness here; I've never won the IOCCC.)

 

[Niz]

i personaly think that hacking isn't a sin until you make it one. I'm a hacker and i rip programs all the time. I'm also a extreme christian and a poor one at that ( money poor.. not my christianity =] ). I love web design and i'm gonna persue it as a carreer later in life but i cannot afford thousand dollar programs. I canm't even afford my internet and phone bill, let alone 1,000.00 for photoshop. But if you hack into other people's computer to cause pain/suffer, then ya that's wrong. I dunno it's just my opinon =]

 

[seebs]

Er... Are you quite sure you're a "hacker" in the sense that people are talking about? Stealing programs doesn't sound particularly like hacking. Do you program in any languages? Do you do anything else interesting?

If you really want to learn web design, and you can't afford expensive software, maybe you should use free software. You can learn your way around just as well, perhaps better, and it's not even similar to stealing.

Most of the people I've met that I would describe as extreme Christians would rather make do without than steal, except possibly for life-or-death issues.

Keep in mind that mere fanaticism about beliefs doesn't mean much if it doesn't affect the way you live the rest of your life.

Go pick up Linux and some free software packages. Learn HTML, rather than some expensive authoring suite, and you'll be a much better web designer.

 

[d0c markus]

i personaly think that hacking isn't a sin until you make it one. I'm a hacker and i rip programs all the time. I'm also a extreme christian and a poor one at that ( money poor.. not my christianity =] ). I love web design and i'm gonna persue it as a carreer later in life but i cannot afford thousand dollar programs. I canm't even afford my internet and phone bill, let alone 1,000.00 for photoshop. But if you hack into other people's computer to cause pain/suffer, then ya that's wrong. I dunno it's just my opinon =]

rationalized theft.

That wouldn't be very charitable, now would it?

Okay, let's imagine, for a moment, a commercial system. We can reasonably assume that this system has at least some fairly significant confidential data on it; even something as naive as "the logs for the web server" is probably of some importance, let alone something like credit card numbers or whatever.

Now... The instant anyone breaks in, you have to deal with the real possibility that these confidential files have been leaked. You can say "well, we're assuming they haven't"... but while we, the people in the ivory tower speculating about abstract damages, can make that assumption, the people with the database can't. They have to take the risk into account.

No amount of contact from the "white hat" can reassure them; after all, if you were going to break into a computer and steal stuff, announcing that you didn't steal anything would be a great cover, and might lull people into not warning their customers that their credit cards have been stolen. So... You have to take precautions as though the break-in was hostile.

If nothing else, you have to spend a fair bit of time trying to verify the belief that the break-in was non-hostile. If you are somehow able to "prove" this (which is unlikely), you've still spent a fair amount of time trying to figure out exactly what happened. Even if only one system was obviously affected, you have to check everything else. Every desktop in your organization needs a fresh new virus scan, and you probably need to shut down your whole network while you're doing this, so you can be sure there isn't a virus just bopping around. (This last bit doesn't affect Unix folks, but...)

So, you basically get to spend at least a full day scanning everything. Good rootkits will replace common system utilities, and very good ones will also replace the programs which people use to run checksums on system utilities. That means a lot of work to verify the tools you'd use to verify that nothing is broken. And, of course, you still run the risk that something you don't know about was broken; that means you get to run port scans on your whole network.

That's assuming that absolutely nothing got touched. This is the response to a single break-in, with no observable changes other than whatever logs reveal that there was a break-in. At typical sysadmin wages, you're talking a couple thousand dollars for a smallish (say, 30-50 person) organization. If you don't have your own sysadmin, and you have to hire consultants, double everything in sight.

In some cases, your best bet is clean new installs and restoring from the last backups that you're pretty sure are before the breach, and re-applying any patches; all of this has to be done from inside a firewall, and you have to make sure any questionable machines are shut down or incommunicado while it happens.

If you have confidential data, you may well have to spend twenty thousand dollars or more notifying customers of the potential breach. That's to say nothing of the long-term loss of business as word gets out.

This, by the way, all has nothing to do with the question of whether or not such activities are "hacking" or the people who perform them are "hackers". Breaking and entering is script kiddie stuff; it's got nothing to do with what normally gets people recognition as "hackers". You want a reputation as a hacker? Win the IOCCC or something.

(Yes, there's a bit of bitterness here; I've never won the IOCCC.)

wow... never knew all the details on that. So just breaking into a system no matter the intent is harmful to the buisness, on finances and possibly future sales?

Whats the IOCCC sounds interesting.

 

[seebs]

wow... never knew all the details on that. So just breaking into a system no matter the intent is harmful to the buisness, on finances and possibly future sales?

Pretty much.

There may be cases in which it could be justified. For instance, I have a bit of sympathy for programs which spot "zombie" Windows machines (ones where a virus or trojan is making it easy to remotely control the machine), and use the backdoor created to forcibly apply relevant patches and remove the virus. But...

Whats the IOCCC sounds interesting.

http://www.ioccc.org/

The International Obfuscated C Code Contest.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/time.h>
#include <signal.h>
#define m(b)a=b;z=*a;while(*++a){y=*a;*a=z;z=y;}
#define h(u)G=u<<3;printf("\e[%uq",l[u])
#define c(n,s)case n:s;continue
char x[]="((((((((((((((((((((((",w[]=
"\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b";char r[]={92,124,47},l[]={2,3,1
,0};char*T[]={"  |","  |","%\\|/%"," %%%",""};char d=1,p=40,o=40,k=0,*a,y,z,g=
-1,G,X,**P=&T[4],f=0;unsigned int s=0;void u(int i){int n;printf(
"\233;%uH\233L%c\233;%uH%c\233;%uH%s\23322;%uH@\23323;%uH \n",*x-*w,r[d],*x+*w
,r[d],X,*P,p+=k,o);if(abs(p-x[21])>=w[21])exit(0);if(g!=G){struct itimerval t=
{0,0,0,0};g+=((g<G)<<1)-1;t.it_interval.tv_usec=t.it_value.tv_usec=72000/((g>>
3)+1);setitimer(0,&t,0);f&&printf("\e[10;%u]",g+24);}f&&putchar(7);s+=(9-w[21]
)*((g>>3)+1);o=p;m(x);m(w);(n=rand())&255||--*w||++*w;if(!(**P&&P++||n&7936)){
while(abs((X=rand()%76)-*x+2)-*w<6);++X;P=T;}(n=rand()&31)<3&&(d=n);!d&&--*x<=
*w&&(++*x,++d)||d==2&&++*x+*w>79&&(--*x,--d);signal(i,u);}void e(){signal(14,
SIG_IGN);printf("\e[0q\ecScore: %u\n",s);system("stty echo -cbreak");}int main
(int C,char**V){atexit(e);(C<2||*V[1]!=113)&&(f=(C=*(int*)getenv("TERM"))==(
int)0x756E696C||C==(int)0x6C696E75);srand(getpid());system("stty -echo cbreak"
);h(0);u(14);for(;;)switch(getchar()){case 113:return 0;case 91:case 98:c(44,k
=-1);case 32:case 110:c(46,k=0);case 93:case 109:c(47,k=1);c(49,h(0));c(50,h(1
));c(51,h(2));c(52,h(3));}}

I've never won, and now I probably never will, because I'm one of the judges. Ahh, well.

(That's a complete video game, BTW.)

 

[d0c markus]

does what seebs saidchange any of your views on busting into a computer?

what kinda game?

 

[seebs]

Compile it and find out! (Needs unix-like system for the stty stuff).

 

[d0c markus]

i dont have unix

 

[TheOriginalWhitehorse]

Semantics aside, since we all know what you meant, Jesus said, Do unto others as you'd have done to you. If you're invading someone else's computer, you'd be doing something you have absolutely no right to do. And, there's always the possibility of one day crossing the wrong person, and getting caught.

 

[seebs]

i dont have unix

Get some. If you're on Windows, cygwin is probably good enough to let that work, although I'm not quite sure.

 

[Entropy]

If anyone is interested in using / learning Unix, Knoppix is a good bootable CD distribution of Linux (very much like Unix). Don't even need to install it, it just runs from a CD.

To give an example of what Seebs was talking about ... at my former workplace where I was a sys. admin, there were times when many hours of time were spent tracking down one particular cracker who did nothing more than flaunt the fact that he had root on some of our systems. He became top priority due to the damage he could have caused, which delayed other projects. Complaints were made over the other project delays, some classes couldn't do the work they wanted to that week (this was a university environment), and tensions ran high.

This is not a situation a Christian (or anyone else) should be putting others in.

 

[TheOriginalWhitehorse]

Entropy, can you recommend some good resources for anti-cracker problem-solving?

 

[seebs]

You might like the New Hacker's Dictionary, aka the Jargon File, as a starting point.

 

[Entropy]

Whitehorse ... besides the Jargon File, the Encyclopedia of Internet Security (TECS) is good. Google the words for a link. Google's computers > security group has links to many sites, and is organized well. If you are interested in newgroups, the comp.security groups are good. Google (again) is a decent place to read newgroups, if you don't have another newreader. The RSA faq is a good intro to cryptography.

That's internet stuff, bookwise, the security books O'Reilly publishes are much better than average. Kevin Mitnick's The Art of Deception is an interesting read on the human aspect of security.

That should get you started. Enjoy.

 

[P3nguin1]

Getting back on topic:

The issue is quite simple.

Compromising someones security system is a crime in this country regardless of the "damage" done. It is a crime, period.

The Bible makes it clear that we are to obey the laws of the land:

Let every soul be subject to the governing authorities. For there is no authority except from God, and the authorities that exist are appointed by God. Therefore whoever resists the authority resists the ordinance of God, and those who resist will bring judgment on themselves. Romans 13:1-3

It does not say "unless you strongly disagree with the law" nor does it say "unless you can logically prove it should not be a law".

The only exception to this rule comes from Acts:

27Having brought the apostles, they made them appear before the Sanhedrin to be questioned by the high priest. 28"We gave you strict orders not to teach in this name," he said. "Yet you have filled Jerusalem with your teaching and are determined to make us guilty of this man's blood."
29Peter and the other apostles replied: "We must obey God rather than men! Acts 5:27-29


Clearly the Bible tells us we are to obey the laws of the land unless the law is in direct opposition to Gods Word.

For example:

Prostitution is legal in parts of the country. It is a sin and therefore we are not to use the law to justify the act.

"Hacking" is a violation of the law. Unless you can demonstrate how these laws are in conflict with God's Word, it is a sin. Plain and simple.

 

[seebs]

Well, except that it's not hacking, but cracking, which is illegal.

I question your hermeneutics. It seems to me that the passage in Romans has a narrower intended scope and relevance than you give it; it was sent to people who were considering trying to entirely overthrow a government.

On the other hand, it seems clear to me that damage done is a problem whether or not there's a law against it.

 

[oddchild]

I am in a country that doesnt have laws against hacking... There are two type of hackers.. ethical, and nonethical... most hackers are ethical, they hack with a cause, IE taking out kiddie sites, or all adult sites. This in my opinion is OK. There is a time to turn the other cheek, but there is also a time when you should stand you ground and stand up for what you belive in. A pure internet is possible...

The place I volunteer has been hacked. The people who used to run it were killed. The sites that were linking to the site were also hacked.

 

[seebs]

I would have to disagree. Cracking sites is not ethical, even if you think you're the good guys.

Consider: The people who took down your site were also trying to get rid of something they disapproved of.

Also, people who break into systems are not, in general, hackers. Giving them an honorific term reserved for something they're not is harmful.

 

[TrustNo1]

i hack and i have cracked. ive stopped now because its boring. hacking is expanding your knowledge beyond the companies defined user operations of a system or program. cracking is damaging someone elses work to benefit yourself. thats what i was told by some dude

 

[TrustNo1]

companies hire crackers to gain access to their servers to find security flaws so in some ways cracking is good.