________________________________________________________________________________ CNN Interactive Two views of hacking For different perspectives on hacking, CNN Interactive posed a series of questions via e-mail to two experts in the field, one a computer security expert for IBM, the other, editor of 2600, the Hackers' Quarterly. Q&A with Emmanuel Goldstein of 2600: The Hacker's Quarterly (CNN) -- Emmanuel Goldstein is the editor-in-chief of 2600: The Hacker Quarterly and hosts a weekly radio program in New York called "Off the Hook." 1. How do you define hacking? Hacking is, very simply, asking a lot of questions and refusing to stop asking. This is why computers are perfect for inquisitive people -- they don't tell you to shut up when you keep asking questions or inputting commands over and over and over. But hacking doesn't have to confine itself to computers. Anyone with an inquisitive mind, a sense of adventure and strong beliefs in free speech and the right to know most definitely has a bit of the hacker spirit in them. 2. Are there legal or appropriate forms of hacking? One of the common misconceptions is that anyone considered a hacker is doing something illegal. It's a sad commentary on the state of our society when someone who is basically seeking knowledge and the truth is assumed to be up to something nefarious. Nothing could be further from the truth. Hackers, in their idealistic naiveté, reveal the facts that they discover, without regard for money, corporate secrets or government coverups. We have nothing to hide, which is why we're always relatively open with the things we do -- whether it's having meetings in a public place or running a system for everyone to participate in regardless of background. The fact that we don't "play the game" of secrets also makes hackers a tremendous threat in the eyes of many who want to keep things away from the public. Secrets are all well and good, but if the only thing keeping them a secret is the fact that you say it's a secret, then it's not really a very good secret. We suggest using strong encryption for those really interested in keeping things out of the hands of outsiders. It's interesting also that hackers are the ones who are always pushing strong encryption -- if we were truly interested in getting into everyone's personal affairs, it's unlikely we'd try and show them how to stay secure. There are, however, entities who are trying to weaken encryption. People should look toward them with concern, as they are the true threat to privacy. 3. What in your mind is the purpose of hacking? To seek knowledge, discover something new, be the first one to find a particular weakness in a computer system or the first to be able to get a certain result from a program. As mentioned above, this doesn't have to confine itself to the world of computers. Anyone who's an adventurer or explorer of some sort, or any good investigative journalist, knows the feeling of wanting to do something nobody has ever done before or find the answer despite being told that you can't. One thing that all of the people involved in these endeavors seem to share is the feeling from outsiders that they're wasting their time. 4. Are you a hacker? Why? Or why not? Absolutely. It's not something you can just erase from your personality, nor should you want to. Once you lose the desire to mess around with things, tweak programs and systems, or just pursue an answer doggedly until you get a result, you've lost a very important part of yourself. It's quite possible that many "reformed" hackers will lose that special ingredient as they become more and more a part of some other entity that demands their very souls. But for those who can resist this, or figure out a way to incorporate "legitimacy" into their hacker personalities without compromising them, there are some very interesting and fun times ahead. 5. What kind of hacking do you do? My main interest has always been phones and rarely does a day pass when I don't experiment in some way with a phone system, voice mail system, pay phone, or my own telephone. I've always been fascinated by the fact that we're only a few buttons away from virtually anyone on the planet and I hope that I never lose that sense of marvel. One of the most amazing things I ever got involved in was routing phone calls within the network itself -- known as blue-boxing. You can't do that as easily any more, but it was a real fun way to learn how everything was connected -- operators, services, countries, you name it. And in the not-too-distant past, there were so many different sounds phones made depending on where you were calling. Now they tend to be standardized rings, busies, etc. But the magic hasn't disappeared, it's just moved on to new things ... satellite technology, new phone networks and voice recognition technologies. Many times these new technologies are designed by the very people who were hacking the old technologies. The result is usually more security and systems that know what people will find useful. While I've spent a great deal of time playing with phones, I get the same sense of fun from computer systems and have invested lots of time exploring the Internet. It would fill a book to outline all of the hacker potential that exists out there. And, of course, there's radio hacking, which predates a lot of the current technology. It's gotten to the point where simply listening to a certain frequency has become a challenge. It's hard to believe that it's actually turned into a crime to listen to some of these non-scrambled radio waves. But this is the price we pay when people with no understanding of technology are the ones in charge of regulating it. 6. How much time do you spend at it a week? That's like asking how much time you spend breathing. It's always with you, you do more of it at certain times, but it's always something that's going on in your head. Even when I sleep, I dream from a hacker perspective. 7. Do you have a certain kind of site or "target" sites that most attract you? We don't sit around with a big map and a list of targets. In fact, we don't even sit around together. Most hacking is done by individuals who simply find things by messing around and making discoveries. We share that info and others add input. Then someone tells the press and the government that we're plotting to move satellites and all hell breaks loose. I think most of us tend to be drawn to the sites and systems that are said to be impossible to access. This is a normal human reaction to being challenged. The very fact that we continue to do this after so many of us have suffered so greatly indicates that this is a very strong driving force. When this finally becomes recognized as a positive thing, perhaps we'll really be able to learn from each other. 8. What, in general, do you think attracts people to hacking? People have always been attracted to adventure and exploration. Never before have you been able to get this without leaving your house and without regard to your skin color, religion, sex, or even the sound of your voice. On the Internet, everyone is an equal until they prove themselves to be a moron. And even then, you can always start over. It's the ability to go anywhere, talk to anyone, and not reveal your personal information unless you choose to -- or don't know enough not to -- that most attracts people to the hacker culture, which is slowly becoming the Internet culture. We find that many "mainstream" people share the values of hackers -- the value of free speech, the power of the individual against the state or the corporation, and the overall sense of fun that we embrace. Look in any movie where an individual is fighting a huge entity, and who does the audience without exception identify with? Even if the character breaks the rules, most people want him/her to succeed because the individual is what it's all about. 9. Do you know enough hackers personally to know what personality traits they share, if any? Hackers come from all different backgrounds and have all kinds of lifestyles. They aren't the geeks you see on television or the cyberterrorists you see in Janet Reno news conferences. They range in age from under 10 to over 70. They exist in all parts of the world, and one of the most amazing and inspiring things is to see what happens when they come together. It's all about technology, the thrill of discovery, and sharing information. That supersedes any personality issues that might be an issue in other circumstances. 10. Do you think hackers are productive and serve a useful purpose? I think hackers are necessary, and the future of technology and society itself (freedom, privacy, etc.) hinges on how we address the issues today that hackers are very much a part of. This can be the dawning of a great era. It can also be the beginning of true hell. 11. What percentage would you say are destructive as opposed to those in it out of intellectual curiosity or to test their skills? This raises several points that I feel strongly about. For one thing, hacking is the only field where the media believes anyone who says they're a hacker. Would you believe someone who said they were a cop? Or a doctor? Or an airline pilot? Odds are they'd have to prove their ability at some point or say something that obviously makes some degree of sense. But you can walk up to any reporter and say you're a hacker and they will write a story about you telling the world that you're exactly what you say you are without any real proof. So every time a movie like "Hackers" comes out, 10 million people from AOL send us e-mail saying they want to be hackers, too, and suddenly, every 12-year-old with this sentiment instantly becomes a hacker in the eyes of the media and hence, the rest of society. You don't become a hacker by snapping your fingers. It's not about getting easy answers or making free phone calls or logging into someone else's computer. Hackers "feel" what they do, and it excites them. I find that if the people around you think you're wasting your time but you genuinely like what you're doing, you're driven by it, and you're relentless in your pursuit, you have a good part of a hacker in you. But if you're mobbed by people who are looking for free phone calls, software or exploits, you're just an opportunist, possibly even a criminal. We already have words for these people and it adequately defines what they do. While it's certainly possible to use hacking ability to commit a crime, once you do this you cease being a hacker and commence being a criminal. It's really not a hard distinction to make. Now, we have a small but vocal group who insist on calling anyone they deem unacceptable in the hacker world a "cracker." This is an attempt to solve the problem of the misuse of the word "hacker" by simply misusing a new word. It's a very misguided, though well-intentioned, effort. The main problem is that when you make up such a word, no further definition is required. When you label someone with a word that says they're evil, you never really find out what the evil was to begin with. Murderer, that's easy. Burglar, embezzler, rapist, kidnapper, all pretty clear. Now along comes cracker and you don't even know what the crime was. It could be crashing every computer system in Botswana. Or it could be copying a single file. We need to avoid the labeling and start looking at what we're actually talking about. But at the same time, we have to remember that you don't become a hacker simply because you say you are. 12. Do people stay in hacking a long time, or is it the kind of thing that people do for a few years and then move on to something else? It can be either. I tend to believe that it's more of a philosophy, a way of looking at something. When you have the hacker perspective, you see potential where others don't. Also, hackers think of things like phones, computers, pagers, etc., as toys and things to be enjoyed whereas others see work and responsibility and actually come to dread these things. That's why hackers like to hold onto their world and not become part of the mainstream. But it certainly can and does happen. 13. What is the future of hacking? As long as the human spirit is alive, there will always be hackers. We may have a hell of a fight on our hands if we continue to be imprisoned and victimized for exploring, but that will do anything but stop us. 14. Given increased attention to corporate and government security, is it getting tougher to hack or not? Hacking isn't really about success -- it's more the process of discovery. Even if real security is implemented, there will always be new systems, new developments, new vulnerabilities. Hackers are always going to be necessary to the process and we're not easily bored. 15. Is the possibility of being identified and even prosecuted an issue for most hackers? Hackers make very bad criminals. This is why we always wind up being prosecuted. We don't hide very well or keep our mouths sealed shut to protect corporate or government interests. But the same security holes would exist even if we weren't around, so I think the hackers should be properly seen as messengers. That doesn't mean that you should expect them to just hand over all of their knowledge -- it's important to listen and interpret on your own, as any hacker would. 16. Are there hackers who are up for hire? What are they paid? Who hires them, and for what? Just as you can use hacker ability to attain a life of crime, you can use that ability to become a corporate success. Some are able to hold onto their hacker ideals. Others, sadly, lose them. It's especially hard when young people who haven't worked it all out yet are approached and tempted with huge amounts of money by these entities. It can be very hard to resist and the cost is often greater than anticipated. 17. Have you had any contact with people you consider cyberterrorists? Do you endorse what they do? In all of the time I've been in the scene, which is a pretty long time, I've never come across anyone I consider to be a "cyberterrorist," whatever that is. Most people who talk of such creatures either have something to sell or some bill to pass. This is not to say that such a concept is impossible. But I believe the current discussions aren't based in reality and have very suspicious ulterior motives. 18. What about the people who hack into Pentagon sites? Do you think they should be punished? According to the Pentagon, there is no risk of anything classified being compromised because it's not on the Internet. If they were wrong, I would like to see someone prove that. If a non-classified site is hacked, I don't see the harm unless something is damaged in some way. Remember, the security hole was already there. If a hacker finds it, it's far more likely the people running the system will learn of the hole. If a criminal or someone with an ulterior motive (espionage, etc.) finds the hole first, it's likely to remain secret for much longer and the harm will be far greater. While you may resent the fact that some 14-year-old from Topeka proved your security sucks, think of what could have happened had you not learned of this and had someone else done it instead. I'm the first to say that people who cause damage should be punished, but I really don't think prison should be considered for something like this unless the offender is a true risk to society. The great majority of these cases do not involve damage or vandalism, a fact that largely goes unreported. What people have to remember is that most of the time, this is simply an example of kids being kids and playing games like they have always done. Obviously, the tools have changed, but that's really not something the kids are responsible for. If some kid somewhere can access your medical records or your phone records, he or she is not the one who put them there. The true violator of your privacy is the person who made the decision to make them easily accessible. 19. Your real name is Eric Corley. Why do you use the name Emmanuel Goldstein? I believe everyone should be given the opportunity to name themselves. That name should reflect something about who you are and what you believe in and stand for. Emmanuel Goldstein is that for me, and for those who want to learn why, get a copy of George Orwell's "1984" and see for yourself. Interestingly, our first issue of 2600 was published in January 1984. A complete coincidence. Q&A with IBM's Charles Palmer (CNN) -- Dr. Charles C. Palmer is the manager of Network Security and Cryptography and head of the Global Security Analysis Lab, which includes IBM's ethical hacking unit. 1. How do you define hacking? Hacking is unauthorized use of computer and network resources. (The term "hacker" originally meant a very gifted programmer. In recent years though, with easier access to multiple systems, it now has negative implications.) 2. Are there appropriate forms of hacking? Hacking is a felony in the United States and most other countries. When it is done by request and under a contract between an ethical hacker and an organization, it's OK. The key difference is that the ethical hacker has authorization to probe the target. 3. What do you and the other members of your team do? (We) work with IBM Consulting and its customers to design and execute thorough evaluations of their computer and network security. Depending on the evaluation they request (ranging from Web server probes to all-out attacks), we gather as much information as we can about the target from publicly available sources. As we learn more about the target, its subsidiaries and network connectivity, we begin to probe for weaknesses. Examples of weaknesses include poor configuration of Web servers, old or unpatched software, disabled security controls, and poorly chosen or default passwords. As we find and exploit vulnerabilities, we document if and how we gained access, as well as if anyone at the organization noticed. (In nearly all the cases, the Information Syhstems department is not informed of these planned attacks.) Then we work with the customer to address the issues we've discovered. 4. What is the background of the people on your team? We have Ph.D.s in physics, computer scientists, and even one former photographer with a fine arts degree. They are all well-known, highly respected system security professionals from around the world. Most of them did not start their careers in this area, but ended up doing computer and network security because they were provoked by hackers at one time. Once they started on the road to improving security, they got hooked on the challenges it presents. 5. In "Helpful Hacking" from IBM Research magazine in 1997, you are quoted as saying you don't hire reformed hackers and "there's no such thing." Could you explain? The number of really gifted hackers in the world is very small, but there are lots of wannabes.... When we do an ethical hack, we could be holding the keys to that company once we gain access. It's too great a risk for our customers to be put in a compromising position. With access to so many systems and so much information, the temptation for a former hacker could be too great -- like a kid in an unattended candy store. 6. Is it fair to say that you are opposed to hacking? As I said before, hacking is a felony -- for good reason. Some of the "joyriders" -- hackers who access systems just for the challenge -- think it's harmless since they usually don't "do" anything besides go in and look around. But if a stranger came into your house, looked through everything, touched several items, and left (after building a small, out of the way door to be sure he could easily enter again), would you consider that harmless? These joyriders could be causing damage inadvertently since just by their presence they are using system resources. 7. Do you think hacking can be useful? Hacking can be useful in a controlled environment where there are ground rules and contractual agreements. 8. Do you have a profile of the typical hacker? The profile has broadened in the last couple of years to include many types of people, which makes it very difficult to call out a "typical" hacker. The motivations behind hacking have changed (see Answer No. 11 below). No longer are hackers limited to the teen-age, soda-slurping misfits, although they're probably the majority. There are girls and even younger kids. Many companies think all hackers come from outside, but surveys continue to show that the threat from inside an organization is greater than from outside. So if your system is compromised, it could be a Gen-Xer sitting in a dark apartment, or the woman in the cubicle next to you. 9. There have been reported instances where corporate security personnel have tracked hacking back to the source, broken in and stolen computers, or even used force. Do you endorse "vigilantism" as a response to hacking? I've heard those stories, too, and I don't believe most of them. It makes zero sense to respond to an illegal attack with another illegal attack. First of all, it can be very difficult to accurately determine where an attack comes from. Whether they end up retaliating against the right or wrong person, they've committed a felony and are just as guilty as the original perpetrator. It's no different than other forms of vigilante justice. 10. What about attacking Web sites that list hacking scripts? Again, any attack is a felony. It's a First Amendment rights issue as well. Where do you draw the line? Attacking adult sites? Attacking spammers? It makes more sense for corporations, schools and other organizations to try to block access to those sites. 11. Can you characterize the nature of most hacking attacks? A few years ago, the original motivations were pursuit of knowledge and the desire to "show off" one's skills. Now, there are new lures of money and power. However, the statistics can be misleading, so many of these incidents go unreported due to lack of detection or fear of further losses due to tarnished image and credibility. I believe that the majority of hacks are still motivated by curiosity and a desire to point out system weaknesses. However, as organizations have been finding, most of today's threats come from within the organization. According to a recent META Group study, current figures indicate that recent breaches of security within Information Technology organizations occur internally 58 percent of the time. The threat from the outside is rising at a steady rate, though. 12. Is there a trend in these attacks? Denial-of-service attacks and macro-viruses are the most popular hacker activities. The denial-of-service attacks are fairly easy for hackers of all skill levels -- from "script-kids" to professionals -- to launch. This is a situation where a company's Web site or online service is simply made unavailable by a hacker overtaxing the system resources. It doesn't sound that harmful, but there can be serious monetary and image losses attached to this. If you want to buy a book and you go to a popular book-selling Web site and find that site unavailable, chances are you'll try the next most popular book Web site. There's simply too much competition on the Internet right now to overlook security needs. These denial-of-service attacks are particularly troubling because they are hard to defend against. There are defenses available with firewall products from IBM and other companies, but there can be denial-of-service attacks from inside as well, which lends credence to the argument for Intranet firewalls. 13. Where does the real threat of hacking lie: in the private sector, in government or somewhere else? The widely reported attacks against government sites are troubling, but it's a good bet that the government would not have any sensitive information on a machine connected to the Internet. An unfortunate side effect of these reports is that people end up thinking that securing systems and networks is hard. It's not hard, but it does take time and training, and it's an ongoing process to stay one step ahead of the bad guys. Corporate espionage is also a threat, but not in the glamorous way portrayed in the movies. There, the threat is from the inside. There have been many reports of employees purposely sending proprietary information outside the company to other companies, perhaps just before they themselves move to that company. The greater connectivity that employees have today also leads them to inadvertent leaks via e-mail. 14. To what extent is cyberterrorism a genuine concern? There is little motivation for industrial control systems like those running nuclear plants or airports to be on the open Web. They may have dial-up access or private networks within the organization that would be susceptible to attack from the inside. IBM has found that it can be quicker and cheaper to attack a target physically, rather than digitally -- we've nonchalantly walked into businesses, snooped around, and walked out with confidential material (once with the security guard holding the door for us!). And there are many examples of unfortunate accidents that resulted in very effective "attacks." The most common example is the "backhoe attack," where an errant heavy-equipment operator accidentally cut a communications cable. ... I don't think we are "at war," because in this problem the enemy includes ourselves. We view it more as a race -- we're all trying to stay a few steps ahead of the threats ... through improved education and technology. ... The good news is that people are thinking about these issues, and some groups appear to be taking action. 15. What about responses such as the recent Pentagon counteroffensive that redirected hackers' attack to an applet that caused their browsers to crash? Is that an appropriate response to hackers? Anytime you acknowledge the hacker, you run the risk of heightening his or her interest. If you change the game from solitaire to a real poker game with human opponents, it becomes more interesting to most hackers. Such retaliation is also short-lived, since countermeasures will quickly be developed and publicized around the Web. In my opinion, this is not an effective usage of limited security personnel. 16. Are anti-hacking measures improving? The most important improvement is in the area of awareness. ... Advances in firewall technology (making them easier to install and configure), improvements in vulnerability scanning and better explanations of how to repair them, and better intrusion-detection with fewer false-positives are all key technologies in this race. 17. If attacks can only take place on computers that are online, to what extent could hacking be mitigated by keeping sensitive materials, data, etc., offline? One of my colleagues at IBM likes to say, "only trust physics." My version is that the only 100 percent, truly secure system is one that is powered-off and filled with concrete. The military has long understood the security of an "air gap" (where a secure machine has no connection whatsoever to an unsecured machine), and we recommend to our customers that they consider such an arrangement for their most secure systems. This comes down to risk-analysis -- that is, weighing the cost in convenience and availability against the threat of having a system online. If it's important to ... your business to have data available online inside the company, then protecting it with an internal firewall makes sense. ... If you have a Web server you want your customers to access, you can't hide it behind your corporate firewall because they won't be able to get to it. There are network designs that will enable you to position the Web server on the "outside," while securely maintaining a connection between it and, perhaps, a server behind the firewall. 18. What is the long-term outlook for hacking? As long as there are unsecured computers with interesting stuff on them, there will be hackers. Law enforcement agencies have stepped up their facilities and training programs to meet the demand for computer and network security. Moving toward technologies that use strong encryption will greatly improve the overall security of systems. Virtual Private Networks are a fantastic tool for companies and governments to protect their systems and networks while taking advantage of the low-cost, high-availability offered by the Internet. Internet standards bodies are also moving toward designing security into new standards. Most kids today know much more about computers than their parents do, and some start "messing around" at earlier ages than in the past. The best thing we can do is to show them how interesting it can be to work at protecting systems and networks. 19. What about the outlook for computer security? While better security technologies are appearing all the time, education and awareness will continue to be the limiting factor. System administrators must learn about and maintain their systems securely. Users have to understand their security responsibilities (like choosing good passwords, not installing unauthorized modems, etc.). ... Innovations like biometrics and smart cards will go a long way toward making security easier for the end user as well as for the system administrators. http://cnn.com/TECH/specials/hackers/qandas/ ________________________________________________________________________________ no copyright 1999 rolux.org - no commercial use without permission. is a moderated mailing list for the advancement of minor criticism. more information: mail to: majordomo@rolux.org, subject line: , message body: info. further questions: mail to: rolux-owner@rolux.org. archive: http://www.rolux.org