The art of war

Jon-K Adams in his treatise entitled Hacker Ideology (aka Hacking Freedom) states that hackers have been called both techno-revolutionaries and heroes of the computer revolution. Hacking ” has become a cultural icon about decentralized power.” But for all that, hackers are reluctant rebels. They prefer to fight with code than with words. And they would rather appear on the net than at a news conference. Status in the hacker world cannot be granted by the general public: it takes a hacker to know and appreciate a hacker. That’s part of the hacker’s revolutionary reluctance; the other part is the news media’s slant toward sensationalism, such as, ” A cyberspace dragnet snared fugitive hacker.” The public tends to think of hacking as synonymous with computer crime, with breaking into computers and stealing and destroying valuable data. As a result of this tabloid mentality, the hacker attempts to fade into the digital world, where he-and it is almost always he-has a place if not a!

In his self-conception, the hacker is not a criminal, but rather a ” person who enjoys exploring the details of programmable systems and how to stretch their capabilities.” Which means that he is not necessarily a computer geek. The hacker defines himself in terms that extend beyond the computer, as an ” expert or enthusiast of any kind. One might be an astronomy hacker” (Jargon File). So in the broadest sense of his self-conception, the hacker hacks knowledge; he wants to know how things work, and the computer-the prototypical programmable system-simply offers more complexity and possibility, and thus more fascination, than most other things.

I define the computer underground as members of the following six groups. Sometimes I refer to the CU as ” 90s hackers” or ” new hackers,” as opposed to old hackers, who are hackers (old sense of the term) from the 60s who subscribed to the original Hacker Ethic.

§ Hackers (Crackers, system intruders) – These are people who attempt to penetrate security systems on remote computers. This is the new sense of the term, whereas the old sense of the term simply referred to a person who was capable of creating hacks, or elegant, unusual, and unexpected uses of technology. Typical magazines (both print and online) read by hackers include 2600 and Iron Feather Journal.

§ Anarchists – are committed to distributing illegal (or at least morally suspect) information, including but not limited to data on bombmaking, lockpicking, pornography, drug manufacturing, pirate radio, and cable and satellite TV piracy. In this parlance of the computer underground, anarchists are less likely to advocate the overthrow of government than the simple refusal to obey restrictions on distributing information. They tend to read Cult of the Dead Cow (CDC) and Activist Times Incorporated (ATI).

§ Cyberpunk – usually some combination of the above, plus interest in technological self-modification, sciencefiction of the Neuromancer genre, and interest in hardware hacking and ” street tech.” A youth subculture in its own right, with some overlaps with the ” modern primitive” and ” raver” subcultures.

The FBI’s National Infrastructure Protection Center (NIPC) has coordinated investigations over the past several months into organized hacker activities targeting e-commerce sites. More than 40 victims in 20 states have been identified in the ongoing investigations, which have included law enforcement agencies outside the United States and private sector officials.

The investigations have uncovered several organized hacker groups from Russia, the Ukraine, and elsewhere in Eastern Europe that have penetrated U. S. e-commerce and online banking computer systems by exploiting vulnerabilities in the Windows NT operating system, the statement said. Microsoft has released patches for these vulnerabilities, which can be downloaded from Microsoft’s Web site for free.

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore. It’s an unfortunate fact of computer science: when a computer program runs, it will do what it’s programmed to do, even if it’s programmed to be harmful. When you choose to run a program, you are making a decision to turn over control of your computer to it. That’s why it’s important to never run, or even download, a program from an untrusted source – and by ” source”, I mean the person who wrote it, not the person who gave it to you.

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore. In the end, an operating system is just a series of ones and zeroes that, when interpreted by the processor, cause the machine to do certain things. Change the ones and zeroes, and it will do something different. To understand why, consider that operating system files are among the most trusted ones on the computer, and they generally run with system-level privileges.

§ He could unplug the computer, haul it out of your building, and hold it for ransom.

§ He could boot the computer from a floppy disk, and reformat your hard drive. But wait, you say, I’ve configured the BIOS on my computer to prompt for a password when I turn the power on. No problem – if he can open the case and get his hands on the system hardware, he could just replace the BIOS chips. (Actually, there are even easier ways).

If you travel with a laptop, it’s absolutely critical that you protect it. The same features that make laptops great to travel with – small size, light weight, and so forth – also make them easy to steal. There are a variety of locks and alarms available for laptops, and some models let you remove the hard drive and carry it with you. You also can use features like the Encrypting File System in Windows 2000 to mitigate the damage if someone succeeded in stealing the computer. But the only way you can know with 100% certainty that your data is safe and the hardware hasn’t been tampered with is to keep the laptop on your person at all times while traveling.

Law #4: If you allow a bad guy to upload programs to your web site, it’s not your web site any more. This is basically Law #1 in reverse. In that scenario, the bad guy tricks his victim into downloading a harmful program onto his machine and running it. In this one, the bad guy uploads a harmful program to a machine and runs it himself. Although this scenario is a danger anytime you allow strangers to connect to your machine, web sites are involved in the overwhelming majority of these cases. Many people who operate web sites are too hospitable for their own good, and allow visitors to upload programs to the site and run them. As we’ve seen above, unpleasant things can happen if a bad guy’s program can run on your machine.

Law #6: A machine is only as secure as the administrator is trustworthy. Every computer must have an administrator: someone who can install software, configure the operating system, add and manage user accounts, establish security policies, and handle all the other management tasks associated with keeping a computer up and running. By definition, these tasks require that he have control over the machine.

This puts the administrator in a position of unequalled power. An untrustworthy administrator can negate every other security measure you’ve taken. He can change the permissions on the machine, modify the system security policies, install malicious software, add bogus users, or do any of a million other things. He can subvert virtually any protective measure in the operating system, because he controls it. Worst of all, he can cover his tracks. If you have an untrustworthy administrator, you have absolutely no security.

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all. Virus scanners work by comparing the data on your computer against a collection of virus ” signatures”. Each signature is characteristic of a particular virus, and when the scanner finds data in a file, email, or elsewhere that matches the signature, it concludes that it’s found a virus. However, a virus scanner can only scan for the viruses it knows about. It’s vital that you keep your virus scanner’s signature file up to date, as new viruses are created every day.

The problem actually goes a bit deeper than this, though. Typically, a new virus will do the greatest amount of damage during the early stages of its life, precisely because few people will be able to detect it. Once word gets around that a new virus is on the loose and people update their virus signatures, the spread of the virus falls off drastically. The key is to get ahead of the curve, and have updated signature files on your machine before the virus hits.

Does this mean that privacy on the web is a lost cause? Not at all. What it means is that the best way to protect your privacy on the Internet is the same as the way you protect your privacy in normal life – through your behavior. Read the privacy statements on the web sites you visit, and only do business with ones whose practices you agree with. If you’re worried about cookies, disable them. Most importantly, avoid indiscriminate web surfing – recognize that just as most cities have a bad side of town that’s best avoided, the Internet does too. But if it’s complete and total anonymity you want, better start looking for that cave.