blackcat@neuro.usc.edu (01/19/90)
In article <4613@helios.ee.lbl.gov> Jef Poskanzer <jef@well.sf.ca.us> writes:
>In the referenced message, burch@quik07.enet.dec.com (Ben Burch) wrote:
>}I think here we have the beginnings of a war over the definition of the
>}term hacker!
... personal definition of hacker appears here ...
>This is your definition. It is even the original definition. It is *NOT*
>the only definition. Please do not chase off the telecom hackers. You
>clearly have a lot to learn from them.

Whether one likes change or not, the definition of specific words tends to change with common usage over time. There can be little doubt that public opinion subsequent to the release of the movie "War Games" would tend to support the use of the term "hacker" to refer to people who try to obtain unauthorized access to computer systems or communication networks. I fail to see the point of beating this dead horse any further into oblivion.

Now, on to more serious matters. Whatever preconceived notions you hold about people who seek unauthorized access to computer systems, I ask that you suspend judgement for a few moments and consider the following points:

o Not every hacker attempts to gain access to systems with freely published passwords (as in the case of DEC's VAX fiasco wherein the os installation manuals contained the default passwords for the field service and system testing accounts), easily guessed passwords (exploiting the lax security practices of authorized users), spoofing authorized users to give their account/password in response to a bogus login message, rummaging through dp center trash, or by entering lengthy random trial and error sequences. Tiny children often exploit these vulnerabilities.

o Some hackers gain access by discovering little known defects in system software (e.g. side effects of operating system calls); scavenging communication devices or buffers for the plain text account/password combinations; rewriting microcode for public access communication devices; running code under temporarily suspended privileged accounts while charging resources used to currently active nonprivileged accounts; passively monitoring rf emissions from computer terminals, phone lines, microwave towers, and satellite links to secure plain text identification, communication access points, and operating procedures; or by a wide variety of other means requiring some minimal amount of technical expertise. Teenagers exploit such vulnerabilities.

o A very small number of hackers acquire red (crypto secure) data communications, break the codes, and steal national defense and commercial business secrets. College kids, some West Germans, and not a few government sponsored and freelance intelligence agents fall into this category.

o One sorry bugger to date has introduced a virus that managed to utilize a little known defect in DEC and SUN system software ... and the rest of his case is currently on trial & making history. I would note that his effort (the INTERNET virus) meets each of the criteria discussed so far in this group for being a "hack" of the highest level ... one requiring a considerable degree of expertise ... and one (from personal examination of virus code) which was not readily understood by an experienced hacker.

o Personally, I believe the current attempts to write most computer crime/abuse/antihacker statutes are misdirected. They proscribe behaviours that are commonly performed by system managers, site security personnel, vendor maintenance personnel, and many others. These statutes may give the public a false feeling of security and provide prosecutors with an additional tool to selectively harass someone they don't like. But none of these statutes address the fundamental weaknesses in existing data processing systems. The primitive security techniques these statutes attempt to support (plain text challenge and response with account names/passwords) were developed in the 1960s with little thought about persistent attack. Such statutes will accomplish little more than the ECPA (Electronic Communications Privacy Act) which forbids listening to cellular telephone communications. Such calls are broadcast at 30 KHz intervals in the band from 870-890 MHz. A quick scan of this broadcast band will indicate that few if any callers are aware that their voice can be received anywhere within the range of the repeater servicing their call. Simple plain text challenge and response offer little more security for computer systems.

o I believe the law should be changed to match the anti gun statutes ... "USE A COMPUTER IN THE COMMISSION OF A FELONY: GO TO JAIL" ... crimes require criminal intent ... the government should be forced to prove that intent ... if unintended damage is caused, some civil action to recover the cleanup costs may be appropriate ... and, if the government can prove intent, as in the case of a spy with full documentation of a continuing pattern of abuses, then find a tall tree and hang 'em high ... but never sidestep the issue of intent ... it may not be easy to prove ... but our entire criminal legal system is built on a foundation of intent ... throw that away and no citizen (however blameless) will be safe from persecution.

o In any case, I believe the new generation hackers (intruders) may be better served by being invited by the old generation hackers (obscure code craftsmen) to participate in this discussion group and attempt to become interested in more productive activities -- (e.g. fixing public domain INGRES to run on current generation unix systems, updating the old X10 server for the ibm/pc to work with X11R4, etc). I would offer them lists of anonymous ftp/xfer systems containing millions of lines of code from small programs to large systems that would meet their need to explore (without the very time consuming and wasteful process of breaking uninvited into personal, commercial, and government systems), be challenged, and perhaps even contribute to the wealth of good hacks available to the public.

o No one should be insulted ... or otherwise baited or goaded into breaking into systems as a sign of rebellion against established authorities like the people who browbeat the bored and restless children who have written into this group in an attempt to make contact with something more stimulating than an assignment to write a "C" program to solve an arbitrary combinatorics problem.

> Obligatory hacking report:

I am trying to fix a generic security problem involving the triggering of data terminal answerback buffers by whatever program elects to send a ^W in the course of displaying a message. The specific problem I have encountered is a public access computer terminal room where one of our students entered "^Y@dra0:[name]x.bat" into the answerback buffer, waited for a privileged user to access that terminal, sent email containing a ^W to that privileged user, the privileged user read the email, triggered the answerback buffer, and promptly changed the protection on the user authorization file and the user authorization program to rwed access for all users on the system. The student user ran the user authorization program, reset the password on a dormant privileged account, logged out, logged back in as the dormant privileged user, reset the protection on the user authorization file and the user authorization program, read and copied mail between numerous high level administrative users, introduced numerous trapdoors to allow reentry to our system, and logged out with nary a trace (some details of the audit trails that were successfully used to secure a full confession have been left out) of her presence.

This is a perplexing problem ... why do manufacturers still put an answerback buffer in computer terminals ... such buffers should have disappeared with the Model 35 TTY. Currently, short of periodically sending ^W to all of our inactive terminals (and gobbling up the response), there is no evident way to prevent such abuse. Suggestions anyone?

FINAL COMMENT: The INTERNET virus should be treated as a product liability question. In my opinion, DEC and SUN should pay the cost of the cleanup effort. If it were not for latent defects in the products distributed by these two manufacturers (which have been subsequently repaired by emergency hacks and official patches), the relatively innocuous INTERNET virus could not have spread so far so rapidly. The show trial of some poor student who happened to test for the presence of this defect and found he had created an extremely large chain reaction of systems passing this virus from one to another ... is only detracting from the central fact -- today's vendors are incapable of producing computer products without significant security (and for that matter day to day operational) defects. These defects regularly result in unintended system crashes, destruction of data, communications outages, denial of service, etc. If we are not going to put a very large number of unwitting vendor software development people, system managers, users, and maintenance people in jail for unintentionally triggering such disruptions ... then we are going to have to find a better way to secure systems ... some way that is better than the Morris show trial.
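One answer to the "Suggestions anyone?" in the hacking report above, added here as an illustration and not part of the original post: rather than polling idle terminals with ^W, neutralize the trigger on the display side. A mail reader or message utility can replace every control character that a terminal might act on (the ^W the post names, ENQ/^E which DEC-style terminals answer, ESC-introduced sequences, 8-bit C1 controls) with visible caret notation before the text reaches the reader's terminal, and report each occurrence so it can be logged. The code below is my own; it assumes message text has already been decoded to a Python string and that TAB, LF and CR are the only controls a plain-text message legitimately needs.

```python
# Added example, not code from the original post.  A display-side filter
# for a mail reader or "write"-style message utility: every control
# character that could trigger the terminal (answerback via ENQ/^E, the
# ^W the post names, ESC-introduced escape sequences, C1 controls) is
# replaced with visible caret notation before the text reaches the user's
# terminal, and each occurrence is reported so it can be logged.
# Assumptions: message text is already decoded to str; TAB, LF and CR are
# the only C0 controls a plain-text message legitimately needs.

from typing import List, Tuple

ALLOWED_CONTROLS = frozenset({0x09, 0x0A, 0x0D})   # TAB, LF, CR

# Names for the controls most relevant to terminal abuse (for reports).
CONTROL_NAMES = {
    0x05: "ENQ (answerback trigger on DEC-style terminals)",
    0x17: "ETB (^W, named in the post as the trigger)",
    0x1B: "ESC (escape-sequence introducer)",
    0x9B: "CSI (8-bit control-sequence introducer)",
}


def is_dangerous_control(cp: int) -> bool:
    """True for any C0, DEL or C1 control that must not reach the terminal raw."""
    if cp in ALLOWED_CONTROLS:
        return False
    return cp < 0x20 or cp == 0x7F or 0x80 <= cp <= 0x9F


def caret_notation(cp: int) -> str:
    """Render a control code visibly: ^E, ^W, ^[ for C0, ^? for DEL, \\x9b for C1."""
    if cp < 0x20:
        return "^" + chr(cp + 0x40)
    if cp == 0x7F:
        return "^?"
    return "\\x%02x" % cp


def sanitize_for_terminal(text: str) -> Tuple[str, List[Tuple[int, int, str]]]:
    """Return (safe_text, findings).

    safe_text carries no dangerous control characters; findings lists
    (offset, codepoint, description) for every character that was replaced,
    so the caller can log who sent what to whom.
    """
    out = []
    findings = []
    for offset, ch in enumerate(text):
        cp = ord(ch)
        if is_dangerous_control(cp):
            out.append(caret_notation(cp))
            findings.append((offset, cp, CONTROL_NAMES.get(cp, "control character")))
        else:
            out.append(ch)
    return "".join(out), findings


# Constructed sample: a mail body carrying ^W (as in the post's report), an
# ENQ, and an ESC-introduced clear-screen sequence, plus a legitimate tab
# and newlines that must survive untouched.
SAMPLE_MESSAGE = "Meeting moved\tto 3pm\x17\nSee \x05 you\x1b[2J there\n"

if __name__ == "__main__":
    safe, found = sanitize_for_terminal(SAMPLE_MESSAGE)
    print(safe, end="")
    for offset, cp, desc in found:
        print("offset %d: 0x%02x %s" % (offset, cp, desc))
```

The filter belongs in whatever program writes other people's text to a terminal (mail, notify/write utilities, login banners that echo user-supplied fields); it does not remove the answerback feature itself, so the terminal-side configuration the post complains about remains a second, independent layer to address.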