c|net Coverage of Johnny Long: EPIC FAIL
My postmortem of the Hackers on Planet Earth conference The Last Hope continues, thanks to an inane c|net article making the rounds this week.

Photo credit: Elinor Mills
All the cool kids know the difference between a hacker and a cracker. On the off chance you’re not a cool kid, leave this page and wipe your cache. Ah, I crack myself up. Ok, you can stay; I’ll offer a super-brief and simplified de-obfuscation, paraphrased from Wikipedia and the Hacker Manifesto:
Hacker (n.)
- Someone who knows/intuits/understands/learns a system well enough to navigate it quickly and find its flaws (computers, the body, social systems, food, the media…).
- Someone who gets a kick out of building, taking apart, modifying, or repurposing things most people would be afraid to break or touch.
Hackers realize the scope and potential effects of their discoveries, and take steps to report flaws they find and/or share their knowledge in an effort to make the system better. At the very least, they do nothing but rejoice in their triumph over The System, have a laugh with their peers about their obvious intellectual superiority, and move on.
Crackers can have the same characteristics, but exploit their knowledge for personal gain or to destructive ends. Crackers might also be operating off the knowledge base of others rather than their own research (i.e. script kiddies), but that’s beyond the scope addressed here.
The difference, clearly, is intention.
I know this operational difference has been addressed ad nauseam elsewhere, and it would appear that the disambiguation is taking root. Unfortunately, the pendulum occasionally swings too far, and the result is the article Hacking with No Technology from c|net news.
On one hand, I appreciate any coverage of HOPE in the media, but on the other hand, Elinor Mills gets it completely wrong. Result: It’s barely 9am and I am frustrated-slash-furious.
Mills excerpts the story security researcher Johnny Long recounted during his HOPE presentation, saying “[his friend] got a coat hanger and a rag and proceeded to break the window in the door [of a highly secured building]. He then reached in with the straightened coat hanger and the door opened up.”
“The message,” she says Long conveyed, is that “there’s a lot of room for…solving problems in simple ways.” That may be true, but never once in her article does she couch any of her examples in an intention, forethought, or action taken to rectify the situation. Not only does this render her review essentially meaningless, it makes it downright detrimental to the cause.
To put it another way, consider these two scenarios:
- Your friend buys a new luxury car with a state-of-the-art keyless entry system and shows it off as “unbreakable security.” You pick up a hanger off the street and, with a few twists and turns through the window frame, open the door. You’ve hacked the car and educated your friend.**
- You and your friend leave the car in the parking lot and go inside for a cup of coffee. Meanwhile, a thief comes along, picks up another hanger and repeats the same trick. Your friend comes back to an empty parking space.
**Ignore that this scenario is very unlikely these days. It’s called an example, people.
The difference: Intent and follow through.
No one would call the car thief a hacker, but when it comes to network security, and the ever-ambiguous “social engineering” especially, it’s a slippery slope requiring constant vigilance.
Mills misses her first opportunity in the article’s introduction. I’ll ignore the subtle gender bias of the statement, “The woman sitting next to you in the airport or Starbucks fiddling with her digital camera while you work on your company’s confidential sales data could be just as dangerous… as the typical image of a hacker is a kid hunched over his keyboard” and move on to the more important distinction that what she is describing already has a clear name, and it’s not hacking. It’s called corporate espionage. My resume said Corporate Intelligence Analyst. Much more marketable.
Most of us are probably familiar with the concept of “shoulder-surfing” for information: gleaning information during an innocuous walk-by of a target. Even “dumpster diving” for unshredded documents with usernames, phone numbers, passwords, personal notes, etc. is well known. Both first found their mainstream association with the hacker community in the eponymous 1995 movie. (Yes, the acts themselves go back wayyyyyy before that. You get a gold star.)

You’ll remember, however, that the goal of that movie’s good guys is to use their hacking “skillz” to take down system administrator and cracker “The Plague’s” diabolical money-skimming worm. Trite and simplistic, sure, but this image remains most people’s understanding of how non-technical hacking can be used for Good with a capital “G”.
Johnny Long knows his stuff – and his definitions, scope of actions, and intent – inside and out. His discussion of No-Tech Hacking was geared toward an audience that shares this intrinsic understanding and erupts in rounds of applause when a speaker shares a story about acquiring several security guards’ ID badges simply by walking up to them and saying, “We’re handing out new badges and need to collect the old ones.” (Credit for this story goes to Emmanuel Goldstein from the Social Engineering panel; video on YouTube.) When writing for a mainstream audience, however, one must spell it out. Definitional ambiguity orchestrated to suit the situation is our job.
UPDATE: It’s probably good that I read this article before her other article on Steven Rambam’s presentation. Head. Exploding.
