GOODIES TO GO! (tm)
July 19, 1999 -- Newsletter #37
Please visit http://www.htmlgoodies.com
Greetings, Weekend Silicon Warrior,
Another week has passed and we again take to the Web-waves with newsletter number 37!
Did you hear...
Jeffrey Hunker, director of the Critical Infrastructure Assurance Office of the National Security Council, has announced "version 1.0." That's a plan backed with just under one and a half million dollars designed to protect national computers from hackers and crackers in fiscal year 2000. Many will see this as a serious defense. Others will simply see it as throwing down the gauntlet.
By a vote of 404 to 24, and 81 to 18, the House and Senate passed a measure giving companies 90 days to repair computers before a Y2K lawsuit can be filed against them. The (now) bill will suggest mediation over lawsuit. President Clinton is expected to sign it into law.
Now onto today's topic...
Two weeks ago, I wrote this paragraph:
"On Monday the 28th of June hackers got in and defaced the Army's main Web site www.army.mil. It's been repaired, but once again someone has raised the bar and someone else will have to jump higher. It makes me nervous that soon they'll hit something that starts a domino effect that really harms someone -- like hospital records."
In fact, I led the newsletter with it. Well, very soon after, the e-mail from some very upset people came pouring in. The text varied, but the main thrust was that I had used an incorrect term. The people who altered the Army's Web site, claimed the e-mails, were not "hackers" but "crackers."
This seemed strange to me in that I always thought "hackers" were people who broke into systems and "crackers" were those who broke code. I've known a couple of pretty clever crackers who were heavily into finding ways around shareware screens.
So, I looked into it. Wow. There is a great deal written about this, far more than I expected. Soon my printer was humming and I was boiling all of this down into bite-sized bytes of information. Here's what I found.
There are generally three categories that encompass those who break into computers. Now, please understand that these terms are part of what's known as a "slang" language so the terms will change as fast as I can set them into stone.
Hacker: One who breaks into a network, server, or personal computer with the intent to do harm. The purpose of the entrance is to delete files, place a virus, or otherwise do bad stuff.
Cracker: One who breaks into a system yet does not want to cause harm. A cracker follows an unwritten code that nothing should be harmed or destroyed in their doings. I found a few pages that described crackers as people in competition with each other to gather attention or get a message out.
Sneaker: One who is hired by a company to test its computer defense system. The sneaker basically tries to break in with permission.
I found one more prevalent term that doesn't break the groups into smaller sections: Phreaker. Yes, that's spelled correctly. Someone who "phreaks" goes after, for example, a telephone system with the intent to make free long-distance calls. Hackers, crackers, and sneakers can also be phreakers. Get it?
The most famous Phreaker must be John Draper, a.k.a. Cap'n Crunch. Phone company workers used to use a 2600 Hz tone to authorize phone calls that weren't to be charged. Draper got hold of this information and set out to find something that would reproduce this tone. He found it in a box of Cap'n Crunch cereal (thus the nickname). A plastic whistle they were giving away reproduced the tone perfectly.
The messages I received responding to last week's letter did their best to show that hackers are very bad people and crackers are the Robin Hoods of the computer generation. The main point supporting this was that hackers do damage while crackers simply use other sites to produce a message. I guess that depends on your definition of "doing damage."
Most hackers and crackers work with an alias, but it's not like people don't know who they are. I'm sure most are well known to others in the computer community. I make that statement because 2600.com possesses a fantastic collection of hacked pages. I highly doubt 2600.com were lucky enough to be there when the pages posted. I have to believe that the texts were sent to 2600.com by those responsible for the work.
Here's an example:
A person or group calling them- (or him- or her-) self "The Hong Kong Danger Duo and gH" got into the White House Web server and replaced the home page with the text below:
You're box was 0wn3d.
Look at the interesting things we found in Bill's personal files.
Recording #1 Recording #2 Picture
Why did we hack this domain? Simple, we ****ing could. Maybe this will teach the world a ****ing lesson. Stop all the war. Concentrate on your own problems. Nothing was damaged, but we not telling how we got in. Fear the end of the world is upon us, in a few short months it will all be over. Y2K is coming.
Following peeps get some shouts:
Tiffany G. - j00 ****ing ****! fjear the p00!
gH World Domination
Fjear. wuz here
The spelling was just as I found it. In case you're wondering, to give "peeps some shouts" means to offer praise to someone's friends or cohorts. The recordings and pictures were no less nasty.
I ask you, was this site hacked, or cracked? No, nothing was destroyed, but this message stood for a short while. Was that not damaging? Yes? No? You decide.
There's no question the people who can do this sort of thing are amazingly talented and quite intelligent. I guess my concern is motive. Why do it? Maybe the message above offers an answer... "because we can." Why climb Mount Everest? Because it's there. Why rob banks? Because that's where the money is. Why hack and crack? Because they can.
I was rather impressed with what I saw. A great deal of the hacked and cracked pages were very funny, the Spice Girls site knocked me out of my chair. But all the while, all I could think of was that I pray it doesn't happen to me.
To those who wrote to me saying I had used the term "hacker" when I should have used "cracker," my apologies. I didn't know the slang. Now I do and I'm not sure that your definition of damage and my definition are the same. No, a cracker harms nothing but the embarrassment suffered by the site is still a real kick in the teeth.
Still, it's impressive what they do.
So, look for the back door that can be opened with a key from the bit bucket and try to further munge spaghetti code using vaporware, wetware, and a Vulcan nerve pinch before raster burn sets in.
(Translation: Find a way into someone's system you can open with programming found in discarded data and look to further mess up very complicated code using cutting edge software, your brain, and a three-key keyboard shortcut before eye strain sets in from looking at your monitor for too long.)
And that's that... thanks for reading.
Joe Burns, Ph.D.
And Remember: Up above I blocked out some words because they are considered obscene. Well, times change. Did you know that the word "devil" was once the worst curse word you could call a person? The word "bankrupt" was once considered so foul that it was written "b-----pt" even in legal documents.