I want to discuss “hackers”. All of us in the security industry are all too aware of the abuse of the term hacker and its association with the kid in the dark room breaking into computers in some distant corner of the Internet.
While this is not strictly speaking the definition of a hacker it has become the adopted meaning in the mainstream. Even us Infosec peeps now use this term interchangeably to refer to both black and white hats. I can’t recall any of my security peers ever referring to “crackers” which is supposedly the correct term for black hats.
Maybe that’s because we all recognise the problem isn’t quite so black and white after all? We all know Bob right? ;-)
hack·er - a computer enthusiast.
That’s from dictionary.com. There’s no mention of evil computer criminals. A computer enthusiast….not bad but it doesn’t really capture the essence of hacking for me. Yes, enthusiasm is at the core of it but it’s something more than that.
Hacking is sexy
Information Security is a booming industry right now, and with that boom inevitably comes a wave of people doing it for different reasons to, well, me. Hacking is sexy, people watch The Matrix, do an Ethical Hacking degree or CEH, they download Metasploit and go “hack”.
No. Just in case this needs spelling out, that is not hacking. Hacking is something which runs through you, it’s an all-consuming passion for finding out how and why things work, taking them apart, putting them back together, often in a different form to before you took it apart. Then doing it again.
There is one phrase you will never hear a hacker say:
How do you know all this stuff?
People have said it to me before and my answer is always the same and always along the lines of “erm, I don’t know, I read up, I tried it out….erm, I just do…”. It never occurs to me that I couldn’t know something to do with computers. Some topics I find harder than others, hard-core cryptography for example, but I’ve never stopped learning something because it was too hard, just because I ran out of time or chose something else to learn that night.
We all get frustrated by people who turn up in IRC channels (or similar) and ask the inevitable “teach me to hack” questions. Why is that frustrating? For me, that’s obvious. If you’ve ever asked a generic question like that you will (likely) never hack something in your life. Your brain is just not wired that way. The sheer amount of information available on the Internet and the accessibility of it through search engines is phenomenal. There’s really no excuse not to attain a basic knowledge of anything these days. If you can’t master a basic use of the Internet you’re really not cut out for a career in IT, let alone Information Security.
Hackers find out for themselves (not just through the Internet) and ask other hackers when they get stuck. It’s ok not to know something but you need to show you’ve put some effort in before others will help you. If you spend any time on IRC hanging in the #metasploit channel for example, you’ll see someone get kick/banned every day for breaching this etiquette. Why is it so important to put the effort in first? There’s a number of reasons but I think primarily it comes down to respect. Time is the enemy of the hacker. There’s so much to learn, so many projects on the go at any one time that managing it all is almost an impossible task. Along the way we want to help others learn too but not by spoon feeding – don’t waste a hacker’s time, it’s the thing he values most.
Am I a hacker?
For the last twenty or so years I’ve been messing about with computers. I remember my first one, a 486 with 8MB of RAM running Windows for Workgroups 3.11 on top of MS-DOS 6. Some of you reading this will think I’m but a baby, some of you will wonder what on earth I’ve just written. I was 16. I was doing an A-Level Computing course and my parents bought this beast with its tower case and 14" CRT monitor. I spent hours messing about with autoexec.bat and config.sys, removing key Windows system files (it didn’t warn you in those days) and generally pulling it apart. I spent evening after evening re-installing Windows (from 8 floppy discs). I took that knowledge to college where I wrote DOS and Novell boot screen emulators in Turbo Pascal which captured other students’ usernames and passwords. I watched War Games and I wondered how on earth I would ever afford to buy a modem so I could do war-dialling as that looked cool.
A couple of years later we got a new computer. This time a Pentium II 400MHz. Crucially this baby did have a modem. A 56K V.90 no less. Internet here we come. I grabbed a free Compuserve disc off that month’s PC Pro mag and got online. No firewall, no antivirus, no NAT, just raw Internet. Yeh baby, that’s how we rolled in them days.
It didn’t take me long before I was searching (altavista.com) for hacking stuff. I frequented the CdC website, installed BackOrifice on my own and friends’ machines, messed around with L0phtCrack and generally did things which probably meant my machine was owned seven ways to Sunday.
A lot of the hacking sites I read were talking about this Unix thing I’d never heard of. It sounded cool, you could “telnet” into it and get “root”. People had pages of commands you could run. It was great but where would I find a Unix system? That’s when I discovered Linux.
That old 486 with 8MB RAM quickly became a RedHat server, I started writing HTML pages (used a WYSIWYG editor and switched to source to see how it made a table, for example – see, not hard is it?!) and serving them from this cool thing called “Apache”.
I blagged a job as a Windows and Unix SysAdmin in the Civil Service. I went and did my MCSE like a good boy and I looked after some really old military Unix boxes that had proper cassette back up tapes which we cpio’ed to every night. Then restored from every morning when the feckers didn’t boot.
I learned to program in shell and perl. I wrote CGI web pages (oh how I’d love to go back and pen-test some of those now), I set up Intranet servers with MySQL, I compiled my own kernel every time the latest minor revision appeared on kernel.org, I generally consumed any and all knowledge about any and all pieces of computer stuff I could get my hands on.
Fast forward to the present day and pretty much nothing has changed. These days it’s Python and Ruby for me when it comes to programming and I’ve squeezed OSX in on the OS front, but I’m still bursting with ideas for the next project and I still want to know how things work and produce creative solutions for problems.
Am I a hacker? Personally I subscribe to the old school way of thinking, “hacker” is not a term one bestows on themselves, it is a title given by one’s peers. But enough people have now referred to me as one that I'm now comfortable saying it myself.
Are you a hacker?
I’ve no idea. You’ll have to answer that question for yourself. Your definition may differ from mine and at the end of the day it really doesn’t matter. It’s just a label for something.
Before you say yes though, consider the following. You know MS08-067 right? Who doesn’t? Almost guaranteed pwnage. Every tester's go-to Metasploit module on a Windows network lacking in patch management.
Have you ever actually read the source code for that Metasploit module? Do you know how it works? Have you ever attached a debugger to a Windows box while it’s being pwned by this exploit? Hmmm.
While we’re on the subject of Metasploit, have you ever written a Metasploit module? You do realise how good it is for writing exploit code right? I have been publicly critical of Metasploit on Twitter but for the record I think it’s awesome. My criticism stems not so much from Metasploit but from the reality of the world we live in. I view Metasploit – out of the box – as a tool for the internal penetration tester. Out of the box Metasploit is a tool for exploiting known vulnerabilities. If you’re commissioning a penetration test in my utopia you won’t have any known vulnerabilities. You’re paying us to find the stuff you don’t know about. In the real world it doesn’t work like that.
However, if you want rapid development of custom exploits then Metasploit is completely in a league of its own. You don’t really need to know Ruby to come up with a working module with selectable payloads, etc. Just awesome.
What about nmap? Ever run Wireshark while you’re running an nmap scan so you can see exactly what is being sent over the wire? Written an Nmap module?
If you’re reading these questions and thinking “er no, I’ve never done that” does that mean you’re not a hacker? Well, I don’t know. Not necessarily. If you’ve never even thought to do it then I reckon no, you’re probably not a hacker. Sorry. If you put it on a list to do once you’ve finished some other cool stuff then maybe.
Being a hacker is a fantastic accolade, in my book and with my definition anyway. Someone who seeks out knowledge for the betterment of themselves and others, it’s something to be proud of.
In summary, if you’re bothered whether or not you’re a hacker then frankly you’ve got other issues. Stop worrying about a label and just hack stuff. If you don’t want to hack stuff then you’re not a hacker. If you’re not a hacker at least now you know and you can stop worrying about it.
And if you’re not a hacker you should consider getting out of the penetration testing industry and finding some other area of information security to work in because you can be damn sure the people that break into your network will be hackers.