My thoughts on hacking..

Written by b0iler for http://b0iler.eyeonsecurity.net/


Table of contents

-Intro
-Hackers
-Things get messed up and I just kinda ramble on... but still good stuff.
-Conclusion


Intro

Well, I cannot believe I am writing this. I never thought that I would write something on hacking ethics or hacking culture. I thought that type of stuff was for older hackers who have moved on and people who know nothing but like to babble about what they think people should do/be. As I am sitting here writing this I am hoping that this tutorial gives alittle insite on how hackers (me and some friends) think, what we do, how we do it, and what I think about other people in the hacker scene. I better start with the tutorial before I get out of this mood =)

oh, I will not discuss lamers - the people who have angelfire sites with hacker tools, people who just DoS, and people who flame all day and don't do anything. Just know that they aren't even really concidered in the culture at all and since everyone agrees that they are lame I will not even discuss them.


Hackers

Hackers... such a broad term I don't even think I'll try to define it. You all have your own definitions of a hacker, my definition is no better than anyone elses. I see hackers as alittle more hardcore than just the vanilla "learns about security" or "tries new things" definitions.

I see a problem, it is rather large although it is weaved into the culture so much that most people don't even notice it. I think it is mostly do to culture thinking hackers are cool. This problem is related to lamers.. in a way. You see, 90% or greater of people in are in the hacker scene don't really fit my definition of a true hacker. What I mean by this is they are almost average computer users. I don't really understand why they hang around the hacker channels on irc and hacker sites. Some hacker sites are even run by regular users! I think you know what I mean. You can tell who are serious about hacking things, getting their hands dirty, learning some serious security.. and those who are just there because hacking is concidered cooler than being a normal computer geek. I know that most people in hacking channels and such are wantting to learn how to hack, I am not ignorant.. but it seems they aren't going in the right directions. They aren't trying to exploit anything, they aren't trying to learn by doing, they aren't studying the right things! I cannot stand this.. I for one would love to see a place where there are no newbies, no lamers, no normal computer users!!! strictly hackers. People serious about breaking into things and learning from doing so. People who share their ideas and knowledge freely and without (much) judgement.

I will look at blacksun for an example. Their site is concidered one of the top hacking sites on the net, and for good reason, their tutorials are ace. But I see a few things wrong with bsrf (black sun research facility). In their channel on irc their is ALOT of gossip and talks of non-computer related things. This is fine, almost every channel has this, but it's alittle excessive for one of the leading hacking sites on the net. Flames are also fast and plenty in there, people who try to learn or try to share ideas and knowledge many times get a cocky responce from someone who knows alittle bit more than they do.

---start----

* jimmup joins #bsrf
jimmup: hey guys
jimmup: I was wondering if anyone has more details on the mazz server buffer overflow or if anyone has info on the protocol mazz uses.
lextheleet: jimmup: go search google, there are papers on that all over the place.
jimmup: I would rather have a discussion, I know quite about about it already.
lextheleet: you couldn't code asm to save your life.
lextheleet: anyone see saturday night live last night?

----end---

This was a made up situation, but it happens all the time. Someone wants to talk security and someone else shoots them down without knowing anything about them. lextheleet could have talked with jimmup about this, maybe the two could have thought of some other possible exploits or teached others in the room about mazz's buffer overflow or protocol. Instead the discussion was reduced to a flame and the next ("less hackerist") topic was introduced.

Not to pick on blacksun, it does a pretty good job with this.. being for hackers rather than computer geeks, But blacksun still fails in my opinion. This is where I see hacking sites seperate from security or normal computer geek sites... blacksun just doesn't cut it. It has some tutorials which explain ways to exploit things. But it is very script kiddish, it does not teach them how to find holes. One may argue that to find holes you need to know how something works, this is true.. and many of the tutorials (most) are focused on how things work - rather than securing/hacking them. But, even in these tutorials I would like to see points where the author makes notes where there are places security could be comprimized or methods of finding vulns.

If you haven't gotten my point yet this is it: Hacking is becoming more main stream, and with this it is loosing what it should be. I would like people who want to become hackers to actually HACK! Not learn about something that works based on tcp/ip.. but to interact with it, try new things, ask people about their experiences with hacking at it. To help others learn how to exploit it and get them to fiddle around with it. For example lets say I tell you "in A http header you can specify one of 16 values." That is great, you learned something... but the hacker way would be to tell you (this is how hackers should of heard that last sentace): "A http header has 16 possible values, some return different results depending on the situation. I noticed some interesting things when I tried ECHO followed by a NULL repeatively." This tells people the same as the first example but is more "hackerish". This way may get people to try the different values and find an exploit with ECHO, NULL, and the other possible values. It is learning, with the mindset of a hacker. Most newbies do not read the right things, they see how to do things and they do it. They do not try new things nor do relize that hackers don't only need to think outside the box, but all around the box.

I agree that hacking sites with tutorials shouldn't shy away from writting howto's and guides to help people with computers, but when the number of tutorials that show how to do things out number the number of tutorials focused on hacking or have the mindset of a hacker this is not appealing.


<yank> script kiddies are the MTV of hacking

Now lets see... many people think MTV is for young kids who don't know any better. They see the pop music and they become like it. It is all they see so they know no different. Everyone who they interact with acts like people on MTV so that is what they act like. We can put this into the world of hacking... I don't know how this started, but somehow the number of people who are not hardcore into hacking, people who do it socially or not at all overtook the number of real hackers.

What I mean is that newbies who wish to hack see all these normal people in the hacking culture and they become like them and learn from them. Since they do not see how true hackers do things they will not learn the way they should. Over time this becomes the norm, this is how these people act. I have a few ideas on how to avoid this. First idea is to stay clear of irc or message boards. Just read and experiment, read and experiment.. every night. There are some people who are regulars in some of my hacking channels who I can tell haven't read a tutorial on anything security related in probably 6 months. How are these people learning? That's the problem, they aren't. The people who become true hackers work hard for along time reading and experimenting each and everyday. They are hardcore, they don't take brakes or give up... they are always tinkering always learning.


Conclusion

Well, this paper wasn't really thought out, I more or less just let things flow out and put my thoughts on the screen as they came. I didn't structure this at all and I didn't think too much about my words... I just wantted to make a point and I feel I did. One other tutorial I did like this was a reaction to the proposed 'anti-terrorism act', check it out here. Since people really seemed to like it and I loved writting like that - strait from the brain, no structuring or anything.. just raw thoughts - I decided to try it again with this paper.

Yeah, this paper was not the longest, and it didn't teach much.. but I think 'idea' papers like this one are best when they are direct and make a statment. Any more of my babbling would just lose people's attention and stray from my point. I hope some of you feel the same way I do about this and think about changing your ways to help your goal of becoming a hacker in the true sense.


[-----]
http://b0iler.eyeonsecurity.net/ - A really good site with tons of orignaal tutorials.
[-----]