Nick Moffitt on Sat, 10 Aug 2002 20:13:56 +0200 (CEST) |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
Re: <nettime> hack, hack, hack digest [spornitz, flagan, hwang, pope, assange] |
begin nettime's_1337ologist quotation: > > Hackers literally do enter strings of code at random in the hopes > > of cracking somebody's password etc. It's like searching for a > > needle in a haystack much of the time, and it is hideously dull > > and tedious work that bears absolutely no relationship to the > > intensive creativity of an artist's task. I was amazed by this thread. The whole discussion that followed this post seemed to actually accept its premise! Brute force and dictionary attacks against passwords are quite possibly the most unpopular mechanisms for breaking into a system! Most intruders, rather than bother with the front door, will look for a service that holds privilege on a remote system and then trick it into granting some of that privilege. The most common such attacks involve buffer overflows (an accounting mistake in the way many programs manage their allotted RAM that actually allows one to upload a new program over the running one), string format attacks (slipping redirecting data into a program to get it to do its work somewhere that it wasn't intended, or taking advantage of the trusting nature of an underlying tool), or man-in-the middle/snooping attacks (watch what authorized users do, and mimic it). The act of breaking into a system is a complicated one, and it's something that every system administrator needs to know. Unfortunately, the only side of it that the users see is their account and password management. They never see the constant upgrading, patching, malloc debugging, or service access restriction. This leads to some misunderstandings about how network and system security work. It doesn't help that film depictions of so-called "hacking" tend to show it as simple brute-force password guessing. I can tell you right now that any system running any sort of modern OS would flag any more than a few failed logins. Someone playing this guessing game would light up my alarms like a christmas tree. My friend Jim Dennis summarizes system security as "providing appropriate access to resources". Most intrusion is based on subverting some program's misunderstanding of just what's "appropriate". The SysAdmin's job is then broken up into three parts: Prevention, Detection, and Recovery. The sad story is that the first of these three is sysyphian, to say the least. The good news is that if you get the other two down pat you can almost ignore the former (see The Wiki Way for an example of this -- no access controls on the system, but everyone can quickly see a bogus change and revert it easily!). > > If you want an analogy that works, compare it to the codebreakers > > of WWII, The code-breakers of WWII were intense mathematical thinkers and the founders of Computer Science (not to be confused with programming, fool!). On the other hand, most crackers are technologists (not scientists or mathematicians), and are playing with the cogs and springs of the systems. These code breakers were uncovering truths about the universe and developing a calculus of information theory. There's an amazing gulf between the two, but the latter did lead to the former. > > I am sorry, but I refuse to see hacking as a pursuit we should be > > putting on the same pedestal (or higher, in one person's view) as > > artistic creation. It just ain't so! Exploring networks and making maps is an immensely creative activity. It's a pity that the Internet has homogenized things to the point where that's not nearly as entertaining as it once was. -- Jack Valenti is to the American film viewer and the American public as the Boston strangler is to the woman home alone. -- http://cryptome.org/hrcw-hear.htm (search for "Boston") # distributed via <nettime>: no commercial use without permission # <nettime> is a moderated mailing list for net criticism, # collaborative text filtering and cultural politics of the nets # more info: [email protected] and "info nettime-l" in the msg body # archive: http://www.nettime.org contact: [email protected]