According the the Geek.com technical dictionary:
"Cracker - This is the common term used to describe a malicious hacker. Crackers get into all kinds of mischief, including breaking or "cracking" copy protection on software programs, breaking into systems and causing harm, changing data, or stealing. Hackers regard crackers as a less educated group of individuals that cannot truly create their own work, and simply steal other people's work to cause mischief, or for personal gain."
"Hacker - This is someone that seeks to understand computer, phone or other systems strictly for the satisfaction of having that knowledge. Hackers wonder how things work, and have an incredible curiosity. Hackers will sometimes do questionable legal things, such as breaking into systems, but they generally will not cause harm once they break in. Contrast a hacker to the term cracker."
Looks good. These are definitely two different types of people, so I understand why a hacker would get upset at being called a cracker. This is the part that gets me, though: "Hackers will sometimes do questionable legal things, such as breaking into systems, but they generally will not cause harm once they break in." I have a few problems with this.
1. Generally? "He breaks into cars and joyrides, but he generally returns them."
2. Questionable legal things? No, breaking into systems one does not own is unquestionably illegal in the U.S.
3. Even so, let's assume the hacker does nothing illegal. How is a company supposed to know the difference between the hacker and the cracker?
Follow me for a minute here: I own a company, NetNut, and it has a computer connected to the internet. Stored on this computer is my secret data. Rufus T. Wanklehacker wakes up one morning and decides to try to break into NetNut's computer. He finds a security hole and succeeds. After he is done, he restores the computer the state he found it in and reports the security flaw to NetNut, so they can fix it. Across the street, MaCooter Q. Buttcracker is just getting up. He decides he'd like to get a piece of that secret data of mine. So he breaks into NetNut's computer and gets the data. He then restores the computer to the state he found it in, and just in case there are any audit logs he doesn't know about, reports the security hole(s) he found when breaking in. In this way he can claim he is just a harmless hacker and avoid prosecution, so long as no one finds out he looked at secret data.
See where I'm going with this? This is not an implication that all hackers have malicious intent. I'm all for the idea of peer-review, publication of security flaws, open-source, etc. But when a hacker breaks into a live system and wants a company to "take his/her word" that no harm will come of it... please. No harm will come of it if the person is truly a harmless hacker, but why would a company want to take the risk?
My question is this: What does a hacker want from the law? Why should a company, after receiving an email about a security flaw from a hacker who broke in, trust that the hacker did not do anything to harm the company? Why should a legal deterrant not come into effect until the company starts losing money? An analogy: "Stealing cars should not be illegal. The owner of the car should not be able to prosecute until the car is actually sold on the black market." Long story short, a cracker is a malicious hacker (see definition above). Malice is not the most measureable aspect of a person. So until the CIA with its drug tests figures out how to determine the exact level of malice in a person's brain, hackers are going to have to find a more obvious way to differentiate their actions from that of crackers if they expect the law, the media, and the corporations not to come down on them.
Here are a list of potential responses:
1.
Response - About the stolen car...
Rebuttal - It's an analogy. I know that a computer user can still use the computer if it is broken into, but a car owner can't drive a car if someone else is driving it. The point is that the car owner never gave permission to anyone to use his car. A better analogy is a house. There's a reason we have laws against breaking and entering in addition to locks on doors. What makes a computer so different?
2.
Response - I'm a hacker and I don't break into sites uninvited. I only reverse engineer software, break into my own systems or my friends' systems, work for a security consulting firm, shoot myself in the junk with a dart gun, etc.
Rebuttal - Then I'm not talking about you. I'm talking about the hackers who break into someone else's system without permission.
3.
Response - On Smarch 32nd, 1989, Ronald M. Jobjob was aquitted of charges of breaking into a computer system on the grounds that he only elevated his privilege level, or was abused as a child, or whatever, so breaking into computer systems is legal.
Rebuttal - Sometimes people get away with doing something that is illegal. Sometimes people are found guilty of a crime they did not commit. In this country though, people are rarely charged with crimes that do not exist (I know some people can probably think of a few straw man examples against this, but they are rare). I work for a large corporation, and I have regularly seen it successfully prosecute people who work for the company and are caught trying to crack passwords or other such hacker activities. Breaking into computers is as illegal as breaking into homes (not the penalty, the legality).
"Cracker - This is the common term used to describe a malicious hacker. Crackers get into all kinds of mischief, including breaking or "cracking" copy protection on software programs, breaking into systems and causing harm, changing data, or stealing. Hackers regard crackers as a less educated group of individuals that cannot truly create their own work, and simply steal other people's work to cause mischief, or for personal gain."
"Hacker - This is someone that seeks to understand computer, phone or other systems strictly for the satisfaction of having that knowledge. Hackers wonder how things work, and have an incredible curiosity. Hackers will sometimes do questionable legal things, such as breaking into systems, but they generally will not cause harm once they break in. Contrast a hacker to the term cracker."
Looks good. These are definitely two different types of people, so I understand why a hacker would get upset at being called a cracker. This is the part that gets me, though: "Hackers will sometimes do questionable legal things, such as breaking into systems, but they generally will not cause harm once they break in." I have a few problems with this.
1. Generally? "He breaks into cars and joyrides, but he generally returns them."
2. Questionable legal things? No, breaking into systems one does not own is unquestionably illegal in the U.S.
3. Even so, let's assume the hacker does nothing illegal. How is a company supposed to know the difference between the hacker and the cracker?
Follow me for a minute here: I own a company, NetNut, and it has a computer connected to the internet. Stored on this computer is my secret data. Rufus T. Wanklehacker wakes up one morning and decides to try to break into NetNut's computer. He finds a security hole and succeeds. After he is done, he restores the computer the state he found it in and reports the security flaw to NetNut, so they can fix it. Across the street, MaCooter Q. Buttcracker is just getting up. He decides he'd like to get a piece of that secret data of mine. So he breaks into NetNut's computer and gets the data. He then restores the computer to the state he found it in, and just in case there are any audit logs he doesn't know about, reports the security hole(s) he found when breaking in. In this way he can claim he is just a harmless hacker and avoid prosecution, so long as no one finds out he looked at secret data.
See where I'm going with this? This is not an implication that all hackers have malicious intent. I'm all for the idea of peer-review, publication of security flaws, open-source, etc. But when a hacker breaks into a live system and wants a company to "take his/her word" that no harm will come of it... please. No harm will come of it if the person is truly a harmless hacker, but why would a company want to take the risk?
My question is this: What does a hacker want from the law? Why should a company, after receiving an email about a security flaw from a hacker who broke in, trust that the hacker did not do anything to harm the company? Why should a legal deterrant not come into effect until the company starts losing money? An analogy: "Stealing cars should not be illegal. The owner of the car should not be able to prosecute until the car is actually sold on the black market." Long story short, a cracker is a malicious hacker (see definition above). Malice is not the most measureable aspect of a person. So until the CIA with its drug tests figures out how to determine the exact level of malice in a person's brain, hackers are going to have to find a more obvious way to differentiate their actions from that of crackers if they expect the law, the media, and the corporations not to come down on them.
Here are a list of potential responses:
1.
Response - About the stolen car...
Rebuttal - It's an analogy. I know that a computer user can still use the computer if it is broken into, but a car owner can't drive a car if someone else is driving it. The point is that the car owner never gave permission to anyone to use his car. A better analogy is a house. There's a reason we have laws against breaking and entering in addition to locks on doors. What makes a computer so different?
2.
Response - I'm a hacker and I don't break into sites uninvited. I only reverse engineer software, break into my own systems or my friends' systems, work for a security consulting firm, shoot myself in the junk with a dart gun, etc.
Rebuttal - Then I'm not talking about you. I'm talking about the hackers who break into someone else's system without permission.
3.
Response - On Smarch 32nd, 1989, Ronald M. Jobjob was aquitted of charges of breaking into a computer system on the grounds that he only elevated his privilege level, or was abused as a child, or whatever, so breaking into computer systems is legal.
Rebuttal - Sometimes people get away with doing something that is illegal. Sometimes people are found guilty of a crime they did not commit. In this country though, people are rarely charged with crimes that do not exist (I know some people can probably think of a few straw man examples against this, but they are rare). I work for a large corporation, and I have regularly seen it successfully prosecute people who work for the company and are caught trying to crack passwords or other such hacker activities. Breaking into computers is as illegal as breaking into homes (not the penalty, the legality).
No comments:
Post a Comment