2.2 The Hacker

hacker, n: One with axe and intends to use it

2.2.1 Hacker vs Cracker?

A hacker is one who is ``intensely interested in the arcane and recondite workings of any computer operating system''[2]. A cracker on the other hand is defined as one who ``breaks into or otherwise violates the system integrity of remote machines, with malicious intent''[2]. From these definitions, it should be clear that what seems to separate a hacker and a cracker the most is malicious intent. Although malicious intent is not the only difference between a hacker and cracker, it provides at least one method of differentiating a hacker and cracker.

2.2.1.1 Legal test

Using this test, the difference between hacker and cracker is not based on any laws but on the state of mind of the person. The test is based on Mens Rea which refers to the guilty mind. It describes the mental condition in which criminal intent exists[2]. Using this test, it is very simple to differentiate between the hacker and the cracker. An action that any law-abiding citizen would have employed in that situation is acceptable because there is no mens rea. A real life example to illustrate how this test works is a security guard. He may check that every door is closed and locked to establish the security of the building. A thief on the other hand performs the same action but his motive is to steal, mens rea, and that makes the action a crime.

Although the correct term to speak of today's security breakers is ``cracker'', it is not widely used. The media and the general public refer to them as hackers, and not crackers. Indeed, they refer to themselves as hackers. It is for these reasons that we shall refer to security breakers as hackers instead of crackers.

2.2.1.2 An Example: Robert T. Morris

Morris started as an old-school hacker and ended up somewhat closer to a cracker. He was convicted of having written and deployed the WORM program that terrorized the Internet (then ARPANET). His defenders claim that his action was a demonstration of the weaknesses of security systems. They argue that the WORM put a point about security across to the security community more effectively than telling them would have done. The security community obviously did not appreciate the point, for Morris was arrested and convicted of a criminal offense. We discussed Mens Rea, and looking at the WORM program itself, it looks as if there was criminal intent. His intentions seem not to have been a direct attack against ARPANET itself. He did however have every intention of breaking into all those machines, for one reason or another. For more information on the WORM incident and Morris, see [9], [20] and [27].

2.2.2 Types of Hacker

Security is immoral, information WANTS to be free.

Chapman and Zwicky, in [6], group hackers into different categories. The categorization is based on the reasons for the intrusion and the intruders' actions when access is obtained. The categories Chapman and Zwicky have come up with are:

1. Joyriders
2. Vandals
3. Score Keepers and
4. Spies.

We have added tiger teams to this list of hacker categories for reasons explained later. We now continue to describe all the hacker types in more detail.

Joyriders break into computer systems for fun. They are probably the safest type of hackers to have break into your computer system. They are not out to damage anything although they sometimes do when trying to cover their tracks, learn something new or when they simply make a mistake. They are probably the closest that modern day hackers get to the original ones; they are in pursuit of knowledge. Today's ``script kiddies'' fall mostly into this category.

Vandals break in with criminal intent. There really is no way to overlook the mens rea. They break in either because they do not like you or just because they enjoy doing that kind of thing. They are probably the most dangerous of all hackers. It is also hard to identify who is not liked and therefore who will be attacked.

Score Keepers break in just to brag about it. Most if not all hackers have traits from this group. For acceptance or respect on the computer underground, they have to have ``ears'' on their belt. To these hackers, well-known, respected, secure and ``feared'' sites like the US Military and NASA are particularly attractive. Unlike joyriders, they go from machine to machine trying to break into as many systems as they can. That leads to another way that they can be noticed, when an administrator from another network complains about hacking attempts from your network.

Spies break in to get information; to steal information. They usually steal things that they can use or sell for money, e.g. credit card numbers. They are the hardest type of hackers to catch since they usually do not disturb anything. They get in, copy information, and leave without changing or removing anything. They may not use that break-in method again and almost never use the same access method to break into somewhere else. That is the point of stealing information. Usually the first choices for targets are Internet Service Providers (ISPs) and Telephone companies. Stealing passwords for dial-up accounts means the hacker never pays for the Internet connectivity. Breaking into the phone company means that he won't be paying for the call to the ISP either. If yours is a company relying on preserving a competitive edge by the information you keep, you will probably hate these hackers about as much as you will hate vandals. One of the most publicised stories of these types of hackers is described in [30].

Tiger Teams do not belong here but are included for a reason. There is much debate about what they actually are. What is certain however, is what they were. Tiger teams are groups of people employed by companies to probe the security of hosts belonging to that company. This allows the company to keep ``ahead'' of the hackers because holes can be patched before the hackers break in. It should now be apparent why tiger teams do not belong here - they are law-abiding citizens with a knowledge of security issues and therefore a countermeasure against hackers. It is important to note that some of the members of tiger teams are hackers, some even convicted. These days, some refer to a group of spies hired by a competing company to steal information from the competition as tiger teams. Hence their inclusion in this section.

  
2.2.3 Hacker Ethics

Most hackers claim to adhere to a Hacker Ethic when they hack. These hackers are said to be the ``real'' hackers of today because they are principled and never damage anything. Steven Levy's book, ``Hackers: Heroes of the Computer Revolution'', came up with six tenets currently regarded as the hacker ethic:

1. Access to computers should be unlimited and total
2. All information should be free
3. Mistrust authority - promote decentralization
4. Hackers should be judged by their hacking, not bogus criteria such as degrees, age, race or position
5. One can create art and beauty on a computer
6. Computers can change your life for the better[18].

As argued by Spafford in [26], at least two parts of the ``hacker ethic'' are flawed. It should be noted too, that the hackers that Levy was writing about were the original law-abiding hackers. The ideas he expressed were adopted by the current-day hackers to justify their illegal hacking and to get up to the level of the original and real hackers. It should also be noted that not everyone who breaks into computer systems shares these views. The fact that there are some hackers out there who do not subscribe to these ideas seems reason enough not to trust hackers. At the very least, it is reason enough to not trust anyone you do not know personally and whose neck you cannot snap in real life.

2.2.3.1 An opposing view

2.2.3.1.1 Eugene Spafford

Spafford has published extensively. He is also the co-author of the book Practical Unix Security[12]. He wrote a paper [26] in which he evaluated the moral implications of computer break-ins. In this paper, he concludes that the act in itself is immoral. He extends this idea to say that when not breaking in would cause ``a greater wrong'', then the act is allowed.

In his paper he refutes some of the reasons hackers give for hacking. We shall now take a deeper look at two of these reasons, with the reasons he uses to claim that they are not moral. We shall also consider counter arguments to his belief. The interested reader can read more on Spafford's arguments in [26]. The two arguments of his we consider are:

The Hacker Ethic claims in part that all information should be free (see 2.2.3). From this it follows that intellectual property doesn't exist and there is no need for security. He argues that privacy is not a possibility with this view, neither is accuracy of information. He continues to include economic arguments to point out that such a view is naive and unrealistic.

The Security Argument claims that break-ins illustrate security problems to a community that would otherwise not listen. This argument is the one used most by the people who defend Robert T. Morris, the author of the WORM program. Spafford goes on to add that Morris was respected in the security community. Therefore, if Morris had spoken about the bug he exploited in sendmail, Spafford claims the community would have listened. The security community had listened when he announced an FTP vulnerability. Spafford adds that saying that people who break into computers are performing a service for which they should be commended is as ridiculous as saying vigilantes have the right to break into homes to demonstrate how susceptible to burglars they are.

He points out that not every site has resources to install the newest, greatest and most secure software. The other side of the coin is that if they cannot fix their problems, they need to find other ways to protect their sensitive information. It boils down to what is more important. If your information is the lifeline of your organization, you will pour a lot of resources into protecting that lifeline. Going on, Spafford claims to know of sites that were taken off the Internet because of the threats posed. He claims that is a high price to pay for a claimed ``favour''. Taking mission critical machines off a publicly accessible network is just what Richard Stallman advocates[28]. Stallman believes that if one has information that needs to be kept secret, one needs to make sure it is unreachable.

2.2.3.2 Would you hire a hacker?

In section 2.2.2, we introduced tiger teams. We also noted that tiger teams did not belong in the aforementioned section since they are/were law-abiding citizens. We also noted that some members of tiger teams have been known to be convicted hackers. Spafford is adamant that it is ridiculous to employ a hacker, especially a convicted one, to secure your network. He believes that hiring a hacker would be like ``hiring a known arsonist to install a fire alarm. Just because he knows how to set a fire doesn't mean he knows how to extinguish one''[8].

While in a way Spafford is justified in being reluctant to hire hackers, his analogy does not do them justice. Hackers happen to know a lot about computer security and even if they do not patch the holes up themselves, they can point them out. When a hacker is helping you protect your system, you have the added advantage of knowing how the hacker thinks, and therefore how other hackers are likely to think. To claim that hackers are bad, full stop, and that there remains no use for them is to send them back to what they know, which we will then condemn. While we agree that one has to be very careful if one intends to hire a hacker to improve system security, we do not agree with a blanket ``no hackers''. To effectively protect against hackers, one must have a working knowledge of how hackers think.

The answer to the question posed above is one that has to come from each individual concerned with security. There are pros and there are cons to hiring hackers. To give an answer here would make us responsible for bad choices on which hackers to employ, if a decision is taken to employ a hacker, a responsibility we do not want. If the reader is worried about security and cannot afford to take the risk of hiring a hacker, then he is advised to go Spafford's route; it is the safest. However, if this document accomplishes what it sets out to accomplish, the reader should neither have to ask nor answer the question posed above.


Shaun Bangay
1998-11-19