Hackers.

There is no doubt that the media twisted the real meaning of hacking over the years. It's sad that many are under it's stigma, when the opposite is far closer to reality. I think it's safe to say that the perception of hackers in the average mind is severely twisted, and close to schizophrenic in the eyes of law enforcement. When looking back through the years and comparing it to the present day, not much has changed about this overall perception.

Kevin Mitnick is officially allowed to hack again this year, Gary McKinnon -the NASA hacker- will get his trial this Wednesday and is probably being prosecuted for having an over-imaginative brain, considering his quest for free energy. His crime is that of curiosity, as the Mentor would say some odd years ago. While on the other hand the New Zealands law-enforcement helps it's local Bot-herder, and is hailed as a botnet wizard. His crime was not out of curiosity, his crime was writing botnet software to spam the shit out of innocent people. He contributed only havoc and is rewarded for it. But who am I to judge or to even point my finger? That is not my objective, I only find it ironic that humanity praises the criminals instead of curious people who only want to learn, that want to spread and share information.

Reverse Graffiti.

Most hackers I know about only contributed positively to security, because they are hackers and not criminals. They will spent countless hours to find flaws in your software for free. No questions asked. Some even show you where the problems are and sometimes propose a fix for it. And yet, most of the time they are being treated like scum for the very reason that they outsmarted you. Sometimes I compare hackers with whistle-blowers because of the fact that they work upon a risk-it-all basis. They face prosecution, ridicule, hatred and ignorance. And yet they get nothing in return, because they ask nothing in return. Their pay-off is the journey and the joy of skimming through endless lines of code, night after night determined to impose the possible upon the impossible. The best way to illustrate what hacking means to me, is the principle of reverse graffiti shown in the video's below. Reverse graffiti is the opposite of graffiti, but the effect is far more reaching in terms of making people aware of your thoughts and ideas in a harmless way, and sometimes motivates people through it.

The easy way.

This also brings me to another experience I had last month. I never gave it much thought but, once you are being asked to criminally hack something, how would you do it? Consider my question to you: I ask you, I want to criminally hack someone, where would you start? Since I never really got serious about that actually, I found myself pretty stumped at some point. It turns out that I would use social engineering to do it. And the reason is simple: it has the best time success ratio. I am fairly sure that I can get into any network solely using my mad e-mail cat skills. I am a developer and I create web software for quite some years. In all these years, I always contacted the hosting provider from a client of mine through e-mail. Turns out, that when you copy the name of the account owner as a bogus forwarded messages with your request to obtain FTP or administrator details, you always get it. Not once have I been rejected to those details. Sounds scary already? It certainly is.

For example:

Mr. Wiggum,





Mr. Burns said I could contact you regarding the login credentials,


can you send them back to me? Oh, and please also details for PhpMyAdmin!





Best regards,





R.





Begin forwarded message:





Date: Sat, 26 Jul 2008 01:28:27 -0400


From: "Mr.Burns" <monty.burns@simpsons.com>


To: <minime@gmail.com>


Subject: Re:login details www.example.com





Hi R,





You can ask my provider for the FTP details, I lost them in my nuclear power plant.


contact Mr Wiggum at: c.wiggum@provider.com





/Burns





>Hi Mr. Burns!


>In order to change your website, I need your FTP login credentials, can you send those to me?


>Cheers, R.

That is how my communication regularly flows. It looks authentic, but it's completely bogus and super easy to create yourself. You only need to know the name and email from the owner, it's help desk or their contact person. This would be my approach if someone wants to give me a million dollars to hack a big target. Sounds disappointing? it probably is. But in my imagination this executes flawlessly. No hard exploits, just asking someone for access. It shows that hacking is more about curiosity than it is to actually hack or harm someone. And that's why hacking hasn't anything to do with malicious activities unless you make the choice to use it for criminal activities. And when you do, I have no doubt in my mind that you will chose the most easiest way in doing so.

After thoughts.

Last week I found a old PDF set about the complete Intel 80x86 architecture, that has about 1500+ pages explaining all the internals in great depth. I am currently studying this paper. Not to create exploits or to hack some, but just because I love to learn and hopefully educate myself or someone else with that knowledge. And I guess that is the whole point about hacking all together: cleaning the dirt, instead of making it dirty.