Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
Security

Hackers: Under The Hood 280

Posted by timothy from the human-interest dept.
jyre writes "ZDNet Australia has a special report that profiles and interviews five hackers over the next five days. Day 1: Raven Alder's page is up now (inludes photos). Day 2 will be Attrion.org creator, Jericho. Day 3: Adrian Lamo. Day 4: Kevin Mitnick and Day 5: L0phtCrack creator, Mudge."
This discussion has been archived. No new comments can be posted.

Hackers: Under The Hood More

Hackers: Under The Hood

Comments Filter:

  • Ah, Attrion. (Score:5, Funny)

    by FlyingJesus ( 772528 ) on Tuesday April 20, 2004 @02:34AM (#8913907) Homepage
    I love attrion.org! It's the best way to start my day, opening the old browser and surfing on over to attrion! First on my list of things to do in the morning!

    Mods don't hurt me :)

  • Who? (Score:3, Funny)

    by blair1q ( 305137 ) on Tuesday April 20, 2004 @02:36AM (#8913914) Journal
    The total amount I care about self-proclaimed "H4xx04s?"

    0.

    • I agree. They aren't interesting. (Score:5, Interesting)

      by Anonymous Coward on Tuesday April 20, 2004 @03:13AM (#8914057)
      If you aren't computer-ignorant. But the media are computer-ignorant, and are happy to stay that way.

      A few years ago a major New Zealand ISP was "hacked" -- or so the media said. The biggest talkshow host of the time interviewed the alleged "h4x0r" live, and proclaimed him to be a "computer genius". We were all in deadly and imminent danger of being hacked by guys like him he said.

      The "hacker" in question was a 13 year old whose friend's older brother worked for the ISP. The older brother had stupidly given his staff login and password to his kid brother, who had, naturally, shared it with his friend, the "genius hacker". This friend then logged in and deleted a bunch of hosted websites. Pretty frikken 1337, huh?

      Take the little assholes out and beat them with wet towels, then make them parade naked through the streets. A fit punishment for such computer Uber-Gurus.
    • And at least two of those mentioned are self-proclaimed, and only that. Poor ZDNet.
    • Interview who [science.uva.nl]?

  • Prominent (and "notorious") hackers (Score:5, Insightful)

    by Incognitius ( 690760 ) on Tuesday April 20, 2004 @02:39AM (#8913926) Journal
    Remember that many of these "hackers" are reformed, and thus attempting to sell their services. They aren't really "notorious" hackers and are often out of touch with the hacker community.

    This is to be expected from a mainstream publication that intends to present "hacking" in a mainstream light. I say, read at your own risk.

    • Re:Prominent (and "notorious") hackers (Score:5, Funny)

      by Zog The Undeniable ( 632031 ) on Tuesday April 20, 2004 @03:10AM (#8914049)
      Yup, that would be the same L0pht Heavy Industries that sold out and became @stake, Inc. I mean, FFS, they could have at least called themselves @st4k3, 1nc.
    • Maybe presenting some reformed hackers as semi-normal people will help change the public preception of "hackers" in general.

      Maybe even a few people in the general public will become enlighted to some of the issues involving computer security: Microsoft's lip service to security, public bashing of Linux, the dangers of a monoculture and the magnitude of un-patched end user's systems to name just a few.

      We can only hope.

      The simple fact that it is from ZDnet.com.au speaks volumes as to the bias here in Amer
      • Maybe presenting some reformed hackers as semi-normal people will help change the public preception of "hackers" in general.

        Or maybe presenting some never-weres, as "reformed" anythings, when they are only media whores, will just confuse the public into thinking that all hackers are idiots, and thus harmless.
    • Be specific if you're going to make a claim like that (or at least, if you insist on getting modded +insightful for it). Each of those people is certainly influential enough in recent hacker history, whether or not they are "reformed" or "out of touch."

  • Definition (Score:5, Insightful)

    by the_enigma_1983 ( 742079 ) <enigma.strudel-hound@com> on Tuesday April 20, 2004 @02:41AM (#8913937) Homepage
    But are they going to define hacker? Are people going to see this as a bunch of articles about some scum who break into computers, or are they going to see a bunch of articles about people who have an intimate knowledge of computers? Either the meaning of the word hacker needs to change, or another word for the computer savvy needs to be found.

    • Re:Definition (Score:5, Interesting)

      by raven_alder ( 772810 ) on Tuesday April 20, 2004 @04:25AM (#8914309)
      Well, if it was a "scum" definition, I would think that I wouldn't have qualified to be interviewed. Behold the angelic halo. [grin]

      I've had this argument with journalists before; it's one of the reasons that I tend to avoid being interviewed.

      "Tell me about your secret blackhat teenage years!"
      "Uh, I never had a secret blackhat teenage phase."
      "Oh, come on, you can tell me."
      "No, really, I didn't."

      Repeat ad nauseum.

  • Perhaps we'll see (Score:5, Insightful)

    by Crudely_Indecent ( 739699 ) on Tuesday April 20, 2004 @02:42AM (#8913944) Journal
    more high profile 'hackers' explaining their driving influences. Raven Alder bashing script kiddies and suggesting that users learn how to use their toys is a good way to start. I wouldn't argue for a second with a girl that is as cute as Bjork and could audit my security.

  • L0pht crack (Score:5, Funny)

    by solid ( 15355 ) on Tuesday April 20, 2004 @02:45AM (#8913953)
    Mmmmm... L0pht password cracker. *urgh!* "Me use brute force!" *urgh!*

    • Didn't the L0pht's website run off an old Mac SE for a long time?
    • Was that an orgasm?

  • It's the stories that are always masked by stigma. (Score:5, Interesting)

    by Anonymous Coward on Tuesday April 20, 2004 @02:47AM (#8913960)
    I find it fascinating to look at the lives or hackers just as you would the lives of movie stars or politicians. There is such stigma attached to these pseudo-celebrities that people often don't get so interested in their stories. I thought tonight's article [zdnet.com.au] was a much better article than the recent nytimesmagazine [nytimes.com] article on script kiddies.

    I'm actually surprised there have not been more television biographies on hackers. It seems A&E Biographies, Discovery Channel, Learning Channel etc. would want to tell these stories.

    www.reeddavid.com [reeddavid.com]

  • These stories kind of annoy me. (Score:3, Insightful)

    by Anonymous Coward on Tuesday April 20, 2004 @03:00AM (#8914002)
    Self-styled 1337 h4x0rs aren't particularly skilled with computers. They just do stupid shit that other more mature computer users won't waste their time on.

    If I was a loser I could burgle houses if I chose to. It's not exactly difficult. Even the rich neighborhoods would be easy pickings. I'm sure I could break into many places before I got caught. But I'd still be a loser.

    So why are the computerland equivalent of dirty little sneak thieves constantly being feted as heroes and geniuses all the damn time?

    I hate movies like 'Hackers' which give zit-faced teenage virgins the idea that they'll get to screw Angelina Jolie if only they could be 1337...
    • They make great stories. Americans in particular are particular fascinated by the stories of criminals; I imagine it is the same in Australia if not more so given its history. From Billy the Kid to gangsta rap there's often glorification of the criminal's stories in popular culture, so it's no surprise to see computer criminals occupy a similar space. Though, the cowboys and gangsta rappers get way more chicks, Angelina Jolie aside....
      • It's the same in Australia. The Bushrangers of times past are reasonably well known (Ned Kelly being one) criminals in Australia.

        A friend of mine was busted by detectives for tricking some guy on IRC into accepting an EXE and running it. He then got his ISP login and that to various porn sites the guy was a member to. He was eventually busted sponging off the guy's net account.

        When it made the newspaper (small story) he was clearly portrayed as basically a smart kid looking for a challenge. Nothing overly

    • Raven definitely knows her shit. (Score:5, Insightful)

      by Kelvin ( 295 ) on Tuesday April 20, 2004 @04:41AM (#8914354)
      Admittedly, my only experience working with her was spending three days on the same team as her during last year's capture-the-flag contest at defcon, but it was pretty clear that she's very good at what she does.

      The kind of stuff she does is far above and beyond the sort of "easy pickings" you're imagining.

      Don't project your own script-kiddyness onto people actually have skills.

  • Perfect Ad (Score:5, Funny)

    by Jade E. 2 ( 313290 ) <slashdot@perlstor[ ]et ['m.n' in gap]> on Tuesday April 20, 2004 @03:07AM (#8914029) Homepage
    That's got to be the most perfect ad-to-article match ever. The interview contains these paragraphs:
    "The root problem that the security industry has is ... unscrupulous people selling to an uninformed market. The managers buying security products don't understand security at all, and so they trust the vendors to tell them what is best," Alder argued. "And somehow, conveniently, what is best has a great overlap with whatever that particular vendor happens to be selling."

    ...

    "[Companies] have the latest and greatest firewall that nobody has ever bothered to configure, or a very expensive intrusion detection system (IDS) that nobody has the understanding to tune."

    And the ad on the page says "Today's threats require a lot more than a firewall. This is a lot more than a firewall. Symantec Gateway Security 5400 series" (Ad here [doubleclick.net].)

    That's about the most perfect example of what she's talking about anybody could have come up with...

  • Attrition!? (Score:5, Insightful)

    by Anonymous Coward on Tuesday April 20, 2004 @03:08AM (#8914034)
    Yeah alright, they had a defacement archive back in the day, they're dried out now. What have they done since then and really what good was the defacement archive? All it really did was encourage defacements.

    The other guys have either shown skill, or created something. And lets shut up about "cracker v.s hacker" BS. Hacking is a SKILL SET, you can define black hat, grey hat, white hat from there if you want. Just because someone breaks the law doesn't mean they aren't a good "hacker" and are suddenly a "cracker".

    Also remember not all intruders are "dumb kiddies" there takes skill in a real intrusion even if you are using pre-canned exploits. There is a hacking mindset to getting into places. Its the same mindset used in writing unique code, among other things. Its not all dotslash. Thats like saying U.S Special Forces are 'kiddies' since all they do is a pull a trigger. Wrong.

    So tired of these people ranting and raving about 'cracking'. Get your head out of your asses and get off the bandwagon.

    • Re:Attrition!? (Score:4, Informative)

      by maxpublic ( 450413 ) on Tuesday April 20, 2004 @05:28AM (#8914481) Homepage
      Also remember not all intruders are "dumb kiddies" there takes skill in a real intrusion even if you are using pre-canned exploits.

      Script kiddies are called that for a reason. Often young and not terribly bright, they take programs written by others, programs they don't understand and can barely use, and launch attacks against the systems of others with them. Script kiddies, by definition, couldn't successfully modify or improve the code of the programs they employ if their lives depended on it.

      From my own experience I'd guess that perhaps only one in twenty so-called 'hackers' has the first damned clue what they're doing. Of this subset perhaps one in twenty could actually write an intrusion program of minimal value. And of this subset, perhaps one in twenty is actually skilled enough to call themselves 'hackers' and be recognized as such by expert coders.

      The actual number of hackers, or folks I'd deign to give the title, is minimal. The number of script kiddies is legion. This is actually a good thing, as you'd rather your average petty criminal was a fucking idiot than a genius any day of the week. It's easy to defend yourself against an moron who can't respond to a change in defensive strategy because they're incapable of modifying the code of their tools or coming up with a creative way to launch an attack; it's much more difficult to match yourself against someone with real talent who's spent years honing their skills in intrusion.

      Max

    • Re:Attrition!? (Score:4, Insightful)

      by Salamander ( 33735 ) <jeff@ p l . a t y p.us> on Tuesday April 20, 2004 @10:02AM (#8916082) Homepage Journal

      Looks like someone's fragile little ego got stepped on. "What have they done since then" and "there takes skill in a real intrusion" are the tipoffs that we're probably dealing with a 16-year-old who think computing began with him - yeah, almost inevitably him, sorry but that's the way it is in that community and I had to pick a pronoun. Here's a clue for you, kid. Cracking might not take zero skill, but it's still absolutely nothing compared to the difficulty of actually creating the systems you crack, or the tools you use on either side of the security fence. Reality puts up a lot more obstacles than any number of white hats, black hats, or any other color hats. Raven - who can obviously take care of herself and doesn't need my help defending her or other female hackers - offers some excellent advice that I can only second:

      To aspiring hackers, Alder has this piece of advice: "Learn TCP/IP or the internals of your operating system of choice. Ideally, learn both. Don't just be a script-kiddie who downloads an attack program off the Internet and think that's cool.

      "Understanding what you're doing is more cool. Having the know-how to develop a new and innovative attack or to develop a creative defence is a lot more impressive than 'dude, I sniffed your Hotmail password'."

  • Not that 1337 (Score:5, Insightful)

    by Magickcat ( 768797 ) on Tuesday April 20, 2004 @03:30AM (#8914117)
    If they were really oh so 1337, nobody would have ever heard of them, and they wouldn't be talking about their escapades either.

    • Re:Not that 1337 (Score:2, Insightful)

      by kmactane ( 18359 )

      Maybe that might apply to Mitnick. But Mudge/L0pht, Lamo, and Jericho/Attrition.org all publicized their own works. The L0pht folks said, "Hey, world, here's some software." Should they still be secret after that? Attrition.org was a public web site, fercrissake.

      And Raven Alder is 100-percent pure white-hat. She's interested in finding and publicizing vulns (and other security problems), rather than secretly exploiting them. Why in the world is that something that nobody should "have ever heard of"?

      When

  • An open letter to the anti-trolls. (Score:5, Insightful)

    by rjh ( 40933 ) <rjh@sixdemonbag.org> on Tuesday April 20, 2004 @03:57AM (#8914224)
    First, in the spirit of full disclosure: I know Raven. I know her well enough to be thoroughly impressed by her and her competency. By "thoroughly impressed" I mean "vaguely intimidated", too, and you know, that's not a bad thing to feel. Gives me an incentive to work that much harder. Competition is good.

    Reading this thread so far has led me to dismay. What thread dominates? Something that's so crude that it ought to be beneath our dignity to respond, even to condemn it. A few people have jumped on the trolls, modding them down into oblivion or responding to them.

    Here's a question: why? All it's doing is giving the trolls publicity. All it's doing is making people think that gender is an issue, because if it wasn't an issue, why would such a firestorm exist? If it wasn't an issue, why wouldn't the trolls just get modded into oblivion and go ignored, like the GNAA trolls?

    If you want to make a statement, if you want to condemn the immature and third-grade behavior of the trolls, if you want to say "look, I for one welcome competent people and I don't give a damn what plumbing they've got", the best response is not to jump on the troll bandwagon and respond to them.

    Mod them into oblivion, and let them be forgotten.

    They are nothing. For nothing, let there be nothing.

    If you want to make a statement, if you want to make a stand, if you want to say "look, I have no clue who this woman is, but frankly I'm appalled by some of the behavior here"... well, hey. Respond to this thread. Mod up responses in this thread. Let's take the publicity away from the trolls and put it to productive use. Let's see if we can't get a few dozen Slashdotters to make a positive stand instead of going around and giving the trolls what they want--furor.
    • More importantly, lets think of ways to stop this kind of behavior outside of slashdot discussions, where you can't just mod someone down until they disappear into oblivion.

    • Here's a question: why? All it's doing is giving the trolls publicity. All it's doing is making people think that gender is an issue, because if it wasn't an issue, why would such a firestorm exist? If it wasn't an issue, why wouldn't the trolls just get modded into oblivion and go ignored, like the GNAA trolls?

      Are you complaining because you think gender isn't an issue, or because you really wish it wasn't? Obviously it is an issue for some people, otherwise people would do exactly what you're saying.
    • The stereotype of the male geek being a mysogynistic prick isn't entirely off-base. Just try free-lancing for awhile, work with the IT departments of corporations large and small; you'll run into women-hating twits on a regular basis, far out of proportion to other departments within said corporations.

      Better yet, try working with those IT departments when you have a woman partner. When the geeks aren't hitting on her they spend their time muttering about what a 'frigid bitch' she is because she won't hop
    • I, for one, welcome competent people but I do give a damn what plumbing they've got...but it doesn't affect my opinion of their competence.

      When people make hurtful personal remarks, sure, that's immature, and shouldn't enter into a discussion on what is basically a profile of a person as a hacker. I'm equally offended when people make fun of RMSs beard or Tron dude's camel toe..

      I find girls more attractive than guys. I don't think she's a better hacker (well..maybe a better social-engineer:o) just b

  • Second profile is already up (Score:5, Informative)

    by prat393 ( 757559 ) on Tuesday April 20, 2004 @04:18AM (#8914287)
    and available here [zdnet.com.au]

  • Question for Raven, since I noticed you're reading (Score:4, Interesting)

    by thrice rocks! ( 619873 ) on Tuesday April 20, 2004 @04:37AM (#8914341)
    I noticed that in the article you gave some suggestions for what people should learn about.. I'm not nearly advanced enough to delve into any of that, though. I'm not as interested right now in security (just because I don't have the knowledge to approach it at the moment) but I am interested in learning more in general.

    I tried studying CS at my university and found it didn't interest me as much as it did when I studied it on my own (hence my becoming a sociology major ;) - perhaps because I'm much better with projects than tests, and the classes I took were centered mostly around tests. I'm still interested in learning more about programming and "how things work" in general, however.

    Do you have any suggestions for studying on my own? Would it be best to learn one programming language very well and then apply it to others, or is there a better approach? (One of the things I found frustrating in classes was learning a new language in every class I took, when I don't know any language well at all.) What advice can you give someone who would like to learn more, but doesn't do as well in a traditional CS/EECS/etc academic environment - books, good websites, anything? You also said that you were studying "an unrelated field," so I was curious as to how you went about learning more..

    (Personally, I know little bits of C, C++, Python, Perl, and Java, but not enough to do anything significant in any of those.. I also have written a few little shell scripts that don't do much. Otherwise, I'm pretty clueless - but I'd really like to increase my knowledge.)

    Thank you in advance to Raven and/or anyone else who gives me some advice.

    • Re:Question for Raven, since I noticed you're read (Score:5, Insightful)

      by raven_alder ( 772810 ) on Tuesday April 20, 2004 @05:23AM (#8914469)
      Okay, so you don't want to specialize at the moment. Fair enough. I am assuming that your wanting to understand "how things work" is programming in general and not security programming/code audit?

      In short, find something that you are interested in and take it apart. [grin] You don't necessarily have to follow a structured academic program to become proficient in a field, whether your intent is to make it your hobby or to make it your profession. My academic background is entirely not in CS, and though I have many friends in CS academia, what they do can be very different indeed from what I do day to day. I learned mostly by experimentation and research on things that I was interested in.

      So, find something that you like. Look at the source code, if it's available. Try to figure out what does what. Change things around, and see if you can make it better. One of the best ways to learn for many people is by doing. If you don't know what needs doing, volunteer for a project that is already established and is looking for people. Open Source is so helpful this way -- it feeds your resume *and* helps the community.

      My first programming language was Perl. I was told by many geeks that this was a bad choice -- it would give me bad habits if I ever wanted to move to a language with a more rigorous structure. They were right, but it was both a good and bad thing. When I started doing C, and in particular when I started poking at kernel code, I had a lot of extra learning to do. But Perl was still a good way for me to start, because when I started programming I wanted to do quick scripting, not kernel hacking, and the flexibility of Perl was great for me.
      • "Excuse me, miss Alder, its the 90's on the phone, and they'd like they're [grin] tags back."

        Now, I have a question that is partly in jest and partly in which I would really like to know the answer. If you started programming in Perl, how on earth did you ever stay interested in programming? I'm a "learn by example" when it comes to new languages, but unless I'm sitting next to an O'Reilly book, there isn't an example in the world that makes sense to me.

        Did you ever find the "new" slogan for perl - "The
    • Just to give a specific place to start if one is interested about network hacking, or whatever you want to call it:
      First, know what is a bit, byte, word, doubleword. What is big-endian and little-endian. What is a stack. How does a processor work in general.
      Then, buy "TCP/IP Illustrated, Volume 2". Read it through once.
      Write a simple pcap based IDS to detect normal half-open portscan (syn-scan).
      Now, write improve on your IDS to give no false positives on a server with undefined amount of undefined services.
  • I remember, back when I lived in the DC area several years ago, I went to the wedding of an aquaintence of mine (a friend of my friend Cat). She was this girl who was just learning C and invited me to be part of her CCNA study group. Being in the middle of one the most antisocial periods of my life, I just kind of dropped off the face of the earth (and eventually moved to Seattle). Now I see articles about her on slashdot. Raven, if you remember this long haired, antisocial, larval stage techie named Jo

  • Non-issues (Score:4, Funny)

    by zoeblade ( 600058 ) on Tuesday April 20, 2004 @06:17AM (#8914642) Homepage

    From the article: Gender is a non-issue... If there's one thing [Raven] hates, it's being type-cast as a "chick hacker".

    What a fantastic way to start off an interview: with something the interviewee doesn't consider in any way important! Do these people actually objectively read what they write?

    Obligatory Python reference: "And did you write this music in the sheds [uibk.ac.at]?"

    • Read any furthur and you subject yourself to the license in the paragraph at the bottom of this post. This does not apply if you only read the first and last paragraphs to this post.

      The problem is that this has become the reverse of a non-issue. It's an issue because she hates people making it an issue. As for putting it first in the article, sounds fine to me.

      Raven, if you ever read this...

      I'm going to pretend I'm in your situation. I'm going to pretend, just for a moment, that I'm a man who's into
  • We all know hackers are physically unfit males aged 13-19 with pasty faces and no social skills. :o)
  • Hopefully this whole series will give the "mainstream" a kick in the sternum by challenging their pre-conceptions about 'hackers'. They've certainly picked a great opener.

  • Programmers: Under The Hood? (Score:3, Insightful)

    by harumscarum ( 675595 ) on Tuesday April 20, 2004 @08:11AM (#8915012) Journal

    So when do we get to see some articles on the people that really do matter? :)

    Why is it that programmers get no love? What about the programmers who have changed/influenced culture within the last decade in gaming, corporate, or home use.

    *tear* all people want to do is tear our software down and praise the people that do it *tear*

  • My Attrition story... (Score:5, Interesting)

    by Samrobb ( 12731 ) on Tuesday April 20, 2004 @11:09AM (#8916935) Journal

    My wife and I were in Butler, PA about 2-3 years ago to consult a doctor. We arrived early, and decided to wander around a bit and grab a bite to eat.

    So, we walked by a storefront with a sign on it that said "Attrition". I glanced in the windows, saw a bunch of hardware, and took a few more steps before I realized "Hey... I *know* who that is!" I went back and poped in with my daughter, just to say hi. Gist of the conversation:

    Attrition guy: Can I help you?

    Me: Are you the guys that run attrition.org?
    AG: Yes, that's us.
    Me: Wow. I had no idea that you were in Butler.
    AG: Um... yeah.
    Me: OK, just wanted to say hi. Later!

    What really registered with me was that here was a fairly well-known web site, being run out of Butler, of all places. No need to live in NY, LA, Chicago, Boston, or any of those other urban sprawls... just find a nice town, get yourself a net connection, and you're in business.

  • Raven's comments on pre-packaged attacks (Score:4, Interesting)

    by Gyorg_Lavode ( 520114 ) on Tuesday April 20, 2004 @11:10AM (#8916951)
    Raven commented on "attack programs". I don't know if she ment pre-written code to exploit known vulnerabilities or not but that is what I am interested in.

    Last month I had the privelage of watching a small hacking competition as part of a larger defense contractors conference. (Southeastern Software Engineering Conference [ndia-tvc.org]). The had a small network set up to simulate a corporate network and teams attempting to attack it. The team that did the best was a red team from Northropp Grumman (which someone said won the Defcon capture-the-flag competition though I never looked it up).

    The thing is, their strategy seemed to be to map the network, then run pre-packaged attacks appropriate for the specific device, then install a backdoor and repeat launching off of the machine they'd taken. Security experts in all their interviews repeatedly state that it is undesirable to do this, (ie, use previously written code for the bulk of their pen testing/attacks). Is there a disconnect between what security experts say and what they actually do?

    (I do want to add that the team that won was very impressive, taking about a box an hour through the 6ish hours the contest was run. There was a very small time frame which might have necessitated the canned attacks. But the network was representative with at least 1 dedicated firewall, IDS, and honeypot and computers running windows, linux, and solaris. All with reasonable patching.)

  • Virginia Tech (Score:2, Funny)

    by kyoko21 ( 198413 )
    Raven went to Virginia Tech :-) Let's go Hokies! Even castrated turkies can be hackers, too. *gobble gooble*
  • Day 2 will be Attrion.org creator, Jericho

    Jeriho was at Attrition. Muge was at l0pt.

Slashdot Top Deals

This restaurant was advertising breakfast any time. So I ordered french toast in the renaissance. - Steven Wright, comedian

Close