Read the book Hacking the Hacker - Grimes Roger A. - Page 9
1 What Type of Hacker Are You?
Hacker Hats
I’ve been a hacker my whole life. I’ve gotten paid to break into places (which I had the legal authority to do). I’ve cracked passwords, broken into networks, and written malware. Never once did I break the law or cross an ethical boundary. This is not to say that I haven’t had people try to tempt me to do so. Over the years, I’ve had friends who asked me to break into their suspected cheating spouse’s cellphone, bosses who asked me to retrieve their boss’s email, or people who asked me to break into an evil hacker’s server (without a warrant) to try to stop them from committing further hacking. Early on, you have to decide who you are and what your ethics are. I decided that I would be a good hacker (a “whitehat” hacker), and whitehat hackers don’t do illegal or unethical things.
Hackers who readily participate in illegal and unethical activities are called “blackhats.” Hackers who make a living as a whitehat but secretly dabble in blackhat activities are known as “grayhats.” My moral code is binary on this issue. Grayhats are blackhats. You either do illegal stuff or you don’t. Rob a bank and I’ll call you a bank robber no matter what you do with the money.
This is not to say that blackhats can’t become whitehats. That happens all the time. The question for some of them is whether they will become a whitehat before having to spend a substantial amount of time in prison. Kevin Mitnick (https://en.wikipedia.org/wiki/Kevin_Mitnick), one of the most celebrated arrested hackers in history (and profiled in Chapter 5), has now lived a long life as a defender helping the common good. Robert T. Morris, the first guy to write and release a computer worm that took down the Internet (https://en.wikipedia.org/wiki/Morris_worm), eventually became an Association for Computing Machinery Fellow (http://awards.acm.org/award_winners/morris_4169967.cfm) “for contributions to computer networking, distributed systems, and operating systems.”
Early on, the boundary between legal and illegal hacking wasn’t as clearly drawn as it is today. In fact, most early illegal hackers were given superhero cult status. Even I can’t help but be personally drawn to some of them. John Draper (a.k.a. “Captain Crunch”) used a toy whistle from a box of Cap’n Crunch cereal to generate a tone (2600 Hz) that could be used to steal free long-distance phone service. Hackers who released private information for “the public good” have often been celebrated. But with a few exceptions, I’ve never taken the overly idealized view of malicious hackers. I’ve had a pretty clear vision that people doing unauthorized things to other people’s computers and data are committing criminal acts.
Years ago, when I was first getting interested in computers, I read a book called Hackers: Heroes of the Computer Revolution by Steven Levy. In the dawning age of personal computers, Levy wrote an entertaining tale of hackers, good and mischievous, embodying the hacker ethos. Most of the book is dedicated to people who improved the world through the use of computers, but it also covered the type of hackers who would be arrested for their activities today. Some of these hackers believed the ends justified the means and followed a loose set of morals embodied by something Levy called “hacker ethics.” Chief among these beliefs were the philosophies that any computer could be accessed for any legitimate reason, that all information should be free, and that authority should be distrusted. It was a romanticized view of hacking and hackers, although it didn’t hide the questionable ethical and legal issues. In fact, it centered around the newly pushed boundaries.
Steven Levy was the first author to whom I ever sent a copy of his own book, asking him to autograph my copy and send it back (something others have done to me a few times now that I’m the author of eight previous books). Levy has gone on to write for or become the technical editor of several major magazines, including Newsweek, Wired, and Rolling Stone, and he has written six other books on computer security issues. Levy continues to be a relevant technology writer to this day. His book, Hackers, introduced me to the wonderful world of hacking in general.
Later on, other books, like Ross Greenberg’s Flu-Shot (long out of print) and John McAfee’s Computer Viruses, Worms, Data Diddlers, Killer Programs, and Other Threats to Your System (https://www.amazon.com/Computer-viruses-diddlers-programs-threats/dp/031202889X), introduced me to fighting malicious hackers. I read these books and got excited enough to make a lifelong career out of combating the same threats.
Along the way, I’ve learned that the defenders are the smartest hackers. I don’t want to paint all malicious hackers with the same brush of mediocrity. Each year, a few rogue hackers discover something new. There are a few very smart hackers. But the vast majority of malevolent hackers are fairly average and are just repeating something that has worked for twenty years. To be blunt, the average malicious hacker doesn’t have enough programming talent to write a simple notepad application, much less discover on their own how to break into some place, crack encryption, or successfully guess passwords directly – not without a lot of help from other hackers who did the real brain work years before.
The irony is that the uber‐smart people I know about in the computer world aren’t the malicious hackers, but the defenders. They have to know everything the hacker does, guess at what they might do in the future, and build a user‐friendly, low‐effort defense against it all. The defender world is full of PhDs, master’s degree students, and successful entrepreneurs. Hackers rarely impress me. Defenders do all the time.
It is common for defenders to discover a new way of hacking something, only to remain publicly silent. It’s the job of defenders to defend, and giving malicious hackers new ways to hack something before the defenses are in place won’t make anyone else’s life easier. It’s a way of life for defenders to figure out a new hack and to help with closing the hole before it gets discovered by the outside world. That happens many more times than the other way around (such as the outside hacker discovering a new hole).
I’ve even seen defenders figure out a new hack, but for cost efficiency or timing reasons, the hole didn’t get immediately fixed, and later on, some outside hacker gets credit as the “discoverer.” Unfortunately, defenders don’t always get immediate glory and gratification when they are doing their day jobs.
After watching both malicious hackers and defenders for nearly three decades, it’s clear to me that the defenders are the more impressive of the two. It’s not even close. If you want to show everyone how good you are with computers, don’t show them a new hack. Show them a new, better defense. It doesn’t require intelligence to find a new way of hacking. It mostly just takes persistence. But it does take a special and smart person to build something that can withstand constant hacking over a long period of time.
If you want to impress the world, don’t tear down the garage. Instead, build code that can withstand the hacker’s mauling axe.