Help - Search - Members - Calendar
Full Version: How accurate is SR's depiction of hackers?
Dumpshock Forums > Discussion > Shadowrun
Pages: 1, 2
emo samurai
by Bruce Sterling. His vision of the hacker underground is a bunch of teenagers simply looking to make information free. They steal research and shit, but they have no idea how to capitalize it. They seem motivated more by curiosity than anything else. And most importantly, they're rare; he estimates there are about 100 truly 1337 hackers, and about 5,000 true hackers.

Anyone able to expand on this, maybe even speak from experience?
Kagetenshi
SR doesn't depict hackers at all, with the possible exception of the old Neo-As.

~J
Ranneko
Put quite simply, it doesn't. It never has and it never will.

Accurate hackers are not that interesting, especially since SR doesn't have accurate computers.
Konsaki
SR Hackers are script kiddies on steroids. You cant do shit without a program, but if you have the right one at a high enough quality, you can take down government computers.
Wounded Ronin
QUOTE (Konsaki)
SR Hackers are script kiddies on steroids. You cant do shit without a program, but if you have the right one at a high enough quality, you can take down government computers.

Hysterical and sigged.
hobgoblin
about as accurate as their depiction of firearms (if the 10001 threads about the topic is anything to go by)...
Konsaki
QUOTE (Wounded Ronin)
QUOTE (Konsaki @ Oct 3 2006, 06:47 PM)
SR Hackers are script kiddies on steroids. You cant do shit without a program, but if you have the right one at a high enough quality, you can take down government computers.

Hysterical and sigged.

I'm honored. First time anyone had deemed anything that came from me worthy of sigging. biggrin.gif
emo samurai
What are RL hackers like, then?
Frag-o Delux
Just like any other person that is really into any other sub culture. Really wrapped up tight in their hobby and very passionate about it. Nothing special.
Ancient History
Well, the popular image of a "hacker" is a teens-to-twenty-something whiteboy breaking into bank computers, releasing viruses on e-mail, and committing identity theft.

Those are pretty few. For one thing, as Bruce Sterling points out in the book, the vast majority of computer criminals are crackers (yes, they tend to be Caucasian) who crack protection software to copy and meddle with programs and websites. If you're not a big corporation, you're probably not going to lose any money (and, indeed, you may save money by buying or downloading a pirated program - at your own risk).

There are a range of amateur-to-semiprofessional criminals (no doubt the Administration calls them computer terrorists, gah) engaged in malicious activity, such as identity theft, credit card fraud, transferring funds from bank accounts, stealing and selling sensitive data, etc. Generally, these people need a certain level of skill above crackers to operate effectively (i.e. make cash and not get caught), and there is probably some crossover with other criminal activities, like breaking-and-entering.

Then there are the darkside hackers, or compsecurity guys whose basic jobs are to keep people out of protected systems. Naturally, these are the same guys who have the skills to penetrate other system defenses (and indeed, some compsec guys and gals are hackers who decide to cash in and get a real job where they don't face prison if they fuck up).

Pursuers of electronic music, cryptography, game design, mathematics, computer engineering, deep programming and similiar fields tend to have a lot of cross-over with the people who have the legitimate skill and know-how to be a hacker or a cracker, hence the reason those areas are sometimes regarded as the domain of hackers - it's a recognition of trends (skills + interests == higher probability of hackers present). By comparison, the hacker subculture is based off of movies and popculture representation of hackers, which is based off of fictional representations of hackers, which are (loosely) based off of real hackers - and of course the hackers and crackers join in, so there is always a minority of hackers and crackers in the hacker scene.
Backgammon
I'm currently following a Software Security class as part of my Engineering degree. My current lab consists of having to hack into a comouter.

It's fucking HARD, tedious and boring. First you gotta find open ports. That's easy enough. But next you gotta find what version of what service is running on each port. Then you have to painstackingly (sp) research those services, of that exact version, and look for a exploit to get in. It's boring, boring research and analysing. Not to mention you have to cover your tracks or else you go to jail, Bleh, it's definatly no fun.
emo samurai
But if you were a hacker, you'd already know that stuff. I guess you become a hacker only if you enjoy doing that research. How do you research an exploit, anyway? Do you just go on the internet, or do you download source code?

And how many schools involve hacking a computer? Is that a normal part of any computer security course?
hyzmarca
Most cracking is actually done through social engineering. Call up the IT department and say "This is Steve in Accounting and I forgot my password." It works.
emo samurai
How often?
Kagetenshi
Often enough.

~J
emo samurai
Well, it works for my college; I still don't think it should work that well for research labs and stuff.
Frag-o Delux
Some exploits are also found by accident. NT4 had a bunch of them and you could just easily stumble onto them. A few friends and I were in class, well it was before class playing video games. The head of that department didnt want us playing in that room so he had us locked out of the network on those terminals. We bet our programming teacher that if we could gain access to the network and get access to the computers again can we play games again. He accepted and we sat down to go to work. In less then 30 minutes the 3 of us were in the system and resting passwords and permissions. 20 minutes after that we were back to playing games. Im not a hacker wont claim to be, but I learned a few tricks from old hackers.

A lot of hackers pick up these things from people they know. One of my friends is the child of two prgrammers. They were prgramming when punch cards were the only way. Then on to Cobol and all that stuff.

The information is out there, but today if its out there and easy to find you can bet its probably taken care of with a security patch. You can still try that way, because suprisingly a lot of admins are bad at updateing security especially on Windows servers, they fear the security releases. So they run them on a test server for a few days to make sure its not going to crash their networks and cause a lot of trouble ont eh real network. Some are just lazy or really dont have a clue.

You can try reverse engineering the software, or you can just try things in general. If you are into computers like the real hackers are you will know how the things work in such minute detail they sometimes just try things that theoretically would work and see what happens.

Like I know of a specific commercially availibale router that is sold everyday and is rather popular that does VPN and has a very major problem with the "Security" of this service. The VPN works, and it work like its suppose to. But if you telnet into the back of the router (which is relatively easy) you can then see the VPN and use it to ride into the other computer using the same VPN connection. Since you are on a VPN and its authenticated the other computer wont stop you. Its funny when routers are allowed to set up VPN connections through NAT IP addresses.

Oh, did I mention the engineers were told and they said "ok, well get to it when we have the time."
Backgammon
QUOTE (EMO SAMURAI)
But if you were a hacker, you'd already know that stuff. I guess you become a hacker only if you enjoy doing that research. How do you research an exploit, anyway? Do you just go on the internet, or do you download source code?

And how many schools involve hacking a computer? Is that a normal part of any computer security course?

We have a list of web sites that discuss existing weaknesses, from which we can download code, yes.

A real hacker would probably know by heart security flaws for certain versions. He would probably write his own exploits, which isn't that hard once you understand the logic of the flaw. We have life easier (since it's a class) and the server is running old software with known faults. We just have to find them, then run code on it.

I'm pretty sure if you don't hack a computer, you are getting a bad eduction. How else can you understand the dangers that exist? Of course, this is a computer specially set up for this. We're not hacking some random computer of our choice.
Backgammon
QUOTE (EMO SAMURAI)
How often?

We learned it's probably the best way to go at it. There are some very good articles on the net about social engineering, just google it.
emo samurai
But when you finally hack the computer, you'll think it's cool, right?
TheNarrator
Sure, up until the FBI Computer Crimes Division kicks down your door.
Vaevictis
QUOTE (EMO SAMURAI @ Oct 3 2006, 10:12 PM)
But if you were a hacker, you'd already know that stuff. I guess you become a hacker only if you enjoy doing that research. How do you research an exploit, anyway? Do you just go on the internet, or do you download source code?

There are four main ways:

1. Social Engineering.
2. Inside man.
3. Skript Kiddie Way -- go find someone who's researched and written an exploit, and get a copy.
4. Non-Skript Kiddie Way -- poke and prod and poke and prod until you find something for which you can write an exploit.

The first three are self-explanitory.

The fourth way requires a lot more technical knowledge than the first three. There are a few major techniques that are commonly used -- the most popular of them all being something called a "buffer overflow".

This was popularized in the mid 90's by a paper by a guy who called himself "Aleph One" -- the paper was called "Smashing the Stack For Fun and Profit."

Basically, if you know how, it's sometimes possible to trick code that handles input poorly into reading your input into it's own program code. By doing this, you can essentially load a program into memory with the same permissions as the program itself -- which, ideally, is an administrator (root) level account.

There are other techniques -- trojans (which are really just a technical solution combined with social engineering), exploitation of race conditions, sifting for passwords (either with listening/keylogging techniques or password cracking), and some others. I think I covered all of the most popular ones though.

Personally, if I had a class where we had to break into some server, I'd just "social engineer" my way into the room where the server was, yoinch the hard drive, reset the password and call it a day. If it was in the guy's office, for example, I'd just get a pal in the class to distract him while I did the deed, etc.
SL James
QUOTE (TheNarrator @ Oct 4 2006, 04:32 AM)
Sure, up until the FBI Computer Crimes Division kicks down your door.

They're not thugs....

They use a battering ram. And flash-bangs. And carry big guns.
Vaevictis
They don't usually do that unless they think you might be armed.
hyzmarca
QUOTE (Vaevictis)
Personally, if I had a class where we had to break into some server, I'd just "social engineer" my way into the room where the server was, yoinch the hard drive, reset the password and call it a day. If it was in the guy's office, for example, I'd just get a pal in the class to distract him while I did the deed, etc.

You don't eve n have to yoink the HD in most cases. If the server is running windows XP (and most are) there are bootable programs available that will show you XPs password list. Likewise, bootable flashdrives and live CD allow you to carry your own OS whereever you go and get protected files from any system. Unless they prohabitied booting except from the hard drive and password protected the bios, it is trivial to break into a system if you have physical access and if you have to open the case it is even simpler to reset the BIOS.
Ancient History
QUOTE (Vaevictis @ Oct 4 2006, 12:11 PM)
They don't usually do that unless they think you might be armed.

Or if you're a role-playing company.

[/edit]Kidding, kidding. They just take your stuff and never give it all back.
Vaevictis
QUOTE (Ancient History)
They just take your stuff and never give it all back.

Now THAT you're not kidding about. I had a buddy get raided in 1996, and he's still waiting for his equipment to be returned.
emo samurai
Would it help that much nowadays? Does hacker equipment age the way normal computer software does?
Vaevictis
Dude wants his porn back.
emo samurai
That's worse than losing your edge, man.
nezumi
Bah, looks like I missed most of the conversation. BTW Emo, Hacker Crackdown is a very good book. It's a fun read, and probably one of the most factual hacker books on the market (that really isn't say much, though).

I work with a government agency of little import in the security field. Two years ago I did the bulk of their security work. Most people considered security 'one more thing' they had to do. It's expensive, it wastes man hours, and it's inconvenient. The actual computer geeks know why we do it, and so a customer service team that has a background in computers won't give you a password, but most everyone else is clueless and careless. A smart social engineer can get a long way that way. In fact, the single most famous hacker (no points if you guess the name nyahnyah.gif ) is known primarily for his social engineering skills.

Like Backgammon said, REAL hacking (like what you see on TV, breaking into a computer remotely) is 99% research. How much research depends on how much data you have available and how well protected the computer is. If it's a win98 box, it could be fairly easy to find information out there already on known vulnerabilities. Hacking movies almost never have it right, and seem to now be competing on who can make the hacking scenes the shortest (remember the second Matrix movie when the woman hacks in in under 15 seconds? Yeah... Even though she was just password guessing, it's a little improbable.)

However, getting programs to behave how they shouldn't to your benefit can be a very fun hobby. If you're interested, it's well worth researching, even if you never get past modifying hex files in computer games. There's definitely a sense of accomplishment from solving problems like that.
emo samurai
How about hacking Linux? And what do you mean by covering up your tracks?
Kagetenshi
QUOTE (nezumi @ Oct 4 2006, 10:03 AM)
In fact, the single most famous hacker (no points if you guess the name nyahnyah.gif )

Linus Torvalds! nyahnyah.gif

Arguably John Carmack.

Anyway, your point on the second Matrix movie is unfounded. Shockingly enough, if you read the text on-screen, Trinity is legitimately using nmap to scan a machine and then using a known exploit for some service she finds there (IIRC, SSH) to crack into the machine. That's probably the single most realistic depiction of cracking in popular movie history.

~J
Vaevictis
I'm pretty sure he means Mitnick ;p
Kagetenshi
He might mean Mitnick, but he'd be wrong. Mitnick was a cracker.

~J
mfb
QUOTE (Kagetenshi)
That's probably the single most realistic depiction of cracking in popular movie history.

what about in Swordfish, where Wolverine haxx0rz teh intrawebs with nine screens and a 3d-imaging program? that seemed really realistic to me.
Shrike30
QUOTE (Vaevictis)
They don't usually do that unless they think you might be armed.

Hey, the FBI knows all real hackers carry flare guns grinbig.gif
Critias
QUOTE (mfb)
QUOTE (Kagetenshi)
That's probably the single most realistic depiction of cracking in popular movie history.

what about in Swordfish, where Wolverine haxx0rz teh intrawebs with nine screens and a 3d-imaging program? that seemed really realistic to me.

Squares are the secrets to ultimate intrawebs power!
Drraagh
There's a lot of different types of hackers as has been covered. If you go with, at least what I have seen as, the most accepted definition of a hacker, is that one who explores, poking and proding around in systems in search of whatever they can find. They are the people who sit down with a Hex Editor and then in ten minutes have a new web browser created or you give them a program and they find a way to make it do something it wasn't designed for, like there was a guy in my high school who had our server crash one day as he was using it to calculate some large equations, because he could and wanted to see how high it could go.

They aren't, by nature, destructive or malicious, though some people can see their actions that way because they are trying to push the limits of technology as far as they can, and some tend to follow the 'Information wants to be free' ideal.

Under the same definition I have seen in common usage, Crackers tend to be the ones who break into systems using brute force or dictionary programs (perhaps of their own writing), and then tend to do whatever they can. Copy programs, delete files, whatever.

There's a ton of other divisions, one of the most common being script kiddies, who ride on someone's coattails by using a released exploit on systems until it works. They usually don't know how or why it works, just point and double click. Sort of comparing the program's writer to a gunsmith, the script kiddie would be a recreational shooter. They don't care about the internal components and probably couldn't make it, but they have fun doing it.
Backgammon
QUOTE (EMO SAMURAI)
How about hacking Linux? And what do you mean by covering up your tracks?

Well, our TA strongly suggested we use Linux to hack. We are indeed making good use of nmap.

I don't know how to cover my tracks. That's something they are wisely not showing us how to do. As an example, though, the TA warned us that anyone in the school residences using a port scanning tool will immediatly receive the visit of campus security. It's possible for them to detect port scanning. So you'd have to be careful. Further, your IP adress if often logged here and there. That's bad. You either have to mess up those log files, or find a way to use an IP that can't be traced back to you.
Kagetenshi
IMO, it's a horrible idea for them to not teach you to cover your tracks. If there's anyplace where the idea of "being able to do it means being able to undo it" holds strongest, I'd say it's identifying intrusion in the first place, which means knowing the flaws in the methods of hiding, which means knowing the methods of hiding.

You should ask your TA (or campus security) if you'll get a disciplinary visit for trying to find out if the registrar's office has a phone number.

~J
Drraagh
I have degrees in Programming and in System Administration, so I could probably get into lengthy discussions about how things like hacking works and how to get away with it in some ways, but I figure that this is not the place for such sorts of conversations. Same with a friend of mine who is a network admin for a military facility. The two of us have played around with building secure systems on our networks and trying to break into them over the internet, seeing what works and what doesn't.


There are a couple 'authentic' hacking games, in other words, ones that are more than just click here, click here and you're in. These games require you to look into figuring out passwords, finding systems and determining IP addresses and so forth. I'll have to come up with a list of them because the only one that comes to mind now is a game known as Street Hacker. Uplink is a good game if you want to know what the Cyberpunk hacking in SR is like, but it's not very 'realistic' compared to current day.
Kagetenshi
The internet sucks. Modem banks were just so much more awesome.

~J
Drraagh
QUOTE (Kagetenshi)
The internet sucks. Modem banks were just so much more awesome.

~J

It's how I found three BBSes in my area growing up. Wardialing on a 14.4 baud modem. I even still have my 300 baud modem with my Commodore Vic 20. wink.gif
emo samurai
What's a modem bank?
Kagetenshi
I genuinely can't tell: was that irony, or a serious question?

~J
emo samurai
No, seriously.
Moon-Hawk
Now I feel old.
Kagetenshi
Indeed.

A modem bank is a bank of regular old modems (ish) attached to phone lines. In the old days, when you wanted to connect to another computer, they didn't have this big web (not to be confused with the WWW) of connected machines that could get you there eventually—you had to dial up the number of the phone line attached to the modem bank, and the modem bank would be connected to the machine or network you wanted to access.

Uplink's architecture, where you connected to systems by dialing into them, and where you routed your signal from system to system by dial-outs, is based on this old-school way of doing things.

~J
SL James
QUOTE (Vaevictis)
They don't usually do that unless they think you might be armed.

Thank you for ruining the joke.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Dumpshock Forums © 2001-2012