As you read about the many facets of hacking, you will be introduced to more equipment, tools, software and hardware that will be of interest to hackers who wish to try their expertise in more specialized areas of interest. For now though, all you need is the understanding that...
Days Of Yore Live On
Men you start reading through the literature of data security, you begin to get worried. Gone, it seems, are the days of "Joshua doors" as in the movie WarGames. Gone are the system bugs and loopholes, the naively entered "PASSWORD" used as a password. Gone, it seems, is the reverent awe people once held for the lone hacker, cracking secret government databases in the middle of the night. Gone are the lone hackers. It seems. But all of this really isn't true! As recently as just a few years ago, Robert Morris, Jr., was hacking into computers using system bugs that he himself had discovered. These weren't even new bugs -they were old ones that no one had ever noticed or bothered to correct before! Who knows how many more similar bugs like it are out there, waiting to be manipulated? And the trap doors will always be there as well: it is the programmer's vanity that leads him to stylize otherwise joint or corporate software by inserting covert code, either for benign, "jokey," Easter Eggs purposes - or to wreak havoc later on. < An Easter Egg in the computing sense is some unexpected, secret thing you can do with a piece of software that the programmer put in but doesn't tell anyone about.> And don't forget all the stupidity: the test accounts and demo modes, the default security measures that nobody bothers to delete or change. In July 1987, a bunch of Chaos Computer Club members hacked their way through the network, from an entry in Europe, to NASA's SPAN system (Space Physics Analysis Network). These crackers exploited a flaw in the VMS infrastructure which DEC Corporation had announced was remedied three months earlier. There must be hundreds of VAX computers still out there, still running the faulty parts of the operating system. Even with the patch in place, the Chaos members reportedly were laughing themselves silly over the often trivial passwords used to "protect" the system. Some of the passwords were taken straight from the manu-facturer's manuals! On the one hand we have a top secret VAX 11 / 785 computer with the full power of NASA to protect it; but on the other hand there are approximately four thousand users of that com-puter.
Never can you get 4,000 people together and still keep secrets hushed up. Hacking may seem harder than ever before, but it really is not. The culture may have gotten more security-aware, but the individual user still lives in a world of benign indifference, vanity, user-friendliness and friendly-userness. Users who are
in-the-know will always want to help the less fortunate ones who are not. Those who aren't will seek the advice of the gurus. And so Social Engi-neering and Reverse Social Engineering live on, as you shall discover within these pages. Ease of use will always rule. The "dumb" pass-word will be a good guess for a long time
to come.
After all, people just don't choose 116Fk%8l0(@vbM-34trwX51" for their passwords! Add to this milieu the immense number of computer systems operating today, and the stag-gering multitudes of inept users who run them. In the past, computers were only used by the techno-literate few. Now they are bought, installed, used,
managed, and even programmed by folks who have a hard time getting their bread to toast light brown. I'm not downgrading them - I ap-plaud their willingness to step into unfamiliar wa-ters. I just wish (sort of) that they would realize what danger they put themselves in every time they act without security in mind. it is a simple and observable fact that most computer systems aren't secure. If this isn't clear now, it certainly will be once you've read a few chapters of this book.
Ironically, many of the people who operate computer installations understand that there is a problem with system security; they just don't do anything about it. It seems incredibly naive, but it's true. There are lots of reasons why companies don't increase computer security. Publicly or privately, they say things like:
• Extra security decreases the sense of openness and trust which we've strived to develop.
• Security is too much of a nuisance.
• Extra security just invites hackers who love a challenge.
• It would be too costly or difficult to patch exist-ing security loopholes.
• The reprogramming could open up new secu-rity problems.
• We've never had a security problem before!
• The information we have here is not important to anyone but ourselves; who would try to break in here?
• But we just had a security breach; surely they won't come back!
• Didn't all those computer hackers grow up and go on t o better things?
There are different reasons why each of these statements is either wholly or partially incorrect. The last one is certainly false as any reader of this book should be quick to point out. Computer hacking (as well as the misuse of computers) will always be a contemporary issue because of the great value computers have in our
daily lives. Some of these sayings also have their validity. In any case, the people who run computer installations (call them sysops, system managers, computer operators or whatever) very often believe in these things, and so the window of opportunity is left open. With a little work we can often ride the breeze inside.
