Hackers and crackers are often referred to across the world as THE big menace for e-business and the e-society. They are often painted with the same broad brush as several other groups, like virus writers, as waging a cyber war on the internet. Is this threat real or do we need more differentiation when talking about hacking?
From our point of view hackers are the people who break into computer systems and crackers are something that you eat! In the good old days a cracker was someone who broke software copy protection code, and a hacker was someone who found holes in systems that would allow him/ her to explore other peoples systems. Since then things have changed as the use of computer systems has grown and the material kept on machines has become more valuable. The people attacking the systems have also changed.
It is for this reason that we break down the types of 'hackers' into the following categories:
The Good
Individuals and organisations that conduct security research and publish their findings. The people who find vulnerabilities and help them get fixed, the people who develop security tools and techniques. Companies such as ourselves who test security implementations to make sure that they are true and complete. This is done by examining the systems and looking for any software that is known to have security weaknesses, then informing the customer so that they can close the hole.
The Bad
People who break into computer systems for criminal financial gain, espionage or politically motivated reasons. Despite what people think this does exist, and there are examples that can be found such as the famous City bank hack and the recent UK cash-point hack that was successfully nipped in the bud before any substantial harm was caused.
The Ugly (the script kiddies)
Kids who have nothing better to do with their time than to take advantage of security weaknesses in order to boost their reputation. This is usually done using tools that are available on the internet. A good example of these types of people are the website defacers. Once they have compromised the security of a site they work like graffiti artists, painting the website with their logo and publishing their achievements on websites like www.attrition.org.
The Council of Europe is drafting the first international convention against cyber crime at the moment. One of the goals is to make hacking a crime and to allow the use of 'hacker tools' only for legitimate purposes. Will this provision foster security on the Internet?
The simple answer is 'No'.
Guns don't kill people, people kill people. The internet is out of control and people who want to hack into a system will always find a way. Currently, the most up-to-date mailing list for security problems is 'Bugtrack' which is mailed freely to subscribers on a daily basis (usually over 200 mails a day). If the type of legislation proposed by the Council of Europe were to be passed then it would make services like 'Bugtrack' illegal- this in turn would spell disaster for the whole security industry.
Outlawing hacking tools will make it difficult for IT professionals to secure their systems. If you cannot try out the hack you cannot know if you are protected from it. It will also make education in security nearly impossible.
Using hacking tools or anything at all to break into other peoples computers is already illegal. Making the tools themselves illegal will actually prevent people from using them legitimately.
David will be happy to answer any questions you may have about his paper and will provide further information about the services ScanIT can offer.
--
David Michaux
|
