What Is the Difference Between a Hacker and a
Cracker?
There have been many articles written (particularly on the Internet) about the difference
between hackers and crackers. In them, authors often attempt to correct public
misconceptions. This chapter is my contribution in clarifying the issue.
For many years, the American media has erroneously applied the word hacker when it
really means cracker. So the American public now believe that a hacker is someone who
breaks into computer systems. This is untrue and does a disservice to some of our most
talented hackers.
There are some traditional tests to determine the difference between hackers and
crackers. I provide these in order of their acceptance. First, I want to offer the general
definitions of each term. This will provide a basis for the remaining portion of this
chapter. Those definitions are as follows:
* A hacker is a person intensely interested in the arcane and recondite workings of any computer
operating system. Most often, hackers are programmers. As such, hackers obtain advanced
knowledge of operating systems and programming languages. They may know of holes within
systems and the reasons for such holes. Hackers constantly seek further knowledge, freely share
what they have discovered, and never, ever intentionally damage data.
* A cracker is a person who breaks into or otherwise violates the system integrity of remote
machines, with malicious intent. Crackers, having gained unauthorized access, destroy vital data,
deny legitimate users service, or basically cause problems for their targets. Crackers can easily be
identified because their actions are malicious.
These definitions are good and may be used in the general sense. However, there are
other tests. One is the legal test. It is said that by applying legal reasoning to the equation,
you can differentiate between hackers (or any other party) and crackers. This test requires
no extensive legal training. It is applied simply by inquiring as to mens rea.
Mens Rea
Mens rea is a Latin term that refers to the guilty mind. It is used to describe that mental
condition in which criminal intent exists. Applying mens rea to the hacker-cracker
equation seems simple enough. If the suspect unwittingly penetrated a computer system--
and did so by methods that any law-abiding citizen would have employed at the time--
there is no mens rea and therefore no crime. However, if the suspect was well aware that
a security breach was underway--and he knowingly employed sophisticated methods of
implementing that breach--mens rea exists and a crime has been committed. By this
measure, at least from a legal point of view, the former is an unwitting computer user
(possibly a hacker) and the latter a cracker. In my opinion, however, this test is too rigid.
At day's end, hackers and crackers are human beings, creatures too complex to sum up
with a single rule. The better way to distinguish these individuals would be to understand
their motivations and their ways of life. I want to start with the hacker.
To understand the mind-set of the hacker, you must first know what they do. To explain
that, I need to briefly discuss computer languages.
Computer Languages
A computer language is any set of libraries or instructions that, when properly arranged
and compiled, can constitute a functional computer program. The building blocks of any
given computer language never fundamentally change. Therefore, each programmer
walks to his or her keyboard and begins with the same basic tools as his or her fellows.
Examples of such tools include
* Language libraries--These are pre-fabbed functions that perform common actions that are usually
included in any computer program (routines that read a directory, for example). They are provided
to the programmer so that he or she can concentrate on other, less generic aspects of a computer
program.
* Compilers--These are software programs that convert the programmer's written code to an
executable format, suitable for running on this or that platform.
The programmer is given nothing more than languages (except a few manuals that
describe how these tools are to be used). It is therefore up to the programmer what
happens next. The programmer programs to either learn or create, whether for profit or
not. This is a useful function, not a wasteful one. Throughout these processes of learning
and creating, the programmer applies one magical element that is absent within both the
language libraries and the compiler: imagination. That is the programmer's existence in a
nutshell.
Modern hackers, however, reach deeper still. They probe the system, often at a
microcosmic level, finding holes in software and snags in logic. They write programs to
check the integrity of other programs. Thus, when a hacker creates a program that can
automatically check the security structure of a remote machine, this represents a desire to
better what now exists. It is creation and improvement through the process of analysis.
In contrast, crackers rarely write their own programs. Instead, they beg, borrow, or steal
tools from others. They use these tools not to improve Internet security, but to subvert it.
They have technique, perhaps, but seldom possess programming skills or imagination.
They learn all the holes and may be exceptionally talented at practicing their dark arts,
but they remain limited. A true cracker creates nothing and destroys much. His chief
pleasure comes from disrupting or otherwise adversely effecting the computer services of
others.
This is the division of hacker and cracker. Both are powerful forces on the Internet, and
both will remain permanently. And, as you have probably guessed by now, some
individuals may qualify for both categories. The very existence of such individuals assists
in further clouding the division between these two odd groups of people. Now, I know
that real hackers reading this are saying to themselves "There is no such thing as this
creature you are talking about. One is either a hacker or a cracker and there's no more to
it."
Randal Schwartz
If you had asked me five years ago, I would have agreed. However, today, it just isn't
true. A good case in point is Randal Schwartz, whom some of you know from his
weighty contributions to the programming communities, particularly his discourses on
the Practical Extraction and Report Language (Perl). With the exception of Perl's creator,
Larry Wall, no one has done more to educate the general public on the Perl programming
language. Schwartz has therefore had a most beneficial influence on the Internet in
general. Additionally, Schwartz has held positions in consulting at the University of
Buffalo, Silicon Graphics (SGI), Motorola Corporation, and Air Net. He is an extremely
gifted programmer
NOTE: Schwartz has authored or co-authored quite a few books about Perl, including
Learning Perl, usually called "The Llama Book," published by O'Reilly & Associates
(ISBN 1-56592-042-2).
His contributions notwithstanding, Schwartz remains on the thin line between hacker and
cracker. In fall 1993 (and for some time prior), Schwartz was employed as a consultant at
Intel in Oregon. In his capacity as a system administrator, Schwartz was authorized to
implement certain security procedures. As he would later explain on the witness stand,
testifying on his own behalf:
Part of my work involved being sure that the computer systems were secure, to pay attention to
information assets, because the entire company resides--the product of the company is what's
sitting on those disks. That's what the people are producing. They are sitting at their work stations.
So protecting that information was my job, to look at the situation, see what needed to be fixed,
what needed to be changed, what needed to be installed, what needed to be altered in such a way
that the information was protected.
The following events transpired:
* On October 28, 1993, another system administrator at Intel noticed heavy processes being run from a machine under his control.
* Upon examination of those processes, the system administrator concluded that the program being
run was Crack, a common utility used to crack passwords on UNIX systems. This utility was
apparently being applied to network passwords at Intel and at least one other firm.
* Further examination revealed that the processes were being run by Schwartz or someone using his
login and password.
* The system administrator contacted a superior who confirmed that Schwartz was not authorized to
crack the network passwords at Intel.
* On November 1, 1993, that system administrator provided an affidavit that was sufficient to
support a search warrant for Schwartz's home.
* The search warrant was served and Schwartz was subsequently arrested, charged under an obscure
Oregon computer crime statute. The case is bizarre. You have a skilled and renowned programmer
charged with maintaining internal security for a large firm. He undertakes procedures to test the
security of that network and is ultimately arrested for his efforts. At least, the case initially appears
that way. Unfortunately, that is not the end of the story. Schwartz did not have authorization to
crack those password files. Moreover, there is some evidence that he violated other network
security conventions at Intel.
For example, Schwartz once installed a shell script that allowed him to access the Intel
network from other locations. This script reportedly opened a hole in Intel's firewall.
Another system administrator discovered this program, froze Schwartz's account, and
confronted him. Schwartz agreed that installing the script was not a good idea and further
agreed to refrain from implementing that program again. Some time later, that same
system administrator found that Schwartz had re-installed the program. (Schwartz
apparently renamed the program, thus throwing the system administrator off the trail.)
What does all this mean? From my point of view, Randal Schwartz probably broke Intel
policy a number of times. What complicates the situation is that testimony reveals that
such policy was never explicitly laid out to Schwartz. At least, he was given no document
that expressly prohibited his activity. Equally, however, it seems clear that Schwartz
overstepped his authority.
Looking at the case objectively, some conclusions can immediately be made. One is that
most administrators charged with maintaining network security use a tool like Crack.
This is a common procedure by which to identify weak passwords or those that can be
easily cracked by crackers from the void. At the time of the Schwartz case, however, such
tools were relatively new to the security scene. Hence, the practice of cracking your own
passwords was not so universally accepted as a beneficial procedure. However, Intel's
response was, in my opinion, a bit reactionary. For example, why wasn't the matter
handled internally?
The Schwartz case angered many programmers and security experts across the country.
As Jeffrey Kegler wrote in his analysis paper, "Intel v. Randal Schwartz: Why Care?" the
Schwartz case was an ominous development:
Clearly, Randal was someone who should have known better. And in fact, Randal would be the
first Internet expert already well known for legitimate activities to turn to crime. Previous
computer criminals have been teenagers or wannabes. Even the relatively sophisticated Kevin
Mitnick never made any name except as a criminal. Never before Randal would anyone on the
`light side of the force' have answered the call of the 'dark side.'
----------------------------------------------------------------------------------------
Cross Reference: You can find Kegler's paper online at
http://www.lightlink.com/spacenka/fors/intro.html
----------------------------------------------------------------------------------------
I want you to think about the Schwartz case for a moment. Do you have or administrate a
network? If so, have you ever cracked passwords from that network without explicit
authorization to do so? If you have, you know exactly what this entails. In your opinion,
do you believe this constitutes an offense? If you were writing the laws, would this type
of offense be a felony?
In any event, as stated, Randal Schwartz is unfortunate enough to be the first legitimate
computer security expert to be called a cracker. Thankfully, the experience proved
beneficial, even if only in a very small way. Schwartz managed to revitalize his career,
touring the country giving great talks as Just Another Convicted Perl Hacker. The
notoriety has served him well as of late.
________________________________________________________________________________________
TIP: The transcripts of this trial are available on the Internet in zipped format. The entire
distribution is 13 days of testimony and argument. It is available at
http://www.lightlink.com/spacenka/fors/court/court.html
________________________________________________________________________________________
सदस्यता लें
टिप्पणियाँ भेजें (Atom)
कोई टिप्पणी नहीं:
एक टिप्पणी भेजें