How come so many teens and pre-teens know how to hack?

General Questions
#1

I am talking only about the ability; not the ethical issues.

I’m currently reading a book about teenage hackers and thier level of sophistication really astounds me. What really gets me though is that most of these dudes started when they were around nine or ten years old.

These kids then do stuff like take down the Pentagon and hack into various different corporations and do all sorts of mischief (from your basic childish web defacements to your more sophisticated forms of file sharing/stealing millions/global anarchy etc.). Though some of them are actually “white hats”.

But my point is, how come these little kids can learn so much in the art of hacking? I mean you hardly ever see kids aged 13/14 become doctors. Is it really that easy to learn this stuff?

One guy called H.D. Moore, apparently “one of the best hackers in the world”, was asked to help the Navy with some security related applications. Apparently this kid was so advanced that he had even the Boyz in Blue’s heads spinning when he made a mini-presentation to one of the chiefs. Now this kid had no real formal training to speak of, but he was 17 at the time!!! WTF???

Some other kid (Joe McGee - now a security consultant) was about 13 or 15 and after getting access to a modem learned the trade in SIX MONTHS!!!

Is it really that easy to learn how to hack that these kids can learn how to do it expertly within a few short years???

I know that they’re a dedicated group and obviously kids don’t have the type of time constraints that adults do, but many of these “little terrors” had very active social lives and played sports and went to school getting good grades.

Why does this particular demographic do it soooooo well?

And is it as easy as they make it look?

#2

Children can learn almost *anything * really well if they really want to. One of the advantages of being young is that you can stuff your head full of things. There are some young people who are absolutely killer at baseball. Same thing, different world.

Plus, it’s not hard to go over the head of top commanders. Most of them are a bit old and simply didn’t grow up with computers. They understand technology, but not nearly on so low a level as the hackers.

#3

I would suspect that a lot of it is because this kind of computing stuff maps quite closely to the patterns of learning language.

Young children, up to the early teens, can pick up languages astoundingly quickly compared to adults, their brains just seem to be ‘wired’ for it at that stage of growth. And doing incredible things with computers is largely learning the languages of the field, along with a little basic logic and arithmetic. (Real heavy-duty programming can get a lot more complicated, but I think what I’m saying is true for the kind of things you’re talking about.)

Another difference is the question of access. A pre-teen with a computer and a few contacts in the ‘hacking’ world can learn about, and try, an awful lot of wild stuff, while few kids no matter how genius are going to learn comparable things about becoming a surgeon. Medicine, it seems to be, also has a lot of stuff about learning visual identifications, memorizing abstract sequences of instructions, and understanding of what goes on inside the biology of living beings, which wouldn’t be as easy for young people to naturally pick up. Does this sound about right??

#4

Hackers are a peculiar bunch. With a thirst for knowledge and a general philosophy that information should be shared. Given that and that most hackers like to stay up in front of the computer with a cup/bottle/whatever of caffeine until their eyes hurt, it’s not really that hard to learn quickly.
Also, keep in mind, most “hackers” you hear about are what more experienced people call “scriptkiddies” because they use programs coded by other people that specificaly exploit security flaws with an easy to use point and click interface. That makes “hacking” so easy that most novice users could do it.

#5

Pretty much what Electronic Chaos says. Learning to be a doctor at home is messy, expensive, and hard to explain to your parents. ‘Hacking’ involves nothing more than a PC, standard equipment in most countries. The level of risk involved is also (at least superficially) far less than most other ‘sticking-it-to-the-man’ activities.

You can’t overlook the ‘script-kiddie’ factor either. The exact same tools these kids use are used by network security professionals, and free to download. On any half-decent linux box, you can auto-install yourself a copy of nmap to scan for targets (basically just checks for open ports), then run Nessus on your chosen victim to see if any of the services they’re running has known problems, then use the appropriate tool to break in. It’s literally something where cutting and pasting is the only required skill - I’ve seen some sadly hilarious ‘chat logs’ of script-kiddies who managed to break in to a system only to find themselves unskilled enough to even get a directory listing, and others where it’s clear they haven’t even the most basic clue of how networks function. Unfortunately the same tools that help network admins help them too, so it just doesn’t matter.

#6

Yeah, but what about Doogie Howser, M.D.? Doogie am sad…

#7

In more than half of the countries in the world, having a PC at home is “standard”?

#8

Nor even that odd. I actually once even e-mailed the family of African woman from a very poor nation she had given birth to a healthy daughter. Just the quickest way of delivering the message.

#9

Even discounting the script kiddies, there are still some very talented young hackers out there (after all, someone had to write the scripts that the kiddies use). This does not necessarily indicate that hacking is easy, but it does, to some degree, imply that the skills involved in hacking are somewhat inherent, rather than taught. Some people just think in such a way that it’s easy for them to see patterns in computer systems, and training can do very little to develop that ability. In some ways, formal training could even be a handicap, since most computer training is focused on how to make a computer system do what it’s intended to do. But the essense of hacking is in getting a computer system to do things it wasn’t intended to do, and for that, it can be better to approach the problem fresh, without any preconceived notions.

#10

Hacking is not hard in the same way that string theory is hard, it’s more about patience and luck than learning abstract, complex theory. The reason why is because it’s infinitely easier to break into a system than to secure one. For a system to be secure, a sysadmin has to win every time, for it to be compromised, the hacker only needs to win once. Most hacking is almost trivially simple and I wager I could teach an average 15 year old with a passing knowledge in assembly, C and unix how to hack in just a few days, and I’m not even a hacker, just someone who’s read a bit about it. The real “skill” is in finding systems which are open to these simple exploits. Kevin Mitnicks “Art of Deception/Intrusion” books are a nice, easy intro for the non-professional into the world of hacking.

It also depends partly on what sort of hacking you are talking about, there are “exploits” which rely on flaws in the software and there is “social engineering” which relies on the human factor.

The two main exploits still around are buffer overflows and unvalidated input. Neither should be a problem in well engineered systems which is a pretty glaring indictment of the quality of Software Engineers out there.

Buffer overflow attacks work by exploiting a lazy programmers who copy user input into memory without checking how big it is. Memory is stored in a computer as a sequence of bytes which the processor is responsible for trying to intepret. One of those bytes is the “return” instruction which is in charge of telling the processor where to go after it’s executed a particular chunk of code. Immediately before the return byte, theres room to store all the data variables needed for a particular subroutine. If the program tries to write data that’s too big for the variable, then it can overwrite the return value. If you rewrite the return value with a carefully crafted variable, then you can force the program to jump to a custom bit of code that you have written which can then gain full access to the system. The only real talent required to do this is to find systems which are vunerable to buffer overflow exploits. Everything else, you could bone up on in an afternoon. The “Smashing the stack for fun and profit” article by 2600 is a very widely read intro into buffer overflows.

Unvalidated input works on largely the same principles except at a higher level. Web forms occasionally need to take input from the user and then do something with them. Eg, if your buying something on the web and your name is John Smith, then you might enter John Smith into a web form and at the back end, the server might execute something like:

SQL_UPDATE(“Name”, “John Smith”);
SQL_COMMIT();

It simply inserts the string into a pre-assigned place in a program and then runs it.

However, if you entered something like:
John Smith"); SQL_WIPE_ENTIRE_DATABASE(); SQL_UPDATE(“HaHaHa”, "Losers you didn’t validate this input

into the name field, what will be executed is:

SQL_UPDATE(“Name”, “John Smith”);
SQL_WIPE_ENTIRE_DATABASE();
SQL_UPDATE(“HaHaHa”, “Losers you didn’t validate this input”);
SQL_COMMIT();

In order for this not to happen, input needs to be validated in order for malicious commands to not be inserted. The white house web site was brought down with a trivial hack that was essentially the same idea as this. Again, teaching people how to do this would take all of 15 minutes for someone familiar with a linux shell of SQL. It’s all a matter of finding vunerable pages.

There are quite a few more complicated hacks but it’s surprising the number of media hacker scares have been caused by one of these two trivial programming errors.

Social engineering is even more trivial but probably the more creative and ingenious compared to exploits. A system is really only as secure as it’s most vunerable part, when your most vunerable part is people who write their passwords down on post-it notes and stick it on their monitor, then it sometimes is really more like shooting fish in a barrel. Here are some social engineering “sploitz” that I’ve seen been made just in my general daily routine:

Our university library has a online reservation, renewal and booking system etc. The username is z<7 digit student number> ie: z1234567. For the booking system, there was a backdoor installed for the librarians so that if you entered Z<7 digit student number> as the password, then you can gain access to the system. ie: user: z1337357 pw: Z1337357. A librarian did that right in front of me when I asked how I could renew a book online. I now have access to anybodys library records… not a major accomplishement, but the same thing has happened for multi-million dollar server installations.

I used to keep a keystroke logger on my own laptop at all times. Nobody thinks twice about using someone elses machine to access sensitive materiel if they don’t have a machine handy. As a result, I managed to grab about 10 - 15 passwords in a 6 month period including one which belonged to a sys admin. I still have them but I haven’t done anything with them.

The way the computers are arranged at banks, computer support desks and other places, it’s often trivial to see what a person is typing on the keyboard. With a few months practise, virtually anyone can learn to read what a person is typing. I probably see about 10 passwords a month being typed in as I go about my daily errands. If I took the time to learn how to read keyboards, I could break into almost any of those systems.

Theres a hundred and one more ways to do social engineering if your willing to put a bit more effort into it and I bet that if you just took notice of your everyday surroundings a bit more, then you’ll start noticing these things too. In short, hacking really isn’t a mysterious, arcane and technical field, it’s mainly just tedious, lucky breaks that don’t require very much ingenuity at all.

Disclaimer: All of the above info is for educational purposes, don’t break into peoples systems. All of what I’ve said is availible in every decent book on computer security and is being taught at every decent university on network security.

#11

Good post Shalmanese.

#12

That isn’t hacking. That’s cracking. This is what you’re really talking about:

There are two points I’m making here:
[ul]
[li]Crackers aren’t skilled. They have a short list of things most badly-written software is vulnerable to and they simply iterate through the attacks until something breaks. Fudd’s Law of Opposition applies: If you push anything hard enough, it will fall over.[/li][li]Hackers aren’t crackers. Hackers were here first, the term dates back to the 1950s at least, and only in the past decade or so has the newsmedia confused the terms in its typical brain-damaged fashion.[/li][/ul]

But I suppose I’ll be shot down. After all, complaining about semantic drift is so gay. :rolleyes:

#13

Yes, your right, the hackers vs crackers debate is sooo 1990’s. Either way, I think the article is bullshit, neither hackers OR crackers particularly have nor require very much technical skill except for a couple of specialised examples.

What have been some of the great hacks of the internet age?

The RTM worm? Buffer overflow
Kevin Mitnick? Social Engineering
SQLSlammer? Buffer overflow
The Cuckoo egg case? I’m not sure but I think that was exploiting some shoddily written protocol code that wouldn’t authenticate properly.

In nearly every case, even the classic breakins have been done using fairly mundane methods and relied on incompetant programmers rather than any l33t technical skillz.

#14

Oh, and it’s not very clear exacly WHICH hackers vs crackers debate you are trying to promote, I’ve seen about half a dozen different arguments about the OneTrueMeaning of a Hacker vs a Cracker. In this case, I’m using hacker is a person who breaks into machines for educational purposes and a cracker as a person who breaks in for malicious damage.

#15

Good post, Shalmanese – the stuff you said about buffer overflow exploits is almost exactly what I always tell my C++ students when I am trying to impress upon them the importance of checking array boundaries when working with primitive C-style arrays (which usually leads into how to write them “safer” by embedding into classes).

#16

THANK YOU. And I say that as a hacker, not a cracker. I’ve hacked a number of systems in my days. Harm a computer system? I love computers too much. My response after playing around with their system is to e-mail the sysadmins there to fix their damn security holes. My hacks have included the following:

#1) I once found a way that anyone on the planet could hack full access to the Usenet server of a major US ISP. Out of professionalism, I won’t mention the ISP. However, anyone in the US would immediately recognize the name. I hate spam, particularly Usenet spam. A cracker could have easily used this exploit to spam the hell out of Usenet, and the ISP wouldn’t have known how they were doing it. My response was to do some digging and find out how to contact the top sysadmins in charge of such things. It’s all kinds of unprofessional and stupid to just send an e-mail to support@ and notify of the problem. Odds are that e-mail would be first read by some low level support drone making $8 an hour. How could I know that this low level support drone was honest? If I e-mailed him specific details how to hack the computer system of the company he worked for, how could I know he wouldn’t sell this knowledge to a spammer? Thus, I dug around and found the phone number of one of the top sysadmins. I then called him up, explained the problem, and told him the exact program coding to fix this security hole. He thanked me profusely. I checked a couple hours later and his system was again secure. :slight_smile: THAT is what hacking is about.

#2) Insecure financial data. I once found a company that was making available to anyone in the world who could figure out how all kinds of sensitive info about customers. As in names, addresses, full credit card data, etc. A cyber thief could have used that to rip off a lot of people. After a quick e-mail, this security hole was quickly closed.

#3) Sensitive medical data. I found a hospital was leaving open to the world a lot of stuff about patients they shouldn’t have. Like those who had been diagnosed HIV positive and such. I really doubt these patients would want me to know they were HIV positive. After a quick e-mail, all this was no longer available on the Internet.

The way I figure it, if it weren’t for hackers the Internet would just collapse. Like me, most people aren’t actually evil. Odds are all kinds of high if you leave a computer system improperly secured open to the Internet, some hacker will find it first and whack you with a cluestick about it. If you are a sysadmin without a clue, may God have mercy on your company and clients. :frowning:

#17

Yeah, but there have been all sorts of horror stories of people like rfgdxm who happily do that for many years and then, all off a sudden, encounter an ass hole sysadmin who drags them into court and puts them in jail for a few years. Personally, that scares me enough that I never try and contact people when I find flaws in the system unless I can do it anonymously (I print out helpful hints to people who leave their wireless unsecured for example).

#18

Yeah - though sometimes people ‘confess’ like that only when caught, it is a problem.
Unfortunately with the introduction of new laws trying to address ‘cybercrime’ you’ve got a number of law makers and enforcement officials who don’t know much about the scene. I recall a while back some consternation when it appeared that simply connecting to your neighbour’s open WiFi connection was a crime.
(And if you think it should be, bring a toothbrush next time you drive down the street with your laptop running - chances are it’ll connect automatically and that’s you going to the big house).

#19

What sysadmins do you deal with? They are geeks, like me. Geeks respect other geeks. Its the code of the Internet. Failing to point out security holes is a cardinal sin amongst geeks.

#20

Just out of curiosity, did you completely miss the second level to that statement?

What about people like Richard Stallman and Linus Torvalds, who are undeniably hackers and don’t break into systems at all?

Your definition does have some use, but it’s still, well, wrong. It doesn’t describe a large number of hackers who don’t break any kind of security and who spend their time building software, not destroying it.

(I think we can all agree that bugfinding is different from password cracking, right? Especially if you have the source and intend to fix the bugs you find.)

Hackers – that is, the people who call themselves hackers who aren’t total retards – are simply people who love complexity and approach it in a playful fashion. Computers are new on the scene: Hackers played with large model train sets before they were invented, among other things. (Search for the “Tech Model Railroad Club” on Google.) You could go so far as to say that Bach hacked music and Babbage hacked proto-computer mechanical adding machines, but that’s rather esoteric.

To be fair, so are a lot of hackers.