What Exactly is hacking and how to do it?

Read Steven Levy’s book HACKERS. Quite fascinating!

Yes, this is the real story of the true hackers - not the modern idea of people who break into things.

How to be a hacker.

Broadly speaking, “hacking” involves gaining access to computer systems and networks that you are not authorized to access. It can also involve disrupting those systems, such as with a “denial of service” attack (which basically involves spamming a site with connection requests until you clog up the bandwidth).

The “how” it’s done consists of a number of techniques, including:
- Social engineering - tricking a legitimate user into providing their credentials
- Exploiting software vulnerabilities - using flaws in computer programs to gain access. For example, a “SQL injection” attack where you enter “or 1=1” as the user name for a login screen. If the code is badly written, the request “SELECT * FROM usertable WHERE username = ‘’ or 1=1” will be sent to the database, possibly outputting a list of every user name. This is a simple example that pretty much every site should already account for.
- Introducing “malware” (viruses, Trojans, bots, worms, etc.) into a system. How they are introduced can vary from a simple email attachment or link to malicious software embedded within legitimate software. Once the software is installed, it can sit on the system for weeks or months waiting for an opportunity to do its thing.

The image of a hacker dueling with his corporate cyber security counterpart to gain access to some system while illegible code streams by Matrix-like is largely a Hollywood fiction.

One edit. I don’t want to kick off a philosophical discussion on legitimate vs illegitimate hacking. Even more broadly speaking, “hacking” may also refer to “white hat” hackers who work to find security vulnerabilities or are asked to conduct penetration testing of corporate, government or other institutional systems.
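The SQL injection case described in the post above, worked through as an added example (not code from the thread): the user name is pasted into the query text in one version and bound as a parameter in the other, run against a constructed in-memory SQLite table. The table name `usertable` is taken from the post; the column names, user rows and the `' OR 1=1 --` input (the trailing comment is what keeps the injected query syntactically valid) are assumptions for the demo.

```python
"""SQL injection: string-built query beside the parameterized one.

Added example, not from the original thread. The usertable rows below are
constructed sample data; the point is the difference in what comes back.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample table; "usertable" is the name used in the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usertable (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO usertable VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Bad: the user-supplied value becomes part of the SQL text, so a quote
    # followed by "OR 1=1" turns the WHERE clause into a tautology.
    query = f"SELECT username FROM usertable WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Good: the driver binds the value separately from the statement, so the
    # quote and "OR 1=1" are just characters in a username that matches nobody.
    query = "SELECT username FROM usertable WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def demo() -> dict:
    # Assumed attacker-style input; "--" comments out the trailing quote.
    injected = "' OR 1=1 --"
    conn = make_db()
    return {
        "honest_vulnerable": lookup_vulnerable(conn, "alice"),
        "honest_parameterized": lookup_parameterized(conn, "alice"),
        "injected_vulnerable": lookup_vulnerable(conn, injected),
        "injected_parameterized": lookup_parameterized(conn, injected),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The string-built version returns every user name for the injected input, exactly the outcome the post describes; the parameterized version returns nothing because no user is literally named `' OR 1=1 --`. Parameter binding is the fix every database driver supports, and it is also the signal to look for in code review: any query assembled with string formatting from request data is a finding.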

So another term for illegal or malicious hacking might be “cyber criminal” or “cyber terrorist”.

Or “cracker”, which is the correct term.

This battle was lost 20 years ago. Nobody who actually matters cares about this distinction anymore.

I know. But it remains true. Depends upon when you grew up in the field.

I hate this argument. What if that argument had been made about slavery?

Anyway, the distinction is important because it leaves us without a clear, concise way to refer to actual hackers. Or as I explained to some of my colleagues (I work in a public school now), what if there were a rash of people breaking into schools and destroying or stealing stuff and the press started referring to them as “educators”? Or any profession, for that matter? “A notorious researcher group managed to break into the labs at the Mayo Clinic and steal 5 years’ worth of important data. It was the biggest act of research to date.”

Even more generally: Hacking means getting any computer system to do anything it wasn’t designed for. Letting in unauthorized users is one thing that computers weren’t designed for, true, but it’s far from the only one. All major advances in computing have been hacks, because the first person to do them was using systems to do things that they had never been designed for before.

Also of note, a lot of cracking nowadays is of the “monkey pushes a button” type: Someone gets a cracking program from somewhere that automatically does something-or-other, pushes a button on it, and lets the program do all of the work. This isn’t hacking, because you’re using that premade tool to do exactly what it was designed for. Now, the guy who created that tool, he probably is a hacker.

I remember reading about heartbleed when it was first publicly announced and thinking that was exactly the sort of cheesy exploit you’d expect to see in a mainstream hacker movie.

How was it not blindingly obvious to the person(s) coding up that handshake module?

Buffer overflow errors are one of the most common security exploits because C does not have any automatic bounds checking on arrays. Good programming practices and more modern tools make this stuff easier to catch before it gets into the wild, but there’s a lot of old, crusty code out there that nobody looks at very closely.

Google Project Zero is dedicated to finding and reporting security vulnerabilities in all computer systems (they were one of the groups that discovered the recent Meltdown and Spectre vulnerabilities).

Once a vulnerability has been reported to the vendor and fixed, they sometimes post a detailed explanation of how they found it and developed the exploit.

These posts are a great explanation of what actual, modern “hacking” consists of.

A few examples

What you see in the movies is complete bullshit. They make it look like any computer in the world is accessible by any other computer, without any security and passwords are zero protection. If all anyone had to do was tap on the keyboard for a few seconds to gain access we would stop using computers entirely, because they wouldn’t be secure at all.

As for the movies, it depends on their story lines, but overall, unless you know how development was done on a system it would take a long time even assuming you gained access to find what you’re looking for. It’s the same plot device on Star Trek, they come across a totally alien culture and somehow they instantly know how to work the equipment. Meanwhile in real life, most people can’t program their thermostats without studying the manual.

It’s not about who’s got the most bullets. It’s about who controls the information!

Actually it’s been doubly lost. I’m an ex-CS prof and at all the places I went to school and taught at a “hacker” was a lousy programmer. A “hack” was a poorly done way of sort-of solving a problem. It means kind of the same thing as used in describing a hack writer.

The hacker = good programmer thing was basically an MIT thing. (Hence the only person I knew at any of these places who used it that way was from MIT.)

Note that it is a lot more natural to derive the cracking meaning of hacking from this definition than the other since many cracks are quick and dirty jobs. How it could have been derived from the MIT meaning baffles me.

“Hacker” has never quite precisely meant “good programmer”, even in the MIT sense. You could say “clever programmer”, but even that loses some of the nuance. The mark of a hack is that, if you tell someone what you did, they’d say “Wait, and that actually worked?”.

The difference in culture between MIT and the rest of the world is that MIT respected that.

Not just an MIT thing. We certainly knew what a real hacker is at my small college in the midwest in the mid 80s. Some of the CS classes at Harvard still have a “hacker edition” of the coursework for students who want to dig into the subject more. (I never attended Harvard, I’ve just watched some of their podcasts of classes.) While it’s true that a piece of work that’s considered a hack is ugly and maybe just sheer luck that it works, a hacker isn’t someone who just throws stuff at the wall to see if it sticks, even if it looks like it. A hacker can reliably come up with unconventional solutions and know they’re going to work and be able to explain why. It’s part of the “first make it work, then make it pretty” philosophy.

Exactly. Buffer over/underflow has bitten my ass more times than I can count. The way this function was designed/written was textbook for a buffer read exploit. Literally “tell the remote server how much data to send back”.
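The missing bounds check that the two posts above are talking about (C doing no array bounds checking, and a heartbeat handler that trusts the client's "send me this many bytes back"), shown as an added simulation rather than as OpenSSL's code. Process memory is modelled as a constructed `bytearray` in which the request record is followed by some constructed neighbouring data; the record layout (type byte, two-byte length, payload) and every value here are assumptions for the demo, and the hardened handler adds the one comparison the vulnerable one lacks.

```python
"""Heartbleed-style over-read, simulated in a bytearray.

Added example, not OpenSSL's code. A request declares a payload length and the
receiver echoes that many bytes. If the declared length is trusted instead of
being checked against the size of the record actually received, the echo runs
past the request into whatever sits next to it in memory.
"""
import struct
from typing import Optional

HEADER_LEN = 3  # constructed layout: 1-byte type + 2-byte big-endian length


def build_heartbeat(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    # declared_len lets a test lie about how big the payload is, the way a
    # malformed request would.
    length = len(payload) if declared_len is None else declared_len
    return struct.pack("!BH", 1, length) + payload


def handle_vulnerable(memory: bytearray, offset: int) -> bytes:
    # Trusts the declared length: this is the C pattern where memcpy(bp, pl,
    # payload) copies as many bytes as the peer asked for, bounds unchecked.
    _type, length = struct.unpack_from("!BH", memory, offset)
    start = offset + HEADER_LEN
    return bytes(memory[start:start + length])


def handle_fixed(memory: bytearray, offset: int, record_len: int) -> Optional[bytes]:
    # The fix: the declared length must fit inside the record that was actually
    # received; anything else is discarded before a single byte is copied.
    if record_len < HEADER_LEN:
        return None
    _type, length = struct.unpack_from("!BH", memory, offset)
    if HEADER_LEN + length > record_len:
        return None
    start = offset + HEADER_LEN
    return bytes(memory[start:start + length])


def demo() -> dict:
    # Constructed neighbouring data standing in for whatever the process
    # happened to have next to the request buffer.
    neighbour = b"SESSION-KEY=deadbeef"
    lying = build_heartbeat(b"hi", declared_len=20)   # says 20, carries 2
    honest = build_heartbeat(b"hi")                   # says 2, carries 2
    memory = bytearray(lying + neighbour)
    return {
        "vulnerable_echo": handle_vulnerable(memory, 0),
        "fixed_echo_lying": handle_fixed(memory, 0, len(lying)),
        "fixed_echo_honest": handle_fixed(bytearray(honest + neighbour), 0, len(honest)),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value!r}")
```

The vulnerable handler returns the two real payload bytes followed by eighteen bytes of the neighbouring data, which is the whole bug in miniature; the fixed handler refuses the lying request and still echoes the honest one. The detection angle is the same comparison applied at the boundary: any length field in a protocol message is attacker-controlled until it has been checked against the number of bytes actually received.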

So, in the early evolution of the term “to hack”, did it mean “throwing stuff at the wall and seeing what sticks”?

Sometimes that describes my feeble attempts at programming. The rapid trial/debug/retry/debug/… thing that happens with incremental progress makes me sometimes feel that I’m “hacking away” at something.