
Training Security EMEA - I pot


DOCUMENT INFORMATION

Basic information

Title: Security Training I – The Environment
Category: Training security
Pages: 36
Size: 889.5 KB


Contents


Page 2

• Who are the hackers?

Page 3

Who are the hackers?

Page 4

Mythical Texts

Page 5

TEXTS

“Mentor’s Last Words”

• aka “hacker’s manifesto”, “conscience of a hacker”
• THE mythical text
• Written by a hacker in a period of large busting

1. Justified a posteriori the behavior of hackers
  • We explore… We seek after knowledge…
  • My crime is that of curiosity
2. Shows a very high self-esteem
  • I'm smarter than most of the other kids
  • My crime is that of outsmarting you

Page 6

“Mentor’s Last Words”

• Anger underneath
  • We've been dominated by sadists
  • Yes, I am a criminal
• Looking for an “elsewhere”
  • This is it… this is where I belong
• Wide range rebellion
  • You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals
  • We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons
  • your three-piece psychology and 1950's technobrain

Page 7

“Mentor’s Last Words”

• Subjective text
  • Written to justify hackers’ acts and provide them with respectability
  • Must not be analyzed “as is”
  • No real theory or philosophy behind the text
• Still a reference
  • Each and every hacker knows this text
  • Mostly found on lamers’ web sites
  • Flame wars have proved that real hackers know and respect this text

Page 8

• One of the very few state-of-the-art written documents
• Written to explain who hackers are
• Dissident says he is not a hacker

1. Distinguishes 2 categories of hackers
  • And the idiotic schmucks of the world …
  • True hackers …
2. Defines the rules
  • A true hacker DOESN'T get into the system to kill everything
  • True hackers are curious and patient

Page 9

“The ethics of hacking”

• Text for newbies
  • And to those wanna-be's out there who like the label of "HACKER" being tacked onto them, grow up, would ya?
• Clears real hackers
  • maybe someone somewhere will read it, and know the truth about hackers… Not the lies that the ignorant spread
• High esteem of what hackers are
  • True hackers are intelligent

Page 10

“The ethics of hacking”

• Quite objective text
  • Written with less anger than “Mentor’s Last Words”
  • Dissident gives an external view of the phenomenon
• First definition of real hackers
  • Includes technical skills AND behavior
• Gives the rule for hackers’ survival
  • Hackers’ meaning of life is information. If they destroy it when they get access, they kill themselves

Page 11

1. Always yield to the Hands-On Imperative! Access to computers - and anything else which might teach you about the way the world works - should be unlimited and total
2. All information should be free
3. Mistrust Authority - Promote Decentralization
4. Hackers should be judged by their hacking, not bogus criteria such as degrees, age, race, or position
5. You can create art and beauty on a computer
6. Computers can change your life for the better

Page 12

Sociological Approach

Page 13

SOCIAL

Social movement requirements

1. A social movement has at least minimal organization
2. A social movement is an uninstitutionalized collectivity
3. A social movement proposes or opposes a program for change in societal norms, values, or both
4. A social movement is countered by an established order
5. A social movement must be significantly large in scope
6. Persuasion is the essence of social movements

Stewart, Smith, and Denton (1984)

Page 14

• Electronic community
  • Hacking groups, started with BBS (the Inner Circle, L0pht Heavy Industries, hack4girlz, Theso …)
  • Magazines (especially Phrack + dozens of ephemeral ones …)
  • Mailing lists (Bugtraq, Full-Disclosure …)
• Physical meetings
  • Cons (DefCon, HoHoCon, PumpCon …)
  • Other meetings (CCC Camp, HAL, BlackHat, PH-Neutral …)
• No managers but some gurus
  • From the past: Aleph One, Wietse Venema, Steve Bellovin, Alec Muffett
  • New generation: Fyodor, Ron Gula, The Hobbit, Renaud Deraison, Mudge

Page 15

I learned as much as I could as fast as I could, and after several months of intensive hacking and information-trading, the Cracker was no longer a novice. I knew a lot about hacking by then, and because I liked to share what I knew, I gained the reputation of being someone to go to if you were having trouble. As the Cracker's reputation grew, answering such requests became a matter of pride.

Bill Landreth (aka "The Cracker"), 1989

Page 16

• Lack of understanding by the public
• Misc. laws increase marginality

→ Even security specialists have to go underground

Page 17

Uninstitutionalized Collectivity

But, even as I type this, I begin to realize just why we are such a feared group of people. We are misunderstood by the majority. You cannot understand someone who judges others by what they say, think, and do, rather than how they look or how large their income is. You cannot understand someone who wants to be honest and sharing, instead of lying, stealing, and cheating.

You cannot understand us because we are different. Different in a society where conformity is the demanded norm. We seek to rise above the rest, and then to pull everyone else up to the same new heights. We seek to innovate, to invent. We, quite seriously, seek to boldly go where no one has gone before.

We are misunderstood, misinterpreted, misrepresented. All because we simply want to learn. We simply want to increase the flow of information and knowledge, so that EVERYONE can learn and benefit.

"Toxic Shock", 1990

Page 18

• Sharing the knowledge
  • Not to reproduce errors from the past
  • Not only in computer sciences
• Fight against ignorance
  • A “plague” that should be controlled by free access to information
• Computers as an ideal
  • Credo of the hackers
  • You can create art and beauty on a computer
  • Computers can change your life for the better
• Technological judgment
  • Not based on nationality, position, color, religion etc.

Page 19

Most, if not all, of us think information should be exchanged freely. If everyone is kept abreast of the newest technologies, techniques, what have you, then everyone can benefit. The more each of us knows, the fewer past mistakes we will repeat, the greater knowledge base we will have for future developments.

"Toxic Shock", 1990

Page 20

Countered by established order

• Corporation and government interest
  • Limit diffusion of the socio-political message
• Regular massive legal crackdown
  • Very high paranoia level
  • The Steve Jackson Games case
• Political use of the subject

Page 21

Countered by established order

This is our world now… the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore… and you call us criminals. We seek after knowledge… and you call us criminals. We exist without skin color, without nationality, without religious bias… and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals.

“The Mentor”, 1986

Page 22

• Hard to evaluate
  • Different categories
    • security professionals, students, professional hackers etc.
  • Different levels of expertise
    • newbies, lamers, script kiddies, gurus etc.
  • Different minds
    • True hackers vs. ROW
• Some figures
  • Security mailing lists
    • Around 50,000 subscribers for Bugtraq
    • Includes security experts and “hackers”

Page 23

• Internally
  • Respect for the ethics of hacking
  • Some groups are or were very strict (the Inner Circle)
  • Humility and discretion are mandatory
• Competition between groups

Page 24

There is one last method of this war against computer abusers. This is a less subtle, less electronic method, but much more direct and gets the message across. I am speaking of what is called Anarchy. Anarchy as we know it does not refer to the true meaning of the word (no ruling body), but to the process of physically destroying buildings and governmental establishments. This is a very drastic, yet vital part of this "techno-revolution."

"Doctor Crash", 1986

Page 25

Reality

Page 26

Reality

Categories of “hackers”

• Technical ranking
  1. Newbies: new to security. Usually they don’t have a clue and very few technical skills.
  2. Lamers: newbies who found some tools and use some terms. They usually think they are hackers. Annoying.
  3. Script kiddies: some skills. Are able to replay and automate attacks. Dangerous when up-to-date.
  4. Hackers: quite skillful. Create attacks based on existing technologies. Very dangerous when leaving the full-disclosure spirit.
  5. Gurus: find new intrusion technologies. Deadly.

Page 27

Categories of “hackers”

• Field of activity
  1. Hacking: network and system based intrusions, DoS, social engineering, viruses, worms, malware, backdoors etc.
  2. Phreaking / Boxing: phone based hacking.
  3. Cracking: software piracy, reverse engineering, often linked to the modern version of warez.
  4. Carding: credit/phone/TV etc. card piracy.

Page 28

What hackers really are

• Way to be (or to think)
  • Technology lovers
  • Go deep into technical stuff – not only computer related
  • Curious, need to understand things
  • Patient and discreet
  • Find ways around
  • Test special cases
  • Always aware of potential misbehaviors
• No stereotypes
  • Age, position, diplomas, dress code are not criteria
  • Not 200 IQ…

Page 29

Ok, but who?

ANYBODY

And this is the problem.

Page 30

Security

Page 31

Corporate Security

Page 32

• Integrity: make sure data are not modified
• Confidentiality: restrict access
• Auditability: ability to know who has done what
• Evidence: non-repudiation

• From anywhere
• Internal & external
• While stored or in transit
• Logical & physical

Page 33

Corporate

The state of the art

• Start from the top
  • Identify assets
  • Define risk exposure, tolerance and cost
  • Create an AICAE matrix
• Match to IT infrastructure
  • Identify application chains
  • Define security zones
• Write security policy

→ Then (and only then) choose the tools

Page 34

The reality

• Start from a problem
  • “I have been hacked”
  • “I have money to spend”
  • “I read about worms in a magazine”
  • “I don’t want to get fired”
• Try to find a tool
  • No need has been exactly defined
  • Random tests on different products
  • Lack of ability to integrate new functionalities in a global plan

Page 35

Security Professionals

Page 36

Ok, but who?

ANYBODY

And this is the problem.

Posted: 15/03/2014, 17:20
