Learning to Love Hackers

Not all hackers are bad guys. But understanding what motivates them can make you less vulnerable to an attack.

It might be an old computer industry term for programmers that dates back to the 60s, but the word "hacker" has become firmly fixed in the public mind to mean people who break into computer systems.

Not true, say the hackers CIO spoke to. They are members of the Sydney chapter of 2600 Australia, a loose-knit collection of people who share a common interest in computer security - and ways of getting around it. Most of the hackers in 2600 haunt the Net round the clock, sniffing out insecure systems and searching for their vulnerabilities. But the aim of the game is not to steal or vandalise, they say, but to demonstrate one's technical prowess. For them the thrill of hacking lies in the hunt, not the kill.

Besides, as the 2600 guys are only too happy to point out, why rip someone off when you can earn $100K a year hacking professionally? Make no mistake about it, today's hackers have the skills to pay the bills.

The current generation of keyboard jockeys is paid to invade systems. If the first wave of hackers were true outlaws, often cracking systems in defence of the people's right to know as well as for personal gain, today's hackers are taking the family business legit. And much like the Mob or any other Machiavellian institution, their power derives not from the destruction they cause, but from proving to others that they can be destroyed at any time.

CIO: The word hacker means a lot of things to a lot of people. What's your definition of the word?

in0m: I personally believe that hacking is mainly advanced networking skills. If you can put together a network - which is how most of these guys learned their skills - the more advanced you'll be at securing your network. And that's all hacking is: securing a network by knowing how to break it.

avantguard: Hacking is a mentality, in that you see behind the shroud thrown over everything and see a system for what it's worth.

Anonymous Hacker 1: Everyone's mentioned software and systems, but it goes beyond that. Anything you do where you can take something further than what it was designed to do is a form of hacking.

in0m: Whatever you do, we don't want to be seen as criminals. We're not the kind of guys who go out and deface Web pages.

CIO: What's the difference?

in0m: Most of these guys [2600] have access to large infrastructures and if they want to test something they can go into their own company and test it 100 per cent legally. I think the statistics are that something like 90 per cent of hacks come from internal sources. If you look at the St George bank hack from September, I think it's quite coincidental that they put 1400 people off the week before.

in0m: I had a situation a while ago where a site in Perth was hacked. It was a static page, which means there was nothing the guy could've gained apart from just messing it around - real junior stuff. That guy was nothing more than an online graffiti artist. He wrote himself all over the Internet as being this Robin Hood hacker out to make security safer. Let me tell you, that's the kind of guy you want off the Internet. He should have his modem broken in half.

CIO: Is that the kind of person you'd describe as a script-kiddie?

in0m: Yes, guys who do "point and click" hacking. They don't invent anything or come up with anything new, they just use tools that have been left lying around. They attack people with old stuff - other people's intellectual property - and don't do anything unique. Personally, I prefer to contact the administrator of a site and say, "Hey, your site's weak. Would you like some help fixing it up?"

CIO: If you're not doing it for personal gain, the big question is: why do you do it?

avantguard: It really does blur. It's a hobby but it also crosses over into our careers because it's what we like to do.

Anonymous Hacker 2: I earn over 100 grand a year doing it.

CIO: Do you target any specific systems?

All together: Insecure ones!

CIO: Notorious hacker Kevin Mitnick was released last year. Any thoughts on his case?

MneMoniX: The thing about Kevin Mitnick was he used a GSM mobile during most of his hardcore hacks, which was very atypical at the time in the US. They caught him because they traced his mobile phone.

in0m: The first thing Kevin Mitnick will tell you is he never hacked anything that was hard. The reason he broke into sites was because 1) he used social engineering [verbally conning people into revealing their access secrets, such as impersonating a repairman], and 2) he exploited the top 10 security vulnerabilities. One of the things you should learn from speaking to people like us is that we're not these super-genius guys. Most of the time we're just using known holes - info about them is readily available and they're easy to patch. But people don't have the time to get to them or they're not paying attention to their security. Unfortunately, people are only paying attention to their security after the fact. After the Nazi party page has been stuck up on your Web site is not the time to start worrying about security.

CIO: Where does the name 2600 come from?

Dogcow: The name 2600 refers to a sound frequency. When making a long-distance call back in the 60s and 70s in the US, if you played the 2600 hertz tone on the line it would stop the billing, in which case you could continue to talk at zero cost. The 2600 tone was one of the things people used to explore the phone system in various ways. All the signalling was in band at the time and you could actually hear connections as they were made between exchanges. 2600 is also an organisation in the US that started in 1984. It centred around a magazine they used to put out and continued on from there. Over the years they started having meetings in cities around the US, and last year we decided to have a Sydney 2600 meeting. It was just people hooking up in a hotel for a few drinks and talking about stuff.

CIO: How big is the hacker community in Australia?

Dogcow: We have about 60 or 70 people who physically attend the meetings around the country, but counting our mailing lists there's probably between 400-500 people who in some way choose to associate with the group. 2600 can be found on the Web at www.2600.org.au.

Great Moments in Hacker History 1969-73

Using a whistle given away in a box of breakfast cereal, engineering student John Draper begins making long-distance calls for free by blowing a precise tone into the receiver that tells the phone system to open a line. Draper is hounded by authorities for phone tampering throughout the 70s.

Counterculture icons the Yippies launch YIPL/TAP (Youth International Party Line/Technical Assistance Program) magazine to help phone hackers (known as "phreaks") make free long-distance calls.

Two members of California's Homebrew Computer Club, Berkeley Blue and Oak Toebark, begin making "blue boxes" - devices used to hack into the phone system. The two are in reality Steve Jobs and Steve Wozniak, who later go on to found Apple Computer.

Great Moments in Hacker History 1974-1984

ARPANET moves away from its research and military beginnings and becomes commercialised.

William Gibson coins the term "cyberspace" in his novel Neuromancer.

In one of the first arrests of hackers, the FBI busts the 414 gang (named after the local Milwaukee area code) after members are accused of 60 computer break-ins.

The film War Games is released.

The first issue of 2600: The Hacker Quarterly is published.

Great Moments in Hacker History 1984-88

Two hacker groups form, the Legion of Doom in the United States and the Chaos Computer Club in Germany.

Veteran hacker Kevin Mitnick arrested for secretly monitoring the e-mail of corporate security officials. He is sentenced to one year in prison.

First National Bank of Chicago is the victim of a $US70-million computer heist.

Student Robert Morris releases a worm program that penetrates military and intelligence systems, crashing 6000 computers attached to the Internet.

Great Moments in Hacker History 1989-90

After AT&T long-distance service crashes, US government begins national crackdown on hackers, arresting Knight Lightning, Eric Bloodaxe and Masters of Deception trio Phiber Optik, Acid Phreak and Scorpion. Operation Sundevil conducts raids in 12 major US cities.

Hacker Kevin Lee Poulsen (Dark Dante) is captured after a 17-month hunt, and is later indicted for stealing military documents.

Great Moments in Hacker History 1991-95

Russian Vladimir Levin creates a group that hacks into Citibank, getting away with more than $US10 million.

Kevin Mitnick incarcerated again, this time on charges of wire fraud and illegal possession of computer files stolen from Motorola and Sun Microsystems, among others.

Great Moments in Hacker History 1996-99

Hackers break into and deface US government Web sites, including the US Department of Justice, US Air Force, CIA, NASA and others.

The New York Times Web site defaced in protest over the imprisonment of Kevin Mitnick.

Two hackers in China sentenced to death for hacking into a bank and stealing money.

The Pentagon hacked by an Israeli teenager.

The hacker group L0pht speaks to the US Congress about security issues, warning it could shut down US access to the Internet in less than 30 minutes.

Unidentified hackers seize control of a British military communication satellite and demand money in return for control of the satellite.

Great Moments in Hacker History 2000

January

Russian hacker steals customer credit card numbers from online music retailer CD Universe and threatens to sell them if not paid $US100,000. When his demands are not met, details of 25,000 credit cards are promptly posted on a Web site.

Kevin Mitnick is released from prison. As a condition of his parole, he is prohibited from using computers.

February

The Web sites of Yahoo, eBay, CNN.com, Amazon.com, Buy.com, ZDNet, E*Trade, and Datek are targeted by an unknown hacker using denial of service. Months later, 16-year-old Montreal-area high-school student known as Mafiaboy is captured and agrees to plead guilty to the series of attacks.

Hackers penetrate the ASX Web site, causing an outage of four hours. The anonymous intruder, nicknamed "Prosthetic", breaks into the exchange's public information Web site for 30 minutes, leaving it littered with banner messages reading "Prosthetic owns the ASX".

May

The "I Love You" virus wreaks havoc on systems worldwide, causing an estimated $US8.7 billion in damage. A Filipino student is eventually arrested in connection with the bug, but is later released because prosecutors lack a law with which to charge him.

October

NY Yankees win US baseball's World Series. Next morning the team's Web site is defaced with a pornographic image and the words "Yankees suck!!!"

November

A hacker attacks the US Republican National Committee's Web site and plants a rambling tirade against Texas Governor George W Bush, forcing the site to be temporarily taken off-line on the day when voters are casting their ballots in the presidential election.

A 19-year-old Dutch hacker mocks software giant Microsoft by hacking into one of its Web servers twice within one week. Shortly afterward, Dimitri visits Microsoft's Dutch office and meets with the company officials to discuss the break-ins.

December

Security at the US Naval Research Laboratory is breached and an unidentified intruder downloads aerospace software that can be used to control satellites.

A hacker penetrates the computer network of a major hospital in Seattle, making off with files containing information about 5000 patients.

Malicious intruders plant the image of a nude woman on the Web site of Japan's top security organisation, the National Police Agency.

Creditcards.com is the victim of an extortion attempt by a cyber thief accused of hacking into its site and exposing more than 55,000 credit card numbers on the Internet.

Great Moments in Hacker History 2001

January

One day after a technical error shut down several of its Web sites, Microsoft announces that an outside attack is to blame for a second round of embarrassing outages. A denial of service attack hits the routers that direct traffic to several Microsoft Web sites when a hacker floods the company's equipment that directs traffic to its sites, blocking other users from reaching popular properties such as Expedia.com and Hotmail.com.

February

A group of malicious hackers go on a defacement spree, breaking into a string of corporate Web sites to replace text and graphics with digital graffiti. Among the victims of the hackers, who go by the name "Sm0ked Crew", were Web sites owned by The New York Times, Compaq Computer, Intel, AltaVista, Hewlett-Packard and Disney.

Brazilian police investigate an online attack on the country's largest Internet service provider, UOL, in which hackers succeeded in stealing credit-card numbers from over 10,000 users. According to Brazilian press reports, one of the suspects arrested is the son of a Brazilian congressman.

March

Hackers steal customer records from Amazon.com subsidiary Bibliofind.com, including credit card information. Some 98,000 customers are affected.
