Home Page

All the Graphics


Post Database

Crackers, Not Hackers
By Thiravudh Khoman

A few comments, if I may, re: the front page story "Intruder drama at security seminar" in Post Database (March 1, 2000). First, like most serious computerists, I've tended to look the other way whenever the term "hacker" is used haphazardly by the mass media. But rather than looking away, it might be better to try and convince the media to use the term with more care.

Post Database (PDB) is an influential IT newspaper, one that is apparently read far and wide. It's unfortunate that PDB sometimes follows herd instincts in using the term "hacker", but what's worse is that such usage could be picked up and misused by less knowing readers. Of course, one could argue that the term is used to make it understandable by lay readers, but I believe PDB has both the moral authority and the responsibility to heighten people's awareness rather than dumbing-down for the sake of people's (mis)comprehension.

PDB has many very talented local IT writers, and I would wager that many could even meet the definition of a "hacker" (whether they welcome the title or not). This includes myself as well ("Ich bin eine hacker"). A visit to the "Hackers Hall of Fame" at https://www.discovery.com/area/technology/hackers/hackers.html should prove useful, as here we can find the definitions of "hackers" and "crackers":

    HACKER, n.: 1) A person who enjoys exploring the details of programmable systems and how to stretch their capabilities. 2) One who programs enthusiastically. 3) A person who is good at programming quickly. 4) An expert at a particular program, as in "a Unix hacker". 5) [deprecated] A malicious meddler who tries to discover sensitive information by poking around. The correct term for this sense is "cracker".

    CRACKER, n.: One who breaks security on a system. Coined by hackers in defense against journalistic misuse of the term "hacker". The term "cracker" reflects a strong revulsion at the theft and vandalism perpetrated by cracking rings. There is far less overlap between hackerdom and crackerdom than most would suspect.

The Hacker Hall of Fame highlights many "hackers", both good and bad (figure 1). Notable among the "goods" are the likes of GNU's Richard Stallman, Unix creators Dennis Ritchie and Kevin Thompson, and anon.penet.fi's Johan Helsingius. To this I would add Linus Torvalds, Tim Berners-Lee, Bill Gates (yes, even him!) and numerous other experts and non-experts whose accomplishments take place away from the limelight.

But to return to the matter at hand. How about everyone at PDB agreeing to use the term "cracker" instead, or failing that, qualifying the term as in "malicious hacker". The latter is less desirable though, since "malicious hacker" is less relevant these days given that one no longer needs extensive knowledge to hack maliciously, as illustrated by recent "script kiddies".

The second comment I'd like to make deals with the uninvited intruder. While Tony Waltham carefully distinguished between the "uninvited cracker" and Siam Relay's "in-house cracker", a casual reading of the article may blur what each person actually did. What I understand is that the would-be "cracker" did a scan of the IP address used by the Siam Relay host, couldn't find what he/she was looking for, and went on his/her merry way. It's ironic that the headlines highlighted the intruder given how little he/she managed to do, as compared to the in-depth demo by the "in-house cracker".

It's highly unlikely that the cracker targeted Siam Relay's host per se, but was simply scanning a range of IP addresses looking for a host computer that had certain characteristics, which he/she didn't find in Siam Relay's case. But even if the cracker had found what he/she was looking for, the host may not have suited his/her purposes or had defense measures to prevent any mischief. As a general rule, most crackers search for well-connected servers, rather than single, dial-up computers with forever changing IP addresses.

This is not to downplay the serious implications of such probes however. John DeHaven once wrote that "Paranoia is the correct attitude to take". While he was referring to viruses at the time, it applies just as well to crack attacks which potentially can bring about similar results.

As everyone should have a virus defense sytem installed on their computers, they should likewise consider an intrusion defense system if they're connected to the internet. The article didn't mention a consumer product appropriate for this, but I'd recommend Network Ice's (https://www.netice.com) "BlackIce Defender". I've had it installed on my computer for a few weeks now and I've been fascinated with what it's found. The dynamic IP address assigned to my computer when I dial into my ISP gets probed an average of once or twice a day (figure 2). So far, none of these probes can actually get through BlackIce's defenses, partly because BlackIce recognizes hundreds of types of probes and partly because my computer doesn't have what the scans are looking for (e.g. a DNS server, a Back Orifice implant, certain types of trojan horses, etc.).

By the way, BlackIce is able to determine certain characteristics of the prober as well: e.g. IP address, host name, MAC address, etc. (figure 3). This information is sometimes (but not always) sufficient to track down the actual prober if one really wanted to take the trouble to do so. It should emphasized though that despite their suspicious behaviour, not all of these probes have malicious intent in and of themselves.

Copyright © 2000, Thiravudh Khoman