Once upon a time, hackers were hackers and crackers were crackers, and everyone who counted knew the difference.
The earliest hackers were members of an electric train club at the Massachusetts Institute of Technology who would “hack” sections of track or model landscape from their elaborate set-ups and rearrange them at will. When these club members transferred their technological loyalty to the new science of computing, they took their terminology with them. A hacker became a genius programmer who could “hack out” computer code faster or better or in fewer lines than his colleagues.
By the early 1980s, the media had confused the issue, referring to rogues who infiltrated computer systems as “hackers.” Within the field they were contemptuously referred to as “crackers.”
Hacker or cracker, the leather-jacketed, mirror-shades-wearing computer rogue has become a late-20th-century icon. But in terms of computer security, hackers represent only one relatively minor threat among many. From viruses to power surges to employee sabotage, the risk to computer and network security has taken on myriad forms.
Authors Peter T. Davis and Barry D. Lewis are recognized experts in this burgeoning field and have written several books on the subject for a professional audience. Computer Security for Dummies is, as one would guess, an introductory text aimed at lay readers, yet it is surprisingly complete.
Davis and Lewis’s major strength is their inclusive interpretation of the word “security.” They focus not only on threats posed by mythical hackers – sexy, but not terribly likely in most cases – but on all potential computer hazards. Unattended cans of Pepsi, malicious co-workers, improper (or non-existent) back-up procedures, bad password practices, electrical surges, and even tornadoes represent a far greater potential for disaster than any anonymous, jumped-up cyberpunk. In fact, according to the authors, one of the most serious threats to computer security is that silly little lock mechanism built into most desktop PCs. Most users apparently ignore the lock and leave the keys dangling from the keyhole. One prankster managed to shut down a major corporation for a full day by locking all of his co-workers’ computers and absconding with the keys.
In tone, Computer Security for Dummies reads like a stripped-down version of an academic textbook: a little dry, but perfectly readable. However, the few attempts at breezy Dummies-style humour fall flat and read as if they were inserted by an editor. Not everyone can write like Dan Gookin (originator of the Dummies books), and not everyone should try.
Halting the Hacker: A Practical Guide to Computer Security by Donald Pipkin is a similar book, although clearly targeted at corporate system administrators. Pipkin, a computer security consultant with Hewlett-Packard, is very well versed in his subject and stresses the need for much better computer security in big organizations.
Like Davis and Lewis, he emphasizes common-sense security practices like using surge-suppressing, uninterruptible power supplies and doing regular back-ups and virus-checks. As a network security consultant, however, Pipkin focuses more on preventing unauthorized computer use.
He defines his terms and summarizes threat and risk analysis very well. He also passes along valuable information that even moderately well-informed systems administrators may not know. In these downsizing days, he says, system administrators are often overworked or underqualified, or simply lack the resources they need to combat threats to their networks. Pipkin aims a few choice barbs at companies that slash systems administration budgets while demanding enhanced security – as he shows, it simply can’t be done.
Like Davis and Lewis, Pipkin establishes early in his book that the major threats to corporate networks only rarely come from hackers. Many companies are at far greater risk from current or former employees, who often use the computer network as an easy tool for embezzlement, vandalism, or theft of computer resources.
Nevertheless, Halting the Hacker devotes a large section to defining computer crime and the several different classes of hackers. Pipkin also talks about virus infestations and the specific type of hacker who writes and spreads virus code, and defines step-by-step how hackers gain access to networks and how system administrators can stop them. It’s very detailed and very interesting. Not to mention scary. The bound-in CD-ROM is a bonus, featuring a huge number of security-related documents and hotlinks, as well as a suite of UNIX software security utilities.
If you’re the nervous type, you may want to skip Bryan Pfaffenberger’s Protect Your Privacy on the Internet, because as soon as you discover that there is none, you may never want to use the Internet again.
If parts of the Pipkin book were a little scary, this book is downright terrifying. Consider these scenarios: Ever visited a sex-related site on the Internet? How about gambling? Smoking? Drugs? Union activism? Politics? Ever Websurfed from work? Ever sent personal e-mail from work? Ever sent a piece of e-mail from anywhere to anyone that might be compromising if it got into the wrong hands? Ever chatted live with someone in an Internet chat room?
Guess what? Your Internet service provider or your corporate system administrator has an auditable record of all of those activities, available to any prosecutor or divorce lawyer with a subpoena. Many corporations routinely monitor their employees’ on-site Internet usage and the contents of e-mail sent from corporate accounts. People have lost their jobs over the contents of their supposedly private e-mail correspondence.
Guess what else? When you visit a web site, nine times out of 10 it can garner sufficient information from your web-browser to determine who you are. If it tosses a so-called “cookie,” a little packet of digital information, onto your hard-drive, it can essentially track your voyages across the Internet for the rest of that session.
In fact, so much supposedly private information about you is awash in the info-stream that even semi-skilled hackers can cross-reference almost complete personality profiles for direct marketers, government agencies, or other individuals.
According to Pfaffenberger, the libertarian promise of the information revolution is turning into a privacy nightmare. The very technology that makes the Internet possible also makes it possible to completely pierce the veil of personal anonymity. Worse, many organizations are collecting and posting this information to the Net with absolutely no concern for security or privacy. Some U.S. District Attorneys recently found their home addresses and unlisted phone numbers on one web page, probably a popular one at various maximum security prisons. The Lexis-Nexis database last year posted a huge listing of households with children under 10, complete with addresses and phone numbers. The sheer irresponsibility boggles the mind, and this is just the tip of the iceberg.
I got more and more uncomfortable as I read this book. We have all, at some point or other, behaved as if our activities on the Internet are opaque when in fact, according to Pfaffenberger, they are absolutely transparent to anybody who cares to take a look. Forgotten e-mail could come back to haunt you in a court case years later. A casual visit to the Playboy or Playgirl web site while on the job could cost you that job. An insulting e-mail about your pointy-headed boss could end up on the boss’s desk before it reaches its intended recipient. These, according to Pfaffenberger, are the norms, not the exceptions.
Luckily, the author also provides many neat tricks and tools to avoid the snoops. There are web sites you can visit that will tell you exactly how much information about you your browser is feeding the world. There are other web sites that act as anonymous intermediaries, shielding your identity behind a firewall as you cruise the Net. Pfaffenberger also provides information on how to avoid snooping on the job, how to choose an Internet service provider based on their privacy and security policies, and many, many other ways to protect yourself on this new, wide open frontier.
This is not just a good book. It’s an essential book.
At Large: The Strange Case of the World’s Biggest Internet Invasion is a strange book. Authors David H. Freedman and Charles C. Mann tell an alternately exciting and confusing story about an underreported incident of computer malfeasance that occurred between 1991 and 1994.
It was an event that received virtually no publicity. An ill, possibly schizophrenic, young man referred to pseudonymously as “Matt Singer” infiltrated hundreds if not thousands of sites across the U.S. in a bizarre but essentially harmless quest for greater computer access. Living like a hermit, Singer was hardly the media cartoon of a wunderkind “hacker.” In fact, outside his filthy room, Singer was barely functional.
It was his preternatural patience – not genius – that made Singer a super-cracker. For 12 and 15 hours at a stretch he would try the same crack on dozens of computers, typing the same lines of code over and over until he got the results he desired.
Later he began to use pre-packaged cracks – software written by other crackers and distributed freely through a network of underground bulletin board systems. His patience paid off. He broke into virtually every university computer centre in America. He stole prototype software code from Sun Computers. He used supercomputer resources at Thinking Machines Corporation and the U.S. Navy. He cracked into computers at NASA, the U.S. Defence Department, and even the nuclear laboratories at Los Alamos. There was virtually no system he couldn’t break into. Not even the birthplace of the atom bomb was safe from the depredations of an obsessed teenager with a breadboarded computer and a modem.
And that’s essentially Freedman and Mann’s point. Like Pfaffenberger, they are very concerned about the issues of personal and organizational security on the Internet, and they use Singer’s escapades as proof positive that no one, from law enforcement agencies to individual users, takes network security seriously enough. They spend an awful lot of time demonstrating how easily Singer broke into systems. Administrators left password-free backdoors into their root directories – the command centre of any computer. Software and hardware manufacturers left gaping, and well-known, security holes in their products because investing the time and energy in fixes was unprofitable. Individual users chose ridiculously simple passwords like “hello” that were child’s play for even an unsophisticated cracker, and worse, they often used the same passwords on different systems.
On many levels, this is a good, even an exciting book. In places it reads like a first-rate thriller or even a cyberpunk novel from 15 years ago. In other places, however, it gets tedious and downright confusing. Matt Singer is simply too pathetic to be engaging either as a villain or a hero, and it’s difficult to keep the gaggle of system administrators, FBI agents, U.S. attorneys, and the other crackers straight. There’s just too much jumping around.
Nevertheless, Freedman and Mann make their point. If a nobody like Matt Singer could compromise so many supposedly high-security computer systems, then security and privacy simply do not exist. Singer had no political motivations and no criminal intent, but he infiltrated computer systems that contained sensitive data (destroying them accidentally, in some cases). In one instance he gained root control over a computer system that controlled the entire Southern California water system. With the push of a few buttons, he could have opened floodgates and drowned thousands of people and destroyed vast tracts of prime agricultural land. He didn’t want to, but who is to say that the next cracker won’t?