Azure Jane Lunatic (Azz) 🌺 ([personal profile] azurelunatic) wrote 2003-07-29 01:24 pm

My position on hackers/crackers:

Script kiddies (Sandstrom had to identify those for the BIS students this morning) are t3h 3VIL! and should be banned.

I tend to use the term "hacker" to describe someone who works on computers with delight and some skill combined with raw enthusiasm and unholy glee in it, producing nifty things, and "cracker" to mean someone who has broken into something.

Good hackers are fun people. Someone who cracks my system should, after review of ethics, be hired, with job security dependent on keeping out intrusion. If someone else cracks that hacker's security, then that one should be hired as a consultant.

Really, I think those wishing to understand modern hackers should read Feynman's commentaries about his safecracking experiences. That's where I gained my understanding of it. "Because it's there" is a perfectly logical reason.

Sandstrom noted that crackers set up better security on the boxes they invade. Why? To keep anyone else from messing with it. So they're experts (unless they're script kiddies, in which case see above).

Were I hiring, I would accept hacks and cracks on a resumé. When they make cracking illegal, only outlaws will be crackers. I want some cracker inlaws.

[identity profile] stronae.livejournal.com 2003-07-29 01:21 pm (UTC)
I want some cracker inlaws.

Now *that*, my dear, is funny. :)

[personal profile] wibbble 2003-07-29 03:24 pm (UTC)
I don't think you could write enforceable laws which said that cracking is fine if you're just doing it 'to see if you can', but not if it's malicious.

Further, given the value placed on data these days - patents, NDAs, Trade Secrets, copyrights, all that stuff - letting some random unauthorised person poke in the data is an anathema to the big corporations that would be the targets.

They can't trust that the curious-type crackers won't be downloading information that their culture of secrecy requires to be kept private. Didn't they do Kevin Mitnick for millions of dollars of damages, just because he downloaded stuff that had millions of dollars of dev time on it? Admittedly they were just trying to hang him out to dry to set an example (IIRC, they didn't even have that much support from the companies involved - they just asked them how much the stuff was worth, then charged Mitnick with that), but these days there's companies that are more than happy to take advantage of the sweeping criminal prosecution options the law gives them. (Which is fair enough, in a capitalist society. If one corporation doesn't take advantage, another will, and hurt the first one, or even drive it out of business.)

[personal profile] wibbble 2003-07-29 04:27 pm (UTC)
Cracking with permission isn't illegal, is it?

There are people who are employed by companies to test their security.

I mean, if you have permission, there's no argument that can be made for it being illegal. I can pick the locks (well, I could /try/ to pick the locks ;o) ) of my mother's house if I asked - it wouldn't be a crime.

eep

[identity profile] boojum.livejournal.com 2003-07-29 04:30 pm (UTC)
I'm...more cautious than that. I keep having this image in my mind of the difference between figuring out how to pick the lock on my front door and how to pick the locking mechanism that holds my seatbelt in. Yes, it'd be cool to play with seatbelt mechanisms, but I'd only do it on a seatbelt that no one will ever use again. That's sort of an extremal example, but I don't want anyone trashing my email archive or even my saved computer games in their explorations. I also don't want them reading either of the above. Learning is good, but not by breaking my stuff, not unless the person is explicitly invited.

People also have different levels of territoriality. I would be *furious* if I found a note on my front door saying "I've replaced the lock with a better one answering to the same key and fixed the drain in the upstairs shower. -- A Neighbor". It's my space. I don't want random other people in it, without control. Yes, the drain in the upstairs shower is badly designed and could use fixing, but my space. This is something that wouldn't hold in the same way for a corporate system, but as someone else mentioned, corporate secrets, and worse, secrets given to corporations (medical records, financial data, protection programs for witnesses and people fleeing abusers) shouldn't be poked at.

I've heard of people setting up boxes with explicit invitations to the world to crack them, saying things like "I want to test my skills. This is a tweaked RedHat 8 box. Please don't overload my ISP or do bad things to other people's systems, but please do try to break in and, if you can, tell me how you did so." That's perfectly fine by me. The setup in Sneakers is provisionally fine by me, depending on what provisions they made to avoid false stresses on emergency services. (I don't remember details well enough.) Unsolicited cracking isn't. Trying to take apart things explicitly given/sold to generic-you (data, electronics, woodworking, whatever) is mostly okay by me, but not going and poking at ungiven stuff.

"Because it's there" is a good reason for poking at the universe, but it doesn't beat all counterarguments. It justified me trying to remove my own ribcage, but would not have justified me trying to remove someone else's, for instance. The staircase up to my bedroom is a challenge to get furniture up. (It used to be an attic stair, and so is steep, narrow, and twisted, with little clearance.) I don't want to come home to a moving company experimenting with techniques on it.

Re: eep

[identity profile] boojum.livejournal.com 2003-07-29 05:04 pm (UTC)
Retaliation is a completely different thing, yes. (Note to self: dig up amusing series of emails when a script kiddie thought I was trying to break into his system. (I'd left a daemon set at default, which periodically sent query packets out. Unwise, yes, and I fixed it once I'd gotten him to send me logs from his system so I could figure out what was happening.) Immature people are easily cowed by proper and polite language. That was fun, in a very Miss Manners-y control of the situation sort of way.)

I'd read into your original post that you were in favor of unsolicited attempts on other people's systems, and was (probably somewhat hysterically) reacting to that. I've seen the hardening that's gone into Mudd's main CS server to protect it from people who are completely innocently learning on it under the guidance of a teacher. I don't think it's appropriate to cause innocents to need that sort of hardening.