Wednesday, July 17, 2019

The Art of War

Sun-Tzu Wu is the reputed author of the Chinese classic Ping-fa (The Art of War), written approximately 475-221 B.C. Penned at a time when China was divided into six or seven states that often resorted to war with each other in their struggles for supremacy, it is a systematic guide to strategy and tactics for rulers and commanders. In doing business on the Internet during this time of rampant computer viruses and hacker attacks it may be wise for us to adopt some of his tactical principles in order to insure the safety of ourselves and our future clients.

Know your enemy and know yourself; in a hundred battles, you will never be defeated. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and of yourself, you are sure to be defeated in every battle.

In a chilling article entitled "Big Brother is Watching," Bob Sullivan of MSNBC recounts a story during a recent visit to London: Only moments after stepping into the Webshack Internet cafe in London's Soho neighborhood, Mark asked me what I thought of George W. Bush and Al Gore. "I wouldn't want Bush running things," he said. "Because he can't run his Web site." Then he showed me a variety of ways to hack Bush's Web sites. That was just the beginning of a far-reaching chat during which the group nearly convinced me Big Brother is in fact here in London. "I don't know if he can run the free world," Mark said. "He can't keep the Texas banking system computers secure."
So-called 2600 clubs are a kind of hacker boy scout organization; there are local 2600 chapters all around the globe. It is in this environment, and this mindset, that London's hackers do their work. They do not analyze computer systems and learn how to break them out of spite, or some childish need to destroy: Mark and friends see themselves as merely accumulating knowledge that could be used in self-defense if necessary. They are the citizens' militia, the Freedom Fighters of the Information Age, trying to stay one step ahead of technology that could one day be turned against them.

Jon-K Adams in his treatise entitled Hacker Ideology (aka Hacking Freedom) states that hackers have been called both techno-revolutionaries and heroes of the computer revolution. Hacking has become a cultural icon about decentralized power. But for all that, hackers are reluctant rebels. They prefer to fight with code than with words. And they would rather appear on the net than at a news conference. Status in the hacker world cannot be granted by the general public: it takes a hacker to know and appreciate a hacker. That's part of the hacker's revolutionary reluctance; the other part is the news media's slant toward sensationalism, such as, "A cyberspace dragnet snared fugitive hacker." The public tends to think of hacking as synonymous with computer crime, with breaking into computers and stealing and destroying valuable data. As a result of this tabloid mentality, the hacker attempts to fade into the digital world, where he (and it is nearly always he) has a place if not a

In his self-conception, the hacker is not a criminal, but rather a person who enjoys exploring the details of programmable systems and how to stretch their capabilities.
Which means that he is not necessarily a computer geek. The hacker defines himself in terms that extend beyond the computer, as an expert or enthusiast of any kind. One might be an astronomy hacker (Jargon File). So in the broadest sense of his self-conception, the hacker hacks knowledge; he wants to know how things work, and the computer, the prototypical programmable system, simply offers more complexity and possibility, and thus more fascination, than most other things.

From this perspective, hacking appears to be a harmless if nerdish enthusiasm. But at the same time, this seemingly innocent enthusiasm is animated by an ideology that leads to a conflict with civil authority. The hacker is motivated by the belief that the search for knowledge is an end in itself and should be unrestricted. But invariably, when a hacker explores programmable systems, he encounters barriers that bureaucracies impose in the name of security. For the hacker, these security measures become arbitrary limits placed on his exploration, or in cases that often lead to confrontation, they become the focus of further explorations: for the hacker, security measures simply represent a more challenging programmable system. As a result, when a hacker explores such systems, he hacks knowledge, but ideologically he hacks the freedom to access knowledge.

Political hackers are another group considering themselves modern freedom fighters.
Hacktivists have officially moved from nerdish extremists to become the political protest visionaries of the digital age, a meeting at the Institute of Contemporary Arts in London was told on Thursday.

Paul Mobbs, an experienced Internet activist and anti-capitalist protestor, will tell attendees that the techniques used by politically minded computer hackers, from jamming corporate networks and sending email viruses to defacing Web sites, have moved into the realm of political campaigning. Mobbs says that the term Hacktivism has been adopted by so many different groups, from peaceful Net campaigners to Internet hate groups, that it is essentially meaningless, but claims that Internet protest is here to stay. "It has a place, whether people like it or not," says Mobbs.

Steve Mizrach in his 1997 speech entitled "Is there a Hacker Ethic for 90s Hackers?" delves into this subject in great detail. He describes the divergent groups of hackers and explains their modus operandi:

I define the computer underground as members of the following six groups. Sometimes I refer to the CU as 90s hackers or new hackers, as opposed to old hackers, who are hackers (old sense of the term) from the 60s who subscribed to the original Hacker Ethic.

Hackers (Crackers, system intruders): These are people who attempt to penetrate security systems on remote computers. This is the new sense of the term, whereas the old sense of the term simply referred to a person who was capable of creating hacks, or elegant, unusual, and unexpected uses of technology. Typical magazines (both print and online) read by hackers include 2600 and Iron Feather Journal.

Phreaks (Phone Phreakers, Blue Boxers): These are people who attempt to use technology to explore and/or control the telephone system.
Originally, this involved the use of blue boxes or tone generators, but as the phone company began using digital instead of electro-mechanical switches, the phreaks became more like hackers. Typical magazines read by Phreaks include Phrack, Line Noize, and New Fone Express.

Virus writers (also, creators of Trojans, worms, logic bombs): These are people who write code which attempts to a) reproduce itself on other systems without authorization and b) often has a side effect, whether that be to display a message, play a prank, or trash a hard drive. Agents and spiders are essentially benevolent virii, raising the question of how underground this activity really is. Typical magazines read by Virus writers include 40HEX.

Pirates: Piracy is sort of a non-technical matter. Originally, it involved breaking copy protection on software, and this activity was called cracking. Nowadays, few software vendors use copy protection, but there are still various minor measures used to prevent the unauthorized duplication of software. Pirates devote themselves to thwarting these things and sharing commercial software freely with their friends. They usually read Pirate Newsletter and Pirate magazine.

Cypherpunks (cryptoanarchists): Cypherpunks freely distribute the tools and methods for making use of strong encryption, which is basically unbreakable except by massive supercomputers. Because the NSA and FBI cannot break strong encryption (which is the basis of the PGP or Pretty Good Privacy), programs that employ it are classified as munitions, and distribution of algorithms that make use of it is a felony. Some cryptoanarchists advocate strong encryption as a tool to completely evade the State, by preventing any access whatsoever to financial or personal information.
They typically read the Cypherpunks mailing list.

Anarchists are committed to distributing illegal (or at least morally suspect) information, including but not limited to data on bombmaking, lockpicking, pornography, drug manufacturing, pirate radio, and cable and satellite TV piracy. In this parlance of the computer underground, anarchists are less likely to advocate the overthrow of government than the simple refusal to obey restrictions on distributing information. They tend to read Cult of the Dead Cow (CDC) and Activist Times Incorporated (ATI).

Cyberpunk: usually some combination of the above, plus interest in technological self-modification, science fiction of the Neuromancer genre, and interest in hardware hacking and street tech. A youth subculture in its own right, with some overlaps with the modern primitive and raver subcultures.

So should we fear these geeky little mischief-makers?

The New York Post revealed recently that a busboy allegedly managed to steal millions of dollars from the world's richest people by stealing their identities and tricking credit agencies and brokerage firms. In his article describing this event Bob Sullivan says, Abraham Abdallah, I think, did us all a favor, for he has exposed as a sham the security at the world's most important financial institutions. The same two free e-mail addresses were used to request financial transfers for six different wealthy Merrill Lynch clients, according to the Post account. Merrill Lynch didn't notice? Why would Merrill accept any transfer requests, and then take any financial communication seriously at all, from a free, obviously unverified anonymous e-mail account?
I'm alarmed by the checks and balances that must be in place at big New York brokerage firms.

Rather than being a story about a genius who almost got away, this is simply one more story of easy identity theft amid a tidal wave of similar crimes. The Federal Trade Commission has received 40,000 complaints of identity theft since it started keeping track two years ago, but the agency is certain that represents only a fraction of real victims. This is a serious problem, long ignored by the industry. In fact, just last year the credit industry beat back a congressional bill known as The Identity Theft Protection Act, claiming it would be too expensive for them. Clearly there has to be more leveling of the playing field. We have to hold banks and credit unions accountable.

Last month the U.S. Federal Bureau of Investigation (FBI) was again warning electronic-commerce Web sites to patch their Windows-based systems to protect their data against hackers.

The FBI's National Infrastructure Protection Center (NIPC) has coordinated investigations over the past several months into organized hacker activities targeting e-commerce sites. More than 40 victims in 20 states have been identified in the ongoing investigations, which have included law enforcement agencies outside the United States and private sector officials.

The investigations have uncovered several organized hacker groups from Russia, the Ukraine, and elsewhere in Eastern Europe that have penetrated U.S. e-commerce and online banking computer systems by exploiting vulnerabilities in the Windows NT operating system, the statement said. Microsoft has released patches for these vulnerabilities, which can be downloaded from Microsoft's Web site for free.
Once the hackers gain access, they download proprietary information, customer databases, and credit card information, according to the FBI. The hackers later contact the company and attempt to extort money by offering to patch the system and by offering to protect the company's systems from exploitation by other hackers.

The hackers tell the victim that without their services they cannot guarantee that other hackers will not access their networks and post stolen credit card information and details about the site's security vulnerability on the Internet. If the company does not pay or hire the group for its security services, the threats escalate, the FBI said. Investigators also believe that in some instances the credit card information is being sold to organized crime groups.

Defend yourself when you cannot defeat the enemy, and attack the enemy when you can.

Scott Culp in a detailed list of security precautions on Microsoft's Web page suggests that there are ten immutable laws of security.

Law 1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore. It's an unfortunate fact of computer science: when a computer program runs, it will do what it's programmed to do, even if it's programmed to be harmful. When you choose to run a program, you are making a decision to turn over control of your computer to it. That's why it's important to never run, or even download, a program from an untrusted source, and by source, I mean the person who wrote it, not the person who gave it to you.

Law 2: If a bad guy can alter the operating system on your computer, it's not your computer anymore. In the end, an operating system is just a series of ones and zeroes that, when interpreted by the processor, cause the machine to do certain things. Change the ones and zeroes, and it will do something different.
To understand why, consider that operating system files are among the most trusted ones on the computer, and they generally run with system-level privileges. That is, they can do absolutely anything. Among other things, they're trusted to manage user accounts, handle password changes, and enforce the rules governing who can do what on the computer. If a bad guy can change them, the now-untrustworthy files will do his bidding, and there's no limit to what he can do. He can steal passwords, make himself an administrator on the machine, or add entirely new functions to the operating system. To prevent this type of attack, make sure that the system files (and the registry, for that matter) are well protected.

Law 3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore. He could mount the ultimate low-tech denial of service attack, and smash your computer with a sledgehammer. He could unplug the computer, haul it out of your building, and hold it for ransom. He could boot the computer from a floppy disk, and reformat your hard drive. But wait, you say, I've configured the BIOS on my computer to prompt for a password when I turn the power on. No problem: if he can open the case and get his hands on the system hardware, he could just replace the BIOS chips. (Actually, there are even easier ways.) He could remove the hard drive from your computer, install it into his computer, and read it. He could make a duplicate of your hard drive and take it back to his lair. Once there, he'd have all the time in the world to conduct brute-force attacks, such as trying every possible logon password. Programs are available to automate this and, given enough time, it's almost certain that he would succeed.
Once that happens, Laws 1 and 2 above apply. He could replace your keyboard with one that contains a radio transmitter. He could then monitor everything you type, including your password.

Always make sure that a computer is physically protected in a way that's consistent with its value, and remember that the value of a machine includes not only the value of the hardware itself, but the value of the data on it, and the value of the access to your network that a bad guy could gain. At a minimum, business-critical machines like domain controllers, database servers, and print/file servers should always be in a locked room that only people charged with administration and maintenance can access. But you may want to consider protecting other machines as well, and potentially using additional protective measures.

If you travel with a laptop, it's absolutely critical that you protect it. The same features that make laptops great to travel with (small size, light weight, and so forth) also make them easy to steal. There are a variety of locks and alarms available for laptops, and some models let you remove the hard drive and carry it with you. You also can use features like the Encrypting File System in Windows 2000 to mitigate the damage if someone succeeded in stealing the computer. But the only way you can know with 100% certainty that your data is safe and the hardware hasn't been tampered with is to keep the laptop on your person at all times while traveling.

Law 4: If you allow a bad guy to upload programs to your web site, it's not your web site any more. This is basically Law 1 in reverse. In that scenario, the bad guy tricks his victim into downloading a harmful program onto his machine and running it. In this one, the bad guy uploads a harmful program to a machine and runs it himself.
Although this scenario is a danger anytime you allow strangers to connect to your machine, web sites are involved in the overwhelming majority of these cases. Many people who operate web sites are too hospitable for their own good, and allow visitors to upload programs to the site and run them. As we've seen above, unpleasant things can happen if a bad guy's program can run on your machine.

If you run a web site, you need to limit what visitors can do. You should only allow a program on your site if you wrote it yourself, or if you trust the developer who wrote it. But that may not be enough. If your web site is one of several hosted on a shared server, you need to be extra careful. If a bad guy can compromise one of the other sites on the server, it's possible he could extend his control to the server itself, in which case he could control all of the sites on it, including yours. If you're on a shared server, it's important to find out what the server administrator's policies are.

Law 5: Weak passwords trump strong security. The purpose of having a logon process is to establish who you are. Once the operating system knows who you are, it can grant or deny requests for system resources appropriately. If a bad guy learns your password, he can log on as you. In fact, as far as the operating system is concerned, he is you. Whatever you can do on the system, he can do as well, because he's you. Maybe he wants to read sensitive information you've stored on your computer, like your email. Maybe you have more privileges on the network than he does, and being you will let him do things he normally couldn't. Or maybe he just wants to do something malicious and blame it on you. In any case, it's worth protecting your credentials.

Always use a password; it's amazing how many accounts have blank passwords. And choose a complex one. Don't use your dog's name, your anniversary date, or the name of the local football team.
And don't use the word "password"! Pick a password that has a mix of upper- and lower-case letters, numbers, punctuation marks, and so forth. Make it as long as possible. And change it often. Once you've picked a strong password, handle it appropriately. Don't write it down. If you absolutely must write it down, at the very least keep it in a safe or a locked drawer; the first thing a bad guy who's hunting for passwords will do is check for a yellow sticky note on the side of your screen, or in the top desk drawer. Don't tell anyone what your password is. Remember what Ben Franklin said: two people can keep a secret, but only if one of them is dead.

Finally, consider using something stronger than passwords to identify yourself to the system. Windows 2000, for instance, supports the use of smart cards, which significantly strengthens the identity checking the system can perform. You may also want to consider biometric products like fingerprint and retina scanners.

Law 6: A machine is only as secure as the administrator is trustworthy. Every computer must have an administrator: someone who can install software, configure the operating system, add and manage user accounts, establish security policies, and handle all the other management tasks associated with keeping a computer up and running. By definition, these tasks require that he have control over the machine.

This puts the administrator in a position of unequalled power. An untrustworthy administrator can negate every other security measure you've taken. He can change the permissions on the machine, modify the system security policies, install malicious software, add bogus users, or do any of a million other things. He can subvert virtually any protective measure in the operating system, because he controls it. Worst of all, he can cover his tracks.
If you have an untrustworthy administrator, you have absolutely no security.

When hiring a system administrator, recognize the position of trust that administrators occupy, and only hire people who warrant that trust. Call his references, and ask them about his previous work record, especially with regard to any security incidents at previous employers. If appropriate for your organization, you may also consider taking a step that banks and other security-conscious companies do, and require that your administrators pass a complete background check at hiring time, and at periodic intervals afterward. Whatever criteria you select, apply them across the board. Don't give anyone administrative privileges on your network unless they've been vetted, and this includes temporary employees and contractors, too.

Next, take steps to help keep honest people honest. Use sign-in/sign-out sheets to track who's been in the server room. (You do have a server room with a locked door, right? If not, re-read Law 3.) Implement a two person rule when installing or upgrading software. Diversify management tasks as much as possible, as a way of minimizing how much power any one administrator has. Also, don't use the Administrator account; instead, give each administrator a separate account with administrative privileges, so you can tell who's doing what. Finally, consider taking steps to make it more difficult for a rogue administrator to cover his tracks. For instance, store audit data on write-only media, or house System A's audit data on System B, and make sure that the two systems have different administrators. The more accountable your administrators are, the less likely you are to have problems.

Law 7: Encrypted data is only as secure as the decryption key. Suppose you installed the biggest, strongest, most secure lock in the world on your front door, but you put the key under the front door mat. It wouldn't really matter how strong the lock is, would it?
The critical factor would be the poor way the key was protected, because if a burglar could find it, he'd have everything he needed to open the lock. Encrypted data works the same way: no matter how strong the cryptoalgorithm is, the data is only as safe as the key that can decrypt it.

Many operating systems and cryptographic software products give you an option to store cryptographic keys on the computer. The advantage is convenience (you don't have to handle the key) but it comes at the cost of security. The keys are usually obfuscated (that is, hidden), and some of the obfuscation methods are quite good. But in the end, no matter how well-hidden the key is, if it's on the machine it can be found. It has to be; after all, the software can find it, so a sufficiently-motivated bad guy could find it, too. Whenever possible, use offline storage for keys. If the key is a word or phrase, memorize it. If not, export it to a floppy disk, make a backup copy, and store the copies in separate, secure locations.

Law 8: An out of date virus scanner is only marginally better than no virus scanner at all. Virus scanners work by comparing the data on your computer against a collection of virus signatures. Each signature is characteristic of a particular virus, and when the scanner finds data in a file, email, or elsewhere that matches the signature, it concludes that it's found a virus. However, a virus scanner can only scan for the viruses it knows about. It's vital that you keep your virus scanner's signature file up to date, as new viruses are created every day.

The problem actually goes a bit deeper than this, though. Typically, a new virus will do the greatest amount of damage during the early stages of its life, precisely because few people will be able to detect it. Once word gets around that a new virus is on the loose and people update their virus signatures, the spread of the virus falls off drastically.
The key is to get ahead of the curve, and have updated signature files on your machine before the virus hits. Virtually every maker of anti-virus software provides a way to get free updated signature files from their web site. In fact, many have push services, in which they'll send notification every time a new signature file is released. Use these services. Also, keep the virus scanner itself (that is, the scanning software) updated as well. Virus writers periodically develop new techniques that require that the scanners change how they do their work.

Law 9: Absolute anonymity isn't practical, in real life or on the web. All human interaction involves exchanging data of some kind. If someone weaves enough of that data together, they can identify you. Think about all the information that a person can glean in just a short conversation with you. In one glance, they can gauge your height, weight, and approximate age. Your accent will probably tell them what country you're from, and may even tell them what region of the country. If you talk about anything other than the weather, you'll probably tell them something about your family, your interests, where you live, and what you do for a living. It doesn't take long for someone to collect enough information to figure out who you are. If you crave absolute anonymity, your best bet is to live in a cave and shun all human contact.

The same thing is true of the Internet. If you visit a web site, the owner can, if he's sufficiently motivated, find out who you are. After all, the ones and zeroes that make up the web session have to be able to find their way to the right place, and that place is your computer. There are a lot of measures you can take to disguise the bits, and the more of them you use, the more thoroughly the bits will be disguised.
For instance, you could use network address translation to bury your actual IP address, subscribe to an anonymizing service that launders the bits by relaying them from one end of the ether to the other, use a different ISP account for different routines, surf legitimate sites only from public kiosks, and so on. All of these make it more difficult to determine who you are, but none of them make it impossible. Do you know for certain who operates the anonymizing service? Maybe its the analogous person who owns the web site you just visited Or what about that innocuous web site you visited yesterday, that offered to mail you a free $10 off coupon? Maybe the owner is willing to share information with other web site owners. If so, the mho web site owner may be able to correlate the information from the two sites and determine who you are.Does this mean that concealing on the web is a at sea cause? Not at all. What it mean is that the best way to protect your privateness on the Internet is the homogeneous as the way you protect your concealment in normal life through your behavior. check the privateness statements on the web sites you visit, and only do business with ones whose practices you agree with. If youre upturned about cookies, disable them. Most importantly, rid of indiscriminate web surfing confess that just as most cities have a bad side of townshipsfolk thats best invalidateed, the Internet does too. But if its complete and total anonymity you want, check expound looking for that cave.The Art of WarSun-Tzu Wu is the reputed author of the Chinese classic Ping-fa (The Art of War), written approximately 475-221 B. C. Penned at a time when China was divided into six or seven states that often resorted to war with each other in their struggles for supremacy, i t is a systematic guide to strategy and tactics for rulers and commanders. 
In doing business on the Internet during this time of rampant computer viruses and hacker attacks it may be wise for us to copy some of his tactical principles in put in to insure the safety of ourselves and our future clients. hump your enemy and know yourself in a hundred battles, you will never be defeated. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and of yourself, you are sure to be defeated in every battle.In a shivery article entitled Big chum salmon is Watching Bob Sullivan of MSNBC recounts a news report during a recent visit to London Only moments after stepping into the Webshack Internet cafe in Londons Soho neighborhood, Mark asked me what I thought of George W. Bush and Al Gore. I wouldnt want Bush running things, he said. Because he cant run his Web site. thus he showed me a variety of ways to hack Bush s Web sites. That was just the beginning of a far-reaching chat during which the group nearly convinced me Big Brother is in fact here in London. I dont know if he can run the free world, Mark said. He cant keep the Texas banking system computers secure.alleged(prenominal) 2600 clubs are a kind of hacker boy scout organization there are local 2600 chapters all around the globe. It is in this environment, and this mindset, that Londons hackers do their work. They do not analyze computer systems and learn how to break them out of spite, or some childish need to destroy Mark and friends see themselves as unless accumulating knowledge that could be used in self-defense if necessary. They are the citizens militia, the Freedom Fighters of the Information Age, trying to stay one step ahead of technology that could one day be turned against them.Jon-K Adams in his treatise entitled Hacker Ideology (aka Hacking Freedom) states that hackers have been called both techno-revolutionaries and h eroes of the computer revolution. 
Hacking has become a cultural icon about decentralized power. But for all that, hackers are reluctant rebels. They prefer to fight with code than with words. And they would rather appear on the net than at a news conference. Status in the hacker world cannot be granted by the general public: it takes a hacker to know and appreciate a hacker. That's part of the hacker's revolutionary reluctance; the other part is the news media's slant toward sensationalism, such as, "A cyberspace dragnet snared fugitive hacker." The public tends to think of hacking as synonymous with computer crime, with breaking into computers and stealing and destroying valuable data. As a result of this tabloid mentality, the hacker attempts to fade into the digital world, where he - and it is almost always he - has a place if not a

In his self-conception, the hacker is not a criminal, but rather a person who enjoys exploring the details of programmable systems and how to stretch their capabilities. Which means that he is not necessarily a computer geek. The hacker defines himself in terms that extend beyond the computer, as an expert or enthusiast of any kind. One might be an astronomy hacker (Jargon File). So in the broadest sense of his self-conception, the hacker hacks knowledge; he wants to know how things work, and the computer - the foremost programmable system - simply offers more complexity and possibility, and thus more fascination, than most other things.

From this perspective, hacking appears to be a harmless if nerdish enthusiasm. But at the same time, this seemingly innocent enthusiasm is animated by an ideology that leads to a conflict with civil authority. The hacker is motivated by the belief that the search for knowledge is an end in itself and should be unrestricted. But invariably, when a hacker explores programmable systems, he encounters barriers that bureaucracies impose in the name of security.
For the hacker, these security measures become arbitrary limits placed on his exploration, or in cases that often lead to confrontation, they become the focus of further explorations: for the hacker, security measures simply represent a more challenging programmable system. As a result, when a hacker explores such systems, he hacks knowledge, but ideologically he hacks the freedom to access knowledge.

Political hackers are another group considering themselves modern freedom fighters. Hacktivists have officially moved from nerdish extremists to become the political protest visionaries of the digital age, a meeting at the Institute of Contemporary Arts in London was told on Thursday.

Paul Mobbs, an experienced Internet activist and anti-capitalist protestor, will tell attendees that the techniques used by politically minded computer hackers, from jamming corporate networks and sending email viruses to defacing Web sites, have moved into the realm of political campaigning. Mobbs says that the term "Hacktivism" has been adopted by so many different groups, from peaceful Net campaigners to Internet hate groups, that it is essentially meaningless, but claims that Internet protest is here to stay. "It has a place, whether people like it or not," says Mobbs.

Steve Mizrach in his 1997 dissertation entitled "Is there a Hacker Ethic for 90s Hackers?" delves into this subject in great detail. He describes the divergent groups of hackers and explains their modus operandi:

I define the computer underground as members of the following six groups. Sometimes I refer to the CU as "90s hackers" or "new hackers," as opposed to old hackers, who are hackers (old sense of the term) from the 60s who subscribed to the original Hacker Ethic.

Hackers (Crackers, system intruders): These are people who attempt to penetrate security systems on remote computers.
This is the new sense of the term, whereas the old sense of the term simply referred to a person who was capable of creating hacks, or elegant, unusual, and unexpected uses of technology. Typical magazines (both print and online) read by hackers include 2600 and Iron Feather Journal.

Phreaks (Phone Phreakers, Blue Boxers): These are people who attempt to use technology to explore and/or control the telephone system. Originally, this involved the use of "blue boxes" or tone generators, but as the phone company began using digital instead of electro-mechanical switches, the phreaks became more like hackers. Typical magazines read by Phreaks include Phrack, Line Noize, and New Fone Express.

Virus writers (also, creators of Trojans, worms, logic bombs): These are people who write code which a) attempts to reproduce itself on other systems without authorization and b) often has a side effect, whether that be to display a message, play a prank, or trash a hard drive. Agents and spiders are essentially benevolent virii, raising the question of how underground this activity really is. Typical magazines read by Virus writers include 40HEX.

Pirates: Piracy is sort of a non-technical matter. Originally, it involved breaking copy protection on software, and this activity was called "cracking." Nowadays, few software vendors use copy protection, but there are still various minor measures used to prevent the unlicensed duplication of software. Pirates devote themselves to thwarting these things and sharing commercial software freely with their friends. They usually read Pirate Newsletter and Pirate magazine.

Cypherpunks (cryptoanarchists): Cypherpunks freely distribute the tools and methods for making use of strong encryption, which is basically unbreakable except by massive supercomputers.
Because the NSA and FBI cannot break strong encryption (which is the basis of PGP, or Pretty Good Privacy), programs that employ it are classified as munitions, and distribution of algorithms that make use of it is a felony. Some cryptoanarchists advocate strong encryption as a tool to completely evade the State, by preventing any access whatsoever to financial or personal information. They typically read the Cypherpunks mailing list.

Anarchists are committed to distributing illegal (or at least morally suspect) information, including but not limited to data on bombmaking, lockpicking, pornography, drug manufacturing, pirate radio, and cable and satellite TV piracy. In this parlance of the computer underground, anarchists are less likely to advocate the overthrow of government than the simple refusal to obey restrictions on distributing information. They tend to read Cult of the Dead Cow (CDC) and Activist Times Incorporated (ATI).

Cyberpunk: usually some combination of the above, plus interest in technical self-modification, science fiction of the Neuromancer genre, and interest in hardware hacking and street tech. A youth subculture in its own right, with some overlaps with the modern primitive and raver subcultures.

So should we fear these geeky little mischief-makers?

The New York Post revealed recently that a busboy allegedly managed to steal millions of dollars from the world's richest people by stealing their identities and tricking credit agencies and brokerage firms. In his article describing this event Bob Sullivan says:

Abraham Abdallah, I think, did us all a favor, for he has exposed as a sham the security at the world's most important financial institutions. The same two free e-mail addresses were used to request financial transfers for six different wealthy Merrill Lynch clients, according to the Post report. Merrill Lynch didn't notice?
Why would Merrill accept any transfer requests, indeed take any financial correspondence seriously at all, from a free, seemingly unverified anonymous e-mail account? I'm alarmed by the checks and balances that must be in place at big New York brokerage firms.

Rather than being a story about a genius who almost got away, this is simply one more story of easy identity theft amid a tidal wave of similar crimes. The Federal Trade Commission has received 40,000 complaints of identity theft since it started keeping track two years ago, but the agency is certain that represents only a fraction of real victims. This is a serious problem, long ignored by the industry. In fact, just last year the credit industry beat back a congressional bill known as The Identity Theft Protection Act, claiming it would be too expensive for them. Clearly there has to be more leveling of the playing field. We have to hold banks and credit unions accountable.

Last month the U.S. Federal Bureau of Investigation (FBI) was again warning electronic-commerce Web sites to patch their Windows-based systems to protect their data against hackers.

The FBI's National Infrastructure Protection Center (NIPC) has coordinated investigations over the past several months into organized hacker activities targeting e-commerce sites. More than 40 victims in 20 states have been identified in the ongoing investigations, which have included law enforcement agencies outside the United States and private sector officials.

The investigations have uncovered several organized hacker groups from Russia, the Ukraine, and elsewhere in Eastern Europe that have penetrated U.S. e-commerce and online banking computer systems by exploiting vulnerabilities in the Windows NT operating system, the statement said. Microsoft has released patches for these vulnerabilities, which can be downloaded from Microsoft's Web site for free.
Once the hackers gain access, they download proprietary information, customer databases, and credit card information, according to the FBI. The hackers subsequently contact the company and attempt to extort money by offering to patch the system and by offering to protect the company's systems from exploitation by other hackers.

The hackers tell the victim that without their services they cannot guarantee that other hackers will not access their networks and post stolen credit card information and details about the site's security vulnerability on the Internet. If the company does not pay or hire the group for its security services, the threats escalate, the FBI said. Investigators also believe that in some instances the credit card information is being sold to organized crime groups.

Defend yourself when you cannot defeat the enemy, and attack the enemy when you can.

Scott Culp, in a detailed list of security precautions on Microsoft's Web page, suggests that there are ten immutable laws of security.

Law 1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore. It's an unfortunate fact of computer science: when a computer program runs, it will do what it's programmed to do, even if it's programmed to be harmful. When you choose to run a program, you are making a decision to turn over control of your computer to it. That's why it's important to never run, or even download, a program from an untrusted source, and by "source," I mean the person who wrote it, not the person who gave it to you.

Law 2: If a bad guy can alter the operating system on your computer, it's not your computer anymore. In the end, an operating system is just a series of ones and zeroes that, when interpreted by the processor, cause the machine to do certain things. Change the ones and zeroes, and it will do something different.
To understand why, consider that operating system files are among the most trusted ones on the computer, and they generally run with system-level privileges. That is, they can do absolutely anything. Among other things, they're trusted to manage user accounts, handle password changes, and enforce the rules governing who can do what on the computer. If a bad guy can change them, the now-untrustworthy files will do his bidding, and there's no limit to what he can do. He can steal passwords, make himself an administrator on the machine, or add entirely new functions to the operating system. To prevent this type of attack, make sure that the system files (and the registry, for that matter) are well protected.

Law 3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore. He could mount the ultimate low-tech denial of service attack, and smash your computer with a sledgehammer. He could unplug the computer, haul it out of your building, and hold it for ransom. He could boot the computer from a floppy disk, and reformat your hard drive. But wait, you say, I've configured the BIOS on my computer to prompt for a password when I turn the power on. No problem: if he can open the case and get his hands on the system hardware, he could just replace the BIOS chips. (Actually, there are even easier ways.) He could remove the hard drive from your computer, install it into his computer, and read it. He could make a duplicate of your hard drive and take it back to his lair. Once there, he'd have all the time in the world to conduct brute-force attacks, such as trying every possible logon password. Programs are available to automate this and, given enough time, it's almost certain that he would succeed. Once that happens, Laws 1 and 2 above apply. He could replace your keyboard with one that contains a radio transmitter.
He could then monitor everything you type, including your password.

Always make sure that a computer is physically protected in a way that's consistent with its value, and remember that the value of a machine includes not only the value of the hardware itself, but the value of the data on it, and the value of the access to your network that a bad guy could gain. At a minimum, business-critical machines like domain controllers, database servers, and print/file servers should always be in a locked room that only people charged with administration and maintenance can access. But you may want to consider protecting other machines as well, and potentially using additional protective measures.

If you travel with a laptop, it's absolutely critical that you protect it. The same features that make laptops great to travel with (small size, light weight, and so forth) also make them easy to steal. There are a variety of locks and alarms available for laptops, and some models let you remove the hard drive and carry it with you. You also can use features like the Encrypting File System in Windows 2000 to mitigate the damage if someone succeeded in stealing the computer. But the only way you can know with 100% certainty that your data is safe and the hardware hasn't been tampered with is to keep the laptop on your person at all times while traveling.

Law 4: If you allow a bad guy to upload programs to your web site, it's not your web site any more. This is basically Law 1 in reverse. In that scenario, the bad guy tricks his victim into downloading a harmful program onto his machine and running it. In this one, the bad guy uploads a harmful program to a machine and runs it himself. Although this scenario is a danger anytime you allow strangers to connect to your machine, web sites are involved in the overwhelming majority of these cases. Many people who operate web sites are too hospitable for their own good, and allow visitors to upload programs to the site and run them.
As we've seen above, unpleasant things can happen if a bad guy's program can run on your machine.

If you run a web site, you need to limit what visitors can do. You should only allow a program on your site if you wrote it yourself, or if you trust the developer who wrote it. But that may not be enough. If your web site is one of several hosted on a shared server, you need to be extra careful. If a bad guy can compromise one of the other sites on the server, it's possible he could extend his control to the server itself, in which case he could control all of the sites on it, including yours. If you're on a shared server, it's important to find out what the server administrator's policies are.

Law 5: Weak passwords trump strong security. The purpose of having a logon process is to establish who you are. Once the operating system knows who you are, it can grant or deny requests for system resources appropriately. If a bad guy learns your password, he can log on as you. In fact, as far as the operating system is concerned, he is you. Whatever you can do on the system, he can do as well, because he's you. Maybe he wants to read sensitive information you've stored on your computer, like your email. Maybe you have more privileges on the network than he does, and being you will let him do things he normally couldn't. Or maybe he just wants to do something malicious and blame it on you. In any case, it's worth protecting your credentials.

Always use a password; it's amazing how many accounts have blank passwords. And choose a complex one. Don't use your dog's name, your anniversary date, or the name of the local football team. And don't use the word "password"! Pick a password that has a mix of upper- and lower-case letters, numbers, punctuation marks, and so forth. Make it as long as possible. And change it often. Once you've picked a strong password, handle it appropriately. Don't write it down.
If you absolutely must write it down, at the very least keep it in a safe or a locked drawer; the first thing a bad guy who's hunting for passwords will do is check for a yellow sticky note on the side of your screen, or in the top desk drawer. Don't tell anyone what your password is. Remember what Ben Franklin said: two people can keep a secret, but only if one of them is dead.

Finally, consider using something stronger than passwords to identify yourself to the system. Windows 2000, for instance, supports the use of smart cards, which significantly strengthens the identity checking the system can perform. You may also want to consider biometric products like fingerprint and retina scanners.

Law 6: A machine is only as secure as the administrator is trustworthy. Every computer must have an administrator: someone who can install software, configure the operating system, add and manage user accounts, establish security policies, and handle all the other management tasks associated with keeping a computer up and running. By definition, these tasks require that he have control over the machine.

This puts the administrator in a position of unequalled power. An untrustworthy administrator can negate every other security measure you've taken. He can change the permissions on the machine, modify the system security policies, install malicious software, add bogus users, or do any of a million other things. He can subvert virtually any protective measure in the operating system, because he controls it. Worst of all, he can cover his tracks. If you have an untrustworthy administrator, you have absolutely no security.

When hiring a system administrator, recognize the position of trust that administrators occupy, and only hire people who warrant that trust. Call his references, and ask them about his previous work record, especially with regard to any security incidents at previous employers.
If appropriate for your organization, you may also consider taking a step that banks and other security-conscious companies do, and require that your administrators pass a complete background check at hiring time, and at periodic intervals afterward. Whatever criteria you select, apply them across the board. Don't give anyone administrative privileges on your network unless they've been vetted, and this includes temporary employees and contractors, too.

Next, take steps to help keep honest people honest. Use sign-in/sign-out sheets to track who's been in the server room. (You do have a server room with a locked door, right? If not, re-read Law 3.) Implement a "two person" rule when installing or upgrading software. Diversify management tasks as much as possible, as a way of minimizing how much power any one administrator has. Also, don't use the Administrator account; instead, give each administrator a separate account with administrative privileges, so you can tell who's doing what. Finally, consider taking steps to make it more difficult for a rogue administrator to cover his tracks. For instance, store audit data on write-only media, or house System A's audit data on System B, and make sure that the two systems have different administrators. The more accountable your administrators are, the less likely you are to have problems.

Law 7: Encrypted data is only as secure as the decryption key. Suppose you installed the biggest, strongest, most secure lock in the world on your front door, but you put the key under the front door mat. It wouldn't really matter how strong the lock is, would it? The critical factor would be the poor way the key was protected, because if a burglar could find it, he'd have everything he needed to open the lock.
Encrypted data works the same way: no matter how strong the cryptoalgorithm is, the data is only as safe as the key that can decrypt it.

Many operating systems and cryptographic software products give you an option to store cryptographic keys on the computer. The advantage is convenience (you don't have to handle the key), but it comes at the cost of security. The keys are usually obfuscated (that is, hidden), and some of the obfuscation methods are quite good. But in the end, no matter how well-hidden the key is, if it's on the machine it can be found. It has to be: after all, the software can find it, so a sufficiently-motivated bad guy could find it, too. Whenever possible, use offline storage for keys. If the key is a word or phrase, memorize it. If not, export it to a floppy disk, make a backup copy, and store the copies in separate, secure locations.

Law 8: An out of date virus scanner is only marginally better than no virus scanner at all. Virus scanners work by comparing the data on your computer against a collection of virus "signatures." Each signature is characteristic of a particular virus, and when the scanner finds data in a file, email, or elsewhere that matches the signature, it concludes that it's found a virus. However, a virus scanner can only scan for the viruses it knows about. It's vital that you keep your virus scanner's signature file up to date, as new viruses are created every day.

The problem actually goes a bit deeper than this, though. Typically, a new virus will do the greatest amount of damage during the early stages of its life, precisely because few people will be able to detect it. Once word gets around that a new virus is on the loose and people update their virus signatures, the spread of the virus falls off drastically. The key is to get ahead of the curve, and have updated signature files on your machine before the virus hits.
Virtually every maker of anti-virus software provides a way to get free updated signature files from their web site. In fact, many have "push" services, in which they'll send notification every time a new signature file is released. Use these services. Also, keep the virus scanner itself (that is, the scanning software) updated as well. Virus writers periodically develop new techniques that require that the scanners change how they do their work.

Law 9: Absolute anonymity isn't practical, in real life or on the web. All human interaction involves exchanging data of some kind. If someone weaves enough of that data together, they can identify you. Think about all the information that a person can glean in just a short conversation with you. In one glance, they can gauge your height, weight, and approximate age. Your accent will probably tell them what country you're from, and may even tell them what region of the country. If you talk about anything other than the weather, you'll probably tell them something about your family, your interests, where you live, and what you do for a living. It doesn't take long for someone to collect enough information to figure out who you are. If you crave absolute anonymity, your best bet is to live in a cave and shun all human contact.

The same thing is true of the Internet. If you visit a web site, the owner can, if he's sufficiently motivated, find out who you are. After all, the ones and zeroes that make up the web session have to be able to find their way to the right place, and that place is your computer. There are a lot of measures you can take to disguise the bits, and the more of them you use, the more thoroughly the bits will be disguised.
For instance, you could use network address translation to mask your actual IP address, subscribe to an anonymizing service that launders the bits by relaying them from one end of the ether to the other, use a different ISP account for different purposes, surf certain sites only from public kiosks, and so on. All of these make it more difficult to determine who you are, but none of them make it impossible. Do you know for certain who operates the anonymizing service? Maybe it's the same person who owns the web site you just visited! Or what about that innocuous web site you visited yesterday, that offered to mail you a free $10 off coupon? Maybe the owner is willing to share information with other web site owners. If so, the second web site owner may be able to correlate the information from the two sites and determine who you are.

Does this mean that privacy on the web is a lost cause? Not at all. What it means is that the best way to protect your privacy on the Internet is the same as the way you protect your privacy in normal life: through your behavior. Read the privacy statements on the web sites you visit, and only do business with ones whose practices you agree with. If you're worried about cookies, disable them. Most importantly, avoid indiscriminate web surfing: recognize that just as most cities have a bad side of town that's best avoided, the Internet does too. But if it's complete and total anonymity you want, better start looking for that cave.
