Thursday, 8 May 2008

Taming the Wild Wild Web

In many ways, although this is slowly changing, the Internet and Web have many parallels to the ideal of a frontier. The Wild Wild Web (west) of the Internet (Behan, 1995) is slowly fading as new laws and methods of enforcement are brought to bear.

In this frontier world of the Internet, the mythology of the antihero has played a large part in the cultural development surrounding the Internet. In this analogous context, people such as Simon Vallor play the role of the western hero. Like Butch and Sundance in the US, or the Kellys in Australia, the role of the outlaw holds a particularly strong psychological enticement for those who feel disenfranchised (Zur, 1991).

Through the creation of computer code to wreak digital havoc, the antihero makes his/her stand against society by thrusting themselves into the limelight. Like the outlaws of old, their reputation requires that they are caught. By making an example of them in the public press and providing for a mythological level of intrigue and technological magic to detail the simple acts they create, the common press promulgates this analogy (Bowser, 2004).

To burst this bubble, we need to demystify the antihero. We need to show them for what they are. People like Kevin Mitnick, for instance, have grown in infamy through their exploits (Littman, 1997). However, all they have done is break the law. Mr Mitnick was a simple confidence trickster with skill in the ability to deceive. Why do we reward this?

Destruction is easy; creation is difficult and requires skill. By allowing the hacker antihero mythos to survive we allow this disenfranchisement of our rights and society's rules to occur.


References and further reading:

Behan, Catherine (1995) “Taming the wild, wild Web” [April 25, 1996] The University of Chicago Chronicle, University of Chicago Vol. 15, No. 16
Bell, D. Elliott & LaPadula, Leonard J. (1973). "Secure Computer Systems: Mathematical Foundations". MITRE Corporation.
Bell, D. Elliott and LaPadula, Leonard J. (1976). "Secure Computer Systems: Unified Exposition and MULTICS Interpretation". MITRE Corporation.
Bell, David (December, 2005). "Looking Back at the Bell-La Padula Model". Proc. 21st Annual Computer Security Applications Conference.
Bishop, Matt (2003). “Computer Security: Art and Science”. Boston: Addison Wesley.
Biba, K. J. (1977) “Integrity Considerations for Secure Computer Systems, Technical Report” MTR-3153, MITRE Corporation, Bedford, Massachusetts, April 1977.
Bosworth, Seymour & Kabay, M. E. (Ed.) (2002) “Computer security Handbook” Fourth Edition, John Wiley & Sons Inc. USA
Bowser, Diane J. (2004) “Being-in-the-Web: A Philosophical Investigation of Digital Existence in the Virtual Age.” PhD Dissertation proposal, Duquesne University
Casella, George & Berger, Roger L (2002) “Statistical Inference” Duxbury Advanced Series
CSI/FBI (2006) “Computer Crime and Security Survey” http://www.gocsi.com/
DTI (2006) “A Director’s Guide, Information Security” Dept. of Trade and Industry UK
ISO 17799:1/17799:2 Standards Australia
Leveson, Nancy & Turner, Clark S. (1993) “An Investigation of the Therac-25 Accidents” IEEE Computer, Vol. 26, No. 7, July 1993, pp. 18-41
Littman, Jonathan, (1997) “The Watchman: The Twisted Life and Crimes of Serial Hacker Kevin Poulsen” Little, Brown and Company; 1st edition
McLean, John. (1994). "Security Models". Encyclopedia of Software Engineering 2: 1136–1145. New York: John Wiley & Sons, Inc.
NIST (800-12) “An Introduction to Computer Security: The NIST Handbook” (Special Publication 800-12)
NIST (800-27) “Computer Security” (Special Publication 800-27)
NIST (800-30) “Risk Management Guide for Information Technology Systems” (Special Publication 800-30), 2002
NIST (800-41) “Guidelines on Firewalls and Firewall Policy” (Special Publication 800-41)
NIST (800-42) “Guideline on Network Security Testing” NIST Special Publication 800-42
Panko, Raymond R. (2004) “Corporate Computer and Network Security” Pearson Prentice Hall, NJ
Rice, John A. (1999) “Mathematical Statistics and Data Analysis” Duxbury Press
Shimomura, Tsutomu & Markoff, John (1996) “Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw-By the Man Who Did It”, Warner Books Inc
Stein, L. D. (1998) “Web Security”, Addison-Wesley
Volonino, Linda & Robinson, Stephen R. (2004) “Principles and practice of Information Security”, Pearson Prentice Hall, NJ
Wells, Joseph T, (2004) “Corporate Fraud Handbook” ACFE, John Wiley & Sons
Zur, O. (1991). The love of hating: The psychology of Enmity. History of European Ideas, 13(4), 345-369

5 comments:

DanPhilpott said...

You write a huge assumption into your post, that the hacker antihero is destructive. When you were in grade school hackers were writing the best information available about security. Hackers have created huge volumes of code and security knowledge. This is not to say that there are not destructive hackers or that the destructive hackers are the majority. Today most 'hackers' are not the antiheroes of yore, they are criminals and script kiddies. But to claim the mantle of creation and reject hackers' contributions as wholly destructive is simply wrong.

And as for having to get caught for their exploits to become famous, that depends on what you consider famous. Plenty of hackers are famous without getting caught.

Nice list of references. Try revisiting the NIST site, the 800 series has some excellent new documents with a general IT security scope (115, 123, 30, 39, 92, 100, etc.). Also instructive are the Syngress books "Stealing The ..." which provide a hacker-eye view of the highly creative process of compromising system security.

Craig S Wright said...

Actually Dan, it is you who are making the assumptions.

First, thanks for thinking I am younger than I am. My first email account was in 1979, so we are talking the 80's for the timeframe of what you relate to based on the assertions.

Actually, I have also revisited the NIST site as well. I do it weekly, but the existence of a document does not make it a reference or I could also add CIS and DISA ones.

You are also using the past assertion of a "hacker" mythos as a benevolent coder. This terminology has not been valid for decades. In the 90's there may have been a cracker / hacker divide, but perceptions are based on a common phraseology and taxonomy, not that of a few diehards.

When I was in grade school hackers were doing little to improve security other than ... well sorry I can not see it. We are talking 80's and pre web here.

You make an assertion of creativity. Please provide some evidence if any is available. You state that to "reject hackers' contributions as wholly destructive is simply wrong". Please provide evidence to this assertion.

Or rather are we talking again the cult of the anti and people who want to think that they are bad...

Regards,
Craig

DanPhilpott said...

I was not being facetious when I said it was a nice list of references, it is a good list. The reason to revisit the NIST web site is the large amount of new guidance released recently. The SP 800-123 Guidance on General Server Security is well worth a read. The SP 800-100 Information Security Handbook: A Guide for Managers is a good way to get managers (and especially Federal managers) up to speed. And speaking to your previous post about the SDLC, the draft of SP 800-64 Revision 2, Security Considerations in the SDLC was released in March.

If you want to reference happenings in the 80’s look no further than textfiles.com and thebbs.org. We can talk about hackers doing good in that time frame if you like. For example, there was the guy who discovered jackpotting and told the banks about this huge security hole in their ATM networks. Oddly enough that was hushed up, bankers don’t like news of bad security leaking out.

As to the question of 'evidence of this assertion' to creativity, the evidence is in the head of the hacker. It’s that bit of creativity that looks at a nuance of system implementation and goes, “That’s not right” then finds a way to turn it into root access. Evidence of that is available at http://nvd.nist.gov. For good examples of the creative process that happens in the hacker's head when contemplating a system attack look to the Syngress "Stealing The Network" book series (How To Own A Continent, How To Own The Box, etc.). If ever there were a group of people who took the question "What if" seriously, these are they.

For evidence of the creative process, I'd start by pointing out that almost every major category of security software is derived from hacker tools. Even now many of the most useful software packages in the security field were originally written by hackers or derivative of hacker tools. Examples would be nmap, metasploit, crack, cain & abel, nessus, etc. More evidence of the hackers' creativity in the security field can be easily had by walking down the halls of a Black Hat Briefing, DefCon, ShmooCon, H.O.P.E or any beery congregation of security experts.

Let’s talk about hackers who have done things in other creative arenas of creativity. Do you remember Operation Sun Devil where the Secret Service took down Steve Jackson Games? Why did they do that? Because the guy who wrote GURPS Cyberpunk, Loyd Blankenship, was a hacker and happened to work at SJG. This miscarriage of justice led directly to the creation of the EFF. And there’s the Syngress series of books mentioned previously, “Stealing The Network”, which is written by hackers.

One area where I can only provide anecdotal evidence is that there is a disproportionately large showing of hackers and ex-hackers in the gaming industry. I think the first I knew of was Lord British's partner in business, Chuckles, coauthor of the Ultima series of games. Of course I say anecdotal because unless they choose to out themselves I’ll not be doing it for them.

And let's talk about a guy who arguably straddles the line between the old hacker definition and the new. According to Steven Levy this fellow considered himself the last true hacker. Symbolics accused him of theft of trade secrets for reverse engineering their software, which fits the new definition of hacker. At MIT he decrypted users' passwords and sent them the plaintext. He also helped write Emacs, contributed to Lisp, founded the Free Software Foundation and inspired the creation of most of the codebase found on Linux systems. He was, of course, Richard Stallman.

As to whether I use the 'outdated' definition of a benevolent coder or a more narrow definition which is entirely restricted to computer criminals, I use neither in particular, but both in general. Which is to say I use the broad definition encompassing both along with the sense that a hacker is an investigator of their own curiosity who does not always stop investigating because of questions of legality. Some hackers are black hat, some are grey hat, some are white hat and some even call themselves ethical. As a term 'hacker' is not now, never has been and never will be singularly synonymous with 'computer criminal'. Wiki's disambiguation page on hacker is eloquently unbiased on this point.

Pardon if I go silent, I will be out of town and offline for the weekend.

Craig S Wright said...

In that case (“I was not being facetious when I said it was a nice list of references”), thank you and my sincere apologies.

I think the distinction we have is in the derivation of hacker. I am more focused.

I also have a view that being once a hacker does not make you always as such, but that we cannot grant a boon for the past poor behavior.

You can be a software coder without having to break the law.

Craig S Wright said...

I am continuing this in a new post: