Hackers aren't crackers

Chris Lichti, a 26-year-old senior system designer at a computer company with offices near Pittsburgh, told me in no uncertain terms.
They are a dedicated, workaholic group of aficionados who spend much of their time helping to create and expand the digital world for the love of it, often pro bono, for no other reason than they believe it will help humanity. And mostly, they are getting tired of being equated with the crackers who steal our data, run up bogus phone bills, and send us e-mails whose lips say "love you" while their actions say "fuck you."

And so, without further ado, here are eight things hackers hate about you:

  1. You don't know a hacker from a cracker.

    One of the biggest pet peeves among hackers is the casual assumption that they are all data-thieves and system-attackers. "Crackers" is the proper term for those people.

    "My code controls a product that can, and often does, either improve the quality of medical care, reduce the cost, or both," says hacker Robert Bickford on his Web site, "When some ignorant reporter writes a story that equates the work I do with expensive but childish pranks committed by someone calling himself a 'Hacker,' I see red."

    Hackers are partly to blame for the confusion, because they themselves don't use the terms consistently. "It's an understandable etymological leap," says Pittsburgh-area hacker Mike Weber. "If a computer system has been compromised, you say it's been hacked. But a hacker is not a person who hacks in that definition of 'hack'."

    While there's some small cross-membership between hackers and crackers, Lichti says, "I think there is a growing animosity between the two groups," as hackers increasingly feel targeted by society and the law for the activities of crackers. Most reviled are the "script kiddies": often young, always unsophisticated crackers with flamboyant aliases who do great damage using cracking programs they downloaded from the Web, the workings of which they don't understand.

    "I can say that a lot of attacks are launched by people who don't understand technology," says Jed Pickel, a technical coordinator at Computer Emergency Response Team (CERT) Coordination Center, Carnegie Mellon's national anti-cracking war room. Pickel has seen evidence of crackers trying to give commands in one computer language while cracking a computer that uses another.

    "These are people who take a hacker's discovery and put it to ill use," agrees Weber.

    Hackers consider crackers to be malicious poseurs who have fallen from the true path of hacking. Some use the term "white-hat hacker" to underscore their "good guy" role and further distinguish themselves from crackers.

  2. You don't appreciate a good hack.

    If a hacker isn't a cracker, what is he (or, increasingly, she)? That's a moving target, too, as hackers sometimes use the term in the sense of a life philosophy that could apply to any number of hard-core workaholics with a passion for their calling and an anti-authoritarian streak. In fact, the very idea of a unified voice repels some in the hacker community, who feel that nobody has the right to "speak" for hackers. But most people who call themselves hackers are dedicated to some aspect of computer software or hardware as well.

    Hackers don't completely dodge the geek stereotype. "Contrary to popular myth, you don't have to be a nerd to be a hacker," says Eric Raymond on his Web site, . "It does help, however. ... Being a social outcast helps you stay concentrated on the really important things, like thinking and hacking."

    With characteristic forthrightness, hackers generally embrace geekdom; it's a kind of repudiation of a society that they feel mistreats hackers and other misfits.

    Bickford's Web site defines a hacker as "any person who derives joy from discovering ways to circumvent limitations." Usually, legit hackers use the word "limitations" to apply to problems, often practical problems in making computers and networks work better. Sometimes, however, limitations include security systems. Exactly what a hacker is willing to do -- and where he or she draws the line -- is an important part of the gray area between hacker and cracker.

    "Sometime in the last year, someone I will call a cracker for now discovered a weakness in [Microsoft Windows]," Lichti told me. This person, possibly with no motive worse than warning the computer community about that weakness, created a "worm" called VBS.Network.

    Symantec AntiVirus Research Center's online defines a worm as "a program that is designed to copy itself from one computer to another over a network (e.g. by using e-mail). The worm spreads itself to many computers over a network, and doesn't wait for a human being to help. This means that computer worms spread much more rapidly than computer viruses."

    And VBS.Network did just that: It spread like wildfire throughout the Internet. But VBS.Network was essentially harmless: It spread, but didn't damage the unsuspecting recipients' data.

    The problem with VBS.Network was that, once someone had invented it, it took little skill to turn it into a digital weapon. Someone else, with far less skill, created an imperfect but destructive worm based on the same general idea. Unlike VBS.Network it reproduced itself via e-mail instead of by network connections, and it required the victim to open an attachment that said "I Love You." Since no one acted to close the gap in digital security revealed by VBS.Network, the earlier worm only enabled the malicious cracker who authored the Love Bug and its many copycats.

    To be sure, computer law in many states defines unauthorized access to a computer system to be equivalent to damaging it, whether or not damage was done. (Laws elsewhere in the world can vary from nonexistent to highly draconian.) In much of the U.S., the author of VBS.Network is no less guilty than the creator of the Love Bug. But a spectrum of activities lies between Love Bug, VBS.Network, and legitimate hacking, posing an ethics problem regardless of the law.

    "I want to know how a system can provide secure access to some people, but not others," Lichti says. "Can we improve the system to prevent it from being broken? Do I explore these issues by cracking into a corporate system? Do I crack into my own system, or those of my friends? This is the ethical fine line most hackers dance around."

    "I don't think I'm in a position to be defining a line between hackers and crackers", says CERT's Pickel. He and his colleagues don't even like to use the words "hacker" and "cracker": they say "intruder" or "attacker" for a cracker. "You could even go as far as to say that people who ... do all kinds of damage raise awareness," eventually leading to better computer security.

    Pickel never really told me what he calls hackers -- but he did begrudgingly admit that many of his coworkers at CERT fit the benign definition of the word.

    Many hackers would like to see attitudes about nondestructive hacking change. Damaging someone's data or computer is always wrong, they say; but sometimes, breaking in can be a wake-up call and a warning that prevents real cracking -- which leads us to our next point.

  3. You make it too easy.

    Hackers are amazed at how little the vast majority of computer users bother to understand the technology they depend on so heavily. Hard experience doesn't seem to steer people from stupid errors, such as assigning obvious passwords or opening poorly explained e-mail attachments from people they don't know.

    Ease of cracking is even more of a major bone of contention between hackers and the establishment computer corporations. In one sense, the law has to protect people from being victimized, even -- especially -- if they're easy targets. But many hackers believe that a combination of malice toward hackers and plain old arrogance makes industry types too slow to admit they've made a mistake -- and too quick to kill the messenger. Microsoft is a perennial and favorite, but by no means the only, target of this kind of criticism. Some hackers claim its products are inherently easy to crack.

    VBS.Network, which should have warned people the Love Bug was coming but didn't, is a perfect example of industry hubris, says Lichti. "Perhaps network security specialists were not as concerned about it as they should have been."

    Sometimes a hacker will inform the vendor of a problem in a software product's security. The company's response can vary from a thank-you letter and free software, to ignoring the hacker and denying the problem, to threatening a lawsuit.

    "To report the problem to the vendor is no longer an option," says Lichti, because of the companies who have "attacked the hacker as if he'd exploited the problem" rather than merely discovered it. One arguable example of this -- depending on whom you ask -- is DeCSS, a computer program designed to decode the encryption that the entertainment industry used to prevent people from copying (and pirating) digital video discs.

    "DeCSS was developed because the company that did the encryption for DVDs did [such] a shoddy job ... that any student could decrypt it," says Lichti. "And they did." The industry has responded not by improving the decryption, but by suing a number of hackers and others.

  4. In your eyes, we're guilty until proven innocent.

    The most common refrain among hackers is that, contrary to media stereotypes, they're not out to get the rest of us -- but our paranoia makes us dangerous to them. Often intelligent and introverted, hackers grow up as outsiders. They claim that a few cracking incidents -- as well as school shootings completely unrelated to hacking -- have been used by industry and government to create a witch-hunt for hackers and other misfits of all ages.

    , an online hacker newsletter, is, according to the hackers I spoke with, arguably a voice of the moderate hacker mainstream. Slashdot has run a number of features, many written by print- and cyberjournalist Jon Katz, in which self-proclaimed geeks tell stories of harassment and worse from fellow students, teachers, school boards and the law. Aside from the questions these stories raise about how officials are using their authority over kids, it also underscores hackers' self-image as besieged by the outside culture from an early age.

    "I remember the basic assumption people made about me in [high] school 10 years ago," Lichti said in an e-mail. "When I expressed interest in learning more about computer systems I didn't understand, the assumption was that I intended to do harm."

    Nowadays, "If I found a flaw in some Microsoft software, I wouldn't report it to Microsoft myself; I'd report it to network security experts I know. That might delay the time it takes for a fix to come out," he admits, but if it's a choice between a "happy life versus my facing lawsuits from an out-of-control bureaucracy ... I'm just not willing to take that risk."

    To be fair, Pickel says that CERT is willing to act as a middleman for hackers wanting to warn manufacturers anonymously.

    Lichti's worry, bordering on the paranoid, merits some background on him: meticulous, married, holding a responsible computer industry job, and a deacon in his church, he's not exactly the unkempt, wild-eyed cracker who you might expect from those statements. Something has given him what he feels is good reason to believe that being an otherwise responsible citizen with good motives wouldn't protect him if someone in power decided he was an evil cracker who needed to be brought down.

  5. You kill the messenger.

    The difference between hacking and cracking is hazy and hard to define. Yet the law does insist upon clear definitions, sometimes based on a shaky understanding of the technology. And the consequences for cracking -- or hacking near the edge -- can indeed be severe.

    Consider a story in : The Hacker Quarterly, an online magazine Lichti tells me caters to those on the hazy border between hackers and crackers.

    Ed Cummings, a hacker caught with equipment and a computer configured to phreak -- steal telephone service -- spent most of the time between spring 1995 and fall 1996 in prison. The Secret Service found an online book on bombmaking and some material they thought might be plastic explosives in the house Cummings was living in (the latter turned out to be a dental compound used by the dentist who owned the house). Cummings may or may not have erased incriminating data in one computer device when the police made a visit to his house.

    The Secret Service used this evidence to argue that Cummings was a threat to the President.

    The judge threw the book at Cummings. Among other prisons, he spent time in the maximum-security wing of the Northampton County Correctional Facility near Philadelphia. Also in that wing was Joseph Henry, who had, according to 2600, "bit off a woman's nipples and clitoris before strangling her with a Slinky." Worse, they transferred Cummings -- a procedure usually reserved for snitches -- several times during his incarceration. Cummings claimed to have been harassed by guards; there seems to be no dispute that he was beaten by other prisoners.

    Remember: All they ever really proved was that the guy was stealing telephone service.

    The Northampton County Correctional Facility didn't return my call. It's not exactly a secret that federal laws can punish minor criminals more severely than violent criminals convicted under state laws. But the hacking community looks at this story and sees a guy being punished not because of his crime, but because he's a hacker.

    A more recent case, and one that's appeared, among other places, in the New York Times and Village Voice, is that of Eric Corley and DeCSS. You'll recall that this program allows people to crack the encryption of DVDs. Corley, among others, ran afoul of the Motion Picture Association of America when he posted the code for DeCSS on his 2600 site. Eight MPAA member studios have sued Corley -- along with at least one other suit against others who had posted the software on their sites. The Corley suit is ongoing.

    Nobody accused Corley, who is an Internet journalist but doesn't even consider himself a hacker, of pirating DVDs, or of writing DeCSS. Only of posting it on his Web site.

    At first, the case seemed a slam-dunk for the industry; the judge immediately granted an injunction forcing Corley to remove the program from his site. The plaintiffs have requested another injunction, to prevent him from linking to other sites containing DeCSS. (For now, at least, Corley offers these links at www.2600.com/news/1999/1227-help.html.) As the facts came out, the picture grew murkier -- and less flattering for the industry. For starters, DeCSS is neither needed by nor necessarily the tool of choice for DVD pirates. DeCSS can be used to pirate DVDs by translating them into electronic form and sending the resulting files through the Internet. But at the time Corley posted DeCSS, the size of the average DVD was so large it would have taken up most of a computer's hard drive and been prohibitively slow to transmit -- although new compression technology recently changed that. By contrast, known large-scale piracy operations copy disks bit by bit, without bothering to crack the code, and so don't need DeCSS.

    DeCSS can, however, be used to play a legally purchased DVD on a Linux computer or other hardware that the movie industry hasn't anointed as DVD players. Linux is the operating system of choice for most hackers -- they use neither the Macintosh or Windows operating systems found on most PCs nor the UNIX OS on most mainframes.

    Linux is what's called "open-source" software -- it's essentially free for the asking, group property. Hackers as a community created and continue to develop it. Open-source software, and its egalitarian virtues, is something of a religion among hackers. The entertainment industry hasn't produced Linux DVD software yet. The two Linux projects it is developing will run only on certain proprietary versions of Linux sold by the computer industry.

  6. You won't set computer code free.

    The industry's objections to using DeCSS to, in effect, make a single copy of a movie so that an open-source Linux computer can play it -- arguably analogous to the quite legal practice of making a single cassette copy of a purchased CD for use by its owner -- reveals another, not so savory, possible motive for the suit. Some hackers say that the industry is trying to expand control over copyrighted materials by way of controlling what systems and computers can play DVDs. Potentially, it's a kind of monopoly in which DVDs and the ability to play them are inextricably attached to certain vendors.

    "The real importance of DeCSS is not that it could be used to make a Linux DVD player," said Robert Link in a Slashdot discussion. "The real importance ... is to make DVD an open format ... to make sure that we retain our right to use material that we have legally purchased however we see fit ... It means that when you buy something you own it."

    In a way, say some hackers, the industry is trying to have it both ways: to enjoy the legal protection of copyright or patenting, which normally requires making the information public, while retaining the secrecy of a trade secret -- which, in the non-digital world, is up for grabs to any one who reverse-engineers it.

    In the physical world, you can copy a book you own as long as you don't try to sell the copy or distribute it in large enough numbers to undercut the vendor's ability to make money off of it. In the digital world, thanks to laws like the federal Millennium Digital Copyright Act of 1998, such "fair use" may or may not exist.

    Martin Garbus, Corley's high-powered attorney (thanks to money from the Electronic Frontier Foundation), has said that DeCSS is merely a fair-use tool. He also argues that Corley, as a journalist, has the right to post the DeCSS code as an expression of free speech. Industry lawyers argue that the MDCA and other laws trump fair use -- and, ominously, the First Amendment -- in the digital world.

    That phenomenon -- copyright laws and the First Amendment changing when you enter the digital world -- makes hackers feel targeted. In some cases, mere ownership or transfer of software or hardware capable of cracking is a crime, whether or not the hacker makes use of it, and even when it has legitimate uses. It's as if the government made photocopiers illegal because they could be used to pirate books (the Soviet Union did this), or made ownership of a book on the chemistry of explosive compounds illegal in the absence of any bombmaking. By their nature anti-authoritarian, hackers see this trend as a threat to themselves -- and to all of us.

    Of course, along with this anti-authoritarianism comes diversity. It would be a mistake to assume that all hackers agree where the line between DVD hacking and cracking lies. On Slashdot, Travis Beals, a student at the University of British Columbia who moonlights as a software developer, openly questioned the party line on DeCSS: "If someone can convince me that the primary use of DeCSS is a Linux DVD player, I'll firmly support the effort to fight the restraining order," he wrote. "Otherwise, I'm not so sure what's right ..."

  7. You lump us in with that "Gen X" crap, but we work harder than you.

    One of the most enduring stereotypes of hackers is that of the teenaged boy, listless and apathetic at school, bringing down nuclear-missile computers from his dad's rec room. Leaving aside for a moment that the very concept of Generation X is something of a media creation, hackers especially hate people to assume that they're all lazy kids.

    "I would not say that it is true that most hackers are young," Pittsburgh hacker Weber e-mails. "I would suspect that the average age of the group of crackers is lower than the average age of the group of hackers."

    In an amusing Web site written to help managers understand the hackers who work for them (www.plethora.net/~seebs/faqs/hacker.html), Peter Seebach explains how managers can mistake hackers' unconventional work habits as slacking, while they're nothing of the sort: If a hacker takes a short day, maybe it's because she put in six 12-hour days last week; if he's playing Doom during company time, it may be because he's working through a tough problem.

    "Hackers, writers, and painters all need some amount of time to spend 'percolating' -- doing something else to let their subconscious work on a problem," Seebach wrote. "Your hacker is probably stuck on something difficult. Don't worry about it."

    "The 'Establishment' may view the different approaches to work/play/dress/etc. as 'apathetic and lazy'," Weber e-mails. "But the judgment has no basis in reality, as any judgment based on a stereotype, because stereotypes apply to those you don't wish to understand but [who] bother you." Hackers often work long hours; complaining about the time flexibility they demand (and often get) makes as much sense as complaining when a co-worker demands and gets more money. It may be unfair, but it's a part of the world hackers certainly didn't invent.

    Certainly, the rhetoric of the hacking community gives one the picture of an intense aesthetic philosophy rather than GenX listlessness. "Being a hacker is lots of fun, but it's a kind of fun that takes lots of effort," says Bickford on his Web site. "[T]o be a hacker you have to get a basic thrill from solving problems, sharpening your skills, and exercising your intelligence. ... Becoming a hacker will take intelligence, practice, dedication, and hard work."

  8. Not only do you not like us, but you won't just leave us alone.

    The hackers I spoke with took pains to remind me that they weren't pretending to speak for all hackers. In a group that prides itself on its anti-authoritarianism, this is hardly surprising. What it means, however, is that it's probably impossible to create a list of rules or cardinal beliefs that hold for all hackers.

    A source of debate among hackers is the self-appointed popularizer of hacker culture. Many applaud Jon Katz, for example, for books like Voices from the Hellmouth, which relates horror stories from kids who were targeted for nothing other than being different. Others aren't buying it.

    "I feel like we, the so-called geek community ... are placed behind glass and shown off to the rest of the world by [Katz] ..." said a hacker, identified only by the screen name "Anonymous Coward," on a Slashdot discussion of Voices. "Doesn't he realize ... maybe, just maybe, we just want to be left alone to do our thing?"

writer: KEN CHIACCHIA

ISN is hosted by SecurityFocus.com