Junk Science



Bad Hacker, Good Hacker


Good hackers go to heaven, bad hackers go everywhere. But who are these hackers, and what is so bad or so good about them? What do they do? Where do they go? Trying to answer these questions raises even more. Consider the following recent incidents.


The Code Red Worm started its attack around July 13th, burrowing into a known “hole” or “vulnerability” in the web-server software from Microsoft (called IIS). The worm compromised the servers and defaced web sites by replacing the contents with a page that proclaimed “Hacked by Chinese”. Code Red not only defaced web sites, but also injected programs into the compromised servers that started attacking the US President’s web site, using a “Distributed Denial of Service” (or DDoS) attack. The DDoS attack is a particularly heinous gimmick that uses hundreds of thousands of compromised computers to simultaneously send a flood of spurious messages to a particular web site. This flood causes the computers at the attacked site to get bogged down, and unable to function normally. Again on August 1st, the worm reappeared and caused plenty of woes. 


Dmitry Sklyarov is a 26-year-old Russian citizen and a Ph.D. student who studies cryptography. He also works for a Russian company called ElcomSoft, and is the main developer of a software system called the “Advanced eBook Processor”. The AeBP software breaks the so-called secure encryption built into electronic books (an invention of Adobe Systems). Dmitry arrived in the United States as an invited speaker, to talk to a rather large group of computer security experts at a conference called DEFCON, in Las Vegas. After his speech, federal agents acting on a tip-off by Adobe Systems stormed his hotel room (on July 17th) and arrested him for violating US laws on hacking. He is in jail.


Carnegie Mellon University had a team of very dedicated people who worked on deflecting attacks on computer systems. This team was known as the “Computer Emergency Response Team”, but is now called the CERT Coordination Center. The CERT delves into the inner mechanisms of worms and viruses, figuring out how each one works and how to stop its spread. CERT sends out immediate bulletins to millions of subscribers as soon as a naughty bug is detected. Similar groups exist at universities and other organizations; they purposely hack into systems, dissect software and uncover vulnerabilities. They publish their findings, urging software manufacturers to plug the holes.


Software that messes up computer systems is called a virus or a worm. The people who play with these things are often called “hackers”. Code Red is one of thousands of worms unleashed on the Internet. The designers of Code Red are bad hackers and are criminals. The CERT people and their ilk are the good hackers who provide a valuable service to the community.


Dmitry is also a hacker, who probably did no harm. He invented a way of defeating the encryption on the eBook system. The encryption was broken to start with (bad design). Dmitry’s crime was that he told people how to break the encryption in his conference speech. While free speech is protected in the US, a sinister law called the DMCA (Digital Millennium Copyright Act) makes it illegal to distribute methods for breaking security on copyrighted material. Hence, Dmitry is technically a criminal, but hopefully the law will be found to be grossly overbearing.


The word “hacker” has a checkered past. Originally the word was coined to mean an “extreme programmer”. Normal programmers write programs that do normal things. Hackers are very sharp people with a deeper understanding of how computers work and can write programs that do things programs are not supposed to do. Programmers can make computers compute, hackers can make a computer sing, dance and fly—or crash.


After the antics of some destructive hackers became publicly known, the news media started calling those destructive people “hackers”. The hacker community was quite upset. “Hackers are good people”, they cried. “These criminals should be called crackers”. However, the damage was done; today, hacker means a bad person who writes programs designed to cause harm.


Worms and viruses are the infections of the computer world. The worm is a self-contained, replicating program that burrows its way from computer to computer, causing harm. A virus is a program fragment that needs to attach itself to a host program in order to live. Once a virus attaches itself, then it can replicate and travel and cause harm. As for the effects they can cause, worms and viruses are identical.


In theory, worms and viruses cannot exist. Computer operating systems are designed such that external programs cannot be injected into them. But obviously this is not true. The first Internet Worm was written almost by accident. A graduate student at MIT, called Robert Morris, thought he had found a flaw in the way Email software works. He then wrote a program to exploit the flaw and to test his hypothesis. His program sent messages over the Internet to every machine it could find and made these machines send more messages over the Internet. Of course, the general consensus was that writing such a program is not possible, because one machine cannot make another machine do something it is not supposed to do.


But Morris was right. His program worked better than he had imagined. It clogged up the entire Internet on November 2, 1988 (at this point the Internet had less than a thousand machines connected to it). Of course no one knew how to stop the worm from spreading, as no one had ever seen anything like it. So the fix was drastic: all the machines on the Internet were shut off and rebooted. That killed the Morris worm. For trying this experiment, Morris went to jail.


Morris had invented the “Buffer Overflow Attack”, the same technique used by the Code Red worm. This technique works as follows. Suppose a computer connected to the Internet is waiting to receive a message—it expects a message of maybe 10 words. We send it a humongous message—several million words long. The computer stores the message and then looks at it. However, while storing the message, the faulty software does not check whether there is enough free memory to hold it. So the message ends up being stored on top of programs that are already in the computer’s memory (overwriting those programs). Subsequently, when the computer tries to execute one of the now overwritten programs, it ends up executing the contents of the long message. This gives the sender of the message complete control over what the computer executes.
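The missing check the column describes, shown in C. This is an added illustration, not code from the column or from any real server: a receiver with a fixed-size buffer, the faulty copy that never asks whether the message fits, and the corrected copy that measures first and refuses anything too long. The struct, function names and the field `handler_id` (standing in for the "programs already in memory" that lie beyond the buffer) are all assumptions made for the example.

```c
/* Added example: unchecked versus bounds-checked message storage.
 * All names are illustrative; none come from a real program. */
#include <stdio.h>
#include <string.h>

#define MSG_CAPACITY 64   /* the "10 words" the receiver expects */

/* Receiver state: a fixed-size buffer followed by a field that later code
 * consults. Any byte written past `message` lands on `handler_id`, just as
 * the column's oversized message lands on top of neighbouring programs. */
struct receiver {
    char message[MSG_CAPACITY];
    int  handler_id;
};

/* Faulty version: copies until the sender's terminating NUL and never asks
 * whether the message fits. With a message of MSG_CAPACITY bytes or more
 * this writes past `message`. Kept only to show the defect; it is never
 * called with an oversized message here. */
void store_message_unchecked(struct receiver *r, const char *incoming)
{
    strcpy(r->message, incoming);
}

/* Fixed version: measure first, refuse anything that does not fit (the
 * terminating NUL needs a byte too), and copy only what was measured.
 * Returns 0 on success, -1 if the message was rejected untouched. */
int store_message_checked(struct receiver *r, const char *incoming)
{
    size_t len = strlen(incoming);
    if (len >= MSG_CAPACITY)
        return -1;
    memcpy(r->message, incoming, len + 1);
    return 0;
}

/* Returns 1 if the field beyond the buffer still holds the expected value,
 * i.e. nothing spilled over it. */
int handler_intact(const struct receiver *r, int expected)
{
    return r->handler_id == expected;
}

int main(void)
{
    struct receiver r;
    char huge[4096];                      /* constructed oversized message */
    memset(huge, 'A', sizeof huge - 1);
    huge[sizeof huge - 1] = '\0';

    r.handler_id = 7;
    if (store_message_checked(&r, "hello, this fits") == 0)
        printf("short message accepted; handler_id still %d\n", r.handler_id);
    if (store_message_checked(&r, huge) == -1)
        printf("oversized message rejected; handler_id still %d\n", r.handler_id);
    /* store_message_unchecked(&r, huge) would overwrite handler_id and the
     * memory beyond it; deliberately not executed. */
    return 0;
}
```

The boundary matters: a 63-byte message fits (63 characters plus the NUL), a 64-byte message does not, and the checked version rejects the long one before writing a single byte, so `handler_id` is untouched either way.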


Over the years the hackers have found, invented, perfected and finessed a whole slew of innovative tricks to fool the protections built into computer operating systems. Before the days of the Internet, the viruses were “boot-sector” viruses. These program fragments lived on diskettes, and when the diskette was put into a machine, attached themselves to some part of the operating system. Subsequently, any diskette written on the infected machine carried the virus. Then came macro viruses, using the programming language built into MS Word. An innocuous document is mailed to a user who opens it, and the macro in the document comes to life and damages the computer. It may even send itself out via email from the victim’s computer. Quite easy to write, but also quite insidious. Then came many more Email viruses and worms that used a plethora of tricks called “Trojan Horses”. A complete documentation of the types and techniques would fill volumes.


Finally, today, the virus-writing state of the art has become really sophisticated. Any kid with a computer can find a “phreaking” site, that is, a web site run by senior hackers who want to tell everyone how to cause trouble. These sites have complete explanations of how to write viruses along with pre-written programs. All the kid has to do is pick the features he or she wants, and the site will generate a custom virus (also called a script) that can be used for nefarious purposes. The youngsters who use these virus generators are called “script-kiddies”. To help the script-kiddy out, the phreaker sites also provide “root-kits”. Root kits are sophisticated software that, when aimed at a site, will penetrate the site and then replace all the software on the site with software that makes the presence of the virus on the system invisible. For example, all the files containing the virus become invisible, as the program that displays files is replaced by a new program that displays all files other than virus files. Very well thought out, very neat and pretty dangerous in the hands of stupid script kiddies.
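The replaced file-listing program described above is caught by what rootkit detectors call a cross-view check: list the directory through the listing program and again directly through the operating system's `readdir()`, and any name that appears only in the second view is one the listing program is hiding. The C program below is an added example, not code from the column or from any real detector; the function names are invented for it, and the stand-alone `main` compares `ls -a1` with `readdir()` on the current directory using POSIX calls (`popen`, `opendir`).

```c
/* Added example: cross-view detection of hidden directory entries.
 * Function names are illustrative; the technique is the generic one. */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAMES 256
#define NAME_LEN  256

/* Compare two views of the same directory. `raw` is what the kernel returns
 * through readdir(); `reported` is what the file-listing program printed.
 * Every name in `raw` that never appears in `reported` is copied into
 * `hidden`. Returns the number of hidden names found. */
int find_hidden_names(const char raw[][NAME_LEN], int raw_count,
                      const char reported[][NAME_LEN], int reported_count,
                      char hidden[][NAME_LEN], int max_hidden)
{
    int found = 0;
    for (int i = 0; i < raw_count; i++) {
        int seen = 0;
        for (int j = 0; j < reported_count && !seen; j++)
            seen = (strcmp(raw[i], reported[j]) == 0);
        if (!seen && found < max_hidden) {
            strncpy(hidden[found], raw[i], NAME_LEN - 1);
            hidden[found][NAME_LEN - 1] = '\0';
            found++;
        }
    }
    return found;
}

/* View 1: entries of `path` exactly as readdir() hands them over. */
static int read_dir_names(const char *path, char names[][NAME_LEN], int max)
{
    DIR *d = opendir(path);
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    while (n < max && (e = readdir(d)) != NULL) {
        strncpy(names[n], e->d_name, NAME_LEN - 1);
        names[n][NAME_LEN - 1] = '\0';
        n++;
    }
    closedir(d);
    return n;
}

/* View 2: the lines printed by `ls -a1 <path>`, the view a user normally
 * trusts. A replaced `ls` of the kind the column describes would be the
 * view with entries missing. */
static int read_ls_names(const char *path, char names[][NAME_LEN], int max)
{
    char cmd[NAME_LEN + 16];
    snprintf(cmd, sizeof cmd, "ls -a1 '%s'", path);
    FILE *p = popen(cmd, "r");
    if (!p) return -1;
    int n = 0;
    while (n < max && fgets(names[n], NAME_LEN, p) != NULL) {
        names[n][strcspn(names[n], "\n")] = '\0';
        n++;
    }
    pclose(p);
    return n;
}

int main(void)
{
    static char raw[MAX_NAMES][NAME_LEN], reported[MAX_NAMES][NAME_LEN];
    static char hidden[MAX_NAMES][NAME_LEN];
    int nr = read_dir_names(".", raw, MAX_NAMES);
    int nl = read_ls_names(".", reported, MAX_NAMES);
    if (nr < 0 || nl < 0) {
        fprintf(stderr, "could not list the current directory\n");
        return 1;
    }
    int nh = find_hidden_names(raw, nr, reported, nl, hidden, MAX_NAMES);
    printf("%d entries via readdir, %d via ls, %d not shown by ls\n", nr, nl, nh);
    for (int i = 0; i < nh; i++)
        printf("  hidden: %s\n", hidden[i]);
    return 0;
}
```

On a clean system the two views agree and the program reports zero hidden entries. The comparison is only as good as the second view: a root-kit that also patches the kernel's directory code defeats it, which is why serious checks also compare against a view taken from a separate, known-clean boot medium.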


The attacks on the Internet are made possible by an ancient design error. The Internet was not designed to be a large public network. It was designed to be a closed network used by trustworthy people inside the US military and universities. Today the vulnerabilities are causing heartburn for all those who depend on the network. The hackers are running amok, and the fear of legal action is not enough of a deterrent (the challenge is to cause harm and not get caught). The solution? Who knows?



Partha Dasgupta is on the faculty of the Computer Science and Engineering Department at Arizona State University in Tempe. His specializations are in the areas of Operating Systems, Cryptography and Networking. His homepage is at http://cactus.eas.asu.edu/partha.



