
Reproduction: The Extinction of Hackers

I read this a long time ago. It is worth reproducing.

   The Extinction of Hackers

                             by fx@phenoelit.de

Abstract

   The Hacker community looks at the end of their era. The reason is not
   the always-propagated 1985 type of government, which we surely see in
   many places being perfected. Neither is it the big evil corporations
   hunting down and suing all the hackers, preventing freedom of speech
   and teaming up with the evil governments. The reason is something so
   simple that most of the people in the community would never notice it:
   there is no young blood to speak of. The entire community ages linearly
   with the people who developed it to what it is now. At the same time,
   the technology and the respective hacker techniques get more
   complicated, complex and demanding, so that there is almost no chance
   any more to grow apprentice hackers.

Introduction

   I call myself a hacker. It's a title I carry with pride. It's a title I
   looked up to when I wasn't entitled to name myself one. I decided for
   myself when I was ready for the title, and honestly, I don't remember
   anymore when and why this happened. There will always be people who do
   not think I'm worth the title and there seem to be some thinking I am.

   The term Hacker has many sides and facets and everyone likes some of
   it and doesn't like others. There are the aspects describing wizard
   like handling of technology, the black magic of breaking into
   computers and networks. There is the question of using these skills to
   do good or evil and the definition of what good or evil is. For many
   people, especially in what they call the scene, there is also the
   lifestyle.

   It doesn't matter if you think of hackers as the ones who write viruses
   and worms, the ones who wear black all the time and are rarely seen
   without their laptop computer, the people who publish security issues
   with all kinds of software and make the companies fix them for free or
   the ones who protect your personal data from being distributed all
   over the government and industry by showing the same that it's not
   secure to do so. You might even think of hackers as the ones who broke
   into all your web sites and replaced the start page with an ugly text
   making fun of you.

   At the end, it doesn't change the fact that the hacker community did
   have an important role to play in the rise of the Internet (no, not
   just the Web). It's hard to say what the whole Dotcom time would have
   been without people constantly breaking all the fancy new stuff. Or do
   you want to drive a car where only the manufacturer tested it and told
   you it will be perfectly safe for you? Ford Explorer anyone?

   Anyhow, for the purpose of this text, think of hackers as renegade
   computer experts and take my word for it that we need them. If you
   don't, there is no point in reading the remaining text.

Random observations

   The following is a list of random observations, just to draw the
   sceptic reader into the picture:
     * The last hacker event I attended (less than a month ago) had an
       average age of almost 30 and people were congratulating each other
       for still hacking.
     * From all hackers I know personally, only two or three are less
       than 20 years old.
     * On a closed, so-called elite email list, a fellow hacker was
       celebrated for solving a simple task in Visual Basic. Any junior
       hacker proposing the same would have been crucified for it.
     * All new members of established hacker groups I heard of in the
       last two years were over 25 years old.
     * Everyone I know trying to get into hacking has the primary goal of
       writing buffer overflow exploits. Most of them don't actually know
       why this is their final goal and almost all give up before
       reaching it.
     * Every presentation I did on the topic of hacker development had an
       audience full of 30+ people.
     * Every young hacker I know either got tired of the community and
       left or stopped hacking in favour of just hanging out and talking.
     * There haven't been any groundbreaking works in the last two years,
       except for one technique, which was developed by a teenage hacker.

   If you don't see a pattern emerging or don't think this pattern has a
   bitter taste to it, you should probably consider reading something
   else now.

   Some will now question if there is really a problem and if my random
   observations actually reflect the real world. The only thing I can say
   is: look around you. How many speakers at conferences you visit are
   younger than 22 years? Only a few years ago, I attended conferences
   with more than 5 speakers being teenagers. Today, there are none. That
   alone should speak for itself.

Unsorted list of reasons

   So the obvious question is: why is the community aging so badly and
   why don't we see smart, aggressive, young blood taking over from the
   old farts?

Late starts

   One of the more obvious reasons may be the age at which people start
   hacking. Although all the old farts in the scene will state
   differently, hacking has its peak of fascination when you are a
   teenager, and that's not a bad thing.

   Teenagers can dream a lot more than people in the twenties can. There
   is still time to think about the boring parts of life later: learning,
   graduating, finding a job and earning money. Getting into hacking is
   almost completely different than getting seriously into computers. But
   both have something in common: you need to play around a lot, which
   takes a lot of time and dedication. This dedication is hard to muster
   when you are an adult. But the dream of having the power to access any
   computer system on earth you want can result in a lot of dedication in
   a teenager. And, this dream is a lot more realistic than becoming a
   rock star.

   There is also the fact that nobody really knows how one learns hacking
   from the ground up. The teenage hackers just play around and after a
   couple of years they suddenly are hackers. When being asked how to
   become a hacker, many people just don't have any answer. Those of us
   who spent some time thinking about it will answer with a list of
   skills you need. This list tends to be large enough to keep a
   reasonably intelligent person busy until retirement. Interestingly
   enough, following such a list does not produce hackers.

   The third advantage for teenagers is knowledge or the lack thereof. It
   is common wisdom that knowledge and experience get in the way when
   you try to be creative. People tend to imitate themselves when they
   found something works. Teenage hackers don't have this limitation.
   Teenagers developed many of the great breakthroughs in attack
   techniques on all fronts. Often in computer security, the trick is to
   be not impressed with the defences or the odds of getting in. If you
   think you know how much work a specific attack is, you either don't do
   it because it's trivial or you don't do it because it's too much work.
   But if you don't know, you just do it.

   Fact is, very few teenagers are getting into hacking in the last
   five years, and if they do, other aspects prevent them from becoming
   any good. Keep reading.

Stupid statements

   Interestingly, some of the old farts actually realise the problem, but
   offer an easy excuse why it exists and why they cannot do anything
   about it:
   "The young hackers did not build their first computer, but got it for
   xmas with Windows preinstalled and a lot of computer games. They
   cannot understand the fundamentals, therefore, they cannot become good
   hackers."
   This is arrogant bullshit. Just because a young hacker started with
   Windows98 and his first programming attempts were in HTML, it does not
   mean anything. It's a different way to get started, not the wrong way.
   Besides, the old farts stating something like that wouldn't be able to
   program for shit, even if their life would depend on it. So why bother
   listening to them?

The Meritocracy

   A commonly agreed upon fact is that the hacker community is a
   meritocracy. This means that your rank in the community depends mainly
   on how much magic hacker points you collected. It should be obvious
   that I'm not referring to an official counting scheme but rather to a
   rating in the perception of other hackers.

   There is a major problem with that approach: the jury. The community
   is clustered around a relatively small number of fairly well known
   people. These people almost exclusively influence the joint opinion of
   the community. But these people are all part of the old farts club.
   For an apprentice hacker, it's hard or almost impossible to be
   recognised as good or outstanding without impressing the old farts
   club.

   Now, the established leaders of the hacker community often have very
   little interest in openly stating that a youngster's work is way beyond
   them. People being glued to their chairs is a common problem and the
   hacker community is no exception. The old farts fear to degrade
   themselves by giving magic hacker points to young people. For some of
   the old farts it's also their job security @stake. Most of them realise
   this fact at some point in time, but usually too late. A common sight
   is the late attempt to hand over to a younger (but still increasingly
   old) generation, only to find that the juniors forgot how to have
   their own style. Consequentially, the juniors fail to lead by example
   and keep relying on the seniors to tell them how.

   Another aspect of the meritocracy and the established leaders has as
   much impact as the first: the established leaders show the paved path
   on which they came from being nobody to being a hacker. The junior
   people either follow this path, learn how to write buffer overflow
   exploits and shell codes, although this attack vector might be extinct
   in the near future, or they won't be accepted. The few intelligent and
   promising young people in the scene stop respecting the established
   leaders and, since everybody else looks up to them, stop feeling
   comfortable with the entire scene. Interestingly enough, this is also
   one of the reasons there are so few female hackers, but I leave the
   discussion of this topic to other, more appropriate people.

   Bottom line of the meritocracy, which used to be a good thing, is
   that apprentice hackers either follow antiquated paradigms and out-dated
   personalities or turn their back on the community because they're not
   accepted.

Too easy and too hard

   In a highly technological environment, the technology itself has a big
   impact on the demographics of the people dealing with it. There is an
   interesting connection between the way the computer security defences
   developed in the last years and the influence this has on the hacker
   community.

   When starting with hacking ten years ago, it was all about exposed
   services, weak passwords and buffer overflows. Today's digital world is
   a lot different. Many operating systems are shipped with various
   anti-hacker technologies built in and every company has at least a
   firewall. That doesn't mean it's harder now, because there are also the
   myriads of web applications, web services and new programming
   languages and paradigms.

   When starting today, the junior hacker probably starts reading the
   established mailing lists, only to discover that they are full of
   Linux distributions reporting fixed packages and companies posting
   vulnerability information without any details. The only issues found
   on these lists that a newbie would probably understand are Cross Site
   Scripting attacks. Naturally, the newbie will start looking for those
   himself and may end up posting some of them, without ever
   understanding which XSS effects of a web application can actually be
   used for an attack and which are just HTML games.[1]

   Assuming the newbie actually spends some time reading through papers
   and discovers SQL injections, there is a huge step between the two.
   SQL injections work by modifying a programming language (SQL)
   statement partially, mostly blindly, and work differently on different
   back end database platforms, which the attacker usually doesn't know.
   This means, suddenly it's no longer just imitation but understanding
   SQL, relational databases and web application architectures. And since
   these applications are often written in different languages, just add
   learning Perl, PHP and a little Java to the list of requirements.

   It should be obvious from this little example just how big the steps
   between two classes of attacks are. And since the established
   community so effectively prevents the next generations from developing
   their own attacks, there is little an apprentice hacker can do but
   learn all of it. Now, that's what I call hard, boring and reward-free
   work. Is that hacking? It's so not.

   On the other hand, there are so many juicy technologies the industry
   comes up with that a young hacker could be interested in. But instead of
   encouraging an apprentice hacker to start looking at whatever he finds
   interesting and pointing out just how many interesting things are out
   there, the established clan of senior people require more and more
   superficial proofs of skill.

   From a purely technological point of view, it might make sense to
   require prerequisites. But if a young and dedicated candidate wants to
   hack .NET or Java, asking him to learn C and C++ buffer overflow
   exploitation and shell codes from Aleph1 to today is extremely
   counterproductive. The promising young fellow is pushed into the
   thinking pattern of the old generation, all dedication is used up and
   there is almost no satisfaction in it for him or her. That's exactly what
   is not wanted. You can bet that the most effective attacks against
   .NET applications will have nothing to do with buffer overflows. And
   you can bet whoever discovers them is below 25.

Wrong focus

   The established community and its rules have the effect of distracting
   young hackers from their own, personal goals. You are not accepted as
   a hacker if you run Windows (there are very few exceptions). If you
   are not an established and respected person, you must run at least
   Linux, but never one of the large distributions like RedHat or Suse,
   even if your goal is hacking in the Microsoft .NET environment.

   There is no doubt that working with Linux, FreeBSD, OpenBSD and MacOS
   X will teach you a lot. But if that's not what you are interested in,
   why bother? It just wastes a lot of valuable time, during which you
   could have read another book or two about the Windows architecture.

   Actually, in the time required to get into Linux, the person probably
   developed more new attacks against Windows than the Linux priest ever
   heard of. Holy wars about operating systems and programming languages
   are for people who basically have nothing else to do. But the
   apprentice hacker, when trying to join a community or hacker group, is
   forced to convert to their religion, meaning their operating system of
   choice, distribution and programming language.

   I have witnessed promising young hackers being attacked for running
   the wrong window manager on their Linux X Window System, while the
   person complaining was actually saying X Windows[2]. In many other
   communities, teaching the basics works quite well and establishing
   good standards helps the newbie to not waste his/her time. Not so with
   computers and hacking. Telling people what they need to use as tools
   is stupid and does not support creative thinking. Showing people what
   tools there are and trying to be objective is. The new generation
   needs the freedom to make their own decisions.

Conclusion, kind of

   Software doubles in size approximately every 18 months. The industry
   invents new systems, programming languages, protocols and products
   like ice cream flavours. Our personal data is distributed in global
   networks without anyone on earth understanding all the routes it
   takes. Even the companies who want to secure their software and
   systems don't know where to find the right people to do it.

   The community, the industry and the society as a whole need smart,
   aggressive, young blood taking over the hackers' banner. It's time the
   role models realise what their task and their responsibility is,
   namely to encourage young hackers to do their own thing and stop
   telling them how something should be done. This is not science; this is
   hacking, where reinventing the wheel is not necessarily a bad thing.
   The task is to help (re)inventing, not to show them your wheel from
   five years ago, it's rotten anyway.
   _______________________

   [1] As a rule of thumb, if the web application transports
   authentication or session information in the URL or as a cookie, the
   XSS is usable for an attack.

   [2] Which is a faux pas, so much for the politically correct choice of
   Window Managers.
