Yet Another Explanation of What “Hacking” Really Means
If you’ve read a book or two about networking or security (and if you’re here I’ll bet you have), you’ve already had to read some version of where the word “hacker” comes from and what “hacking” really means. But what began as a title of honor has been corrupted by the media into a synonym for “criminal.” That’s a shame, because criminalizing curiosity and solution-finding steers both students and professionals away from a critical awareness we all need.
People use the term “hacking” in a whole range of ways, aside from the “sociopath computer geek” meaning. “Life hacking” is finding clever solutions to life’s challenges; “Ikea hacking” is building something original from the stuff you find at Ikea, like, say, a go-kart. I’ll bet Ikea never had go-karts in mind, but would you be a criminal if you built one using furniture components? In theory, no; but try the same test with your cell phone (or don’t because “hacking” it might in fact be a criminal act).
But we’re not talking about life hacking or Ikea hacking here. We’re talking about hacking in its original sense: exploring the world of systems and networks in which we all live, cobbling things together, testing things, breaking stuff, fixing it. We’re talking about computer hacking.
Most cyber-security material, even if it uses the word “hacker,” is about regulatory compliance, or security awareness, or protecting corporate systems. That’s not us, at least not in these courses. These courses are about how to hack.
[ Hacking 101 ] is the introductory freshman course: learning the basics, and making some decisions about, hacking. It covers some of the basics of research, exploring with your digital senses, mapping and understanding the world’s digital terrain. We’ll give you a huge amount of information, but you’ll also do a lot of homework. The biggest part of being a hacker, after all, is learning to do it yourself.
We’ll help you stretch your new abilities and introduce you to the vast array of tools and resources available to the budding hacker. We’ll explain the footprinting > scanning > enumerating > exploiting process, and look at the kinds of things you can do once you’ve successfully exploited a system.
One of our main priorities is giving you the information you need to hack safely, which is to say invisibly. The heavy thud of boots in the hall and that pounding on the door are sure signs of unsuccessful hacking. That’s why we’ll talk about how to preserve your privacy and confidentiality, which are two very different things. As you begin the lessons for these freshman courses, remember that one of the most critical things is to hack safely. But another is to have fun. So do both.
Yeah breaker one nine this here’s the Rubber Duck
Uh, you got a copy on me Pig Pen C’mon
Uh yeah Ten-Four Pig Pen fer sure fer sure.
-C.W. McCall, “Convoy”
Long before there were hackers, there were truckers. Truckers understand the need for handles in the Citizens’ Band (CB) radio world. People are coming and going, real names are useless or dangerous, and descriptive terms are a lot easier to remember.
Hackers use handles for some of the same reasons. One legendary hacker promoted the fun fact that a whistle packaged in boxes of Cap’n Crunch cereal emitted exactly the right tone to initiate a free long-distance phone call (phreaking). He will be Captain Crunch essentially forever in the hacker universe. Others created handles by playing with spelling (Phiber Optik, Dzen Hacks), referencing antique space opera (Mentor) or thumping their chest (MafiaBoy). Gigabyte earned her rep over a decade ago; St. Jude died deeply beloved; Susy Thunder was just being kooky (and kicked ass all over DEC).
Do you need a handle? Seriously, what’s the point anymore? Do any of us kid ourselves that we have a secret super-hero identity? Probably not … depending on our reasons for hacking. In the US, most people take privacy and confidentiality and safety for granted. In Europe, the data privacy laws could legitimately be called “ominous,” at least for organizations that had better comply with them. But there are plenty of countries and regions where revealing your identity might be highly dangerous, depending on your politics or religion. So in some cases, an online handle might not be just a good idea, it might be mandatory.
Even in cases where your life isn’t at stake, using a handle is awfully smart. Did you find a vulnerability in your school’s network? Reporting it might be an unpopular move. Found a problem with a vendor’s software? You might be in trouble from the instant you admit you were testing it. You could just report things anonymously (which is harder than you think), but that has one major problem: you don’t establish a reliable communication channel, and you may need one. If authorities know they are at least dealing with a single individual, for instance, any dialog that’s necessary can happen more safely.
Do you believe in free speech? Does your government? You can’t take this for granted, because there are so many shades of “free.” For instance, if you have free speech (in theory), is it safe to exercise it? Why do we have all these whistleblower-protection laws; in fact, why should we even need them?
We need them because free speech often challenges those in power, or those who have an interest in preserving the status quo, or those who have done things they don’t want made public. Any of these situations can be dangerous, or even outright deadly, depending on where you are. A handle lets you establish a consistent character online, and say your piece to your heart’s content. People will come to recognize your positions on issues – or at least the positions your handle (your alter ego) espouses. Speaking from behind a mask also protects you from those who mean well but misunderstand you, or those who flatly mean you ill.
One of the thinks you’re going to do at the end of this lesson is choose a handle. It should mean something to you, even if it’s a misleading meaning (sometimes those are the most clever handles). Tempting as it may be to want to be The Flash, you’re likely to be competing with thousands of 11-year-olds who like that name too. But if you’re interested in anime too, which for a long time came almost exclusively in Flash format, Flash Gundam might have some appeal.
Should you be Deadly Ninja or Silent_Avenger? Uh, are you really a deadly ninja? Because pretending to be one invites the real ninjas to show you the ropes, and the chains and the knives too. I once thought along this line and decided, Okay, I’ll be Fluffy-Bunny, until a friend pointed out that the handle made me sound like a cousin of PedoBear. Thanks, never mind.
Should you make up a name in leet speak (1337)? Like Haxor75 because you’re a hacker born in 1975? Or Sh@d0w? There are about nine hundred “Shadows” out there using different characters for the letters. They end up just sounding pretentious, and ironically those unique spellings help researchers pin handles to individuals.
You can try for something more directly relevant, if that’s safe. Do you teach for a living? How about Professor Thwackum? Do you run a bookstore? How about ExLibris? Just remember to avoid giving away too much. Don’t use the real name of your bookstore, unless you’re deliberately being provocative. In many cases, it’s not going to be safe to provide the least hint who you are.
Should your handle be your email address?
Good God, no. Not unless you have a separate, private, confidential, protected email account just for that identity.
In a larger sense, your various identifiers and names should have one, and only one, function apiece. The login name you use at your company or school should never be the same name as your company email address. (That’s a serious rookie administrator mistake, one you may capitalize on later in your hacking career.) If your login name is Costanza, your email address had better not be email@example.com. Unless you really, really want us to come read your email.
Do remember, though: if one of the reasons you’re creating a handle is to report something, you likely need to establish a persistent communication channel with the people you’re reporting the problem to. Anonymous complaints or reports get a lot less credence than reports that are clearly backed up by someone who can be contacted again. At some point, depending on circumstances, you may need to come forward to identify yourself. Normally you’d want to keep private forever, but if the situation warrants it, you might prove you’re the person who made the report by proving you can access the email account used by the whistle-blower.
What you can do with your handle
By now you should be realizing that a handle amounts to an identity. A handle is ideal for the kind of research and communication hackers need. Want to visit that IRC channel where the double-top-secret hacking tools are shared? Or that forum where the seasoned hackers actually answer questions? Will you eventually become an information source yourself? You need a handle for that facet of your life.
Consider the opportunities: you can start a blog or bulletin board of your own. This calls for commitment; you’re going to spend a lot of time on either of these, but they’re also excellent vehicles for enhancing your fame, assuming you give a damn about fame. You could do these to enhance your infamy, too, if that gives you a bigger kick.
You got to keep ‘em separated
Once you’ve established a separate identity, or handle, play this game seriously. When you’re “in character” with your handle, never mention your real self, real job, real school, real employer, real partner – nothing. Get paranoid about this, for reasons you’ll see as you take this course.
This is particularly critical when you’re using your handle to report a vulnerable web site, a leaky server or an exploitable application – especially to your employer, your parent or your teacher.
It’s critical to understand what you’re protecting here. Security training often focuses on the Magical Triad: Confidentiality, Integrity and Availability.
Confidentiality, in our world, means people can’t read your stuff. In the world of cyber security, it means encryption: your data is literally unreadable. In the context of handles, it means communicating via confidential (encrypted) means when you’re using a handle.
Integrity means your data hasn’t been altered, which is awfully important when you are negotiating immunity or proving a point. In our world, we use hashing to prove that data hasn’t been altered.
Availability means your goodies aren’t being blocked by a Denial of Service (DoS) attack, or being kept from you by some other means. Ensuring things are available keeps system admins paying weekly fees to ulcer doctors.
Notice that there’s no mention of Privacy there? Privacy is what you have when nobody knows who you are or what you’re doing. Corporations and governments don’t actually value privacy, at least for you; they want to know everything they can about you. You, on the other hand, may not have been taught sharing as a child, and might not want to be so friendly. Privacy is your friend. Your best friend. Don’t share.
Privacy is necessary for an open society in the electronic age. Privacy is not secrecy. A private matter is something one doesn’t want the whole world to know, but a secret matter is something one doesn’t want anybody to know. Privacy is the power to selectively reveal oneself to the world.
-Eric Hughes, “A Cypherpunk’s Manifesto”
Using your handle for fun and reputation
Okay, you may want a sexy handle that’ll attract attention as you gain fame and respect for your hacking activities. Giant-Panda may not strike quite the note that Poltergeist666 might, assuming that your main qualities are persistence and noisiness. The bigger issue is that you’re bragging, though as a certain person once said, “It ain’t bragging if you can do it.” You may find it wiser to conceal exactly what you can do.
Or go ahead and be DeathAdder or whatever you like at the moment, and burn through handles like TV spies burn cell phones. Just remember that some day when you’re the author of some magnificent cyber-universe-shaking exploit that saves the free world you’re going to be stuck with HoseWrangler or whatever you’re using at the moment.
In any case, you may eventually attain the degree of respect that you can safely come out from behind your handle and reveal who you really are. This is actually quite an achievement, one not many hackers actually see.
Do you need multiple handles?
So should you have more than one handle? Depending on your main activities, or the various private activities you engage in, this may be mandatory.
If you’re an uber-geek you’re familiar with Jung’s shadow or shadow aspect, the hidden form(s) of your personality. If you read popular soft porn you’re familiar with Fifty Shades of Gray, with “shades” meaning the different layers of personality of one Mr. Gray. Either way, it’s no surprise we’re all composed of multiple sides, like the facets of a jewel. You may not want to reveal all our shades to everyone.
Depending on the areas you’re working in, you may want multiple handles. You might use some, or all, only once. Just remember: unless you take additional precautions, you might make things easier for someone who’s trying to hunt you down. For instance, many bulletin boards show each user’s IP address; one IP used by many different “users” is a pretty obvious clue that someone’s playing games.
But you may want to segregate your identities in a different way, namely:
Using multiple identities
You could consider each distinct handle you use an identity, but remember: the real purpose of a real handle is to remain anonymous. What I’m talking about here is creating an entire background identity for the handle to point to, openly or secretly.
This technique involves creating email accounts and possibly social media presences. If you’re a genuine spy this is probably worth the time. For us mere mortals, it may be too much work to keep up. It is useful, though, to have a “spam address” for pure junk, and another false identity for all those sites you have to sign up for, and maybe another one for sharing files and other private collaboration. In this scenario these identities are Mike and Joe and Greg, not Dark_Knight.
The point is still this: don’t allow any connection between these accounts. This can be almost supernaturally difficult, so in the real world do the best you can. When you realize your mistakes, you become better at the privacy game for the next round.
Being a ghost
There’s a breed of hacker who doesn’t want fame and will never willingly out themselves. If you’re going to be one of these, you may not have a real handle per se, but you may use handles as layers of curtains between you and the world.
You’re going to have to be a master of secrecy to pull this off. Don’t hang around any venue for long. Don’t use any handle for long. Use technology like VPNs to hide your real IP address, and change servers often.
Even more important is varying your language, style and personality in print. Take it from me: any good English teacher learns to recognize a particular writer very quickly. Use one or two unique words, or the same pattern of misspelling, under more than one handle, and you’ll raise suspicions faster than you’d think.
There’s a cost in privacy every time you post. If you don’t consider every word carefully, you’ll reveal details that can be traced back to you. If you expose the same detail under two different handles, a determined researcher will connect them and potentially build a connection to you.
Kiddies want to brag about what they’ve done. Mafioso don’t know nothin’ and don’t say nothin’. You can decide to be either or neither, though it’s hard to be both. If you’re a true genius you may manage to keep two identities like this separated, but the talkative handle can never brag about the most stunning exploits of the silent persona.
101.1 Do you have a secret hacker identity you conceal from the whole rest of the world? One way or another, you do. So, what is your handle? (Don’t tell me or anyone the answer to this question.)
101.2 Who said “It ain’t bragging if you can do it”? Is that actually exactly what they said? What is this person’s real name? What is their handle?
101.3 Find “A Cypherpunk’s Manifesto”. Read it. Save a copy of it. Think about it for the next 20 years.
101.4 Read this article from the very excellent null-byte, including the comments:
Choose the one single most important sentence in the article.
101.5 Some of the most important stuff you’ll find on the Internet comes in the form of Word docs, Excel spreadsheets and PDFs left laying around on websites. This is a great place to introduce Google Advanced Search Operators, if you’re not using them already. First, see this page:
Next, go to the Wikipedia entry for “List of hackers”. Note that some handles are matched to users, while other users don’t use them – or their handles aren’t known. Pick one of these handles (which in this list, obviously, already has a name associated with it).
Create and run a Google search that finds Word docs for your chosen handle. Try it again for docx files, xls and xlsx files, and pdf files. Do you find anything that connects your chosen handle to a person? Get used to looking beyond the first page of results.
101.6 There actually is a hacker out there who uses the handle nobody. Identify this person. There’s a sort of Unix joke here: who is the “nobody” user on a Unix/Linux/Mac system?