Guest column: Kill-the-hacker stories cause for shudder?

Hacking just isn't what it used to be. We're referring to a recent event in China, where two brothers were sentenced to death for using computers to redirect the equivalent of $US31,400 to bank accounts they controlled.

Most of us regard this sentence as extreme, but it raises some interesting questions about the grey area between hacking and cracking, and how best to deal with such incidents. We haven't seen figures, but we suspect that such dreadful and swift retaliation against computer crime will reduce its incidence, at least in the short term. But how effective is this stance in the long term, and does it matter, considering how speeding electrons ignore national boundaries?

The first reaction to being attacked via a computer network is often one of intense confusion and frustration, followed closely by the desire to put a direct and immediate end to the situation by whatever means possible. We suspect that the sentences for the two brothers in China were set as examples by a government that lacks sophistication in computer security and would rather deal with the problem in a strong-arm fashion. This works fine, of course, until the lack of sophistication becomes a liability in detecting such exploits.

Revenge is sweet

We are seeing a replay of this same sentiment in the United States "strike-back" movement. (See www.cnn.com/TECH/computing/9901/12/cybervigilantes.idg/index.html.) Strike-back involves launching technological and nontechnological countermeasures against would-be attackers. For example, a firewall server detecting a port scan from a specific IP address could be configured to launch a SYN flood in reply. (Secure Computing offered a similar counteroffensive capability with its Sidewinder firewall in 1994.)

Granted, strike-back measures are easily foiled by address spoofing, and some of this sentiment grows out of frustration with law enforcement. Still, does anyone worry that there are some striking similarities in the visceral reaction to hacking embodied by strike-back and the deadly retribution meted out by the Chinese government? One of the great parables of one of our favorite film series, The Godfather, is how cold-blooded, ruthless behavior often consumes those bent on revenge, not just their enemies.

Experienced security professionals realise that keeping a low profile and paying attention to basics such as blocking and logging is a better long-term bet than trying to stamp out every port scan and banner grab. And because of the intimate relationship between today's hacker and tomorrow's security solutions, we would be foolish to try anyway.

"Hacker" or "cracker"?

Every so often we are forced to defend our use of the term "hacker" (instead of "cracker") in our writings. We are painfully aware of each term's traditional difference, but the word hacker has changed. Rancor over the commandeering of the term by the popular press won't change the fact that hackers break into things as a way of life. Whether their motivation is malice or just curiosity is often lost on the owners of the systems they break into.

Which is not to say that hackers should be arrested and/or put to death. The hacking tradition is one of open and full disclosure, and this may be the more appropriate distinction between a security researcher and a common thief. Without the drive to disassemble -- to see things in a different light -- security would not be progressive. The best expression of this sentiment comes from a successful group of hackers, the L0pht: "Making the theoretical practical since 1992."

Now that we have landed ourselves squarely in the pro-hacking camp, where do you sit? Is our society too soft on computer crime, or short-sighted and intolerant? Does our life-or-death dependency on electronic information systems call for more serious punishments of computer crimes, or will it stamp out innovation and free thought? Let us know at securitywatch@infoworld.com.

Stuart McClure is a senior manager and Joel Scambray is a manager at Ernst & Young's Information Security Services. They have managed information security in academic, corporate, and government environments for the past nine years.
