July 3rd, 2011


Preaching To The Choir

So I was going to do a "Top Ten Computer-related Pet Peeves In TSN Fandom" post, but then I realized that all I wanted to do was bitch about hacking.

I have so, so, so many issues with how people write about hacking.

Hacking is kind of difficult. Yeah, they're smart guys, and yeah, I'm convinced that they can do it, but there's also a certain degree of patience and dedication needed in order to hack into a particular person's account (as opposed to obtaining a way to break into someone else's account in general). One of the most common types of attacks on say, a web application, is an injection attack. This means that you try to inject your own code into the web application code so that the application ends up running your malicious code on top of its own code. Easy, right? Well, first you have to find out a vulnerable place to inject your code. Generally, this will mean any text box on a website, but most of these textboxes are probably going to be sanitizing all input filtered through and only making database calls with prepared statements. So you won't find the vulnerable text box immediately. You'll have to keep testing each box with injected code to see what you can get out of it. After you've gotten a sweet little SQL injection going, what can you do next? You can get a dump of the users' table, with all of the usernames and hashed passwords. Of course, you have to figure out which table contains all the usernames and passwords. It could be in the table "users" or "shoppers" or "ausefultablename" or whatever. You'd need to get a dump of all the tables in the database and then figure out which one of them you're going to get. And then once you have a dump of the usernames and passwords, you will need to figure out what the password is from the hash...

Okay, I'm not going to keep going, because it is long and tedious and boring even describing it. That is one of the many ways you can hack into someone's account if you can't simply guess their password and you don't have any sort of physical proximity to the target account user. It is not something Dustin does with an extra hour. It is something that you need to put the time and effort into. Being a programmer/CS major does not give you some sort of bizarro skeleton key to every system on Earth.

Hacking skills are very domain-specific and most programmers don't bother learning how to actively attack something. They probably know basic things like, SANITIZE YOUR INPUTS, but the actual details of pulling off a buffer overflow are really complicated and require a great deal of low-level knowledge. Not every programmer has that, because most programming doesn't require it.

Also, hacking is illegal. Just a little. This isn't 'oh, let's engage in some copyright infringement by downloading television shows,' sort of funtimes. This is 'oh, let's break into someone's house and steal their shit' sort of funtimes. Yeah, you could probably do it without getting caught, but why would you risk it? The stakes of hacking into something like say, government databases or Gmail are pretty fucking high, since they will be keeping an eye out. Every time you fail, you're probably going to leave some sort of trace. Maybe Google and the US government think you're funny (probably not) and ignore you, or they decide you're a genuine threat and then they sic the FBI on you and your IP address. Not something I think Mark would ever risk for cheap thrills, man. Not when it's Facebook's reputation on the line. Seriously, you don't fuck around with this shit unless you're a moronic script kiddie or you're a Russian scammer. Or you're a white hat with actual skills. But neither Dustin nor Mark are any of those things.

Then there's the fact that there's a major terminology schism here. The term hacker means different things to the subculture that Mark comes out of than what most people think. I think 'hacker' is a term that applies to Mark (and the RL Zuck has used it to describe himself), but it doesn't refer to his security skills. Which exist, but are not nearly good enough to get him into the DoD. It means he likes to 'hack' things together and build shit. Facebook puts on Hackathons which are all about recruiting other people who also enjoy building shit.

Plus, the US government has its own internet. Those people are paid to be paranoid. Just saying.

tl;dr: I will probably smash my head against a wall if I read one more story where Mark hacks into anything, offers to hack into anything, or implies how easy it is to hack into something.

This entry was originally posted at http://thedeadparrot.dreamwidth.org/494552.html. You can comment there using OpenID or you can comment here if you prefer. :) comments there