------------------------------ From: BORGVM Subject: The Future of Hacking and the System Security Profession Date: 22 Oct., '90 ******************************************************************** *** CuD #2.09: File 6 of 8: Hacking and System Security *** ******************************************************************** Before I begin the discussion of my views on the future of hacking and the system security profession, I feel it necessary to offer an introduction which I hope will aid in the understanding of my views. I am an ex-hacker, yet in saying so I do not rule out a few things which I associate with my personal perspective on hacking. To begin with, I have always associated hacking with a genuine lust for knowledge. Whether or not that knowledge was restricted solely depends on the views of the individual. For me, however, hacking was an acquisition of knowledge a form the military likes to give as a good reason to join it. You know, hands-on training, of course! It was an attempt to learn as many operating systems as possible. Their strengths in comparison to one another, their weaknesses, and their nuances. When I was hacking, data was sacred. It was something which must not be harmed. I can say with genuine conviction that every time I heard of destructive viruses, malicious crashes, or the like, I would become enraged far more than would your common security professional, who would most likely eye the event as a possibility to acquire cash, reputation in the foiling of the plot, or as leverage to gain funding and public support. Although my respect towards data is still very healthy, my urge to hack is not. After entering higher education, I have been granted an account on the mainframe with internet and bitnet access. This situation had served as a fuel towards my already healthy paranoia of law enforcement and their new technologies: its just not worth the risk. After my 'retirement', however, I began to ponder the devices available during the apex of my hacking career such as ANI (Automatic Number Identification) and CLID (Caller Line Identification) which could instantaneously register the number of any 800 caller, and processes inherent in some digital switching systems which register calls to local packet-switched networks, that about 20% of my hacks could be traced right to my doorstep by the right investigator. I also noted the increase in these types of investigators and the development of more organized computer-security networks involving FBI, Secret Service, and private computer security enterprises which developed highly efficient training methods: the numbers of security representatives in the telephone companies and computer networks has increased dramatically, and to a point where telephone company toll fraud is no longer convenient, for danger and convenience rarely coexist. I believe that the future will offer much protection from hacking, but only to a certain extent. One needs only to examine the header of a message originating from some microcomputer host which UUCP's it through half a dozen Usenet sites, the Internet, and finally to its BITNET destination to visualize, quite realistically, a phone number tagged onto the end of the originating userid. With digital technology advancing at its current rate, the possibilities are endless. It is for these reasons that the private computer security profession (at its current size) is only a short-term success sparked by mass press-generated hysteria, and blatant disinformation. The computer security profession did not receive its recognition from the voices of concerned individuals or even gluttonous corporations: it received the necessary attention and nurturing due to the paranoias of a corrupt military-minded government which knows exactly what it keeps on its systems and exactly why no one else must. You see, its a matter of 'national' security! Any good real hacker who has been around a few nets knows this. The time will come when a hacker will sit down at his terminal to hack a computer somewhere far away. This hacker might dial up a local network such as Tymnet or Telenet and connect to a computer somewhere. That remote computer's standard issue security drivers will sense an intrusion (user John Doe calling form a network address originating in California which is inconsistent with Mr. Doe's schedule,) request the network's CLID result, and forward the information directly to Mr. Hacker's local police department which is, in this day and age, fully equipped with the ability to centrally tap telco lines (data or otherwise.) The expert system at the police department verifies that the local data tap is indeed consistent with the victim computer's John Doe Session and sends out a dispatch. Sound like fantasy? Every bit of it is perfectly possible with our existing technology, and upon review of the chronology of computer security over the last three years, certainly probable. Data security professionals are as easily replacable by computers as are assembly-line workers. In this day (which will be, incidentally, just prior to the banning of Orwell's "1984") there will be a small but very knowledgeable and powerful group of hackers able to circumvent some of these security mechanisms. A group of hackers not large enough to present an obvious threat, but powerful enough to give a self-perpetuating technological dictatorship and its docile society a nice, re-asserting slap on the rear. ******************************************************************** >> END OF THIS FILE << *************************************************************************** Downloaded From P-80 International Information Systems 304-744-2253 12yrs+