[Image1.gif] 
   
                                                       Hacker Society
   
                                                                                                     By Gilbert Alaverdian
   
   In the past, there have been many papers and articles regarding 'Hackers'. Most of these have been written by
   journalists based on secondary information and by hackers to prove and distinguish themselves to other hackers and the
   electronic underground.
   
   Rarely does the media explain the ethics, codes, rules and regulations that govern this mysterious society. A society
   that exists known solely amongst underground.
   
   A professional approach has not been taken in analysing this mysterious sub culture. This paper is written to give the
   corporate community and the media an insight into who and what these people are, an understanding of their culture,
   their codes, their ethics and most of all an insight into what makes them tick...
   
   The media and general populace stereotype hackers as malicious, evil and destructive. The true meaning of a hacker is
   not one that mostpeople are familiar with. Stereotyped as being a 15 year old teenager, sitting behind a computer for
   hours a night, breaking into systems and deleting or destroying whatever they can. These "kids" are known as Crackers
   and are not to be confused as Hackers.
   
   These crackers are the ones you hear in the news, defacing websites, deleting data, and causing general chaos wherever
   they go.
   
   In the electronic underground real names are never used. People adopt aliases. This gives the anonymous an identity, a
   recognised amongst the underground. Popular names such as Emmanuel Goldstein, Silicon Toad, Aleph One and others are
   known in this society. An almost celebrity status is linked to popular aliases.
   
   According to http://www.whatis.com the definition of a Cracker is:
   
   Someone who breaks into someone else's computer system, often on a network; bypasses passwords or licenses in computer
   programs; or in other ways intentionally breaches computer security. A cracker can be doing this for profit,
   maliciously, for some altruistic purpose or cause, or because the challenge is there. Some breaking-and-entering has
   been done ostensibly to point out weaknesses in a site's security system.
   
   Eric Raymond, compiler of The New Hacker's Dictionary, defines a hacker as a clever programmer. A "good hack" is a
   clever solution to a programming problem and "hacking" is the act of doing it. Raymond lists five possible
   characteristics that qualify one as a hacker, which we paraphrase here:
     * A person who enjoys learning details of a programming language or system
     * A person who enjoys actually doing the programming rather than just theorizing about it
     * A person capable of appreciating someone else's hacking
     * A person who picks up programming quickly
     * A person who is an expert at a particular programming language or system, as in "UNIX hacker"
       
   Just who are these mysterious group of people? What does this subculture do? These questions and the like are
   questioned by the IT industry.
   
   Hacker Ranks
   
   Like any society, there exists in the hacking world a hierarchy based on rank.
   
   A Hacker is a title given according to one's rank. The rank determines if you are a hacker or cracker. To gain this
   title you must earn it from the Hacker community. Proving your skills is central to gaining such a title. There is no
   formal body that determines this. In this closely communicated society, common names spread quickly and become common
   knowledge. Most hackers in some form or another, know their equivalent counterparts from their names where ever they
   may be in the world.
   
   A Hacker is a title given according to one's rank. Your rank determines if you are a hacker or cracker. To gain this
   title you have to earn it from the Hacker community. To earn it you have to prove your skills to others. There is no
   formal underground body that determines this. In this closely communicated society, common names are spread quickly and
   become common knowledge. Most hackers in some form or another, know their equivalent counterparts from their names
   where ever they may be in the world. If you are good, you will be known.
   
   To increase one's name in the underground, hackers compose exploit code, tutorials, contribute to popular mailing
   lists, write programs and construct websites. By gaining such exposure, recognition and identification is gained
   
   Rank is determined by skills and experience. No one has formally identified the
   
   different hacker levels. Naturally these terms may not be embraced or accepted by everyone, including hackers and
   crackers.
   
   Hierarchy
   
   [hierarchy.gif]
   
   The leaders, the true hackers are known as 'Elite'. The opposing end of the scale, the "wanna-be" hackers are known as
   'Lamers'.
   
   Elite:
   
   Also known as 3l33t, 3l337, 31337 (or similar combinations of alpha-numeric characters with occasional letters replaced
   by similar looking numbers.)
   
   Elite hackers are at the forefront of the security industry. Their restrictions are limitless. Age battles with raw
   talent. Nevertheless, with older age comes a higher maturity level.
   
   They know operating systems inside out, configuring and connecting networks globally, whilst programming code on a
   daily basis. Naturally gifted, they are both effecient and skilled, using precise knowledge to outsmart the lacklustre
   comptetion.
   
   Due to the sensitive nature of security, many of these people rarely work in security related jobs, sometimes forced
   into data entry positions, helpdesk, and IT support.
   
   When the corporate world subceededs into its noctural state of sleep, these hackers awake.
   
   Their unquenchable thirst for knowledge and enourmous sense of curiosity is the deciding factor between success and
   failure. Why does this code cause a segmentation fault when i run it as a user but not as root? Such questions are the
   driving force, encouraging a hardworking ethos until they have found the solution to something they have discovered.
   Their work is a tribute to the struggle itself. They will not settle for anything less. Using the computer as a
   catalyst for change - the imagination knows no restrictions.
   
   Through constant improvement and dissatisfaction, the elite hacker is able to deftly apply the knowledge to change and
   better his environment. Should he find a flaw in an operating system or software, he will sit down and trace the roots
   of the flaw, it's cause and oftentimes deliver a possible solution.
   
   Experience and utmost skill is essential to never being caught. They hack in and out of systems effeciently without
   leaving a trace, their presence rarely detected and their hack seldom realised. It's the challenge. The risk. The
   recognition. They want to prove solely to themselves that they can break into a system and leave just as quietly. They
   do not delete or erase any data for damaging intent. The only data changed is those to cover their tracks. They have
   enough technical capabilities to damage entire networks and hack into almost any system and cause irrepairable damage.
   But they chose not to.
   
   Because they follow a code. Because they are elite.
   
   There exists a code amongst true hackers, which is discussed later.
   
   Though shalt not damage any data.
   
   Semi Elite:
   
   These hackers are usually a bit younger than their elite counterparts. They also have extensive computer knowledge,
   they understand operating systems, they know certain holes in operating systems, and are equipped with minor amounts of
   code - just enough to change exploit code.
   
   Many publicly reported attacksare done hackers of this calibre. They may choose to become recognised to show the lower
   ranks their superiority and to prove a point to their colleagues or peers of the same skill level. This activity is
   frowned upon by the elite. To them, this is seen as Lame. Their skill insufficient to be of the elite level, as
   oftentimes mass amounts of logs and fingerprints are left which system administrators notice almost straight away
   because of their loud and attention seeking activities. Usually such sloppy work and tracks left by them results in
   them being caught, or otherwise "ratted on" by their counterparts.
   
   Developed Kiddie:
   
   Based on a younger age group than the higher ranks. Usually these are the older teenagers, usually still in school, who
   read about a method of hacking and how to do it somewhere. They try it out on numerous systems until one is found which
   is vulnerable to exploit. Once in, they are usually unware of their actions and either, intentionally or
   unintentionally, cause destruction or damage and boast to peers their mediocre triumph.. Some may have earned the title
   of hacker, but most are still seen as crackers by the higher ranks.
   
   They do not possess the skills to find any new holes or vulnerabilities or to change current ones to adapt to their
   given situation. They are always reliant on the higher ranks to supply them with the services they requires, and are
   knowledgable in computers in general, but do not know fundamental networking or higher grade operating systems other
   than the GUI OS (Graphical User Interface Operating
   
   Systtem) .Most have just begun using UNIX and know only the basics. To them, it is enough to execute exploits.
   
   They rarely know how to cover their tracks, hacking is usually done from home or from stolen dial up account from home.
   When they manage to break into a network, they boast at every possible occasion. They engage in what is seen as
   
   extreme lame activities such as credit card fraud, pirating in "warez" (a term given to illegal copies of software),
   nuking, DoSing and causing general computer chaos to networks that they can easily access. Most serious hacks committed
   by this level of hacker are almost always prosecuted to the extent allowed by the laws bound by them. Being a minor and
   under most jurisdictions minors can not be prosecuted causes a problem for law enforcement officials and the corporate
   world. Once caught, they realise the severity and extent of their crime, usually ceasing to continue this sort of
   activity after realising the consequences and punishment of their crime.
   
   Script Kiddie:
   
   Much like the developed kiddie, the Script Kiddie usually enages in the same activities as stated above. These crackers
   can not earn the title of hacker. They, like lamers (see below) have minimal networking or technical knowledge on
   operating systems and networks. They seldom explore outside the world of GUI operating systems, using their computer
   knowledge for warez pirating, and the general activities engaged by lamers and developed kiddies. Hacking is usually
   done by using popular trojans to harass and annoy normal internet users. The main difference between script kiddies and
   lamers is a small age difference and a little more technical knowledge. These are usually the students that the
   computer teacher asks questions to when they do not know the answer themselves. By being asked by a teacher, a false
   mentality of superiority is seen and an elite level is crowned by equivalent and lower ranks.
   
   Lamer:
   
   These are the inexperienced multitude who are "wanna be" hackers. In no way, sense or form are they hackers and should
   always be referred to as crackers. They have hardly any technical knowledge on networking and high end operating
   systems. Their sole use of computers is to play games, use the internet for ircing, warez trafficking, credit card
   fraud, etc. They read about hackers in the papers, or hear about news from their friends and inspire to be the same.
   Their false sense of superiority assists in the illusions of being 'elite'. This mentality causes them to seek hacking
   tools (including popular trojan software) for their GUI operating systems, with their idea of hacking usually becomes
   using Trojan software, nuking, DoSing etc.. This boasting inspires others in a similiar situation and on the same
   technical level to pursue their quest of becoming a hacker. Their word is spread through their IRC and internet
   communication channels, and the cycle continues. Many lack the technical capacity to reach the elite level, even after
   years of studying, training and use of computers. They usually reach the developed kiddie or script kiddie stage and
   stay their until they retire.
   
   BOASTING
   
   Boasting is undoubtedly one of the key reasons why hackers get caught. Flaunting their actions, your skill level and
   hacked targets to the electronic underground projects the image of knowledge and "elite"-ness and hence raises your
   status in the hierarchy, gaining respect and following of the ranks below you. Most hackers do not have the skills to
   boast about, so they choose the targets carefully. This is their sole method of climbing the hierarchy. Simply,
   boasting leaves you open to detection and prosecution.
   
   HACKERS HELP THE INDUSTRY
   
   Every major vendor around the world realises that their internal systems are not always going to comb out every flaw or
   bug in their code. Most of them rely on "wiz"es and "gurus" to find and report them. Therefore, they have set up
   methods of contacting them regarding any security flaws, exploits, bugs etc that have been found. It is through such
   discoveries that we have the improved technologies and software of today. Many initial release software and operating
   systems were extremely 'buggy' that vendors have had to and still release service packs and update patches to repair
   them.
   
   These flaws are not always given to the vendor upon discovery. Most of the time, they are kept in the "underground"
   until someone decides that the vendor should be informed. Within the underground, an exploit code is written which
   takes advantage of the flaw and gives the user higher access to a vulnerable system. Sometimes this code falls into the
   'Lamers' hands and it is used stupidly, causing destruction and spreading chaos. This activity alerts administrators of
   their actions, and they contact the vendors once they have discovered a flaw exists and has been used to compromise
   their system. Upon being contacted the vendors research their product and flaw, and release a patch to fix the problem.
   
   HACKER CODE
   
   There is a code of conduct in the hacker community which almost all the true hackers follow. Yes, they have ethics
   aswell. The ethics of true hackers are based loosly on the following(1)
   
   ETHICS
   
   The idea of a "hacker ethic" is perhaps best formulated in Steven Levy's 1984 book, Hackers: Heroes of the Computer
   Revolution. Levy came up with six tenets:
   
   1. Access to computers - and anything which might teach you something about the way the world works - should be
   unlimited and total. Always yield to the Hands-On imperative!
   
   2. All information should be free.
   
   3. Mistrust authority - promote decentralization.
   
   4. Hackers should be judged by their hacking, not bogus criteria such as degress, age, race, or position.
   
   5. You can create art and beauty on a computer.
   
   6. Computers can change your life for the better.
   
   CODE OF CONDUCT
   
   The following is a general idea of what code true hackers follow, from Scorpio(2)
   
   * Above all else, respect knowledge & freedom of information
   
   * Notify system administrators about any security breaches you encounter
   
   * Do not profit unfairly from a hack
   
   * Do not distribute or collect pirated software
   
   * Never take stupid risks - know your own abilities
   
   * Always be willing to freely share and teach your gained information and methods
   
   * Never hack a system to steal money
   
   * Never give access to someone who might do damage
   
   * Never intentionally delete or damage a file on a computer you hack
   
   * Respect the machine you hack, and treat it like you'd treat your own system
   
   With this Ethic and Hackers Code, it reveals that true hackers in NO POSSIBLE WAY want to cause any damage to
   computers.
   
   PENALTIES
   
   Hacking is a risky business. Hacking is a risky business. The penalties have become so extreme that sometimes, it just
   doesn't seem worth it. But hackers still put themselves at risk by continuing with their activities, regardless of the
   risks.
   
   The Crimes Act 1914 of Australia states the following:
   
   CRIMES ACT 1914 - SECT 76B
   
   Unlawful access to data in Commonwealth and other computers
   
   (1)A person who intentionally and without authority obtains access to:
   
   (a)data stored in a Commonwealth computer; or
   
   (b)data stored on behalf of the Commonwealth in a computer that is not a Commonwealth computer;
   
   is guilty of an offence.
   
   Penalty: Imprisonment for 6 months.
   
   (2)A person who:
   
   (a)with intent to defraud any person and without authority obtains access to data stored in a Commonwealth computer, or
   to data stored on behalf of the Commonwealth in a computer that is not a Commonwealth computer; or
   
   (b)intentionally and without authority obtains access to data stored in a Commonwealth computer, or to data stored on
   behalf of the Commonwealth in a computer that is not a Commonwealth computer, being data that the person knows or ought
   reasonably to know relates to:
   
   (i)the security, defence or international relations of Australia;
   
   (ii)the existence or identity of a confidential source of information relating to the enforcement of a criminal law of
   the Commonwealth or of a State or Territory;
   
   (iii)the enforcement of a law of the Commonwealth or of a State or Territory;
   
   (iv)the protection of public safety;
   
   (v)the personal affairs of any person;
   
   (vi)trade secrets;
   
   (vii)records of a financial institution; or
   
   (viii)commercial information the disclosure of which could cause advantage or disadvantage to any person;
   
   is guilty of an offence.
   
   Penalty: Imprisonment for 2 years.
   
   (3)A person who:
   
   (a)has intentionally and without authority obtained access to data stored in a Commonwealth computer, or to data stored
   on behalf of the Commonwealth in a
   
   computer that is not a Commonwealth computer;
   
   (b)after examining part of that data, knows or ought reasonably to know that the part of the data which the person
   examined relates wholly or partly to any of the matters referred to in paragraph (2)(b); and
   
   (c)continues to examine that data;
   
   is guilty of an offence
   
   Penalty for a contravention of this subsection:
   
   Imprisonment for 2 years.
   
   CRIMES ACT 1914 - SECT 76C
   
   Damaging data in Commonwealth and other computers
   
   A person who intentionally and without authority or lawful excuse:
   
   (a)destroys, erases or alters data stored in, or inserts data into, a Commonwealth computer;
   
   (b)interferes with, or interrupts or obstructs the lawful use of, a Commonwealth computer;
   
   (c)destroys, erases, alters or adds to data stored on behalf of the Commonwealth in a computer that is not a
   Commonwealth computer; or
   
   (d)impedes or prevents access to, or impairs the usefulness or effectiveness of, data stored in a Commonwealth computer
   or data stored on behalf of the Commonwealth in a computer that is not a Commonwealth computer;
   
   is guilty of an offence.
   
   Penalty: Imprisonment for 10 years.
   
   As you can see, damaging data on another computer has a heftier penalty.
   
   "Hacking was about learning how a computer operates. You always tried to push it to the edge. Kids these days, they
   just want to do any damage they can"
   
                                                                                                           - Val Koseroski
   
   
   
   CONCLUSION
   
   The IT industry will always be at least one step behind hackers. Vendors will always bring out and will continue to
   bring out new patches and new software, proclaiming its safety and security. No sofware and/or system in the world is
   100% secure or safe. With the help of hackers, we are discovering new flaws and bugs everyday. With these bugs we are
   building newer and better versions of software to overcome the found flaw... soon after, a new flaw is discovered and
   the process begins all over again. The IT industry is not and can not be 100% secure. With the help of hackers, these
   notions are slowly changing. Without them, technology would not have advanced to today's standards and we would not
   have the improvements in software which we have today.
   
   To the different ranks of hackers who have read this paper. I hope I have given the corporate world an insight into
   your society. Sure, I may have offended some, and I apologise. Be careful in what you do. There is no great joy and
   superiority in spending time in jail from hacking. To the corporate world, I hope this paper has cleared up any myths
   and misconceptions of this eletronic underground community, and provided an insight into a secluded world where many
   people fear to mention, let alone tread. Knowledge is our greatest asset. Let us use it wisely...
   
   (1) http://grex.org/~cyborg/cp/hacker_ethics.html
   
   (2) Scorpio "My Code of Ethics"
   
   http://packetstorm.securify.com/docs/hack/ethics/my.code.of.ethics.html
     __________________________________________________________________________________________________________________
   
   [Neo Corporation]
   
   http://www.neo.net.au
   
   Gilbert Alaverdian <gilbert.a@neo.net.au> is as a Senior Security Consultant at Neo Corporation Pty Limited. Neo is a
   Sydney based security consultancy firm providing specialised services to corporate clients.
     __________________________________________________________________________________________________________________