The Hacker Enigma: Positives, Negatives and Who Knows?

by pantos

Some of you may know me from my writing about slapping content switches around.

In this article, I take a detour to discuss some of the positive and negative effects of "being found out."

I am not a great hacker.  I am not a bad hacker.  I am average.

My job as a UNIX systems/network administrator and programmer, for those who are familiar with the field, requires having a wide variety of mediocre hacking skills, ranging from the less and less important hardware to the nowadays more commonplace activity of shoehorning all sorts of software to work correctly (that is not to say that I have never shoehorned hardware).

It also just so happens that hacking and making are hobbies of mine.  Yes - it makes work fun if you remove the humans.  I can honestly say I have only worked 1/2 of my life; the rest of the time I was having fun (what others call work).

Taking into account that I am honestly curious and sometimes a bit too willing to just try stuff, this article discusses the positive and negative impressions other people get when they find out you, yes you, have done something considered hack-worthy.  The article will use three real-world examples and cover how different types of people interpreted them.

The AOL Router Scenario

A long time ago, on a system in my small apartment, I was trying out a free America Online (AOL) dial-up access trial.

It was so long ago that I got the floppies in the mail.  Being AOL, it didn't work right.  I jumped into a shell and fired up my BSD TCP stack (because my crappy OS didn't have its own) to examine the routing tables.

Strangely enough, I was assigned an address and what looked like a proper netmask (Class C address with a 24 CIDR mask), but something still seemed off.  I checked the name servers.  They were correct, but resolution wasn't working.

Of course, my gateway was not set.  I took a few guesses at what the gateway was and got one that appeared to be correct.  I wasn't sure, though, so I Telnetted to the address and got a router login prompt.  I took a few guesses, using typical admin passwords, and eventually logged in.  Once I was in, I realized I should probably log out.  I took a quick glance at the routing tables and then logged out.

The AOL Router Reactions

Reactions from the few people I told, a few trusted co-workers and friends, ranged from indifferent to blaming AOL for being idiots.

Of course, at the time, security on networks was nowhere near where it is now.  Most people still had open Telnet servers on the Internet.  Although I did nothing wrong under today's laws, I could have at least been fined and possibly worse.

The Jerk Off Co-worker Scenario

One evening, I was using IM and, for some reason, I allowed the people where I worked to get my nick.

Most of the time, for real conversations, I use darknet chat systems with my close techie friends, but for some reason I thought it would be okay since everyone at work used it.  A co-worker went over to another co-worker's station while he was out working on a problem and assumed his identity.  I had just started working there and this person told me that I was probably going to be let go.  Since I trusted the person I thought was messaging me, I believed it.  I found out an hour later from the real user what had happened.

I was - displeased.

To me, hijacking someone's system while they are gone is almost the worst offense you can commit... so I did a search for the jerk-off's name on the World Wide Wait and, lo and behold, buried deep in the results I found something both hilarious and somewhat disturbing; he had left a post on a pantyhose bulletin board while he was at work (they logged IPs).  I promptly pasted the URL to several other co-workers' IM sessions full-well knowing what would ensue.

The Jerk Off Co-worker Reactions

Of course I was called into the office to explain how I created a fake post using this person's IP address.

I told my managers to contact the admin and they would see it was a legitimate post from our address on a night I was not at work and was not logged into the VPN.  After some investigation the Pointy-Headed-Bosses discovered that indeed, the jerk-off co-worker had made the post.

From that point on, no one else ever messed with me too much but it was a black mark on me as far as management was concerned.  My friends, of course, thought it was hilarious.  Note that while this is not hacking, per se, it was a form of social hacking.

The Intentional Denial-of-Service Scenario

In another life I worked in an IT shop that had a developer who liked to buy whatever he felt like, using his corporate card and without asking for permission.

My manager (who was also responsible for provisioning the developers) was pretty upset at this person, so much so that he wanted to play a practical joke on the guy that was "As frustrating to him as possible, so that he can feel my pain" - he (along with several staff members) came to me to perform this miracle.  I complied.

I found a nice Perl program that could THC Hydra HTTP GETS and leave a custom message in the logfiles.  The developer in question was running Apache on their Windows 2000 workstation (as part of the Oracle forms suite).  I loaded the THC Hydra on three different UNIX servers and then wrote a wrapper that spawned about 2000 instances of it.  The fun part was I disguised my IP with one of the DHCP dial-in pool addresses.

After a few minutes I could hear the guy banging keys, slamming his mouse down, grumbling, swearing then finally shutting his system down since it became exhausted.  Everyone was quite pleased and thought it was funny.

The Intentional Denial-of-Service Reactions

My coworkers thought it was funny and understood the mechanics of what I had done, so no one thought it was particularly eccentric or great, but they never quite treated me the same afterwards.

There was always a little suspicion.  The developer whom I pranked was let go a week later.

Summary and Thoughts

The gist of these cases is simple.

Be careful whom you tell and what you agree to do.  These days, I am very wary about whom I tell this sort of thing to (I have told no one at my current job) and even more about what I do for people.  A friend of mine asked me to pen-test his corporate firewall last year; I told him to get me a signed document from his manager saying it was okay.

My geek friends, of course, are all hip, as is the 2600 crowd, but hacker beware to whom ye boast...
