Hacker Perspective: Dimitri
I'm not famous.
I think that's a good thing. I think generally, if you're a hacker and you have mainstream fame - then something went wrong. I'm trying to avoid things going wrong, but it's harder than it sounds and I've been closer than I'd like. When I see something, anything, I feel I have to know what it's for and how it works, what was it put there for, and how it does what it does.
So I'm a hacker.
I'm not famous, but I don't do it for the fame. I do it because that's the way I'm programmed. But, what do I mean when I say I'm a hacker? I mean that I do things with hardware and software, computers and networks, that the designers didn't expect me to, sometimes didn't want me to.
I don't do it for fame, I don't do it for money, I do it because I see things that other people miss, that they're not able to see and that's exciting. How I can access a network, a whole world that people aren't even aware exists!
So it started when I was younger, around eight - something in the region of 13 years ago. It was never a mainline thing for me, although I now I work as a network engineer, so it's a little more mainline than it was.
When did I start hacking? You'd think that would be an easy question, but it's not, because the line is sort of blurred. The question shouldn't be when did I become a hacker, but when did I notice that I was a hacker?
For me, it was probably around age 11, when I was first restricted. I just wanted to surf the Internet. I was addicted. I researched everything from quantum physics to computer security, constantly. When I got to school, I was first hit by that little warning: "Access to this page has been restricted, as it violates the security policy in place." I got around it. I don't remember exactly how, but it didn't take long. It wasn't difficult.
I didn't want to break the law. At that age, I wasn't even sure what breaking the law was when it came to computer security.
I continued this way for a couple of years, playing on networks and finding networks. I had a very bulky, heavy laptop that I used to carry everywhere with me. If I saw a jack, then I'd plug in - be it a computer network or a phone line - and just see what was out there.
Skip a few more years and I started looking at radio frequencies. I started seeing wireless. By this time, my finances were a little better and I got hold of a handheld. It had a pretty effective 802.11b receiver, so I set it to periodically scan around. Most of the time, I was just looking at the names of the networks as they appeared on my screen to see what was out there. I did a little WarWalking with a GPS receiver and plotted out my local neighborhood. Then I printed it on A3 and posted it on my wall next to a spreadsheet detailing networks that I'd seen.
Kids my age had pictures of movie stars and bands on their walls. I had a statistical analysis of the security systems used by over a thousand companies in my local area. I didn't do it as part of an attack; it wasn't malicious.
I was amazed by the fact that I could see all of these networks and no one else I knew even knew what they were, that they were there, or the security implications of my being not only able to see them, but to access them too. I went from hunting jacks to hunting radio waves.
I openly talked about security. I openly talked about what I saw.
My parents weren't bothered. They didn't understand what I meant. They didn't understand how close I was to the edge of law. I didn't understand how close I was to the law. In fact, it wasn't until I was first questioned that it hit me - that there were restrictions. I knew I couldn't just walk onto someone's property and start going through their personal belongings. Though I had been using a directional antenna from a car park to access a government department's (more than one department, more than once) computer systems and start hunting through not one person's belongings and personal data - but the whole neighborhood's.
When you buy a computer, they don't tell you that you can break the law with it. By the time you realize this, it's too late. Either you're addicted to it already or you're staring at a police officer asking some pretty hard questions about your habits.
You're addicted. Worse, you don't have to the ability to explain what you're addicted to. The police are asking more questions - even harder ones this time - and you don't have the vocabulary to explain what it is that you're doing. Or worse, they don't have the training to understand what you're saying. It gets pretty scary when you can't explain. They're quoting laws and you're quoting frequencies and explorations. You're not on the same wavelength.
It was fine when it was your parents. They didn't understand, so they just left you to it. It was fine when it was your teachers. Your grades were high, so they just left you to it. When it's the police, it's a different matter. Just hope you're as good at social engineering as you are at network security.
How good can you be, when you're 13? I guess it's all practice. Eight years on, I'm still doing it. I dropped my old laptop and handheld and upgraded, voting for a purely open-source operating system, a more powerful machine, and a better wireless card. More power, more speed, more range, more freedom.
My cell prompts me now when it sees something that I might be interested in. I've hooked it up with text-to-speech and it tells me what it sees, and often it even says why I should be bothered. My exploration is automated.
I was walking through town, past a hotel, and I heard a network jump into range. "Network detected: Eee Pee Oh Ess." It happens every now and again. I've heard that network before, I know physically where it's located, I know the kind of encryption it uses, the number of users on at any time of day, and I know what the network is for. EPOS: Electronic Point of Sale.
I'd heard the network before because I heard it every day on my way into work, though it wasn't until I dug deeper that I realized the implications of having remote access to this system.
If I booted my laptop, I'd see maybe 15 networks. There was the one I was interested in, right in the middle. EPOS. I clicked connect. It asked me for my encryption key. I hit Ctrl-Alt-F2 and dropped out of graphics mode and into text-only mode, which is the first step when I mean business. I was wasting CPU cycles by using graphics, and I needed to be quick.
So skip a couple of years. I'm older now. It's a different network. It has a different reason for being interesting to me, but it's the same story. However, this time I know that what I'm doing is illegal, but I don't stop. I've been doing it for years. Why would I stop?
I start capturing packets coming from the network. I see a client and pretend to be it, pretend that I'm authorized. The traffic flows faster and within an hour, I have enough data to calculate the key. It's only WEP. These days, an hour is an age. You can get WEP in 30 seconds, and I can prove it.
Armed with the correct key, I bring my graphics back up and enter when prompted, then watch the icon on my task bar whirl as DHCP is activated and I'm allowed onto the network.
I load some more software now to watch on the wire, capturing data as it passes over the network and I'm watching data bounce around, looking at one machine in particular: "Front-Desk". That looks interesting. I scan it for SMB shares, the kind of network file sharing technology that's used by most home computers. It's got the defaults open, one of which is "C$". A quick dictionary attack gives me access to the whole system.
I'm not really paying attention to what I'm doing. I'm not attacking the network. I'm in autopilot. Something appears on screen that looks interesting, and I start probing and looking at it in more depth.
First, I was attracted by the network's name, then the computer's name, then the known network share, and finally, the last thing that got me on this network: it was running a program made by a company that I recognized.
I couldn't remember what the company did or how they made a profit. I knew I recognized them and there was something interesting about it. It was a software development company specializing in accounting software.
I hit the button to transfer the software and ran some emulation software to allow the code to run on my operating system.
"ENTER ACCESS CODE" appeared on the screen. Four digits. Ten thousand combinations, some more likely than others. 1-2-3-4. Access granted, level ADMINISTRATOR. Surely not.
I wasn't familiar with the software in use on the network, but I'm familiar with how networks work and how machines talk to each other, and how the correct command can get that machine to do anything that you want. I hit the wrong button, I mistyped a command, I sent the data to the wrong address, or I did it because I wanted to. I wanted to see it happen, to see if I could make it happen. I could - I hit Enter.
I was sitting in the hotel lobby and there was a very attractive girl my age, sitting being the front desk. I didn't care about her. I was on their network. That's what I cared about. When I hit that final key, the cash drawer shot open with a crash two feet away from her and she screamed. Everyone looked, and I've never left a hotel faster.
I'm not here doing this because I want to make money, I don't want to be famous. I'm just curious. I'm interested. I'm addicted. Thirteen years after I started, I'm still amazed that people aren't aware of how I do what I do, or what is even possible.
I've been spoken to by the police on more than one occasion and, although I don't set out to break the law, sometimes it happens. I used to talk openly about what I do. Now I don't, though I still hack. I still explore. I still break systems, copy data, and manipulate machines. But I don't do it for personal gain. I never have. I do it because it's the way my brain is wired.
So what's my message? What would I tell the aspiring hacker? I guess I've only got one message.
You don't become a hacker. You're born one.