Security

Hacker vs. cracker

The word "hacker" gets used in a pejorative sense by journalists an awful lot. Some people think this is perfectly reasonable; others find it offensive, and recommend an alternative term for that meaning. Read on to find out why.

In mainstream press, the word "hacker" is often used to refer to a malicious security cracker. There is a classic definition of the term "hacker", arising from its first documented uses related to information technologies at MIT, that is at odds with the way the term is usually used by journalists. The inheritors of the technical tradition of the word "hacker" as it was used at MIT sometimes take offense at the sloppy use of the term by journalists and others who are influenced by journalistic inaccuracy.

Some claim that the term has been unrecoverably corrupted, and acquired a new meaning that we should simply accept. This descriptivist approach is predicated upon the assumption that there's no reasonable way to communicate effectively with the less technically minded without acquiescing to the nontechnical misuse of the term "hacker". I believe it's still useful to differentiate between hackers and security crackers, though, and that terms like "malicious security cracker" are sufficiently evocative and clear that their use actually helps make communication more effective than the common journalistic misuse of "hacker".

I think it's useful to differentiate especially because there are many situations where "hack", and its conjugations, is the only effective term to describe something that has nothing to do with malicious violation of security measures or privacy. When you simply accept that "hacker" means "malicious security cracker", you give up the ability to use the term to refer to anything else without potential confusion.

Both are distinct from people whose interest in technical matters is purely professional, with no desire to learn anything about the subject at hand other than to advance a career and make a living. Many hackers and security crackers turn their talents toward professional ends, of course, and some security crackers got where they are only through professional advancement, but one definitely need not have a professional interest to pursue the path of either a hacker or a security cracker.

A hacker, in the classic sense of the term, is someone with a strong interest in how things work, who likes to tinker and create and modify things for the enjoyment of doing so. For some, it is a compulsion, while for others it is a means to an end that may lead them to greater understanding of something else entirely. The RFC 1392: Internet Users' Glossary defines "hacker" as:

A person who delights in having an intimate understanding of the

internal workings of a system, computers and computer networks in

particular. The term is often misused in a pejorative context,

where "cracker" would be the correct term. See also: cracker.

The Jargon Wiki's first definition for hacker says:

A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.

A security cracker, meanwhile, is someone whose purpose is to circumvent or break security measures. Some security crackers end up using their powers for good, providing penetration testing services or otherwise making efforts on the side of the angels. Many others use their powers for evil, however, as we are all too painfully aware. Both RFC 1392 and the Jargon Wiki provide definitions of "cracker" that support this use of the term.

Maintaining distinct terms for distinct phenomena is an important aspect of communication, as demonstrated in the incident I described in Managers and technologists live in different worlds, where a company executive and I used the same term to refer to two different things and failed to communicate effectively as a result. When two different phenomena acquire the same label, as in the case of hackers in the classic sense on one hand and malicious security crackers on the other, either something has to give or discussion is bound to suffer from confusion that could easily have been avoided.

The more easily relabeled of the two uses of the term "hacker" is the malicious security cracker: it is not only the more recent phenomenon to acquire that label, but also the one whose meaning is most easily evoked by an alternative term. This is why, when you read an article of mine that talks about malicious security crackers, I use the term "malicious security cracker" -- and in an article that talks about hackers in the classic sense of the term, I try to differentiate clearly between these two uses of the term "hacker" before using it myself.

For purposes of clarity when communicating with others about security issues, I recommend you do the same.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

102 comments
sivakumar ashan
sivakumar ashan

sir,

   i want your help i need to study about hacking and cracking 

     so i think you can help for me

                                                                                         yours sincerely,

                                                                                           a student

ashankalai143@gmail.com  this my gmail account

ptaegel
ptaegel

Excellent distinction, though there's a lot of florid linguistic foreplay before you get to the meat of your argument. Always start with a clear articulation of your argument. Then clarify definitions. Then expand your argument and explore nuances. Your tirade against the "media" (also requiring definition) could have gone at the end. The fact is that the term "hacker" does not suffer from a simple duality of arenas, where one group of insiders knows the truth and the thronging masses remain ignorant and poisoned by the malfeasance of the "media." In truth, the term "hacker" is probably the only reason most computer programmers ever got laid. At last they had something of a desperado mystique to defray the staid iconography of the hygienically-challenged misanthrope who'd rather spend his Saturday evenings bathing in the blue tint of a computer terminal than in the sultry clutches of some daiquiri-addled sorority girl with a daddy complex. So go ahead, geld the term "hacker." But you do so, I fear, at your peril.

Ocie3
Ocie3

When I began using computers in 1970, "mainframes" were the principal computers (there were also "minicomputers" -- smaller, less expensive, but managed much the same way as mainframes). Anyone who used or attempted to use a computer system, or to change any operation or feature of a computer system, without authorization to do that was referred to as a "hacker". Of course, no one could (ostensibly) log-on to an account without knowing and entering the password for it. So, to gain access to an account, "hackers" often tried to rapidly input many possible passwords, by a systematic, modified trial-and-error approach (thus "hacking" on the keyboard like someone trying to hack an opening into a wall by using a hatchet or some other such tool). But "hacker" also included anyone who abused their access to a computer via an account that they were authorized to use. Using that authorized access, they would seek ways and means to compromise the system, and/or to use it in unauthorized activity, sometimes for recreation but often for some financial gain or even for sabotage. It seems that the meaning of "hacker" began to change when microcomputers such as the IBM PC were introduced. Microcomputers were regarded with disdain and fear by many people whose careers had been made in the mainframe world, and they regarded anyone who introduced a microcomputer into their enterprise as a rebel, at least, and as a "hacker" at worst. So the younger people seeking computer-based careers, in particular, started considering "hacker" as a badge of distinction insofar as they considered themselves (not without reason) and their microcomputers as the "future of computing". They seemed to overlook the fact that a lot of "hackers" were to be found in penitentiaries. Some of them thought that anything which threatened the hold that mainframe computers and their attendant infrastructure had over enterprise computing was a "good" thing, especially when someone found a way to perform some tasks either better with a microcomputer than it could be done with a mainframe, or at less cost than it could be done with a mainframe, or both. That said, "security cracker" sounds like some kind of cookie. After all, a tracking cookie could be called a "tracker". ;-)

pgit
pgit

I've always gone out of my way to use the 'correct' terms, but this ALWAYS entails a lengthy explanation, not too conducive to the point, being communication of something. I doubt I have altered even one person's misuse of these terms, despite being rather zealous in pursuit of clearing the good name of the hacker. BTW I disagree in the respect that I think it would be easier to come up with a new term for the white hat variety. I'm surprised this hasn't already been done. Have they no imagination over at MIT anymore? ;-)

JayhawkJoe
JayhawkJoe

I can see how an average person watching the news could consider a hacker as the bad guy (almost always) and a cracker as the bad guy as well (unless explicitly explained to them each time). We need a great new/old term.. the sneaker!

pamelahowell
pamelahowell

mmmmm, malicious security crackers! with cheese? um, i've been interviewed on this exact topic several times. those of us who are hackers know what we mean by it. those of us who are criminals know they give hackers a bad name. those of us who are journalists should make some distinctions, and as clearly as they possibly can. even if 'malicious security cracker' doesn't fit nicely in a headline! with no malice aforethought, and no interest in gain except knowledge...hackers should claim their word proudly and define it for the world. i've worked in the fortune 10 and concurrently was extremely noticeable as a hacker. i choose to admit my own hacker-ness even during job interviews. did my arcane knowledge get me jobs? no. did it help protect my clients? YES. have i ever hacked for material gain, or for anything other than knowledge? NO!!!! there's where my boundaries are drawn. ---p, hack hack hack p.s. i come from a whole family of hackers!

jsaubert
jsaubert

Having grown up around a bunch of MIT guys (who admittedly have their own weird language) I thought hackers were guys that pulled complicated pranks; generally not computer related at all. Crackers were computer coders, sometimes maliciously. Once I hit high school I figured out that hackers and crackers had the same connotation in the rest of the word. It was actually kind of funny. I kept thinking "Why are all these big companies worried about getting hacked? Are they run by a bunch of sourpusses?" ... well, I guess I was half right.

Brother Martin de Porres
Brother Martin de Porres

'Gangster' is criminal, 'Gang'...as in a company of workmen, is not. So perhaps 'Hackster' might catch on, or might not. It could be worth coining a new term, if folk feel strongly enough about it.

CharlieSpencer
CharlieSpencer

Those within the IT community should know the difference between these terms and use them appropriately. That said, I'm in the 'irretrievably corrupted' camp. Those outside the field only know the term 'hacker' in the negative sense of the word.

Neon Samurai
Neon Samurai

The Jargon File contains a bunch of definitions of the term ?hacker?, most having to do with technical adeptness and a delight in solving problems and overcoming limits. If you want to know how to become a hacker, though, only two are really relevant. There is a community, a shared culture, of expert programmers and networking wizards that traces its history back through decades to the first time-sharing minicomputers and the earliest ARPAnet experiments. The members of this culture originated the term ?hacker?. Hackers built the Internet. Hackers made the Unix operating system what it is today. Hackers run Usenet. Hackers make the World Wide Web work. If you are part of this culture, if you have contributed to it and other people in it know who you are and call you a hacker, you're a hacker. The hacker mind-set is not confined to this software-hacker culture. There are people who apply the hacker attitude to other things, like electronics or music ? actually, you can find it at the highest levels of any science or art. Software hackers recognize these kindred spirits elsewhere and may call them ?hackers? too ? and some claim that the hacker nature is really independent of the particular medium the hacker works in. But in the rest of this document we will focus on the skills and attitudes of software hackers, and the traditions of the shared culture that originated the term ?hacker?. There is another group of people who loudly call themselves hackers, but aren't. These are people (mainly adolescent males) who get a kick out of breaking into computers and phreaking the phone system. Real hackers call these people ?crackers? and want nothing to do with them. Real hackers mostly think crackers are lazy, irresponsible, and not very bright, and object that being able to break security doesn't make you a hacker any more than being able to hotwire cars makes you an automotive engineer. Unfortunately, many journalists and writers have been fooled into using the word ?hacker? to describe crackers; this irritates real hackers no end. -- ESR http://www.catb.org/~esr/faqs/hacker-howto.html

Saurondor
Saurondor

A cracker is a hacker. You need to be one to have the experience and knowledge to crack something. Yet not all hackers are crackers. Hackers will always be seen as malicious or at least suspicious because people are inherently ignorant of computer related matters. This ignorance leads to insecurity and thus fear. If you're not sure what a computer savvy person is doing to a machine you start to get suspicious. When that person says "Ok your machine is ready". Does it mean ready ready or rigged ready?

Neon Samurai
Neon Samurai

This is a term with a few sources though no solid historical liniage I'm aware of. Cracker coming from "Safe Cracker" but ported to computers. I see the difference being that most Safe Crackers are licensed and legal lock and safe smiths. Cracker coming from Shakspear's "What Cracker dains my year" (or similar) indicating a more derogatory meaning. Cracker coming from the while folk stereotype also chosen for the derogatory connotations that can be associated. I do prefer Hacker/Cracker too various hat colours personally though.

deepsand
deepsand

When System 360 was first released, running HASP, one could use a batch job to make the system clock run backward, which had the odd effect of making protected memory accessible!

hlhowell
hlhowell

The subject line is from an ad link at the bottom of this piece. When Tech Republic posts links like this, no wonder the rest of the world is confused. And by the way, hackers existed well before MIT. Gun smiths in the early days were among the hacker community. Sailors even before that. Somebody had to figure out catamarans, Dhows, and fishing scows. And they all predate America by a long time. Hacking is the abilty to visualize new ways of utilizing an existing technology. It is the precursor to engineering. Engineering occurs AFTER hacking. Engineers who hack call it prototyping. Somethings appear possible, but are not simple, some things appear impossible but are very simple, once the correct hacker visualizes the right approach. Engineering is the channeling of a prototype into something reproducible with predictable results. Often hacks are not really reproducible with any degree of reliability. That means only that some not clearly understood artifact hasn't been worked out, and that is what a good engineer can do, discover the misunderstood bit, clarify it, code it, standardize it and fix the underlying issue to get to reliability and repeatability. Just two aspects of the job of moving civilization forward. Regards, Les H

Neon Samurai
Neon Samurai

Sneaker or Sneakers could be used to refer to Security Hackers specifically countering the public perception that Security Hacker is the same as a malicious cracker or criminal. What of the rest of Hackerdom? Some are just code hackers, some are stereo hackers, car hackers, radio hackers, psychology hackers, the original where train hackers, hardware hackers are there too, sex hackers (yes, they exist if the "toy" sculpture at Hope 2009 is anything to go by), food hackers too. Any topic where the Hacker interest to learn and curiosity to explore and extend can become a preface.

Neon Samurai
Neon Samurai

Criminals. If your a cracker in the malicious sense, why distinguish them from any other malicious intentioned criminal?

deepsand
deepsand

By necessity, they used home brewed electronic devices. In fact, it was the advent of computerized switching systems that led to the death of true phreaking.

deepsand
deepsand

You need to know a good bit more than that to be a competent hacker.

Neon Samurai
Neon Samurai

Anyone can use pointy clicky scripts to learn cracking. It may be a thing that a hacker discovered and explored but that doesn't mean the script kid that uses that same technique is a hacker. They use the tool in the least creative way; a copycat at best.

apotheon
apotheon

The whole thing about hat colors is basically just the result of an inability to recognize the fact that the word "hacker" has a rich meaning and history even outside of security, but including security in is purview. In short, the term "white hat hacker" as a means of differentiating from malicious security crackers is just part of the problem.

apotheon
apotheon

That's an excellent point, regarding the relationship between the hacker and the engineer (which are both, often enough, the same person).

Neon Samurai
Neon Samurai

If it's a sponsored link or oen of the add boxes, that's fed to TR's website by the advertising company who purchases the page space from them. Same with reading an article on Linux.com showing an ad for Microsoft products; the website sells ad space rather than choosing the ads that are displayed.

Neon Samurai
Neon Samurai

Granted, the Hacker mindset is not remotely foreign in history. heck, the US was founded on the Hacker mentality. But, the phone phreaks have a pretty special place in Hacker history. I remember when my small town's switch got upgraded from rotary dial and the phreaks not into the BBs scene finally faded. By necessity, home brewed hardware and trained hearing where the primary tools. Originally exploring the phone network was not illegal though that quickly changes helping to start the "all hackers are evil" media and police montra. For anyone interested, there is a project (telephreak is it?) that runs a VM'd phone network on line. Phreaks get a legal place to play with old and new phone systems or simply hangout in the confs. I think it's fantastic to provide a place where the community can still gather and a legal playground to be explored.

Saurondor
Saurondor

Would you say then that someone who uses a script to quickly setup a LAN is network administrator? Same way pushing the autopilot button doesn't make me a pilot. Even though the airplane did reach its destination.

Neon Samurai
Neon Samurai

Hacker was mashed into meaning only malicious intent so the attempt to differentiate with black, grey, white hats was made. I heard Red Hat first and maybe that's why it stuck. It's one of those subcategory attempts that is just too synthetic for me.

deepsand
deepsand

Scrap wood, or discarded furniture with suitable flat surface, Fanstock clips, binding posts, alligator & crocodile clips, scrap wire salvaged from everywhere & anything, scavenging the local sink holes, which the town folk used for trash disposal, hoping to find a recently discarded radio or electric appliance, boxes of discrete components carefully removed from the fruits of such hunts, the cuts & burns suffered during such stripping process; later, radio chassis stripped of all but the power supply, mounted tube sockets, terminal strips, and rotary controls such as pots & open air caps, the smell of solder rosin & burnt insulation, the purple glow of a tube running wild - all of these and more. The shear joy of building something from scratch & having it work with a bit of troubleshooting. Thanks for reminding me of those halcyon days.

Neon Samurai
Neon Samurai

Yee 'ol direct current flow; not enough time mucking with the breadboard as a kid.

deepsand
deepsand

We'd need a full blown pre-SS6 POTS emulator between VOIP & local POTS equipment.

Neon Samurai
Neon Samurai

We may now be limited to listening to the recorded tones of the various boxes. If I read correctly though, voice and commands inline would make both the content and the controls part of the audio stream. Could one connect the local wires to a remote system which also supports the analogy signal using the VOIP as only a bridge? Inband signal is compressed on one side and expanded on the other back to it's near original? It would expand the scene past listening to recordings and chatting on confs.

deepsand
deepsand

They pre-date SS7, toa time when all control signaling was in-band, i.e., share the same bandwidth channel as content being controlled, that of voice. Some of these control signals were AC waveforms; others, simply a change in the DC voltage level. A local conversion of VOIP to POTS does not fully emulate the local loop of old, but only the currently used in-band AC signals. All other command signals remain out-of-band.

apotheon
apotheon

It's already publicly available, so no real harm done (by you). Furthermore, the more the vendor ignores it, the more it behooves us to put pressure on the vendor to fix the problem.

seanferd
seanferd

It's even better, as the post was removed upon request from the original site, but is still archived here: http://www.gnucitizen.org/blog/router-hacking-challenge/ Not phreaking, but a bad VOIP solution implementation exploit. ________________________________ There's a VoIP solution called Snom 320 - more info on that beast here: [www.snom.com] It comes with a central phone server which features a web front-end. This thing can't be password protected - I don't know why but it just is that way. there's an input field labeled "Call a number" - and this is done via regular POST - no JS, no token - nothing. So - if you manage to get someone with this thing in his intranet to visit a prepared site of yours you can make his phone do loads of calls to everywhere in the world. [update] If you let the victim call yourself and you answer the phone you can hear the victim talk without knowing that you are listening. Well done, Snom :) [/update] But - you might say - the victim will notice when watching his logs! Nope - he won't. The logging application a a Flash file called snomControl.swf. If you call let's say 100 numbers in a place really far away you just have to make sure the last number you call is - tada: "'); After that all other numbers that have ever been called aren't visible in the log anymore since the Flash app kind of crashes internally and only shows the calls made after the above mentioned one. I was too lazy to decompile it - maybe later. So - CSRF all over the place but isn't it boring to just get the user to make calls when he visits your prepared site? Yes - it is! You can CSRF a nice persistent XSS into the address book. So anytime the user visits it you can execute your script and do other stuff - like data mining, more calls, even some more calls and so on. There is XSS which also enables you to XHR yourself through the whole front-end and change arbitrary settings, like display names on the phone display, read out settings and anything else you want. Might be bad if you call your boss and some f-words appear on his display... Well, that's it for now - as said I dunno if this really counts but I consider it a funny find anyway ;) ___________________________________ Of course, if anyone thinks it is a bad idea to post this here, say so. I'll edit, or won't complain if marked as spam. (As if it would matter. :) )

Neon Samurai
Neon Samurai

Asuming the person is using a voip box connected to a physical handset, could they not clip or chain in the various boxes? For things further down, I'm not sure if telephreak.org emulates loops, switches and such or not. I believe they use Asterix in the back end though so they have all it's abilities plus whatever they can add into it. I believe they also host recordings of old phone sounds so you can hear the old lines and loops though not interactively. My knowledge of the various boxes is pretty faded though so I'm mostly guessing here.

deepsand
deepsand

While the blue box is an active circuit, the same cannot be said for all the other "colored" boxes. Unless telephreak's DID lines can be used to [i]originate[/i] calls, and to a system which both duplicates/emulates an analog system and can can be [i]answered[/i] by you, one cannot tinker around with passive circuits.

Neon Samurai
Neon Samurai

There is also a community of phreaks that have gone to using VOIP systems. I've mostly read about it for scanning numbers in other countries or generally opening up the world to legal phreaking. It's also used in the now obscure BBS scene a little rather than the old virtual modem hacks. A VOIP box with phone jack would also do it I suspect. I'm just guessing here though as my mucking with phones was limited to hacking in an "off the hook" toggle and "on air" light in my BBS sysop days. (edit): This is probably where we should both be looking for answers. http://www.telephreak.org/

deepsand
deepsand

It's kinda hard to hang a black/blue/gray/brown/red box onto a virtual system.

Saurondor
Saurondor

I'm sure in some cases the person may be gifted. I've hired people because they're gifted even if they lack the paperwork. But in the case of keeping security you might be interested in someone's skill set now rather than later when he gets himself up to speed. And there is still the issue of the paycheck. Would you pay him full prime because he HAS the potential or only pay him full when he achieves it?

Neon Samurai
Neon Samurai

It could easily be someone who's grown up in the Hacker mind set exploring and learning about technology who's not accepted an entry level job. Maybe the mighty CIO or infosec manager has a degree in comp sci but has no interest in tech outside of work. Choosing between a Uni grad with papers and little interest outside of work versus no papers and a nearly obsessive interest in learning about tech; I'm hiring the second more likely than the first provided he demonstrates the skills obtained outside of school.

Saurondor
Saurondor

If we look at the opposite of the security cracker. The person you hire to maintain security. On one side you have the expert who knows the system inside out. On the other you have the rookie who's real good and downloading stuff and running monitoring processes and stares at the screen waiting for the next port sweep to appear. They're both maintaining security in their own ways. Would you give them the same job title? Give them the same job description? Pay them the same? Would you hire them?

deepsand
deepsand

between hacker & cracker. Simply put, it is that of intent. Palmetto put that to you at the very beginning of this sub-thread, and yet you continue to wander off into arguments regarding the definitions of sub-sets of the set "cracker." Furthermore, you fail to grasp that you are here in the presence of one or more hackers, some us truly worthy of the appellation "old timer," and that your attempts at revisionism with regards to the distinctions here under discussion will never gain traction with such persons. We know what we did; we know why we did it. We also know the differences between those personal experiences and those of the crackers who followed us. Yours is a lost cause; let it die with dignity.

apotheon
apotheon

If you plagiarize a book, you are both a plagiarist and a collector of royalties. Both original authors and plagiarists of books collect royalties. They are both royalty collectors. This is a more accurate analogy with the term "security cracker" -- both security crack developers and script kiddies are security crackers. Of course, one might argue that the script kiddie isn't a security cracker if he fails to actually crack security using someone else's automated techniques, but then, a plagiarist isn't really a royalty collector if he fails to get his plagiarized manuscript published. Using analogies to make your point only works if the situations map to each other analogously. It's not "plagiarist" or "author" to which "security cracker" maps, but "royalty collector". The "plagiarist" is the script kiddie, and the "author" is the security crack developer (or, if you really want to broaden the coverage a bit, the author is the security hacker). The security crack developer, or author, develops something innovative; the script kiddie, or plagiarist, makes use of that innovation; both of them, if they're successful in their aims, are security crackers, or collectors of royalties. If you can't get a one-to-one relationship between entities in your analogy, you're doign it wrong.

Saurondor
Saurondor

I'll try to explain the point from another angle. Lets take a security cracker and for a moment imagine neither him nor his fellow security crackers ever release any of their scripts. Would there be script kiddies? No. A person through learning and working on a system may become a hacker. But someone with the skill set of a script kiddie will never come up with the tools required to crack a system. No matter how long he or she sits in front of a computer. While common usage will label him "security cracker" the truth is a script kiddie isn't doing anything a machine could do. I agree with you that according to common usage my position in the context of computer security sounds outrageous. But according to common usage if I take someone's published novel (the one the author took a long time to investigate and write) and reprint it under my name I'm a plagiarist and a thief. Yet in the context of computer security I would be accepted as a novelist. I did after all roll out printed copies.

seanferd
seanferd

Your distinction may, or may not, have merit. However, I see the problem here is in the way you are defining terms. If you say. "I submit that there may be a useful distinction between crackers and script kiddies as follows...", I don't think this disagreement would exisist, OTOH, you are submitting your definitions as if they were already commonly accepted, in respect to this discussion, which apparently they are not, in all circles. Anyway, that is my take on the primary resistance to your definitions. There may be deeper objections, but we haven't gotten past the first layer as of yet.

apotheon
apotheon

A security cracker actually cracks security on a live system. That's the definition of a security cracker. Live systems have security; security crackers endeavor to crack that security. People who develop techniques for cracking security are security crack developers. They develop the cracks. Using a crack is "cracking". Developing a crack is "developing". I don't see what's so hard to grasp about that. The very denotative definitions of the words being used mandate this understanding of the terms. There is, as far as I've been able to determine thus far, no good reason to go about artificially confusing the issue by using words in ways that don't match their definitions. There isn't even a culturally reinforced connotative usage of the term to support this weird perversion of the generally understood term, so there isn't even any limp-wristed descriptivist justification for using "security cracker" to mean the same thing as "security crack developer".

CharlieSpencer
CharlieSpencer

It's not the skill level that defines a cracker, it's the malicious intent.

Saurondor
Saurondor

We'll just have to agree to disagree. I can't call a scrip kiddie a cracker. They're two different levels. You're free to call both of them crackers. Be my guest. I believe script kiddies can achieve a breech, but can also be easily countered by scripted tools to maintain security. What I call crackers are something else, they're more clever and more dangerous. Like I said I consider a cracker to be hacker. While a script kiddie (for me) is a carbon based automaton that can easily be replaced by a botnet. The intentions and the effects are, like you mention, the same. But the means to counter them are totally different. At least for me, but you're free to hold your own opinion.

Saurondor
Saurondor

standing alone and I think I went to great extent to explain myself. Is there something I missed here? I thought the original article was exactly about this: the misuse of the term Hacker. Whereas Chad went to point the malicious versus non-malicious use of the term hack/hacker. I just followed up with my position regarding crackers and how I believe script kiddies are mislabeled crackers when their proficiency is leagues below a cracker's. PS, standing alone hardly troubles me.

CharlieSpencer
CharlieSpencer

Use the terms as you wish, but be prepared to explain your unconventional definitions. I'm unaware of anyone who defines them as you do.

apotheon
apotheon

I'm not talking about conformance for conformance's sake. If I was, I'd just advocate calling all security crackers "hackers", and damn the consequences. I'm talking about clarity of communication. You want to muddy things up by inventing new uses of old terms, the same as the idiots in the mainstream media who never bothered to actually learn anything about the word "hacker" that they abuse so much. Where mainstream media ignoramuses misuse "hacker" by rote because they've seen others of their ilk misuse it by rote, you seem intent on misusing "cracker" because you damned well feel like it, without even the excuse of following someone else's example. In both cases, the speaker is confusing the issue, which I find counterproductive.

Saurondor
Saurondor

Deepsand, while the terms do sound the same in the dictionary I used them to distinguish the action performed by the cracker from the action performed by the script kiddie. Because if I used the same word across my post it would have been more difficult for you and others to understand when I meant one and when I meant the other. I used the word crack when the action of figuring out and abusing a weakness in the system was being taken. Action which leads to the breech the cracker does achieve. The script kiddie skips all this intellectual process and goes straight to the breech. By using a specially crafted tool for the job. Tool which is fit for that one exploit and minor changes in the target system could render it useless. Am I making myself clear why I used those two word in my text?

Saurondor
Saurondor

Apotheon, you say: 'Without any history behind your usage of the term, your explanation of how the term "cracker" is used is nothing but your personal conceit.' Exactly. It is my personal conceit. What value would my post have if I copy paste Wikipedia? To me this is the value of a forum. That is to read others personal 'conceits' and give one's own. I particularly like your choice of the word conceit above say idea or thought. Because it infers the idea of elaboration, exaggeration and being extravagant to the point of being outrageous. I do prefer to explore outside the common set boundaries rather than be tied to "historical railways". Particularly if those "historical railways" that have lead to the current usage of the term "cracker" were set in their majority by the press. They're like a double pass blur filter on reality. Once so they understand it and once so they can express it. Not to mention the little sprinkle of fear they'll put into their story so it sells better. I guess that on this matter we'll have to agree to disagree. I'm neither rewriting history nor imposing my ideas. Just expressing them. But I'm certainly not going to constrain them because there is some "current common usage". If it fits you to be bound by this "common usage", go ahead. It doesn't fit me and guess we'll just have to agree to disagree.

apotheon
apotheon

saurondor: Without any history behind your usage of the term, your explanation of how the term "cracker" is used is nothing but your personal conceit. Meanwhile, there is history behind the use of the term "cracker" in an IT security context that exactly matches the way everyone but you seems inclined to use the term. If the only reason for anyone to regard "script kiddie" as anything but a subset of "cracker", and vice versa, is your say-so, I don't think the usage you endorse is going to gain much traction amongst people who know better.

deepsand
deepsand

without regard to the morality of the intentions.

deepsand
deepsand

To say that the "cracker," i.e. the one who developed the script employed by others, did not "breech" security is patently false, in that, had he not done so he'd not be certain as to whether or not his tool worked as desired. As for the script kiddies, to say that their using a "cracker's" tool does not make them a "cracker" is likewise preposterous, as within the present context, both "crack" and "breach" mean to "create an opening." Formally, "breach" means "act of breaking," or "to break." Etymology: Middle English [i]breche[/i], from Old English [i]br?̄c[/i] act of breaking; akin to Old English [i]brecan[/i] to break [b]1:[/b] [i]infraction or violation of a law, obligation, tie, or standard[/i] [b]2 a:[/b] a broken, ruptured, or torn condition or area [b]b:[/b] a gap (as in a wall) made by battering Clearly definition [b]1[/b] applies to both the developer and the user of the tool employed by script kiddies.

Saurondor
Saurondor

Does the source of the usage of those terms matter to the overall points made in my post? Does the distinction pointed out between cracker and script kiddie vanish? I understand it might not be "common usage". That common usage makes them equal is true, but I really don't agree nor care to agree. Because I see a clear distinction between them and I like to address them differently. It might sound romantic, but the truth is a security fix might keep you safe from a script kiddie, but not from a cracker. Or "real" cracker if we were to use the common usage of the word cracker.

apotheon
apotheon

Saurondor . . . it seems to me that you're trying to redefine the term "crack security" to suit some kind of romanticized notion out of thin air. I'm pretty sure the term "cracker", as referring to the behavior of both talented developers of security cracks and by-rote users of security cracks developed by others, predates your familiarity with it and your understanding of it as meaning "hacker who violates security". In fact, the use of the term "cracker" in the context of computer security originated with a very conscious attempt to redirect the misuse and abuse of the term "hacker". I, for one, am not sold on your revisionist view of the term "cracker".

Neon Samurai
Neon Samurai

I like that distinction. I have more respect for technician that I do for someone with malicious intent but in general, that's a pretty good way of explaining it.

Neon Samurai
Neon Samurai

That's one of the big differences in my view. If I break into a system that isn't mine, you can be sure I confirmed permission from the system's owner. If I break something, I don't get to just walk away; I'll either fix it or sit beside the admin doing the fixing. A fully qualified Pentester is going to have permission before cracking a system's security. My view the definition of Cracker has always included the "without permission" clause. It gets more complicated when you consider the original MIT definition of hacker not meaning "computer hacker" specifically most of the time. Sterio Hacker (audiofile), Radio Hacker (ham, sparky), Car hacker (gearhead), Brain Hacker (derived from phsycology and Hacker mindset), Political Hacker (US founding fathers)... Heck, Alexander Graham Bell; Hacker. I don't think so many different areas of interest to the Hacker mindset should be demonized because Security Hackers get the blame for Crackers in the public media.

Saurondor
Saurondor

And there is a clear reason why I'm making this distinction between cracker and script kiddie. The script kiddie is breeching the security, but he isn't cracking it. The security is cracked one time by the cracker. The cracker then packages the process in a script (thus the term script kiddie). It is this script's repeated usage that breeches the security on subsequent systems. But it's the same security. Since each installed system targeted is a replica of the original one cracked there is nothing new being made. Let me develop on this further. I develop software ok. I start working on some application and out of nothing a tool appears on my development machine that allows me to do process A. I then package this tool with an installer and give it to one of my support guys to go off and install it on a machine (similar to mine) that doesn't have a way to perform process A. After the installation this other computer can now perform process A. Is the techie a developer now? Technically he made process A available on that machine, but he didn't develop nor implement the solution for process A. I did that. If we move to the arena of cracking systems we can then imagine for a moment process A is a means to crack system B.4. But if we target process A against system B.5 which has fixed the vulnerability process A exploited, then the script kiddie can't breech the security. Why? Because he isn't cracking the security. The security was cracked by the cracker who wrote the script. Any other device using system B.4 has the SAME security even if it is a physically different object. For me "security" in this context is the way it is implemented rather than the instances it is implemented. If a particular "security" setting is implemented once or a million times it is still one "security" setting. Once you crack it on one device you can repeat the breech on any of the installed devices because it IS the same "security" just a different instance.

apotheon
apotheon

The effect on the target system is that its security was cracked. The person who did it was the cracker of that system's security. That makes that person a security cracker, tautologically. Thus, a security cracker is a person who cracks security -- making both script kiddies who crack security and a hacker who cracks security "security crackers". The difference between the two -- what makes one of them a hacker and the other a script kiddie -- is that one of them develops clever hacks, and the other only uses those clever hacks that have been automated enough for script kiddies to use them without understanding them. I can't figure out why saurondor is trying to invent some artificial distinction between "script kiddie" and "security cracker", as if "security cracker" implies some kind of level of sublime, consummate skill.

deepsand
deepsand

Analogously, hackers are generally engineers (though a few are scientists,) crackers are almost always technicians with regards to knowledge & skills.

CharlieSpencer
CharlieSpencer

does it matter to the customer whether I developed the recipe myself from scratch or just followed someone's instruction? Script kiddie or cracker developer, the intentions and effects on the target system are the same.

apotheon
apotheon

The chef is the hacker who is a security cracker. The script kiddie who is a security cracker is someone flipping preformed hamburger patties in a fast food joint. Not all cooks are chefs.

Neon Samurai
Neon Samurai

Ha.. that's fantastic, I'm remembering that one. On the Chef note; technically, one must have papers to be a Chef. No school, no papers, no Chef title. That doesn't mean unskilled by any means given that many without the official school stamp of approval are artists at the cutting board. It's not a large difference really now that I think of all the skilled but un-MCSE out there.

Neon Samurai
Neon Samurai

Hackers delight in exploring there technology rather than simply using it. This leads to discovering the technologies limitations, benefits and failures. A hacker will then try to draw attention to the failurs so that they can be addressed improving the overall system. The skript kiddie or cracker comes along and takes those same nighty tricks and exploits them towards malicious ends. Using these previously known tricks doesn't demonstrate hacker mind set, creativity in problem solving or a new way to make use of the tricks. It's simply copying someone else. I think there is a difference between that and a network admin who uses a scripted setup; the admin knows what they are doing and owns the network. They are not breaking into something they have no permission to pentest. They are also not simply trying to cause havoc on the network. A pilot who uses autopilot during flight still has the skill, training and experience to take over when the navigation computer fails. The pilot is also repsponsible for the aircraft and using the autopilot keeps it on course (flight safety) and allows the pilot to have a more restful file (flight safety, distance). The admin and pilot have a strong understanding of what those tools do for them in respect to the job. They are using those tools in a way that benefits the network setup or flight. They have authority/permission over the systems they are effecting. The cracker does not have permission to effect the target system. They also do not have responsibility over the system's health. If the network setup doesn't go cleanly, they go home. If the flight goes off course or crashes, doesn't matter, they where in through remote pilot anyhow. The goal they seek is at the expense of the target not it's benefit.

Saurondor
Saurondor

would strongly disagree with your position. Anybody can follow a recipe, but that doesn't make him a chef. He or she might be a talented cook, but still a long shot from being a chef. To think that a script kiddie is a cracker is to seriously over rate a script kiddie. IMHO a script kiddie is a carbon based automaton, nothing more.

apotheon
apotheon

I think you just made Neon's point for him. A security cracker is someone who cracks security. A hacker is someone who explores new ways of doing things, new ways to use old ways of doing things, and so on. A hacker may become a talented security cracker who comes up with new ways to crack security; a script kiddie who cracks security is, tautologically, a security cracker -- but one who uses automated tools and well-worn techniques created by other, better minds than his or her own. Not all security crackers are hackers; some are just script kiddies. Not all hackers are security crackers; some put their talents to use in other areas.