The value of accidental security through obscurity


Any security professional worth his salt should be familiar with Kerckhoffs' principle, which states that a cryptosystem should be secure even if everything about the design of the system is public knowledge. The same concept was expressed by Shannon's maxim, "the enemy knows the system". In either case, the implication is clear: Don't rely on obscurity for security.

The term "security through obscurity" has become a pejorative one in professional security circles. The way many people describe it, it refers to hiding the details of a set of security procedures because they aren't strong enough to stand on their own. One might define security through obscurity as security that relies on the stupidity of the enemy -- which is generally regarded as a bad idea.

There are two sides to the "security through obscurity" coin:

  1. Intentional Security Through Obscurity: Security through obscurity may refer to an intentional act of trying to maintain or strengthen security by keeping security policies and procedures secret. This approach to security is behind such common vendor behavior as attempting to keep any and all vulnerability discoveries secret until after the vendor has the opportunity to release a patch (and spin the story to make the vendor sound good, of course). This occasionally has the effect of actually punishing security researchers for doing their jobs, and is generally more of a means of protecting the vendor than the end user. When security professionals talk about "security through obscurity", this is usually what they mean.
  2. Accidental Security Through Obscurity: In a more casual sense, the term "security through obscurity" is sometimes used to refer to the idea that a less well-known, less common, and thus less inviting target appears more secure statistically, even if it is not more secure technically. This is the concept behind statements commonly made on the Microsoft Windows side of the Windows/Linux security debate such as "Linux will have just as many security problems as Windows if it ever becomes as popular." The way the argument works is expressed by another formulation of the same idea: "Linux only looks more secure because it's so unpopular that nobody bothers to attack it."

There does, in fact, seem to be a correlative connection between the security of an operating system and its popularity much of the time.

  1. MS Windows suffers a greater statistical incidence of breaches than MacOS X.
  2. MacOS X suffers a greater statistical incidence of breaches than (most) Linux distributions.
  3. Linux distros tend to suffer a greater statistical incidence of breaches than FreeBSD.
  4. FreeBSD suffers a greater statistical incidence of breaches than OpenBSD.

Correlation does not imply causation, however -- and, even if it did, one could not be certain based on that data alone which way the causation ran. We do not know, based on nothing more than a correlation, which of the following is true:

  1. Does the popularity of MS Windows make it a bigger target, thus leading to a greater statistical incidence of security breaches?
  2. Does a poor technical design with regard to security contribute to greater popularity for MS Windows?
  3. Is there some single cause of both greater popularity and poorer technical security design?
  4. Is there some single cause of both greater popularity and higher profile as a target aside from popularity itself?
  5. Is this apparent correlation all the result of a biased sampling of operating systems?

Point 1 is the accidental obscurity argument. Point 2 suggests that secure design interferes with design that builds market share, which matches the sometimes offered suggestion that security and usability are to some extent incompatible with one another.

Point 3 might support an argument that making technically correct design decisions secondary to the mandates of a vendor's marketing department is the real cause of reduced security for major vendors, as well as the real cause of those vendors' software gaining significant market share. There is no implication here that marketability and security are incompatible -- only that the people making decisions are good at making decisions for marketability and bad at making decisions for security. This seems to match the observations of many developers who are frustrated with their work environments, as well as those of people who become increasingly frustrated with the direction of certain Linux distribution projects as they focus increasingly on "user friendly" operation, often at the expense of other concerns they consider more technically correct.

Point 4 is a bit difficult to define clearly. It differs from point 3 in that it still assumes, like point 1, that "size" (one might say "footprint" or "profile") of the target is the primary determining factor in security breach statistics, rather than purely technical design characteristics. It bears similarity to point 3, however, in that it does not establish a direct causal relationship between popularity and security breach statistics. Depending on the specific form of target profile used to justify this hypothesis, it may end up supporting the notion that technical design characteristics are a more significant factor than popularity, or the opposite -- but more likely would support neither, particularly.

Point 5 is sort of an "escape clause". It is the most direct route to invalidating any connection between popularity and increased security breach statistics of MS Windows as compared with other OSes. One could simply point to other OSes not commonly considered as exceptions to the perceived trend, and if there are enough exceptions the trend itself might be shown to be statistically insignificant.

I've examined all these possibilities, and a few more that are less obvious than these, at some length. I intentionally challenge my own beliefs about (and understanding of) security principles constantly. Where security is concerned, it is my opinion that it is better to be right than to be perceived as being right, and even when I debate matters of security with someone I am always looking for signs that any opposing debaters might be right due to an insight I've missed. As things currently stand, however, I find that the evidence and logical principles that apply seem to support the theory that popularity only overshadows technical characteristics for impact on security up to a point -- and that point is where popularity is great enough to matter at all.

If your system is so unpopular that someone who wants to breach security simply cannot find a vulnerability without using reverse engineering and fuzzing techniques to find it himself, then popularity is a factor for determining the actual security of a system for purposes of deciding whether it is acceptable to use. It is doubtful whether even a system as rare as Plan 9 fits into this category, let alone one with such widespread deployment as Linux. Anything more popular than the absurdly low level of popularity of something rarer than Plan 9 suffers from wide availability of information and established techniques for finding and exploiting common vulnerabilities that are characteristic of that system.

OSes like OpenBSD, FreeBSD, and major Linux distributions are all well within the range of popularity where obscurity does not provide security, particularly considering the similarities between these systems, the commonality of software between them, and their ubiquity as Internet-connected server systems. Couple this with the fact that -- in the case of open source projects like Linux distributions and open source BSD Unix systems -- the matter of security through visibility is a significant factor, and the accidental security through obscurity argument starts looking pretty thin.

Let's just assume for a moment that you have some staggering, undeniable argument, sublime in its logic and rock-solid in its evidentiary support, that the conclusions in the above paragraph are inaccurate. Let's just assume that you know The Secret Proof that the only thing that makes an OS like Debian GNU/Linux or OpenBSD, or even OpenVMS, more secure than MS Windows is its relative obscurity in the home desktop computer market. Just for argument's sake, I'll go ahead and assume that such a rebuttal to the "security through visibility" and "security through obscurity doesn't work" arguments actually exists. What then?

Well . . . then the question becomes:

Why does it matter if that's the reason something like NetBSD suffers fewer security breaches per system in play than MS Windows, or even MacOS X? Isn't the important factor, for security purposes, that a system is less likely to be breached?

If obscurity works, use it.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

87 comments
howiem

Being obscure to threats can also turn into being oblivious to them. I prefer to think of obscurity as another layer of security. Discussing obscurity as stand-alone protection doesn't take into account the various attack vectors and attack rationales. Example: If someone wants to steal money through the use of high volume spam, then you got to go where most of the users are, namely Windows. If this is the only type of attack you want to be protected against, then by all means, use a more obscure OS. But if an attack is targeted against you personally, failure to use other layers may not protect you. After all, threats are not only in the form of malicious code. Scams like phishing are also threats, and are OS-neutral. If we understand the various types of attack vectors and focus on protection against those attacks, the use of obscurity may be relevant, but not at the expense of foregoing other types of protection.

kpthottam

Security through obscurity has a role in that it prevents inference attacks. However this security principle doesn't use the word obscurity in a casual sense, but rather in a very rigorous fashion which is total obscurity. Hence this concept does not apply to any OS in the public domain aka OpenBSD, Linux etc. So any implied argument that Linux being obscure is less vulnerable to inference attacks isn't valid.

Photogenic Memory

The author didn't say this exactly but he is right about the obscure nature of it promoting its own form of security. I, myself, have attempted to "check" this OS out. I truly believe that if you can make this OS work for you then you can probably surf the net safely without fear. The only caveat is if (and if you can which may be unlikely) you install a popular 3rd party application on it. This will probably give you more of a foot-print and a door towards application exploitation via an old module that has been hacked. However, as mentioned before, this is unlikely. The reason I say this is that Plan9 is gibberish and it just plain sucks, LOL! (Although when I mention it; if only I could get it to.....naw!)

cathar.gnostic

Unix based systems are the backbone on the net, always have been, not Windows! Nothing is completely secure, some are just more secure than others. Unix based systems have more up (computing) hours than any other systems yet are more secure. Installed base is not the way to look at it in which Windows based OSes have the numbers.

bobs

too many words: no compelling business case to dump linux

joeller

I have to say that any argument concerning security that discounts the numbers of systems in operation, the type of users that use it, and the psychology of those that are trying to break security is invalid research and improper use of statistical analysis. Why is Windows more popular? Because it is easier for the average every day computer illiterate user. These are the same people who are least likely to put up security measures that interfere with ease of use. They use the same password for everything. They make it easy to remember (and thereby easy to hack). Hackers on the other hand have two motivations. 1. They want to hurt as many people as possible. (The same reason terrorists blow up subways and commuter trains and market places rather than attack military bases.) Therefore they will tend to attack the "soft targets". My boss's father-in-law went out and got a high speed internet connection but did not want to make the expenditure for a firewall or an antivirus system. He ended up having his C drive wiped. 2. Hackers also want to maximize their profit. Those high profile instances where you hear of them breaking into DoD systems, or a major retailer's system, are a small percentage of the total security violations. They have the same relationship to computer crime as the Brinks Armored Car robbery to total of liquor store hold-ups. Until someone devises a means by which security can be ensured without hindering, or relying on the user no popular system is going to be secure. And face it there is really no way that any system that can successfully interface with a user be made fully secure. As Doc Smith continually pointed out in his Lensman series, "What Science can build, Science can duplicate."

jg1646

Is Linux more vulnerable statistically outside the U.S. where it's much more popular?

dcolbert

During a period several years back where IIS buffer over-run exploits via trojan were rampant, my logs were full on a daily basis with attacks against IIS. During this whole period, I was running Debian Potato with an insecure SSH, and did not have a single knock on the door. But because of the popularity and size of the W32 market, I was well aware of the security issues with my Win platforms. It took me quite awhile to find out about the SSH vulnerability. Your results may vary. I just don't see the value of this essay. I'd love to go point by point, but really, this just seems like a crafty way to stir up the Linux vs. Win32 wars again... Use whatever you prefer, and don't try to justify it, and don't come evangelizing to me. You guys are as bad as Jehovah's Witnesses.

alaniane

is talking about security and not whether Unix or Windows is more secure. Unix systems have had their days of being cracked; ask MIT about how their professors' passwords were made public. Also, "root" kits originated with Unix. So, whether the system is Unix/Linux based or Windows based or OS X based, it still needs to be secured. Believe it or not there are crackers out there who are competent enough to break into *nix systems.

joeller

Words are defined by their predominate usage. No matter how hard we try to maintain their original meanings and usages they will change over time. If we wanted to be technical and maintain all the original meanings and spellings of words, King would still be spelled Cyning and mean local Chieftain, aweful would mean awe inspiring and pompous would still be defined to mean magnificent. Formerly a noble's entourage was properly referred to as a herd. Can you imagine how the president's people would react today to a newscaster referring to them as a herd? However words do change over time due to usage. The verb "dis" is now in Webster's, meaning to show disrespect. And in fact the noun disrespect is shown as a verb. To the world at large, a hacker is a criminal who goes onto other people's computer systems and messes with them. If this person has not been hired to do so to test security, they are causing injury to the owners of all the systems they affect. That means at minimum they don't care how they injure people as long as they get their kicks and at worst they enjoy hurting people. This means at minimum they are sociopaths and at worst psychopaths. I can understand someone who is in search of profit and does not care about the collateral damage they cause. This is logical if not moral behavior. What I don't understand is people that cause pain and damage just for the sake of doing so. My mother stopped using the computer when Windows first came out because it was too difficult for her to understand the new OS. My wife has still not been able to adjust to the change from Windows 98 to Windows XP and it has been 4 years. My father-in-law has the same issue. My mother-in-law has not touched the computer since he bought the laptop with XP. I am considering buying a laptop for my wife and I need to make sure it comes with XP. My sister-in-law considers herself technically savvy and yet she still needs to ask me about using Windows Explorer.
For most of the Home Computer market there is no such thing as choosing an operating system. You pick a machine that the salesman tells you can play videos, or connect to the internet or write letters or whatever. Whatever operating system comes on it that is what you get. The majority of home computer users have never even heard of Linux and only know about Macs because of the Mac vs PC commercials being run now. These are the people that need to be considered when designing secure systems, and sad to say this is not being done. It is easy to say educate users but it is another matter to actually accomplish this laudable goal. In fact practically all of us developers in our department ended up writing down our passwords on post-its when the Navy began mandating passwords with at least 15 characters that had to contain both upper and lower case, special characters and numbers, and we know better. I don't personally believe any system will ever be truly secure. As Doc Smith said "What science can create, science can duplicate." Someone will always find a way to break through any security measures. I don't know the answer but I never carry my wallet in my back pocket and don't keep any money in it anyway. Don't expose anything anyone wants and you don't have to worry about getting robbed.

royhayward

I think in this virtual room, you will find that over half of the people do now or have at some time, considered themselves to be white hatted hackers. I have had occasion to breach the security of my own business applications in order to fix things, and test things. Saying "hackers are bad people" is not going to get you any points in this company. However your point about the technical class of user is well taken. I have never met a person with a PC running Linux that didn't have some respectable level of knowledge and experience on computers. (I'm sure there are some out there, but out of thousands of Linux users that I have talked to, none of them are nubes) On the other hand, I am constantly finding people that are talking to me about the troubles they have with their new computers who are Windows users. (problems like I have no firewall, virus scanner, there is porn on my desktop that I can't remove, help help) So we should probably look at things like server statistics to try and level the statistical playing field so to speak. This is in the hopes that on average, the Windows Server Admin knows about security a bit more than the average Windows PC user.

Neon Samurai

"Hackers on the other hand have two motivations. 1. They want to hurt as many people as possible." Hackers are not the people who are looking to hurt anyone let alone as many people as they can reach. You mean Crackers or simply your everyday criminal who happens to use a computer. "2. Hackers also want to maximize their profit." Hackers rarely have any monetary motivation. They explore hardware and software because they love to do it. They figured out how to setup this Internet thing because they loved to do it. They figured out how to build personal computers in their basements because they love to do it. By saying that Hackers only want to 1. hurt as much as they can and 2. maximize their profits, you overgeneralize, insult and demonize. "Hacker" as some evil computer genius or the modern bogeyman. If you mean people who hurt other people with or without the aid of a computer system; please, just say "criminal". [/rant]

apotheon

"[i]Why is Windows more popular? Because it is easier for the average every day computer illiterate user.[/i]" That is the result of unrealistic oversimplification of facts. To be more precise, you ignore a lot of factors that go into OS choice, and just pick the one that makes you happy -- and it's wrong in many cases. It's probably wrong in [b]most[/b] cases. "[i]These are the same people who are least likely to put up security measures that interfere with ease of use.[/i]" . . . but that part is correct. "[i]Hackers on the other hand have two motivations.[/i]" You've oversimplified, with that statement and everything that follows it, to the point of gross inaccuracy (again). 1. The term "hacker" is not the best term to use for the people to whom you refer, for a great number of reasons. Try "security cracker" on for size. 2. Many profit-oriented malicious security crackers attack the "soft" targets first (or only). In many cases, the maximum gain can be had through maximizing the number of successful attacks, such as when building spammer botnets. 3. The abysmal security statistics related to the majority of end users can be avoided with reasonable certainty in specific cases. Among other things, I try to tailor articles toward helping people ensure their networks fall into that category.

Tig2

That Chad was accounting for a wide distribution base when he referred to Linux, thus accounting for them. The challenge is that there is really no way to truly know what that base is. I'm posting from a Mac, so it can be generally assumed that I am using OS X. However, it can also be that I am using Linux. Or I could be using XP. OR, I could have this thing triple partitioned and be using all three. And it may happen that one day I will do exactly that. I honestly don't think that there are ANY safe assumptions when we're talking about an OS.

rykerabel

That's the point. You stopped and caught all attempts at IIS because you knew about them. You did not catch or even know about the successful attacks on your DP.

seanferd

Does anyone else see what this fellow is talking about, because I missed it. I am thinking that seeing Lin V Win wars is quite frequently in the eyes of the beholder. Is it that simply mentioning any software not created by MS is an effort to start a "war"? (Okay, I'm ignoring all other closed- and open source software here.)

Absolutely

An oncologist would be more likely than the average layman to disagree, and to observe that the correct term is "malign," because, as my Pocket Webster's dictionary just told me, the definition of "malignant" includes intent, whereas "malign" does not. Use of the latter therefore allows for the possibility that you are just ignorant, as I am of most of the vocabulary of oncology. Since we haven't met, I should choose a word that implies no knowledge I don't have about your intent, so the better word is "malign," but if, in my ignorance, I call you "malignant," then, according to your own words, you must forgive the insult. Jack*ss.

alaniane

Words are also defined in the context or setting that they are used. In a tech forum it would be inappropriate to use the words "hacker" and "cracker" interchangeably since the tech community draws a distinction between the two words.

royhayward

I think that your basic statements here are incorrect. 1. Words may change over time, but the dictionary is the place intelligent people go to reference their definitions. There are forums that discuss such things and it sounds like you might want to find some. 2. Hackers are not criminals anymore than drivers are. A person may commit a crime while hacking or driving, but not by the nature of it. I have a vested interest (as do many here) to protest when our actions are portrayed as criminal. I am an innocent hacker and I plan on staying that way. 3. This is a forum on security, not end user OS preferences based on ease of use or aptitude. I have no idea why your mother's computer use and choice has any bearing on this discussion. (Although I am sure she is a wonderful person) 4. With all due respect to Doc Smith, (is this guy even really a doctor?) I think that statement is false too. Just because it sounds cool does not make it true. 5. While I may have some sympathy to your plight with a 15 char password of mixed case, special char and numbers. I think that anyone serious about security would agree that writing the password on a postit will never be acceptable. Even if the password is enormous and includes unprintable characters and foreign language punctuation characters.

bruno_ann

Hackers, Crackers, Criminal hijackers - they all spend time, for one reason or another, trying to break into systems. Whatever their intentions, anyone who attempts to break someone else's system is acting immorally, if not illegally. Ethical Hackers are properly trained and SPECIFICALLY hired to break into systems. ANYONE else who does it is a criminal. How's that for a bottom line???

dcolbert

Well, if I was compromised on Deb during that period, the guy covered his tracks very well, or was just a very polite hacker and didn't do anything malicious, because I certainly did my research once I found out about the Debian vulnerability. Who knows... And, perhaps I just saw the *nix vs. Win war here because I was being dragged into a flame war in another thread the day I made this response... but the implication seems to be there, to me, when you start talking about security versus obscurity. I could be wrong.

Tig2

I found the point to be security through obscurity versus security through visibility. As Chad points out, visibility is a better (in my opinion) model. But he also states that if obscurity works for you, by all means, use it. I think that people are often looking for a war and are surprised when they find one. Truly, the conversation should always be one of functionality to meet the needs of the end user. In short, use what works best.

Neon Samurai

I can understand why the minimum is 15 char for a military facility. Even for short passwords, I've found it worth while to get a password keeper of some sort. I'm not sure about phones but I haven't seen a PDA or bigger device that doesn't have something available. All your passwords are with you for reference and no nasty post-it notes are left laying around.
- keeppass (win32/*nix)
- pgp password vault (win32)
- Password Safe (maemo.org)
Are three good ones. Keeppass actually pairs with a PalmOS password keeper but I've forgotten its name at the moment.

Absolutely

OK, I admit, that's an exaggeration.

Absolutely

I never meant to validate the sloppy use of terms that leaves the mainstream without a term for "creative problem solver who is a computer professional," and similar nuances of meaning captured by the correct use of the term "hacker" and only by that term. It's an important word to have in one's lexicon, for anybody who knows such a person, and I think my analogy to using a particular epithet to refer to a woman whose name I have not bothered to learn fairly well sums up my general stance on the subject. I just thought Neon went [i]a little[/i] too far. Maybe trying to be so specific, and the mass quantities of words used to do it, had the effect of implying emphasis where only exactness was pursued; in fact I know that effect tends to occur, yet I persist in my verbosity. Really, I just think Neon got [i]slightly[/i] carried away, and I wanted to describe in detail how I differ and why -- partly because I have agreed so emphatically with him in other threads, and am interested in reading more of what he has to say. Seems that part worked.

apotheon

I'm confused. "[i]That's a very good summary of the only good argument for hacking as a legitimate professional skill, and that is because in that scenario, the hacker is hacking for the purpose of protecting his own property.[/i]" When did you "switch sides" and start arguing for the mass media definition of "hacking" and "hacker"?

Neon Samurai

It's an old discussion that some of us have been through many times. It sounds like you've simply been educated by the mass media about hackers making you no different from the rest of the world outside of computer enthusiasts. If that's the case, you've inadvertently walked into the middle of an ongoing grudge match; try not to take it personally and if you are open to information on the history of computers and hackerdom, links can be recommended. There've been a few technically knowledgeable people who've intentionally argued (for entertainment or due to actual belief) that all hacking is criminal. At the same time, there are those of us who have lost most of our humour about being treated like criminals because our enthusiastic hobby happens to be seeing what computers can do beyond designed limitations.

Neon Samurai

Ownership is important and perhaps more applicable in this case. Intent is something I apply generally and probably in the same way you apply ownership. If someone cuts me off in the subway by accident, that sucks but it's an accident. If someone shows intent to cut me off in the subway, then we have more than a passing slight to consider. An extreme example would be arriving home to find someone sitting on my couch. I'm going to be more accepting of someone who intended to be waiting on their friend's couch but made a mistake of address than I am of someone who intended to break into my home. (Granted, that's an extreme and unlikely example.) This bit threw me off: "Neon: so wrong.. so very wrong.. Barely, and only rarely wrong." You lost me there. I was replying to one person.. you responded to me as if "wrong, so very wrong" was directed at you.. could be just me.. either way.. not an important point to focus on. I didn't think the cases I cited were that rare but perhaps they are. A co-worker's significant other works in a computer forensics firm which often does contract work related to police investigations; that one didn't seem too far out there as a result. Rogue users and time or logic bombs are the very reason that enterprises terminate staff by having security accompany them out after "the meeting". The terminated staff is escorted out avoiding damage to the physical location or data that staff may have access to. That one didn't seem too far out there as a result (I'm also smack in the middle of a security+ textbook so "rogue users" is a fresh topic). Learning the security weaknesses in one's own computers is surely not that obscure. How does a tech professional learn the skills of the trade if not through self education? Schools provide the initial lab environment but learning is an ongoing thing that continues long after the school days. I have a network setup at home specifically to play in a safe and legal environment.
If I figure out how to do something new with the machines or unlock something (by relation learning how to better protect something) then I don't need to learn how to do it when a client asks. I thought this one was more common sense rather than an obscure case. The last one "attempting with the permission of the client" is direct tiger team work. While most businesses are not going to employ their own security penetration testing teams, you can bet that the info sec consultant they hire will have a team or access to a team's services. My point was really to give a few examples of cases where breaking system security is not remotely immoral or unethical though more generic cases would have been better. That was in direct response to the initial poster's comment that any act of hacking was immoral. Again, the idea that hacking only covers breaking system security and that breaking system security in all cases is immoral does not account for cases where such activity is very much moral and supported by best intentions. I read the overall tone of the poster's comments to suggest that hacking is, by its nature, immoral. On a reread of the poster's last line, I'm still finding it too black and white; all cases of hacking are immoral except one.. it still suggests that hacking is only breaking security and that it is primarily an immoral activity; that's where I can't agree. I suspect in this case I got all spun up from a few other recent "hacker" definition threads. The irony is that in my post that you replied to, I'm not remotely trying to be adversarial. I simply acknowledge that the poster shows some recognition that intent can indicate whether an act is immoral or not and comment that a greater community of enthusiasts should not be condemned for the actions of minority group who associate themselves with the greater community. Anyhow, enough on an ages old topic for now. I was just surprised to see such a long response to my short closing reply.
I can appreciate being called out when I start heading for the deep end though.

bruno_ann

Please allow me to apologize once again! As I am not a "Hacker" myself, I was not aware the issue is so sensitive. I certainly did not mean to hurt anyone's tender little feelings. I shall take great care in the future to remember with whom I am dealing in this forum. But as I said in my recent reply to Apotheon, 'nuff said! Adios!

JCitizen

Let's see; that's too long so what if we used aficiytech? Naww! How 'bout techanado! Yeah! Naaaah! Oh well! :)

bruno_ann

You've missed the point entirely! No matter. Enough has been said on the issue. Later!

Absolutely

[i]I submit that your comment that when words "...cease to have a specific meaning, we cease to be able to communicate effectively." is actually counter-productive to effective communication. Regardless of how incorrectly ANY language is used, its point is to be understood. The general population understands the word Hacker to be something negative.[/i]

People who are not doctors don't go around referring to "stethoscopes" with the noise "thermometer." A meaningless sound is noise, no longer a word. Those who use the word "hacker" to mean "computer criminal" [i]have no word in their vocabulary[/i] for the honest, industrious, ready-for-anything computer professional who makes it a point of honor to be prepared for the worst. The implied assumption of my non-existence is insulting, and the absence from your vocabulary of the term that [b]accurately[/b] describes me, does exactly that. I'm not one who normally calls out this point, but I do understand it. And, I think I should do so more often. But in your case, I have the impression that this "little" word error is not indicative of your character.

[ It appears from subsequent posts from ann.bruno.ctr, that I was extending too much credit; she refers only to "tender little feelings" and evades the nature of her error as an error. edited to add this note, and to change "worse" to "worst" in the preceding paragraph. How ironic. ]

But to put it in the perspective from which I see it, I don't call you "b*tch" before learning your name. I assume that it would be an inaccurate description, because I agree with the substance of most of what you've posted. But, if I look you directly in the face and say the word "b*tch" you'd know I'm addressing you, [b]and it would be more convenient, for me[/b], than learning the correct term to address you, your name. Calling you "b*tch" thus [b]satisfies your own conditions of personal address[/b], according to your explanation of the purpose of language.

Please address me with the same respect you wish to be addressed. I am completely serious, it is that important. The first time you show me disrespect, I can allow that it's an accident. But when you're told that the term you use is disrespectful, and why it is disrespectful, and you continue to use it

Absolutely

Neon: [i]see, now that recognizes "intent" Intent is where the good or bad of a thing exists. If the intent is to breach a system without approval or harm others then that is most definitely an immoral act. Intent is a key thing to consider.[/i]

"Ownership" gives the right answer in most cases, with less complexity to "consider." I prefer to apply the simplest possible analysis first, examine it carefully and completely for any concrete factors which might render it inapplicable in specific cases, and go with that if there are not. It's more efficient and more moral.

Neon: [i]so wrong.. so very wrong..[/i]

Barely, and only rarely wrong.

Neon: [i]"anyone who attempts to break into someone else's system is acting immorally" This is one of the things I'm arguing against specifically. If you're trying to break into a computer you don't own or don't have explicit permission to try and break into, *THEN* you are acting immorally and are no better than any other Cracker (aka criminal that uses a computer). If you're trying to break into a computer you own or have permission from the rightful owner to break into, *THEN* there is no immoral act. In fact, wouldn't it be professionally immoral to not attempt to break into a computer after you've been hired to do just that by the system's owner? How about: - unlocking systems for their owners to retrieve locked data (owner forgets passwords; it happens).[/i]

Good points -- so far, but then you keep going, too far in my opinion.

Neon: [i]- unlocking systems during the course of a police investigation? - unlocking systems locked down by rogue users within your organization? Always good to have an image of a staff member's machine before they get walked out the door.[/i]

I think it's unusual that an employee knows the exact date and time to perform the mischief you imply there. Don't you?

Neon: [i]- investigating how to unlock one's own computers for the purpose of being able to help clients in the future. - attempting to break into computers with the permission of the client?[/i]

Why do you cite such rare cases? That tends to arouse my suspicion -- and newbies more so, I'm sure -- that you're attempting to [b]generally[/b] excuse what really only applies in such rare cases that most people will never encounter them.

Neon: [i]If you don't try to penetrate your system security; how do you know it actually works and has no holes?[/i]

That's a very good summary of the only good argument for hacking as a legitimate professional skill, and [b]that[/b] is because in that scenario, the hacker is hacking for the purpose of protecting his [b]own property[/b]. In all cases, property ownership is important. In all but very rare cases, property ownership and permission are all that there is to consider. In the very rare exceptions, "intent" is up to a judge to decide before granting a search warrant, and thus beyond the scope of the profession of this forum.

Neon: [i]Your bottom line simplifies topic for the convenience of your own opinion. It does not recognize all possible reasons one may try to break security on a system.[/i]

No, it does ignore some rare cases, but only by accident and because those are rare, not by [b]intent[/b]. She also implicitly recognizes property rights as the primary factor, as in the vast majority of cases, it is. Statistically, and therefore in the [b]general[/b] ethical case to consider primary, property ownership is the whole story, and you obscure that in your analysis. Except where there is a search warrant, she's absolutely right, and (please excuse this small bit of sarcasm, I still think highly of what you've posted, in general) you have not presented one. She did include all your valid exceptions already, before you raised them.

Ann: [i]Ethical Hackers are properly trained and SPECIFICALLY hired to break into systems. ANYONE else who does it is a criminal. How's that for a bottom line???[/i]

Neon: [i]It does not recognize that security hackers are a small part of greater hackerdom.[/i]

No, but it also does not suggest the converse, despite your inferences, which are incorrect.

Neon: [i]It also does not recognize that hackerdom has very strong ethics and that the community's members have a far lower opinion of criminals and general skript kiddi behavior than the media brainwashed general population.[/i]

No, but it also does not suggest the converse, despite your inferences, which are incorrect. She misused the word "hacker" too generally. She probably learned it from the paparazzi. Why don't you save your malice for them?

I know from reading a lot of your posts that I agree, strongly, with your general opinion on this language problem, but I think you overreacted on this particular person; ironically, her [b]intent[/b] seemed to me to be what you would value. Keep up the [mostly] good work.

apotheon

The correct usage would have been "his or her", or just "his" if you wish to use the traditional neuter generic pronoun. "Their" muddies the waters a bit in relation to "his or her" -- so my point is made for me. As for the rest . . . I think Neon Samurai covered it.

Neon Samurai

The first true Hackers were the members of the MIT model train club who spent more time under the model table hacking wires together than above the table watching the trains run. A "hack" being any experiment without clear expected outcome (i.e. what happens if we wire the trains to do this?). When computers first turned up in university labs, the model train club members were the technically curious types that took to this new computer thing as a whole new puzzle to explore. From here you get some distant cross pollination between the MIT hackers and (crap, can't remember the other Uni) another university. The Jargon File (published as the Hacker's Dictionary) starts its life at these two universities and gets synced up (shared back and forth) from time to time. At MIT, this first lab would later evolve into the group now doing AI research if I remember correctly.

The Phreaks are very early in Hackerdom also but fall closer to the crackers. Phreaks were the first people to explore the phone networks at a time when Ma Bell was truly charging exorbitant rates. They are more social types and generally explored the phone systems with the end goal being to find common places to meet up and chat (conference call hosting servers and such). Captain Crunch is one of the most famous Phreaks for discovering that the whistle that came in Captain Crunch cereal at the time produced the correct frequency for signalling payment to pay phones. He and a group of blind geniuses at the time were the last of the true benign Phreaks just before the general public discovered grey boxes and phreaking, destroying the nirvana that the phreaks enjoyed up until then. After that is when you hear about all the big crackdowns by the FBI and phone companies (late 70s, early 80s?).

Phreaks are more of a stupid high school kid phase that some people go through; either you grow out of it, continue the hobby legally or continue the immoral form and join the ranks of the everyday garden variety criminal. That's how I see them fitting together anyhow. Phreaks are phone system hackers and like computer hackers and car hackers (gear heads, tuners); there is a majority of well intentioned enthusiasts and a minority of ill intentioned that associate themselves with the enthusiasts.

Neon Samurai

Intent is where the good or bad of a thing exists. If the intent is to breach a system without approval or harm others then that is most definitely an immoral act. Intent is a key thing to consider. Just don't condemn a majority of well intentioned hackerdom community members for the actions of a minority of ill intentioned degenerates who incorrectly (and with the help of mass media) associate themselves with hackerdom.

bruno_ann

...to revise my original statement, "anyone who attempts to break into someone else's system is acting immorally," to read as follows. Anyone who attempts to break into SOMEONE ELSE'S system without the owner's expressed permission is acting immorally. Sorry for the confusion.

bruno_ann

I should have been more specific. Any person who is hacking anything in the performance of THEIR job is an ethical hacker. Anyone else is doing it for their own purpose, regardless of what that purpose is. Does that sound better? Is it true that the first true Hackers were what we now refer to as Phreakers? If so, then perhaps the term should be used in its original context, and if not, then I humbly apologize. BTW, note the capitalization of the word "THEIR" in my first sentence. It is grammatically incorrect, but has become so common that it is pretty much the standard now. Language, like everything else, must evolve to remain effective. I submit that your comment that when words "...cease to have a specific meaning, we cease to be able to communicate effectively." is actually counter-productive to effective communication. Regardless of how incorrectly ANY language is used, its point is to be understood. The general population understands the word Hacker to be something negative. Moot point to the original thread, but after all, you brought it up!

Absolutely

...doesn't mean we should let them live.

vacuole

They've come to kill us all! Run for the hills!

Neon Samurai

"anyone who attempts to break into someone else's system is acting immorally"

This is one of the things I'm arguing against specifically. If you're trying to break into a computer you don't own or don't have explicit permission to try and break into, *THEN* you are acting immorally and are no better than any other Cracker (aka criminal that uses a computer). If you're trying to break into a computer you own or have permission from the rightful owner to break into, *THEN* there is no immoral act. In fact, wouldn't it be professionally immoral to not attempt to break into a computer after you've been hired to do just that by the system's owner?

How about:
- unlocking systems for their owners to retrieve locked data (owner forgets passwords; it happens).
- unlocking systems during the course of a police investigation?
- unlocking systems locked down by rogue users within your organization? Always good to have an image of a staff member's machine before they get walked out the door.
- investigating how to unlock one's own computers for the purpose of being able to help clients in the future.
- attempting to break into computers with the permission of the client?

If you don't try to penetrate your system security; how do you know it actually works and has no holes?

At its root definition, to "hack" means to understand a thing to its lowest level of detail. Hacking is learning and understanding the topic at that lowest detail level. Hacking computers means exploring the limits of computers. Hardware hackers (case modders) explore the boundaries of what can be done by modifying hardware and putting it in pretty cases. Car hackers (tuners, modders) do the same with cars.

Your bottom line simplifies topic for the convenience of your own opinion. It does not recognize all possible reasons one may try to break security on a system. It does not recognize that security hackers are a small part of greater hackerdom. It also does not recognize that hackerdom has very strong ethics and that the community's members have a far lower opinion of criminals and general skript kiddi behavior than the media brainwashed general population.

Here, do a bit of reading. The history of computers and the Internet is the history of Hackerdom.

http://www.catb.org/~esr/writings/cathedral-bazaar/
required - A brief history of Hackerdom
required - The revenge of the Hackers
recommended - The cathedral and the bazaar
recommended - The magic cauldron

royhayward

it is longer than "hacker" but it still sounds cool with an exotic flair.

Absolutely

I propose that we reply by calling them all "paparazzi." I've started to do so, but so far, I'm disappointed with its uptake, even among hackers.

JCitizen

it is an uphill battle to educate the public about the connotations and meanings of these words. I'm afraid the public only accepts the negative connotation. I'm ready to give up. Perhaps we need to invent a new word for the harmless guy you and others in this thread are defining. This way we could stop wasting time educating the clueless, and get on with the communication process. For those of you who enjoy the arduous process of enlightenment, I salute you! Keep up the good effort, and with stiff upper lip.

royhayward

http://www.m-w.com/dictionary/hack
http://www.m-w.com/dictionary/hacker

One of the first parts of the definition is a person of relative inexperience. If you are a hack, (at anything) you are using "irregular" and sometimes "Unskilled" methods to do something. The first part of almost all the new tasks that I get is to hack through the process and find a way to reach the goal. After that is done, then I refine, or develop the process so it becomes more elegant. But I am by these definitions a hacker. I hack at problems and find ways to get my job done. But I don't go out and commit crimes. I have installed security software and then tried to breach it. Hasn't everyone? This is not criminal, it is evaluating the product. It is part of my job. And the only training I have at this is acquired from myself when I try to get poorly designed applications to work for me. Again, don't we all get this training every day? The only difference between a computer user and a computer hacker is that a user stops and asks for help when the application instructions don't tell them what to do next, and the hacker says, "I wonder what happens if I click the 'Next' button?"

alaniane

necessarily people who break into systems. The term also applies to programmers. A hack can be code that is put into place temporarily (hopefully it will be removed later although in a lot of cases it becomes a permanent part of the code) to address a certain situation. Programmers have been called hackers long before the media used the term to refer to crackers.

apotheon

"[i]Hackers,[/i]" . . . are enthusiastic expert practitioners in some field of knowledge. That could be driver development, network administration and architecture, or model trains. In fact, in the modern sense of the term, "hacker" first arose in the Tech Model Railroad Club at MIT. Some day, you will have to learn that words have a specific meaning -- and when they cease to have a specific meaning, we cease to be able to communicate effectively. A security cracker could also be a hacker. Neither is, by any stretch, necessarily also the other.

seanferd

That is exactly what I saw. I found the article and the majority of posts interesting and informative. Usually (not always) indicative of a "war zone" are:

> You're just MS bashing. Windows rocks!
> Linux will solve all your problems.
> Get a Mac!

Also, whenever you see the tagline "snicker, smirk." I wasn't seeing it here, and I thought I was missing out on something. Oh, well. ;)