
The Extinction of Hackers

by fx@phenoelit.de

Abstract

The Hacker community looks at the end of their era. The reason is not the always-propagated 1985 type of government, which we surely see in many places being perfected. Neither is it the big evil corporations hunting down and suing all the hackers, preventing freedom of speech and teaming up with the evil governments. The reason is something so simple that most of the people in the community would never notice it: there is no young blood to speak of. The entire community ages linearly with the people who developed it to what it is now. At the same time, the technology and the respective hacker techniques get more complicated, complex and demanding, so that there is almost no chance any more to grow apprentice hackers.

Introduction

I call myself a hacker. It's a title I carry with pride. It's a title I looked up to when I wasn't entitled to name myself one. I decided for myself when I was ready for the title, and honestly, I don't remember anymore when and why this happened. There will always be people who do not think I'm worth the title and there seem to be some thinking I am.

The term Hacker has many sides and facets and everyone likes some of it and doesn't like others. There are the aspects describing wizard-like handling of technology, the black magic of breaking into computers and networks. There is the question of using these skills to do good or evil and the definition of what good or evil is. For many people, especially in what they call the scene, there is also the lifestyle.

It doesn't matter if you think of hackers as the ones who write viruses and worms, the ones who wear black all the time and are rarely seen without their laptop computer, the people who publish security issues with all kinds of software and make the companies fix them for free or the ones who protect your personal data from being distributed all over the government and industry by showing the same that it's not secure to do so. You might even think of hackers as the ones who broke into all your web sites and replaced the start page with an ugly text making fun of you. At the end, it doesn't change the fact that the hacker community did have an important role to play in the rise of the Internet (no, not just the Web). It's hard to say what the whole Dotcom time would have been without people constantly breaking all the fancy new stuff. Or do you want to drive a car where only the manufacturer tested it and told you it will be perfectly safe for you? Ford Explorer anyone?

Anyhow, for the purpose of this text, think of hackers as renegade computer experts and take my word for it that we need them. If you don't, there is no point in reading the remaining text.

Random observations

The following is a list of random observations, just to draw the sceptical reader into the picture:

* The last hacker event I attended (less than a month ago) had an average age of almost 30 and people were congratulating each other for still hacking.
* From all hackers I know personally, only two or three are less than 20 years old.
* On a closed, so-called elite email list, a fellow hacker was celebrated for solving a simple task in Visual Basic. Any junior hacker proposing the same would have been crucified for it.
* All new members of established hacker groups I heard of in the last two years were over 25 years old.
* Everyone I know trying to get into hacking has the primary goal of writing buffer overflow exploits. Most of them don't actually know why this is their final goal and almost all give up before reaching it.
* Every presentation I did on the topic of hacker development had an audience full of 30+ people.
* Every young hacker I know either got tired of the community and left or stopped hacking in favour of just hanging out and talking.
* There haven't been any groundbreaking works in the last two years, except for one technique, which was developed by a teenage hacker.

If you don't see a pattern emerging or don't think this pattern has a bitter taste to it, you should probably consider reading something else now.

Some will now question if there is really a problem and if my random observations actually reflect the real world. The only thing I can say is: look around you. How many speakers at conferences you visit are younger than 22 years? Only a few years ago, I attended conferences with more than 5 speakers being teenagers. Today, there are none. That alone should speak for itself.

Unsorted list of reasons

So the obvious question is: why is the community aging so badly and why don't we see smart, aggressive, young blood taking over from the old farts?

Late starts

One of the more obvious reasons may be the age at which people start hacking.
Although all the old farts in the scene will state differently, hacking has its peak of fascination when you are a teenager, and that's not a bad thing. Teenagers can dream a lot more than people in the twenties can. There is still time to think about the boring parts of life later: learning, graduating, finding a job and earning money.

Getting into hacking is almost completely different than getting seriously into computers. But both have something in common: you need to play around a lot, which takes a lot of time and dedication. This dedication is hard to muster when you are an adult. But the dream of having the power to access any computer system on earth you want can result in a lot of dedication in a teenager. And, this dream is a lot more realistic than becoming a rock star.

There is also the fact that nobody really knows how one learns hacking from the ground up. The teenage hackers just play around and after a couple of years they suddenly are hackers. When being asked how to become a hacker, many people just don't have any answer. Those of us who spent some time thinking about it will answer with a list of skills you need. This list tends to be large enough to keep a reasonably intelligent person busy until retirement. Interestingly enough, following such a list does not produce hackers.

The third advantage for teenagers is knowledge or the lack thereof. It is common wisdom that knowledge and experience get in the way when you try to be creative. People tend to imitate themselves when they found something works. Teenage hackers don't have this limitation. Teenagers developed many of the great breakthroughs in attack techniques on all fronts. Often in computer security, the trick is to be not impressed with the defences or the odds of getting in. If you think you know how much work a specific attack is, you either don't do it because it's trivial or you don't do it because it's too much work. But if you don't know, you just do it.

Fact is, very few teenagers are getting into hacking in the last five years, and if they do, other aspects prevent them from becoming any good. Keep reading.

Stupid statements

Interestingly, some of the old farts actually realise the problem, but offer an easy excuse why it exists and why they cannot do anything about it:

"The young hackers did not build their first computer, but got it for xmas with Windows preinstalled and a lot of computer games. They cannot understand the fundamentals, therefore, they cannot become good hackers."

This is arrogant bullshit. Just because a young hacker started with Windows98 and his first programming attempts were in HTML, it does not mean anything. It's a different way to get started, not the wrong way. Besides, the old farts stating something like that wouldn't be able to program for shit, even if their life would depend on it. So why bother listening to them.

The Meritocracy

A commonly agreed upon fact is that the hacker community is a meritocracy. This means that your rank in the community depends mainly on how much magic hacker points you collected.
It should be obvious that I'm not referring to an official counting scheme but rather to a rating in the perception of other hackers.

There is a major problem with that approach: the jury. The community is clustered around a relatively small number of fairly well known people. These people almost exclusively influence the joint opinion of the community. But these people are all part of the old farts club. For an apprentice hacker, it's hard or almost impossible to be recognised as good or outstanding without impressing the old farts club.

Now, the established leaders of the hacker community often have very little interest in openly stating that a youngster's work is way beyond them. People being glued to their chairs is a common problem and the hacker community is no exception. The old farts fear to degrade themselves by giving magic hacker points to young people. For some of the old farts it's also their job security @stake. Most of them realise this fact at some point in time, but usually too late. A common sight is the late attempt to hand over to a younger (but still increasingly old) generation, only to find that the juniors forgot how to have their own style. Consequently, the juniors fail to lead by example and keep relying on the seniors to tell them how.

Another aspect of the meritocracy and the established leaders has as much impact as the first: the established leaders show the paved path on which they came from being nobody to being a hacker. The junior people either follow this path, learn how to write buffer overflow exploits and shell codes, although this attack vector might be extinct in the near future, or they won't be accepted. The few intelligent and promising young people in the scene stop respecting the established leaders and, since everybody else looks up to them, stop feeling comfortable with the entire scene. Interestingly enough, this is also one of the reasons there are so few female hackers, but I leave the discussion of this topic to other, more appropriate people.

Bottom line of the meritocracy, which used to be a good thing, is that apprentice hackers either follow antiquated paradigms and out-dated personalities or turn their back on the community because they're not accepted.

Too easy and too hard

In a highly technological environment, the technology itself has a big impact on the demographics of the people dealing with it. There is an interesting connection between the way the computer security defences developed in the last years and the influence this has on the hacker community.

When starting with hacking ten years ago, it was all about exposed services, weak passwords and buffer overflows. Today's digital world is a lot different. Many operating systems are shipped with various anti-hacker technologies built in and every company has at least a firewall. That doesn't mean it's harder now, because there are also the myriads of web applications, web services and new programming languages and paradigms.
When starting today, the junior hacker probably starts reading the established mailing lists, only to discover that they are full of Linux distributions reporting fixed packages and companies posting vulnerability information without any details. The only issues found on these lists that a newbie would probably understand are Cross Site Scripting attacks. Naturally, the newbie will start looking for those himself and may end up posting some of them, without ever understanding which XSS effects of a web application can actually be used for an attack and which are just HTML games.[1]

Assuming the newbie actually spends some time reading through papers and discovers SQL injections, there is a huge step between the two. SQL injections work by modifying a programming language (SQL) statement partially, mostly blindly, and work differently on different backend database platforms, which the attacker usually doesn't know. This means, suddenly it's no longer just imitation but understanding SQL, relational databases and web application architectures. And since these applications are often written in different languages, just add learning Perl, PHP and a little Java to the list of requirements.

It should be obvious from this little example just how big the steps between two classes of attacks are. And since the established community so effectively prevents the next generations from developing their own attacks, there is little an apprentice hacker can do but learn all of it. Now, that's what I call hard, boring and reward-free work. Is that hacking? It's so not.

On the other hand, there are so many juicy technologies the industry comes up with that a young hacker could be interested in. But instead of encouraging an apprentice hacker to start looking at whatever he finds interesting and pointing out just how many interesting things are out there, the established clan of senior people require more and more superficial proofs of skill.

From a purely technological point of view, it might make sense to require prerequisites. But if a young and dedicated candidate wants to hack .NET or Java, asking him to learn C and C++ buffer overflow exploitation and shell codes from Aleph1 to today is extremely counterproductive. The promising young fellow is pushed into the thinking pattern of the old generation, all dedication is used up and there is almost no satisfaction in it for him or her. That's exactly what is not wanted. You can bet that the most effective attacks against .NET applications will have nothing to do with buffer overflows. And you can bet whoever discovers them is below 25.

Wrong focus

The established community and its rules have the effect of distracting young hackers from their own, personal goals. You are not accepted as a hacker if you run Windows (there are very few exceptions). If you are not an established and respected person, you must run at least Linux, but never one of the large distributions like RedHat or Suse, even if your goal is hacking in the Microsoft .NET environment.

There is no doubt that working with Linux, FreeBSD, OpenBSD and MacOS X will teach you a lot. But if that's not what you are interested in, why bother? It just wastes a lot of valuable time, during which you could have read another book or two about the Windows architecture.
Actually, in the time required to get into Linux, the person probably developed more new attacks against Windows than the Linux priest ever heard of.

Holy wars about operating systems and programming languages are for people who basically have nothing else to do. But the apprentice hacker, when trying to join a community or hacker group, is forced to convert to their religion, meaning their operating system of choice, distribution and programming language. I have witnessed promising young hackers being attacked for running the wrong window manager on their Linux X Window System, while the person complaining was actually saying X Windows[2].

In many other communities, teaching the basics works quite well and establishing good standards helps the newbie to not waste his/her time. Not so with computers and hacking. Telling people what they need to use as tools is stupid and does not support creative thinking. Showing people what tools there are and trying to be objective is. The new generation needs the freedom to make their own decisions.

Conclusion, kind of

Software doubles in size approximately every 18 months. The industry invents new systems, programming languages, protocols and products like ice cream flavours. Our personal data is distributed in global networks without anyone on earth understanding all the routes it takes. Even the companies who want to secure their software and systems don't know where to find the right people to do it.

The community, the industry and the society as a whole need smart, aggressive, young blood taking over the hackers' banner. It's time the role models realise what their task and their responsibility is, namely to encourage young hackers to do their own thing and stop telling them how something should be done. This is not science; this is hacking, where reinventing the wheel is not necessarily a bad thing. The task is to help (re)inventing, not to show them your wheel from five years ago, it's rotten anyway.

_______________________

[1] As a rule of thumb, if the web application transports authentication or session information in the URL or as a cookie, the XSS is usable for an attack.

[2] Which is a faux pas, so much for the politically correct choice of Window Managers.
