Marc Barclay

What Is Hacking?
Note: Some of the material comes from external sources, which are
listed subsequently
=====================================================================
Another one got caught today, it's all over the papers. "Teenager
Arrested in Computer Crime Scandal", "Hacker Arrested after Bank
Tampering"...
Damn kids. They're all alike.
But did you, in your three-piece psychology and 1950's technobrain,
ever take a look behind the eyes of the hacker? Did you ever wonder what
made him tick, what forces shaped him, what may have molded him?
I am a hacker, enter my world…
// the guy who wrote this was known as The Mentor, and I
// HIGHLY recommend reading the entire manifesto (it’s only
// around 1 page).
// He is a fucking genius. You will see more excerpts later...
Source: Hacker’s Manifesto
=====================================================================
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hack:
Transitive verb
1
b: to cut or shape by or as if by crude or ruthless strokes
Intransitive verb
4
a: to write computer programs for enjoyment
b: to gain access to a computer illegally
// note: last 2 definitions are COMPLETELY separate actions.
// Besides, Webster’s got it all wrong. Hacking is really just
// creative exploration, manipulation, and creation, often for
// the purposes of learning about a system or its limits. Let
// that sink in...
Source: Merriam-Webster’s Dictionary
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

// In case you haven’t figured it out already, any line
// starting with ‘//’ is a comment, to be ignored by the
// machine, but NOT the reader.
# Some languages use pound signs (“hashtags” for millennials)
<!--Websites use this, but YOU wouldn’t ordinarily see them-->
/*
I can also nest comments in between a slash and an asterisk
/*
like
this,
*/
which some people find more readable than starting
// every
// line
with two slashes. I’ll let you decide for yourself.
It’s your own code, after all.
*/

/* Some people just see hackers as people who do
* “computer crime.”
* Fun Fact: not even the law really knows exactly what a
* “computer crime” is.
* This is due to misrepresentation by the media, who
* constantly spew toxic, wordcruft headlines about so-called
* “hackers” when in reality, most of the events are
* committed by criminals who aren’t just your stupid
* rob-a-gas-station type of guy.
* There are exceptions, however.
* Question: is “unauthorized access” to a computer still a
* crime when all of the world’s governments and nation states
* commit it to each other and to their citizens on a daily
* basis?
*/

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
// I’ll tell you what, let’s have some fun. I’m going to
// assume you’re using a unix-based system (think not-Windows)
// for the sake of this activity. Open up a terminal (press
// command-space, then type terminal and press enter, for you
// mac users) and type the following, pressing enter after
// each command:
cd /
ls
// Congratulations. You are now looking at the “root” of your
// computer’s file system. Everything you know and love that
// sits on your little hard-drive is inside of these folders.
// The folder named ‘bin’ contains a bunch of programs and
// commands that your computer uses. ‘dev’ is what lets your
// computer talk to the keyboard, the mouse, the screen, the
// hard-drive, etc... essentially much of your hardware.
// On linux or other systems, your personal “home directory”
// resides within ‘home,’ but because Apple thinks they’re
// special, they put you inside of ‘Users.’ Knowing stuff like
// this off the top of your head allows you to better
// understand and manipulate your computer. Feel free to learn
// more unix commands on your own and try them out (WARNING:
// stay away from commands like ‘rm -rf’. They can destroy
// everything if you’re not careful, but don’t let that scare
// you.)
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

=====================================================================
I made a discovery today. I found a computer. Wait a second, this is
cool. It does what I want it to. If it makes a mistake, it's because I
screwed it up. Not because it doesn't like me...
Or feels threatened by me...
Or thinks I'm a smart ass...
Or doesn't like teaching and shouldn't be here...
Damn kid. All he does is play games. They're all alike.
Source: Hacker’s Manifesto
=====================================================================

/* Computers are not magic. They are made by human beings like
* yourself. They follow the rules of physics just the same as
* a bottle opener. They just take a little more time to get
* to understand.
*/

******************************************************************************
The beginnings of the hacker culture as we know it today can be conveniently
dated to 1961, the year MIT acquired the first PDP-1. The Signals and Power
committee of MIT's Tech Model Railroad Club adopted the machine as their
favorite tech-toy and invented programming tools, slang, and an entire
surrounding culture that is still recognizably with us today. These early years
have been examined in the first part of Steven Levy's book Hackers [Levy] .
MIT's computer culture seems to have been the first to adopt the term `hacker'.
The Tech Model Railroad Club's hackers became the nucleus of MIT's Artificial
Intelligence Laboratory, the world's leading center of AI research into the early
1980s. Their influence was spread far wider after 1969, the first year of the
ARPANET.
// That’s right, arguably the first hackers as we know them
// were, of all people, some goddamn model railroad nerds.
// That describes my grandpa, and he’s awful with computers.
// Just wait till I get to phreaking…
// Note: ARPANET was an early attempt at making a few
// computers around the country talk to each other, and it led
// to the creation of your internet and eventually
// World Wide Web, which is how most people, probably yourself
// as well, know the internet. They are two related yet
// different things.
// The World Wide Web is responsible for all your websites.
// The internet allows your computer to talk to your ISP
// (Internet Service Provider), which can talk to a server
// in Europe, your smartphone, maybe your car, thermostat, or
// watch, and possibly someday your toaster.
Source: http://catb.org/esr/writings/hacker-history/hacker-history-3.html (written
by Eric S. Raymond, a controversial, but still very important hacker)
******************************************************************************

// Here is a very beautiful picture:

/* This is called a CPU die. It is a very small piece of
* silicon onto which billions of transistors and lines of
* circuitry are etched. This is essentially your computer’s
* CPU (Central Processing Unit), better known as a
* “processor.” You can imagine this as the only part of your
* computer that is actually a computer. It does all of the
* “thinking” and “deciding,” and everything you do or that
* your computer does ultimately gets done by this. On a
* 64-bit Intel x86 CPU such as this (and probably yours),
* this little guy might do over a billion or two tiny actions
* in one second. That is a lot of doing! The four large,
* purple rectangles at the top are its personal memory.
* Memory in a computer, whether or not it is in the CPU, is
* just a place where data is held, sort of like a bookshelf.
* Somewhere in the middle reside the circuits that perform
* math and compare numbers (the ALU) and decide what the
* computer will do next (the Control Unit). It is pretty to
* those who look, but beautiful to those who understand it.
*/

=====================================================================
And then it happened... a door opened to a world... rushing through
the phone line like heroin through an addict's veins, an electronic pulse is
sent out, a refuge from the day-to-day incompetencies is sought... a board is
found.

"This is it... this is where I belong..."
I know everyone here... even if I've never met them, never talked to
them, may never hear from them again... I know you all...
Damn kid. Tying up the phone line again. They're all alike…
Source: Hacker’s Manifesto
=====================================================================
##############################################################
Hacking is not just limited to computers. You can hack any
system really. Cars. Mail delivery. The human body. A notable
example from the 1960s onwards is phone phreaking, or hacking the
phone system. Keep in mind that the phone system countrywide was
composed of thousands of miles of wire, thousands of switches and
hardware and booths, as well as the actual telephones of people
and organizations. It is complicated, and it has rules. People
discovered these rules and figured out how to control the
telephone system in ways nobody could have imagined. John
“Captain Crunch” Draper discovered how to get free long-distance
calls by using a toy whistle found as a cereal box prize. Back in
those days, payphones used a series of tones to mechanically
perform certain actions such as calling, hanging up, or
connecting. A mechanical device such as a phone is, of course,
incapable of distinguishing its own sounds from those made by a
phreaker. Joybubbles, a blind phreak, could actually whistle one
of those tones, exactly 2600 Hz, and get free calls without the
plastic whistle. Mitnick at one point could eavesdrop on
practically any conversation in California that he wanted, and he
figured out how to do makeshift conference calls WITH ONLY
PAYPHONES! While many saw them as the scourge of Pacific Bell
Telephone Company, these revolutionaries contributed immeasurably
to hacking.
Frank Abagnale was another great non-computer hacker. His
tactics are now known as “social engineering,” which is
essentially people-hacking through trickery, establishing a
rapport, and relying on conscious and subconscious biases in
order to game a human like they were a machine. Of course, some
might argue that humans are nothing more than wet, fussy
machines, but I digress; I will not force my personal worldviews
upon my readership.
##############################################################
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
// I hope you’re not bored. I’m about to show you how to
// “exploit” a “vulnerability” in a program. Here is a program
// written in C that, when compiled and run, will ask you for
// a word and then write or “print” that word for you.
#include <stdio.h>
int main() {
    char word[6]; // defines a variable to store the word
    printf("Type in a word, and I will repeat it for you: ");
    gets(word);   // gets input from user and puts it in word
    printf(word); // repeats your word back to you
    return 0;
}
// Notice the program doesn't check how LONG the word is.
// Why is this a problem? The 3rd line of code only allocates,
// count it, 6 characters for a word, which is perfectly fine
// for words like car or mother. However, if somebody tries to
// type in anything 28 characters or longer, your poor
// computer throws a fit, yelling “Illegal instruction” or
// “Segmentation fault” at you. Essentially, your code only
// works if the user acts normally. By definition, Hackers
// aren’t “normal” people, and they will act in weird ways
// like typing in a long string of gibberish to see if the
// computer is weird back.
// By typing in too many characters, the hacker “overflows”
// the variable, and their characters end up spilling onto the
// rest of the memory. Best case scenario, things break, but a
// highly skilled attacker can use this to trick the machine
// into running their own code: the payload or shellcode.
// Here is some shellcode:
// Shellcode is really just a bunch of tiny commands that the
// computer can understand and run. Notice the fact that all
// of these commands are numbers. Fundamentally, computers
// only really work with numbers.
// On a computer running 32-bit Linux, this SHOULD spawn a
// shell, which would essentially let the hacker control the
// system. As the programmer, it would be your job to try to
// code securely enough to prevent this sort of behavior. As
// a hacker, you would want to find some hole in the program
// that you could use to your advantage. The overflow example
// above could be such a hole, but holes can come in all
// shapes, sizes, and forms. There is an entire universe
// surrounding this topic, but I won’t bore you with the
// details.

// Fun Fact: there is another almost equally dangerous
// vulnerability in this program. Can you spot it? I’ll give
// you a hint: format string. Google is your friend.
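// Added example (not part of the original essay): the same
// word-repeating program written from the programmer's side, with
// both holes closed. The names read_word, echo_word and WORD_MAX
// are made up for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define WORD_MAX 6 /* same size as word[6] in the page's program */

/* read_word (hypothetical helper): read one line into buf, never writing
 * more than size bytes. Returns 0 if the whole line fit, 1 if it was too
 * long (prefix kept, rest discarded), -1 on EOF or error. */
int read_word(FILE *in, char *buf, size_t size) {
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0'; /* line fit; drop the newline */
        return 0;
    }
    /* No newline stored: drain the rest so it cannot leak into the next read. */
    int c, too_long = 0;
    while ((c = getc(in)) != '\n' && c != EOF)
        too_long = 1;
    return too_long;
}

/* echo_word (hypothetical helper): the word is passed as DATA to a fixed
 * "%s" format, so any % characters in it are printed, not interpreted. */
int echo_word(FILE *out, const char *word) {
    return fprintf(out, "%s\n", word);
}

int main(void) {
    char word[WORD_MAX];
    printf("Type in a word, and I will repeat it for you: ");
    fflush(stdout);
    int rc = read_word(stdin, word, sizeof word);
    if (rc < 0)
        return 1; /* no input at all */
    if (rc == 1)
        fprintf(stderr, "Too long, keeping only \"%s\"\n", word);
    echo_word(stdout, word);
    return 0;
}
```

// The bounded read answers the overflow; the fixed "%s" answers
// the format string hint.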
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

=====================================================================
// I’ll leave you with this
Yes, I am a criminal. My crime is that of curiosity. My crime is that of
judging people by what they say and think, not what they look like.
My crime is that of outsmarting you, something that you will never forgive
me for.
I am a hacker, and this is my manifesto. You may stop this individual,
but you can't stop us all... after all, we're all alike.
+++The Mentor+++
Source: Hacker’s Manifesto
=====================================================================