Hacking vs. Sysadmining

posted onMarch 14, 2001
by hitbsecnews

By Madirish

I’ve recently been giving advice to some acquaintances about hacking and a couple of things occurred to me that I figured might be worth relaying to the reading public. I guess my purpose is to dispel the myth that hacking is some dark glamorous occupation that leads to high paying internet security consultant positions. I think the best piece of wisdom I’ve read on this subject was from Jeff Crume’s “Inside Internet Security.” In it Crume states that hacker tricks are a lot like magic tricks, at first they seem astounding and to defy logic, or at least to require a heap full of logic, but once you understand how the magic trick is performed it seems pretty mundane. Crume says that once you understand how hacking is done, it doesn’t seem at all glamorous. I completely agree. This is why hackers guard their tricks so jealously. God forbid you find out they don't really have any special talent. Recently my boss leveraged a complete list of users off a box we had scanned. At first I was astounded that he could get a list of all 1800 users on a box. Later he showed me that all he did was finger 0@targethost.com and the results spewed back. Not so impressive (well it was impressive that the host was allowing unfirewalled finger daemon to run on his box).

Then why should anyone bother to learn to hack? Well, for several reasons. The “to learn” idea is a little played out and I’ll get to why its bunk in a moment. I feel the primary reason one should learn to hack is to protect networks from being cracked. Now, this is a rather common idea bantered amongst hackers but there’s something inherent here that must be realized. Knowing how to hack, and knowing how to prevent a hack, are two completely different concepts. Knowing how to compile and execute a pre-packaged exploit takes NO brains and NO skills. Knowing how to defeat the exploit (above and beyond just installing a patch) takes quite a bit of savvy and know how. Now, learning how to defeat a crack rather than just knowing a crack is the impressive feat, much to the dismay (I’m sure) of the proponents of glorious hacking.

Hacking to learn is only useful if you actually explore both sides of an exploit. Not only how to accomplish it, but how to fix it. Often, crackers leverage poor configuration. Well its easy to decry the sysadmin on the box you’re rooting and say he’s an idiot for not doing it right, but could you? Properly configuring a server is hard work, and takes a lot of time. And yes, the sysadmin was probably negligent. How then can sysadmins make sure their configurations and platforms are secure? By trying to hack them.

It has been said before, but its true. The best way to learn to hack is to crack your own network. I’m not sure, however, how many people actually understand how easy this is. All you have to do really is set up one box, a Linux server for instance, and assign it a Class C reserved IP address. Then string an Ethernet cable between the server and another box, assign it another reserved IP, even use the Linux box as the router, and hack away. You don’t need any fancy T1 connections or even a dial-up for this to work. Alternately you can set up your home machine as a server, and try to crack it in your spare time from work. Run a port scan on the target machine (and nobody will come banging on your inbox asking what the hell you’re up to) and find open services. Try finding exploits for these services. Then find out how to fix the service so the exploit won’t work. Switch to a different service and try again. Finally try to figure out how to prevent your scans altogether by using a firewall or other service. Doing this you can find out a lot about not only hacking, but also setting up a secure machine. So yes, hack to learn, but make sure you learn everything you can. If you can hack your box, find out how to protect it. Only by doing both of these things can you gain that lucrative Network Security Officer position.

1.) The Return of the Shadow Legacy - druid
2.) Rampant Piracy on the Sea of Information - xearthed
3.) Napster, MPAA, AOL, and how stupid people in power will kill the first amendment - unfrgvnme
4.) Copyright Law - Aleanor
5.) Hacking vs Sysadmining - madirish
6.) State of the Hack Awards #4 - madsaxon
7.) Somethings Never Change - UberGeek
8.) It's Not about Change - darlene
9.) Programming your PSX (part 1) - OZONE

Source

Tags

Intel

You May Also Like

Other Articles In This Section

Recent News

Friday, November 29th

North Korean hackers posing as IT workers steal over $1B in cyberattack
OpenAI is at war with its own Sora video testers following brief public leak
Found on VirusTotal: The world’s first UEFI bootkit for Linux

Tuesday, November 19th

CISA Director Jen Easterly, in Place Since 2021, to Step Down
Korea extradites Russian, Vietnamese suspects linked to $16M ransomware scheme
WhatsApp: NSO Group Operates Pegasus Spyware for Customers

Friday, November 8th

North Korean hackers target cryptocurrency with malware
Man sick of crashes sues Intel for allegedly hiding CPU defects
Law enforcement operation takes down 22,000 malicious IP addresses worldwide

Friday, November 1st

Youth of today say passwords are old news, passkeys are the future
Chinese attackers accessed Canadian government networks – for five years
OpenAI launches ChatGPT with Search, taking Google head-on
Here’s the paper no one read before declaring the demise of modern cryptography
Not just ChatGPT anymore: Perplexity and Anthropic’s Claude get desktop apps

Tuesday, July 9th

China's APT40 gang is ready to attack vulns within hours or days of public release
AI-Powered Super Soldiers Are More Than Just a Pipe Dream
The president ordered a board to probe a massive Russian cyberattack. It never did.
Massive car dealer ransom attack is mostly over after 2 weeks of work-arounds

Wednesday, July 3rd

“RegreSSHion” vulnerability in OpenSSH gives attackers root on Linux
Two of the German military’s new spy satellites appear to have failed in orbit

Friday, June 28th

Indonesian Airports, Data Centres Hit By Worst Cyberattack in Years
Cisco Talos warns of wider security implications following Snowflake breach

Thursday, June 27th

I Wore Meta Ray-Bans in Montreal to Test Their AI Translation Skills. It Did Not Go Well
Researchers upend AI status quo by eliminating matrix multiplication in LLMs
YouTube tries convincing record labels to license music for AI song generator
Critical MOVEit vulnerability puts huge swaths of the Internet at severe risk
Julian Assange to plead guilty but is going home after long extradition fight

Thursday, June 13th

Hackers show off jailbroken checkm8-vulnerable iPad and Apple TV running iPadOS 18 & tvOS 18 respectively
One of the major sellers of detailed driver behavioral data is shutting down
Turkish student creates custom AI device for cheating university exam, gets arrested

Wednesday, June 12th

Chinese-Made Biometric Access System Has 24 Vulnerabilities
Apple and OpenAI currently have the most misunderstood partnership in tech
Adobe to update vague AI terms after users threaten to cancel subscriptions
China state hackers infected 20,000 Fortinet VPNs

Tuesday, June 11th

Russia Is Targeting Germany With Fake Information as Europe Votes