No Fancy Name
Thursday, April 14, 2005
hackers good, crackers bad
Dr. Free-Ride writes about hearing a story regarding the vulnerability of Bluetooth-enabled devices and the manner in which this news came about: via a hacker who created a device that can exploit this vulnerability. In other words, notice of the vulnerability did not come from the Bluetooth SIG, it came from a man who is the "cofounder of a wireless security think tank" who used his device "only to determine security vulnerabilities, not to actually hack wireless devices to obtain personal information."

This is A Good Thing. Hering is a hacker. Hackers tend to be good. Crackers tend to be bad.

From The Jargon File:
hacker: n.
1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary. RFC1392, the Internet Users' Glossary, usefully amplifies this as: A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular.
[...]
7. One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations.
cracker: n.
One who breaks security on a system. Coined ca. 1985 by hackers in defense against journalistic misuse of hacker.
[...]
While it is expected that any real hacker will have done some playful cracking and knows many of the basic techniques, anyone past larval stage is expected to have outgrown the desire to do so except for immediate, benign, practical reasons (for example, if it's necessary to get around some security in order to get some work done).

Thus, there is far less overlap between hackerdom and crackerdom than the mundane reader misled by sensationalistic journalism might expect.
The response from the Bluetooth SIG was that "so far no security holes have been discovered in the Bluetooth specification itself. Vulnerabilities that have come to light either exploit the Bluetooth link as a conduit, much like the Internet to the PC, or are a result of the implementation of Bluetooth technology within the device—as such, we constantly work with our members to assist in implementing Bluetooth technology more effectively." Dr. Free-Ride says she reads this as "Dude, don't blame us" and that's an accurate interpretation of their statement.

And that's not a bad thing.

Specifications are just that—specs. Companies attempt to implement functionality to specifications, within their products, and quite often in doing so create other issues. But that doesn't mean the spec is wrong and in this example it doesn't mean the Bluetooth SIG is responsible for the vulnerabilities that were discovered in some devices that implement Bluetooth technology in a particular way.

Dr. Free-Ride asks "Is John Hering something like a whistle-blower here? [...] He is sharing information with the public -- information that he things the public needs to know to protect themselves -- that, arguably, Bluetooth is not providing." The basic definition of a whistle-blower is "one who reveals wrongdoing within an organization to the public or to those in positions of authority." If one is to consider him a whistle-blower (which I do not), then he's blowing the whistle on whatever company has implemented a Bluetooth solution in which vulnerabilities have been found—not the Bluetooth SIG. Hering is following the hacker ethic.

If "wrongdoing" is akin to "vulnerable implementations of specifications and/or exploitable software and hardware," then the entire Information Technology industry is ripe for whistle-blowing! Dr. Free-Ride says "But what if putting this information out there leads to evildoers exploiting the vulnerability before Bluetooth fixes it or the consumer has time to switch over to the more secure technology? Is there any way the information can be used for good without being available for evil in a case like this?"

Let's revisit the definitions of "hacker" and "cracker" and apply the two groups to this type of situation. In the IT world, hackers find vulnerabilities (some companies exist solely for the purpose of finding vulnerabilities in software), alert the company involved, advisories are issued and hopefully companies involved have created a software patch or created instructions that will limit the affects of the vulnerabilities, and so forth. For instance, take a look at the latest Microsoft Security Bulletin, in which eight critical or important fixes were issued to users. [Note: If you have automatic downloads turned on, your XP system should have updated itself in the last two days. If you have automatic downloads turned off, make sure to go grab those updates.] The bulletin has an "acknowledgements" section, which is basically "who found the vulnerability and told us about it"—e.g. here's the list of "whistle-blowers" to whom we are grateful. As you can see, they're not "whistle-blowers" in the traditional "Enron is cooking the books" sense. They're people who have invested time and effort into finding vulnerabilities and using their powers for good, not evil—just like John Hering's group.

If one is in the IT business, one will see notification of the vulnerability from the company who found it before they see a fix or an alert from CERT. This allows the administrator to take machines off-line or attempt their own workarounds to limit the exploitation of the vulnerability, before crackers start causing trouble. That's what crackers do—they cause trouble. Crackers will attempt to exploit published vulnerabilities in software, banking on the fact that the vast majority of users and administrators don't patch their software or update their virus software or keep their firewalls turned on.

This goes back to the statement made by the Bluetooth SIG, that security flaws that are revealed "are typically solved by new software builds and upgrades." The "new software builds and upgrades" are those created by the companies who developed the vulnerable software in the first place, not the Bluetooth SIG. Just as the Bluetooth SIG is not responsible for what developers of software for Bluetooth-enabled devices manage to create, the companies involved are not in the business of wrongdoing (bugs are never intended, but they are inevitable, in any piece of software). "Wrongdoing" would only be an applicable statement if the companies, after being alerted of their shoddy software, did nothing to fix it and instead perpetuated the vulnerabilities without telling anyone. In that case, unless you're Microsoft, you're not going to be in business for very long.

go to main page






 



ME-RELATED
job / books / new blog

ARCHIVES
04/04 · 05/04 · 06/04 · 07/04 · 08/04 · 09/04 · 10/04 · 11/04 · 12/04 · 01/05 · 02/05 · 03/05 · 04/05 · 05/05 · 06/05 · 07/05 · 08/05 · 09/05 · 10/05 · 11/05 · 12/05 · 01/06 · 02/06 · 03/06 · 04/06 · 05/06 · 06/06 · 07/06 · 08/06 · 09/06 · 10/06 · 11/06 · 12/06 · ???


CREATIVE COMMONS

Creative Commons License
All blog content licensed as Attribution-NonCommercial- ShareAlike.