Original: http://www.hackernews.com/bufferoverflow/99/stateofnet.html

The State of the Net... if hackers were smart.

You sit down at your work computer, ready for another day of work and Internet. Logging into your secure Windows NT machine, you check the daily mail and see that everything is smooth. No users forgot their password, no security alarms were tripped. You fire off mail to your boss assuring him that sending the financial plans for next year via email is safe. No one but you and the other CEO can see it. Opening a 'telnet' session, you log into a partner company's server to check things out. Thanks to the time-tested security of the TCP/IP protocol and no snooping eyes, your work day is assured to be stress-free.

Now you are ready for another day of browsing the web. Logging into Hotmail, you want to see if your buddy mailed you. Your password of "blinky" is yours and yours alone. No mail from Frank, just your monthly bank statement. Netscape takes you to another auction site where you safely type in your credit card number and address over a secure 40-bit encryption layer. Sheesh, who needs a full *40* bits!

If hackers were smart, this might be a real scenario.

Hackers? Crackers? There would be no distinction. No articles in mainstream press like CNN, Forbes, Wired or NBC. No hacker specials on 20/20 or MTV interviewing shadowy figures with muffled voices. No security books written by 'anonymous' claiming to be the end-all reference on security. No hysterical rantings from law enforcement claiming hackers will shut off phones, down power grids, and turn off airplane flight towers.

If hackers were smart...

From the dozen or so defaced pages in 1995 that are so well known (Nation of Islam's home page, MGM's "hackers" prank), to the over 600 hacked web pages in the first half of 1999, all would be mostly unheard of. Since defacing a web page leads to hackers losing system access, that would serve a counter purpose to the smart hacker.
Occasionally you might see defaced pages on child pornography servers, political messages with no signature left on other high profile servers, but it would be infrequent at best.

If hackers were smart...

Bugs in Cold Fusion (1), count.cgi (2), Novell Netware (3), Internet Explorer (4), Solaris (5), Irix (6), SCO (7), several IDS products (8) and more, would all stay mostly undiscovered. Consumers would go on using products with the illusion of security. Highly vulnerable Operating Systems would litter every corporation and every desktop, all presumably secure. The number of advisories released from security companies would be cut in half if not more. A good half of all reported bugs would never be talked about, or filed away in corporate security databases.

If hackers were smart...

Almost no software could truly be trusted. Well known public archives like Tucows would not have been defaced. Instead, smart hackers would have backdoored hundreds of popular downloads ranging from Netscape to ICQ to shareware games. Commercial operating systems like Sun Microsystems (Solaris), Cisco (IOS), or FreeBSD would most certainly contain hacker-spawned backdoors. These would allow full control over your machine, and you would never know. Every key you press would be read by these smart hackers.

Machines on just about every subnet would be compromised. Each would contain subtle and difficult to remove backdoors. Hackers could move around on the machine and never be discovered because of the depth of their penetration. Large servers, routers, dedicated home machines would all be under the control of someone else. Every unencrypted keystroke would be silently logged elsewhere, ready to be used later by these silent intruders. The backbone routers that control some 90% of Internet traffic would become monitor points for your activity.

If hackers were smart...

If one hacker wanted onto any of these machines, it would be a matter of one polite request.
The flow of information about servers, logins and passwords, tools, tips and methods would all be openly shared. New vulnerabilities would circulate quickly so that the network of hackers could compromise a few of the servers left on the "we don't own" list. Each hacker would control so many systems, giving up a dozen here or there would make no difference.

Machines would have a lot less downtime, and a lot fewer problems in general. Most hackers are quite familiar with systems and know how to run them. Systems with problems tend to be noticed by the legitimate administrators. In an effort to keep prying admin eyes away from these machines, the hackers would take care of administrative problems and keep the servers running quickly and quietly. The legitimate admins would enjoy stress-free lives and enjoy that myth called "free time".

If hackers were smart...

Each and every machine that has been compromised would be rigged for high end remote distributed computing applications. Challenges like the RC5 Cracking would find themselves with over ten times the computing power they currently enjoy. Imagine over half the Internet all working toward a handful of computing goals and the power behind it.

If hackers were smart...

I think it is fair to say that the state of the net doesn't quite match the description above. There are a handful of talented hackers out there capable of everything I described. These individuals bring new meaning to "one with technology". But, for the most part, the hacker scene is a cesspool of little ignorant kids, hiding behind a legendary veil called 'hacker'. They have problems compiling exploits written by other people. Sheer luck allows them to break into domains you never knew existed. They run around defacing no-name web sites with poorly written flames against other hacker groups you've never heard of. Their HTML is full of errors causing the page not to load sometimes.

Or maybe these supposed "kiddie" web defacement groups out there right now are only there to distract you from the real hackers... the smart hackers. They are out there, silently doing everything I described above and more.

Brian Martin
Copyright 1999 Brian Martin
99.05.15

Reference

1. Cold Fusion Bug
2. count.cgi Bug
3. Novell Netware Bug
4. Internet Explorer Bug
5. Solaris Bug
6. Irix Bug
7. SCO Bug
8. IDS Vulnerabilities