Re: [ISN] Meet the Hacker Trackers

From: mea culpa (jerichoat_private)
Date: Wed Aug 05 1998 - 12:44:03 PDT

  • Next message: mea culpa: "[ISN] L0pht Releases PPTP Sniffer"

    Reply From: Russell Coker <russellat_private>
    
    
    >Meet Gail Thackeray, the world's foremost legal expert on computer crime.
    
    >A former assistant attorney general of the state of Arizona, Thackeray has
    >Taking a break from the slide show for a moment, she shows me a little
    >number-generating program stored on her laptop. It generates random
    >numbers for Visa cards. Give it the four-digit code that identifies a card
    >issuer and within minutes you'll have hundreds of false credit card
    >numbers to play with. "Now supposing you had another little program that
    >made the bank think these numbers were legitimate - How much do you think
    
    What exactly is being suggested here?  That a hacker can insert some code
    into the credit-card validation software of a bank?  If that can be done it's
    "game over" anyway.  Programs to generate 16digit numbers that pass the basic
    checksums of credit-cards are not difficult to write.  I've got a program to
    verify credit card number checksums (designed to be used in E-commerce
    systems), I'm sure I could reverse-engineer it and write a program to
    generate 16 digit numbers that pass.
    The issue is that if you just take numbers with no other validation than the
    checksum then it's not going to be too hard for someone to rip you off.  The
    solution is simple, get the name and expiry date of the card and verify it
    with VISA/Mastercard/whoever.  Of course using this system someone can still
    rip you off, but at least they need to see the real card information (collect
    carbon paper from bins etc).
    
    >Does she think this new generation of Web hackers is a real threat to
    >people? "Every baby in America knows the 911 emergency system. If mommy's
    >drowning in the pool, we've had three-year- olds save her life by dialling
    >911. The hackers have attacked the 911 system and they're still doing it.
    >That's not for knowledge or for glory, that's just an act of vicious ego."
    
    Has any evidence of such attacks ever been shown?  The law enforcement people
    always use the 911 system to stir up an emotional response in the general
    public to gain support for their attempts to ban encryption etc.  Have they
    ever shown evidence of 911 hacks?
    Then of course there's the issue of why the 911 system would be connected to
    the Internet or to modem dial-in lines...
    
    >Thackeray denies this. "It's a hacker myth that we take away their
    >computers and sit on them forever. In one case we came across, the guy had
    >over 12Gb of data stored on his system - that's equivalent to 15,000
    >paperback books. It's better that we seize all that material - you might
    >have love letters, cook book recipes and your extortion kidnapping letter
    >on the same disk. We can't take one without taking the other. We cannot
    >physically copy that volume. It is far easier for us to take computers
    >away than for us to camp out in your house for six months."
    
    I could setup a machine with a 12Gb hard drive that could copy 12gigs of data
    across an ordinary Ethernet network in 4 hours.  If American law enforcement
    agencies need my help to setup such a system (they claim to be incapable of
    doing it themselves) then I'll be visiting that country later this year and
    I'd be happy to work for them.
    Of course stealing someone's computer is the modern equivalent to being a
    "horse theif".  It is a great punishment and you don't even need a conviction
    to impose it!
    
    >A hovel of a bedroom fills the projector screen. Coke cans everywhere,
    >rubbish dotted across an unmade bed. In the corner sits a naked computer,
    >stripped of casing, wires exposed. Thackeray calls it a rat's nest. She
    >has hundreds of similar photos. "Back in Philadelphia I began collecting
    >pictures of computers with their wires hanging out. When the geeks speak
    >to a jury we call the language they use technocrap. What you have here is
    >the physical version of technocrap." She gestures at the screen. Typically
    >hackers will set up a stereo system within easy reach of the computer, and
    >often a drinks cabinet as well.
    
    Ahh.  So people with poor hygeine standards are criminals, and people who
    dress well and have clean houses aren't.
    If I ever get involved in any criminal activity in the US I'll be sure to
    wear my best suit.  :-#
    
    >A recent innovation is the home network. "We've come up against four or
    >five houses recently where people have had multiple systems networked in
    >the house. And that's even without running a bulletin board. When we get
    >lucky and we're fast enough we can find the guilty computer - but the
    >hardest part of the job is finding the brain behind the computer. To find
    >that person is good old- fashioned low-tech police work."
    
    What has this got to do with hackers or law enforcement?  Doom, Quake, and Red
    Alert are all good reasons for having home networks.  I know many people who
    couldn't code or hack to save their lives who have home networks to play
    games.
    
    >"Police management is dominated by the physical crimes people.  We've got
    >to dissolve some of these barriers. When we move we need to move fast like
    >the Texas rangers - both legally and bureaucratically we're just not there
    >yet. When I started 20 years ago law enforcement was behind the computer
    >crime wave. We're farther behind today than we were then." 
    
    >From what I keep reading about the attitudes and approaches used by police
    against suspects in computer crimes cases I am very glad that they are
    getting further behind.  The legal system of all first-world countries is
    based around the principle of "innocent until proven guilty".  It seems that
    if the police catch someone (maybe the wrong person) in a computer crimes
    case that principle is not upheld.  Apparently the only way to avoid
    punishing innocent people (often without convicting them) is for the police
    to lack the powers or ability to combat computer crime.
    
    --
    I am a wolf, but I like to wear sheep's clothing.
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: New Dimensions International [www.newdimensions.net]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:00:26 PDT