Thursday, February 18, 2010

Layers of the Hacker Onion

There are hackers, and then there are HACKERS. Which one you are depends on how deep you go through the layers in the onion. At the heart of this metaphorical onion is the actual CPU. Around this heart exist all the different pieces of a computer. I know, weird metaphor, but stick with me for a minute.

Let's start at the outside layers and work in. I'm not going to cover everything, just enough to get my point across. One instructor I've heard refers to this as "going toward the dragons." If you think back on really old maps, or even the ones used in role-playing games today, there was always that part of the map around the edges that no one had ever gone to before (or very few people). That area always had dragons and sea creatures drawn on it, because there was a fear of the unknown. So he refers to your journey from the "known" into the "unknown" as the journey toward dragons. In our metaphor, as you work your way closer to a full understanding of the CPU, you'll be traveling toward those dragons, and increasing your own abilities.

The outermost layers of our onion are the domain of the normal end user. Solitaire lives here. The Windows GUI lives here. What we know is how to click which icon to get what application. Although this has improved the lives of billions of people around the world, it's also just the very surface of what's actually happening in the computer.

At the next layer down we have the expert users. People who can manipulate that operating environment, make changes that don't explode in their face, and do things that most end users think are amazing. This is the person your Granny might call first when she can't get on AOL.

The next layer is the super user. This person understands a lot more than just basic software and hardware. You might even say that people here are the first layer that we refer to as hackers. They probably know how to program in a high level language, understand how networking actually works (at a high level), and what services are. These are the script kiddies.

Deeper down, we find a layer where 90% of the hackers we know live. They can create scripts, understand network protocols, and run a bunch of security applications. They know how to do a port scan and vulnerability scans. They can understand the overall implications of 75% of the findings these tools present. But past this point, we're looking into the face of dragons.

Thar be DRAGUNS!!! Here is the beginning of your quest for knowledge. At this point, you start to understand how High Level programming languages, like C++, are a lot like your Windows GUI. They give you a very high level way to access the CPU and its functions. You start to want to learn Assembly, and how to use debuggers. You want to learn the difference between how RAM truly gets assigned and utilized by the CPU, and how the CPU's own internal register locations are used. You're one layer away from the CPU in our model. With enough work in this area, you'll actually understand the binary instruction sets used within the CPU, and how we can modify the registers to create our own instruction flow. This is how you Reverse Engineer and write Exploits.

Now, as you've read this, I'd imagine you've probably already placed yourself within one of these layers. Your goal, as a hacker, is to reach that innermost layer, nearest to the CPU. To really gain a complete understanding of the system, so that you can hack it, and protect it. But the only way to do this is to do it on your own. Someone can open the door, but you have to do the walking on your own. It's a little bit like a religious journey in that respect.

Wednesday, February 17, 2010

Lazy is as lazy does...

Network Security is a hugely hot topic these days. The truth of the matter is that networked devices are permeating deeper into our everyday lives. As that happens, more of our personal and private information is put at risk through security holes in applications, operating systems, embedded systems, etc. Thus, the need for individuals with experience and education in network security continues to go up. Check out http://www.simplyhired.com/a/jobtrends/trend/q-network+security+analyst for an example.

Along with this trend is the increasing salary "cap" for network security professionals. This means that kids leaving High School that might have had a normal interest in computers are now considering Network Security as a viable option for a career. But there is a huge catch here. And I believe it applies to all industries, but I can really only speak specifically about my own.

LAZY PEOPLE WILL NEVER BE AS SUCCESSFUL!

It's sad, but true. You can't really sit on your behind and hope that life will carry you along, like a small boat adrift on the water. If you come to UAT (uat.edu) and get your degree, you'll be educated, but that won't make you a hacker. It won't even guarantee that you're any good at the job. All it tells employers is that you have had your chance to BECOME good.

The hacker mentality can be broken down into a single core concept: You have the drive and motivation to learn this stuff on your own. This means that, even if you're not in the classroom right now, you're still mucking with software or hardware. That you're still trying to figure out a new way to gank the CPU register to redirect the flow of instructions to your own code. There are hundreds, if not thousands, of ways to be a hacker. But being lazy isn't one of them.

If you're going to go through all the trouble of getting your degree in network security, at least take enough pride in it to set yourself apart from the rest of the college grads. Spend the extra time delving into the hard topics, and you'll be rewarded with a lifelong career that you love, and that pays well.

Wednesday, February 10, 2010

Death of a Hacker

On February 5th, the last living person on Earth to speak the Bo language, which is believed to be roughly 70,000 years old, died. This got me to thinking, as I was preparing for my upcoming network security courses at UAT. I was talking to one of my students today explaining the significance of our numbering system and how it's based on humans having 10 fingers. This is so significant because it relates to the way we count things, perform math, and more. It's also called Base 10. To intensify my concern, I happened to be reading a book on Assembly to improve my skills in reverse engineering and exploit writing. (In case you're curious, the book is "Assembly Language: Step by Step", by Jeff Duntemann, and I highly recommend it.)

There is a steadily declining number of hackers who understand the concepts of Base 10, Base 16 (hex) and binary (Base 2), and it saddens me. We've gotten so good at creating software that we can call a person a hacker who may not actually understand how a computer works at its deepest level. So with that in mind, here's a quick (and very basic) refresher.

Base 10 is the numbering system that is based on the number of fingers we have (most of us, anyway). The base numbers are 0 through 9. Once we reach 9, we add a 1 to the column to the left, and revert the 9 to a zero, thus making 10 (ten). The first column on the far right is ones, the next to the left is tens, and the one after that is hundreds. Each column to the left is a power of 10 times the column to its right. I know, sounds pretty simple, right? But it's the very basis for how a computer operates.

Imagine a light switch on your wall at home. When you switch the light on, you have power flowing. When the switch is off, there is no power flowing. You basically have two conditions, on and off. In essence, your computer is like this, in that it reads whether a switch (or gate) has power or not. To put it more simply, your computer only has 2 fingers. :-)

This is called binary... your computer uses binary to calculate, perform instructions, etc. Off = 0 and On = 1. If we use our model from above to determine how these numbers work, we start with the far right column. Since this is Base 2, we only have 2 options for each column, a 1 or a 0; with 1 being the highest number that any column can contain before we move to the next column to the left. Each column is a power of 2 times the column to its right. So the first column is one, the second column is two, the next one is four, the next one is eight, and the next one is sixteen. So the number 28, when written in binary, would look like:

1 1 1 0 0 = 16(x1) + 8(x1) + 4(x1) + 2(x0) + 1(x0) = 28

I'm not going to go much deeper than this here, but suffice it to say that students that truly want to understand the computer better, and become better hackers, will spend the time necessary to learn these bases of numbers, and why they're so important. Additionally, learn Hexadecimal, or hex, as well. It's Base 16 and provides a powerful translation between binary and base 10.
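To make the column-by-column idea concrete for all three bases at once, here is a small Python script I've added as an example (it is not code from the post). It generalizes the 28-in-binary breakdown above to any base from 2 to 16, prints the same "16(x1) + 8(x1) + ..." expansion the post uses, converts in both directions, and shows why hex bridges binary and Base 10 so neatly: every hex digit is exactly four binary columns. The function names (place_values, to_base, from_base, expansion, hex_to_nibbles) are my own choices.

```python
from __future__ import annotations

# Digit symbols for any base up to 16 (0-9, then A-F for hex).
DIGITS = "0123456789ABCDEF"


def place_values(n: int, base: int) -> list[tuple[int, int]]:
    """Break n into (column_weight, digit) pairs, leftmost column first.

    Each column's weight is the base times the weight of the column to its
    right, exactly as described in the post: 1, 10, 100 for Base 10 and
    1, 2, 4, 8, 16 for Base 2.
    """
    if not 2 <= base <= 16:
        raise ValueError("base must be between 2 and 16")
    if n < 0:
        raise ValueError("only non-negative numbers are handled here")
    if n == 0:
        return [(1, 0)]
    columns: list[tuple[int, int]] = []
    weight = 1
    while n > 0:
        # divmod peels off the rightmost digit; what is left moves one column over.
        n, digit = divmod(n, base)
        columns.append((weight, digit))
        weight *= base
    return columns[::-1]  # reverse so the highest-weight column comes first


def to_base(n: int, base: int) -> str:
    """Write n as a string of digits in the given base, e.g. 28 -> '11100'."""
    return "".join(DIGITS[d] for _, d in place_values(n, base))


def from_base(text: str, base: int) -> int:
    """Read a digit string in the given base back into an int (the reverse
    of to_base). Invalid digits raise ValueError."""
    value = 0
    for ch in text.upper():
        digit = DIGITS.index(ch)  # raises ValueError for characters outside 0-F
        if digit >= base:
            raise ValueError(f"digit {ch!r} is not valid in base {base}")
        value = value * base + digit
    return value


def expansion(n: int, base: int) -> str:
    """The post's 'weight(xdigit) + ...' layout, e.g.
    '11100 = 16(x1) + 8(x1) + 4(x1) + 2(x0) + 1(x0) = 28'."""
    terms = [f"{w}(x{d})" for w, d in place_values(n, base)]
    return f"{to_base(n, base)} = " + " + ".join(terms) + f" = {n}"


def hex_to_nibbles(text: str) -> list[str]:
    """Map each hex digit to its four binary digits. Because 16 is 2**4, the
    translation is column-by-column with no carries, which is what makes
    hex the convenient shorthand for binary."""
    return [to_base(DIGITS.index(ch), 2).rjust(4, "0") for ch in text.upper()]


if __name__ == "__main__":
    # The post's own example, plus the same number in Base 10 and hex.
    print(expansion(28, 2))
    print(expansion(28, 10))
    print(expansion(28, 16))
    print(to_base(28, 16), "->", hex_to_nibbles(to_base(28, 16)))
```

Run it and the first line printed is exactly the breakdown from the post; the last line shows 28 as hex 1C and then 1C as the two nibbles 0001 and 1100, which side by side read 00011100, the same five significant bits as above.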

My take on Hacking

So, ummm, seriously. Hacking, in and of itself, is NOT a bad thing. The smartest people in history have been hackers, in one way or another. It's an operation of brain function. Creativity. Intelligence. Breaking boundaries. Testing truths. Discovering truths.

I know we've all heard it hundreds, if not thousands, of times now. "Hackers" broke into this... or brought down that. Okay, let's be clear about this. "BAD people broke into this... or brought that down." e.g. The gun doesn't kill people, people kill people.

Knowledge is power. Despite your personal motivation, as a hacker you strive to learn more; to understand more. It's your personal motivations and ethics that define your actions, not your knowledge. As a mentor, it's my job to reinforce the need for ethics as you move through your education, but at no time can I actually enforce that. You're on your own to make the right decisions.

Certified Ethical Hacker, aka CEH: Since we're on the topic, I'd like to toss out to the world that there is absolutely no way you can certify another individual's ethics. You can make certain assumptions based on years of observation and experience with that individual, but you cannot, within the period of 1-2 weeks, certify anyone as ethical. I'm not going to get into a debate about whether the content of the course/training of the CEH is of any value; that's not what this is about. But the simple use of "Certified Ethical Hacker" reeks entirely too much of a used car salesman-type marketing ploy to get people to plop down their hard earned money for a certification that is entirely implausible.