
The Origin of “Hacker” April 1, 2008

Posted by Imran Ghory in Computer Security, etymology.

Every time the media carries a sensationalist story about “hackers” committing cybercrimes, there’s always an uproar among geeks about the misappropriation of the word “hacker”. Sadly, it’s the geeks who are mistaken and, for once, not the media.

A few years ago Fred Shapiro tracked down the earliest known reference to computer hackers:

1963 The Tech (MIT student newspaper) 20 Nov. 1 Many telephone services have been curtailed because of so-called hackers, according to Prof. Carlton Tucker, administrator of the Institute phone system. … The hackers have accomplished such things as tying up all the tie-lines between Harvard and MIT, or making long-distance calls by charging them to a local radar installation. One method involved connecting the PDP-1 computer to the phone system to search the lines until a dial tone, indicating an outside line, was found. … Because of the “hacking,” the majority of the MIT phones are “trapped.”

This is the earliest known usage of hacker in the modern sense; the TMRC Dictionary has it a few years earlier, but not in the computer sense. The earliest computer-related uses of the term (through anecdotal evidence) were also malicious (although the term wasn’t originally intended maliciously – in practice it was) in the sense that they involved gaining unauthorized access to computers to play on.

The modern “geek” definition of the term hacker, meaning a skilled programmer, didn’t originate until the late seventies, when the term ended up in the later-famous Jargon File.

That doesn’t mean to say we should all stop using the word “hacker” in its positive sense, but as evidence-advocating geeks we should at least stop claiming a false history to support our cause. As we all know where that ends up.

In response to those who disagree with me: If you think I’m wrong then show me the evidence. If you can find earlier records showing hack(er)s being used in a computer context in a non-“black hat” manner, I’d be happy to retract my post and put the evidence up here.


Google code search: A vulnerability hunter's dream October 7, 2006

Posted by Imran Ghory in Computer Security, Google, Software development.

Google code search: A vulnerability hunter’s dream? – well, maybe not, but if a hacker wants to compromise random machines rather than particular targets, then Google is making finding new exploits ever easier.

Google’s latest search tool has made it incredibly easy to take one particular vulnerability that has a fairly recognizable signature and search vast amounts of code for it. And to prove it, here are some examples:

(Some of these are derivative of various suggestions posted on reddit)

For starters, let’s have a look for programs that run setuid/setgid and copy strings from environment variables without even verifying the lengths (hence providing an easy buffer overflow exploit):

In a similar vein, code that takes an environment variable passed to it by a web browser and sticks it straight into an SQL query (thus allowing SQL query injection attacks):

How about code which uses the unsafe chmod command (chmod is bad due to non-atomicity: code normally checks that the file has some properties before chmoding it, but because the check is a separate operation from the chmod, a hacker could replace the file with a symlink after the check but before the file has been chmoded, allowing them to change the permissions on arbitrary files):

Or a similar race condition which can be used to create havoc, this time in the mktemp() function, which creates a temporary file with a predictable name (so what happens if someone else gets there first with a symlink….).
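The chmod check-then-change race and the mktemp() problem described above have the same remedy: work on an open file descriptor instead of a path name. The following is an added example, not code from the original post; the function names `racy_chmod`, `safe_chmod` and `demo` and the `/tmp` template are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the search turns up: the check and the chmod are two separate
 * path lookups, so the path can be swapped for a symlink in between. */
int racy_chmod(const char *path, mode_t mode) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid())
        return -1;
    /* race window: `path` may now name a symlink to another file */
    return chmod(path, mode); /* chmod() follows symlinks */
}

/* Hardened form: resolve the path once, then check and change the same
 * open file. O_NOFOLLOW only guards the final path component. */
int safe_chmod(const char *path, mode_t mode) {
    struct stat st;
    int rc = -1, fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1; /* includes ELOOP when path is a symlink */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == getuid())
        rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

/* Returns 0 if a regular file is changed and a symlink to it is refused.
 * mkstemp() replaces mktemp(): it creates the file itself with O_EXCL. */
int demo(void) {
    char file[] = "/tmp/chmod-demo-XXXXXX"; /* constructed sample path */
    char link[64];
    struct stat st;
    int fd = mkstemp(file);
    if (fd < 0) return -1;
    close(fd);
    snprintf(link, sizeof link, "%s.lnk", file);
    int ok = safe_chmod(file, 0640) == 0 && symlink(file, link) == 0 &&
             safe_chmod(link, 0600) == -1 && stat(file, &st) == 0 &&
             (st.st_mode & 0777) == 0640;
    unlink(link);
    unlink(file);
    return ok ? 0 : -1;
}

int main(void) { return demo() == 0 ? 0 : 1; }
```

When auditing the hits from such a search, the thing to look for is whether the property check and the permission change refer to the same file descriptor or to two separate path lookups.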

I think the scariest so far is the number of mid-to-large size projects which show up for the following search (where input is read from a file into a fixed-size buffer without a limit being put on the amount of data being read in):

And somewhat more lightheartedly a look at all the programmers that are hard-core traditionalists when it comes to crypto:

So there you have it – vulnerabilities galore and just from a few minutes’ work.