2010-07-27 02:07:10

This is a requested post from some people outside of the field curious about hacking.

We all know what hacking looks like on TV, epic 3D realms, police chases, spiffy colored screens, and exciting battles with network admins. It looks more like geometry wars than development.

If this was what hacking was like, it would be a much more popular hobby.

The sad reality is that hacking involves more tedium and left over Chinese food than anything else.

So, let me walk you through a typical hacking experience.

I decide I'm going to hack XYZ, inc, a web hosting service.

First, I'd run a lot of scans, looking for open ports, trying to guess the operating system and services installed on the servers, and looking for known exploits.

The heart of hacking is the exploit. An exploit is effectively a bug in software that can be leveraged to do something malicious. For example, if I have a program that returns the output from a directory list command "ls " a hacker may input ".; rm -rf /*" which would make the executed code "ls .; rm -rf /*" Deleting everything allowed on the server.

There are many hundreds of types of exploits, but they are all essentially bugs in software that can be leveraged maliciously.

So, how does a hacker find one? Well, after running a plethora of scans, he will go through each and every service, one by one, trying dozens of inputs, trying to get an error message.

Hackers get excited about error messages- it means they found a bug. Once an error is found (even though they don't always display an error message) the hacker will expand on that, trying to do... anything. Eventually, he may just get some remote code execution, or privilege escalation, or something fun.

The sad reality of the hacker is hours upon hours of looking at error messages and taking educated guesses as to what to try next.

In general, hackers are little more than very good programmers who got bored. The image of some 14 year old in his mothers basement hacking the NSA is pretty uncommon, its usually a young professional, or a seasoned developer that wanted to have a little more fun.

It should be noted, however, that the hours or days of tedium, scans, waiting, and thinking with no certainty of getting anywhere is not fun to most people.

The more interesting thing is the reasoning behind the hacker. Well over 95% of people convected of computer crimes have an intellect considered "very bright" or higher. 80% have diagnosed psychological conditions, with major depressive disorder, bipolar disorder, and thought disorders (delusions, paranoia, hallucinations) being common.

The simple answer to "why?" is not so simple. Every hacker has their own reasons, although from my experience of communicating with then, a disdain for society in general and boredom seem to top the list.