1

The Benefits of Hacking: A Different Perspective for

the Security Conscious

TS5004 Technical Communications

Tina Duff
trdiau@yahoo.com

March 20, 2005

 2

Table of Contents
Abstract…………………………………………………………………………….…...…3
A BRIEF HISTORY OF HACKING.......................…………………………….…...…4
Introduction….……………………………………………………..………….……….4
Background…….………………………………………………..……………....……..4
Hacking Today............................…………………………………..…………….…..…..6
Evolution.........................................................................................................................6
Types of hackers..................................................…………………………….…...……6
Beneficial vs. Malicious hackers....…………………………….....………….…...……7
Traditional hacker ethics................…………………………….....………….…...……7
New hacker ethics..........................…………………………….....………….…...……7
Media's misuse of the term and consequences...……………………...….….....………9
The Benefits of Hacking.....………………………………………….…………....……..10
Industry related benefits................……………………………………....…….……..10
Individual related benefits.......……………………………………….…...……….…10
Concentration on threats.................................................................................................10
Security and hacking....................................................................................................10
Conclusion…………………………………………………………………..…………...11
Appendix A: Proposal……………………………………………………..……….….…12
Appendix B: Revised Progress Report……………………….………………………….14
References……………………………………………………………………..…………16
 3

Abstract

This research paper identifies the benefits that security professionals and the public gains from
the hacking community. It illustrates the need to clarify the meaning of hacking in professional
and public communications. In conclusion it shows that we can all continue to benefit from
hacking by eliminating the confusion that surrounds the term.
 4

The Benefits of Hacking: A different perspective for the security conscious

A BRIEF HISTORY OF HACKING

Introduction

Just by reading the title of this paper, most people raise an eyebrow. It is hard to imagine that
hacking can be beneficial. I wonder why that is? Why is society so determined to criminalize
anyone who identifies with this label? Is it perhaps due to our own lack of knowledge and
security? Could it be misinformation about the word and what we associate with it? Some have
suggested that it is just a clever marketing ploy. One that generates fear that our computers will
be hacked so we must all run out and buy security software. Judging from societies reaction to
hacking, it appears to be working. In order to answer these questions and be on our way to
understanding the benefits of hacking, we need a brief history lesson.

Background

The history of hacking is hard to track down. There appears to be as much confusion about the
origins of hacking as there is about the term itself. Where did the term come from? When was it
first used? What were they talking about when they first used the word hacker? There does not
seem to be one single answer to these questions. As is the case with almost everything that
surrounds hacking, it is open to debate.

The debate over the history of hacking parallels the debate over the meaning of the term. There
are two very distinct arguments on this issue. One side claims that hacking has always referred to
those criminal individuals among us who will attempt anything for personal gain. The other side
claims that hacking has always referred to those who are the pioneers of new fields and
constantly explore just for the sake of knowledge. It all comes down to one single question. Is it
good or bad?

Good or bad? Right or wrong? Does it really make that much of a difference? How will you
decide what first really is? Shapiro (2003) claims that the earliest known use of the word hacker
was in a student paper from the Massachusetts Institute of Technology (MIT). He quotes the
following from the November 20, 1963 issue and uses this as proof that the word hacker has
always referred to someone with malicious intent:

“Many telephone services have been curtailed because of so-called hackers, according to
Prof. Carlton Tucker, administrator of the Institute phone system. [....] The hackers have
accomplished such things as tying up all the tie-lines between Harvard and MIT, or making long-
distance calls by charging them to a local radar installation. One method involved connecting the
PDP-1 computer to the phone system to search the lines until a dial tone, indicating an outside
line, was found. [...] Because of the “hacking,” the majority of the MIT phones are “trapped.””
 5

I agree that this may be the first known printed reference to hackers but I do not believe that this
shows that the origin of hacking was malicious. The hacking culture as Jonas Lowgren (2000)
describes it, is already entrenched at this time. Lowgren gives a through examination of the
history of hacking by explaining the origin of hacker cultures. Lowgren identifies three distinctly
different cultures:

● Hobby This type of hacking originated in the 20's. Radio amateurs and electronic
enthusiast are the primary members of this group. These hackers began by
putting together early computer kits such as the Altair 8800, ABC80 and
the ABC800. This began the ideology that hackers possess a through
understanding of technology. This type of hacking predates all of the
others.

● Academic The Model Railroad Club at MIT developed this type of hacking through
the sophisticated railroad systems they built in the 50s. The word “hack”
first appeared and was used to describe technology based pranks. This
group included students from disciplines such as math and eventually,
evolved into programming.

● Network Today, we would call them phone phreaks because they developed ways to
utilize the phone system to make calls. The old phone system used dozen
of switches that were controlled by tone commands. Once these switches
were discovered they could be used to control the phone system.

Reviewing this information, it is clear to see that the origins of hacking can be traced back to the
20's and was not malicious in any form. One can see that the term came from MIT and the model
railroad buffs were the first to use it. They used the term hacker as early as the 50's to describe
those individuals who were skilled in technology.

Determining if hacking was originated for personal gain or just seeking knowledge is easy. The
hobbyists were seeking knowledge to gain a better understanding of their field. However, trying
to determine if hacking is good or bad is pointless. It would be like trying to determine if any
other Academic discipline was good or bad. Is there such as thing as bad psychology? Wrong
criminology? I believe there isn't. The information one gains from their discipline can be used for
good or bad but the decision remains with the professional.

This paper took the approach that first meant the earliest recorded date of individuals actually
performing the actions that would later be described as hacking. Others may chose a different
approach to first, like Shapiro(2003) who chose to use the first printed instance of the word
hacker. There are still many other ways to determine the origins of hacking. One could use MIT
as the origination point because that was the first time the word hacker was used. The point here
is that first is subjective and can be determined by the individual.

Through this historical review, the definition of hacking begins to take shape. This paper will
define hacking as the act of exploring technology to expand one's own technical knowledge.
Therefore, hackers will be defined as the individuals who explore technology to increase their
own knowledge.
 6

Hacking Today

Evolution

Computers have evolved since those early Commodore 64 machines and hacking has kept pace
with the changes. Today, the hacking community is much more complex and diversified. The
common label of hacker no longer fits some specialized individuals and that has given rise to
new terminology.

Types of Hackers

Hackers can be broken down in several ways. You can classify hackers based on their level of
skill, on their chosen specialty or a combination of both. This section describes the various types
of hackers and provides a glimpse of classification by reviewing Guppta, Laliberte & Klevinsky's
(2002) three tiered system.

Each new technology that is developed generates a new specialization and new terms are created
to describe these individuals. Some of the terms that are the most common are:

• Cracker This term is used mainly to identify an individual that cracks or breaks into
various items. This hacker can be cracking security codes, software
registrations, or computer systems. This is generally the name the
community gives for malicious hackers.

• Phreaker Phreaker's are phone hacker's and usually concentrate on understanding

and manipulating the phone system. Phreakers can be malicious but are not
always seen that way in the hacking community. Especially with the rise of
cell phone security and wireless communication.

• Script Kiddie These individuals usually comb the Internet looking for pre-written scripts
or programs they can use for various purposes. The individuals in this
category are considered amateurs.

There are several more terms that can be encountered in the hacking community but they are out
of the scope of this paper.

The three tiered system of classification was designed to represent a pyramid. The first-tier
contains fairly advanced hackers with the skill level dropping until the last tier is reached. They
chose the pyramid to reflect the actual number of hackers that would be in each category. This
demonstrates that as skill level drops the number of hackers increase.

The first-tier consists of programmers that find vulnerabilities in existing code. These hackers are
well educated and possess a deep understanding of computer technology. They are not publicity
seekers and are rarely in the news. Some of these hackers are employed by security companies
 7

such as ISS X-force, Bind-view Razor Team and AXENT SWAT team. These hackers
commonly work in groups or teams. There are computer hacker gangs such as the CDC that often
work in this manner. They will develop specific programs or find vulnerabilities in an existing
system and pass that information to another member of the group that uses the information to
attack the system.

Second-tier hackers have less skill in programming than first-tier hackers. This group usually has
experience with several operating systems, the ability to do general programming, and an in-
depth understanding of networking technologies. This group can consist of beta-testers, security
consultants, and system administrators. Second-tier hackers usually do not find exploits or write
programs due to time constraints. This category could include crackers and phreakers.

Third-tier hackers have the lowest skill level and are the most numerous. These hackers are
commonly referred to as script kiddies. They download scripts and programs from the Internet to
accomplish their hacking. This group has the potential to do the most harm to a system, simply
because they will use unproven code. These hackers usually do not have an in-depth
understanding of the tools they use. This type of hacker is usually seeking notoriety and are
generally the younger Internet users. They frequent hacker mailing lists but don't contribute.
These hackers may not be malicious but are generally considered so because of their lack of
knowledge.

Beneficial vs. Malicious hackers

Through the description and classification of hacker's one can see that the technical knowledge
required to hack can be used to benefit society or to benefit the individual. This simple, glaring
difference is the only thing that separates malicious and beneficial hacker's.

Beneficial hacker's are sometimes called white-hat hackers by the security profession. This name
was derived from the old western movies where the good guys always wore white hats and the
bad guys wore black hats. The white-hat hacker considers their activities to be helping their
industry and are often done with no compensation. Currently there is a split in this group that
mainly involves a changing ideology. You have traditional white-hat hackers and new white hat
hackers.

Traditional white-hat hackers subscribe to an ideology that was summarized by Stephen Levy in
Hackers: Heroes of the Computer Revolution (Lowgren, 2000). Several points in the list of ethics
that is provided are at odds with current laws. In these instances white-hat hackers would obey
the law but continue their efforts to change those laws. These governing ethics are listed below
followed by an explanation of the ideology.

Traditional Hacker Ethics

 “Access to computers—and anything which might teach you something about the way the
world works-- should be unlimited and total. Always yield to the hands-on
imperative!”(Lowgren, 2000, Traditional hacker ethics)
 8

The hands-on imperative is referring to the ability of the hacker to fix any problems they
encounter in code or programs. The ideology simply put means that if you need something done,
don't complain about it to someone else. Learn what you need to learn to do it yourself. Access to
computers and knowledge is vital to the learning process. Therefore they feel such access should
be free and unobstructed.

 “All information should be free.”

This idea has help promote freeware (free software) and the GNU General Public License. The
point is similar to the one above in that information should be free because with out information
the learning process is obstructed. Currently this view is at odds with copyright laws, which is
precisely why the other two licensing options have been developed.

 “Mistrust authority—promote decentralization.”

This concept speaks to the belief that centralized authority can withhold information in an effort
to conceal dishonest behavior. The belief is that by decentralizing authority and freeing up the
information the truth can be discovered.

 “Hackers should be judged by their hacking, not bogus criteria such as degrees, age, race, or
position.”

The belief that every one is only as good as their hacking ability. All individuals are judged
solely on their hacking.

 “You can create art and beauty on a computer.”

These last two are dated due to the fact that traditional white-hat hackers first appeared in the
70's. This is one cause for the split in ideology between the traditional and the new.

 “Computers can change (your) life for the better.”

The new white-hat hackers have updated the ideology for the 90's. Steve Mizrach published these
findings in a paper tittled Is there a hacker ethic for the 90s hackers? (Lowgren,2000).

New Hacker Ethics

 Above all else, do no harm.

White-hat hacking still values the ideology of not destroying anything. This is not limited to
computers and information alone.

 Protect privacy.

This is an updated version of the freedom of information ideology that separates personal
information from private information.
 9

 Waste not, want not.

Improving a system's performance is seen as a positive use of idle time. Anything that can be
done to improve the use and efficiency of computer resources is beneficial.

 Exceed limitations.

Don't give up just because you are told it can't be done. This is the innovative side to hacking that
was discussed earlier.

 The communicational imperative.

The communicational imperative is simply the ability of the hacker to communicate and
associate with peers.

 Leave no traces.

Web defacing and claims to fame are common among black-hat or malicious hackers. This ethic
has grown out of the idea that white-hat hackers are hacking for knowledge and not notoriety.

 Share!

The old ideology of disseminating information has been reinterpreted to include sharing
resources and ideas with others.

 Fight cyber-tyranny.

Fighting the ability of larger organizations to control the Internet and information systems is now
seen as necessary.

 Trust, but test.

Redefined but basically still the idea that by actually hacking systems and technology can be
improved.

Black-hat hackers are those individuals that use their technical skill for personal gain. These
include hackers from various disciplines and motivations. These are the malicious hackers who
are intent on destruction and profit. These hackers may have personal motivations such as
revenge or anger. Sometimes the motivations are simple such as money or notoriety.

Media's misuse of the term and consequences

The media has consistently misused the term hacker to identify any computer criminal. All too
often headlines read that a hacker has broken in to a bank or stolen credit card numbers. This
misuse of the term has had considerable consequences for both the industry and the computer
professional.
 10

This confusion over terms has begun to influence business practices. The industry has been
forced to redefine and classify hackers as described above. The security industry is the most
heavily influenced by the confusion due to the similarities in hacking and security job functions.
Management and administrators of companies are all too often non-technical. With these non-
technical positions being influenced by the medias criminalizing of hacking, security
professionals are now being scrutinized. This excessive scrutiny is slowly eroding the ability of
the security professional to perform the necessary tasks to secure the system.

In a recent case, two IT contracts landed in court by initiating unauthorized port scans against a
company network.(Poulsen, 2000) The competing company filed charges against the contractor
for scanning their network while testing the one he was installing. Hackers commonly do port
scans before initiating an attack and security professionals test their systems the same way. The
company charged the professional under the anti-hacking laws and attempted to sue for damages.

Education of the media and the general public on hacking and security measures could reverse
this very dangerous trend. The media needs to realize “...that 'hacker' doesn't mean 'criminal' any
more than 'locksmith' means 'burglar',...” (Bauer, 2005).

Benefits of Hacking

Industry related

The computer industry was virtually founded on the ideals of hacking. From the very first
hackers that began assembling those early machines to the innovations that have changed
computers forever, hacking has always been a part of the computer field. The benefits that the
industry has gained from hacking are:

• Rapid advancement
• An inability to stagnate
• Diversification
• Innovation

Individual related

Consumers benefit everyday from hackers and their endless search for knowledge. Although, the
hackers mainly seem to compete against one another, society benefits from the discoveries that
are made. The benefits that individuals have gained from hacking are:

• Continually improving security

• Product improvements
• Increased attention to consumer's needs
• Reliable, free software
• Free computer and software assistance

Concentration on threats
 11

Security and hacking

The security industry is closely tied to hacking through the normal job activities that are
involved. Security professionals have concentrated on the threat presented by malicious hackers
much longer than the media has. Many security professionals identify with hackers and may have
even started out by hacking themselves. Companies even hire security professionals based on
their level of experience in defending a system from black-hat hackers. Therefore it is quite
natural for this industry to place a rather high value on the threat presented by malicious hackers.
This should be viewed in addition to all other information and considered appropriate to the
field. It should not be used as a further justification to continue criminalizing hackers.

Today, the industry itself is beginning to change the way it views hackers. Companies have
began to have hackers demonstrate their lack of security and implement better security practices.
Hackers are beginning to teach security professionals how to hack so they can better defend their
own system. Several certification companies are now offering Ethical Hacker certifications so
companies can be assured that their professionals are knowledgeable in this area. The changes
that are being made can only continue to benefit security but more needs to be done to change the
views that are commonly held by the public.

Conclusion

It is hard for many people to believe that hacking can be beneficial because the media has
popularized an incorrect view of the common hacker. The media publicizes this view due to the
sensationalist image that it portrays. Many of us bought this sensationalized view because we
have limited knowledge in this very technical area.

Security companies and professionals are not without blame. They have used this incorrect view
of hackers for their own gain. Using it to motivate the public and employers to increase security.
This was a mistake that is now beginning to have severe consequences.

Through education of the media and public, this misconception can be corrected and further
complications avoided. Hacking is beneficial to the industry and to individual consumers.
Hacking is the act of exploring technology to expand one's own knowledge. Hackers retain the
responsibility of being ethical or not, just the same as any other professional does.
 12

Appendix A: Proposal for the creation of a research paper on the benefits of hacking.

Date: March 9, 2005

To: Jill Krout

From: Tina Duff

Subject

Academic proposal for writing a research paper on the benefits gained by security professionals
from hacking.

Introduction

Hacking originally referred to a person who was learning programming and computer systems for
the sake of learning. Today, the term is commonly used to refer to individuals who use networks
to gain unauthorized access to computer systems and information. This includes several criminal
offenses that have been recently defined by law and some that are not as clear cut. This paper will
examine some of those areas and offer a different concept of hackers from the one held by the
public.

The publics view of hacking is grim. Images of identity theft and viruses are immediately
conjured up by the media. Notorious hackers, such as Mitnik come to mind and Microsoft offers
rewards to informers who assist the police in capturing virus authors. Society and the security
profession have begun to see hackers as a destructive menace that needs to be stopped. This
paper centers on those views and offers three main reasons why those views should be changed.

Purpose

The purpose of this paper is to identify the ways in which hacking has benefited the
security industry. The paper will demonstrate that hackers are a valuable asset for the
security professional. The division between security professionals and hackers has
become blurred as cross-over training and knowledge becomes widely available. Several
companies have ethical hacker certifications now available to educate security
professionals in the same tools and tactics used by the hackers. Some very well known
hackers have made the transition from former criminal to security professional. Books
have been published on the topic of hacking to instruct security minded individuals on
how to protect themselves and their equipment. This paper will clearly show, that hacking
has provided the security industry with several benefits.
 13

Problem

Security professionals and the general public has begun to view hackers as criminals and thieves.
The media assist in the wide spread acceptance of this view by labeling any computer criminal a
hacker. This view is incorrect.

Solution

The solution to this problem is the education of security professionals and the general public in
the various types of computer crimes and criminals. Through identifying the real criminals and
showing the public the beneficial side to hacking this can be accomplished.

Timeline

The paper will go through several revisions. The initial rough draft of the paper is
complete. However, there is still sufficient work left to do in reorganizing and refining the paper
for the final draft to be ready on March 20th. I will submit a progress report on
March 2nd to clarify any areas that still need to be reworked. On March 9th, I will deliver
the final rough draft for approval before submitting the paper.

Conclusion
This research paper will identify the benefits that security professionals gain from the
hacking community. It will illustrate the need to clarify the meaning of hacking in
professional and public communication. This paper will show that we can all continue to benefit
from hacking by eliminating the confusion that surrounds the term.
 14

Appendix B: Revised Progress Report

Date: March 6, 2005

To: Jill Krout

From: Tina Duff

Subject: Progress Report – The Benefits of Hacking

INTRODUCTION

This report covers all work done from February 13, 2005 to March 2, 2005. The report focuses
on the progress made since the initial proposal was submitted. The paper is being written to
identify the ways in which hacking has benefited the security industry and to demonstrate that
hackers are a valuable asset for the security professional.

Progress

Since the initial proposal the rough draft went through several revisions and new resources were
identified. The following list the items that have been completed:

● I have revised the initial proposal for resubmission.

● An outline of important points is complete.
● All research is complete and include in the outline of important points.
● I have completely reorganized the rough draft of the final paper.
● I have completed the title page, abstract and reference sections.

The paper still needs to be assembled in the proper format and checked for errors. Proofreading
will continue until the paper flows in an appropriate manner. Organization will be checked again
for the best possible layout before submission.

Timeline

The following schedule details the timeline for this paper:

● I will submit a refined progress report on March 6th .

● I will deliver the final rough draft for approval on March 9th.
● The rough draft of the final paper will be submitted on March 16th.
● The final paper will be submitted on March 20th.
 15

Tina Duff -2- Progress Report

Conclusion

The paper is progressing quicker than expected. The research was completed much quicker than
planned which allowed for the inclusion of additional resources. The extra time will allow for
extensive formatting and grammar error correction. The final paper will be submitted on time
and should be quality work, worthy of publishing.
 16

References

Bauer, M. (2005) Fear and Loathing in Information Security. O'Reilly Network. Retrieved
February 22, 2005 from
http://www.oreillynet.com/pub/a/network/2005/02/11/mbauer_1.html

Dhanjani, N. (2003). Hack Notes: Linux and Unix Security: Portable Reference. Emeryville,
CA : McGraw-Hill/Osbourne.

Gupta, A., Klevinsky, T. J. , & Laliberte, S. (2002) Security through penetration testing.
Indianapolis, IN : Pearson Education.

Hatch, B., Lee, J., & Kurtz, G. (2001). Hacking Linux exposed: Linux security, secrets and
solutions. Berkeley, CA : McGraw-Hill/Osbourne.

Johnson, B., Jone, K. J., & Shema, M. (2002) Anti-hacker toolkit. Berkeley, CA: McGraw-
Hill/Osbourne.

Kurtz, G., McClure, S., & Scambray, J. (1999) Hacking exposed: Network security, secrets and
solutions. Berkeley, CA: McGraw-Hill/Osbourne.

Lowgren, J. (2000) Hacker culture(s). Retrieved from

http://webzone.k3.mah.se/k3jolo/HackerCultures/index.html

Poulsen, K. (2000) Federal court finds that scanning a network doesn't cause damage, or threaten
public health and safety. Security Focus. Retrieved February 7, 2005 from
http://www.securityfocus.com/news/126

Shapiro, F. (2004) Etymologies & Word Origins: Letter H, Hacker. Retrieved February 18, 2005
from http://www.wordorigins.org/wordorh.htm.