I’m a Corsair, Now

For the past few months, I’ve watched with growing fascination people trying (and sometimes succeeding) to hack into my various servers.

Now, while I won’t admit to any foul play, it reminds me of things we used to do with a group of friends who are today much less disreputable than I am.

So, at the risk of once more earning a reputation as a dinosaur, I’ll gloss over some stuff that gave us (and probably gives the people behind these somewhat unskilled attacks) a rush and some thrills.

I don’t remember anything before 2000. My memory from before is composed of things that I was told. But, given the fact that some of these people are my friends to this day, people I trust completely, I’ll go ahead and assume they were true. It blends so well with what I do remember that I’m inclined to believe it all anyway.

Ye Olden Days

Back in the day of dial-up (RTC) modems, being connected was an investment. Relatively speaking, it cost a lot of money, especially given the fact we were paying by the minute, here, in France. We were connected because we wanted to be connected. None of that “hey, I’ve got 10 minutes to kill, I’ll watch a YouTube video” kind of thing. We didn’t even have the bandwidth to do that… 3KB/s meant that downloading a single mp3 file would take a half hour. And it would be a half hour where we could do nothing in the meantime.

I won’t say it forced us to do meaningful things, because it didn’t. But with so many things to cram in such a short time of activity, writing an email, a post on a newsgroup or a BBS, or even chatting on IRC took a certain degree of planning and will.

It’s hard to imagine today that checking my email (downloading AND sending) would take 5 to 10 minutes to complete. Then I would have to disconnect if I wasn’t doing anything on the ‘net, to reconnect when I felt like sending my responses. Boggles the mind, doesn’t it?

It also means that every minute/hour we could steal to spend chatting with our friends on IRC would have to serve some purpose, whether to get news from people you like, plan something together, etc… What I certainly can remember is when most of us got permanent broadband access. Suddenly, the activity was a lot less focused.

Anyway, back to the thrills and the adrenalin rush: we were doing inconsequential things such as taking over channels, and probing defenses of other computers, sometimes even getting access. Some of that original group even went on to make that their actual job. I never did, although I kept a toe in that pool: trying to figure out a way to hack into other people’s machines and servers, as well as “social hacking” organizations to get privileged information or just for fun, is a useful skill to have, if only to have a basic understanding as to how to protect yourself and people around you from it.

We would spend hours discussing the best methods, and talking about the latest exploits that would allow someone to get in and do… whatever. I don’t think we did any harm, nor do I remember doing any, but we could have, I guess. And that’s the clincher when you’re a young computer scientist in a world where most people just don’t get it. It gives you tremendous power, that can look, from the outside, quite magical. The temptation to use the skills, the minutes or hours you spend preparing and finally the victory over a security system is like every other sport. It makes you feel immensely good.

Fast Forwarding Ten Years

Nowadays, I get amused when I see the phishing campaigns which seem so effective. They are a very crude attempt at corrupting the weakest link in the security chain: the human brain. I mean, come on! Who in their right mind would think that the bank would send you an email telling you your account has been hacked/overfunded/…? Banks usually understand security, and will do paper or phone, not hilariously insecure emails… Millions of people apparently fall for that.

To circle back to my current string of attacks, what appalls me is that it’s a brute force attack. The attacker(s) are trying as many passwords as they can to gain access. Someone read too much Dan Brown: the Bergofsky Principle doesn’t exist… While it is indeed possible on some incredibly weak protection schemes to guess the password for an account by repeatedly trying until you’ve exhausted all the possibilities, it’s hardly the most effective method:

  • it’s slow
  • it leaves a huge amount of traces
  • it can only work if you know the login for sure
  • it works only if you have an unlimited amount of tries
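
The traces such a run leaves, and the effect of capping the number of tries, shown as an added example that is not part of the original post. It assumes the attacked service is OpenSSH logging in its usual syslog format (the post does not say which service it was); the log lines are constructed and `max_tries` is a hypothetical lockout threshold.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH syslog format (assumed service; 203.0.113.0/24
# and 198.51.100.0/24 are documentation address ranges).
SAMPLE_LOG = """\
Mar  3 04:10:01 host sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar  3 04:10:03 host sshd[811]: Failed password for invalid user oracle from 203.0.113.7 port 40114 ssh2
Mar  3 04:10:05 host sshd[812]: Failed password for root from 203.0.113.7 port 40120 ssh2
Mar  3 04:10:07 host sshd[812]: Failed password for root from 203.0.113.7 port 40121 ssh2
Mar  3 04:10:09 host sshd[813]: Failed password for invalid user test from 203.0.113.7 port 40125 ssh2
Mar  3 04:10:11 host sshd[813]: Failed password for root from 203.0.113.7 port 40127 ssh2
Mar  3 09:30:44 host sshd[901]: Failed password for alice from 198.51.100.20 port 51822 ssh2
Mar  3 09:30:52 host sshd[901]: Accepted password for alice from 198.51.100.20 port 51822 ssh2
"""

LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(log, max_tries=5):
    """Per-source view of password attempts, with a lockout decision."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "unknown_logins": 0, "succeeded": False})
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        s = stats[m["ip"]]
        if m["result"] == "Accepted":
            s["succeeded"] = True
            continue
        s["failures"] += 1
        s["users"].add(m["user"])
        if m["invalid"]:
            s["unknown_logins"] += 1  # guess wasted: the account does not exist
    for s in stats.values():
        # Bounded tries: a source at or past the limit gets cut off.
        s["block"] = s["failures"] >= max_tries
    return dict(stats)

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s["failures"], sorted(s["users"]), s["unknown_logins"], s["block"])
```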

It’s All About The Brain

Man, some days, I pity the clever minds who always had access to that amount of raw processing power and bandwidth. The most effective way to do something to an average person or system is supposed to be repeatedly banging against the door? If a piece of software doesn’t run fast enough, “tough luck”, and wait for the next generation of hardware?

I was sitting at a table the other day with some young programmers who looked at me as if I foamed at the mouth because I asked if they were using encrypted connections to check out their sources. In a fricking public space. And for some reason, I’m a rabid and ranting person because there’s no way I’m going to store some personal and confidential data on a server I don’t trust (I’m looking at you, Google and Dropbox).

Am I paranoid? Is it the rambling of an internet-time old geezer? Maybe. But remember: trust is something that should be earned. What if your account got hacked? How would you know? At least, with the (increasingly smaller, incidentally) amount of control I have over my servers and services, I can tell if I have been impersonated or stolen from…

It’s an evolutionary meme that scarcity of resources breeds inventiveness. When you don’t have the possibility of trying 30 million passwords per minute, the few you actually do try have to have a good chance of being the ones. When your bandwidth limitation means that it’s going to take literally forever to get something, you try to get it offline. And when you can’t trust a service beyond a certain point, you don’t give it information that is too sensitive.

What’s With The Dinosaurs, Anyway?

Dinosaurs went extinct, probably because they were built to take advantage of a much bigger resource pool than we are. They couldn’t adapt to having less. That’s why I laugh when I’m called a dinosaur. I might become extinct because I can’t adapt fast enough to certain things, that’s for sure. But resource-wise, I learned with my friends a long time ago, that if you have the skill, you can do a lot more, with a lot less. And if I do have more at some point in the future, who knows what I can do?

You guys who are trying to get in at this very moment… Do less, but smarter. It’s not that hard. And you’ll get in. And I’ll curse and I’ll laugh at the same time, and the game will go on. For the moment, you are behaving like a dinosaur, albeit the cooler Tyrannosaurus rex one, and it went extinct. Or so I’m told.


The joy of hacking: screensaver’s prefs

It so happens that I need to change the settings of the System Preferences’ Screen Saver pane, programmatically. I need to make the slide show non-random.

Armed with nothing more than my trusty Cocoa Documentation and my guile, I try to see where the preference is stored. It’s in the ByHost section of the defaults, and changing it apparently does nothing.

Programmatically, changing the default for another application generally means using

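#import <ScreenSaver/ScreenSaver.h>

// Set Random = NO in the slide show module's defaults (this is the attempt that has no effect)
ScreenSaverDefaults *prefs = [ScreenSaverDefaults defaultsForModuleWithName:@"com.apple.screensaver.slideshow"];
[prefs setBool:NO forKey:@"Random"];
[prefs synchronize];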

But it doesn’t work. So I scratch my head long and hard. I try subclassing, I try changing it through gdb. I try a lot of things.

Finally, it comes in a flash: the slide show preferences, for some obscure reason, seem to be attached (at least on a temporary basis) to

[ScreenSaverDefaults defaultsForModuleWithName:[NSString stringWithFormat:@"com.apple.screensaver.%@", [directory lastPathComponent]]]

Illogical? Maybe. But it works :)