Wednesday, February 03, 2021

The other cDc

kw: book reviews, nonfiction, information technology, hacking, clubs, politics

There were hackers before there were computers. Many were golfers, which is where the term "hacker" originated. It meant "enthusiast", and in golf, a player with more zeal than accuracy would just hack away at the ball. Soon "hacker" meant any non-pro enthusiast in many endeavors, frequently a hobbyist.

Once people could build their own hobby computers in the late 1970's, they also came to be known as hackers, and within a few years, a hacker was someone who programmed for the fun of it (I was one such). Among programmers both amateur and professional (we weren't called coders until the early 2000's), a bit of nicely-written code or a routine that did something really well or even with elegance was called a "good hack" or a "clever hack".

Of course, pushing the ethical envelope comes along with any enthusiastic pursuit, and all kinds of shady behavior showed up. To many folks, locks exist to be picked. In his autobiography Surely You're Joking, Mr. Feynman, the Nobel Prize-winning physicist wrote of a practice he had while he worked on the Manhattan Project, of figuring out the combinations of the locks on all the filing cabinets in his colleagues' offices.

When people who used either computer skills or social-engineering skills to break into computer systems (either determining/stealing a password or finding a way around the password authentication) began to be called "hackers" in news reports, those of us who wore the term proudly protested that they should be called "crackers", by analogy to "safecrackers" (safecracking was what Dr. Feynman was doing). It was to no avail. For close to 40 years, "hacker" has come to mean "criminal interloper".

Curiously, many of the famous "hacking" exploits didn't involve computer skills, but rather fooling someone into revealing privileged information a criminal could use to penetrate a phone system or computer network. But programmers were also busy learning various ways to extract passwords. An early "window into Windows" took advantage of a lazy error by Microsoft programmers in the way passwords were processed. That may have been corrected, but laziness by computer users still provides a wide-open door. Let me explain.

Modern encryption methods produce a "hash", turning a password into a string of 8, 12, 16, 24, or 32 bytes (when you read of "128-bit encryption", for example, that's 16 bytes). Of course, 32 is best. One would think that would make it hard to decrypt, but brute force attacks work this way:

Someone with access to a server (legal or otherwise) copies the pwd file or its equivalent. It contains hashed passwords for all the accounts. The cracking procedure is to create all possible passwords of a specific length, hash them, and see if any of the hashes match those in the pwd file. Specially-built hardware can generate and test billions of combinations every second. The fastest I've read about can "crack" more than 300 billion per second, using a big stack of GPU's (Graphical processing units).

Do you still use mainly 8-character passwords? I hope you at least use both upper- and lower-case letters. Here are some numbers you need to know.

  • 8 lower-case letters, 26^8 = 210 billion possibilities. All passwords of this sort in a pwd file can be found in less than a second.
  • 8 letters, both cases, 52^8 = 53 trillion possibilities. The time to crack them all is about 3 minutes.
  • 8 letters, both cases, plus digits, 62^8 = 218 trillion. Crack time is now 12 minutes.
  • 8 letters, all typeable characters (excluding é, ø, etc), 95^8 = 6.6 quadrillion. Crack time 370 hours, or just over two weeks.

That two-week epic cracking session has already been performed. I suspect someone somewhere has a room full of disks with all the resulting hash decryptions stored in about 160 petabytes. This is why you need passwords longer than 8 characters. I use passwords ranging from 12 to 15 bytes. I call them "million year passwords".

Some of the specialty cracking work was done by members of hacking groups with various quirky names. One group that is probably not quite as unethical as others is one of the oldest, named Cult of the Dead Cow, or cDc. In the book Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World, Joseph Menn outlines the formation and history of cDc and many of its prominent members.

Ignoring for the moment the first chapter and last two chapters, the book does dig into fascinating history, that of cDc and a number of other groups, and into the conferences and other events that made them famous, at least in IT circles. It seems that cDc members mostly straddled the boundary, some working with government and industry in a "white hat hacker" rôle (breaking in to show how it is done and to advise on how to prevent future intrusions), and some feeding hardware and software to what I prefer to call the cracking community, the black hats.

I was puzzled by the "save the world" bit in the subtitle, until I read the last two chapters and saw their connection to the first chapter. An early member of cDc was Robert "Beto" O'Rourke (AKA Psychedelic Warlord), who had left the group after around a decade and gone into politics. You may remember him from the Presidential primaries. He hasn't been named yet, but during the Biden campaign last year, Beto was to be Biden's front man for disarming the American people. Whether that makes you love him or hate him depends on your own political leanings.

It became clear that the book is more properly viewed as campaign material for the future political aspirations of Beto O'Rourke. It opens and closes with fund-raising being carried out on his behalf by a prominent member of cDc, and ends with a long musing on his prospects in future (and now, present) administrations and Presidential ambitions.

The history is interesting. The politics, not so much. For that reason, I can't recommend the book.

No comments:

Post a Comment