What is a proportional response to curiosity?
Lately, it seems as if there have been more reports about hackers in the news. If they’re not stealing credit card information, they’re leaking private photos from celebrities' phones or stealing company or government secrets. I guess these events are a kind of collateral damage from the way that IT has been merging with everything else for the last two decades. It has brought on a disrupting change to our society in, what I assume is, quite a short time. At this pace, some things are going to be left out, and when it comes to IT, many times that thing is security.
When I was younger, both cracking and hacking fascinated me. I remember how mysterious it all seemed, wondering how the hackers managed to do what they did. And the hackers themselves, many times nothing more than a pseudonym, but the excitement you felt when you recognized that name on a defaced site somewhere, was hard to beat. This is probably why I still get a bit curious when I hear or read about the latest “hack”, part of me stills wants to know how they did it even though most of the mystery is gone.
Since the terms “hacking” and “cracking” seems to take on somewhat different meanings in different contexts, I’ll clarify how I’ll use them in this text. By cracking I’m referring to software cracking which means to remove copy protection from software and by hacking I mean gaining unauthorized access to a system.
Let me take you back to the beginning
I had been teaching myself how to program C and assembly language since I had read somewhere that that was what you wrote games in and that was what I wanted to do. Around that time, I was playing an old BBS door game, but not on an actual BBS, I was playing it locally, on my computer. It was a shareware game and I had played through the free part of it. To continue playing I would have to register the game which meant paying someone with a credit card or a check, which wasn’t really an option since I was in middle school and money seemed very adult to me at the time. On a whim, I loaded the game into Borland Turbo Debugger, not really sure what I was trying to accomplish. To my surprise, the author had forgotten to remove the debug symbols. This meant, interspersed between the lines of assembly code were the variable names and function names the author had used when writing the program. It didn’t take long for me to find the function that tested if the program was running in shareware mode or registered mode. I changed a single byte in the executable which inverted the test, making the game think it was registered — and I was done.
For the first time since I began teaching myself how to program, I realized that what I was learning was not only to build things, but how to take things apart.
What followed was a multiyear obsession with cracking. Everything I came across which contained copy protection, I loaded up into SoftICE or ran it through a disassembler. A lot of the time, I didn’t manange to break the protection, but sometimes I did. I began hanging out in IRC channels where some of the people that had cracked some of the games I was playing, hung out. Games were arguably a bigger target for crackers which meant game companies spent more resources on their copy protection schemes than most other companies. By doing this they unwittingly became the Goliath for an army of weird pseudonyms to outsmart.
Back then, breaking copy protections was not by itself illegal as far as I know, but distributing your cracks was. I was faintly aware of this but it wasn’t something I gave much thought. To me, it was just an exciting intellectual puzzle. How could a teenager from his bedroom, in front of a computer possibly do something which would affect a large corporation? My teenage mind found this line of thinking both absurd and a tad bit exciting.
Other than cracking, I did dabble with hacking. The approach is similar to cracking if you focus on the technical aspects of hacking (social engineering being, for example, another possible route). This was the part that appealed to me. The problem for me was that with hacking you have a very direct link to your target (pun intended). This makes it both easier to get caught, something I was very scared of, and it makes it much more apparent that what you’re doing is directly affecting someone else, with which I never felt comfortable.
After a few years other things caught my attention and I began drifting away from the world of cracking. It also dawned on me that what I was doing was in a small way hurting the people doing what I wanted to do for a living. That I didn’t realize this sooner was probably, in part, due to my naiveté, but one has to remember that it was a different time back then. When I was into this stuff computers were in the process of going mainstream. Pirating programs for private use was almost the norm where I lived. Website defacements were usually both pompous and immature, turning them into silly pranks. There was usually a computer savy teenager in every neighbourhood providing tech support and dealing fresh games for people to inject into their newly acquired computers.
A brave new world
Today, governments have to a large part caught up with the internet. Of course the internet is still changing, but they now know it’s something they need to keep their eye on. Cracking has been made illegal in many countries. There have been a number of highly publicized court cases against both pirates and hackers, sometimes resulting in unduly hard sentences. Hackers stealing government secrets or credit card information or personal information, possibly affecting millions of people, are now a normal part of the news.
While companies often paint themselves as the victims in these situations, it’s sometimes due to neglect or cost-cutting on the companies part that these attacks are made possible at all. And it’s questionable who pays the price in the end, sure, the company may get some bad publicity depending on how the manage to spin it, but for the people whose data was stolen, won’t know if or when the stolen data will be used against them.
Of course, hacking has changed as well. There is now incredible amounts of data online so there’s money to be made if you’re ethically challenged, which some people are. Also, governments have now entered the game. Hacking has climbed into a bigger arena and is now serious business.
Now, I wonder if there’s still a place for that kid, taking things apart on his computer out of unfettered curiosity or because he’s good at it. Or will we slap that kid so hard with the law that he’ll never recover? Personally, I think doing that would be a mistake since I believe that kind of curiosity can lead to good things.
Eventually, I hope we’ll find the balance.