www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
05 March 2007  

Humour

Path of least resistance

T A Balasubramanian on how the most effective way to prevent hacker attacks is to show the same persistence, smartness and vigilance that they do.

“Hackers are, literally speaking, a curious lot,” says Chubby Goldfinger. “Their curiosity knows no bounds or borders. A common bond among hackers is the need to crack the veil on anything they consider to be unnecessarily shrouded. ‘What if I try this?’ and ‘What can I do to make it do what I want?’ are two hacker mantras. But that unrelenting, inquisitive feline quality, sometimes bordering on the paranoid, will also give CIOs and network managers superior quality assurance if they can get hackers to work inside the corporate walls.”

Goldfinger, prime sponsor of the Hacker’s Gold Mine Meet, or HGMM, is holding forth to a rapt audience at one crowded corner of the Techno Over-exposition of Geeks and Gizmos for Lazy Enterprises (TOGGLE), where you, Papyrus Bytewala, CIO of Baffle Corporation, accompanied by Danny DeVito, your CTO and associate, and by Gene Hackman, CEO of Virus Busters, are assembled.

Hackman, intent on nabbing the slippery hacker called Robin Hood, is barely listening to the speaker at the podium. His attention is on the assembly of faces, where he hopes to spot a shifty pair of eyes, or perhaps, a deceptively calm and brooding figure. Clueless as he is, Hackman is relentless in his pursuit of the two notebook computers that this rob-Peter-pay-Paul menace has deprived him of.

“In the past six years, malicious black hat hackers have changed from meddlesome scoundrels who deface websites and spread worms and earn glory within the hacker community to professionals sponsored by foreign governments and organised crime. They target specific government and industry victims and commit real crimes, sometimes for significant moolah,” says Goldfinger, making a dollar sign in the air.

“Great hackers are like perfect elephants with gigantic memories,” he rambles on, expressively gesturing with both hands, “Everything you forget, they will find. Like the proverbial millions of monkeys writing on typewriters to eventually produce a masterly poem. They have infinite resources and infinite time to find weaknesses in your system, even if it is buried under a 10-inch concrete wall.”

“How do they find the weak spots?” you ask Hackman, distracting him from his keen survey of the crowd.

“Huh? Oh, well, they always follow the path of least resistance,” Hackman says, drifting back to earth.

“What does that mean, Gene?” says DeVito, scratching his head.

“The path of least resistance is often through the front door.”

“They can just walk in? Come on, it can’t be so easy.”

“It’s easier than you imagine. Hackers make use of a trap-door. You know, the average computer network engineer is obsessed with efficiency. Now that’s exactly what can be used against him.”

“Huh? How does that work?” says DeVito.

“Well, let’s say you get an offer for a free program that appears desirable, but actually contains something vile. The contents could be something deceptively simple—you may download what looks like a free memory test for your machine, but when you run it, it sneaks in a little code that snuggles down inside your system.”

“Like a parasite, huh?” says DeVito.

“Exactly. Wily hackers, like smart parasites that love to keep their hosts alive and healthy, will hack only enough to insert innocent-looking code that contains keystroke and network sniffers and other means to collect your vital statistics. They can charmingly use this information to fool your system into thinking that they, the invaders, are legitimate users. Once they get into that Trojan Horse, they can come and go as they please without scrutiny. They have, in short, put a pair of eyes, or ears, inside you that you don’t know about.”

“Clever little devils,” says DeVito. “And these are the black hats that Chubby wants to foil? The crackers?”

“Well, to be fair, all hackers are not crackers. There is the highly debated matter of intent,” says Hackman. “Almost all hackers follow the path of least resistance, burrowing into the system code to find flaws. On top of the heap in order of intentions, are the noble white hats. They are paid professionals hired by organisations to dig into weak spots and to protect your data, networks and other information technology assets. Like sheriffs and other law enforcement personnel, white hats work within the rules. Military officials have learned the fastest from white hats, and they pay serious attention to what these guys find out when they mess around.”

“While the black guys tend to bend the rules, eh?”

“Right, Danny. Black hats are the villains in the security drama. They are the ones who give the hacking business a bad name. They follow the wisdom of Willie Sutton, a bank thief. When asked why he robbed banks, Sutton replied frostily: ‘It’s where the money is.’ Grey hats, however, pose almost no real risk because they do not act maliciously. They may do it only to point to a flaw, and many of them are usefully engaged by security agencies to deliberately break into a system to test it. In fact, I use a few myself to tinker with my products.”

“How do you know they are grey hats?”

“Grey hats are unpaid tinkerers. They find flaws to improve security for everyone. The best and brightest hackers are grey hats because their passion for tinkering drives their excellence,” says Hackman. “They are not openly destructive but they get their thrills from joyriding through private systems or conducting uninvited ‘security checks.’ Grey hats are not breaking the law, but they do not have to comply with the rules of any organisation, hence their grey status. In practice, though, it can be hard to tell the noble outlaw from the petty criminal. Bending the law in the name of improving the law is rarely applauded, let alone approved by the law.”

“Why is there such an interest in these guys?”

“Well, talented security professionals who actually enjoy digging around in the spaghetti called computer code, such as hackers, are tough to find and hire. The greatest argument favouring the hacking business is that you can make a mighty good living on the right side of the fence. Companies with too much spaghetti massed inside their systems naturally tend to hire white and grey hats who want to have their fun legally, which can defuse part of the threat—since it liberates some of the hackeratti and gives their work legitimacy. It’s like a program to reform ex-convicts. But then, it’s virtually impossible to reach every potential attacker through a job advertisement.”

“And Robin Hood? Is he a grey hat?”

“Let’s just say he’s a grey who’s turning black,” says Hackman. “Though he’s actually making me see red. The line between self-interest and ‘setting information free’ is easily blurred. And it’s this murky middle ground where my friend, the Hood, most likes to operate.”

“The only long-term way to effectively block or prevent hacker attacks is to show the same persistence, smartness and vigilance that hackers do,” Goldfinger says at the podium. “After all, the million monkeys are working relentlessly, every day, all day.”

“A million monkeys, eh?” says DeVito, grinning.

You wonder what’s going on in your suddenly happy humanoid CTO’s head.

 


© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.