The Myth of the Superhacker

mlimber writes "University of Colorado Law School professor Paul Ohm, a specialist in computer crime law, criminal procedure, intellectual property, and information privacy, writes about the excessive fretting over the Superhacker (or Superuser, as Ohm calls him), who steals identities, software, and media and sows chaos with viruses etc., and how the fear of these powerful users inordinately shapes laws and policy related to privacy and digital rights."

interesting, amd maybe not surprising

[yagu]

I live in a world where daily I hear people describing their monitor as their computer, and their computer as their "hard drive", or some other such mangled interpretation. That's actually very okay, it's not their job to have to know, and good for them for having some mental map.

What I find not surprising about the article's conclusions is even in the computer professional world I've met many "whizzes" not much more intelligent about what computers are and how they work. Hence, much of the alarm over internet terrorism and superhackers potential to bring the IT world to its collective knees spawns from barely literate computer "geeks". At the same time I find it a little disturbing. And it seems the higher up the ladder one goes, the less competence there seems to be regarding making intelligent conclusions about the IT landscape (hmmmm, Peter Principle?).

Re:interesting, amd maybe not surprising

[jimbolauski]

The solution to super hackers is simple, hot women need to take one for the team and date some nerds, this way their not in their parents basement but our with a real live girl. Girls on the plus side you can walk all over them and get anything you want.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:You punctuated incorrectly...

[PitaBred]

Your use of "you're" is your mistake, though.

Re:

[PitaBred]

Wait, what? I certainly hope that you weren't directing that at me, and rather at the parent of my post. My grammar isn't impeccable, but it's far from "not much better" than that of the starter of this thread.

Re:

[StikyPad]

I believe he meant "Girls on the plus size."

Re:interesting, amd maybe not surprising

[Anonymous Coward]

ROFL!

"Girls on the plus side you can walk all over them and get anything you want."

You may want to define where that comma should go, or else you're gonna have some angry plus-size girls after you!

Re:

[Flunitrazepam]

maybe, but if they did you sure wouldn't want them walking all over you

Re:

[cyphercell]

Rustbucket Corolla? Great idea let's give him one of those too.

Re:

[tapehands]

psh! A "superhacker" wouldn't politely ask for gas money until next payday...he'd steal her credit card info, and install spyware on her computer!
That is why they can't get dates. ;D

Re:

[vux984]

And it seems the higher up the ladder one goes...

Who was it that thought interwebs is a series of tubes...? Surely not a Senator chairing a committee on internet commerce... oh wait...

Re:

[DynaSoar]

I could easily say the same thing about the people I encounter in science. In particular, the author of this article. In TFA, he defines his term and then deconstructs his own definition. An imaginary straw man. In his linked article on DRM, he calls it empirical despite the fact it's a survey. He draws conclusions despite his admission that it was not statistically significant. It's easy to pull science out of your ass and call it empirical, and apparently to get attention for it, when you're presenting it

Re:

[lmnfrs]

"At the same time I find it a little disturbing. And it seems the higher up the ladder one goes, the less competence there seems to be regarding making intelligent conclusions about the IT landscape.."

You're completely right about that, it is the norm. At every tech job I've had there has been a maximum of 2 levels of superiors being knowledgeable and intelligent. Often, everybody above my immediate boss sounds braindead when trying to instruct their workers. And unfortunately, there are always some worke

Re:interesting, amd maybe not surprising

[Intron]

I recently suggested to my boss that instead of mailing me web pages that he wants me to look at, he mail me links to the web pages, but I don't think that I got through to him.

Re:

[Joebert]

Bosses are tricky creatures, it's much more effective to just do somthing & pretend they're brilliant when they send out a memo informing everyone that they've devoloped a new procedure.

Re:

[Original Replica]

At every tech job I've had there has been a maximum of 2 levels of superiors being knowledgeable and intelligent.

... about tech. That's because it's your job to know about tech, it' their job to run whatever portion of the company they run. They quite possibly think of you as "knowledgable about computers, and nothing else". I think that it normal for everyone to appear unintelligent or ignorant when their area of expertise is far removed from that of the observer.

Re:

[blhack]

These barely literate computer "geeks" really are the real threat though. They are the type of people how get very frustrated at their own incompetence and do stupid things in order to "prove themselves". Also, the reason that the higher up you go, the lower IT knowledge seems to get is that Skills in IT are almost necessarily inversely proportional to management skills. People who lack management skills are forced to compensate by learning more about computers (in the field of IT i mean), while ones who

Re:

[Ant P.]

Argh. If there's one thing I can't stand, it's lusers mincing the terminology. Like calling everything on the screen a "website" - if I hear "wat's dis website" again and see a blank desktop I'll scream.

Re:interesting, amd maybe not surprising

[ResidntGeek]

It's not just the incompetent that think that way, I'd go so far as to say a vast majority of computer-interested people do. Which is more entertaining to read, and think about: Stealing the Network: How to Own a Continent, with its stories of master programmers writing the best rootkits ever made over the course of two weeks to install on the systems they're about to root with their 0days for the purpose of bouncing their traffic around the internet while they use IPv6 to get around firewalls on Japanese military computers as a test to find out if they're worthy to hack the computers of several African banks for a mysterious man named Knuth in conjunction with a phreak gaining access to an African telephone switch by use of a stolen cell phone so that Knuth can intercept the phone calls of an enemy while a third hacker, who happens to be a very attractive female drunk and recently returned from shagging a random good-looking but smart computer nerd she met at the club while on Ecstasy, uses steganography software to send a message across the globe to a chick she met a while back (who is also a good-looking female computer nerd), all this happening at the same time a 16-year-old college sophomore (with a hot, nerdy asian girlfriend) is pulling a sweet hack involving duct-taping a laptop to the back of a computer cabimet and using it to intercept all traffic to a lab computer for the purpose of concealing his SSN-stealing activities on the school's network so that Knuth can sufficiently conceal his identity for his trip to South America where he'll live comfortably off the interest for the rest of his life, free from any government oppression................ or a study showing that almost all botnets are built using one of two common worms?

People want something to aspire to, and the idea of the existence of a superhacker controlling every aspect of the internet at a moment's notice is pretty good at taking up brain space.

Re:interesting, amd maybe not surprising

[ookabooka]

Mod parent up!

Not only is he making a good point, but he did so with a single 1 paragraph-long sentence.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Opportunist]

And spring loaded cell phones. Don't forget that spring loaded cells!

Re:

[ResidntGeek]

http://www.syngress.com/books/ [syngress.com]

Get the whole series. I've read How to Own a Box, Continent, and Identity and will hopefully get Shadow soon. Only Identity and Shadow are still up there, though, you'll have to go to Amazon for How to Own the Box and How to Own a Continent, both of which I highly recommend. You can read a chapter from each of How to Own a Continent and How to Own an Identity on insecure.org.

Re:

[aeoneal]

even in the computer professional world I've met many "whizzes" not much more intelligent about what computers are and how they work

The definition of a "whiz" seems to be "anyone who knows more than I do." Partly this is because people don't understand the subject, but I think mostly it's to bolster our own egos. If the person who knows more is some kind of guru, it's ok that they know more; but if they're just someone who delved a little deeper and perhaps read a few books it casts the know-less/know-no

From 'The Usual Suspects'

[Trigun]

The biggest trick Satan ever pulled was convincing the world he doesn't exist

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

The concept and even the name of Satan predates the catholic church by a long time.

Re:

[marcello_dl]

> The biggest trick the Catholic church ever pulled was convincing the world he does.

I can understand doubts about the existence of a god, but this? You mean that after witnessing Windows and the RIAA you still don't believe in the existence of Evil Design? They are way too evil to have happened by chance.

Re:From 'The Usual Suspects'

[Logic and Reason]

Actually that quote originally comes from the French poet Baudelaire in the 1864 short story "Le Joueur généreux." The Usual Suspects just popularized it.

Re:

[Anonymous Coward]

The biggest trick the period ever pulled was convincing you it doesn't exist.

Quote? YOU FAIL IT!

[drinkypoo]

It's too bad the quote [dailyscript.com] is "the devil" or you might have gotten yourself some free geek credibility there.

Re:

[PitaBred]

http://www.cs.helsinki.fi/u/hprajani/phun/god-v-sa tan.png [helsinki.fi]

Screw that. Give me Satan any day.

Re:From 'The Usual Suspects'

[hey!]

St. Augustine has a worthwhile point to make here.

He was dealing with a fundamental theological problem: how does a good God create a universe in which evil exists. He came up with a novel solution: it's all good, but evil chooses lesser goods over greater goods -- an concept closely akin to the modern economic concept of opportunity cost. You cannot have the capacity to choose without the capacity to choose the wrong thing; if you were forced to choose the right thing all the time then you wouldn't have free will. Therefore free will implies the existence of evil, which is not a thing in itself, but a deficit.

Dante sharpens Augustine's point in the Divine Comedy: evil is really the result of stubborn, even aggressive stupidity. As outlandish as the punishments that are meted out in the Inferno, they're all pretty much people getting unlimited quantities of whatever it was they pursued in life.

The Devil, then, doesn't need to exist; at least if he does he has no power of his own. There is no need to believe in the nearly all-powerful devil of neo-Christian folklore. The power of Satan, both biblically and by orthodox theology, lies in the stupidity and stubbornness of humanity. A near omnipotent Devil is not really any better off than a powerless but tricky one because (a) near omnipotence is not very useful when the other side is omnipotent and (b) it is impossible to spread evil (in the Augustinian sense) by the exercise of raw power.

Which brings us to the Superhacker. There is no need for a hacker to obtain near omnipotent technical skills. In any case people with extremely high levels of technical skills have better uses for them. Instead, a hacker exploits the stubbornness and stupidity of people who own computers. They won't pay competent people to manage them. They'll choose software for superficial convenience. In Augustinian terms they choose the lesser goods of short term cost savings and convenience over the greater good of security.

omnipotent technical skills

[nurb432]

"There is no need for a hacker to obtain near omnipotent technical skills"

Who says that just beacuse you are at that level you are somehow magically honest? Often times its the thrill of cheating the system that appeals to the upper % of the food chain in the first place.

Re:

[hey!]

It's not that you're magically honest. It's that you have more opportunities than the mediocre, opportunities that are more interesting, equally or more rewarding, and don't involve the risk of going to jail.

I'm not saying there aren't technically very strong black hats, but they hardly represent the peak of technical skills.

Can you imagine a Ron Rivest wasting his time devising rootkits? Or Bruce Shneier? That's journeyman work. Yes, it takes some skill, and patience, but is hardly a suitable field for e

Re:

[nurb432]

Oh, but i disagree totally.

Crime attracts the highest of genius for the sheer challenge.. ( and the scum for easy money, but that isnt what we are talking about here )

Re:

[timster]

Crime attracts the highest of genius in the movies. In real life, I can point you to any number of geniuses who took on far greater challenges than any crime... whereas it's rare that a crime is even interesting to read about, let alone a work of genius.

Re:

[woolio]

evil is really the result of stubborn, even aggressive stupidity.

Wow... I should read more... Dantes already knew that our C.i.C would be Evil. I can't exactly call him "Dr. Evil" since he is not educated.

Re:

[istewart]

The biggest trick Batman ever pulled was convincing the world he doesn't exist

This article is stupid

[quokkapox]

There are no super hackers out there.

Disregard that, I suck cocks.

Re:

[Anonymous Coward]

...I suck cocks.

If you're a guy, you should have waited for an Apple/Mac related story. Then, you would have been on topic.

Mods - that was "Flamebait", the parent was "Troll", "Overated" or maybe "Offtopic".

On the other hand, if he/she said "Macs are great!" and then said "I suck cocks.", then that would be on topic, although, redundant.

Re:This article is stupid

[Captain Splendid]

Mods on crack alert. The comment is a direct reference to this bash.org quote. [bash.org] Somebody please sort it out.

Re:

[mahmud]

Heh, I thought he was just using one of kevinsmithisms.

Re:

[Captain Splendid]

Yeah, well, considering this is /. I shouldn't have to explain a top 10 bash.org quote. And I'm not explaining it anyway, I just hate stupid moderation.

Second, I've done "mods on crack" comments before and had the desired results, so yes, it does work.

Last but not least, if you think M2 is anyhting more than a bandaid on a bulletwound, you're insane.

Thanks for playing!

Re:

[Captain Splendid]

Cool link, thanks!

Hmmm

[kildurin]

I just came from a meeting on this very topic. The thing I came away from this meeting is that the real fear is that the Superhacker works for you. Or worse yet, you let him go yesterday. O. M. G.

Re:

[multisync]

I think it's the exact opposite: the more hackers you have working for you, the less you'll have to worry about a "Superhacker" (or a "Superdentist," or a "Superhairdresser," or a "Superanything") threatening your security.

Re:

[Joebert]

Maybe, but what happens when your public relations go down the toilet because you have a bunch of "hackers" working for you ?

Re:

[king-manic]

Maybe, but what happens when your public relations go down the toilet because you have a bunch of "hackers" working for you ?

If you mean black hats then the 6 people who care will boycott your product.

Re:Hmmm

[multisync]

As far as I know, people take much better to being "accounted for" than they do being "hacked".

I don't know about being "hacked." Is that something you do with a machete? Or a scalpel? Or, maybe, a golf club?

I was talking about "hackers."

You must be one of those people who thinks the word "hacker" refers to someone who uses a computer to commit crimes. Actually, we have a word for that already: it's "criminal." Hacker already has a meaning, and that isn't it.

I don't presume to be an authority, and I would certainly never call myself one, but I know people who exhibit the hacker spirit in their work and their everyday lives, and they tend to be leaders in the companies they work for. Hackers are resourceful; they find innovative ways of using tools that get the job done more efficiently in less time. They see possibilities where others see obstacles. Remember that kid who took his toys apart (and probably yours, too) just to see how they worked, and even managed to put them back together - give or take a few pieces? He was a hacker. Or the one who found a new and novel use for something you thought was boring and mundane? Hacker.

Do you have a friend who can fix your car, or a leaky faucet, or get your printer working again? Even though he's never worked with your particular printer or car before? He's a hacker.

We used to celebrate free spirits who had an insatiable curiosity about how things worked, and who shared their knowledge freely with anyone who wanted to learn, and couldn't sleep until they found the solution to a problem they were stuck on. But the media has latched on to a buzz word, so hard working, honest, productive people get slandered by ignorant morons who want to feel superior, at least until they can't get their printer to work. Then they ask that guy in the office who is "good with computers" to help them, and they never see the irony in this.

Someone else in this thread pointed out that most people think their monitor is the "computer," and that box with the wires coming out of it is the "hard drive." These people don't know any better and don't care, until something stops working. Then they ask someone for help, and that person who solves their problem for them is usually someone who possesses at least some of the qualities associated with "hackers."

Yet these same people will hear about an intrusion, or a virus or a worm and say "those damn hackers" because, once again, they don't know any better, and they don't care. As long as their printer works.

And here you are, surfing the Internet and posting on Slashdot, oblivious to the efforts of all the "hackers" who wrote code, developed protocols and designed the computer hardware that would make it all possible.

Hollywood Strikes Again

[gbulmash]

Just as with any other field or profession, hacking is getting more specialized. It's not that the "superhacker" does not exist, but that such an animal's existence is getting harder and harder to maintain merely because of the expanding skillset and knowledge it takes to be a "hack anything" hacker.

That said, a lot of exploits don't come from being a super techie hacker with the skillz to defeat any system through sheer programming ingenuity or brute force. A lot of them still come from social engineering... convincing foolish people to give you enough information that a middle manager could hack them using nothing more than a standard login.

Where the "superhacker" mainly exists is in the movies. The guy who can pull out his laptop at any given location and hack into any given location on demand and with no preparation or research into the target. He's the human equivalent of the gun that doesn't run out of bullets and hair that dries into a perfectly coiffed do within seconds of getting out of the water.

- Greg

Re:Hollywood Strikes Again

[businessnerd]

Agreed... Kevin Mitnick, as we all know is one of the more famous hackers, yet many argue that it was not his technical skills that made him so famous. It was his social engineering skills. He knew how to extract the right information from the right people so that he could then exploit the system.

Interestingly, they did make a movie about him, Takedown. While no Oscar winner, I felt is was one of the better hacking movies Hollywood has put out. As opposed to movies like "Hackers" or even "Swordfish", this movie's dialogue actually made sense to those who know the definitions of all of the acronyms (cause it's a true story), and the computers showed on-screen, actually looked like something people actually use.

But getting back on topic, it's the social engineers that we should all be afraid of. These guys may not be really hackers (at least not in traditional sense), they're really just con artists. You don't need a computer to get pwned.

Re:

[gbulmash]

But getting back on topic, it's the social engineers that we should all be afraid of. These guys may not be really hackers (at least not in traditional sense), they're really just con artists.

Phishing is just a form of social engineering. It doesn't take much technical skill at all... more than my mom has, but way less than I do, and I'm no guru. As a matter of fact, the way most people get pwned is not through a clever worm that finds them and nails them just because they're online. It's by being tr

Here's actually a "good" hacker movie concept

[Opportunist]

Social engineering. What makes it good is simply that you can actually make it realistic AND entertaining.

If you take the "technical" side of hacking, it's boring to film. Pages and pages of source or disassembly, lines and lines of shellcode... blech. So we get flashy interfaces that make you cringe when you know what actually should be there.

SE is a different matter. I mean, think of the ways Eddie Murphy got into various restricted locations in Beverly Hills Cop by inventing some stories and playing on p

Re:

[gbulmash]

Come on, everyone knows the last "superhacker" died off when Zero Cool married Acid Burn.

Nah, it wasn't Acid Burn what killed him. It was a vampire [imdb.com].

- G

The difference between a hacker and a superhacker

[davidwr]

Nobody knows the superhacker was ever there.

Re:The difference between a hacker and a superhack

[dkf]

The other difference: the superhacker wears a grubby t-shirt made out of spandex!

Classic: same as regular crime

[cyberianpan]

A focus of the article is on the over response to the "superhacker" - this is the same knee jerk issue in regular crime. Glorify the criminal - make them all out to be Moriarty calibre - dancing magicians who laugh at us mortals - wheedle about inadequate laws .... rather neat solutions to abrogate your basic security responsibilities ? Fact is that most cybercrime is carried out by fairly basic means but there's an industry of ass covering in pretending otherwise.

Myth?

[necro2607]

Um, since when are super skilled under-the-rader hackers a myth? If they're so good that they never get caught, then they definitely ARE "Superhackers". Of course, we wouldn't know if we never hear about them.

The most advanced hackers will change whatever data they feel like changing, in such subtle ways that no one ever notices. We might not have many (any?) cases of this, but that's the whole point - if you're subtle enough, you'll never get caught.

My high school still has absolutely zero knowledge of

Re:Myth?

[Anonymous Coward]

"My high school still has absolutely zero knowledge of some of the hacks I pulled, and they never will know."

FYI Andrew Matecha of Vancouver BC, there is enough information on your band's website and MySpace page to identify you and figure out which school you committed your crimes against. Not that I care, but you might want to think about that before you brag about illegal activity you've participated in.
 

Re:

[necro2607]

I'm well aware of the URL containing my last name on every post I make... ;)

Re:

[necro2607]

BTW, I didn't say anything about committing crimes. "Not that I care", but calling me out on my full name and city of residence and then claiming some kind of illegal activity when I didn't actually mention as such is a bit slanderous.

Re:

[Anonymous Coward]

No, it's actually that they aren't looking for you, because the secretary found it and fixed it when she got back from the restroom.

You too can be a Superhacker!

[TibbonZero]

Knightmare's "Secrets of the Superhacker"...
http://www.amazon.com/Secrets-Super-Hacker-Knightm are/dp/1559501065 [amazon.com]
Who's afraid of a little social engineering?

I know the Superhacker exists...

[operagost]

I know the Superhacker exists... because he's me. Now, if you'll excuse me, I need to go back to my 3D virtual reality interface, hop on my lightcycle, and infect the alien mainframe with the Michaelangelo virus. If you need me, I'm at IP address 24.75.345.200.

Re:I know the Superhacker exists...

[istartedi]

If you need me, I'm at IP address 24.75.345.200.

Wow! You really are a super-hacker. I could never even get a stack to accept that, let alone have those packets route.

Re:I know the Superhacker exists...

[barrkel]

IPv4 address is a 32-bit integer. Typical notation is in base-256, but you can use other bases.

E.g. on my machine:

ping 66.102.7.104

is equivalent to:

ping 1113982824

Similarly, 24.75.345.200 is actually this address:

PING 407656904 (24.76.89.200): 56 data bytes

Re:

[Anonymous Coward]

This is the lame ass address for the lame ass hacker in the lame ass movie The Net.

Re:

[Woy]

And i hacked slashdot to change that IP byte to 345 to make you appear ignorant.

Who is talking about a super hacker?

[madsheep]

Before I move onto the title of my post, let me just say Kevin Mitnick.

Sure it's an old example, but it is also a great example. Maybe he didn't go releasing chaos in every category, but for a public example this is a pretty good one. Look at the stuff he got into and ahold of. These articles burned my eyes so I couldn't read the all three parts or even all of part one. Sorry, but one other thing -- where exactly is all this concern and discussion about a super-hacker? How can it be overblown, overhyped, etc? I don't hear anyone talking about a super-hacker.

Re:

[multisync]

let me just say Kevin Mitnick .... Look at the stuff he got into and ahold of

Which "stuff" was that? A list of credit card numbers everyone on Usenet had? Some source code Sun gave away for free to academic institutions?

You know, he could also whistle the launch codes in to a telephone to start a nuke-you-ler war.

Ohm's Law

[tjhayes]

Law School professor Paul Ohm
I wonder if he teaches Ohm's Law?

Re:Ohm's Law

[tachyonflow]

I wonder if he teaches Ohm's Law?

As a law professor, I imagine if Professor Ohm sought to teach electronics, he'd encounter a lot of... resistance.

Re:

[Doctor-Optimal]

This is the omega of bad jokes...

Re:

[e9th]

No. There was simply too much resistance.

Re:

[zero1101]

You guys should really resist the urge to make any more silly puns.

Ah, crap

Whois Paul Ohm?

[fahrbot-bot]

I tried to run a "whois 'Paul Ohm'" like they did in the movie "The Net", but it didn't give me picture of his employee ID badge. What gives? Perhaps if I hit the Esc key a few times, I can hack into his computer and get it...

I can't imagine where people get all these ideas about "super hackers" and the like. Now where are my VR goggles? I need to hack a Cray using this pay phone down the street...

Re:Whois Paul Ohm?

[digitalhermit]

All it takes is a little ignorance.. There's a saying that goes, "The man with one eye is king in the kingdom of the blind." I'm hardly a guru and know about as much about DNS, TCP/IP, networking and operating systems as the next career IT guy. But it's cool how things get started..

At one company I was asked to "break into" a Windows machine. The previous user had left and only he had the password. He was not on speaking terms with the company. Luckily, the user had given me the password to another system. Even luckier, he used the same password. So after about fifteen minutes of making myself look busy, I tried his password and got in. No one asked how I was able to get in; everyone assumed that I was able to hack the system.

At another company there was a dusty router that sat in a rack. One day it stopped working. They'd tried power cycling it (their usual troubleshooting step), but that didn't work. So I went in, unplugged it for a few minutes, plugged it back in. I was looking through the manual for a troubleshooting guide when someone comes over and congratulates me.

Richard Feynman had a similar story but it involved safe cracking. And most people know the joke about the plumber, the punchline being, "but knowing where to hit costs $300." Forget the latter, it's not relevant...

Anyhoo, the point I'm making is that it's easy for people to mistake dumb fool luck and bullshit for real expertise. I know this firsthand.

Re:

[Chris Burke]

There's a saying that goes, "The man with one eye is king in the kingdom of the blind."

I thought it was "In the kingdom of the blind, the man with one eye is totally fucked when the sun sets since the blind don't have lamps". I once even read a short story that explored the idea.

That's my random comment for the day. There's certainly insight to the saying, which like most sayings aren't meant to be taken literally.

Re:

[Chris Burke]

Oh, I see.

Well then here's hoping for times of madness, so I can charge ridiculous consulting fees!

control

[wall0159]

Hackers, terrorists, drug dealers, child molesters, communists:

Useful tools for the control of a fearful and gullible populace.

Re:

[ArsonSmith]

Guess you had a big glass of the Koolade.

Odds you will be a victim of

[king-manic]

Hackers

Ever had your credit rating trashed by someone who lifted your financial info through a crack of a third party system? Many thousands of people have.

Odds 1:10,000
worse is you bank with retarded banks.

terrorists

Are you alive? Many thousands of people are not. Another couple dozen just died in Algiers today, killed by the local franchise operators of the same group that has attacked embassies, a US naval vessel, the WTC, the Pentagon, bars, nightclubs, hundreds of markets and restaurants, etc. This month, they are on a new campaign to ambush and kill anyone who reports to work in rural Afghanistan to teach young women how to read. It's super duper, though, that you don't find the people in London, or Madrid, or Detroit that preach the warm-up act for the same crap to be any concern at all. That's comforting!

odds 1:1,000,000
worse if your brown and live in a poor nation

drug dealers

You cite drug dealers, and then complain about "control?" These bastards deliberately seek to make behavioral slaves of generations of their neighbors, and think nothing of the resulting waste of lives and all of the accompanying damage. You'd rather that Wal-Mart sold heroin? Have you ever met someone with their teeth rotting right out of their meth-cooked skull? What is it that encourages you to gloss over the people that seek to make money peddling meth to school kids, or pretend they don't exist?

1:2
But the majority are pot pushers who sell to your kids. Your kids use it like you used to use beer... or pot/lsd. The potential harm for most people is minor.

child molesters

Ever met someone who had their youth stolen by someone like that? Let's find you a few thousand of them, and then you can address them, explaining how the people who did it to them don't exist, or aren't really a problem, and should be allowed to keep doing it. I'm sure you'll be persuasive.

1:100,000
Although these sick bastards affect everyone around their victims, they aren't that numerous. Many people still lead okay lives afterwards with some issues about security and sex. It's not a very homogenous group either.

communists

Well, you've got me there. They only killed a few hundred million people in the last century, so that's not so bad.

0:1
Communism is an idea. What killed most of the people your refering to is mob justice, fear, racial hatred, green, xenophobia, and poor management. Communism is general is a useless idea that was never fully implemented by anyone, could never be so, and used liek religion to clobber people.

Re:control

[petrus4]

Are you alive? Many thousands of people are not.

I notice there's one word you keep using, here. Thousands. Last I looked, the population of the planet was around 6 billion and climbing. My mathematics is hit or miss, but it sounds to me like you're saying that laws that affect at least a major chunk of those 6 billion people should be made on the basis of actions that kill less than 1% of them.

To me, that isn't terribly logical. On that basis, to me it'd make sense that if a War on Terror was going to be valid, surely a War on Ebola would be even moreso, since I'm guessing the number of people it's killed would be higher.

Sounds like someone doesn't know things...

[Grimfaire]

This guy who is a suppossed specialist in computer crime apparently never spent time being a security admin for a network. You know, those guys who spend all day making sure servers and workstations are patched, passwords follow policies, exploits are kept track of, logs analyzed, IDS/IPS systems are up, running and monitored. Who go to sleep at night worrying where the next one is coming from?

He doesn't see large outbreaks as often as before because of people like that. They stay on top of all these thi

Like the Super Terrorist?

[Goblez]

Unfortunately a lot of laws and rules are created and govern the masses based on the few.

And not just at the inconvenience of the few, but rather of the many. Does it make sense? Only if you think that by forcing everyone to do less you can restrain the ones that don't care about the rules.

Oh wait, that doesn't really make sense either . . . well so much for thinking about it, let's just blindly follow . . . Patriot Act FTW!

At root, the article attempts to pervert English

[dbIII]

The guy is aware that the word superuser already has a meaning but wants to invent a new meaning for it. I've seen this behavior a few times with other words being redefined by other people to cause confusion. Is this sort of stupidity common in US Universities now?

The last thing we wnat is this term misused in a law somewhere or even in popular usuage. Some poor sod getting dragged off by security after being heard uttering what will be the suspiciuous words "I'll have to get superuser access" is some stupidity we can live without.

Other than that there are good points - he's talking about the mythical "cyberterrorist" (also a bad word due to distinct lack of angry robots with bombs - but at least it doesn't already have a meaning).

Re:At root, the article attempts to pervert Englis

[SL Baur]

Yeah. First they stole "hacker", now they're trying to steal "superuser" from us too? Enough already!

Too much attention is paid to the powerful user, or the Superuser as I call him. (UNIX geeks, I'm aware I'm overloading the term.)

English pervert or moron.

This article is dumb

[MattW]

The first mistake is to think that anything mentioned even requires you to be a "superhacker". Identity theft is trivial. Stand on a street corner and say you're registering people for a contest, and put name, address, social security number on the form, and 90% of people who stop to fill it out will just put their SSN down. Stealing "software" and "media" hardly makes you a superhacker; hundreds of thousands of people do it every day, 99% have probably never even compiled a program. Virus writing isn't difficult either; it's finding the hole to exploit in the first place that CAN be difficult. But given an exploit, turning it into a virus isn't that tough.

Even when we take it up a notch and look at actually dangerous attackers, like people using widespread vulnerabilities to deploy custom rootkits, we're not talking about superhackers.

Then there's a class of people who, if they are inclined to be lawbreaking and antisocial, are superdangerous. Take a look at someone like Michal Zalewski [coredump.cx], who's been pumping out advisories, proof of concepts, and gems like a hobby OS for...well, a long time. Can you imagine him in the wild as a black hat? Ugh, scary.

Then there's real superhackers. One former coworker built a railgun for fun, cracked DES (key recovery in 24 hours on a p3, given certain fairly common preconditions), cracked the remote management on a major commercial firewall (because we lost the password, and it was easier than going offsite for password recovery), then founded a security company, got rich when they got bought out, and moved onto toy around with things for nasa and the DoD. So, if someone like somehow finds their way onto - and stays on - a black hat path, well, the mere fact that securing something is harder than cracking it means he will always find a way in, if he wants to badly enough. I think they'd have to be unbalanced to stay black hat, since that sort of talent will either get them illegitimately rich enough that they'll avoid danger, or get them legitimately rich enough that they'll give up black hat activities to go legit.

But identity theft? Please. Peanuts. They're more likely to use large scale espionage to find some valuable nugget; perhaps upcoming M&A activites. Then they sell this info to a third party with plausible deniability and a lot of cash - say, George Soros (not that I'm saying he'd buy, but for example) - and let them profit massively off it and take a kickback. Just one significant score like that should be worth 7-8 figures. That's just one example out of a hundred scenarios where a true uberhacker could illegitimately profit. And they'd almost certainly only do it once, if money was their motivation.

A Million Monkeys.

[Kaenneth]

If a million monkeys could eventually happen to write Hamlet, a million typical users could eventually crack important network security. ...redacted document files retaining undo information, poor password choices, nigerian scams...

the more difficult a security system is to use, the greater the chance it won't be used.

employees will write client information and passwords on paper, allow others to use use their accounts, or hit 'yes' to every prompt.

So very wrong

[lostboy2]

I read the abstract of his paper, read the beginning of TFA and skimmed as much of the rest as I could stand and I have to say this guy is so wrong it feels like my head and heart are going to explode. There's no way I can do justice to how wrong he is, and this is going to devolve into flamebait, so I'll just pick a few points:

For example, law enforcement officials talk about the spread of zombie "botnets" to support broader computer crime laws.

Yes, governments and law enforcement agencies use fear tactics to support broader crime laws and curtail civil liberties. Guess what, that's not the doing of IT professionals and computer security experts. Governments and law enforcement agencies have been doing that long before there were computers.

We know that the Superuser's power is often exaggerated for three reasons:
First, some statements of Superuser harm are so hyperbolic as to be self-disproving

So, because some people exaggerate the problem, there is no problem?

Second, experience suggests that some online crimes are committed by ordinary users much more often than by Superusers.

Emphasis mine. So, again, does that mean we shouldn't be concerned about people who DO have the skills to do serious damage? What was that about the ASUSTek website being hacked [com.com]? Was that done by an "ordinary user"? And you're saying that Bob from Accounting is responsible for all of those 0-day exploits? Great, I'll go bash him right now.

The third way to dispel the Myth is through studies and statistics. As one very recent example, Phil Howard and Kris Erickson of the University of Washington released a study which found that sixty percent of reported incidents of the loss of personal records involved organizational mismanagement, while only thirty-one percent involved hackers.

Ah, so 31% is negligible. By that reasoning, I don't have to pay any taxes this year. Plus, that's only one study about reported incidents. How many people reported when their PCs were infested with a virus or trojan? Who would you even report that to?

I've seen new Windows XP computers plugged into a network get pwned before you could finish going through the Windows setup wizard. The reason stuff like this doesn't result in "loss of personal records" is because IT professionals and security experts put in a s**tload of effort to make sure it doesn't. But IT professionals and security experts can't prevent a PHB from putting sensitive info onto a laptop and then taking it home only to have it stolen.

There has never been a death reported from an attack on a computer network or system.

Yeah, well, I work in a hospital. Every time there's a large-scale problem with the network or enterprise system, it seriously affects the staff's ability to perform their duties. That translates to worse care for the patients. So, do you want your hospital to be running smoothly or not? Do we have to wait until someone IS killed to take security seriously?

In stark contrast, experts in the field of computer crime and computer security are seemingly uninterested in probabilities.
The problem is that so-called computer experts tend to have neither the training nor inclination to approach problems statistically and empirically

Buddy, I'll take Bruce Shneier's assessment of security over yours any day.

Re:

[networkBoy]

Right, well your funny aside, the article does mention that they exist, just that they may not be worth catching.
-nB

Re:Ah, just call me...

[ez76]

It is a foregone principle in developing secure systems, that you have to assume every user is the "superhacker" and cannot be trusted.

It doesn't take much reasoning to show why this must be the case.

So why is Ohm resistant?

Re:Ah, just call me...

[gEvil (beta)]

So why is Ohm resistant?

Get out of here! Now!

Re:Ah, just call me...

[JakusMinimus]

+1 insightful
+1 pun

Well done friend, well done.

The math of puns

[Gazzonyx]

Funny. Here on slashdot a pun is +1.
In social situations in the real world (check it out some time, great resolution and killer refresh rates!) my experience tells me puns are -1 and -2 if they're geeky puns!

Re:

[fredNonesuch]

Actually, I don't think he's resistant to that at all. From what I read in TFA, he's arguing for two things. The first is actual data collection on the phenomena so that discussion can go from anecdotal/emotional to hard data based. The second is that our responses should be based on the conclusions FROM fact based discussions rather than hysteria.

One thing that I haven't seen discussed in other posts is the usefulness of hysteria about hackers to law enforcement. It's given them unprecedented access to

Re:Nothing speical about hackers

[ScentCone]

but in reality most of the crimes are committed out of stupidity or drug influence

I don't think that inside theft of database dumps containing hundreds of thousands credit card accounts and SSNs is done by stupid or drug-addled people. I don't think that people who systematically probe for SQL insertion vulnerabilities on transaction systems in hopes of defacing something with some politicized rant are stupid or drug-addled. I don't think that people plant stealth FTP servers to serve up kiddie pr0n from unknowing desktops are being stupid or drug-addled. You're confusing malice with stupidity, and poisoned ethics with drug dependence.

Re:

[Knara]

*sigh* Simile. He's not saying that stupid or drug addled people perform the cracks that you list. He's saying that Hollywood's version of criminal motivation and the types of people that commit them often do not line up with reality.

Re:

[mandelbr0t]

Just be sure the Hackers aren't responsible for or have production access to the audit data :/