344 DEAR HACKER


the articles we print here have not shown up elsewhere. And after their articles are printed here, writers can do whatever they want with them, unlike most other magazines. Why it’s such a big deal that we ask you not give us material that readers may have already seen is difficult to grasp. Since you already seem to have convinced yourself that we’re exploiting you, we doubt any answer we give is going to satisfy you. We only hope our readers and future writers see the value of these guidelines.

Dear 2600:

It’s funny to see 2600 complaining about being associated with those who took down aljazeera.net on their news page. It seems to me if it talks like a duck, sounds like a duck, feels like a duck, it’s probably a duck. In other words, when you host mirrors of hacked webpages, publish articles on how to exploit IIS, and advocate hacking websites as a “form of expression,” it shouldn’t come as a surprise when you are associated with those who do this sort of thing regularly. How is this not blatant hypocrisy? Either these people who hack sites aren’t really hackers, or you’re lying. But if they’re not hackers, why do you call it “hacking” web pages?

Another example centers around some of the articles you publish. Articles that come to mind are “Outsmarting Blockbuster,” “A Password Grabbing Attempt,” etc. What possible relevance does this have to “protecting privacy” and “preserving security?” Teaching readers how to circumvent late fees is nothing short of stealing. Thinly veiling this as a way to get out of a situation similar to arriving 15 minutes late because your car broke down is inexcusable and irresponsible. In “A Password Grabbing Attempt,” one is clearly trying to exploit unaccustomed users’ ignorance in an attempt to... grab their password. This is not just pointing out a security hole; it’s pointing out a security hole and explaining in very close detail how to exploit it for no justifiable purpose. Pointing out a security hole is much more like your article entitled “The Current State of E-Commerce Security.”

I suppose this would be a good time to explain that I don’t find all your articles immoral and unjustifiable. The “History of 31337 SP34K” was thoroughly entertaining and a lot of your social commentary rings true to me. The article about setting up a home server was informative, and Comcast’s Operation TIPS talking points sheet was relieving and yet haunting at the same time.

The bottom line is you can’t keep riding the gray area. Either live up to your supposed ethic of protecting privacy, pointing out security holes, and taking necessary steps to assure they’re taken care of, or drop the facade. Dogmatically excusing your exploitations as free speech is almost as inane as the government encouraging fellow citizens to look over each other’s shoulder for “suspicious activity.”

fyrwurxx

We’ve obviously bothered you a lot for you to write two such letters in the space of a month. Let’s start by getting our facts straight. What happened to aljazeera.net was not something so innocuous as an altered web page that could be fixed with a single command. It was a systematic denial of service attack which had the (in all likelihood intentional) effect of silencing their online presence and cutting off their perspective from the world. It really shouldn’t be too difficult (unless you’re the mainstream media) to see that such actions have got nothing at all to do with hacking and are, in fact, in direct opposition to the open society and free speech that so many of us value. It’s a bit less obvious whether or not those who simply deface web pages should be considered hackers. We think it depends on the motive and the execution. Someone simply running a script written by someone else isn’t really doing anything that requires hacker ingenuity. Unfortunately that’s how a lot of so-called hacked web pages come to be. With commonly available exploits, it’s possible for a site to get hacked without a hacker being directly involved. But that doesn’t mean that creative hackers aren’t still figuring out ways around security.

You may not recognize the value of some of our articles but be assured that there are many who do. While you may see the intent of publishing a particular security weakness as only serving the purpose of someone who wishes to exploit it, it’s not that simple. Showing the end result is an important part of disclosing a security weakness. Seeing that end result is often necessary in order for someone to take action to either fix it or prevent similar occurrences. And learning the methodology is a vital part of any sort of hacking and what better way to do this than to see spe-