The Yin and Yang Of Knowledge

Now that's a funny title, isn't it? I was gonna add some other stuff on Cryptography (there are about 3 more issues), but I thought, what's the hurry? (Besides this, I am stuck at one of the cryptographic bonus challenges at osix so I am not really in the mood of talking about this).

Here we are going to talk about something else. It is about this particular article. Now I am not by any means an expert in computer security. Actually, I am not an expert in anything, but the guy has some strange points in that article. Even more, he is pretty serious about them (if you look over the site you see some similar articles over there).

Let us see some ideas that he very often puts on his site: "Hacking is bad". In the article he mentions "Hacking is cool" as an 'anti-good idea' (sic). I am only going to pick on this particular idea, because this is what got me going. The problem here goes as follows: Marcus Ranum says that it is a bad idea to hire hackers to protect your system. This is like allowing a "reformed wolf" for a shepherd.

This is in my opinion blatantly wrong. In any domain if you are going to get good at something you have to play with that something over and over again. Let's say that you want to become a good piano player. Is it reasonable to think that you are ever going to reach some degree of virtuosity without serious exercise at least 4 hours a day? No, I don't think so. A piano player must gain knowledge on how the piano works and what it makes it tick. However, this is not the most important part. The most important part is to gain knowledge of the music. And this, he gains by repeated play of things that others wrote.

You do not become a Beethoven or a Mozart over night. You first must listen to this kind of music over and over again. Then you must reproduce it.... and to write similar pieces. Probably you will never get as good as Mozart at it, but trying to write stuff from zero, without first playing and listening music, is without doubt fruitless.

In the same way, if you want to be able to fix bugs and to write secure programs you must be able to crack first insecure programs. Otherwise, you will never be able to know what is secure and what is not.

Now another controversial thing... Skript Kiddies (or whatever spelling you have there). They are generally considered the worst there is in computers. They are guys who take the program as is and then compile it just to trash your system.

Well, here is another strange fact. I don't think them as ultimately so bad. After all, the kid who actually has knowledge on how to compile a script to trash a site understands something about computers. Besides, he ultimately will get to become a better programmer, if he is curious enough. Think of it... how many game programmers haven't started the stuff as players?

Herein lies another interesting thing. People who want to do something, will generally do it in spite of artificial conventions. Marcus Ranum treats hackers with outmost disrespect blaming them for almost every problem the internet has ever faced. However, if we think about it, a lot of the internet is powered by hacker products. Think of Linux. Think of Macintosh. Think of Google... and yes, think even of Microsoft. Every one of these companies was started by some guys who could have probably been called skript kiddies and good for nothings.

If it weren't up to some guys who like to break the rules just for gaining knowledge we wouldn't be here today. Yes, we have in equal amount the bad stuff: child pornography, commercialization, spam, etc. The solutions to these problems however, will not come from a suit in some office. They will probably come from a guy in Siberia who night after night buttons the heck out of his keyboard.

This is in my opinion the Yin and Yang of knowledge. New ideas, new informations, are only obtained by those radical enough to gain it. Look at it this way:

In ancient Egypt the fractional numbers were very undeveloped. You only had numbers like 1/2, 1/3, 1/4, 1/5, but no 7/15 or 3/4. Some of the numbers like 3/4 were only expressed as a sum of other numbers (in this case 1/2+1/4). A good question might be issued here: Why in the world were the egyptians so dumb as to not see that you could easily change the numerator from 1 to another number?

The answer is pretty simple: Egyptians wrote this number (the inverses of natural numbers) not as we write it today but in a different fashion. Something like a point and under that the number. For example:

1   .
- = 2
2

1   .
- = 3
3

1   .
- = 4
4

Therefore, they didn't even imagine that there was a 1 hidden somewhere because of the notation. Also, the writing was considered holy (the hiero part from hieroglyphs means holy). To change it would have been a blasphemy. This explains why the writing in Ancient Egypt remained pretty much unchanged from the years of the Old Kingdom up to the days of Cleopatra.

When some irreverent Greeks found about these interesting ideas they started playing with them. They experimented with 2/3 and other similar numbers.

The same is in computer security. To gain knowledge you must not be afraid to play with sacred cows. If you are able to write a secure OS, write it. However, if your knowledge stops only at compromising an insecure OS, write an exploit on it, document it, post in on a mailing list and wait the reactions of others. This will also get you knowledge.

---------------------

P.S.: I for one do not use the term "to hack" a lot. It seems however that lately, I stay around a lot of people who use it in the most interesting senses of which almost none have any relationship to security. A guy recently told me that he "hacked together a script to make his homework" or stuff like that. Now most of the applications that were linked to the word "hack" I generally considered interesting in purpose, if not really cool. So perhaps this is another reason why I picked on the article above.