Kalimat al-Mutafalsif

So, some of my friends, in the past, have asked me to teach them how to hack. I normally agree, depending on who it is, to give them the tools. Teach them UNIX, show them how to find stuff online, etc. What I can't teach, however, is the mentality. I had some fun last night, and I figured I'd share it with you, give you a feel for how a hacker thinks.

First, I have to tell you a little bit about myself.

See, hacking, in its purest form, is not what the government, hollywood, or the media want you to believe. Hacking is merely finding a creative solution to a problem. You might remember my post about Hacking Your GPA. I never once talk about actually cracking a system, except to say it's illegal, instead I focus on how an individual can get the GPA they want with a whole lot less work. I want to make a clear difference right now between "hacking" meaning a creative solution and the "media hacking" meaning click a button, and make a botnet (we call them script kiddies).

I'm a big fan of 2600, the hacker magazine (side note, I love the google impersenation they have up right now) and buy every new issue when it comes out. I do, however, pay cash, just in case it is tracked. Every time I buy it, I end up in the same conversation with the cashier.

"So, this is a hacking magazine?"
"Yea."
"So, you're a hacker?"
"Yea."
"Isn't that illegal?"
"Nope, I hack my own systems, do security audits, anything when I have permission beforehand."
"Oh."
"Why are you a hacker?"
"Because its how I think. I like information, knowing how things work, and it drives me crazy if I can't figure it out. have a nice day."

Some things change, others remain the same. There's always an incredulence to their voice when I admit I'm a hacker, as if I should be scared. At first this scared me. What if they recorded who buys this? What if the media gets the government to go on a hacker witch hunt? Then it pissed me off. These people judge what I do. Assume I'm a no talent script-kiddie, and that I only look to hurt people. Now, I enjoy it. Every conversation I get to enlighten one more person that hackers aren't evil. We're normal people, blessed with an inquiring mind. So, after my last conversation, no one was in line, and I opened up to the cashier. Told her about hacking. Pretty much all of the above. Her response?

"Oh, I never knew that's what hacking was. Thank's for telling me."

It was a good feeling, standing up for a whole culture that gets a bad rap. So, that's what I think of when I say "hacker". I know people assume we're script-kiddies, just looking to hurt people. Dirty guys sitting in dark rooms laughing as they take down government systems. But I have to say I'm a hacker because I have the questioning mentality of needing to know how stuff works, and I'm proud of it.

Background aside, yesterday in my phishing class a guy stood up, and told us of a phishing email his sistere got. How he'd now have to talk to his family about Phishing, and all that. I decided to check out this company (name not mentioned to protect them, and me). Here's how I was thinking.

Reasons
The entire reason I did this was to find out if my classmate's sister was in trouble from these

Recon
First I did a dig on the domain name. Found who's it was registered to, and where it was located. Turns out, it was off shore. later I found an IP on one of their pages, did both a dig, as well as a traceroute on it, to find out where it was located, and how it got into the country.

Next I visited the website, and found it was a gambling site. Interesting.

Cracking
While I was trying to get into the page, I ran into the problem that they actually verified credit card info. Since falsifying that is a crime in this country, I had to find a work around. First thing I did was check the source of the page. It normally yields at least the next place to check, if not the answer. Sure enough they had a poor coding scheme, intro page was 1.asp... I was on 3.asp... so I tried 4.asp. Bingo, it welcomed me, and sent me to their main page. This yielded the IP I tracked down later.

Where to go?
So, you're into the site, where do I go from here? So far everything's looked like it's legit, and I wasn't sure if I needed to poke around more. But, all their gambling programs were flash programs. I like messing with that, so I grepped the source again, and found the name of the files. They were fairly decent in security, in the fact that I couldn't use wget to traverse their file structure. Kinda a setback, but I got around it. The goal here was to prove the flash files were fakes. Turns out, after decompiling, they weren't. This was a legit site.

So what?
Well, I got out of the site, and thought about what I'd learned. As an aside, every hacker should learn something from everything. If its the millionth time you've played this game, look at the one spot you never look at. Analyze your own game play. You'll find something to learn. Anyways, I came to the conclusion that this site had some tricks to it... they made it look like it was secure when it wasn't, and had some nasty stuff in the EULA but was legit. So, it wasn't a phishing scam, the guy's sister and family had no reason to worry, but regular users, if they didn't read the EULA, would get screwed out of a ton of money. Well, if you're frequenting off shore gambling sites, you're probably already losing money.

I realize I mention a lot of UNIX command tools, and general network stuff, so if you're unsure of something, feel free to ask. If anyone wants to learn how to hack, feel free to ask, but I can't teach the thought process, so if you're not naturally inquisitive, forget about it. I feel I should say I didn't break any laws doing the above, and I don't support illegal actions (gotta say that to not get sued/arrested).

Interesting topic today, hacking your GPA. Now, as I'm using this, it probably won't bring you from a failing student to an A student, but it might bring up a letter grade, or more.

What is it?
The basis of this idea, is social engineering, also called Social hacking. This is using the human element of a system to gain entry, or something that benefits you. For instance, posing as a technician for a call center, in order to access call records, or change your phone line.

How can this apply to your GPA? Well, teachers are the human element. If you're a talented hacker, you could attack the grading system (most schools use computer based ones now) and change your grade there, but that's illegal. however, exploiting teachers is not.

For those unconvinced right now, I offer a simpler explanation. If you hack, crack, or in any way attack the school's grade system, you leave behind traces. These can be traced to you. It's illegal, and you can be prosecuted, or just expelled, or both. Now, if a teacher makes the exact same change as you, there is no repercussion, because a teacher is trusted. This is like having a police officer let you out of jail, and breaking out. One brings penalties, the other only benefits you.

How do I do it?
Now, how does one hack a teacher? Some call it sucking up, but that won't work. many teachers can tell the suck ups, and just think they're, well, suck ups. A better route is to genuinly get on the teacher's good side. Demonstrate from the begininng you mean to do well in the class, and you're ready to put work into it (even if you aren't). This might entail going to office hours, but I prefer just to show up to class early, or stay late, and engage the teacher in conversation. Find a common ground, or mutual interest, and get to talking about it. You want the teacher to consider you a trustworthy friend. If you can get the teacher to believe in your abilities, you might not have to prove them.

Examples
As an example, I'm studying a foriegn language (Arabic). I had a course last year, a one on one with a teacher. I did hardly any work for this course, and mainly just used my ability to think on the fly to get my through the course. At the end, I approached her about moving into two classes she taught. Without even thinking she agreed. She'd seen my "talent", and would be glad to let me into more of her classes. Those two courses are relatively easy for me, but mostly because she believes in me. I pointed out that she graded a test too easy (gave me a much higher score then I should have gotten) and she just told me to keep it, it didn't matter to her, as it would "Be the difference between an A and an A+."

In another class, the same thing happened. I was graded way too easy on a test, mainly because the teacher had seen my "abilities" and assumed the answers were correct, without checking them too carefully. He just said "bank error in your favor" and let me keep the high grade. The same teacher requires notebooks in another course. I was way behind on work, and mine waas quite scarce. So I did a few easy lessons, and threw them in. When he graded it, he mentioned that these weren't required, so I replied that Ihad them done anyways. He accepted it, and due to the false lessons, said my notebook looked complete. Also said I shouldn't have to worry about my grade in the class.

See, in the above examples I spent a few mintues being nice to the professor, offering my services (computer consulting, and help) for free. The professor learned to trust me, and as a result assumed I would be correct, rather then wrong. Most teachers assume wrong, and check for correctness. Now, I have four courses (two each of the above teachers) where I'm getting an A, whether I deserve it or not.

Also beneficial is to find the professors who have similar interests. I happened to write a paper on the work of a professor here, and through subsequent conversations, I got invited to his grad course. He also has hired me as a research assistant, and given me an office, out of his own grant money, just so I'll work with him. Did I deserve this? No, I'm not even a CS double major anymore (I do have one of two minors, and will get the other also), nor am I a grad sudent, nor do I have any security background. Merely the fact that I impressed him with my "talent" and represented myself as what he wanted, not necessarily what I am.

So, what does all this mean to the average student?
If you're sitting at a low grade, say C or C-, you might be able to make that a B- or B if you employ these tricks. Choose the rest of your classes carefully, and hack the teachers, teaching assistants, and advisors, you can get far. Invitations to classes you couldn't normally get into, and (positive) discrimination from the teachers being two immediate benefits.

If you're looking for grad school or scholarships, this is also really good. Many teachers just write a basic recommendation letter. If you hack one, you can get something a lot longer, in more detail, and with a lot more praise directed at you. I've happened to read two letters that I got for a summer program, which I never applied for, and both teachers were ones that I'd hacked. They were the best letters of recommendation I'd ever read, with both guys actualy putting themselves on the line vouching for my character, talent, and whatever else. One was a guy I had known a grand total of a month by this time. The other claime his military career as reason why he *knew* I should be accepted to this program, and that the military missed out by not letting me enlist (yes, I tried, for those of you who don't know, they have a height/wieght requirement, I need to gain 30 pounds).

I highly recommend people start trying to hack more teachers, it'll save you time studying, and doing homework. Heck, I've been allowed to skip classes, and not turn in homework because the teacher was "sure I understood the material".