a jaundiced eye: saner heads
for friday, may 30, 1997.

Quackers - the Lost World Incident

It used to be that "hacker" meant a person who was skilled with mechanical and logical things, such as computers, who found clever solutions to vexing problems. Then, when the mainstream media got wind of the idea of computer crime, they corrupted the meaning to refer to someone who maliciously breaks into computer systems. Now, it seems, the term "hacker" means "publisher", or at least that's what we would be led to believe, given the recent publicity stunt by Universal Studios to promote their upcoming sequel to Jurassic Park.

Universal, in a desperate and bizarre attempt to draw traffic to their site, allegedly lied to the media recently about their site being hacked. CNN bit, as did news.com (note the careful use of the term "quaker" ;-), calling attention to the paucity of research and fact-checking that goes into such stories. Others have already documented their reasons to believe that Universal is lying, so we won't go into it here. The interesting thing is not that it is new, for people have been spoofing the media for fun and profit since long before Cardiff Man. What is interesting is that current Internet culture will likely prevent the full truth from being known.

When the Hackers movie site got cracked a year and a half ago, it was ultimately more or less resolved that it was a prank, undertaken by the Internet Liberation Front during a DEFCON conference. Suggestions were made as to how the break-in occurred, but it is uncommon to get full disclosure of exploit details - at least not through usual channels, anyway. Tsutomu Shimomura complained in Takedown about security watchdog organizations' reluctance to provide full disclosure, despite the existence of numerous sources of such information on the Net. Clifford Stoll has also written, in The Cuckoo's Egg and elsewhere, about the dangers of understating the importance of security and providing vague descriptions of exploits.

And yet, the folks at CERT, CIAC, and other computer security response teams still talk in generic terms, preferring to provide workarounds and patches for known problems rather than to describe them in full.

We'd like to lead the charge for full disclosure by publicly asking Universal Studios to reveal the details of how they were cracked. If their security team is on the ball, the holes no longer exist. If not, well, who knows what might happen to their site next week, or the next, or during the next DEFCON... By providing details as to how their site was cracked, they could do two things:

  • help other web site administrators prevent such awful crimes, and
  • clear their bad name

Steven Champeon

Permanently archived at: http://www.jaundicedeye.com/browse/saner_heads/053097/

© 1997-2001 Steven Champeon. All rights reserved.
All slights reversed.