11-YEAR-OLD code wizard hacks Greedy RuneScape geeks A Trojan that promises RuneScape players gold but instead steals their passwords was developed by an 11-year-old, researchers claim. Antivirus biz AVG said it made the discovery after studying a piece of code masquerading as a cheat tool for the wizards'n'warriors online role-playing game. The malware asks victims for their …
"Before some government tries to prosecute him as a cyber-terrorist." OMG, you're so right! Them dastardly, scheming G-men and NSA Nazis are everywhere, just waiting for an excuse to slap the irons on some innocent guy just because he tried to steal from others. In fact, they probably won't like you pointing out their nefarious plans, probably best you cut off all communications and go into hiding too! Don't forget to wrap your mobile in at least twelve layers of foil, and don't just disconnect your modem, rip the cable out at the junction box 'cos I hear they have alien tech that means they can see you through the wires.....
/If you need a sarc tag you are too stupid to be using a computer.
Typical software geek response... it's not about the end result, only how technically good the implementation. ...the guy sitting on a beach drinking champagne with your money for example,,, it's the exact opposite.
You don't need elegant solutions if you just beat up somebody, then take his purse.
You do need elegant solutions if you want maintainable, reliable, adaptable, testable code. Or at least something viable when you just want to get paid for your shit in the marketplace.
Two totally different things.
"Writing a fake program that asks stupid people to enter their login details != hacking."
Actually, using the proper definition of hacking it sort of does. One of my first forays into 'fun' programs I made in college was something that simulated the network's login process, it captured what people entered and presented them with an error that encouraged them to use a different machine, after a few attempts it shut itself down and let people log on normally.
This was 20ish years ago though, when this sort of thing was harmless fun.
I'm not that AC, but I did do almost exactly this myself, just for my own curiosity. It caused a bit of a sense of humour failure in the IT department when they were given a list of usernames and passwords, some including their own staff.
I had no intention of doing anything nefarious* with these details but these days that doesn't seem to matter. They did considerably tighten up on their security before too long though and at least they understood that I wasn't going to do anything bad with them, didn't do it to intentionally make them look bad (otherwise their reaction could have been different), didn't shout about it around the Uni and even showed them what I did.
* Just had to use that word, it's probably underused.
"...suggests that kids are "digitally fluent far earlier than previous generations..."
Or alternatively, now that any computer-related misbehaviour anywhere in the world leaves you open to extradition and long sentences in US prisons: that adults are hacking, using accounts set up in their kids' names.
I've heard of shop-lifters using a similar technique by encouraging the kids to nick stuff while mum "wasn't looking". Remember though folks, this approach only works while your kids are under the age of legal responsibility!
'suggests that kids are "digitally fluent far earlier than previous generations".'
You might want to explain that to all of us who were coding home computers during the 80s.
Yes, this is just another variant on the "digital natives" myth, which has been widely debunked by pretty much everyone who's done methodologically-sound studies on the question, rather than just make idiotic assumptions of the sort that get you a Wired editorship.
There have been 11-year-old hackers at least since the rise of PCs in the 1980s. I spent many an hour poking[1] around in the address spaces of Commodore, Tandy, Atari, Apple, and IBM PCs in the early '80s, and I'm sure many others here did too. I don't remember anyone I knew personally creating malware at quite such a young age, but I did have a thirteen-year-old friend whose hobby was hacking software for the Atari 800 to disable its copy-protection features.
I spent the summer of my eleventh year writing software for the Commodore PET with my father.[2] We were working primarily on a program to track book withdrawals for the school library, which owned said PET. It was a great introduction to software development: it was a project that the ostensible customer didn't want, performance was lousy (audio-cassette media), it was unreliable (did I mention cassette media?), it took a lot longer than expected, and we never really finished it anyway.
Good times.
[1] Heh.
[2] More precisely, the evenings of that summer. During the day we were residing the house in cedar shingles. Do kids still do that?
How is their security 'idiot' if someone puts an app on FaceBook which users download and enter their details into?
Still, you managed to get a few plus votes by following the usual tactic of insulting someone with an argument which appears on cursory glance to seem sensible. Quite the heights of Reg debate then really...
"......Aka "exaggerate the skills of the idiot who was able to get around our idiot security"....." He did not get around the security system, he used a social engineering trick to get people to load code that captured passwords and logins, presumably so he could then use those to access via the correct security protocols. The only thing he got around was the stupidity of the cheats using the code. The actual game security was just fine.
And?
When I was 11, I wrote a thing in VB (I think it might even have been VB 1.0, I can't remember) which perfectly emulated a Windows 3.1 network login screen (I can't remember the underlying tech, but it was RM-branded and probably Netware-based), complete with working help file and everything.
You logged in as any old dummy account, ran that program, it went full-screen, it even intercepted things like trying to switch away or kill the program (this was pre-Ctrl-Alt-Del providing the logon screen), and it looked and worked pixel-for-pixel identical as a login screen. They you got your target to log in. It faked a password refusal. They would invariably try a couple of times and then move onto another computer. You come along and "log in" with your details and it would let you access ("Must have been typing your password wrong"), and in the user area would be left a nice plain-text list of usernames and passwords tried, which you could then go and try on the REAL login screen at your leisure.
Got admin access to the whole network that way, at least twice, and(because I'm nice) revealed how.
When I was 15, we got admin to the whole network in a way that was so obscure, I had to craft the defence against it for the school network manager, on an OS that had NO concept of security at all (it involved using Word macros to discover hidden drive shares, but it worked and was only about 200 lines of code).
Why is it surprising that 11-year-olds can do this? They *SHOULD* be able to do this already, rather than peeing about in Logo and Scratch. They shouldn't ACTUALLY do it, because of the legal issues involved, but they should be capable of at least worrying the network admin. And I'm a school network admin!
P.S. physics teachers shouldn't use words like "displacement" and make a password like "d15placemen7" from them. Hell, after that I guessed his next 3 passwords without even trying to write a program to do so. Teachers should also NEVER challenge a group of kids to "hack the network, because it'll be a learning experience and you'll find out that we're pretty locked down", especially not when there's a geeky-kid in the room.
I recall the good old days of school computer security... Where the drives were just hidden to secure them, and creating a Shortcut to c: could get you access to them.
I don't think the IT teacher ever figured out I was using winpopup to troll the thickies, and was completely stumped as to how a group of us were playing network games of hearts in the lessons.
I was coding long before I was 11, good old Sinclair basic and computer magazines full of code listings and I learned all sorts from it. Even when I started on pcs it wasn't plain sailing. My first experience of dos was fiddling around with interrupt and dma settings in several vain attempts to try and get some sound in games. Nevermind the joys of EMS and XMS. Kids today have it far too easy to actually learn much from what they are doing.
But things are far too easy and reliable nowadays, nothing ever goes wrong so you don't get people delving into the internals to try and get things working, they may be able to do a lot more than we could, but it doesn't mean they actually know and understand what they are doing.
The school only used VB, so I was spending my school time productively on the products they wished me to learn.
The week before, I'd written an x86 assembly CD-protection-removal "crack" for a game I'd bought. It involved Ralf Brown's Interrupt List and MS-DOS debug.
Geeky enough for you? It was just a waste to use those sorts of things in schools when a simple Word macro or VB interface was enough.
Yes, when I was young I did lots of learning as well.
One thing I thought was pretty common sense though is what is illegal and what isn't.
I could have hacked a whole bunch of things; I might even have got away with it, but I knew it was wrong. Even when I was seven years old I knew the difference between right and wrong. I could have written malicious code then, and could probably make a pretty good virus today, but I choose not to because I understand the potential consequences and take responsibility for my actions.
Unauthorised access to a computer is illegal. Deception is illegal. It is obvious why we have laws against such things.
Sometimes, we may not agree entirely with the letter of the law but we all have to play by the rules. If you do something you know is ethically wrong and then get caught, you have absolutely no room to whine about it.
I'm one of the authors of the new release of the ISECOM Hacker Highschool project, and from what I hear from those who have now taken this into classrooms, kids simply *are* that ahead. They grow up with this technology, so they don't have any barriers when it comes to trying things, and it's up to the older generations (like us, he says, reaching for his Zimmerframe with attached VT100) to guide that into more safer areas.
Switching it off won't work, it just means you lose the ability to guide them towards a safer MO and an understanding of the consequences.
Sigh. Another "digital natives" myth-bearer.
Look into the reliable studies. In general, the current generation is not significantly more technologically savvy in any useful way (eg in understanding how technology actually works, or in awareness of security risks associated with technology). Yes, there are exceptions; but there have been such exceptions for decades.
The only "barrier to trying things" was access, and that began to rise dramatically in the early 1980s. Since then the only changes have been quantitative.
During a 'C' coding course I took in the early nineties I wrote code that emulated the login prompt. The system was Xenix. My code would dump both the user name and password to a file and return "password incorrect" regardless of the password entered, and then run the real login prompt. It emulated the Xenix logon exactly. I managed to do this just a couple of weeks into the course, so I was hardly a wizard or a competent programmer.
I ran it on the terminal that the course tutor used... The silly man always logged in as root.
I didn't consider that hacking because it wasn't... Neither is this.
The thing is, the law doesn't care what an ignorant moron like you considers to be legal or illegal.
We have something called writing which allows the rules to be defined.
May I suggest therefore that you look up the Computer Misuse Act 1990 for a start. Those who are unfamiliar with the concept are also encouraged to read about deception in criminal law which I think you will find interesting.
http://en.wikipedia.org/wiki/Deception_%28criminal_law%29
http://en.wikipedia.org/wiki/Computer_misuse_act
Hardly.
Having seen the "app" in question it's little more than a C# variation of the "Hello World" intro code.
Adding in two text boxes and a drop-down and prettying up the interface, along with the submit button, is a long, long way from hacking.
It even requires the user to download and run the application.
It's social engineering, nothing more.
"kids are "digitally fluent far earlier than previous generations"".
Digitally or what ever, If this wasn't true we would have disappeared long ago.
Kids keep surprising me, and sometimes I wonder what goes wrong later. The disease of growing up and loose ones confidence, fear, religion, teachers or something.
"AVG Technologies said this isn't the first time a child-built nasty has wandered onto its radar, and said the age of the Canadian developer suggests that kids are "digitally fluent far earlier than previous generations"."
Well what do you expect when you give kids the Raspberry Pi and make them learn "real computing"?
Surface-mount madness. Satan on a PCB. Ban them now. Fought two wars. Threat to the Empire. Etc. More Etc.
People are retards, and will always cheat/take the easy way for profit (even if it's just Rune gold).
Also, WTF is with the hardware/games comment pages? Defaulting to a "most votes" ranking seems kind of pointless for the Reg forums. Since a fair % of comments generate further response/follow-up, most of the top voted comments are left displayed with no context. Basically to find out what's up, you need to click through to the "all comments". This would be done anyway if you had any interest in the discussion. This, leaving the "most votes" section at best, a waste of electrons, and at worst an inconsistent eyesore.
yeah,
cos with a few more right thinking people like you then woz and jobs would still be in the slammer (blue box anyone??) and the world would be a better place.
not a bad comment from a self confessed fandroid!
It's frankly astonishing to see so many narrow minded, closed in viewpoints being expressed here. probably envy, but an 11 year old kid saw a 'problem' and fixed it (from the 11 year old's perspective).
they showed some initiative, somewhat misguided i'll concede, but nonetheless initiative.
stick a white hat on them and they could turn out to be of some benefit to mankind.
I guess this is the audience that Raspberry Pi seeks to encourage with their project.
These youngsters should be encouraged to pursue their interests, although not password cracking, and the Canadian authorities should go light on this chap (he has not reached an age of criminal responsibility which is 12 in Canada) so that, hopefully, will keep him from getting a lengthy stretch of incarceration in a US jail, (the present Harper Tory government prostrates itself in front of the US government), or driven to suicide by an over zealous US prosecutor.
"Social" methods of hacking such as ringing people on the phone and asking for passwords have been around for decades. Exploiting people's greed or wanting to get ahead in games without having to either pay for it or earn the advancement by actually playing the game is a newer thing. Why would you not want to play the game though?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
