Script Kiddies
According to Wikipedia: In hacker culture, a script kiddie is a derogatory term used for an inexperienced malicious hacker who uses programs developed by others to attack computer systems, and deface websites. It is generally assumed that script kiddies are juveniles who lack the ability to write sophisticated hacking programs on their own, and that their objective is to try to impress their friends or gain credit in underground hacker communities.
We continue: Script kiddies have at their disposal a large number of effective, easily downloadable malicious programs capable of harassing even advanced computers and networks.
Anyway, according to Wikipedia, I do not know a single person involved in the information security industry today that does not fit the description of a script kiddie. Even the best and the baddest hackers I know can easily be named script kiddies if they change their handle to something you are not familiar with. Here is why:
- Script Kiddies are juveniles - All malicious hackers are juveniles (mind or body) regardless of their skills and abilities.
- Script Kiddies use tools they don’t write - Like you write everything you use? Life is short! Successful people build themselves on the top of the experience and the work of those before them. Why reinvent the wheel?
- Script Kiddies have at their disposal large repository of downloadable tools - You mean like Backtrack? Or perhaps any standard Linux distribution?
- Script Kiddies deface websites and scan the internet for known vulnerabilities - Hackers are opportunists. Skill sometimes is not enough. You need to be lucky too.
- Script Kiddies cannot program - It is perceived that 1337 security researchers are those who know ASM and C and perhaps perl, python or ruby. A junior web developer knows 10 times more languages and has experience with a lot more programming environments.
- Script Kiddies’ objective is to try to impress their friends or gain credit - Everybody wants some type of credit even when they claim that they don’t. They lie. In our human nature there are a driving forces bigger then wealth and these are credit, approval and acceptance among your family and peers.
And this is pretty much all I would like to say about the script kiddies. Make up your own mind.
Comments
Well, I cant agree with you. There are two possibilities: you don’t understand what you’re reading (which I doubt) or you want to say something about something that really doesn’t matter at all.
Exempli gratia:
Yes, of course you shouldn’t reinvent the wheel but you clearly should understand how it works and how to do it if you must to. Script kiddies use tools like others but they don’t understand how tool works at that’s the catch because without understanding you cannot use something properly.
Well, if you really think about hacking you need to know assembler and C also. (C because it’s wide spread not because you really need it, Asm you really need). It doesn’t matter that junior webdeveloper knows because webdeveloper do not need to worry about i.e. properly memory allocation.
Of course but it doesn’t collide with each other. Everybody wants some credit, that’s true but not everybody do something only because they want credit. Hackers want credit like any other human being but they don’t do something only because they want credit (which script kiddies does).
And I can opposite every other argument that you wrote. It’s just pointless because you point out things without logic behind; you just write some dumb acapits to prove you’re right, but you are not.
PS.
Sorry for my poor english.
more ontopic: There is something, which is missing in the description of a script kiddie. Normally they use hacking tools without understanding what those tools are actually doing. I think that the lack of understanding is the main difference between a hacker and a script kiddie.
the reason behind this post is fairly obvious. while I understand that most of the readers will say well yes, script kiddies this and that… bad, bad, bad, no one really asks who are the script kiddies and what the term actually symbolizes. why? because most people have prejudice. it is too hard to think nowadays when you can get most of the answers from other people who don’t have a clue, or the web.
omegalfa, you can find a lot of logic in my thoughts. i can counter argue every point you make but that will be a complete waste of my time. clearly, you think that knowing ASM is a great thing but I can tell you that I’ve taken ASM courses as part of my high school education but this does not make my classmates hackers.
the security scene is full of prejudice. if you are not part of ASM/C group you are out of it. you are a script kiddie. if you don’t understand how the tool works then you are scrip kiddie. you are out of the group. but knowing how to write a tool and knowing how to use it in the most effective way are two completely different things. more over, people that write the tools often don’t know how to use them in the most effective way. i bet that at some point in your life you used a tool that you didn’t understand how it worked. perhaps it was closed source. perhaps you were too lazy to read the code. perhaps at that moment you were a script kiddie!
orlin, parts of your comment were censored out. read the rules before posting.
your comment doesn’t make sense. surely you must have a tiny clue what the tool does before using it. understanding how things work is a very subjective. everybody who claims that s/he knows everything, clearly doesn’t have a clue.
my point is that between you and those that you call script kiddies there isn’t much difference. we are talking about different people at different point of their learning curve.
@pdp
So very true. Anybody claiming that he/she had learnt programming without looking through, running and randomly changing seemingly incomprehensible examples is probably lying. It’s called “learning by example”. I still remember copying-and-pasting the BASIC examples from the help file, and trying to understand what’s going on - possibly running them several times until things get clear. Or using a piece of “dark magic” code (abound in low-level languages).
@omegalfa:
Since when? You are probably referring to “web designers”, which are entirely different species. I’d hate to see a JS/Java/Flash/Silverlight thingie that consumes obscene amount of memory and resources, and crashes every once in a while because of attempted memory corruption. That would make all of us script kiddies in the beginning. What happens next is more important.
and one more:
Surely you understand the absurdity of this claim - are you certain that you know how your microwave, your fridge, your car, your operating system works? Can you duplicate this? Can you improve it? And yet, you pretty much use them on a regular basis. The key phrase is “user interface”.
People who use nmap are scriptkids too, the person who wrote nmap is a scriptkid too according to the official description since nmap uses pre-written C libraries and API’s like making socket connections. (which is hard for a scriptkid to figure out) therefore he only uses high level API’s and libraries, so only diehards write in assembly can be considered not scriptkids.
I think the term is used by intellectual snobs trying to prove something from themselves. nonetheless, beware of the scriptkid, he too can take you down.
;)
@mindcorrosive who said:
“The key phrase is user interface”
User interfaces are sometimes useful for saving time. Actually C is a user-interface also (high level language) for faster programming and development. So they key isn’t user-interfaces. If you still believe that go write a browser in ASM: goodluck, and goodluck in browsing with it.
Well, scriptkid is a useless term. He might know 3 things you didn’t know. All there is for a successful exploitation. Security is like a chain, one parts fails the whole chain breaks. If the kid knows one part that can fail, he can own you.
In other words: you will never know everything about everything you use. You can mitigate a lot on experience, but not everything.
I met a lot of assembly guys and they are living in the past, when I talk about attacking their server they are running with my browser, they kinda stare at me for a couple of minutes. Guess what, I know something they didn’t know.
So whose the kid in this respect? well, no-one or both. In the very end of the day the scriptkid gets his work done, whatever er that may be.
Yes a script kiddie is somebody that uses exploits,tools,software and know nothing about the concept and or pray on milw0rm waiting for the next exploit to drop so they can run it threw Google.
Everybody starts out a script kiddie and its weather or not you want to advance into something more. But nice post about the subject it self I might have to do one.
Let’s talk about hacker mentality and just what that means. Hackers are naturally curious to learn about how things work, and sometimes, even how to break them. But that does not necessarily imply malicious intent. The overall goal of a hacker is (or should be) to learn. Knowledge is thereby obtained to more fully understand systems, and thus also to fix and improve them.
In my mind at least, the connotation of a script kiddie is that of one to whom none of this matters. pdp, mincorrosive, and rvdh have all touched on the fact that there are similarities and overlaps (by necessity) in the methodologies employed by both hackers and script kiddies, but in my opinion it is intent and objective, as well as experience, that define the divide between these two terms. A script kiddie can play at hacker, but really doesn’t grasp the concepts, nor does he have hacker mentality.
It’s great to know of a trick to take down msn chat at will. I think we can all agree to that. But to what purpose? Just to impress friends while sitting around the computer with Coca-Colas and a bag of chips? Or to gain a better understanding of this media to which all of us here are dedicated and build upon it? (Of course, there is that one guy in chat who always gets on my nerves who’d I’d like to …)
Apparently I didnt make myself too clear in my first post, so I will give it a try now, when I am kind of drunk.
We have already defined what a script kiddie is, but we did not define what a hacker is. For my definition I will use RFC1392: http://tools.ietf.org/html/rfc1392 According to it a hacker is: a person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular.
There are quite a lot of differences between a hacker and a script kiddie, and it is not only the knowledge. What we can see from this defintion is that there is nothing about as in . If we think about it a little bit more we will agree with univax on almost every word. What he describes is a whitehat (or maybe an ethical hacker). A hacker might not always hack with the purpose of There are evil hackers as well and even anonymous hackers on steroids (courtesy to Fox news).
@pdp:
That would be true if every script kiddie tries to understand what actually happens when he clicks the button. Which would mean that he/she will acquire the knowledge that he/she is lacking to be a hacker. Most of the script kiddies however do not try to understand and learn, so according to your definition they stay at the same point of their learning curve.
My personal idea of what a script kiddie is, is shown in this thread: http://www.webforumz.com/webfo.....hacker.htm
ps: about the censored stuff, what I actually wrote is something like, that pdp finally admitted being a script kiddie. I meant it in an ironic way, yet today I was told by 5 different people that I am not good at that stuff.
orlin, fair enough, but you are a bit too general with your statement. while I understand what you are trying to say, I disagree:
My definition of a script kiddie is more liberal. Would you call yourself a script kiddie? Perhaps not. I bet that most script kiddies do not know that they are script kiddies. Yet, if you take a test similar to but designed to test your script kiddiness, you may end up being deeply surprised by the results. As rvdh mentioned, this term is useless and let me quote his words:
I know that I dont know anything and this is why I want to learn more. Only once I have understood the concept of an attack I try to execute it and see what happens. If it works - cool, time to experiment some more, if not I try to debug and see why it didnt work.
Because my knowledge is so limied I cannot call myself a hacker. Because I want to understand what is happening I cannot call myslef a script kiddie. If I have to choose what I am - a hacker or a script kiddie, I must be hounest and say I am far nearer to the second category then to the first one. I better description for me would be total n00b.
pdp said that there are two types of people, who craft a weapon and those who use it. Yes, this is so. Yet when you start learning the way of the sword, you use a wooden once and once you have proven yourself you get a better sword until one day you are recognized and recieve a master sword.
Yet today anyone can get a master sword and start with it, skipping all the needed years of trainig. Those people are (should be) called script kiddies.
In one of his posts pdp said that everyone starts as a script kiddie. Yet I should disagree with him. Not everyone starts as a script kiddie, but everyone starts as a noob. And having no idea what is going on is not so bad - you can repair the problem by learning alot. We all start from 0. Yet being a 0 and pretending to be the greatest is something else.
Even thoug rvdh is right - if you have the tools and some luck you can hack a site, compromise a system, etc. That is thanks to the UI which allows us to use complex system without fully understanding them. Yet if you lack any understanding of how a tool works you might make big mistakes. I will take mindcorrosive’s example with the microwave oven - we have all heard examples of people trying to “warm” up different living creatures in a micorwave. I think the most popular one are cats. Though I might not be able to recreate a microwave oven, still will know that putting something alive in there will kill it. As another example I will use the link, which I gave in my last post, to a script kiddie which used a good tool and successfully hacked 127.0.0.1. Yep, because he knew nothing about the loopback, he hacked himself.
In conclusion I should say that the definition of script kiddie in wikipedia is way to broad. The definition of hacker is way to complex. Only the definition of a noob is well written.
ps: I miss the preview feature :/
My idea of a script kiddie (If anyone cares) is someone who uses tools to hack things. He doesn’t care how they work, and doesn’t bother to find out. They’re not interested in learning, and just want to hack for the lols. The main thing about them though is that they understand almost nothing about security besides hitting the hack button, and then they call themselves hackers.
Sure we all use tools to get the job done, and maybe some of them we don’t know all about, but we don’t claim to know about them, even if we don’t.
If one thinks out of the box, one also stops judging of the box. e.g. not placing labels anymore. A hackers mind absorbs anything, yet is attached to nothing.
The term hacker is somewhat vague. Old hackers used to say: If you can hotwire a car, that doesn’t mean you are a car engineer. So the car egineer usually knows more about cars than the car-hacker, because he designed it.
Being a hacker for me, doesn’t mean you know everything about a particular system, but you have the ability to approach it in a different way, look around it, and seeing the system in 4D instead if the 1D that the designer of the system has. A 4D mind sees the whole instead of it’s parts, that why most hackers are left & right brained, and they can switch between them, whereas as the system programmer usually can only think left-brain, linear instead of creative.
One luck is that you can learn to be linear as a rightbrian person, but it’s very hard to be creative for a leftbrain person, since creativity lacks a linear structure, creativity just emerges like spontaneity.
I’ve written a tool that exploits my school’s security system (an old version of Netware), it can crash remote computers with only 2 tcp packets. I’ve proudly told some friends of mine about it.
A few weeks later someone used my tool (my friend leaked it) to crash all computers (~50) at once, because he didn’t know what to do with it. Later he said that it was his tool and he wrote it, he called himself “hacker”.
Now, is there a difference between me and him? Or are we both just script kiddies?
Hmmm…I suppose that script kiddies would be those 11 year old kids who think that batch is 1337? We were all at that stage though, we all wanted to feel cool for at least the slightest moment. Well, what I think about a Script Kiddie / Skid really is that when they do sometimes develop code they use parts from other’s work. Almost everyone has looked at an example code once or twice. Who dosn’t need that motivation to better the code? But I mean common’ at least give credit to the author..who helped you develop the better. So a skid or whatever you want to call them is really up to you..
pdp, can’t agree with you more.
Everybody, since days of 1980-ties, when people where PHreaks and not hax0rs, one should have to read stuff, talk stuff, listen to stuff, in order to learn stuff. Nobody is born 3l337…
I enjoy being a SK. Because I do it for helping people, and for my own pleasure of doing things. Is that bad? Don’t think so.