HackersLab is most famous for running a free hacking zone (fhz) in Seoul, South Korea. It tries to provide an environment for hackers to practice and learn ethically, without fear of prosecution. Using the expertise the staff gained by hacking, HackersLab also acts as a security consultancy to businesses in South Korea.
In 1995, Mr. Lee JeongNam was made the head of the Korean National Police Agency's newly created cyber-crime division. At the time, hacking and cracking were rife in South Korea, and the government and police had come under intense pressure to protect the public from these youngsters perpetrating crimes most people didn't understand. However, Mr. Lee quickly realised that not only was hacking already popular, it was easy to start, difficult to detect, addictive and potentially extremely destructive. A teenager on a cheap computer with a dial-up modem could fairly easily disrupt the business of a multi-national company, especially in the mid-90s, when network security was poorly understood and sparsely implemented.
Yet another problem Lee faced was that arresting and imprisoning these hackers rarely worked. Many of them were just inquisitive kids with a knack for computers. A custodial sentence would do them far more harm than good, increasing the sense of disillusionment and frustration that may have spurred on their hacking in the first place.
Within a couple of years, Lee realised he was fighting a losing battle; the punishment being doled out by the authorities simply wasn't curbing the hackers' quest for knowledge and recognition. Instead, Lee realised he could wean the culprits off attacking difficult government and military targets by presenting an alternative, legal challenge for the hackers to play with. I have no doubt that many of the people Lee was arresting would have said things along the lines of "I didn't want to do anything illegal, it's just so hard to stop". It was this that spurred Lee into creating HackersLab, a company that hired young hackers before Lee's colleagues in the cyber-crime division caught them. It advised companies on network security and other computing solutions, using the extensive, potentially criminal, knowledge of its employees to protect business and the government, rather than attack it.
Alongside the HackersLab business, Lee launched HackersLab.org, a free hacking zone (fhz) which provided an outlet for anyone with an urge to hack, not just his company's employees. The idea of the fhz was to set up a dedicated Linux server on which the only rules were that it was not to be used as a staging post for illegal activities or to deliberately interfere with the work of other hackers.
The server was administered by some of Lee's employees, all of them security experts, and all of whom thought their machine was impregnable to attacks not specifically sanctioned. However, one Thanksgiving, a bored hacker, who worked for a network security consultancy, decided to test the security of the HackersLab server. Within four days, he gained root, meaning he had complete control over the entire HackersLab system. Obviously, this man was something of an asset, and Lee promptly hired him. Hiring hackers who have proved themselves in attacks on him or other organisations is one of Lee's trademarks. At least one of his employees has been in prison for computer-related misdemeanours!
Along with the fhz, HackersLab ran a number of public hacking competitions, including a "King of Kings Hacking Competition" in 1999. The HackersLab effort was so popular by 2000 that the site was launched in English, as well as Japanese and Chinese.
There are a number of linearly arranged challenges, supposedly increasing in difficulty, which cover a wide range of topics. The basis of each challenge is that there is a programme, `/bin/pass' which prints the password of the current user when run. Obviously, executing the program when you have only logged in is pointless, because it will simply print the string you just entered to log in. If, however, you can find a way of increasing your executing user ID (EUID), through the use (and abuse) of setuid files, the `/bin/pass' programme can be run with elevated privileges, and hence print out the next level's password.
To start with, only mild obfuscation is used to throw you off the scent: strange file locations, filenames starting with a dot, etc. Later on however, techniques exploiting vulnerabilities such as race conditions and buffer overflows must be tackled, and conquered, before progressing onto the next level. These are the sorts of vulnerabilities that form the majority of real-life problems; just look through the CERT advisory lists and you can see that buffer overflows are responsible for the lion's share of exploits. Having said that, in reality the hardest part of cracking is finding the opportunities to exploit a buffer overflow, whereas in the fhz, the hacker is led to the vulnerable files, and hints are given as to what approach to take.
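The levels described above rely on setuid files tucked away in strange locations or behind dot-prefixed names, and the same properties are what an administrator audits for on a production host. The following is an added example, not code from HackersLab or the original article: a small audit that walks a directory tree and reports every setuid file, its owner (the EUID a process acquires on exec), and whether it is hidden or sits outside an expected directory. The allowlist and the sample tree are assumptions constructed for the demonstration.

```python
import os
import stat
import tempfile

# Assumed allowlist of directories where setuid binaries are expected.
EXPECTED_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib", "/usr/libexec")

def audit_setuid(root, expected_dirs=EXPECTED_DIRS):
    """Return one finding per setuid regular file under root."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        abs_dir = os.path.abspath(dirpath)
        expected = any(abs_dir == d or abs_dir.startswith(d + os.sep)
                       for d in expected_dirs)
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat so symlinks are never followed
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if not (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID):
                continue
            rel_parts = os.path.relpath(path, root).split(os.sep)
            findings.append({
                "path": path,
                "owner_uid": st.st_uid,  # EUID a process gets when it execs this file
                "hidden": any(p.startswith(".") for p in rel_parts),
                "unexpected_dir": not expected,
                "world_writable": bool(st.st_mode & stat.S_IWOTH),
            })
    return findings

def build_sample_tree():
    """Constructed sample data: two setuid files and one ordinary file."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    for rel, mode in (("bin/ok", 0o4755), (".cache/.helper", 0o4755),
                      ("tools/report", 0o755)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    for finding in audit_setuid(root, expected_dirs=(os.path.join(root, "bin"),)):
        print(finding)
```

Run against `/` as root on a real host, the findings worth investigating first are those flagged hidden, world-writable, or outside the allowlist.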
Is it a good idea?
Obviously, HackersLab has come under some criticism, with critics claiming that it promotes illegal activities, and encourages and even instigates the dissemination of dangerous knowledge. However, there is little support for the argument that it is purposefully causing damage to society. After all, a policeman with two decades on the force set it up, and the main enemies of his company are unethical hackers; why would he set out to create more of them?
Also, for anyone to get beyond the most basic levels on the fhz, there must be a sincere interest in, and probably previous knowledge of, hacking. In that case, suppose the fhz didn't exist. These people would still be interested, and there is plenty of unethical hacking literature on the Internet. Instead of having fun in a controlled environment, people would be forced into illegal behaviour in order to educate themselves in something they enjoy. Obviously, there will be a few people who go on from the fhz, crack a Department of Defense computer, accidentally cause the launch of thermonuclear missiles, eventually bringing around a nuclear holocaust, a new ice age and the demise of the human race, but those people would have done that anyway. The fhz isn't a hacking academy, furtively changing happy teenagers into accidental terrorists; it's just a bit of geeky fun!