OnPoint by Keith Ng

H4x0rs and You

"No good can come of a hacker talking to a TV journalist," my hacker friend said when I asked him to go on camera for a TV journo. He was goddamn right.

I gave Paul Craig's name to one journalist on Tuesday morning and to a few others after that. I thought it was pertinent that Dimension Data had one of the world's best kiosk hackers on staff, and therefore it was ludicrous to think that they could have missed the shit-simple security hole I used. In hindsight, I really should have paid heed to my friend's advice: No good could have come of it.

Hey Paul - I'm sorry.

Heather du Plessis-Allan's story on TVNZ missed the point for a lot of reasons. For starters, if she'd watched the whole of Paul Craig's Defcon presentation, she would have seen the smoking gun: 12 minutes in, Craig talked about using Open File dialogues as mini-Explorer windows, and discussed how they could be exploited. This was what we used (albeit in a really unsophisticated way). This was Item #2 on Craig's list. It's just not plausible that he would have failed to warn MSD about it.

Second, here's a rule of thumb: If someone is telling you about their hacking, and the system in question hasn't already been reduced to a steaming pile of goop, they're probably not a "malicious" hacker. Craig attacks systems in the same way that a malicious hacker would, so from a security perspective, he is a "malicious" agent. That doesn't mean he's malicious in the "out to get you" sense. I mean FFS, he works for a security testing company. He's *paid* to break into systems. It's utterly ridiculous to call him a malicious hacker, and it stems from a total misunderstanding of the context.

Third, the implication that he's a Bad Guy because he's a "Hacking Teacher". Once again, it shows a fundamental misunderstanding of the nature of these security exploits. Standing in front of a conference explaining exploits is what the *good* hackers do (while we're at it, so is selling the exploits to the originating organisation). The bad hackers keep it for themselves, or sell it on the black market to criminal organisations (who then keep it for themselves). The difference is that once an exploit is made public, it usually gets shut down pretty quick. The best way to take advantage of an exploit is to keep it secret while you use it to compromise systems and steal data.

The upshot is, if they're standing in front of you telling you about their hacks, they're probably not the ones you need to worry about.

Same concept applies to Patrick Gower's story earlier this year as well (which I'm rehashing now with my newfound l33t h4x0r credentials... and because I was actually right). If Murray McCully's email was hacked by Russian hackers after military secrets, they would have sat on that email and used it to compromise other systems. They would not have sent out prank emails. See the Wired guy as an example of how you can overrun everything once you have access to an email.

I bring it up because they're both a part of the same problem. Clearly, computer security has moved beyond being just "IT news". Journalists can't report on it unless they have some basic understanding of it, and they can't get that understanding without talking to real hackers. That isn't that hard... unless they keep doing shit like this.
