I’m not a hacker. I know very little about the technical ins and outs of what they do. Put a system in front of me and I wouldn’t be able to tell the difference between a 1 and a 0. Let alone what either may mean.
But I’ve grown up with one. I’ve watched my brother go from borderline obsessive teenager to world-renowned security expert. I’ve looked on with a combination of awe and fear at what he’s done, from hacking ATMs to insulin pumps and pacemakers. I’ve watched how he’s been painted by the media. He’s been both a genius and a super villain. I’ve watched him teeter between fame and infamy. I’ve seen journalists take a phrase like “mass murder” out of context and run with it.
I’ve also known him long enough to know that he’s generous to a fault. That he barely has a malicious bone in his body. That what he does stems from a genuine concern about the threats that he finds.
It’s why I took particular interest in Keith Ng’s recent story and the plethora of mainstream stories that evolved. Again, I don’t know a lot, but I know enough to know that, in terms of the hacking side of things, some people were getting it wrong.
So I got inspired to write a story about hackers. From a completely non-technical point of view. I got in touch with “Pipes”, a security consultant who also organises the New Zealand “hacker conference”, Kiwicon, every year.
For reasons of timing and circumstance the story didn’t happen, but I found the hour-long conversation with Pipes really interesting. It was a conversation that, given the timing, inevitably involved a lot of talk about the MSD security breach and how it was handled. It’s those parts of the conversation that are here.
I feel that it’s important to note that Pipes, like many in the industry, avoids talking to the media. He agreed to speak to me as a favour to my brother.
I also want to note that while Pipes is a paid professional, the thoughts, ideas and comments are his. They don’t belong to any other person or company.
I first “met” Pipes via Skype about a month ago. He was dressed casually, in jeans and a t-shirt. There was no elusive hoody in sight. He was friendly, articulate, open and honest. If he was auditioning for the part of a villain in a movie he definitely wouldn’t be shortlisted. There’s one stereotype busted already.
“That stereotype was definitely there when I grew up,” he tells me. Laughing.
“But it’s certainly being smashed lately. Though there is still that element of anti-authority, fuck the police, attitude around.”
As someone that’s paid to “break things” to “fix things” do you consider yourself a “hacker”?
In a previous life, absolutely. In the current job not so much. It’s one of those things where there’s never really been a clear definition.
Once it was the difference between a hacker and a cracker; a hacker being the guys at MIT who played with systems, with crackers being the bad guys that broke into systems.
Then it becomes the white hat, black hat thing. With the white hat hackers being those who do what I do for a living now, the black hats being those that break into systems.
In a former life I was a hacker, in my current life, it’s just a job.
Would you say there’s a bad public reputation for hackers and the whole security industry?
It can be the case. It’s definitely changing. A large chunk of it is that the computer science industry is relatively new. Security in itself; this whole problem of attack and defence is reasonably immature. We’re talking 25 years.
Also our industry, on the offensive side, hasn’t done a big PR push. It’s gone through periods where people, like the FBI, did publicly push the point that it’s all bad. That concept that if nobody was hacking we wouldn’t have a security problem.
That’s all changing. From a criminal point of view it’s become a monetised industry. When we were growing up if you broke into a system there was “no harm no foul” basically. Now if you break into a system, nine times out of ten it’s for money.
But as an industry there never has really been good handling of PR or visibility of what we do. A large chunk of that comes from fear of talking to the media. Also a lot of the time when you have "the geeks" doing what they do, they’re not used to talking to CEOs or CIOs. There’s always been a big gap there in terms of those two parties communicating. It’s evolved very chaotically. It’s changing again at the moment.
What’s behind the fear of talking to the media?
I think traditionally [our job] has been very difficult to explain. From an industry point of view it’s been very difficult to explain the benefits of it.
Historically, when hackers were hacking just for fun, it was from an extremely anti-authoritarian point of view so the dialogue never happened.
As far as the media goes, nothing good historically has come from talking to the media. That got proven just recently with Keith Ng and all the pieces.
In what sense?
Part of the main problem was that MSD came out and blatantly lied on the first day. And then they corrected themselves and when they did they did so vaguely. And now we’ve had the Deloitte report which is pretty bad.
As far as that piece from Heather [du Plessis-Allan] in regard to Paul Craig … I don’t know. Maybe it was good TV for the 6pm news; maybe that’s why she took that approach.
Anyone who spent more than 5 minutes looking at what he does for a living wouldn’t draw that picture of Paul. And she must have spent more than five minutes looking at it. So it must have simply been taking a sensationalist angle because of the political stuff involved.
Traditionally, there have been a couple of really classic examples of people that have talked to the media with the best intentions and they’ve just been smashed. I think it’s just because it’s one of those mysterious things. Hackers and hacking are seen as a mysterious black art. We’re seen as sort of, let the doves fly out of your hand, and all of a sudden you’ve compromised a server and stolen data.
When you look at it though it’s just science.
I think a lot of journalists have taken that approach. “These guys with the hoody on have done this crazy thing. It’s black magic.” It’s not necessarily the case.
Is it simply a matter of reporters tackling these stories who aren’t tech reporters?
There have definitely been a number of publications who have security-centric journalists who are doing good things. These guys can really work as the great equalisers on calling bullshit when other journalists get it wrong.
We’ve only just started seeing that come through. The majority of reporting that comes through, especially since Anonymous came on the scene, is ridiculous.
But we are seeing some of the mainstream media try. Which is good. Hopefully it’s a trend.
But then you see some stuff, like Heather’s piece and some of the print articles that came out about the kiosk stuff, it was really hard to tell whether they legitimately did not understand what happened, or whether they were finding better ratings by taking the twist. I suspect it was the latter.
It’s why I tend to avoid talking to the media.
And the comments from the general public on the mainstream articles didn’t seem to help matters …
Well everyone is an expert. The classic example is someone asks you what you do, you tell them and it’s like, “I had a virus the other day …” All of a sudden they’re a security expert.
Everyone is an expert about computers. That’s one thing that stood out in those comments. Everyone had expert commentary on how the Ministry should have better engaged security assessment or how they mishandled the case.
There’s also no real equalising rebuttal. Someone [who actually is an expert] can’t jump on the Herald site and be all, “Well as a security consultant I worked on this case and this is actually what happened.”
I just don’t read them anymore.
One of the things that came out was the concept of a rewards scheme. How common is that?
It’s on the increase, but it’s one of those new hip things. The Facebooks do it and the Googles do it. Microsoft refuse to do it because they think it encourages bad behaviour. That’s good and well. But a lot of these places spend a lot of money on security. Someone like us can only do 2 percent of the job. So you can hire someone like us but that doesn’t help the other 98 percent. We do what we can but there’s no way of measuring whether we’ve been successful.
So in cases like Facebook they crowdsource that out effectively. For a small amount of cash.
I haven’t seen it adopted by anyone outside of those Silicon Valley companies.
I think that’s because they’re not yet at a scale where they need to crowd-source. If you did what he [Ira Bailey] allegedly did, I don’t know any organisation in New Zealand that would say yeah, we’ll give you money. Not one.
There’s been a trend over the years by organised crime syndicates using extortion.
There’d be a fine line between making a living and extortion wouldn’t there?
Yeah, I mean all the work we do, our customers call us. A few people have tried the route of, “I’ll scan everyone and if I find bugs I’ll ring them up and give them a sample. But if you want the full thing you’ll have to hire me.” Every single time that’s been tried it’s crashed and burned.
It’s not a model that works. It’s a very fine line.
There was a classic example in Australia with a guy who’s in a similar line of work to me. His superannuation fund sent him an email and, occupational habit, he clicked the link and found he could look at others’ superannuation details.
He rings them up and tells them and the next thing the AFP is knocking on his door. He wasn’t asking for money he just told them. It was still taken as him being a bad hacker.
It’s hard to know how organisations will respond if you could call them. A lot of people like myself just won’t bother. You just don’t say anything. It’s not worth the hassle.
So will that change over time? I think so. But who knows.
A lot of the research I see seems a little too ‘movie-like’. Are there real-life implications to security breaches that the average Joe should even worry about?
Yeah. It’s a hard one. Should they be concerned? No.
Most situations where you’d worry about such systems – Water, power suppliers etc – they get them tested.
What the concern should be is that MSD is not alone in filing that report into a cabinet, or changing the criticality of the findings, and putting it in the too hard basket. There are a lot of systems we’ve tested over the years and you come back three years later and the original issues are still there.
The risk in New Zealand is not so much that companies are not doing the right thing. The risk is that you can come back to these places and nothing has been done since the initial report.
MSD is the first to have publicly done that. But they are the norm. They are not the exception. The only difference in the way they handled that security report and the majority of other companies is that Ira walked in and told a journalist.
MSD has everyone testing their kiosks at the moment. Every CIO in the country thought, “Do we have kiosks? Shit, we better get them tested.”
But the CIOs didn’t think to check if they’ve had their kiosks tested in the past. And fixing the stuff that was in the report. It’s interesting how the knee-jerk does happen.
But complacency does come back in.
It’s easy to see why it would be tempting to go public then.
Yeah, but people like myself don’t want Heather on our doorstep with a microphone in our face asking, “Are you malicious?”
When you see [an organisation] hurt publicly then privately a lot of people get their shit together, but unfortunately it takes that public failure. High visibility injects fear, and fear induces a response.
In New Zealand we don’t have a lot of high-profile breaches. Significant breaches have happened that have never reached the paper. Because a lot of these places come out of these breaches privately, often without their staff even knowing, a lot of these places haven’t changed their culture either.
One of the things about what Ira and Keith did is it triggered a response. Unfortunately it’s probably just a knee-jerk. Not a consistent change.
There’s not much we can do about that.
One of the scary things for us about the MSD case was how quickly the MSD threw the security assessors under the bus. And they were in a shitty situation because of non-disclosure agreements. They can’t even rebut in the media. If they do they’ve breached disclosure agreements.
Is the ‘hacking’ industry still one of an anti-establishment, anti-authority attitude?
It used to be. It absolutely used to be. It’s changed because the growth in the industry has been so dramatic. Conferences were never about the information; they were just about blowing out and catching up with mates.
But the industry has grown so dramatically that the dynamic changed. It’s more of a maturing industry. A lot of these companies have HR managers and investors that want to know what’s happening with their money. It’s just another business now.
And it’s big money too. There’s a lot of money in this industry.
It is still there though.
There have been some awesome cases recently of people like members of Anonymous being arrested and in jail, releasing statements like “We’re going to burn this jail to the ground”.
It’s like, “Dude, you’re how old?”
There’s definitely an aspect of the culture there. But at the same time, you could get paid to do this for a living or you could go to jail. Sure, maybe you’ll burn that motherfucking jail to the ground but I doubt it. I’m pretty sure Bubba who’s in there for grand theft auto has done much worse than what you’ve done.
One last thing, were you a Lego fiend as a kid? Apparently it’s a hacker thing.
[Laughs] I certainly was. Hang on …
Pipes turns to a space in the room I can’t see. “Did you guys play with Lego as kids?” he yells to people in the background. I hear muffled replies and laughs. “I did,” one replies. “I just bought some for my kid too.” Another affirmative response and another laughs, “I still do!”
“There you go,” Pipes tells me.
There it is. Lego. It’s a hacker thing.