A few thoughts on "Hackers Wanted"
Sun, 2010.05.23 - 01:13 — müzso
I think the makers of the movie did a fair job in giving a chance to both the hackers and their "victims" to explain their POVs. I liked the historical aspects/flashbacks too.
I can understand both sides, but unfortunately I saw little empathy in either of them for the others' problems.
Some of the company/government guys try to fight and hunt hackers regardless of their intentions and methods. As I understand, this POV has two reasons:
I bet there's a way to have the best of both worlds.
Eg. if I were the security consultant of a Fortune 500 company, I'd suggest regular security contests. A news company like The New York Times (I intentionally picked them as they were the ones who filed a complaint against Lamo) could hire an IT security company to arrange a security contest using their publishing system on a test server (set up just for the contest with bogus content, design and layout). And the winners would get money and/or prizes in exchange of the techniques used to deface the test site. This is nothing new, just think of the annual PWN2OWN contests.
This way you'd allow ethical hackers a shot at testing your security without ever compromizing the live production system. And IMHO the publicity of such a hacker contest is equally appealing to hackers as the public defacing of a website, since the winners would be praised for hacking the real thing. And of course, the winners get "paid" too, which is a lot more appealing than hacking just for free. The company gets away a lot cheaper too: they get a bunch of security holes fixed for nothing (since such a security contest costs nothing compared to the loss of income that the criminal exploit of a security hole could mean).
Unfortunately managers, CEOs, etc. are just people too. They are governed by human emotion (mostly fear if it's about IT security) and it's quite difficult to convince them that hackers can do good too ... they just need to be brought over to the company's side. Probably this job needs "negotiators" who speak the language of both sides (managers and hackers alike).
In the movie there were a few definitons that I'd like to comment on.
"script kiddies"
The Wikipedia definition sounds like this: "In hacker culture, a script kiddie, or skiddie, occasionally script bunny, skid, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or programs developed by others to attack computer systems and networks."
I've got a problem with this phrasing. Does any of you know people who don't use programs written by others? I don't think so. In fact, 99.9999...% of the programs we (and I mean IT guys) use are written by others. This is not different for hackers either. They write a new script/program only if it has not yet been written or the existing versions are not good enough for solving a particular problem. Hackers are not morons who start reinventing the wheel.
I'd extend the definition to include this: "... who use scripts or programs developed by others to attack computer systems and networks, but lack the ability to write those themselves and brag about their script using skills at the same time."
To make my point: there's nothing "derogatory" about using the work of others unless you try to (falsely) claim "fame" by doing so.
"exploits"
Again, the same as with script kiddies. The movie's definition stated that exploits are created by pros and are collected and used by kiddies. This must not be true. Don't tell me that all hackers start from scratch, when they try to hack their way into a new system (meaining a system that they themselves have not yet compromised). They'll first scan the system for publicly known vulnerabilities and use a publicly available hack (ie. exploit) to get in if one exists. If there's none, then they'll try to find a new one and write code to exploit the vulnerability. That's how people work in real life and hackers are no exception.
"Marcus Ranum
...
Configured and managed whitehouse.org"
That sounds to be a bit of an exaggeration, especially after reading the first line on the same "slide" stating that he was sec. consultant to many Fortune 500 companies and national governments. He might have been the major consultant/executive in the designing and imlementing team of whitehouse.org, but I doubt that he was actually doing the configuration of the server farm working behind that domain. Of course the terms "configured" and "managed" allow for a wide interpretation, but they suggest that Marcus was the one actually doing the job ... which does not really match his previously estabilished "status" (like being Tenable's CSO, etc.).
Later in the movie Dr. Dorothy Denning said that some people would argue that the NY Times should have thanked Lamo for telling them about the problems he has found and should have even paid him for his services. And she closed the sentence with her being very much against this idea.
Marcus Ranum noted that a NY Times like manager, who is contacted about a security problem regarding their system, will most likely be pissed off since he's most likely going to be fired if the security vulnerability gets public.
I disagree with both opinions.
First of all, the so called gray hat hackers do not ask for money. Lamo certainly didn't. They merely want to be acknowledged for what they achieved ... namely in this case finding a possibly serious vulnerability in the system. One must be a newbie in any business (IT related or not) to assume that there're no serious flaws in _any_ system. It was just a few years ago that people've found a serious flaw in TCP. The protocol has been used on the internet worldwide for over a decade without this flaw being published! And I don't think that it's a global conspiracy and the flaw was well known for years, but kept secret. Should we fire every security consultant who ever analyzed TCP for potential vulnerabilities? I guess not. If a flaw is found, we should thank for the one discovering it and fix it.
Actually Lamo mentioned in the movie that the news editing pages of NY Times were publicly available (without any authorization) so anyone could change any article at will. I bet that an analysis of the webserver access logs would show that there were people exploiting this problem long before Lamo has contacted the Times. This is such an obvious hack that no real "hacking knowledge" is needed for it, just a bit of thinking outside the box. And catching such a vulnerability should have been a trivial task ... no wonder that some people at the NY Times were angry. Some people had to be plain unfit for their job for such a flaw to get to the live site. If somebody had to be fired, then it was the security testing company who did the last security check/audit on the site.
Btw. my opinion on security holes: most of the time somebody knows about them. Eg. the guy who wrote the code might be a prime suspect. It's just that he either had no intention of making it secure (either being lazy or unable to do so) or had no time/resources to do it.
Some people would argue that Lamo should have privately/silently contacted NY Times (and the other companies) about the discovered security hole(s). However -as pointed out in the film earlier- this has sometimes not the desired effect either.
I had my personal experience regarding this too. I've contacted ****.hu (a company engaged in regularly collecting, editing, translating and publishing television, cinema, theatre and concert programme information on the web) several years back (when I started to work with Oracle Application Server based systems) that their website -which was OAS based- can easily be changed/defaced/etc. due to the lack of security on the admin page of OAS. I did never intended to harm them (and I didn't ... not even to test whether I could really change the OAS gateway settings or not). However I never got a response. None. Some time later I checked again and the admin page was secured (or at least password protected). I'm happy that I helped to improve their service, but it was a bit rude not to respond to my mail.
On another occasion I've noticed on a PHP based site that the developers forgot to properly configure their logging on the public/production version of the website and the webpages generated by the PHP code contained tons of HTML comments with debugging code in them (variable dumps, etc. ... so lots of sensitive information that crackers could use to hack into the site). I've contacted them about this and they responded in 24 hours thanking me and offering a job interview in case I was interested. So things like this happen too, although rarely. In case of another PHP site I contacted the developer about some XSS vulnerabilities that I've found. He turned out to be a like minded guy and we became friends over the years.
On another occasion the contacted company did not respond and the flaw did not get fixed (within a few weeks).
So companies' reaction vary on a wide range.
I can understand both sides, but unfortunately I saw little empathy in either of them for the others' problems.
Some of the company/government guys try to fight and hunt hackers regardless of their intentions and methods. As I understand, this POV has two reasons:
- fear from the unknown: they cannot tell/predict what some geek's intentions are.
- fear from failure: if all hackers were allowed to "test" all publicly available systems' security defenses and publish their findings, the amount of extra work to fix all the released vulnerabilities might be more than they can handle (eg. due to lack of resources) and eventually would result in a more vulnerable system than as if such hacking was prohibited.
I bet there's a way to have the best of both worlds.
Eg. if I were the security consultant of a Fortune 500 company, I'd suggest regular security contests. A news company like The New York Times (I intentionally picked them as they were the ones who filed a complaint against Lamo) could hire an IT security company to arrange a security contest using their publishing system on a test server (set up just for the contest with bogus content, design and layout). And the winners would get money and/or prizes in exchange of the techniques used to deface the test site. This is nothing new, just think of the annual PWN2OWN contests.This way you'd allow ethical hackers a shot at testing your security without ever compromizing the live production system. And IMHO the publicity of such a hacker contest is equally appealing to hackers as the public defacing of a website, since the winners would be praised for hacking the real thing.
And of course, the winners get "paid" too, which is a lot more appealing than hacking just for free. The company gets away a lot cheaper too: they get a bunch of security holes fixed for nothing (since such a security contest costs nothing compared to the loss of income that the criminal exploit of a security hole could mean).Unfortunately managers, CEOs, etc. are just people too. They are governed by human emotion (mostly fear if it's about IT security) and it's quite difficult to convince them that hackers can do good too ... they just need to be brought over to the company's side. Probably this job needs "negotiators" who speak the language of both sides (managers and hackers alike).
In the movie there were a few definitons that I'd like to comment on.
"script kiddies"
The Wikipedia definition sounds like this: "In hacker culture, a script kiddie, or skiddie, occasionally script bunny, skid, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or programs developed by others to attack computer systems and networks."
I've got a problem with this phrasing. Does any of you know people who don't use programs written by others?
I don't think so. In fact, 99.9999...% of the programs we (and I mean IT guys) use are written by others. This is not different for hackers either. They write a new script/program only if it has not yet been written or the existing versions are not good enough for solving a particular problem. Hackers are not morons who start reinventing the wheel.I'd extend the definition to include this: "... who use scripts or programs developed by others to attack computer systems and networks, but lack the ability to write those themselves and brag about their script using skills at the same time."
To make my point: there's nothing "derogatory" about using the work of others unless you try to (falsely) claim "fame" by doing so.
"exploits"
Again, the same as with script kiddies. The movie's definition stated that exploits are created by pros and are collected and used by kiddies. This must not be true. Don't tell me that all hackers start from scratch, when they try to hack their way into a new system (meaining a system that they themselves have not yet compromised). They'll first scan the system for publicly known vulnerabilities and use a publicly available hack (ie. exploit) to get in if one exists. If there's none, then they'll try to find a new one and write code to exploit the vulnerability. That's how people work in real life and hackers are no exception.
"Marcus Ranum
...
Configured and managed whitehouse.org"
That sounds to be a bit of an exaggeration, especially after reading the first line on the same "slide" stating that he was sec. consultant to many Fortune 500 companies and national governments. He might have been the major consultant/executive in the designing and imlementing team of whitehouse.org, but I doubt that he was actually doing the configuration of the server farm working behind that domain. Of course the terms "configured" and "managed" allow for a wide interpretation, but they suggest that Marcus was the one actually doing the job ... which does not really match his previously estabilished "status" (like being Tenable's CSO, etc.).
Later in the movie Dr. Dorothy Denning said that some people would argue that the NY Times should have thanked Lamo for telling them about the problems he has found and should have even paid him for his services. And she closed the sentence with her being very much against this idea.
Marcus Ranum noted that a NY Times like manager, who is contacted about a security problem regarding their system, will most likely be pissed off since he's most likely going to be fired if the security vulnerability gets public.
I disagree with both opinions.
First of all, the so called gray hat hackers do not ask for money. Lamo certainly didn't. They merely want to be acknowledged for what they achieved ... namely in this case finding a possibly serious vulnerability in the system. One must be a newbie in any business (IT related or not) to assume that there're no serious flaws in _any_ system. It was just a few years ago that people've found a serious flaw in TCP. The protocol has been used on the internet worldwide for over a decade without this flaw being published! And I don't think that it's a global conspiracy and the flaw was well known for years, but kept secret.
Should we fire every security consultant who ever analyzed TCP for potential vulnerabilities? I guess not. If a flaw is found, we should thank for the one discovering it and fix it.Actually Lamo mentioned in the movie that the news editing pages of NY Times were publicly available (without any authorization) so anyone could change any article at will. I bet that an analysis of the webserver access logs would show that there were people exploiting this problem long before Lamo has contacted the Times. This is such an obvious hack that no real "hacking knowledge" is needed for it, just a bit of thinking outside the box. And catching such a vulnerability should have been a trivial task ... no wonder that some people at the NY Times were angry. Some people had to be plain unfit for their job for such a flaw to get to the live site. If somebody had to be fired, then it was the security testing company who did the last security check/audit on the site.
Btw. my opinion on security holes: most of the time somebody knows about them. Eg. the guy who wrote the code might be a prime suspect.
It's just that he either had no intention of making it secure (either being lazy or unable to do so) or had no time/resources to do it.Some people would argue that Lamo should have privately/silently contacted NY Times (and the other companies) about the discovered security hole(s). However -as pointed out in the film earlier- this has sometimes not the desired effect either.
I had my personal experience regarding this too. I've contacted ****.hu (a company engaged in regularly collecting, editing, translating and publishing television, cinema, theatre and concert programme information on the web) several years back (when I started to work with Oracle Application Server based systems) that their website -which was OAS based- can easily be changed/defaced/etc. due to the lack of security on the admin page of OAS. I did never intended to harm them (and I didn't ... not even to test whether I could really change the OAS gateway settings or not). However I never got a response. None. Some time later I checked again and the admin page was secured (or at least password protected). I'm happy that I helped to improve their service, but it was a bit rude not to respond to my mail.
On another occasion I've noticed on a PHP based site that the developers forgot to properly configure their logging on the public/production version of the website and the webpages generated by the PHP code contained tons of HTML comments with debugging code in them (variable dumps, etc. ... so lots of sensitive information that crackers could use to hack into the site). I've contacted them about this and they responded in 24 hours thanking me and offering a job interview in case I was interested. So things like this happen too, although rarely.
In case of another PHP site I contacted the developer about some XSS vulnerabilities that I've found. He turned out to be a like minded guy and we became friends over the years.On another occasion the contacted company did not respond and the flaw did not get fixed (within a few weeks).
So companies' reaction vary on a wide range.
All of my own contents here (if not noted otherwise) are licensed under the
Creative Commons Attribution-NonCommercial-ShareAlike 4.0 License. My posts reflect my personal opinion and shall not be associated with any of my employers.
Creative Commons Attribution-NonCommercial-ShareAlike 4.0 License. My posts reflect my personal opinion and shall not be associated with any of my employers.
Recent comments
1 year 43 weeks ago
3 years 12 weeks ago
3 years 12 weeks ago
3 years 14 weeks ago
3 years 15 weeks ago
3 years 22 weeks ago
3 years 22 weeks ago
3 years 22 weeks ago
3 years 22 weeks ago
3 years 22 weeks ago