The threat won't be understood until a Cyberdisaster
November 23, 2012 12:52 AM

The Frightening Things You Hear at a Black Hat Conference. (Previously-ish).
posted by MattMangels (49 comments total) 28 users marked this as a favorite

"the group discovered that a thermometer in a chamber-owned apartment was communicating with an I.P. address in China."

Sorry, humans. Like printed newspapers, you are all dead but just don't know it yet.
posted by EnterTheStory at 2:22 AM on November 23, 2012 [7 favorites]


Also, how can any government call hacking (as opposed to cracking) a crime? These people are the greatest heroes we have.
posted by EnterTheStory at 2:23 AM on November 23, 2012 [3 favorites]


I think you just answered your own question.
posted by DU at 2:26 AM on November 23, 2012 [5 favorites]


Hacking means breaking into computer systems. That is how the word is used by almost everyone, which is how we find out what words mean. Sorry, you lost this one.
posted by thelonius at 2:29 AM on November 23, 2012 [7 favorites]


Breaking in is good, if no damage is done and the owner is then informed of the weakness so he can fix it. Such people are heroes.
posted by EnterTheStory at 2:33 AM on November 23, 2012 [1 favorite]


In one talk, Cody Brocius, a security researcher, disclosed a loophole in hotel room locks made by Onity, whose locks are installed on more than four million hotel rooms globally.

God, we really hate those Black Hat conferences whenever they meet at the hotel where I work.

OK, you can take the little liquor bottles out of the mini-fridge and fill them with water and we won't notice. Yeah, OK, we get it already.
posted by twoleftfeet at 2:47 AM on November 23, 2012 [14 favorites]


That is how the word is used by almost everyone, which is how we find out what words mean. Sorry, you lost this one.

@thelonius I have a notion you're being ironic in which case I apologise in advance for not getting the joke.

In any field of knowledge there is terminology used with confidence, but incorrectly, by those not versed in the field of knowledge.

I'm sure this is widespread in medicine and the law for instance.

In software circles hacking does not mean breaking into systems. What journalists and other civilians like to think and say is entirely up to them.
posted by southof40 at 2:50 AM on November 23, 2012 [16 favorites]


Dunno, only like a half dozen people use the word cracker to mean people who break into computers. IMO crackers are people who crack software. Sure there are like old bearded Lisp guys who say hacker is solely some sort of term of pride for a programming wizard, but honestly I think the word means both.

Sure, there are some super cool guys that go to Black Hat, or DEFCON or HOPE or whatever, build businesses as security researchers or consultants, and try to disclose exploits responsibly, but for every one of those there are 100 trying to steal your credit card or running a botnet.
posted by Ad hominem at 3:06 AM on November 23, 2012


The word definitions don't even matter. It's the actual non-malicious activity that is also illegal. DMCA, for instance.
posted by DU at 4:13 AM on November 23, 2012


We are totally fucked, right? I mean, you can deduce this just from the position that the law-and-order users of this site take: security by obscurity is darn-tootin-plenty, and if you find a way in, even by incrementing a "get" id by one, you're morally obligated to do nothing other than maybe turn yourself in to the police. (Indeed, you should never manually type URLs as that is morally fraught--what if you make a typo and see something you shouldn't have?)

The above mindset is about on-par with the why-would-anyone-want-to-do-that? mindset common among engineers--which in turn leads to lovely but stupid systems which trust everyone and have no decent way of ever being reasonably secure.
posted by maxwelton at 4:19 AM on November 23, 2012 [6 favorites]


What journalists and other civilians like to think and say is entirely up to them.

So long as it stays that way and the tedious quests to force journalists to use "cracker" when they mean "hacker" when writing for civilians come to an end.

And soi-disant "hackers" stop getting all uppity when they get negative reactions when using the term to civilians.
posted by fightorflight at 4:36 AM on November 23, 2012 [1 favorite]


"civilians?"
posted by werkzeuger at 4:38 AM on November 23, 2012 [6 favorites]


southof40, as a mathematician who gave up on "begs the question" a while ago, I'm going to say "hackers" need a new term if they don't want to confuse lay people.
posted by monkeymadness at 4:39 AM on November 23, 2012 [4 favorites]


"civilians?"
Definition of CIVILIAN

1: a specialist in Roman or modern civil law
2. a : one not on active duty in the armed services or not on a police or firefighting force
b : outsider
-- Merriam-Webster
posted by fightorflight at 4:41 AM on November 23, 2012 [2 favorites]


But that honor ultimately went to F5 Networks, a security company, for a glitch in a popular security product.

What an odd sentence: it doesn't mention which of their products, nor what the glitch is/was. Is F5 an advertiser with the NY Times? Does anyone know which CVE this particular glitch has?
posted by devnull at 4:41 AM on November 23, 2012


There are some super cool guys that go to Black Hat, or DEFCON or HOPE or whatever, build businesses as security researchers or consultants, and try to disclose exploits responsibly, but for every one of those there are 100 trying to steal your credit card or running a botnet.

And sometimes they are the same ones. One-upping Jack Daniels and getting his CC becomes 'bragging rights'. Having a remote network of listening posts is how one spots a trend in network usage patterns when you are not an anti-virus vendor or don't run a large ISP.

It's because of the remote stations reporting in that the STUXNET and FLAME issues became known.

THE THREAT WON’T BE UNDERSTOOD UNTIL A CYBERDISASTER. This year’s Black Hat keynote speech was delivered by Shawn Henry, the Federal Bureau of Investigation’s recently retired top cybercop.

Man whose job it is to assume everyone's a criminal and, by finding crime, claims crime will kill us all. There is a simple solution - disconnect the machines from the network.

But disconnecting from the network means "the good guys" can't use things like the proposed change in the law to be able to read things on 3rd party hosts without a warrant or launch their own cyber attacks, so making that suggestion is at cross purposes with other goals.

Need limited message passing? UUCP over serial. How about modifying your 8-pin Ethernet so only the transmit pair on one side and the receive pair on the other are connected? (These days, with link integrity, you need to build yourself a functional repeater and just not pass one set of data. How does the other side get the data? You have the other side run a sniffer and reconstruct the data. Go ahead - claim the syslog collection server could have been hacked - show me how.)

Stop using the same root password for 20+ years through 5 OS upgrades, and then on all the machines, as another example.

the cyberthreats we face are only getting bigger and more pernicious

On the one side you have the 1980s, where a certain nation-state had a contractor modify the code for natural gas valves, which resulted in a gas explosion, and have proxies self-admit to making computer viruses to be used vs. another nation-state. Meanwhile other places have launched targeted attacks vs. the cryptographic key system or "plain vanilla" economic espionage http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA500584

The only way to prevent being "150ms from every asshole on the planet" is not to be a part of that network.
posted by rough ashlar at 4:53 AM on November 23, 2012 [5 favorites]


This summer just gone, there was a run of problems with banking systems, ATMs, money going into and out of people's accounts, at several British banks (example). One would probably be human error, but there were several. Wondered at the time if there was something we weren't being told, e.g. successful attacks which must be hushed up so there's no panic. Or whether it was, as more widely reported, cost-cutting leading to poor, outsourced, banking system procedures.
posted by Wordshore at 5:17 AM on November 23, 2012


Breaking in is good, if no damage is done and the owner is then informed of the weakness so he can fix it. Such people are heroes.

I thought such people were called "white-hats", not "black-hats".
posted by EmpressCallipygos at 5:51 AM on November 23, 2012 [1 favorite]


Breaking in is good, if no damage is done and the owner is then informed of the weakness so he can fix it. Such people are heroes.

Will your hero worship remain after they stop by your house while you are sleeping and leave a note on your pillow with a few of the vulnerabilities in your household security? They probably just left a note.
posted by humanfont at 6:11 AM on November 23, 2012 [1 favorite]


F5 is a comforting company name to read as I sit here working from home, logged into my employer's intranet.
posted by emelenjr at 6:12 AM on November 23, 2012 [1 favorite]


There is a simple solution - disconnect the machines from the network.

Bonus: Keeps cylons out.
posted by NoraReed at 6:45 AM on November 23, 2012 [9 favorites]


You know, Jeff Moss (founder, aka Dark Tangent) and the Black Hat Conferences are not wanting for legitimacy at this stage. Moss is on an advisory board of the Department of Homeland Security and helps run ICANN. The Conference itself is a business venture owned and run by CMP Media.

The name stems from its origin as an offshoot of the hacker conference DEFCON. It is specifically acting as a sort of neutral ground for open discussion of security issues, and as such draws attendees from the world of hackers licit and illicit (both black hats and white hats), security professionals, and government regulators and enforcers.
posted by dhartung at 7:16 AM on November 23, 2012 [2 favorites]


*sigh* We'll know the world has changed for the better when "women" stop being listed along with "booze, dancing, [and] prizes" as one of the features of a conference.
posted by not that girl at 7:59 AM on November 23, 2012 [33 favorites]


"booze, dancing, prizes, and overweight men with body odor and no social skills"
posted by idiopath at 8:20 AM on November 23, 2012 [1 favorite]


Wondered at the time if there was something we weren't being told e.g. successful attacks which must be hushed up so there's no panic.
That was simple human error and bad management.
They [senior management] don't even know about the successful attacks so they can't even hush them up.

And before you security experts pop in to explain it's all fearmongering and fantasy, I speak to you people all the time and the one constant message is the look in your eyes which says "I hope to holy fuck I am long gone before this shit falls apart". That and the thousand yard stare while you try to avoid vocalising the parts of your corporate memory which give you that perpetually screaming voice in your head.

There's always more, and it's always worse.
posted by fullerine at 8:22 AM on November 23, 2012 [1 favorite]


I sometimes feel like shit has gotten so complicated that there's both a good chance of there never being a real, massive cyber-disaster because it's too complex to orchestrate, and an equally good chance that a sort-of cyber-mugging, the kind of easy, low-effort crimes that equate with stealing car radios/purse snatching, are more and more going to become the norm.

Like NYC in the 80's and 90's, everyone will have stories about getting 'mugged', 99% will be scary but not result in lasting harm.
posted by From Bklyn at 8:49 AM on November 23, 2012


Of course FLAME via a govt (or two) and no one would admit this...more to the point: such meetings are usually filled with govt operatives noting what takes place and who is present.
posted by Postroad at 8:49 AM on November 23, 2012


What an odd sentence: it doesn't mention which of their products, nor what the glitch is/was. Is F5 an advertiser with the NY TImes? Does anyone know which CVE this particular glitch has?

CVE-2012-1493

In the interest of full disclosure: I am an employee of F5 Networks. Not something I keep particularly secret, but as a rule I try really hard to stay away from work-related topics on the green, blue and elsewhere. My opinions and suchlike are my own, etc, etc.
posted by jquinby at 9:20 AM on November 23, 2012 [1 favorite]


Breaking in is good, if no damage is done and the owner is then informed of the weakness so he can fix it. Such people are heroes.
posted by EnterTheStory at 10:33 AM on November 23


No, such people are criminals unless they have been invited by the owner of a system to try to hack it. How about I break into your house, snoop around, crack your safe, find your porn stash, expose your private communications and letters... and then tell you I'm a hero for exposing the weaknesses in your home security? Are you going to agree I'm a hero when you didn't invite me to do all those things? Or are you going to call the cops?
posted by Decani at 9:39 AM on November 23, 2012


I mean, you can deduce this just from the position that the law-and-order users of this site take: security by obscurity is darn-tootin-plenty, and if you find a way in, even by incrementing a "get" id by one, you're morally obligated to do nothing other than maybe turn yourself into the police. (Indeed, you should never manually type URLs as that is morally fraught--what if you make a typo and see something you shouldn't have?)
Who has argued this?
posted by fatbird at 9:53 AM on November 23, 2012 [1 favorite]


That is how the word is used by almost everyone, which is how we find out what words mean.

Doesn't it seem just a little bit weird that people inside this group have a name they call themselves, and a definition for that name, and yet people outside that group are telling them that they are wrong, that their name actually means something else, and that they, the people who the name supposedly describes, ought to pick a different word? I'm going with the "people decide what to call themselves" here.

I helped start a hackerspace. Some but not all of the people who hang out there would call themselves hackers. To my knowledge there have been zero security-related projects pursued at ALTSpace, and yet anyone who is familiar with the idea of a "hackerspace" would instantly recognize it as an instance of the pattern. Perhaps that tells you something about what the label means to the people who use it.
posted by Mars Saxman at 11:07 AM on November 23, 2012 [5 favorites]


"No, such people are criminals unless they have been invited by the owner of a system to try to hack it. How about I break into your house, snoop around, crack your safe, find your porn stash, expose your private communications and letters... and then tell you I'm a hero for exposing the weaknesses in your home security? Are you going to agree I'm a hero when you didn't invite me to do all those things? Or are you going to call the cops?"

Yes, and this is why I won't tell you when I find an obvious hole in your security; when your very URL indicates that you're using web-technology insecurely. This attitude is why I won't contact you when the application you've written is obviously riddled with security holes (how did I find out? I tried to evaluate your technology on my own network, and found all sorts of stupid mistakes). I won't tell you about these things because I don't want to be treated like a criminal, I don't want you demanding that I provide free consulting services to you (if I don't provide these services to you I'm suddenly accused of extorting you).

Nothing to worry about, I'm sure the *actual bad guys* (who don't go around humiliating you publicly - why would they want to tell anyone they can break into your software/service/host if they have actual criminal intents) won't exploit this at all.

The 'palpable despair' noted in the article is completely true. And it's getting worse each year.

(yeah, and no one uses the word 'crackers' in the industry, really, no one, unless they want something to go with their cheese).
posted by el io at 11:51 AM on November 23, 2012 [4 favorites]


"*sigh* We'll know the world has changed for the better when "women" stop being listed along with "booze, dancing, [and] prizes" as one of the features of a conference."

It's worth noting that these are part of the corporate parties, not the actual conference. I've only seen 'booth-babes' once at the conference... And the reaction to this was not positive - the booth that had them was ridiculed.

More than that, when companies even have sales people (instead of engineers) at the various vendors' booths it doesn't go over very well (tech folks want to talk to other tech folks about technology, not ignorant sales-folks that can't answer technical questions about their products).
posted by el io at 12:01 PM on November 23, 2012 [1 favorite]


I'm going with the "people decide what to call themselves" here.

Yeah, like the time you told all your friends your nickname would be Lightning McCooly Cool and somehow they kept calling you "Colin".
posted by fightorflight at 12:08 PM on November 23, 2012 [8 favorites]


> Doesn't it seem just a little bit weird that people inside this group have a name they call themselves, and a definition for that name, and yet people outside that group are telling them that they are wrong, that their name actually means something else, and that they, the people who the name supposedly describes, ought to pick a different word?

No, it seems perfectly normal. That's how language works. In-groups can use whatever in-group terms they like, but once the wider world becomes aware of them, their terminology will almost certainly get used in ways they don't like. And they can holler "misuse" until they turn blue in the face and write indignant letters to the editor and sarcastic comments in web discussions, and still the 99.99% of English-speakers who are not members of the in-group will ignore them and use the language however they like. Go read up on King Canute and consider your options.
posted by languagehat at 1:45 PM on November 23, 2012 [3 favorites]


I agree that people should call themselves what they want and be respected in that, but, after almost 20 years of people insisting, to absolutely no effect, that the rest of the world uses "hacker" wrong, I think it's time to let it go. If that culture was a big part of my identity, I suppose I might feel otherwise, of course.
posted by thelonius at 2:00 PM on November 23, 2012 [2 favorites]


Who has argued this?

The comment right above yours, essentially (leaving off my hyperbolic parenthetical)?

As a customer of, say Giant Bank, I would much rather know that people were poking around at their website and trying to discover weaknesses and then let Giant Bank know about it. And if Giant Bank says "fuck you" about fixing the problems found, I'd like to know so I can use a different bank.

It has got to cost Giant Bank way more than, say $20,000 to undo the damage caused by a security hole, so why they don't just have a standing door prize for white-hats who can find ways in is beyond me.

But, of course, Giant Bank isn't interested in being secure, they're interested in whatever the cheapest way of appearing secure is.
posted by maxwelton at 5:06 PM on November 23, 2012 [2 favorites]


"el io" and "maxwelton" have answered this better than I could, but since the same question has been asked twice I'll answer:

Will your hero worship remain after they stop by your house while you are sleeping and leave a note on your pillow with a few of the vulnerabilities in your household security? They probably just left a note.

How about I break into your house, snoop around, crack your safe, find your porn stash, expose your private communications and letters... and then tell you I'm a hero for exposing the weaknesses in your home security? Are you going to agree I'm a hero when you didn't invite me to do all those things? Or are you going to call the cops?


Yes, and yes. Remember the analogy: there are vulnerabilities that are unknown to me, and for every good guy there are 100 bad guys who WILL smash stuff up. Are you seriously going to let that happen?

Not only will I invite the good guy in, I'll offer a reward, and set aside a special time when it's convenient for me and my valuables are elsewhere.
posted by EnterTheStory at 6:11 PM on November 23, 2012


It has got to cost Giant Bank way more than, say $20,000 to undo the damage caused by a security hole, so why they don't just have a standing door prize for white-hats who can find ways in is beyond me.

It's safe to say that most - if not all - Giant Banks invest quite a bit more than this in ongoing 3rd party testing and auditing. The best of these services employ automated tools and groups of whitehats who can validate the results of the tools. They don't advertise this; perhaps they should. The costs of a breach can be pretty staggering: there's fixing the problem, the PR damage, audits/fines in the aftermath, lost business revenues, etc.

Security, like a lot of things, is about managing risk. And the risks, these days, are really big: the tools available to the average interested script kiddie are wildly effective and very easy to use.

On balance, I think this is good if it causes more scrutiny and attention to good practices in code and design. On the other hand, there are many industries where the state of the art in technology is woefully behind the times, on the order of a decade or more.
posted by jquinby at 6:20 PM on November 23, 2012


Breaking in is good, if no damage is done and the owner is then informed of the weakness so he can fix it. Such people are heroes.

vs.

No, such people are criminals unless they have been invited by the owner of a system to try to hack it. How about I break into your house

You're both right, you know. One way in which computer security is screwed up is that basic, necessary, beneficial research is often made illegal. (Often at the behest of companies selling security solutions: it's expensive and risky to produce a secure product; it's cheaper to produce an insecure product and then intimidate your critics.)

As for the house analogy: Have you ever come home, maybe carrying a bag of groceries or wrangling a kid or something, unlocked your front door, and forgetfully left your keys dangling out of the lock for the rest of the day? What if your neighbor or a passerby noticed this and came up and knocked on your door and handed you your keys back? That's really the level that a lot of these vulns are at. In cybersecurity-analogy-world, if a passerby even saw your keys from the sidewalk and waved at you to point it out, they would reasonably fear legal harassment in response.
posted by hattifattener at 7:09 PM on November 23, 2012 [9 favorites]


fullerine: "That was simple human error and bad management.
They [senior management] don't even know about the successful attacks so they can't even hush them up.

And before you security experts pop in to explain it's all fearmongering and fantasy, I speak to you people all the time and the one constant message is the look in your eyes which says "I hope to holy fuck I am long gone before this shit falls apart". That and the thousand yard stare while you try to avoid vocalising the parts of your corporate memory which give you that perpetually screaming voice in your head.

There's always more, and it's always worse."

This is going to be a new goddamn back tattoo for me. All in gothic lettering on scrolls and shit.
posted by boo_radley at 8:55 PM on November 23, 2012 [1 favorite]


The Frightening Things You Hear at a Black Hat Conference.

Why was I expecting this to include examples of sexual harassment? I guess no harassment, just plain old sexism.
posted by grouse at 9:20 PM on November 23, 2012


a thermometer in a chamber-owned apartment was communicating with an I.P. address in China

It's probably a neat gadget to have on your wall, but are Turing-complete, always-on, networked thermostats something we really need?
posted by cosmologinaut at 10:05 PM on November 23, 2012 [1 favorite]


Hacker has more than one meaning.
posted by Wood at 10:45 PM on November 23, 2012 [2 favorites]


thelonius: "after almost 20 years of people insisting, to absolutely no effect, that the rest of the world uses "hacker" wrong, I think it's time to let it go"

The thing is, with at least 90% of the conversations where I bring up "hacking", we are talking within the context of a subculture. We both know that I am not talking about breaking into anyone else's machine. It is only when I forget my audience that this annoying issue even comes up. One of the things that defines a subculture is its vocabulary, so shifting nomenclature can be counterproductive.
posted by idiopath at 2:34 AM on November 24, 2012 [1 favorite]


after almost 20 years of people insisting, to absolutely no effect, that the rest of the world uses "hacker" wrong, I think it's time to let it go

As I noted, it seems to be this wider-world usage that is being collectively ignored. The conference is corporately underwritten and the participants appear to suffer no stigma from their association with it, so maybe you're the one who needs to let this dire need for One Universal Term go.
posted by dhartung at 9:54 AM on November 24, 2012


It's interesting that a few posts down in the Munchausen thread there's a similar discussion about language going on about "psychotic".
posted by ODiV at 10:40 AM on November 24, 2012


A few posts up, that is.
posted by ODiV at 10:51 AM on November 24, 2012


Of course FLAME via a govt (or two) and no one would admit this...more to the point: such meetings are usually filled with govt operatives noting what takes place and who is present.

I was thinking this too, but I have no basis for believing this other than 'it makes sense.' Do you have information supporting this, or are you coming at it from the same place I am?
posted by Thistledown at 7:07 PM on November 24, 2012

