Tag Archives: bloginfosec.com

Legalize Hacking Now!

“If you don’t hack your systems, someone else will.” The latest data breach statistics (IBM / Verizon / OSFDB) prove the conventional wisdom is still valid. The AT&T “hacking” case of Andrew “Weev” Auernheimer made me revisit my 2007 views on hacking and responsible disclosure, especially in light of the changes in the field since my article was published.

Weev’s case forces one to reconcile two contradictory views. On one hand, the greater good was served, because AT&T fixed a hole that easily exposed a great deal of sensitive personal information about its iPad users. On the other hand, after inspecting his code on Git, there is no reason to think it was anything other than parameter tampering, and that is clearly illegal.

In the broader picture, society needs people who can, and are willing to, expose information security issues that clearly hurt individuals or groups of people, either physically or with regard to their privacy. We need a way to give people with the technical prowess the ability to legally search for such issues and report what they find, thereby improving and strengthening society.

With the disclosure that nation-states continuously hack computer infrastructures, and with the industry bug bounty programs now offered by Facebook, Microsoft and Google, it seems to me that it is time, and that society is ready, to legalize hacking. Legalization does not mean giving just anyone free rein to probe another party’s online infrastructure. While I’m not looking to lay out an entire program in this short op-ed, I imagine such a program would be similar to Facebook’s bug bounty program: the researcher would most likely be required to register (or create a test account) and to be looking for specific types of vulnerabilities in order to legitimately engage in the activity. Companies and government entities would be required to have procedures for receiving, and fixing in a timely fashion, vulnerabilities reported to them through the “hacking” channel.

“If you don’t hack your systems, someone else will.” That “someone else” already has, now we must. Legalize hacking now!

Spam used to sway UK tax poll outcome

It is alleged that Goldman Sachs did this in London:

The Robinhood Tax campaign claimed that one of the two computers used to spam the Internet poll with “no” votes on Thursday belonged to the investment bank.

Technical staff for Robinhoodtax.org.uk said that the website registered more than 4,600 negative votes over a 20-minute period starting at 3.41pm.

The number of “no” votes jumped from 1,400 to 6,000 before the site’s security was tightened.

I wrote about this possibility — although using a different technique to simply change public opinion — back in 2008 for the US presidential elections.
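The quoted report says only that a burst of several thousand “no” votes came from two computers in about twenty minutes, and that the site’s “security was tightened” afterwards; it does not say how. The following is an added example, not code from the post or from the Robin Hood Tax site, of the simplest control that blocks that particular pattern: a per-source sliding-window limit over a vote log. The log, the IP addresses (RFC 5737 documentation ranges), the window and the limit are all constructed for illustration.

```python
"""Per-source rate check for an online poll.

Added example, not from the original post. The vote log below is
constructed: 40 ordinary voters casting one vote each, plus two sources
that each stuff 300 "no" votes at roughly one every two seconds. A vote
is rejected when its source has already cast LIMIT votes within the
preceding WINDOW seconds. IPs, timestamps and thresholds are made up.
"""
from collections import defaultdict, deque

WINDOW = 20 * 60  # seconds; chosen to match the 20-minute burst in the report
LIMIT = 5         # votes accepted per source per window (assumed policy)


def make_sample_log():
    """Return a list of (unix_ts, source_ip, vote) tuples, sorted by time."""
    base = 1_000_000
    log = []
    # Ordinary voters: 40 distinct sources, one vote each, every 30 seconds.
    for i in range(40):
        log.append((base + i * 30, f"198.51.100.{i + 1}", "yes" if i % 2 else "no"))
    # Two stuffing sources: 300 "no" votes each, interleaved, ~1 vote/2s.
    for i in range(300):
        log.append((base + 600 + i * 2, "203.0.113.10", "no"))
        log.append((base + 601 + i * 2, "203.0.113.11", "no"))
    log.sort()
    return log


def naive_tally(log):
    """Count every vote as cast: this is what the stuffed poll showed."""
    counts = defaultdict(int)
    for _, _, vote in log:
        counts[vote] += 1
    return dict(counts)


def tally(log, window=WINDOW, limit=LIMIT):
    """Count votes, rejecting any source that exceeds `limit` per `window`.

    Returns (accepted_counts, rejected_per_source, flagged_sources).
    """
    recent = defaultdict(deque)   # source -> timestamps of accepted votes
    accepted = defaultdict(int)
    rejected = defaultdict(int)
    for ts, src, vote in log:
        q = recent[src]
        # Drop accepted votes that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= limit:
            rejected[src] += 1
            continue
        q.append(ts)
        accepted[vote] += 1
    flagged = {src for src, n in rejected.items() if n > 0}
    return dict(accepted), dict(rejected), flagged


if __name__ == "__main__":
    votes = make_sample_log()
    print("as cast:   ", naive_tally(votes))
    acc, rej, flagged = tally(votes)
    print("rate-limited:", acc)
    print("flagged sources:", sorted(flagged), "rejected:", rej)
```

The naive count shows the stuffed result (620 “no” to 20 “yes”); the rate-limited count keeps five votes from each stuffing source and drops the rest. The caveat a practitioner would add: a source-IP limit only stops the clumsy case in the report (two machines, one burst). Votes spread across a proxy pool or a botnet pass straight through it, so a poll that matters also needs per-account or per-session limits, a proof-of-work or CAPTCHA on the vote endpoint, and after-the-fact anomaly review of the vote timeline.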

H1N1 InfoSec Article

My H1N1/infosec article received good reviews from colleagues. Check it out here.

Cloud Computing Article Published on bloginfosec.com

Check out my response to Newsweek’s Daniel Lyons on cloud computing. Be sure to read the second page where most of the commentary happens!

Also, subscribe to my newsletter! Cheers.

Cloud Computing and H1N1

I finished two articles today for bloginfosec.com. The first will be published tomorrow (6AM EST) on cloud computing and can be found here (again, tomorrow!!!). The second will be published the day after tomorrow. It’s on H1N1 and its relevance to infosec. It will be found here. I have one more article to go!

Two New Columns and WordPress Bugs

I am writing two new columns for bloginfosec.com. Hopefully I can get some more work done on them this weekend. They should be published on the next two Mondays.

I was updating my profile and found that the HTML target tags were being automatically removed! Grrrr…