“If you don’t hack your systems, someone else will.” The latest data breach statistics (IBM / Verizon / OSFDB) prove the conventional wisdom is still valid. The AT&T “hacking” case of Andrew “Weev” Auernheimer made me revisit my 2007 views on hacking and responsible disclosure, especially in light of the changes in the field since my article was published.
Weev’s case forces one to try to reconcile contradictory views: on one hand, the greater good was served because AT&T fixed a hole that easily exposed much sensitive personal information of their iPad users. On the other hand, after inspection of his code on Git, there is no reason to think it’s anything other than a case of parameter tampering, and clearly illegal.
In the broader picture, society needs people who can and are willing to expose information security issues that clearly hurt individuals (or groups of people), either physically or with regard to their privacy. We need a way to give people who have the technical prowess the ability to legally search for and report what they find, thereby improving and strengthening society.
With the disclosure that nation-states continuously hack computer infrastructures, and the development of industry bug bounty programs offered by Facebook, Microsoft and Google, it seems to me it’s time — and society is ready — to legalize hacking. Legalization does not mean we should give just anyone free rein to research another’s online infrastructure property. While I’m not looking to lay out an entire program in this short op-ed, I imagine such a program would be similar to Facebook’s bug bounty program: the researcher would most likely be required to register (or create a test account) and be looking for specific types of vulnerabilities in order to legitimately engage in the activity. Companies and government entities would be required to have procedures for receiving and fixing vulnerabilities reported to them through the “hacking” channel in a timely fashion.
“If you don’t hack your systems, someone else will.” That “someone else” already has, now we must. Legalize hacking now!
Rolling Stone chronicles the lifestyle exploits of Albert Gonzalez; a summary can be found in the USA Today article. Unfortunately I cannot provide a link to the actual Rolling Stone article because it is paywalled. You can find it at your local newsstand.
From the AP wires:
Latvia’s police confirmed on Thursday they had unmasked the man who became a folk hero for hacking tax office data to reveal fat salaries still being paid to state officials despite an official austerity drive.
“Neo” became famous earlier this year for publishing the tax office data of highly paid state officials, some of whom continued to receive salaries that went into thousands of lats or who got bonuses even as the government was cutting old age pensions, raising taxes and reducing spending.
I guess he swallowed the Red Pill.
Data stolen from HSBC in 2006 and 2007 still carries an impact. In this case around 15,000 people could suffer tax consequences. (Naturally, whether they sheltered money and cheated on their taxes is a separate issue.) The impact is worldwide.
A former IT employee of Swiss subsidiary HSBC Private Bank (Suisse) SA, identified by French authorities as Herve Falciani, obtained the information between late 2006 and early 2007, the bank said. The accounts, held by individuals worldwide, were all opened before October 2006.
Ultimately this means that the value of data depends on its relationship to the relevant state of affairs. Put differently, if a credit card account is inactive, that data is worthless to someone who attempts to use it. But if the inactive data ties one back to fraud that occurred last year, it’s still relevant.
In the case of HSBC, the accounts reflect who was (potentially) cheating on their taxes in 2006. If the statute of limitations has not run out, the information is still valuable.
Did you know that your car has a black box similar to an airplane’s? Most car companies use an open platform that allows this black box data to be downloaded and analyzed in order to aid investigations. In the February 22nd, 2010 issue of Newsweek, Matthew Philips reported that Toyota uses a closed data system. Unfortunately this article is not online so I cannot link to it, but it is on page 12 of the current issue.
The article gives no indication whether or not the data is encrypted or encoded. It is my guess that it’s an unencrypted proprietary format. To me it seems unlikely that Toyota would go through such efforts to protect/encrypt data that they claim is not designed for accident reconstruction but rather intended to “aid research on safety systems such as airbags.”
Given the Toyota recall, we see the double-edged nature of closed systems: on one hand, the data is protected from eyes outside Toyota; on the other hand, the lack of transparency (and non-compliance with industry open standards) leaves it vulnerable to attack by the larger justice system for being potentially negligent about the technical malfunctions that lead to a higher crash rate.
I’m not sure I like it when Governments do this kind of stuff.
On Tuesday, German Finance Minister Wolfgang Schäuble said the government had agreed to buy a CD from an anonymous informant that contains the stolen bank details of up to 1,500 people who are suspected of evading German taxes by stashing their money in Swiss bank accounts.
I will most likely write more on this case through bloginfosec.com.