2019 is shaping up to be a really energetic year. Even before January 1st, events were already in motion for a colorful round of stories. At the heart of the public's interest in computing is hacking, the deep and swirling mystery; at the heart of hacking is curiosity, the desire to untangle deep and swirling mysteries. Though both groups are chasing the same mystery, they couldn't be farther apart: any tinkerer or hacker wonders why common knowledge isn't more common, and common thinkers wonder what all the bother is.
There is a natural law of distribution at work here: it seems the top 1% of bug bounty hunters earn something like 80% of the awards, although the figures different organizations say they've collected to back up their particular power-law numbers are disputed. What's a nice turn for the times is that many organizations now consider the open scrutiny of hundreds of strangers a valuable discovery tool. While in-house detection and remediation is still the primary line for most companies, consider this shift in mentality…
A history of access
Years ago, some web surfers were introduced to the idea that many ATMs were still running with their factory-default passwords. ATM "operator mode," unlocked with a master password, allows nearly any imaginable control over the machine. Today the factory passwords are still easy to find online, and that puts a lot of people in a peculiar moral spot; physical access to a physical object is just as intrusive as virtual access to personal data. These days, however, not enough people are inhibited by feelings of wrong-doing when they get their hands on potential 'keys.' So discovering and fixing bugs and exploits, and changing default passwords before someone else tries them, matters more than ever.
Gambling with security
You'd think producers would recoil at the idea of compromised security considering the "treasure troves" they're often supposed to be accountable for. One blithe and dramatic oversight is playing out right now. A duo of hacker-tinkerers stumbled onto a server transmitting and storing information without encryption. Even unencrypted data takes a while to make sense of, and they eventually determined they had stumbled into the back end of a company responsible for Las Vegas casino rewards program members. Present in the data were photocopied IDs, bank account and financial details, and Social Security Numbers, with virtually nothing stopping real damage or theft from occurring.
The duo connected with a mentor-type who then connected them with the FBI and the servers' owners. A big party-line call took place, and the company that owned the servers ended the call by asking whether they could go private with the duo and talk about a bounty or reward. The company has since, allegedly, strung the duo along: it never fixed the problem, gained more customers, and offered more services that gather more data, including data points for facial recognition. Then came the face-to-face meeting the company didn't expect, at an expo in London a little while ago, which "blew up" on social media. How that attention plays out for everyone involved isn't finished yet, but I framed that story this way: "these days, not enough people are inhibited by feelings of wrong-doing when they get their hands on potential 'keys,'" and this company may have skated too long on good luck.
More eyes are better
Master keys have existed for as long as locks have, but only recently has the culture of jiggling the lock gone from shameful, dirty-for-even-thinking-it, to misunderstood but possibly a necessary evil. What the idea of hacking should do is align in the public's imagination with other issues of safety where it's a given that "it takes a village." That it might take a village is a phrase used when talking about keeping kids safe. On that note…
When government entities find flaws, no one bats an eye as to how it got done. Smartwatches for kids were another case where data at the backend went unencrypted, allowing anyone to alter commands to the kids' watches, speak through them, track them via GPS, sift through data stored on the account and more. Lack of encryption is the headline, but the practical damage comes from a backend that accepts commands from anyone: encrypting the connection alone would not have stopped an outsider who could still read and write any account's data. It stands as one of the first EU recalls of a tech toy, though other tech toys have been cited as dangerously flawed.
The lede in that story doesn't have to be the smartwatch, the EU recall or the unencrypted server. People like Christian Bernieri, an Italian data protection expert, added to the alarm. Hackers, pentesters and White Hats can point out other dangers that organizations or governments might not be able to discuss or investigate as freely. What Christian brought attention to was that China seemed to have more control over the smartwatch and its app than anyone else did.
There’s no magic, just people
The chasm between the tinkerers and the general consumer is perceived as wider than it actually is. Take this humble-pie tweet from a respected hacker (with over 18K followers):
“I don't know how to hack everything, never will, and neither will any of you. If that makes me a "noob", a word I think is asinine, OK, then that's what I am. I am also not a thought-leader, influencer or expert. I just know some stuff about computers and love them, dearly.” -BlackRoomSec (@blackroomsec), January 29, 2019
It's really in the corporations' interest to convince the buying public that magic powers their products, magic of the deep and swirling mysterious sort. The presence of hackers, tinkerers, pentesters ('penetration testers,' shortened) and InfoSec onlookers should hint to regular users that there's no magic going on. While this doesn't mean every technology has an affordable $35 Raspberry Pi counterpart waiting to be built, it does mean that the knowledge of what's happening is within the grasp of regular people, regardless of the smoke and mirrors. And there's evidence that some hackers are ready for the audience.
Not long ago I came across a tweet among the White Hat crowd I follow that said something to the effect of how they were all just wizards trying to impress other wizards. It certainly stuck with me. What hackers will hopefully gain as the days and months of 2019 go by is a good couple of PR wins: babies kept safe, gamblers' IDs protected, phone security locked down, and coming across as the brainy and strategic class of folk we need, who also need us.