
Tag Archive for black hat

The Internet of Things

https://hacked.com/hackers-find-way-remotely-switch-smart-sniper-rifles-target/

Now, as a rule, I am all for pushing technology forward.  Building new things, breaking sh*t, changing the way that people think about pretty much everything.  Forward is good.

But incautiously forward is becoming the norm.  While there are hundreds of companies pushing forward the idea of IoT (Internet of Things), they are all, almost invariably, following the “MPB” model (minimum playable build).  The idea behind the MPB is to get your product to market first, start establishing your user base, let your consumers become your testers, and thereby get them to buy in to your product.  After all, it’s their suggestions and requests that you are taking and implementing, so they now have some skin in the game.

The problem arises when security gets involved.  When you have a user base of ten or a thousand, you’re often not big enough to attract attention from any serious hackers.  So it’s easy to get lax on security for the sake of time to market.  You can fix it after the fact, right?  But as your development teams turn over and new faces replace the old, those security flaws (which you knew about but planned to fix once you were a viable product, really) get layered over.  They get forgotten, or you hope they never get noticed.

The thing about the kinds of people who hack a system is that they love to know sh*t.  If you get cool enough or big enough, they’re going to take a look.  They’re going to want to pop the hood to see if your programmers did something really slick in there, or if it’s a train wreck in a shiny plastic housing.  The flaws will be found out, and if you’re lucky, you were hacked by an ethical bunch, who will be happy to take their turn deconstructing you at Black Hat and may (if paid) help you to fix those flaws before someone gets hurt.


The very fine line

https://www.techdirt.com/articles/20150420/05585630727/fbi-united-airlines-shoot-messenger-after-security-researcher-discovers-vulnerabilities-airplane-computer-system.shtml

The above caught my attention the other day, in part because I have an ongoing fascination with transitional spaces: those grey areas which aren’t quite “good guy” and not quite “bad guy”.  Most of the ones I encounter are legal grey spaces (rather than moral ones).  A law or a rule has been put in place that is ignored if the rulebreaker is working for the greater good, and enforced when the rulebreaker is operating with malicious intent.  Needless to say, this kind of inconsistent enforcement can become a problem, especially if clear secondary boundaries are not set.

Take (as a similar example) the bounties that companies like MSFT and Facebook place on finding security holes in their software.  There are potential criminal penalties for finding and exploiting these holes, but if you find one and are the first one to report it (I’m oversimplifying here, I’m aware) there is often a bounty awarded.  In both cases, the act of hacking the software is technically illegal (again, oversimplifying), but the company chooses to reward one instance and prosecute another (which makes sense, right?  One hack is by a good guy, helping to make the software more secure; the other is by the bad guy, exploiting the hole for personal gain).

But because of these inconsistencies, the laws get hard to enforce.  Law enforcement and the corporate interests may not align.  Hackers and crackers may switch hats with regularity, working on “white hat” projects and “black hat” projects simultaneously or in turn, depending on where their interests lie.  Because of this, law enforcement tends to regard most (if not all) of them with equal suspicion, leading to incidents like the one above.