Forgot your password?
typodupeerror
Security The Media IT

Forbes Offers a Sympathetic Portrayal of Hackers 97

Posted by kdawson
from the we're-not-the-enemy-and-they-know-it dept.
selain03 sends us to Forbes for a surprisingly tolerant article on the recent Defcon. The reporter spoke to several of the event organizers and faithfully conveyed their characterization of the community as motivated by curiosity about technology. The article quotes a Department of Defense cybercrime guy: "Run-of-the-mill individual hackers are just noise as we try to focus on the real problem. We have to investigate every threat, but we're often dealing with ankle biters." A refreshing perspective to read in the mainstream media.
This discussion has been archived. No new comments can be posted.

Forbes Offers a Sympathetic Portrayal of Hackers

Comments Filter:
  • Because that doesn't sound like a sitcom or anything...
    • by syousef (465911) on Tuesday August 07, 2007 @11:53PM (#20152055) Journal
      Because that doesn't sound like a sitcom or anything...

      You're forgetting pwn-ography never makes it to mainstream tele.
  • "ankle biters"? (Score:5, Insightful)

    by timmarhy (659436) on Tuesday August 07, 2007 @11:46PM (#20152013)
    As shown in the past, it's often the very very simple hacks like finding an unprotected machine and installing sub7 on it that brings down the giants. A high level of technical experience is NOT a prereq. for a serious hack
    • Re:"ankle biters"? (Score:5, Insightful)

      by Creepy Crawler (680178) on Wednesday August 08, 2007 @12:25AM (#20152337)
      True that, but is does take a great deal of restraint and expertise to go black hat and not leave a trace.

      Black hats go by a different name: corporate espionage. In that, they are in a profession of spy with computers and data, and not of personal communications.
      • Re:"ankle biters"? (Score:5, Interesting)

        by Opportunist (166417) on Wednesday August 08, 2007 @04:14AM (#20153527)
        You make that sound like it's some cool spy movie. It isn't. It's just plain illegal. Well paid, granted, but illegal. It's neither flashy (you can't even brag about your smooth moves!) nor in any way exciting. Neither is being wanted by some three-letter-agencies. Do you happen to know why they ALL have three letters, no matter what country or nation they belong to?

        The only movie related thing that is real for a black hat is the briefing closing line from Mission Impossible: If anything goes wrong, we don't know you anymore and have never known you even existed.
        • Because clearly, spies operate entirely within the bounds of the law *rolls eyes*
        • by alx5000 (896642)

          You make that sound like it's some cool spy movie. It is. It's just plain illegal. Well paid, granted, but illegal. It's neither flashy (you can't even brag about your smooth moves!) nor in any way exciting. Neither is being wanted by some three-letter-agencies. Do you happen to know why they ALL have three letters, no matter what country or nation they belong to?
          There, fixed that for ya. Boy, that was easy, keep 'em coming!
          • Well, ymmv.

            If you have the skills and think it's something you're interested in, there are a few companies that are hiring in that area.
        • by VJ42 (860241) *

          Do you happen to know why they ALL have three letters, no matter what country or nation they belong to?
          They don't, GCHQ [gchq.gov.uk] is our (the UK) equivalent of the NSA. As you can see, it has four letters.
          /pedant
        • Re:"ankle biters"? (Score:4, Insightful)

          by Lord Ender (156273) on Wednesday August 08, 2007 @11:22AM (#20157067) Homepage

          You make that sound like it's some cool spy movie. It isn't. It's just plain illegal. Well paid, granted, but illegal. It's neither flashy (you can't even brag about your smooth moves!) nor in any way exciting.
          Imagine you have some custom malware which is only in use in a few places in the world. There will be no anti-virus signature for it because its custom. Now imagine it looks for certain words or phrases (such as "earnings") in Word or Excel documents and encodes the surrounding text in to some covert, background-noise packet, like NTP or DNS. You have also programmed your bug to only phone home while the computer is in use, so you don't trigger any off-hour activity alarms.

          You now know whether these companies will beat earnings estimates or not. You can sell short or buy on margin with 100% confidence on the days these companies release their earnings reports.

          So, no, you can't brag or tell chicks at bars that you are a spy doing espionage. But you CAN brag that you are a "trader" and are up 600% YTD.

          Most companies barely fund and train their security departments well enough to stop mass worms--the kind that screw up large numbers of computers and suck up noticeable amounts of resources. There is NO WAY they would find a bug that does not replicate and lives on only a single PC in the finance department. Even if they did, they would likely just reformat the thing and be done with it. No reason starting in on forensics! Time is money!

          Also, there is no huge chunk of money missing from any individual person, so who is going to hunt you down? You've only stolen a fraction of a penny per share from thousands of oblivious shareholders.

          When the rewards are so high and the risks are so low, you can bet that there are many less-ethical people out there who are willing to do it, and would enjoy every minute of it. For some people, it wouldn't take much work convincing themselves that they are no more crooks than the people they are stealing from.
          • You might be surprised. The case you described is far from fiction.

            Though companies do actually put that PC up for forensics. A PC is cheap. Rip it out, throw it to forensics, put in a new machine for the accountant. What really matters is that this MUST NOT happen again. That would cost a fair lot of money (especially if someone leaks that information). That loss would make the cost of a PC including forensic examination look like pocket change.

            Such things do happen. And yes, they get investigated. In shor
            • Perhaps some companies pay for the people, tools, and training necessary to detect a custom bug. Fewer yet may even send computers generating suspicious activity off to forensics for in-depth analysis.

              Most say "We have anti-virus and IDS, and we hired a few people at $60k to look over the systems. We have done our due diligence, so our ass is covered if something bad happens." Such places will also have the occasional meeting with the agenda: "How can we cut costs at our security department so senior exec b
              • I know how I get information back from a bug.

                Only have a bug report when traffic to internet is high. Then post a few hundred bytes to a popular blog (slashdot) and have it xored to a known key.

                Retrieval is easy. Hit target dump-site (the blog) on a wifi network, probably with proxies to even mask that.

                Congrats. You just smuggled data out.
                • One communication channel which I think is interesting is Wikipedia. Even if your bug's stego is edited out, you can view it via the article's history.

                  If the target in question actually uses Wikipedia, this would be about as undetectable as it gets.

                  And yes, for retrieval, you use a power-boosted antenna to public wifi, bounce through a few countries, hit tor and check the wiki page. Though, if your bug uses good stego on a high-traffic page, such secrecy may not be needed.
          • These people really don't understand. They think that hacking is some techno-porn orgy one sees on the "haqr" shows. It sadly is not.

            Good luck trying to find evil-ware when it's custom and yet munged with packers. It'd be better yet if the export was a gpg encrypted to a public key that was packed within. Do you think techies working in IT at a big company have the expertise to properly unpack and dead-list it correctly (assuming that the reverse assembly removes impossible loops)? I think not. Some of the
          • by alienmole (15522)

            So, no, you can't brag or tell chicks at bars that you are a spy doing espionage.
            Why not? It's always worked for me...
      • but with great power, comes great responsability
        • by russotto (537200)
          With great power, comes great responsibility. With absolute power comes no responsibility at all (cut to mad scientist's face illuminated by lightning bolts. Or Galadriel's test in LOTR).
    • Re: (Score:2, Interesting)

      by Anonymous Coward
      I work for a billion dollar privately owned health insurance company, and we recently had an incident where an internal development group connected an internal development machine to the DMZ without adequate password controls, violating several policies (password standards, development system standards, DMZ-house system standards, etc) to do some file transfer testing for an app they'd written. They even had a name setup in our external DNS! Someone ssh'ed in with a service account with the same password
    • A high level of technical experience is NOT a prereq. for a serious hack
      No, but a high level of technical incompetence on the part of the hack-ee is.

      - RG>
      • Re: (Score:2, Insightful)

        by Garridan (597129)
        Not really. People with extremely high technical competence still miss the little things once and a while. Only takes one little hole.
    • Re:"ankle biters"? (Score:4, Interesting)

      by Opportunist (166417) on Wednesday August 08, 2007 @04:25AM (#20153581)
      It is a prerequisite, though, for hacks that aren't executable by clickmonkeys. Granted, pretty much every exploit there is today has been "tooled" to perfection, so that even the most clueless brick on earth can use them to do harm.

      I'm honestly not afraid of hackers. I mean, the old school kind. The "real" ones. The ones that actually know that TCP/IP ain't the Chinese secret service and that a buffer overflow isn't something that requires a plumber to fix. In their growth years, they sooner or later stumbled upon the hacker's creed, and whether they heed it or not, the damage they do is usually minimal. Yes, they may steal your data (which is often enough a severe damage), but they don't destroy data intentionally.

      What I'm afraid of is the scriptkid. The person without a clue, but with a tool. He doesn't know what he does, he doesn't know what he aims for, but he just clicks and hopes, trying to destroy and mess with other people's computers. He's the equivalent of the schoolyard bully. No clue, no skill, no perspective, but the need to once at least "prove" that he's "better" than someone else. If you're looking for wanton data destruction, that's the place to look for it.
  • I can see it... (Score:5, Insightful)

    by thatskinnyguy (1129515) on Tuesday August 07, 2007 @11:46PM (#20152015)
    Who better to design safes than professional thieves?
  • by Anonymous Coward on Tuesday August 07, 2007 @11:46PM (#20152017)
    Some of the Defcon guys thought it would be hilarious to hack a major media outlet and place a sympathetic story about themselves on it. Mission accomplished!
  • by Jah-Wren Ryel (80510) on Tuesday August 07, 2007 @11:51PM (#20152047)
    A Forbes article that isn't hyper-sensationalist and pro-status-quo?
    What, was Daniel Lyons too busy impersonating Steve Jobs to do the piece?
  • by duck0 (1073338)
    Maybe I'm just being foreign, but what' the heck is an Ofer?
    • Maybe I'm just being foreign, but what' the heck is an Ofer?

      http://en.wikipedia.org/wiki/Ofer [wikipedia.org]
      Ofer (Hebrew: ) is a moshav located south of Haifa, Israel in the Carmel Mountains and is a part of the Hof HaCarmel Regional Council. The moshav was founded in 1950 by immigrants from India. Agricultural income is derived from raising cattle, sheep and chickens growing vegetables and flowers, and tourism.

    • Look at the title and then look at the word "ofers" again. Notice any similar ones?
  • by Tatisimo (1061320) on Wednesday August 08, 2007 @12:05AM (#20152165)
    Why didn't the more interesting story about the evil undercover reporter who got pwned made it to the mainstream media? There's no justice in this world for hackers... Won't somebody think of the hackers? ;_;
  • Maybe they saw what happened to the other reporter. *shudders*
  • "They're so cute when they launch missles."
  • About Forbes (Score:4, Insightful)

    by prakslash (681585) on Wednesday August 08, 2007 @12:48AM (#20152447)
    May be it is just me but I find Forbes to be like women's "Cosmo" magazine for dumb guys and wannabes.

    All it has is 3 things: (1) Articles that state the obvious (2) Shit load of Rolex and Lexus ads (3) Those top 10 lists like 'top 10 affordable vacation getaways' where their definition of affordable vacation is something that costs between $30k and $100k.

    Sometimes it is almost like they are taunting the reader, saying "look, drool and weep".

    Even in this article, their 'discovery' is that serious hackers are curious about technology, script-kiddies are just a nuisance.

    Color me surpised...

    • Re:About Forbes (Score:5, Informative)

      by Animats (122034) on Wednesday August 08, 2007 @01:29AM (#20152703) Homepage

      May be it is just me but I find Forbes to be like women's "Cosmo" magazine for dumb guys and wannabes.

      Forbes went downhill after Malcom Forbes Sr. died. Forbes Magazine used to do some hard-hitting investigative reporting. Malcom Forbes Sr's attitude was "Go ahead, sue me for libel. I'm a billionare". They've gone soft since the son took over.

      Business Week, which used to be the cheering section for big business, has improved a bit.

      It's not clear what will happen to the Wall Street Journal under Murdoch's ownership, but it's not looking good. The WSJ has gone downhill in the last few years, anyway. The fundamental problem is that its classic functions, stock charts and major stock-related events, are all on line now. Nobody on Wall Street needs to read the Wall Street Journal; anything that affects trading was on their Bloomberg long before.

      • Forbes went downhill after Malcom Forbes Sr. died. Forbes Magazine used to do some hard-hitting investigative reporting.

        I'd like to take a moment here to mourn American Heritage and its sister publication I & T, or as it was once known, The American Heritage [of] Invention and Technology. Literate, distinguished, gorgeously illustrated.

    • by avatar4d (192234)

      May be it is just me but I find Forbes to be like women's "Cosmo" magazine for dumb guys and wannabes.

      All it has is 3 things: (1) Articles that state the obvious (2) Shit load of Rolex and Lexus ads (3) Those top 10 lists like 'top 10 affordable vacation getaways' where their definition of affordable vacation is something that costs between $30k and $100k.

      Sometimes it is almost like they are taunting the reader, saying "look, drool and weep".

      All it has is 3 things and Point 1 are baseless. All opinion and

    • by sgt_doom (655561)
      Nah...prakslash, it's not just you....why would anyone who has ever done ANY serious hax give a flying f**k what Forbes thinks????
  • Run-of-the-mill individual hackers are just noise as we try to focus on the real problem. We have to investigate every threat, but we're often dealing with ankle biters.
    Wait 'til Tiffany drives a bike into your premises, blowups everything in her path and then turns down your entire power grid with a ssh hack.

    Don't underestimate the power of a desperate hacker in shiny leathers.
  • Own the Box (Score:1, Troll)

    by eric76 (679787)
    I've been curious about the results of the Own The Box competition.

    Did any boxes not get owned? How many?

    How did the various OS's on the box fare?

    Does anyone have any link to the results?
    • by neurovish (315867)
      According to the awards ceremony, nobody fessed up to owning any of them. DT hypothesized that it was because once somebody got into the box, they saw that it was a PIII and felt it wasn't worth their time. He didn't give any more details though.
      • by eric76 (679787)
        Thanks. I've been curious about the results since I saw several requests for systems for the contest.

"Neighbors!! We got neighbors! We ain't supposed to have any neighbors, and I just had to shoot one." -- Post Bros. Comics

Working...