Forgot your password?
typodupeerror
Security

True Tales of (Mostly) White Hat Hacking 35

Posted by samzenpus
from the playing-for-the-right-team dept.
snydeq writes "Stings, penetration pwns, spy games — it's all in a day's work along the thin gray line of IT security, writes Roger A. Grimes, introducing his five true tales of (mostly) white hat hacking. 'Three guys sitting in a room, hacking away, watching porn, and getting paid to do it — life was good,' Grimes writes of a gig probing for vulnerabilities in a set-top box for a large cable company hoping to prevent hackers from posting porn to the Disney Channel feed. Spamming porn spammers, Web beacon stings with the FBI, luring a spy to a honeypot — 'I can't say I'm proud of all the things I did, but the stories speak for themselves.'"
This discussion has been archived. No new comments can be posted.

True Tales of (Mostly) White Hat Hacking

Comments Filter:
  • much worse has happened and it has been someone at the cable head end messing up.

    Like porn on the OTA channel showing the super bowl on cable systems or porn showing up on the EAS / public access channels.

  • 'Three guys sitting in a room, hacking away, watching porn, and getting paid to do it — life was good,'

    It's not gay if we don't make eye contact with each other... Why are you staring at m-- Ohh, my bad. Carry On!

    • Bothered me when I read that too. One thing I never want to hear is, "You all got boners too?"
      I've never watched porn with other guys, nor has any one of my male friends asked if I wanted to watch some porn with them.
      I'm sorry, but watching porn is a private thing.
      • by Anonymous Coward

        If you RTFA, you'll see that their employer specifically asked them to experiment with stealing porn from the porn channels as well as putting porn on family-oriented channels. This isn't a case of some guys at work wasting company time watching porn together, they were legitimately tasked with looking for exploits related to porn on the device.

        • by CheshireDragon (1183095) on Monday July 22, 2013 @06:58PM (#44356107) Homepage
          Yes, I did RTFA. I've done things like this before when I was doing industrial hacking back in the late 90s. I understand the joy they were getting from doing this job and succeeding. What is creepy is how he worded it.

          "Three guys sitting in a room, hacking away, watching porn, and getting paid to do it — life was good," Then he added "The only thing missing was the beer."

          I just see it different. Could also be the fact that when I worked with a team in those days, it was always remote with the others scattered across the country and it wasn't hacking cable companies, but routers. So, there was no TV.
      • by i.r.id10t (595143)

        Buddy of mine would put on porn tapes of just snippets of action during parties - no lighting effects, no music, just 10 to 30 second clips of raw hard farking in various gender combinations. Then mute TV, play at 2x speed, and crank the stereo up. Seemed to work well.

  • i-Guide

    Now did that hack let you get FREE HBO and PPV movies or just local remap channels?

  • Over the years there have been stores of getting big pron PPV / VOD bills for shows they did not see how likely was it that some hacked the box so they where able to get free pron?

    http://consumerist.com/2008/06/21/listen-time-warner-the-60-year-old-english-teacher-didnt-order-1400-of-porn/ [consumerist.com]

  • One of the sillier things that the culture of individualism has brought is heroism: the idea that one person or a very small group of people are supermen, able to challenge all perceived evil and win the day. But it's bullshit. There are only two ways to make a system secure: 1) Have everyone on your side; 2) Have no one use it. 2 is approached by an awful lot of firms: why release an exploit for system X, when you get 100x the exposure with an exploit on system Y? 1 is approached another way: many eyes.
    • by sjames (1099)

      Mostly the 3 guys find the stuff that every bad guy and his brother would find. There's still hundreds out there who could exploit some undetected flaw, but that's down from many many thousand. You can hope (but not be assured) that they'll be too busy having fun with someone else's security holes to get around to you.

    • Re: (Score:3, Interesting)

      by Anonymous Coward
      Ah yes, another Slashtard screaming that if you can't solve every problem then you can't solve any problem. So black and white. So lunkheaded.

      For those of us that live in a world with shade, color and hue? We're a bit more progressing in our thinking. That's what makes us humans.
    • One of the sillier things that the culture of individualism has brought is heroism: the idea that one person or a very small group of people are supermen

      Supermen are not required to secure a system and a few or one intelligent person can challenge the ideas of the day and keep moving us forward.

      Sure I could probably hand pick a group of a hundred people that couldn't set the clock on your microwave or I could find just one person that could build you a microwave and set the clock.

      After all we are individuals, I have no idea what you had for breakfast.

    • by raymorris (2726007) on Monday July 22, 2013 @08:35PM (#44356871)
      Nothing will ever be proven 100% secure because it's easier to break things than make them. However, typical software is akin to a car door that's not only unlocked, but swung wide open. 95% of developers have less than two weeks of security training, often less than 8 hours. They put approximately zero effort into security. It doesn't take a huge team of security experts to close the door and lock it.

      When I started my current job, it took me maybe 40 hours to reduce our attack surface by 90% because my predecessor either knew nothing about security, or just didn't care.
    • Huh? You act like the 'culture of individualism' is something new, possibly American.
      Read Homer's Odyssey. Or most any polytheistic mythology and see what sorts of humans the gods deal with.
      It's all about heroes.
  • 'I can't say I'm proud of all the things I did, but the stories speak for themselves.'"

    Not proud? I assume that means that you were not proud of watching porn with three other guys. I don't even want to know what you did that might make you feel not proud.

    But good going with the techniques you used to catch the bad guys,

    Spamming porn spammers, Web beacon stings with the FBI, luring a spy to a honeypot

  • ...watching porn...probing for vulnerabilities...
  • by Chas (5144) on Monday July 22, 2013 @05:15PM (#44355143) Homepage Journal

    ...of an idiot who was teaching people how to hack into certain types of setups in an open IRC channel of mine.
    And he was using his employer's servers to do it!

    Now this guy was, at the time, causing ALL sorts of grief for me and several of my colleagues. He kept trying to hack our message boards, hack our e-mails, break onsite computers, tried DDOS'ing us numerous times, was sniffing wifi traffic for all he was worth, etc. All while claiming he was "twice the hacker of all of us put together".

    Anyhow, I was basically logged into my channel 24x7. So I'd logged the whole thing. Including the part where the guy promised to "eventually" get around to cleaning up the hack job they'd used to get in.

    Well, he probably WOULD have.
    Had a copy of the complete IRC log, including the mention of live customer financial data being on that server, NOT found its way directly to the company's owner.

    The next time the guy came in, he was detained, his system was imaged for evidence, and he was let go.
    And it took him nearly 3 months before anyone got around to actually telling him who'd dropped the dime on him.

    And all without doing a single illegal thing.

    I later wound up helping the FBI give him a vacation at Club Fed.
    And it looks like he's going back to stay for a while. [wikipedia.org]

    • Sometimes it is the simplest of things, a client of mine was experiencing random server "crashes". Investigate, and find every single one was a controlled shutdown initiated by the admin user account. I said they should change the admin account ASAP. They said they had tried but other systems where the previous admin had used the admin account would break, and they didn't have a list. To what would be affected. I said and this is better than having someone randomly shutting down your operations, and potenti
  • Oh, for the love of %DEITY....

    Here's a link to the one page version of the story:

    http://www.infoworld.com/print/222831 [infoworld.com]

Things equal to nothing else are equal to each other.

Working...