Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Security

True Tales of (Mostly) White Hat Hacking 35

Posted by samzenpus from the playing-for-the-right-team dept.
snydeq writes "Stings, penetration pwns, spy games — it's all in a day's work along the thin gray line of IT security, writes Roger A. Grimes, introducing his five true tales of (mostly) white hat hacking. 'Three guys sitting in a room, hacking away, watching porn, and getting paid to do it — life was good,' Grimes writes of a gig probing for vulnerabilities in a set-top box for a large cable company hoping to prevent hackers from posting porn to the Disney Channel feed. Spamming porn spammers, Web beacon stings with the FBI, luring a spy to a honeypot — 'I can't say I'm proud of all the things I did, but the stories speak for themselves.'"
This discussion has been archived. No new comments can be posted.

True Tales of (Mostly) White Hat Hacking More

True Tales of (Mostly) White Hat Hacking

Comments Filter:

  • Re:"three guys" (Score:3, Interesting)

    by Anonymous Coward on Monday July 22, 2013 @05:06PM (#44355049)
    Ah yes, another Slashtard screaming that if you can't solve every problem then you can't solve any problem. So black and white. So lunkheaded.

    For those of us that live in a world with shade, color and hue? We're a bit more progressing in our thinking. That's what makes us humans.

  • Heh. This reminds me... (Score:5, Interesting)

    by Chas ( 5144 ) on Monday July 22, 2013 @05:15PM (#44355143) Homepage Journal

    ...of an idiot who was teaching people how to hack into certain types of setups in an open IRC channel of mine.
    And he was using his employer's servers to do it!

    Now this guy was, at the time, causing ALL sorts of grief for me and several of my colleagues. He kept trying to hack our message boards, hack our e-mails, break onsite computers, tried DDOS'ing us numerous times, was sniffing wifi traffic for all he was worth, etc. All while claiming he was "twice the hacker of all of us put together".

    Anyhow, I was basically logged into my channel 24x7. So I'd logged the whole thing. Including the part where the guy promised to "eventually" get around to cleaning up the hack job they'd used to get in.

    Well, he probably WOULD have.
    Had a copy of the complete IRC log, including the mention of live customer financial data being on that server, NOT found its way directly to the company's owner.

    The next time the guy came in, he was detained, his system was imaged for evidence, and he was let go.
    And it took him nearly 3 months before anyone got around to actually telling him who'd dropped the dime on him.

    And all without doing a single illegal thing.

    I later wound up helping the FBI give him a vacation at Club Fed.
    And it looks like he's going back to stay for a while. [wikipedia.org]

  • Re:The Security of Many Eyes (Score:4, Interesting)

    by CheshireDragon ( 1183095 ) on Monday July 22, 2013 @06:58PM (#44356107) Homepage
    Yes, I did RTFA. I've done things like this before when I was doing industrial hacking back in the late 90s. I understand the joy they were getting from doing this job and succeeding. What is creepy is how he worded it.

    "Three guys sitting in a room, hacking away, watching porn, and getting paid to do it — life was good," Then he added "The only thing missing was the beer."

    I just see it different. Could also be the fact that when I worked with a team in those days, it was always remote with the others scattered across the country and it wasn't hacking cable companies, but routers. So, there was no TV.

  • how many idiots does it take to lock the door? (Score:4, Interesting)

    by raymorris ( 2726007 ) on Monday July 22, 2013 @08:35PM (#44356871) Journal
    Nothing will ever be proven 100% secure because it's easier to break things than make them. However, typical software is akin to a car door that's not only unlocked, but swung wide open. 95% of developers have less than two weeks of security training, often less than 8 hours. They put approximately zero effort into security. It doesn't take a huge team of security experts to close the door and lock it.

    When I started my current job, it took me maybe 40 hours to reduce our attack surface by 90% because my predecessor either knew nothing about security, or just didn't care.

  • Re: Heh. This reminds me... (Score:3, Interesting)

    by chromeronin ( 914748 ) on Monday July 22, 2013 @09:10PM (#44357111)
    Sometimes it is the simplest of things, a client of mine was experiencing random server "crashes". Investigate, and find every single one was a controlled shutdown initiated by the admin user account. I said they should change the admin account ASAP. They said they had tried but other systems where the previous admin had used the admin account would break, and they didn't have a list. To what would be affected. I said and this is better than having someone randomly shutting down your operations, and potentially stealing anything they wanted, or leaving behind Trojans or back doors? 10 minutes later the admin account was disabled, and we just started trouble shifting and changing other system as they appeared broken, then the next user account was was found that started shutting stuff down. Any remote access to these systems? Well the previous IT providor used to use team viewer........ Changed that account and the attacks stopped. Sometimes it really is just the simple things.

Slashdot Top Deals

Get hold of portable property. -- Charles Dickens, "Great Expectations"

Close