
Tag: hacking

Perils of the Connected Farm

Note from the editor: My friend Greg Shuflin posted the following story on Facebook. I asked if I could redistribute it here, and he said yes.


It was a pretty crazy day on the farm — the farm of the neocyberpunk 2040s that is, where cybernetically modified agrohackers wielded vast armies of AI-controlled smart tractors and fertilizer drones to eke their genejacked grain out of the dry soil of the post-Ogallala hellscape that was once a polity called “Kansas”.

Old Farmer Mauricio had programmed his cyberbrain to start nanofabbing caffeine molecules at 6am, and ever since then he’d been dealing with shit — some web bandits had exploited a quantum memory zero-day and broken into half of his private cloud’s namespace. Probably some fucking thirty-something LOMPs [low-marginal-product-of-labor proles on basic income] with nothing better to do than fuck with people, Mauricio thought to himself darkly.

Before the sun was finished rising, Mauricio had patched the vuln, killed as many of the malware AIs as he could find on his network, and had started to restore the water-recycler control AI from backup. He grabbed a quick breakfast of rice porridge and a Chinese doughnut, then woke up his lazy teenage nephew Chuck, who was staying with him during the growing season.

“Time to get up, Chucko,” he said, as the sleepy teen fumbled for his ocular implant on the pile of dirty laundry near his bed. “We’ve been hacked. I really need your help today.”

Chuck quickly brushed his teeth, threw on some work clothes, and went to the hovertractor in order to go do a hard reset on the network node out in field #3. But as he pulled the tractor out of the garage, he found that his way forward was blocked.

All of the AI-controlled wheel hoes that his uncle owned were spinning in circles and brandishing their spikes, in the most menacing fashion that their hardware allowed. Of course, the damn wheel hoes were behind the same firewall as everything else! So they had been infected and turned by the LOMPs’ fuckery too.

Mauricio let his nephew set out, with a word of warning: “Watch yourself, kid. These hoes ain’t loyal.”


You may be wondering, “Was that whole story really just build-up for a pun based on a Chris Brown song?” The answer is that yes, yes it was. Watch out for the LOMPs at work today, y’all.


Header photo by Michele Walfred.

Wanted: Rigorous Intuition

A significant part of San Francisco’s public transit system was hit by a cyberattack this weekend. It looks like ransomware, but the hackers haven’t actually asked for anything yet. SFMTA is currently just giving everybody free rides. Their email system was also impacted. Employees aren’t sure if payroll will go through properly.

lol who knows ¯\_(ツ)_/¯

I saw two different people tweet that this virtual hijacking is a sign: we live in a dystopian sci-fi novel after all! (What else is new…) Immediately, I thought of the essay that I linked in response to the election, “On Trying Not To Be Wrong”:

Like many people, I’ve thought 2016 was a surreal year; the Cubs won the World Series, the Secretary of State went on television to warn people about white-supremacist memes, Elon Musk has landed rockets on ocean platforms and started an organization to develop Friendly AI. Surreal, right?

No.

It’s real, not surreal. If reality looks weird, this means our stories about it are wrong. […] And being totally wrong about how the world works is a threat to survival.

Sarah Constantin is right. Reality marched on without those of us who misjudged it. Ironically, since I was so thoroughly deceived by 2016, “The Cyberpunk Sensibility” feels pretty damn correct right now. All those ’80s authors who pioneered computer-noir were more prescient than they probably realized.

Philip K. Dick reality quote. Image via ▓▒░ TORLEY ░▒▓. Quote purportedly from I Hope I Shall Arrive Soon.


Venkatesh Rao wrote about engaging with uncomfortable realities in a particularly good episode of Breaking Smart:

23/ This means accepting that your mind will need to go into both distressing and flow regimes as required by the situation, and accepting whatever emotions result.

24/ Perhaps the most important emotion to manage is that of feeling powerless. This causes acute distress and strong retreat-to-prowess urges.

25/ But you’re rarely entirely powerless. You can usually cobble together some meaningful, if clumsy, response to a situation with the skills you have.

26/ On the frontier, where there are no experts, and everybody is a beginner, this is often the only possible response. Unexplored nature is the ultimate asymmetrically superior adversary.

[…]

49/ The world is full of people and groups terrified of wandering beyond situations they are confident about handling. Those who make overcoming that terror a habit have an advantage.

50/ When a group of such people, with better-than-the-rest levels of emotional self-regulation, band together, they can form an unstoppable force. That’s what it takes for groups and organizations to break smart.

We can do it. Well, some of us. Which of us remains to be seen. Honestly, I am frightened that I may not be able to manage this.

You Wouldn’t Steal an Algorithm!

Andy Greenberg reported that comp-sci researchers have figured out how to crack the code (pun very intended) of machine learning algorithms. I don’t usually get excited about tech on its own, but this is very cool:

“In a paper they released earlier this month titled ‘Stealing Machine Learning Models via Prediction APIs,’ a team of computer scientists at Cornell Tech, the Swiss institute EPFL in Lausanne, and the University of North Carolina detail how they were able to reverse engineer machine learning-trained AIs based only on sending them queries and analyzing the responses. By training their own AI with the target AI’s output, they found they could produce software that was able to predict with near-100% accuracy the responses of the AI they’d cloned, sometimes after a few thousand or even just hundreds of queries.”

There are some caveats to add, mainly that more complex algorithms with more opaque results would be harder to duplicate via this technique.

The approach is genius. Maciej Ceglowski pithily summarized machine learning like this in a recent talk: “You train a computer on lots of data, and it learns to recognize structure.” Algorithms can be really damn good at pattern-matching. This reverse-engineering process just leverages that in the opposite direction.
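The query-and-analyze idea from the quoted passage, and the caveat that more opaque results are harder to duplicate, shown on a toy model as an added example (not code from the paper or from this post). The logistic-regression "victim", its weights and every function name are constructed for the illustration; the point for an API owner is how much the precision of the returned confidence score changes what a client can recover.

```python
import math

# Constructed "victim": a logistic regression whose parameters the API
# client is not supposed to know. Values are made up for this demo.
SECRET_W = [1.5, -2.0, 0.75]
SECRET_B = 0.3


def victim_api(x, decimals=None):
    """Prediction API: returns P(y=1 | x), optionally rounded.

    decimals=None models an API that hands back full-precision confidence
    scores; decimals=1 or 0 models a hardened API with coarser output.
    """
    z = sum(w * xi for w, xi in zip(SECRET_W, x)) + SECRET_B
    p = 1.0 / (1.0 + math.exp(-z))
    return p if decimals is None else round(p, decimals)


def logit(p):
    """Inverse of the sigmoid; clamped because rounding can yield 0 or 1."""
    p = min(max(p, 1e-9), 1 - 1e-9)
    return math.log(p / (1 - p))


def extract(decimals=None):
    """Estimate (w, b) from d+1 responses.

    logit(P(x)) = w.x + b, so the all-zero input reveals b and each unit
    vector e_i reveals w_i + b. With exact scores this is exact.
    """
    d = len(SECRET_W)
    b = logit(victim_api([0.0] * d, decimals))
    w = []
    for i in range(d):
        e_i = [1.0 if j == i else 0.0 for j in range(d)]
        w.append(logit(victim_api(e_i, decimals)) - b)
    return w, b


def max_param_error(decimals=None):
    """Largest absolute gap between a recovered and a true parameter."""
    w, b = extract(decimals)
    gaps = [abs(a - s) for a, s in zip(w, SECRET_W)]
    gaps.append(abs(b - SECRET_B))
    return max(gaps)


if __name__ == "__main__":
    for decimals in (None, 1, 0):
        label = "full precision" if decimals is None else f"{decimals} decimals"
        print(f"{label:>15}: max parameter error = {max_param_error(decimals):.6f}")
```

Four responses are enough to reproduce this model when scores come back at full precision; rounding the score to one decimal already leaves the client with a visibly wrong copy, and a hard 0/1 label leaves almost nothing to invert from so few queries.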

I’m excited to see this play out in the news over the next few years, as the reverse-engineering capabilities get more sophisticated. Will there be lawsuits? (I hope there are lawsuits.) Will there be mudslinging on Twitter? (Always.)

There are also journalistic possibilities, for exposing the inner workings of the algorithms that increasingly determine the shape of our lives. Should be fun!


Header photo by Erik Charlton.

Unsolved Appearance of a Virus

Photo by Steve Jurvetson.


In the beginning there was the Word, and the Word was mainly “database”. Okay, fine, “backup” came into play quite soon, but “database” was key from the start.

After the beginning, there were a lot of other words, but you wouldn’t understand them. Those words were transmitted to the computer in a language that you’re not familiar with, at least not yet. The meaning was understandable to the machine even though most of its administrators had forgotten its subtleties. They didn’t care, since the behemoth did what it was supposed to.

The admin team — five engineers and ten remote devs who supported them — was bound together by stress. Crunch time and emergency restorations smoothed over their differences (while simultaneously magnifying other differences). When you maintain a computer the size of a house, the project consumes all of you. Really, the computer was a house. All the onsite engineers lived there, in the bowels of the machine. Its metal and silicon body occupied the tall column of emptiness that had been retrofitted into the building’s structure.

Sam used to enjoy repeating that cliche: “The bowels of the machine!” It was a joke until he committed suicide. His corpse became part of the computer’s intestinal ecosystem. (No, no, management ordered that it be removed.)

The machine was not sentient. No one ever thought that — Silicon Valley had given up on true artificial intelligence decades ago. Rather, the provocation uploaded through Sam’s brainlink was sabotage. Someone had been monkeying around with the firmware, and then the layer on top of that, and then even the UI. It was silly to mess with the interface — who cared about that part, right? This was an enterprise API endeavor, not a goddam web app.

Of course there were UI designers, and they were pissed off, but they didn’t live with the machine and their concerns were not particularly compelling. Frank and his underlings complained intermittently about clients’ reactions to broken buttons and such, but none of the database folks worried. Frontend could sort it out. (And they did, though it was no small effort.)

The database team did worry about what had happened to Sam. In the kitchen, making tea, Flora said to Gene and Melanie, “The malware had to come from the inside, right? One of us. It could be you two! I don’t fucking know!” She was holding a mug of tea and biting her lip and staring at her fingers as they clenched around the ceramic handle. Flora had done the original forensic trace of Sam’s last actions and cried furiously when she couldn’t find enough information to explain anything.

Of course, despite Flora’s outburst, the culprit was not Gene or Melanie. And it wasn’t the computer either — as I said, this machine wasn’t sentient.


Followup dispatch here: “Whence Came the Intruder?”

Slow Down & Don’t Confiscate My Graphical User Interface

Exploratory bot. Photo by Takuya Oikawa.


Here’s a fun headline from The Register: “‘Devastating’ bug pops secure doors at airports, hospitals”. I’m sure we’ve all read similar reports before! Enjoy this snippet of the story, for flavor…

“Criminals could waltz into secure zones in airports and government facilities by hacking and jamming open doors from remote computers over the Internet, DVLabs researcher Ricky Lawshae says. […] Lawshae says the attacks, which can open every door in a building, are possible because of a command injection vulnerability in a LED blinking lights service.”

Wait, what? Why is an “LED blinking lights service” hackable? Allow me to note, very unoriginally, that the Internet of Things is dumb. Not every tool or appliance needs to have wifi access jammed into its design specs. The much-mocked “smart juice” startup is the pinnacle of this awful trend.

can u not chloe

I have similar feelings about the bot services craze. People seem to be jumping on this technology without stopping to ponder how it might turn out. When your next venture capital round depends on glossing over potential problems, it’s easy to assume that the impact of your harebrained scheme will be beneficial.

“Conversational commerce” isn’t quite as problematic as the Internet of Things, because it doesn’t pose a security threat (at least not off the top of my head). But people are still building things without considering whether their chosen medium fits the stated purpose of the tool. The last thing I want from an app is a replica of the phone call, this time rendered in text.

I demand clickable buttons! Give me a GUI or give me death! On the other hand, maybe I’m a dirty Luddite. Perhaps I should resign myself to relearning how to interact with computers every couple of years. I’m not against experimentation — what futurist could be? — but my mood is decidedly curmudgeonly tonight. Also, fuck Snapchat.

Hacking as a Business: Interview with Sean Roesner

Sean Roesner describes himself on Twitter as a “web application penetration tester.” I asked him a bunch of questions about what that entails. Sean answered in great depth, so I redacted my boring questions, lightly edited Sean’s answers, and made it into an essay. Take a tour through the 2000s-era internet as well as a crash course in how an independent hacker makes money. Without any further ado, Sean Roesner…


Origin Story

I got into my line of work when I was thirteen, playing the game StarCraft. I saw people cheating to get to the top and I wanted to know how they did it. At first I wasn’t that interested in programming, purely because I didn’t understand it. I moved my gaming to Xbox (the original!) shortly thereafter and was a massive fan of Halo 2. Again, I saw people cheating (modding, standbying, level boosting) and instantly thought, “I want to do this!” I learned how people were making mods and took my Xbox apart to start mucking with things.

I moved away from Xbox and back to the computer (I can never multitask). Bebo was just popping up. With an intro to coding already, I saw that you could send people “luv”. Based on my mentality from the last two games I played… I wanted the most luv and to be rank #1. I joined a forum called “AciidForums” and went by the names “DCH SlayeR” and “SlayeR”. Suddenly I was surrounded by people who shared my interests. I started to code bots for Bebo to send myself luv. My coding got a lot better and so did my thinking path. I’d come home from school and instantly go on my computer — it was a whole new world to me. I still have old screenshots of myself with seventy-six million luv.

76,000,000 luv.

Bebo screenshot from back in the day — check out the luv stats.

As my coding came along I met a lot of different types of people. Some couldn’t code but had ideas for bots; some couldn’t code but knew how to break code. We all shared information and formed a team. Suddenly I became the main coder and my friends would tell me about exploits they found. We got noticed. I’m not sure how, or why, but I seem to always get in with the right people. Perhaps it’s the way I talk or act — who knows. I made friends with a couple of Bebo employees, “Andy Cutright” and “Brian” (never did know his last name). They were interested in how I was doing what I was doing.

This was my introduction to hacking and exploiting. I moved on from Bebo after coming to an agreement with the company that I’d leave them alone. Sadly my friends and I all lost contact, and it was time to move on.

Next came Facebook. At this point I already knew how to code and exploit. I instantly found exploits on Facebook and started again, getting up to mischief. Along the way I met James Jeffery and we became best friends because we shared the same ideas and interests. Two years passed and again, my mischief went a bit far, so I got in trouble with Facebook. We resolved the issue and I vowed to never touch Facebook again.

I guess three times lucky, hey? I moved my exploiting to porn sites. After a year I was finally forced to make peace with the porn site I was targeting. I was getting fed up with always having to stop… but I was also getting annoyed at how easy it was to exploit. I needed a challenge.

I took a year off from exploiting to focus on improving my coding skills. I worked for a few people and also on some of my own personal projects, but it got repetitive and I needed a change. At this point, I was actually arrested by the eCrime Unit for apparently being “in^sane” from TeaMp0isoN. The charges were dropped since I was innocent. My former friend James Jeffery was in prison for hacking (a quick Google search will yield you results) so I was feeling quite lonely and not sure what to do. I’ll be honest, he had become like a brother to me.

I kept on coding for a bit, feeling too scared to even look for exploits after what happened to James Jeffery. (A few years have passed since then — James is out and he’s learned his lesson.) I knew that hacking was illegal and bad. I’d just like to note that I’ve never once maliciously hacked a site or stolen data, in case you think I was a super blackhat hacker, but the James incident also scared me. Especially since I got arrested too.

Because of this and through other life changes, I knew I wanted to help people. I took my exploiting skills and started looking. I found some exploits instantly and started reporting them to companies to let them know, and to also help fix them. 99% of the companies replied and were extremely thankful. Some even sent me T-shirts, etc.

I started targeting a few sites (I can’t name which because we have NDAs now; I’m still actively helping many). By using my words right, I managed to get in with a few people. I started reporting vulnerabilities and helping many companies. Months passed and one company showed a lot of interest in what I was doing. I got invited to fly over to meet them. I knew something was going right at this point, so I knuckled down and put all of my focus on finding vulnerabilities and reporting them to this company. Things were going great and I soon overloaded their team with more than they could handle. I started looking further afield at more sites, and suddenly I was introduced to HackerOne. I saw that LOADS of sites had bounties and paid for vulnerabilities. I instantly knew that this was where I wanted to stay. To this day I am still active on HackerOne, but normally I run in private programs now (better payouts).

Fast forward through a year of exploiting and helping companies and now we’re here. I’ve been a nerd for ten years. Eight years coding, and around seven years exploiting.

Business Practices

For companies that don’t have a bug bounty, I tend to spend thirty minutes to an hour finding simple bugs such as XSS (cross-site scripting) or CSRF (cross-site request forgery). I’ll try to find a contact email and send them a nice detailed email about what I’ve found and what the impact is. I also supply them with information about how they can fix it. I never ask for money or anything over the first few emails — I tend to get their attention first, get them to acknowledge what I’ve found, and get them to agree that I can look for more. At that point I’ll ask if they offer any type of reward for helping them. The majority reply that they are up for rewarding me, due to the amount of help I’ve given them.

After I’ve helped the company for a while and they’ve rewarded me, etc, I usually suggest that they join HackerOne for a much cleaner process of reporting bugs and rewarding me (it also helps my rep on HackerOne). So far two have joined and one started their own private bounty system.

To sum it up, I’ll start off with basic bugs to get their attention, then once I’ve gotten the green light to dig deeper, I’ll go and find the bigger bugs. This helps me not waste my time on companies who don’t care about security. (Trust me, I’ve reported bugs and gotten no reply, or a very rude response!) I like to build a good relationship with companies before putting a lot of hours into looking for bugs. A good relationship with companies is a win-win situation for everyone — they get told about vulnerabilities on their site, and I get rewarded. Perfect.

In case you wanted to know, I’ve helped around ten companies who didn’t have a bug bounty. Nine of them have rewarded me (with either money, swag, or recognition on their website). Only one has told me they don’t offer any type of reward, but welcomed me to look for bugs to help them (pfft, who works for free?). Out of the nine who rewarded me, I’ve built a VERY close relationship with three of them. (Met with one company in January, and meeting with another in June.)

There are two types of companies. Those who simply can’t afford to reward researchers and those who think, “Well, no one has hacked us yet, so why bother paying someone to find bugs?” AutoTrader is probably the worst company I’ve dealt with after reporting a few critical bugs. They rarely reply to bugs, let alone fix them. It took an email letting them know that I was disclosing one bug to the public, to warn users that their information on AutoTrader was at risk. After that they finally replied and fixed it.

100% of companies should change their perspectives. Again I’ll use AutoTrader as an example. I only really look at their site when I’m bored (which is rarely) and I’ve uncovered a ton of vulns. I wonder what I could find if I spent a week looking for bugs (and if they rewarded me). Companies need to stop thinking, “No one has hacked us yet, so we’re good.”

If a company can’t afford to pay researchers to find bugs, then they should reconsider their business. Hacking is on the rise and it’s not going anywhere anytime soon (if ever). If you honestly can’t afford it, though, then my suggestion (if I was the CEO of a company that couldn’t afford security) would be to run a hackathon within the company. Let the devs go look for bugs and run a competition in-house. Your devs not only learn about writing secure code, but it’s fun too!


Many thanks to Sean Roesner for writing great answers to my questions. Follow him on Twitter and hire him to hack your website 🙂

This post has been edited on 11/17/2016 to reflect that Roesner and James Jeffery are no longer friends.

Excrement Online: The Perilous Connected Home

Mike Dank (Famicoman) wrote an article for Node about the Internet of Things. Here are a few interesting tidbits:

“We have these devices that we never consider to be a potential threat to us, but they are just as vulnerable as any other entity on the web. […] Can you imagine a drone flying around, delivering malware to other drones? Maybe the future of botnets is an actual network of infected flying robots. […] Is it only a matter of time before we see modifications and hacks that can cause these machines to feel? Will our computers hallucinate and spout junk? Maybe my coffee maker will only brew half a pot before it decides to no longer be subservient in my morning ritual.”

I think we’re a long way from coffeemakers with emergent minds, and my guess is that machine intelligence will be induced before it starts appearing randomly. But I like the idea of a mischievous hacker giving “life” to someone’s household appliances. Of course, connected devices can wreak havoc unintentionally, like when people’s Nest thermostats glitched (the incident written up in The New York Times wasn’t the only one). The clever Twitter account Internet of Shit provides a helpful stream of additional examples.

Artwork by Tumitu Design.


I’m not worried about someone cracking my doorknob’s software or meddling with my refrigerator settings, because I’m insignificant and there’s no reason why a hacker would target me. (Not saying that it couldn’t happen, just that it’s not likely enough to fret about. Especially since I don’t actually have any connected thingamajigs… yet.) Most regular folks are like me. However, I think keeping the Internet of Things secure is crucial, for a couple of reasons:

  1. Physical safety is absolutely key. Data-based privacy invasions can jeopardize your employment, but they’re unlikely to outright kill you or your family. Someone who is immunocompromised or frail (think people who are very sick, very old, or very young) can be seriously harmed by unexpected low temperatures or spoiled meat from a faulty fridge.
  2. In order to feel safe, people need to be able to reliably control their environment. When we go out into the world, events are unpredictable and we can’t be at ease. Home is supposed to be the opposite — it’s your own domain, and you feel comfortable because everything is how you like it. I know that I’d feel uneasy if the Roomba suddenly barged into my bedroom and tried to eat my feet.

© 2017 Exolymph. All rights reserved.
