Question:  Regarding the vulnerabilities, I have had the same concerns that you have mentioned with Open Source applications. Do you believe with Open Source projects with code available to anyone, that having more programmers with access to the code to quickly identify vulnerabilities and correct them outweighs the potential for hackers realizing a vulnerability? I don’t have first hand experience, but from previous classes we learned that programers are normally on a time crunch with approaching deadlines, and therefore neglect security and take shortcuts in the applications design. I also read that the programers will often will change companies, leaving another programer in place to fix the identified vulnerabilities and code errors, often times, with no notes from the out-going programer to help in the process. 

 

Response:  I think the Open Source conversation cuts both ways.  With source code readily available, vulnerabilities can be identified quicker and either exploited or patched.  There is also a tangential effect of the Open Source movement where tools are being built in the ecosystem which helps us to detect threats and close vulnerabilities, tools like Snort.  Software development cycles are moving at a much faster pace today than they were ten years ago, rigid release cycles have given way to CI/CD (Continuous Integration / Continuous Delivery) and Blue-Green Deployments.  It’s said that 111 billion new lines are code will be put into production in 2017, that is a lot of code and a massive new attack surface, which will likely be targeted using vectors not previously used.  It’s unrealistic to think that all this code will be vulnerability-free, the question in my mind is always focused on progress, if we live in fear, if we slow release cycles, do we reduce risk and at what cost?  I think the Open Source community is critical to the overall ecosystem, yes there are vulnerabilities, for example, Shellshock which impacted a large number of UNIX and Linux based systems using bash and while we might think that tighter controls and release cycles might have avoided this, it’s unlikely.  With all that said I believe the Open Source pros far outweigh the cons.  When we look around at where we are today most of the progress would not have been possible without the Open Source movement.

 

Question:  So I would like your opinion on a thought process. Which came first, the chicken or the egg? He is what I mean, Lets look at hospitals being held by ransomware. Did this come about from tv shows portraying it then some hacker saying I can do that. Or did it start from a hacker and tv saying what a great idea? Look at how many ideas can from TV and movies and because of fantasy became reality (cell phones, tablets, etc). I’m still new in the IT world, but I don’t ever remember hearing about ransomware attacks on hospitals until after I saw about 3 tv shows with it. Of course I have seen the same trend, not just in hospital ransomware attacks, but other kind of terrorist attacks around the world. So your opinion, are we making hackers famous, or are we giving them ideas? Of course this post is open for anyone to throw their ideas out here on it.

 

Response:  Scott, my general thought is that art imitates life, life does not imitate art so I believe that TV series like Mr. Robot and others are merely just replaying events which have already taken place in a context that can be easily understood by the masses (Law and Order for the cyber enthusiast).  TV dramatizes the stereotype of a hacker because the truth is probably a little dry for mass consumption but I don’t think TV is providing hackers with any new ideas and most hackers prefer anonymity to fame.  The hacktivist group Anonymous (portrayed as fsociety on Mr. Robot) represents a cyber activist group interested in taking credit (anonymously hopefully) for their activities but the number of hacks they take credit for pale in comparison to the hacks that go undetected or undisclosed.

Interesting fact:  100% of ransomware attacks like (CrytoLockerWannaCry, etc…) decrypt the data once the victim pays the ransom.  These are hacks for economic gain.  If there was a report that the ransom was paid but the data was not decrypted then no one would pay the ransom so ironically the idea of ransomware really hinges on the idea that you will get your data back if pay the ransom.  Couple this with the idea that most organizations don’t want to disclose that they were exploited and you have the perfect storm for a booming business.

The first documented ransomware virus was identified in 1989 and was called the AIDS Trojan.
This week I simulated something similar my presentation as an example of a high-tech method of hacking using a device called a USB Rubber Ducky (video:  https://www.youtube.com/watch?v=bOBgquwpvTc).

As for new ideas discovered on TV, let’s explore this for a minute, maybe using the Star Trek Communicator as a good example.  HAM radio started being used in the 1890s and Star Teck debuted in 1966.  My point is that good Hollywood is rooted in reality, even good science fiction is rooted in the ability to visualize what could be based on what is.  With that said I would be willing to agree that Hollywood probably played a significant role in in design and adoption rates, not sure if this or will continue to be the case in the future though.  The Motorola StarTAC and the Star Trek Communicator look pretty similar, coincidence, I think not.  Hollywood clearly played a role in the design choices and adoption rate of the StarTAC but these are consumer goods and the tech was the tech.

There is a sub-culture out there and when you’re not living it is all seems new and shiny.  John Draper (aka Cap’n Crunch) hacked the pay phones with a toy whistle from a box of Cap’n Crunch cereal box in the 1960s, yet phreaking (the idea not the name) wasn’t really done by Hollywood until 1983 in the movie War Games.  The whistle emitted a 2600 MHz tone that allowed free phone calls to be made from pay phones, though the 70s and 80s phreaking persisted as a vibrant sub-culture where hackers, mostly enthusiast tinkerers but some malicious looked at the ever-expanding telephony system as a gauntlet laid down before them. Sound familiar. 🙂

I am an avid reader of 2600 magazine; if you are interested in the hacker sub-culture I recommend it.
If you just want to read some of the best stories they 2600 had published a couple of books which I recommend:
– The Best of 2600: A Hacker Odyssey
– Dear Hacker: Letters to the Editor of 2600