Slashdot Mirror


True Tales of (Mostly) White Hat Hacking

snydeq writes "Stings, penetration pwns, spy games — it's all in a day's work along the thin gray line of IT security, writes Roger A. Grimes, introducing his five true tales of (mostly) white hat hacking. 'Three guys sitting in a room, hacking away, watching porn, and getting paid to do it — life was good,' Grimes writes of a gig probing for vulnerabilities in a set-top box for a large cable company hoping to prevent hackers from posting porn to the Disney Channel feed. Spamming porn spammers, Web beacon stings with the FBI, luring a spy to a honeypot — 'I can't say I'm proud of all the things I did, but the stories speak for themselves.'"


  1. posting porn to, say, the Disney channel by Joe_Dragon · · Score: 1

    Much worse has happened and it has been someone at the cable head end messing up.

    Like porn on the OTA channel showing the super bowl on cable systems or porn showing up on the EAS / public access channels.

  2. The Security of Many Eyes by VortexCortex · · Score: 4, Funny

    'Three guys sitting in a room, hacking away, watching porn, and getting paid to do it — life was good,'

    It's not gay if we don't make eye contact with each other... Why are you staring at m-- Ohh, my bad. Carry On!

    1. Re:The Security of Many Eyes by CheshireDragon · · Score: 1

      Bothered me when I read that too. One thing I never want to hear is, "You all got boners too?"
      I've never watched porn with other guys, nor has any one of my male friends asked if I wanted to watch some porn with them.
      I'm sorry, but watching porn is a private thing.

      --
      "That's right...I said it."
    2. Re:The Security of Many Eyes by Anonymous Coward · · Score: 1

      If you RTFA, you'll see that their employer specifically asked them to experiment with stealing porn from the porn channels as well as putting porn on family-oriented channels. This isn't a case of some guys at work wasting company time watching porn together, they were legitimately tasked with looking for exploits related to porn on the device.

    3. Re:The Security of Many Eyes by SuricouRaven · · Score: 1

      A chihuahua?

      Krystal I can understand. Everyone finds Krystal hot. But a chihuahua?

    4. Re:The Security of Many Eyes by CheshireDragon · · Score: 3, Interesting

      Yes, I did RTFA. I've done things like this before when I was doing industrial hacking back in the late 90s. I understand the joy they were getting from doing this job and succeeding. What is creepy is how he worded it.

      "Three guys sitting in a room, hacking away, watching porn, and getting paid to do it — life was good," Then he added "The only thing missing was the beer."

      I just see it different. Could also be the fact that when I worked with a team in those days, it was always remote with the others scattered across the country and it wasn't hacking cable companies, but routers. So, there was no TV.

      --
      "That's right...I said it."
    5. Re:The Security of Many Eyes by i.r.id10t · · Score: 1

      Buddy of mine would put on porn tapes of just snippets of action during parties - no lighting effects, no music, just 10 to 30 second clips of raw hard farking in various gender combinations. Then mute TV, play at 2x speed, and crank the stereo up. Seemed to work well.

      --
      Don't blame me, I voted for Kodos
  3. same Web server and setup was being used in millio by Joe_Dragon · · Score: 1

    i-Guide

    Now did that hack let you get FREE HBO and PPV movies or just local remap channels?

  4. And yet the cable co's claim no hackers hit your box by Joe_Dragon · · Score: 2

    Over the years there have been stories of people getting big pron PPV / VOD bills for shows they did not see. How likely was it that someone hacked the box so they were able to get free pron?

    http://consumerist.com/2008/06/21/listen-time-warner-the-60-year-old-english-teacher-didnt-order-1400-of-porn/

  5. "three guys" by Joining+Yet+Again · · Score: 1

    One of the sillier things that the culture of individualism has brought is heroism: the idea that one person or a very small group of people are supermen, able to challenge all perceived evil and win the day. But it's bullshit. There are only two ways to make a system secure: 1) Have everyone on your side; 2) Have no one use it. 2 is approached by an awful lot of firms: why release an exploit for system X, when you get 100x the exposure with an exploit on system Y? 1 is approached another way: many eyes. Three guys in a room aren't going to find shit, no matter how much porn they watch (well, unless it's *that* sort of porn). There will always be hundreds among the 7 billion odd people who will spot something you've missed. So, a security team comprising only three people is merely there for show, and the only reason you haven't been broken into is because you've approached close enough to 1 or 2.

    1. Re:"three guys" by sjames · · Score: 1

      Mostly the 3 guys find the stuff that every bad guy and his brother would find. There's still hundreds out there who could exploit some undetected flaw, but that's down from many many thousand. You can hope (but not be assured) that they'll be too busy having fun with someone else's security holes to get around to you.

    2. Re:"three guys" by Anonymous Coward · · Score: 3, Interesting

      Ah yes, another Slashtard screaming that if you can't solve every problem then you can't solve any problem. So black and white. So lunkheaded.

      For those of us that live in a world with shade, color and hue? We're a bit more progressing in our thinking. That's what makes us humans.

    3. Re:"three guys" by pr0fessor · · Score: 1

      One of the sillier things that the culture of individualism has brought is heroism: the idea that one person or a very small group of people are supermen

      Supermen are not required to secure a system and a few or one intelligent person can challenge the ideas of the day and keep moving us forward.

      Sure I could probably hand pick a group of a hundred people that couldn't set the clock on your microwave or I could find just one person that could build you a microwave and set the clock.

      After all we are individuals, I have no idea what you had for breakfast.

    4. Re:"three guys" by Em+Adespoton · · Score: 1

      I have no idea what you had for breakfast.

      The Superman comment might help us narrow that down :D

    5. Re:"three guys" by minstrelmike · · Score: 1

      Huh? You act like the 'culture of individualism' is something new, possibly American.
      Read Homer's Odyssey. Or most any polytheistic mythology and see what sorts of humans the gods deal with.
      It's all about heroes.

  6. Say what? by macbeth66 · · Score: 1

    'I can't say I'm proud of all the things I did, but the stories speak for themselves.'"

    Not proud? I assume that means that you were not proud of watching porn with three other guys. I don't even want to know what you did that might make you feel not proud.

    But good going with the techniques you used to catch the bad guys,

    Spamming porn spammers, Web beacon stings with the FBI, luring a spy to a honeypot

  7. The truth revealed writer's choice of words by FuzzNugget · · Score: 1

    ...watching porn...probing for vulnerabilities...

  8. Heh. This reminds me... by Chas · · Score: 5, Interesting

    ...of an idiot who was teaching people how to hack into certain types of setups in an open IRC channel of mine.
    And he was using his employer's servers to do it!

    Now this guy was, at the time, causing ALL sorts of grief for me and several of my colleagues. He kept trying to hack our message boards, hack our e-mails, break onsite computers, tried DDOS'ing us numerous times, was sniffing wifi traffic for all he was worth, etc. All while claiming he was "twice the hacker of all of us put together".

    Anyhow, I was basically logged into my channel 24x7. So I'd logged the whole thing. Including the part where the guy promised to "eventually" get around to cleaning up the hack job they'd used to get in.

    Well, he probably WOULD have.
    Had a copy of the complete IRC log, including the mention of live customer financial data being on that server, NOT found its way directly to the company's owner.

    The next time the guy came in, he was detained, his system was imaged for evidence, and he was let go.
    And it took him nearly 3 months before anyone got around to actually telling him who'd dropped the dime on him.

    And all without doing a single illegal thing.

    I later wound up helping the FBI give him a vacation at Club Fed.
    And it looks like he's going back to stay for a while.

    --
    Chas - The one, the only.
    THANK GOD!!!
    1. Re: Heh. This reminds me... by chromeronin · · Score: 3, Interesting

      Sometimes it is the simplest of things. A client of mine was experiencing random server "crashes". Investigate, and find every single one was a controlled shutdown initiated by the admin user account. I said they should change the admin account ASAP. They said they had tried but other systems where the previous admin had used the admin account would break, and they didn't have a list of what would be affected. I said, "And this is better than having someone randomly shutting down your operations, and potentially stealing anything they wanted, or leaving behind Trojans or back doors?" 10 minutes later the admin account was disabled, and we just started troubleshooting and changing other systems as they appeared broken. Then the next user account was found that started shutting stuff down. Any remote access to these systems? Well, the previous IT provider used to use TeamViewer........ Changed that account and the attacks stopped. Sometimes it really is just the simple things.

  9. how many idiots does it take to lock the door? by raymorris · · Score: 3, Interesting

    Nothing will ever be proven 100% secure because it's easier to break things than make them. However, typical software is akin to a car door that's not only unlocked, but swung wide open. 95% of developers have less than two weeks of security training, often less than 8 hours. They put approximately zero effort into security. It doesn't take a huge team of security experts to close the door and lock it.

    When I started my current job, it took me maybe 40 hours to reduce our attack surface by 90% because my predecessor either knew nothing about security, or just didn't care.

  10. one page version by tomlouie · · Score: 1

    Oh, for the love of %DEITY....

    Here's a link to the one page version of the story:

    http://www.infoworld.com/print/222831