Exploring Hacker Culture

CODE CRACKING: Pwn2own contestants at the CanSecWest Computer and Information Security Conference in Vancouver, British Columbia. (Garrett Gee http://garrettgee.com)
4/7/2009 (Updated: 10/1/2015)

VANCOUVER—Hackers. They’re wizards of electronic information. We often view them as nefarious individuals whose work has the potential to devastate millions. But did you know that some also work hard to protect you?

Kris Constable of PrivaSecTech, a Canadian computer privacy and security firm, spoke to The Epoch Times about the culture of computer and information security experts or “hackers.”

“One of the more popular terms is white hat or black hat. A white hat is someone who uses their computer security skills for good, and a black hat is someone who uses their security skills for malicious intent,” he explains.

Mistakes in software, internet browsers, operating systems and cell phones are called “bugs.” Once a bug is found, depending on who finds it, a program of malicious code, called an “exploit,” can be written to crack the program open and make it do something the owner didn’t intend. The severity of exploits varies, from those that cause total collapse to those that cause localized headaches. Some hackers write exploits, some write “patches” to defend against them, and others actually pull the trigger and put them into use.

Researchers at Tipping Point, a Texas-based computer security firm, believe that “in reality, the number of benevolent researchers with the expertise required to discover a software vulnerability is a sizeable, and fast growing group.”

However, Constable adds, “The line is not very clear because you have to understand how the bad guys operate which is from experience on the more nefarious side of things…you have to be one step ahead of them, if you will.” For this reason, information security experts themselves cover a wide, populated zone that’s neither black nor white.

“I hate the color metaphor because it’s all gray,” Dragos Ruiu told The Epoch Times at the computer and information security conference he hosts four times a year in Tokyo, Buenos Aires, London and Vancouver, one of the most significant of its kind. “All the information is dual purpose—it can be used for good and bad.  It just depends on the intent of the people and you can’t really tell by talking to someone whether they use this stuff for good or bad. Sure you can say someone is clearly … a bad guy doing bad things but sometimes even good people doing good things inadvertently do things that can be harmful.”

Zero Day, Exploits and Script Kiddies

Once an exploit has been written, the author has to decide what to do next. What he does with it says a lot about what kind of person he is. According to Constable, many with superior talent in computer security only want the recognition and satisfaction that comes with such poignant success.

After finding a backdoor into a system used by millions, some people hand this knowledge over to the company to fix without accepting any reward. In these cases, the feeling that they’re doing the right thing is reward enough. Power, in these cases, does not corrupt.

Others leverage their power for their own gain. An enterprising hacker can sell his (rarely her) knowledge of the bug back to the company for what’s essentially a ransom. This kind of deal must be struck before the company’s team discovers the flaw themselves and before the exploit is either put into use by the author or published on the Web on what’s called a “zero day.”

According to Constable, a zero day is when a malicious exploit is released to the hacker community before companies even have a warning that it’s coming. The exploit author himself rarely pulls the trigger on these disruptive programs. Individuals who actually do send out these programs are called “script kiddies.” They are usually kids without a clue out for a joy ride.

There is now another choice for those with enough skill.

Tipping Point, a computer security firm in Austin, Texas, began the Zero Day Initiative (ZDI) to “reward security researchers for responsibly disclosing vulnerabilities.” The company specializes in buying knowledge of software mistakes from individuals and then selling that knowledge back to the affected company. This business model allows the affected companies to keep a lid on crises while still appeasing the desire for reputation and monetary reward. Who says being responsible doesn’t pay?

At the recent CanSecWest Computer and Information Security Conference in Vancouver, British Columbia, the third-ever Pwn2Own contest sponsored by Tipping Point’s ZDI challenged security “researchers” to break into the most recent versions of Internet Explorer, Firefox, and Safari browsers, plus an iPhone, a BlackBerry, a Google Android and the Windows CE smartphone.

In a conference room at the Sheraton Wall Center in downtown Vancouver, otherwise average-looking guys quietly hunched over some otherwise normal-looking electronic devices, bending and unraveling the communication systems we rely on every day.

The reward for breaking and entering into these state-of-the-art systems? It’s $5,000 to $10,000, in addition to owning the hacked device. And it doesn’t take these individuals long to meet their objective. In 2008, one man cracked the MacBook Air in under 2 minutes.

The Pwn2Own prize money sounds pretty enticing, but Constable says that $10,000 is actually a small carrot, like many of the ZDI’s dealings. So why would hackers choose this route to cash in on their talents?

“Realistically, the black market, the underground market, is way more than what ZDI offers. ZDI is only giving you a fraction of what they’re getting but they’re saving you the time and hassle of negotiating with those companies,” he says.