Are you telling me that if I had found this exploit first, I could just have decided to read the NSA’s files, Obama’s email, stolen blueprints and conducted insider trading without any further work?
The NSA’s files probably aren’t hooked up to the Internet. They might not use Windows, either.
This Windows bug could have made you millions if you’d known about it earlier. Insider trading would have worked if you get someone into the right networks. Blueprint could be stolen. Obama’s email: that depends on whether any computers that have access to it are Windows and on a network, probably not, but you could with a few more zero days. The really expensive hacks “burn” multiple zero days.
Put it this way: if you knew everything in the public domain today about computers and went back 5 years, you pwn >99% of computers out there, and I fully expect the same to be true in 5 years. For starters, you can impersonate any website by using an md5 collision attack. (This was fixed in 2008, so more than 5 years, but you get the point.)
I understand that websites are vulnerable—after all, they are public and have to interact with users. But what about a computer sitting in a basement, not publicising its IP address and just interacting with the blockchain?
Have I convinced you to change careers yet?
Contrary to your assumptions, I am not a bitcoin miner, just an interested layperson. Even if I was, I would simply move my coins into cold storage at regular intervals, and assume that the hackers know they can make more money insider trading and carding then going after a security-conscious bitcoin miner. And if I lost one hot wallet, its not the end of the world.
You have made me worry more about AI and BCI however, imagining a ‘Ghost in the shell’ future where people can hack into each other’s brains.
Incidentally, are you a computer security professional of any form?
Every computer getting info from the blockchain publicises its IP address. But you can use proxies which make it harder, or a pool which has its own servers. But pools have websites, and they make up the majority of mined coins, so there’s an attack vector.
I see I wasn’t clear again; my “Have I convinced you to change careers yet” was asking if you were planning to become a hacker (or the cleaner version, “security researcher” or “bounty hunter”).
You have made me worry more about AI and BCI however, imagining a ‘Ghost in the shell’ future where people can hack into each other’s brains.
I’ve done my good deed for the day, then.
Incidentally, are you a computer security professional of any form?
No, at least not formally. I have gotten paid for fixing people’s computers as a hobby. (I recently got the code for someone’s ransomware encrypted computer without having to pay by exploiting the attackers’ bitcoin setup. Not as cool as it sounds, they basically used the same address for multiple infections, which was a hole.) I’ve done a little freelance work in web design and SEO.
I read a lot of Hacker News stuff and elsewhere, use Linux for my own computer (plus Whonix for really sensitive things), but I’m not “officially there”. I do want to be someday.
Since there are a small number of mining pools there are presumable only a small number of avenues of attack which must be secured, which helps.
I see I wasn’t clear again; my “Have I convinced you to change careers yet” was asking if you were planning to become a hacker (or the cleaner version, “security researcher” or “bounty hunter”).
Well, I have hacked into an email account to prove it could be done (with consent), but in general I have no knowledge of any hacking anywhere near as advanced as finding zero-day exploits. Even disregarding interesting moral questions such as “is it ok to steal money if you give half of it to effective altruism?”, I think there are probably easier & safer legal ways to make large amounts of money.
Isn’t Hacker News mostly about startups are random stuff, not hacking in the sense of breaking into computers?
I use Linux too, plus I try to run anything which might be hostile within a virtual machine. Whonix looks interesting. Dare I ask what sort of really sensitive things you get up to, or would that be completely missing the point?
Here’s the kinds of things having to do with actual hacking I find on Hacker News (just going through my browser history now, so it may not catch everything; anything I didn’t see the comments on is missed):
That should give you an idea of the kinds of stuff I read. There are a lot of posts on HN detailing exactly how someone broke down a system. Not all of these are “breaking into computers”, but a lot are very similar.
Isn’t Hacker News mostly about startups [...] not hacking in the sense of breaking into computers?
Yes. And about “hacking” in the older sense of (very crudely) “doing clever things with computers” and the even older sense of (very crudely) “doing clever things”.
Right, so you go in, pwn a box—oh, look! a whole bunch of juicy info, let me grab it...
And a… slightly alternative view: “What a n00b, blundered into our network, triggered all the IDS systems and is now glued to the honeypot downloading the stuff we prepared for him… Think he’s ripe for swatting?”
If this is serious, then I’d point out that most of these exploits weren’t known by anyone 5 years ago, so they couldn’t have been on the lookout for them.
If someone’s network was still open after these exploits have been revealed, then they are likely be a honeypot, but the chances of (X is a honeypot: X is vulnerable to this exploit that no one will know about for years) is pretty much the chances of any random computer being a honeypot.
Personally, I think if the NSA had known about Heartbleed as soon as it was introduced (around 2 years before it was fixed), it would have been fixed sooner. Maybe you milk all the data you can out of it, then get it fixed, but having that kind of thing open is a disaster waiting to happen, and NSA would try to fix it sooner.
And I’d point out that proper computer security is mutli-layered and does not depend on which particular ’sploit is used against it. Snort, for example, does not care at all whether you got in with a zero-day or not.
How would Snort detect the Heartbleed exploit? It looks exactly like a regular request, and from what I understand the IP address it comes from isn’t even stored in logs at the point you’re exploiting. Not all zero days are equal. It could look like legitimate activity.
How about this? Set up a website using only software and hardware that’s at least 5 years old, make sure you don’t apply any updates, and offer a bounty to anyone that hacks it. I predict anything over $500 will get you results. Do you disagree?
Hm. I don’t think that’s accurate (as either how I think about it, nor how it works). There are a few lines you could draw where anything beyond one line is definitely bad and anything not beyond a different line is not too bad, but not a single line that does that.
What would convince you that my claim about 5 year old software not being secure (or rephrase that however you want that satisfies what you consider enough of a hack) is correct?
I proposed an experimental test, do you have a better/cheaper one in mind? I realize mine is kind of difficult (and probably the hardware can be faked to make it easier, or just use new hardware), so what would you suggest?
The NSA’s files probably aren’t hooked up to the Internet. They might not use Windows, either.
What you’re looking for is the Heartbleed bug. That would have allowed you to hack perhaps 2 thirds of websites http://www.huffingtonpost.com/2014/04/08/heartbleed-66-percent_n_5112793.html (There are different estimates given, but many of the top websites were compromised.)
This Windows bug could have made you millions if you’d known about it earlier. Insider trading would have worked if you get someone into the right networks. Blueprint could be stolen. Obama’s email: that depends on whether any computers that have access to it are Windows and on a network, probably not, but you could with a few more zero days. The really expensive hacks “burn” multiple zero days.
Put it this way: if you knew everything in the public domain today about computers and went back 5 years, you pwn >99% of computers out there, and I fully expect the same to be true in 5 years. For starters, you can impersonate any website by using an md5 collision attack. (This was fixed in 2008, so more than 5 years, but you get the point.)
Have I convinced you to change careers yet?
I understand that websites are vulnerable—after all, they are public and have to interact with users. But what about a computer sitting in a basement, not publicising its IP address and just interacting with the blockchain?
Contrary to your assumptions, I am not a bitcoin miner, just an interested layperson. Even if I was, I would simply move my coins into cold storage at regular intervals, and assume that the hackers know they can make more money insider trading and carding then going after a security-conscious bitcoin miner. And if I lost one hot wallet, its not the end of the world.
You have made me worry more about AI and BCI however, imagining a ‘Ghost in the shell’ future where people can hack into each other’s brains.
Incidentally, are you a computer security professional of any form?
Every computer getting info from the blockchain publicises its IP address. But you can use proxies which make it harder, or a pool which has its own servers. But pools have websites, and they make up the majority of mined coins, so there’s an attack vector.
I see I wasn’t clear again; my “Have I convinced you to change careers yet” was asking if you were planning to become a hacker (or the cleaner version, “security researcher” or “bounty hunter”).
I’ve done my good deed for the day, then.
No, at least not formally. I have gotten paid for fixing people’s computers as a hobby. (I recently got the code for someone’s ransomware encrypted computer without having to pay by exploiting the attackers’ bitcoin setup. Not as cool as it sounds, they basically used the same address for multiple infections, which was a hole.) I’ve done a little freelance work in web design and SEO.
I read a lot of Hacker News stuff and elsewhere, use Linux for my own computer (plus Whonix for really sensitive things), but I’m not “officially there”. I do want to be someday.
Since there are a small number of mining pools there are presumable only a small number of avenues of attack which must be secured, which helps.
Well, I have hacked into an email account to prove it could be done (with consent), but in general I have no knowledge of any hacking anywhere near as advanced as finding zero-day exploits. Even disregarding interesting moral questions such as “is it ok to steal money if you give half of it to effective altruism?”, I think there are probably easier & safer legal ways to make large amounts of money.
Isn’t Hacker News mostly about startups are random stuff, not hacking in the sense of breaking into computers?
I use Linux too, plus I try to run anything which might be hostile within a virtual machine. Whonix looks interesting. Dare I ask what sort of really sensitive things you get up to, or would that be completely missing the point?
Here’s the kinds of things having to do with actual hacking I find on Hacker News (just going through my browser history now, so it may not catch everything; anything I didn’t see the comments on is missed):
https://news.ycombinator.com/item?id=8876929 https://news.ycombinator.com/item?id=8608941 https://news.ycombinator.com/item?id=8854330 https://news.ycombinator.com/item?id=8839265 https://news.ycombinator.com/item?id=8834595 https://news.ycombinator.com/item?id=8834275 https://news.ycombinator.com/item?id=8814901 https://news.ycombinator.com/item?id=8651675 https://news.ycombinator.com/item?id=6148347 https://news.ycombinator.com/item?id=8758196 https://news.ycombinator.com/item?id=8693980 https://news.ycombinator.com/item?id=8712277 https://news.ycombinator.com/item?id=8808754
That should give you an idea of the kinds of stuff I read. There are a lot of posts on HN detailing exactly how someone broke down a system. Not all of these are “breaking into computers”, but a lot are very similar.
Yes. And about “hacking” in the older sense of (very crudely) “doing clever things with computers” and the even older sense of (very crudely) “doing clever things”.
Also see “hacker”.
Right, so you go in, pwn a box—oh, look! a whole bunch of juicy info, let me grab it...
And a… slightly alternative view: “What a n00b, blundered into our network, triggered all the IDS systems and is now glued to the honeypot downloading the stuff we prepared for him… Think he’s ripe for swatting?”
X-D
If this is serious, then I’d point out that most of these exploits weren’t known by anyone 5 years ago, so they couldn’t have been on the lookout for them.
If someone’s network was still open after these exploits have been revealed, then they are likely be a honeypot, but the chances of (X is a honeypot: X is vulnerable to this exploit that no one will know about for years) is pretty much the chances of any random computer being a honeypot.
Personally, I think if the NSA had known about Heartbleed as soon as it was introduced (around 2 years before it was fixed), it would have been fixed sooner. Maybe you milk all the data you can out of it, then get it fixed, but having that kind of thing open is a disaster waiting to happen, and NSA would try to fix it sooner.
And I’d point out that proper computer security is mutli-layered and does not depend on which particular ’sploit is used against it. Snort, for example, does not care at all whether you got in with a zero-day or not.
How would Snort detect the Heartbleed exploit? It looks exactly like a regular request, and from what I understand the IP address it comes from isn’t even stored in logs at the point you’re exploiting. Not all zero days are equal. It could look like legitimate activity.
How about this? Set up a website using only software and hardware that’s at least 5 years old, make sure you don’t apply any updates, and offer a bounty to anyone that hacks it. I predict anything over $500 will get you results. Do you disagree?
You seem to think about computer security in a very binary manner: pwned or not pwned. In reality it’s, ahem, a bit more complicated.
Hm. I don’t think that’s accurate (as either how I think about it, nor how it works). There are a few lines you could draw where anything beyond one line is definitely bad and anything not beyond a different line is not too bad, but not a single line that does that.
What would convince you that my claim about 5 year old software not being secure (or rephrase that however you want that satisfies what you consider enough of a hack) is correct?
I proposed an experimental test, do you have a better/cheaper one in mind? I realize mine is kind of difficult (and probably the hardware can be faked to make it easier, or just use new hardware), so what would you suggest?