I love #infosec, but hate Skiddies

I love the Information Security world. I love the free flow of information, and the hard work of great people smarter and more amazing than I who fight every day for your privacy. I’m a hacker, I love to trick you into giving up your privacy, or working on breaking things.

One of the main problems I’ve seen in the current fighting in the interwebs is that many new hackers try to fight for fame, or their 15 minutes, by releasing some DB. These “hackers” generally use cookie-cutter attacks that they copied off some forum or blog. We “affectionately” call them Script Kiddies (Skiddies) because they have no idea how the attacks they are using work, or WHY, but simply try everything they can find and hope that SOMETHING sticks. This presents a few problems that I would like to outline.

Collateral Damage:
When a company is compromised, and the entire database is leaked publicly for the “lulz” you’re not really hurting the company. You hurt all the users, most of whom have no way to know that an attack happened, or that their account information just got leaked. Compounding that, many of those users reuse the same email/password or username/password combinations on multiple sites to make things easy. This now has impacted other potential customers and companies than the one you were targeting. Many who hack under the banner of Anonymous claim they are targeting companies and governments for corruption and they are trying to help the users, but by releasing the data in the manner that happens most often lately, they do the opposite.

Trust, or the Lack of:
Our industry is an industry of secrets. A secret is the most important and powerful weapon you can wield, and when you scream to the rooftops that you have no ability to keep a secret, you will not gain the trust of ANYONE, and you stand a great chance of losing any trust you have managed to acquire in a field where trust is everything.

Placing Bullseye on your back:
The last drawback I’ll cover regarding public release of data, is that you instantly place a target on your back. The government really seems to be working hard lately on busting hackers, so when you announce “HEY LOOK OVER HERE, I’M DOING ILLEGAL THINGS” all it does is get you in trouble.

I enjoy hacking as much as anyone else; I just worry that all the negative attention that’s coming from skiddies is going to undo much of the hard work to bring hacking to the front lines as a legitimate industry.

I’m a ninja, whacha gonna do about it?!

When it comes to hacking, I find myself in a place that many others do. I don’t have a vast pool of magical wealth with which to build a security weapon of mass destruction. I find that the only people with the money to spend on building the BEST hacking machines are one of two people. The first is a Whitehat hacker who is backed by a large pen-testing company; the company will fund the hacker’s machine to the best of their ability because the better he can do on a PenTest, the more profit they will make. This I understand, but being that I am not a Blackhat and I hack as part of my job, it causes a bit of envy of people who can afford the “right” tool for the job.

The other type of person that can devote massive amounts of money to a hacking computer would be a high school student or early college student (who hasn’t yet come to terms with his massive debt) and has all the free time in the world to learn to do something fun for a while. I have seen many of these computers go to waste, because the person THOUGHT they wanted to learn hacking, but when they learned it was nothing like the movies, and it’s actually quite a bit of work, they gave up, and that computer became a gaming computer.

In the title I state that I am a Ninja, and this is why I think MOST hackers today, could fit better into this bucket. Back in Japan, when the ninja was used as a spy of the day, they were poor people, farmers or average people who HID their identity for fear of being discovered. They also didn’t have money for amazing swords, or armor like the Samurai did, they had to fashion their weapons and armor out of things they could find, and would need to know how to use ANYTHING they found as a means of defending themselves, or attacking the enemy. Sticks, brooms, rakes, chains, kitchen knives, towels, anything you can imagine has a use in attack or defense if needed.

I think we hackers today are doing this more often than we would stop to notice. We “make do” with the tools we have, we mold other devices into new tools, and push hardware to do things that were never even imagined when it was built. Ninjas also were not good, they were not bad. They had a job to do, and if they didn’t MANY people would die. A ninja’s main goal was to NOT get caught, so I don’t think some of the big names in the scene are acting as ninjas.

The scene has become some kind of “Status Club” even among groups like Anonymous, or any of the groups dumping/bragging about their exploits and hacks. When will people see that all that does is draw attention squarely on yourself? Go ahead, keep claiming your victims publicly, keep bragging about how 1337 you are; as long as focus is on you, it’s not on anyone else who might actually be trying to do some good.

 

Sorry... I got sidetracked, but had to get that off my chest.

Also, not ALL people who fall into my description of a ninja are ninjas. I didn’t mention that on top of not getting caught, most times ninjas were not allowed to kill unless absolutely necessary for the completion of the mission; they were to AVOID conflict at ALL costs, so that the information they collected could be used at a later time by the ENTIRE armed force.

This translates well to the hacking culture also. So many people are running around “killing” anyone that’s in front of them, but what is the end goal? Did you ACCOMPLISH anything? What’s worse is you could have COMPROMISED everything a group has been working on, because you started making too much noise.

The secret in our field is SECRETS, trust, and yes, HONOR.

If you aren’t going to help, get out of the way.