Thursday May 25 2023, @05:10PM

In the movies, you can tell the best hackers by how they type. The faster they punch the keys, the more dangerous they are. Hacking is portrayed as a highly technical feat, a quintessentially technological phenomenon.

This impression of high-tech wizardry pervades not just our popular culture but also our real-world attempts to combat cybercrime. If cybercrime is a sophisticated high-tech feat, we assume, the solution must be too. Cybersecurity companies hype proprietary tools like "next generation" firewalls, anti-malware software and intrusion-detection systems. Policy experts like John Ratcliffe, a former director of national intelligence, urge us to invest public resources in a hugely expensive "cyber Manhattan Project" that will supercharge our digital capabilities.

But this whole concept is misguided. The principles of computer science dictate that there are hard, inherent limits to how much technology can help. Yes, it can make hacking harder, but it cannot possibly, even in theory, stop it. What's more, the history of hacking shows that the vulnerabilities hackers exploit are as often human as technical — not only the cognitive quirks discovered by behavioral economists but also old-fashioned vices like greed and sloth.

To be sure, you should enable two-factor authentication and install those software updates that you've been putting off. But many of the threats we face are rooted in the nature of human and group behavior. The solutions will need to be social too — job creation programs, software liability reform, cryptocurrency regulation and the like.

For the past four years, I have taught a cybersecurity class at Yale Law School in which I show my students how to break into computers. Having grown up with a user-friendly web, my students generally have no real idea how the internet or computers work. They are surprised to find how easily they learn to hack and how much they enjoy it. (I do, too, and I didn't hack a computer until I was 52.) By the end of the semester, they are cracking passwords, cloning websites and crashing servers.

Why do I teach idealistic young people how to lead a life of cybercrime? Many of my students will pursue careers in government or with law firms whose clients include major technology companies. I want these budding lawyers to understand their clients' issues. But my larger aim is to put technical expertise in its place: I want my students to realize that technology alone is not enough to solve the problems we face.

I start my class by explaining the fundamental principle of modern computing: the distinction between code and data. Code is a set of instructions: "add," "print my résumé," "shut the door." Data is information. Data is usually represented by numbers (the temperature is 80 degrees), code by words ("add"). But in 1936, the British mathematician Alan Turing figured out that code could be represented by numbers as well. Indeed, Turing was able to show how to represent both code and data using only ones and zeros — so-called binary strings.

This groundbreaking insight makes modern computers possible. We don't need to rebuild our computers for every new program. We can feed our devices whatever code we like as binary strings and run that program. That zeros and ones can represent both code and data is, however, a blessing and a curse, because it enables hackers to trick computers that are expecting data into accepting and running malicious code instead.
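The code/data point above, as an added example that is not from the op-ed: a toy machine whose single memory holds both the program and the input record it processes, so a record longer than its buffer spills onto the instruction cells and is executed as code, while the same machine with a length check or read-only code cells rejects it. The machine, its opcodes, the memory layout and the "grant" flag are all constructed for illustration.

```python
# Toy von Neumann machine: one memory array holds both the program and the
# data it processes. Everything below (opcodes, layout, the "grant" flag)
# is constructed for this example; it is not from the op-ed or any real CPU.

COPY_INPUT, PRINT, HALT, GRANT = 1, 2, 3, 4   # two-cell instructions: op, operand
BUF_ADDR, BUF_SIZE = 0, 8                      # data buffer occupies cells 0..7
CODE_ADDR = 8                                  # program sits right after the buffer

# Legitimate program: copy the input record into the buffer, use it, stop.
# It never issues GRANT, the privileged operation.
PROGRAM = [COPY_INPUT, BUF_ADDR, PRINT, BUF_ADDR, HALT, 0]


class Machine:
    def __init__(self, enforce_bounds=False, code_readonly=False):
        self.mem = [0] * 32
        self.mem[CODE_ADDR:CODE_ADDR + len(PROGRAM)] = PROGRAM
        self.enforce_bounds = enforce_bounds    # mitigation 1: length check on input
        self.code_readonly = code_readonly      # mitigation 2: code cells not writable (W^X)
        self.granted = False

    def store(self, addr, value):
        if self.code_readonly and addr >= CODE_ADDR:
            raise PermissionError(f"write to code cell {addr} blocked")
        self.mem[addr] = value

    def run(self, record):
        pc = CODE_ADDR
        for _ in range(100):                    # step limit so a bad program cannot spin
            op, arg = self.mem[pc], self.mem[pc + 1]
            pc += 2
            if op == COPY_INPUT:
                if self.enforce_bounds and len(record) > BUF_SIZE:
                    raise ValueError(f"record of {len(record)} cells exceeds buffer")
                for i, v in enumerate(record):   # the unchecked copy: data may land on code
                    self.store(arg + i, v)
            elif op == PRINT:
                pass                             # consume the data; nothing to show here
            elif op == GRANT:
                self.granted = True              # only reachable if GRANT got into memory
            elif op == HALT:
                return self.granted
            else:
                raise RuntimeError(f"invalid opcode {op} at {pc - 2}")
        raise RuntimeError("step limit exceeded")


def run_record(record, **mitigations):
    """Return 'ok', 'granted' (data ran as code) or 'rejected: <reason>'."""
    try:
        return "granted" if Machine(**mitigations).run(record) else "ok"
    except (ValueError, PermissionError) as exc:
        return f"rejected: {exc}"


# Constructed inputs: eight temperature readings, then the same readings padded
# so the copy spills past the buffer and the trailing cells overwrite the
# instructions the program is about to execute next.
BENIGN = [72, 75, 80, 78, 77, 81, 79, 76]
OVERLONG = BENIGN + [0, 0, GRANT, 0, HALT, 0]
```

`run_record(OVERLONG)` returns "granted" on the unprotected machine, and "rejected: ..." once either mitigation is switched on, while `BENIGN` passes in every configuration.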

[...] Diversion programs in Britain and the Netherlands run hacking competitions where teams of coders compete to hack a target network; these programs also seek to match up coders with older security personnel to act as mentors and direct their charges into the legitimate cybersecurity industry. At the moment, with an estimated 3.5 million jobs unfilled worldwide, one fewer attacker is one more desperately needed defender.

  • (Score: 4, Insightful) by Opportunist on Thursday May 25 2023, @05:36PM (12 children)

    by Opportunist (5545) on Thursday May 25 2023, @05:36PM (#1308151)

    I do pentesting and security consulting for a living. Computer systems are today pretty secure. You can actually create a near 100% impenetrable security setup. Barring zero days, it's very possible to create a secure setup, and those elusive zero day exploits are something that you should not have to worry about unless you're trying to enrich uranium for a country that shouldn't do it according to a bunch of countries that can throw a few millions about just to mess with you.

    The key security problem you're dealing with is not inside the machine but in front of it. The security of a system is not the average of the system's security and the operator's security. It's the minimum function thereof. So where do you put your crowbar, at the system that has been hardened by experienced security engineers or at the clueless moron sitting in front of it who clicks on anything that tells him "your system is in danger, click here NOW or you're hacked, we get a video of you wanking to midget porn, your bank account is gone and your pet dog dies!"?

    • (Score: 5, Funny) by Freeman on Thursday May 25 2023, @05:41PM (1 child)

      by Freeman (732) on Thursday May 25 2023, @05:41PM (#1308156) Journal

      That first paragraph sounds like something you'd tell a client. I'm pretty hopeful that you don't tell them the second paragraph.

      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
      • (Score: 3, Interesting) by Opportunist on Friday May 26 2023, @08:04AM

        by Opportunist (5545) on Friday May 26 2023, @08:04AM (#1308278)

        I do.

        My clients are mostly internal. And they're generally very interested in hearing that one of their admins didn't follow protocol. If they're not, they can talk it out with my CISO who'll probably tell them the same. Just more loudly.

    • (Score: 3, Interesting) by JoeMerchant on Thursday May 25 2023, @05:54PM (2 children)

      by JoeMerchant (3937) on Thursday May 25 2023, @05:54PM (#1308162)

      I have always felt that the biggest security risks, after the all too hackable humans authorized to use the system, were the script kiddies. Lots and lots of people out there who don't know much, but they find something on the internet that's supposed to enable a bit of mayhem and, well, why not try it out and see if it works?

      You know what AI is really really good at? Finding stuff on the internet and synthesizing it into responses pertinent to natural language queries.

      I'm kinda afraid to ask ChatGPT "how can I gain root ssh access to the server for without prior knowledge of a valid username and password?" I would hope that triggers some of their built in "protections" - but... does anybody here have a TOR connection setup who is willing to try the query and see what comes out?

      🌻🌻
      • (Score: 2) by Freeman on Thursday May 25 2023, @06:01PM (1 child)

        by Freeman (732) on Thursday May 25 2023, @06:01PM (#1308164) Journal

        Talking about security risks, asking ChatGPT about X thing about circumventing security measurements at X government facility is probably a good way to increase your own security risks.

        Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
        • (Score: 2) by JoeMerchant on Thursday May 25 2023, @06:42PM

          by JoeMerchant (3937) on Thursday May 25 2023, @06:42PM (#1308174)

          >a good way to increase your own security risks.

          Thus, the fear. It's only for research purposes, of course. Basic curiosity of: "what would it say?" - never actually intending to use it to put a redirect to or anything like that...

          But, seriously, are the "safety filters" only on .gov TLDs, are our corporate servers open to AI powered script kiddie attack? Whatever the filters are, I'm sure they're not 100%, particularly when the system is so openly available that you can build your own with whatever filters you do and do not want to use...

          🌻🌻
    • (Score: 3, Interesting) by sjames on Thursday May 25 2023, @06:50PM (4 children)

      by sjames (2882) on Thursday May 25 2023, @06:50PM (#1308176) Journal

      I concur. I also do pen testing from time to time, and I would say the most common ways in are spear phishing, then mis-configurations. Sending out the old standard "click here to log in to your webmail account so we don't delete it" works unbelievably well. I even get to people whose emails I didn't know because coworkers forward my phish for me. Due to password re-use, that often yields the gold keys to the kingdom.

      The worst mis-configuration I have seen was a Jenkins server that would accept ANY Github credential.

      The obscure stack smashing attacks do happen, but stuffing URLs is a lot more likely to actually work outside of the lab.

      • (Score: 3, Insightful) by Opportunist on Thursday May 25 2023, @07:04PM (2 children)

        by Opportunist (5545) on Thursday May 25 2023, @07:04PM (#1308182)

        The worst mis-configuration I have seen was a Jenkins server that would accept ANY Github credential.

        You sure that was a misconfiguration and not a honeypot? :)

        • (Score: 3, Interesting) by sjames on Thursday May 25 2023, @09:05PM (1 child)

          by sjames (2882) on Thursday May 25 2023, @09:05PM (#1308211) Journal

          Yes. I was contracted to pen test the owner of that box (And I had my signed get out of jail free card). I was then able to steal their AWS passwords.

          • (Score: 2) by Opportunist on Friday May 26 2023, @08:06AM

            by Opportunist (5545) on Friday May 26 2023, @08:06AM (#1308279)
            Yeah, cloud security. It really is like hacking like it's 1999 again, isn't it?

            Every time a new technology makes the round and people jump on it, admins get thrown into having to administrate it without anything that could resemble proper training and then people are surprised when security isn't even an afterthought since the admins are already with 120% capacity busy trying to get the shit to work. The time for making it work securely just isn't there.

      • (Score: 2) by janrinok on Thursday May 25 2023, @07:51PM

        by janrinok (52) Subscriber Badge on Thursday May 25 2023, @07:51PM (#1308191) Journal

        I'm getting a couple of those webmail 'reminders' every day to my SN email addy.

        I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
    • (Score: 3, Interesting) by bloodnok on Thursday May 25 2023, @09:36PM (1 child)

      by bloodnok (2578) on Thursday May 25 2023, @09:36PM (#1308214)

      You can actually create a near 100% impenetrable security setup. Barring zero days, it's very possible to create a secure setup, and those elusive zero day exploits are something that you should not have to worry about unless you're trying to enrich uranium for a country that shouldn't do it according to a bunch of countries that can throw a few millions about just to mess with you.

      Yes, of course you can create a secure web site, but not many achieve it. Most sites use so much 3rd party software that it is impossible to audit it all. And even if you do, that's just this week. As soon as you upgrade something you will have to audit a whole bunch more stuff. And then, there is an exploit of something you use and you have to upgrade to the latest version, because that's just best practice, right? And that requires new versions of X which requires new versions of Y, and there you go: more to audit. And the fashion for releasing new functionality every few weeks really doesn't help.

      And who audits this stuff anyway? Hardly anyone, is who.

      I'd recommend reading Secrets and Lies by Bruce Schneier. He points out that the attack surface of modern computer systems is huge. And we have to secure every bit of it, while the attacker has only to find 1 exploit.

      I've resigned myself to all systems being compromised eventually. The best thing everyone can do is to have security at all levels, including the databases (VPDs please); only store what is necessary for as long as necessary; not use SINs, etc as keys; and have automated auditing and monitoring that is likely to detect an ongoing attack. You are not likely to be able to prevent compromises, but you do at least have a hope of shutting them down quickly, and restricting how much valuable data is compromised.

      <vent>A financial institution that I use had one of its service providers compromised recently. "No financial data was breached," but my SIN was taken. This company had no business having my SIN, yet that was stolen. For the sake of fuck, what is wrong with these people? The service provider provided print and mailout services, so WTF did they need my SIN for?

      We contacted the financial service company and they said that they use SINs for identification purposes and that this was industry standard practice. Well, it may be standard practice but that doesn't make it either good or even acceptable practice. The Office of the Canadian Privacy Commissioner says explicitly on their web site that this is bad practice, and has done for many years. It was known to be bad practice 30 years ago, but the financial institution says it's ok 'cos everyone does it. I'll be trying to move my business elsewhere as there seem to be no other penalties these bozos will face.</vent>

      The Major

      • (Score: 2) by Opportunist on Friday May 26 2023, @08:01AM

        by Opportunist (5545) on Friday May 26 2023, @08:01AM (#1308277)

        This is why layers of security are so crucial. I am a very big fan of the onion model of security. Every layer should, preferably, be fully capable of securing your system all by itself, every system has information on a need-to-know base, every piece of data has a normal flow of operation and a deviation from it causes an alarm. There is one, and only one, way to access various crucial systems with administrative privileges, which in turn makes securing that path rather easy since you only have to deal with a very limited number of systems that need to be secured.

        Sorry that I can't go into more detail, but we do spend quite a bit of effort (and money, holy shit...) on getting security down right.

        And that's at the same time the reason why security is in the sorry state it's in in most companies: Money. Security costs money. And it costs a shitload of money. The systems are much but not cheap and the people who can actually do it are insanely expensive as well. Our group has to afford that, because security is one of our key selling points (we never had a data breach and we intend to keep it that way). But that's us, an investment group where, as our CISO quipped, rubber stamping "it's for security" on any document gets it funded on the fast-pass.

        That's by far not an industry standard.

  • (Score: 3, Interesting) by JoeMerchant on Thursday May 25 2023, @05:48PM

    by JoeMerchant (3937) on Thursday May 25 2023, @05:48PM (#1308159)

    Old man hired me straight out of college.

    Six months later old man tries to set me up to be fired, fails, CEO gives me his office to work in.

    Five years later, I was given Old man's job and he was given a "lateral title change" (aka hint that it's time to move on).

    Old man's rant to me one day included a couple of real gems:

    "You remind me of my son, he hates me too." (I had gotten this once before, from an even more obstinate old man / asshole statistics professor, coincidentally "Old man" ended up becoming an obstinate asshole EE professor.)

    and, to TFA: "Everything you do is fast, you walk fast, you type fast, you code fast, I'm not fast like that.... and that's O.K." Yeah, it's O.K. except it obviously scares you enough to behave like an obstinate asshole.

    And that's what movies want to do: instill emotions in the audience. When they see a "hacker" doing "smart stuff" impossibly fast on a keyboard, it tingles that little "wow, I could _never_ do something like that" vibe, pretty much the opposite of the "relatable" interpersonal / romantic relationship interactions they show.

    P.S. I'm just about as Old as Old man now. Even if I don't walk as fast, or code as fast (debatable, I throw less away now), I do still type fast. It's gonna suck mightily when arthritis starts cutting into that. Going heavy on the Ginger, Turmeric, and other anti-inflammatories does seem to make some positive difference.

    🌻🌻
  • (Score: 4, Insightful) by pTamok on Thursday May 25 2023, @06:07PM (1 child)

    by pTamok (3042) on Thursday May 25 2023, @06:07PM (#1308165)

    these programs also seek to match up coders with older security personnel to act as mentors and direct their charges into the legitimate cybersecurity industry. At the moment, with an estimated 3.5 million jobs unfilled worldwide, one fewer attacker is one more desperately needed defender.

    Getting into the computer security industry is surprisingly hard: there are no apprenticeships, and especially not for people with experience and no formal qualifications.

    Lots of companies want recent graduates with paper qualifications, but no experience - which is because, for insurance purposes, they want someone who will tick the boxes on a 3rd party audit (run by organisations who offer security courses, like CISSP) - but actual Don't want to know.

    Basically, it's a big house of cards, with no-one actually wanting to take security seriously - because it is a huge cost centre, and it is cheaper to run the risk of loss of data than do the right things to protect stuff.

    The only people I know who take security at least half-way seriously are ones who operate on 'need to know' and 'principles of least privilege' backed by men with guns and no sense of humour. Everyone else is basically doing performance art, badly.

    • (Score: 2) by acid andy on Thursday May 25 2023, @07:55PM

      by acid andy (1683) on Thursday May 25 2023, @07:55PM (#1308194) Homepage Journal

      I think much the same thing happens, as far as it is allowed to, for most forms of regulation. They always learn to do exactly what is required to scrape through each audit, and no more. That's business. Box ticking.

      Consumerism is poison.
  • (Score: 3, Funny) by acid andy on Thursday May 25 2023, @07:49PM

    by acid andy (1683) on Thursday May 25 2023, @07:49PM (#1308189) Homepage Journal

    In the movies, you can tell the best hackers by how they type. The faster they punch the keys, the more dangerous they are.

    When I was an overconfident teenager with a somewhat inflated ego, a colleague about my age introduced me to a Linux login prompt for the first time. I thought I'd show off how fast I could type in my login, not realizing this system had a delay between accepting the username and displaying the password prompt. Pretty embarrassing to see my password spewed out in the clear onto the screen as he watched! I learned a lesson that day!

    Consumerism is poison.