Computer Crime, Then and Now

I've already documented my brief, youthful dalliance with the illegal side of computing as it existed in the late 1980s. But was it crime? Was I truly a criminal? I don't think so. To be perfectly blunt, I wasn't talented enough to be any kind of threat. I'm still not.

This is a companion discussion topic for the original blog entry at:

Some people might think that the lesson of Mat Honan’s story is to give your phone number to Google, so that hackers don’t get to learn your other email. Problem is, Google (or any other service provider for that matter) shouldn’t be displaying any part of your recovery info for any reason.

What would you think, if your password reminder question was like this:
Your favorite dog?

And kudos to Apple and Amazon for using publicly accessible information as part of their id confirmation questions.

I am sorry but I’m failing to see how this was a “people” error and not a “system” error.

This was a very interesting read.

Very good article.
Here’s an interesting approach to dealing with hackers:

Please tell me Amazon have fixed that vulnerability now?

“The chance of success is minuscule. Instead, they target the soft, creamy underbelly of all companies: the users inside.”

Reminds me of the xkcd comic:

It is a people error because the system did not decide to display Lssy on its own; people made that decision. The system did not decide to allow users to add credit card information to an account without proper authentication; people made that decision.

Password recovery is kind of a paradoxical thing. From a technical point of view it would be easy to say “this account has password X, do not let anyone in unless he knows X”, but the objective of authentication is not to verify that you know the password, it’s to verify that you are who you say you are, and passwords are forgotten and stolen regularly, so they are ultimately something that’s defeated by its own objective. Reminds me a bit of DRM, which wants to prevent people from copying things while letting them access them.

Maybe Google should have a “disable all password recovery options” mode for paranoid people who think they can handle that?

@James: “It is a people error because the system did not decide to display Lssy on its own; people made that decision. The system did not decide to allow users to add credit card information to an account without proper authentication; people made that decision.”

The distinction is between how the system functions and prevents intrusion on its own, versus actions that people take that unwittingly give hackers access.

In this example, the system was designed in a vulnerable way. An attack like that is made possible because a hacker can make a frontline assault on the system instead of calling a customer service person or sending the user an email bomb to open.

Also, Happy Programmer’s Day.

I just finished “Ghost in the Wires”; it was an amazing book. Reading it confirmed that the weakest link in any security system is the people who use it. The fact remains that 100% security will never be attainable, simply because of the inherent “trust” we as humans have for each other.

Maybe the companies need to ask for the second-to-last 4 digits of a credit card. Most companies display the last 4, but if customer service asked for the second-to-last 4, those would not be visible. The back-end systems could be set to only display this information to the customer service individuals, still keeping it secure for the user. It would be similar to a private key that only the user and company would know.

All of these are definitely must-reads. I’d also add this:

The Watchman: The Twisted Life and Crimes of Serial Hacker Kevin Poulsen

You mentioned Kevin Poulsen as an author, but he also has a book chronicling his hacking.

Kingpin’s Max appeared in an episode of CNBC’s “American Greed”. He was the main subject of the show.

You don’t post for over a month, then you blog about hacking. Should we be worried?

We are willing to sacrifice security for convenience to be able to do business over the phone easily. Some of the glaring weaknesses that are common in the US, such as using social security numbers, dates of birth, mother’s maiden name, or last four digits of credit card as a form of “identification”, are rare in other countries where business over the phone is not as common or businesses are more paranoid.

In Mexico, if you want to do almost anything related to your bank/utility/government/etc. account, you have to go to a branch in person and bring photo ID. Sure, you might fake a photo ID, but that increases the barrier and risk greatly compared to fraud over the phone.

(On the other hand, many people in Mexico are victims of bank fraud that is perpetrated by bank insiders, so things are most definitely not perfect there either!)

Security is never perfect and people are the weakest link by the very fact they are people. The same can be said for lots of things. What’s the ratio of auto accidents caused by mechanical failure versus driver error? Pretty low I would guess.

You also have to factor in that there is little value in making it hard for customers to access your services and buy products. How attractive is a store with steel doors and no windows where you have to show ID and answer personal questions?

This reminds me of the good ol’ dumpster diving technique, which along with social engineering is a really powerful way to acquire valuable information from a target.

Cuckoo’s Egg is one of my favourite books, although I’m not sure I’d describe that hacker as ‘incredibly talented’, just very persistent.

I think you’re missing a big chunk of the picture of the early days by focusing on just the two books mentioned however. I’d recommend this book as a worthy third in the list: – I have a print copy, but the full text can be downloaded from that website.

The book includes the stories of several hackers from Europe, the US and Australia, although it doesn’t provide their real names (several can be found on Wikipedia now though).

An Australian TV documentary was made about two of the hackers whose stories are included in that book a few years ago. A third Australian mentioned has become relatively well known in recent years. In fact his part of the book has been made into a film that premiered just a few days ago at the Toronto International Film Festival:

BTW, I can definitely recommend you don’t read Tsutomu Shimomura’s “Takedown: The Pursuit and Capture of Kevin Mitnick”. For some reason he felt compelled to detail his eating habits along the way, and it’s hugely distracting.

Ahaha, these stories are amazing. I didn’t think hacking nowadays just needed some insidious intent and a bit of cleverness rather than legit, hardcore computer knowledge.

Might have to rethink my plan to take over the world. /O\