I've already documented my brief, youthful dalliance with the illegal side of computing as it existed in the late 1980s. But was it crime? Was I truly a criminal? I don't think so. To be perfectly blunt, I wasn't talented enough to be any kind of threat. I'm still not.
Some people might think that the lesson of Mat Honanâs story is give your phone number to Google, so that hackers donât get to learn your other email. Problem is Google(or any other service provider for that matter) shouldnât be displaying any part of your recovery info for any reason.
What would you think, if your password reminder question was like this:
Your favorite dog?
L*ss**
And kudos to Apple and Amazon for using publicly accessible information as part of their id confirmation questions.
I am sorry but Iâm failing to see how this was a âpeopleâ error and not a âsystemâ error.
This was a very interesting read.
Very good article.
Hereâs an interesting approach to dealing with hackers: http://www.youtube.com/watch?v=nHKDeBBbd-U
Please tell me Amazon have fixed that vulnerability now?
âThe chance of success is miniscule. Instead, they target the soft, creamy underbelly of all companies: the users inside.â
Reminds me of the xkcd comic: http://xkcd.com/538/
It is a people error because the system did not decide to display Lssy on its own; people made that decision. The system did not decide to allow users to add credit card information to an account without proper authentication; people made that decision.
Password recovery is kind of a paradoxical thing. From a technical point of view it would be easy to say âthis account has password X, do not let anyone in unless he knows Xâ, but the objective of authentication is not to verify that you know the password, itâs to verify that you are who you say you are, and passwords are forgotten and stolen regularly, so they are ultimately something thatâs defeated by its own objective. Reminds me a bit of DRM, which wants to prevent people from copying things wile letting them access them.
Maybe Google should have a âdisable all password recovery optionsâ mode for paranoid people who think they can handle that?
@James: âIt is a people error because the system did not decide to display Lssy on its own; people made that decision. The system did not decide to allow users to add credit card information to an account without proper authentication; people made that decision.â
The distinction is between how the system functions and prevents intrusion on its own, versus actions that people take that unwittingly give hackers access.
In this example, the system was designed in a vulnerable way. An attack like that is made possible because a hacker can make a frontline assault on the system instead of calling a customer service person or sending the user an email bomb to open.
Also, Happy Programmerâs Day.
I just finished âGhost in the Wiresâ it was an amazing book. Reading it confirmed that the weakest link in any security system is the people who use it. The fact remains that 100% security will never be the attainable, simply because of the inherent âtrustâ we as humans have for each other.
Maybe the companies need to ask for the second to last 4 digits of a credit card. most companies display the last 4, but if the customer service would ask for the second to last 4, this would not be visible. The back end systems could be set to only display this information to the customer service individuals. Still making it secure for the user. It would be similar to a private key that only the user and company would know.
All of these are definitely must-reads. Iâd also add this:
The Watchman: The Twisted Life and Crimes of Serial Hacker Kevin Poulsen
http://www.amazon.com/The-Watchman-Twisted-Crimes-Poulsen/dp/0316528579
You mentioned Kevin Poulsen as an author, but he also has a book chronicling his hacking.
Kingpinâs Max appeared in an episode of CNBCâs âAmerican Greedâ. He was the main subject of the show.
You donât post for over a month, then you blog about hacking. Should we be worried?
We are willing to sacrifice security for convenience to be able to do business over the phone easily. Some of the glaring weaknesses that are common in the US, such as using social security numbers, dates of birth, motherâs maiden name, or last four digits of credit card as a form of âidentificationâ, are rare in other countries where business over the phone is not as common or businesses are more paranoid.
In Mexico, if you want to do almost anything related to your bank/utility/government/etc. account, you have to go to a branch in person and bring photo ID. Sure, you might fake a photo ID, but that increases the barrier and risk greatly compared to fraud over the phone.
(On the other hand, many people in Mexico are victims of bank fraud that are perpetrated by bank insiders, so things are most definitely not perfect there either!)
Security is never perfect and people are the weakest link by the very fact they are people. The same can be said for lots of things. Whatâs the ratio of auto accidents caused by mechanical failure versus driver error? Pretty low I would guess.
You also have to factor in that there is little value in making it hard for customers to access your services and buy products. How attractive is a store with steel doors and no windows where you have to show ID and answer personal questions?
This reminds me of the good olâ dumpster diving technique, which along with social engineering is a real powerful way to acquire valuable information from a target.
Cuckooâs Egg is one of my favourite books, although Iâm not sure Iâd describe that hacker as âincredibly talentedâ, just very persistent.
I think youâre missing a big chunk of the picture of the early days by focusing on just the two books mentioned however. Iâd recommend this book as a worthy third in the list: http://www.underground-book.net â I have a print copy, but the full text can be downloaded from that website.
The book includes the stories of several hackers from Europe, the US and Australia, although it doesnât provide their real names (several can be found on Wikipedia now though).
An Australian TV documentary was made about two of the hackers whose stories are included in that book a few years ago. A third Australian mentioned has become relatively well known in recent years. In fact his part of the book has been made into a film that premiered just a few days ago at the Toronto International Film Festival: http://www.hollywoodreporter.com/news/julian-assange-toronto-film-festival-underground-361989
BTW, I can definitely recommend you donât read Tsutomu Shimomuraâs, âTakedown: The Pursuit and Capture of Kevin Mitnickâ. For some reason he felt compelled to detail his eating habits along the way, and itâs hugely distracting.
ahaha these stories are amazing. I didnât think hacking nowadays just needed some insidious intent with a bit of cleverness than legit and hardcore computer knowledge.
Might have to rethink my plan to take over the world. /O\