Junk Hacking Must Stop

[lilrofl]

So I ran across an article, URL below, and I found a lot to agree with in it. Thought I'd drop it here to see what you guys thought.

Look, I get how we all love free trips to various locales other than
Seattle or Boston or whatever (which are not, technically "locales" so
much as just "places people happen to live"). But one more hacking talk
about breaking into some random piece of electronics that people might
use somewhere like a Internet-connected bed-warmer, or a MRI machine, or
a machine people use to make MRI machines, and the whole hacking
community is going to be wearing the cone of shame for a week!

your blackhat talk was not accepted!

Yes, we get it. Cars, boats, buses, and those singing fish plaques are
all hackable and have no security. Most conferences these days have a
whole track called "Junk I found around my house and how I am going to
scare you by hacking it". That stuff is always going to be hackable
whetherornotyouarethecalvalry.org.

I get that Barnaby hacked an ATM. I thought it was stupid then, and it's
even stupider now when your basic ATM runs XP so it can display ads to
you while you take money out of it. But it's not stunt hacking unless it
can *wow* you. If you are wowed by someone owning XP these days, then
you are out of it and need to be re-reading Carolyn Meniel's HappyHacker
website. Yes, there is Junk in your garage, and you can hack it, and if
you find someone else who happens to have that exact same Junk, you can
probably hack that too, but maybe not, because testing is hard.

Cars are the pinnacle of junk hacking, because they are meant to be in
your garage. Obviously there is no security on car computers. Nor (and I
hate to break the suspense) *will there ever be*. Yes, you can connect a
device to my midlife crisis car and update the CPU of the battery itself
with malware, which can in theory explode my whole car on the way to
BJJ. I personally hope you don't. But I know it's possible the same way
I know it's possible to secretly rewire my toaster oven to overcook my
toast every time even when I put it on the lowest setting, driving me
slowly but surely insane.

So in any case, enough with the Junk Hacking, and enough with being
amazed when people hack their junk.

-dave :>

Code: Select all

https://lists.immunityinc.com/pipermail/dailydave/2014-September/000746.html

[maboroshi]

If you 'hacked' a device by buying one off eBay, cracked the case open,
soldered some wire to the board, injected your own firmware, and then
stuck your penis in the USB port... go away. No shit you can own a device
with that. No shit, you didn't really cross privilege boundaries. If you
can break into my house to take apart my electronics, you can also smother
me with a pillow while I sleep.

I thought this was pretty funny. I agree with the guys post. However I do like the topics that pertain to this in a sense, that involve (as an example) confusing video surveillance by wearing translucent LEDs in a hat.

*cheers

This was some fun to read.

[bad_brain]

I totally agree with that article. "hacking" was taken over by the mainstream and now every moron who burned his toast ("look, I made the toaster do what he isn't intended to do..I totally hacked it!") labels himself as "hacker"....but then again: the ones who label themselves that way never been the real ones, not just since today.

what also annoys the crap out of me is the artificial hype about exploits.
what happened with the good old true hacking spirit of "release full disclosure under anonymous nickname without notifying vendor first"...now it's "inform vendor, release 5 vague blog posts about it before delivering the true info just to promote your shitty never-heard-of-and-never-will-again security company (that is actually a PC in mum's basement), then sell cups and shirts, and never stop bragging about how severe that flaw is and how it almost took down the whole internet"...

[lilrofl]

I couldn't agree more when it comes to the artificial hype surrounding vulnerabilities that were patched yesterday.

There was a talk by Keren Elazari entitled , "The Internet's Immune System" where she details how by exploiting vulnerabilities, hackers make the internet a stronger, and safer place for people by forcing it to evolve. I really like the concept. In order for that to work though, hackers need to keep evolving as well.

This new trend of rehashing the same vulnerabilities on machines that run XP for instance, is lame, and tiring. Most of those machines aren't going to stop running XP; MRI machines for instance were build with Windows Embedded (read XP) for 12 years, and cost between $250K and $500K... they are going to be exploitable forever, and replacing them is cost prohibitive. Exploiting them doesn't amount to hacking anymore I think, it's more akin to a cross breed between a script-kiddy and a spammer.

[bad_brain]

yeah, hackers kinda have evolved....actually more mutated to be precise....into a totally wrong direction. skiddies at least had some kind of purpose by hammering your site/server will all kinds of silly exploits...which forced you to stay up to date with the software and the latest exploits techniques. skiddie attacks nowadays went down at least by 50% compared to maybe 5 years ago, at least when I look at my logs (and the servers I run are even way more populated and visited than before).

now it's all about finding the easiest device to exploit, as pointless as it might be, just to show off with something completely useless.

[Kirk]

I would disagree. I really enjoy all the mindless hacks out there now. Back in the day hacking was just taking something and changing it while cracking was breaking into security. Mainstream media I believe used the term hacker wrong. I could be wrong on this though. But all those mindless hacks give me something to do. A way to learn electronics. Projects for me and my kid to spend time together. I suppose we should create a new word for what this besides junk hacks. Something to separate real hacking and this cause it's more electronic hacking then software or security. Maybe e-hacking for electronic hacking.

*e-hacking is already in use for ethical hacking. Maybe ec-hacking or some such. Point remains the same though.

Usage: check out my ec-hack of this toaster. Or : how to ec-hack an Arduino uno.

Side note. The more the term hacker gets around and the more people who see that hacking isn't just about breaking into the DoDs website the better it is for real hackers. People will become comfortable with the term and not associate with evil purposes thereby extending that to the people dubbed hackers. No longer will they be evil people just nerds in pursuit of pleasure. I see nothing wrong with that. Wish my judge had that view point.

[bad_brain]

first of all: look who's back!

and well, you do make some valid points. I think what matters is "where you are coming from", personally I come from the old school "hacking is about networking" fraction..which means a hack is something that must affect some kind of (semi)public service, it's something where it's you against an admin (or vice versa: you as admin against an intruder).
for me that's what makes in interesting, it's a challenge between 2 (or more) people to see who has a better understanding, more skills and knowledge.

those ec-hacks are surely entertaining and many display a lot of skills and knowledge, but I miss the live challenge and the danger....and with "danger" I don't necessarily mean the one of getting caught, as server admin there is actually an even bigger danger: the one of getting your ass kicked by customers because they lost their sites (fort example).

[lilrofl]

first of all: look who's back!

For truth! How is it man?

People will become comfortable with the term and not associate with evil purposes thereby extending that to the people dubbed hackers. No longer will they be evil people just nerds in pursuit of pleasure. I see nothing wrong with that. Wish my judge had that view point.

There is something to be said for this point of view, and I'm not exactly saying that there is no merit in hacking a toaster to burn some toast (or alternately make it perfect every time since my toaster seems to come pre-burn-hacked), I guess I am just not impressed by the incessant hacking of devices that run Windows Embedded like it's different then hacking the last device that was running Windows Embedded.

It's good to see you kirk, hope to see more of you.