<div dir="ltr">I couldn't have said it any better than Marc .<div>Isn't it our fault as a community to estimate value based on the number of conferences something is presented at or the name/fame of those conferences?</div><div>It's equally ironic how we came from #nobugsforfree to #plentyofbugsthatnobodywouldpayadollarforanyway. </div><div><br></div><div>If there is one thing where junk hacking contributes to better security, it's in the identification of systemic issues. If I can connect to the JTAG interface of 20 random devices and pull crypto keys out of the firmware by just running strings on it, there's something an industry can do better. If I identify a common (broken) component used by several vendors in a specific industry without second thoughts, there's something that industry can do better.</div><div><br></div><div>I agree that the goal of any hacking (not just junk hacking) should not be "a talk" but junk hacking itself has (or can have) a broader impact than what we perceive it to be for the purpose of this eloquent rant.</div><div><br></div><div>What would become of us if we can't hack all the things? Should we just drink all the booze? </div><div><br></div><div>#BMB = Be More Barnaby</div><div><br></div><div>Wim</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 26, 2014 at 12:56 PM, Marc Maiffret <span dir="ltr"><<a href="mailto:marc@marcmaiffret.com" target="_blank">marc@marcmaiffret.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Fade to... A young girl, with greasy blonde hair, sitting in a dark room. The room is illuminated only by the luminescence of the Macbook Pro screen. Taking another long drag from her Benson and Hedges cigarette, the weary Junk Hacker hooks her jtag up to another dollar store Internet connected smoke alarm. Busybox, fuck, no matter she has all night. Pencils Shellshock off her list and does 1990's directory traversal against anonymously accessible wireless diagnostic interface. Evernotes the leet vuln for future Blackhat talk and tiredly hooks up the next potential victim device.</div><div><br></div><div>This seems to be the popular image of a Junk Hacker. Lame as the dudes posting no one cares SQL injection on Full Disclosure and memory corruption in joe bob freeware software. However, there is a far more dangerous type of Junk Hacker out there. Ones who hack ATM machines and fuckin Cars. Ones who don't simply do this for the fame they already have but for trying to drive change in a lethargic industry equally filled with complacent technology companies as some researchers. </div><div><br></div><div>I'll stop there with my bastardization of Farmer and Venema's historically awesome fucking words.[1] <br></div><div><br></div><div>Around ~10 years ago I had the privilege of joining Barnaby and other eEye folk to present a variety of research to intel community and others pre-Blackhat. For Barns part he was presenting remote code execution against soho routers. His payload would provide a shell and also replace existing firmware with modified code that would watch for any executable downloads and every 1 in X executable would be patched with a backdoor. Therefore not only having persistence on the soho router but also compromising machines behind it. </div><div><br></div><div>I think of that every time I see some crappy directory traversal or you name it early 90s style hack of a hardware device. There are plenty of instances where all types of vulnerabilities, both hardware and software, are simply lame because they are unrealistic. More often though I think how little this area of technology has improved while the number of devices has exploded - and the ability to manipulate these devices does matter in plenty of cases. We know clearly the bar of exploitation of say Windows vulnerabilities in the last 10 years has definitely increased. We cannot even begin to say the same about these other types of devices. </div><div><br></div><div>Surely there are plenty of legitimate examples of Junk Hacking like unreasonable scenarios where some wireless electronic lock can be broken but only if it is within a short distance from a mass of radio equipment etc... But to use examples like Barnaby and his work with ATMs or related seems to be reaching much further than is reasonable. The wow is not in hacking XP or 90s style weaknesses. The wow is in that devices that we depend on every day ARE using and vulnerable to these things and there is an absolute ability for abuse and a complete lack of progress.<br></div><div><br></div><div>So yes, you could have as well as many other people hacked and shown how to remotely dump cash from an ATM. Although probably not joked as well to the delivery man that you needed the ATM cause you hated transaction fees. But Barnaby did and many are thankful because that research does help if we are looking to improve things by creating awareness about device vulnerabilities. And one can only hope that in the case of Cars should guys like Miller and Valasek find any nasty remote code execution bugs for their follow up talks that they go dramatic as all hell. If it is real world and can truly be used by bad guys (tm) to hurt people - then do it helmet and no seat-belts, fly out the front windshield and really drive the point home to consumers and car makers to fix their shit should that be the reality of what needs to happen.</div><div><br></div><div>Lastly can we all at least agree to never use Junk Hackers and Internet of Things in the same sentence? Like we realize at some point the tech companies we've made fun of all these years will start making fun of us for coming up with our own terms like this, right? Bueler? </div><div><br></div><div>-Marc<br></div><div><br></div><div>[1] - For those less crusty: <a href="http://www.nsrc.org/netadmin/unixdocs/security/misc" target="_blank">http://www.nsrc.org/netadmin/unixdocs/security/misc</a><br></div><div><br></div><div class="gmail_extra"><br></div></div>
<br>_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>Wim Remes<br>Security Afficionado
</div>