Author: Chris Roberts, Chief Security Architect, Acalvio
We, as humans, especially the American ones, are pretty good at complaining; at walking nicely up and down the street with banners chanting our support or voicing our concerns for things, and occasionally rioting. But let’s face it, these protests are tame and NOTHING compared to our counterparts in France, South America or other countries that tend to voice their opinions a little more vocally and passionately.
We spend our days chanting or camped out in a park somewhere; we join our concerned colleagues in arms over whatever the protest-of-the-day is and we think we are making a difference…but we are not. The system is not on our side, the politicians and the general masses have little to no power in changing things and that shows itself time and time again in the medium-term outcomes of many of these situations. I watched the CND movement in the UK try to effect change for years, and to what avail? We still have nuclear weapons on UK soil and we have a sufficient stockpile at the very same facilities they chained themselves to the fences at 30 years ago. I watched people camp out and occupy Wall Street at the ridiculous state of inequality in 2011…to what effect? The haves still have and the have-nots still are on the street. Yes, things slowed down for a year or so, but we are still in the very same situation. Nothing changed.
So, what do we do about it?
We look at the electronic spectrum that we now occupy. We take a lead on understanding the digital arena that is the future of interactions and we occupy that – we change it; we assess the attack vectors and pursue accordingly. When we see issues that are not being addressed, we now have the ability to act upon those in a way that was never possible in the real world. You want your healthcare records secured? You can go in and encrypt the data at rest. In doing so, you are basically helping the healthcare office take better care of you in a way that would have gotten a face full of mace if you’d tried to physically march into their facility and demand better security in the olden days. You want to ensure the integrity of the Internet of Things and protect human privacy (because we know the likes of Samsung, Amazon, Google, etc. are not going to care)? Then you DO have the ability to access those systems, work out the flaws and simply patch them.
This is Altruistic Hacking. Welcome to the new age of protests. Many people have no understanding of security, or the simple fact that so many of the devices they use or introduce into their homes are insecure. Many times, people hand their credit cards over to pay for things, not realizing they are simply waving goodbye to another realm of privacy; nor do they realize that the facial recognition devices installed in so many places are for more than “just securing” us. All in all, it’s not quite Blade Runner…but we are tripping the light in that direction faster and faster each year.
So, we have a population of sheeple, we have insecure systems and we have daily breaches that COULD be prevented if the basics were followed, or if people in the leadership positions treated us more as humans and less as numbers. We have the recipe for a protest! Yet instead of taking to the streets and meekly waving signs until getting watered down or maced, why not take to the electronic highways and actually CHANGE things?
Do you want to fix Samsung’s TV privacy? Then hack it. Work out how to patch it so it doesn’t listen in or record and then deploy that patch…everywhere. Do you want to stop healthcare from leaking all our data? Then access their systems – and instead of taking data to show them once again how bad they are – simply patch their systems, secure the data, separate their networks and remove all the damn default passwords.
Do you want to help limit the drones that are watching us or the cameras that run facial recognition for advertising’s sake? Then simply do the analysis of their systems, work out the flaws and patch them so they can’t be abused, misused, or in the case of crappy advertising, have the camera stream Hamsterdance.com all day instead. Are you concerned about the vulnerabilities in our infrastructure? Then do your assessment of the SCADA systems, and hack them to patch them…not break them, patch carefully or segment thoughtfully, but break in to do GOOD not do harm…it’s as simple as that.
The logic? Because nobody else is going to patch the things, nobody has enough time to fix all the flaws, and honestly, it would be an interesting case study IF you got caught… “The ‘hacker’ broke into the company and instead of simply emptying the data of all the assets, they actually patched the systems, fixed the insecure code, updated the security profiles and encrypted the data at rest and in motion (leaving the keys behind, obviously).”
Welcome to altruistic hacking. It’s better than a face full of mace.