I was pretty amused when I was given my assigned hacking target: Sean Draper. Sean is one of the people in this class I have gotten to know outside of class; I knew immediately that I should use this relationship to my advantage. The first day after the assignment, I left class endeavoring to engineer some information from Sean that might prove useful in hacking his account. While there are certainly many technical attack vectors I could’ve employed, social engineering is a method that I have little experience with and that I believed would be fun to try. As we were leaving class, I struck up a conversation with him regarding the absurdity of some of the password requirements we were assigned. Specifically, I noted that “there are at most 5 unique high school mascots in the entire state of Texas, those would be crazy easy to guess”, an observation with a bit of truth (it made football games in my high school awkward when it was the Bulldogs vs. the Bulldogs for the 5th time in a season). As I had anticipated, Sean responded with (to paraphrase): “Yeah, there are like 10 schools with the same mascot as mine, the Wildcats”. Paydirt! With minimal effort, I had engineered a crucial piece of information that, in the end, led to gaining access to his account. While I had gained this crucial piece of information on the first day of the engagement, I decided to wait until near the end of the assigned window (actually a bit after due to my own absentmindedness) to perform the hack — while not required for the assignment, I found it rewarding to maintain a degree of “stealth” for my hack — my target wouldn’t know who was his hacker until I chose to reveal myself. The rest of the work was rather easy; I was able to obtain his blog username simply by cross-referencing known information with all of the first-day blog posts to determine which username was his.
Having gained access to his blog, there was an eerie feeling. While I am frequently engaged to hack websites, steal account information, etc. as part of my employment, in every instance this is performed with the express permission of the client and with a well-understood scope of engagement. In this case, my “victim” didn’t even know who I was, yet I had full access to his account on the course blog. What should I do with this access? What statement should I make, and how should I do it? In the end, I decided to modify his day-one blog post to drastically change his persona.
Specifically, I was interested in making an argument regarding hacking by portraying Sean as a remorseless hacker keen on taking advantage of the weak security practices of banks to fund his education. How would his status as a black hat hacker change his opinions and experiences of the course? While Sean’s original day-one post described hacking as a “necessary evil”, I decided to turn this on its head. By framing Sean as a black hat hacker who routinely takes advantage of a flawed system to advance his own interests, I intended to cause my classmates to critically analyze their feelings about such an individual. While many (myself included) may be repulsed by the notion of a black hat hacker stealing money to pay his way through college and provide himself a “luxurious lifestyle”, I hope I have caused some to critically analyze where the blame is laid for such an occurrence. Is it the fault of the corrupt CEO for maximizing corporate profits by exploiting a taxation loophole, or the fault of incompetent or corrupt lawmakers who supplied such a loophole to begin with? Do we blame a dog for leaving a surprise in your front lawn, or do we blame the owner for failing to clean it up? Are the actions of the amoral hacker described in Sean’s day-one post solely his responsibility, or must the incompetent IT personnel responsible for the flaws bear some of the blame?
The vilification and demonization of the black hat hacker may be justified, but it’s time we lay blame at the feet of those who allow this injustice to occur. No longer may we regard black hat hackers as some mystical, unstoppable force of evil capable of destroying everything that is good, just, and democratic. A report issued by Verizon indicated that weak security procedures are to blame for over 90% of breaches exposing personal information. We all know what it means when Windows says it’s time to install updates — the thought that those tasked with guarding your bank account are too lazy or inept to take such a simple step is inexcusable. The “hacker problem” will not be solved by increased penalties and mandatory minimums for “cybercrime”, but rather by holding accountable those who are truly responsible for creating an environment in which illegal hacking can flourish.