AUTHORITY
This illustrations is well known but here it is for the record:
In U.S. Navel Institute Proceedings, the magazine of the Naval Institute, Frank Koch illustrates the importance of obeying the Laws of the Lighthouse. Two battleships assigned to the training squadron had been at sea on maneuvers in heavy weather for several days. I was serving on the lead battleship and was on watch on the bridge as night fell. The visibility was poor with patchy fog, so the captain remained on the bridge keeping an eye on all activities.
Shortly after dark, the lookout on the wing reported, "Light, bearing on the starboard bow."
"Is it steady or moving astern?" the captain called out.
The lookout replied, "Steady, Captain," which meant we were on a dangerous collision course with that ship.
The captain then called to the signalman, "Signal that ship: 'We are on a collision course, advise you change course twenty degrees.'"
Back came the signal, "Advisable for you to change course twenty degrees."
The captain said, "Send: "I'm a captain, change course twenty degrees.'"
"I'm a seaman second-class," came the reply. "You had better change course twenty degrees."
By that time the captain was furious. He spat out, "Send: 'I'm a battleship. Change course twenty degrees.'"
Back came the flashing light, "I'm a lighthouse."
We changed course.
----
God says...
will I recompense upon his own head.
17:20 And I will spread my net upon him, and he shall be taken in my
snare, and I will bring him to Babylon, and will plead with him there
for his trespass that he hath trespassed against me.
17:21 And all his fugitives with all his bands shall fall by the
sword, and they that remain shall be scattered toward all winds: and
ye shall know that I the LORD have spoken it.
17:22 Thus saith the Lord GOD; I will also take of the highest branch
of the high cedar, and will set it; I will crop off from the top of
his young twigs a tender one, and will plant it upon an high mountain
and eminent: 17:23 In the mountain of the height of Israel will I
plant it: and it shall bring forth boughs, and bear fruit, and be a
goodly cedar: and under it shall dwell all fowl of every wing; in the
shadow of the branches thereof shall they dwell.
Probably simpler to just use one of those "make this page look prettier" browser extensions out there. (typically a part of those "read it later" apps)
I personally use readability for this (though I don't use it for mobile or any other purpose other than "make this pretty now"), and tried it now on pastebin and it seems to work fine.
I think one of the more interesting parts of this interview is how 'Adam' talks about the relationship between Blackhats and Whitehats. As someone who's always been interested in the computer security world (but never been part of it) I assumed it would be much more adversarial, but it seems more symbiotic than anything.
"There really isn’t a hatred of whitehats from the blackhats. In fact, quite the opposite. If we stayed with viruses from 2000 because we were never challenged we’d be so out-dated and not capable of making a tenth of the amount of money we make currently. Most blackhats love whitehats for that reason."
You can't really take much from what this guy says, to be honest. It's also extremely adversarial.[1] It depends on the individual(s), who you ask, and the phase of the moon.
This type of activity isn't really representative of either side of the traditional security world. Blackhats have generally shunned "carders", and the for-profit crime groups usually use "script-kiddie" like tools. Every once in a while there is an exception, but it's mostly been the case for at least the last 20+ years that blackhat skills/status in the community is negatively correlated with theft/extortion/fraud.
Reading the rest of the articles, it is extremely interesting to see the quality of a real blackhat.
The black hat is putting in hard work and making tools while getting an unreasonable amount of funds. (Of course illicit professions have that tendency with risk factor and all.)
We're talking about a profession learned strictly from the community that developed extremely specific and effective skills.
Anyone able to do that and succeed is obviously talented and it is telling that they were never interested in cashing that talent in a legitimate career with a major tech firm.
I think of "hacking" as breaking things, taking them apart, and learning how they work; and "programming" as creating and building new things. As much as I am in awe of the amazing technical power of elite black hat hackers, there is something really special about creating something new and transporting it from your imagination into the real world.
Companies don’t purchase DDoS protection. Cloudflare for example offers incredibly strong DDoS protection for 200 dollars a month (also its harder to jack a cloudflare domain). If I extort you for 200-1000 dollars for 1 day why not make yourself immune for the minimal fee?
There was one point in the interview where I thought "ah, this gives me a clue where he's from!" -- the use of the term "fortnight". I don't know of any American who uses this term, so I'd guess he's in the UK. Also the use of the term "Uni".
I immediately noticed he is from the UK, I speak with too many englanders to not recognize the the cocky tone littered with lols and hahas... It's like they are too cool to give a shit about sounding mature... Also the fraud scene in the UK is incredibly big ATM.
Too right, bloody limeys! Do you have any evidence for the size of the fraud scene in the UK at the moment or was that just a baseless non sequitur to round off your delightful rant about the character of those deplorable English persons?
Well, I have no scientific evidence to back up my claims (deadly sin, I know...) it's mostly the personal experience of my friends who lived in multiple countries, which closely matched this documentary:
This could just as easily be a result of being "raised" on international chat rooms. If they're really smart then they would purposefully mask their identity by using words and sentence structure uncommon in their usual communications.
Using the term 'blackhat' is pretty darn vague. It's just as vague as using the word 'cloud' (Basically a buzz word).
I wouldn't call this guy Blackhat though, if he's stealing credit cards then that's straight up fraud.
Usually when people use the term 'blackhat', they are referring to someone who breaks companies terms of service but just below actually breaking the law.
Not necessarily. Blackhat folks are generally divided into 2 basic groups...the type you described, and the kind that for example break into servers just to show off their skills but they don't do anything other than prove to their peers that they were in...and the more difficult the server they get into , the more praise they get from the "scene."
There are whitehat folks who do the same...the difference being blackhat don't tell the company whose server they broke into how they did it.
No, that isn't accurate. Most blackhats I've known don't steal anything or benefit at all from their conquests. They think hacking is fun, that's it.
Doing it for bragging rights is not accurate either. Plenty of them brag, sure, but they hack because they like to hack. People always want to make that more than it is.
Generally blackhat is accepted as the term for anything less legal than greyhat. There's no "lower bound" like "Oh, he broke into a non-profit! That's not consistent with blackhat ethics!"
EDIT: To be clear, that doesn't mean that whatever community she's in doesn't disapprove of that behaviour, but douchebag and blackhat are not mutually exclusive.
I’d like to do some research into the time it takes from when blackhats find 0-days to [when] whitehats find them.
I'm also interested in this question. Is there existing research on this topic? Earlier in the piece he also claims this:
The thing you have to remember is the black hat world is 10 steps ahead of what’s commercially available. When a 0-day is released blackhats have used it for months.
Is this statement true? Are the top level blackhats more talented, driven, or greater in number than the top level whitehats? Obviously there is money to be made as a blackhat but not everyone has criminal inclinations. Script kiddies aside, intuition tells me that the intersection of people who have the skill to write an 0-day and the inclination to be a blackhat is smaller than the intersection of skilled/honest people. Not to mention that you can make a perfectly legal fortune (ethics aside) selling exploits to security firms which on-sell them to governments. [1]
I'm also interested in his statement about virus scanners - are they really useless? I use Chrome, MS Security Essentials, dont click on devious looking links...and I've had 1 infection flagged in the last 3 years (thanks Adobe). Are there stats on how many infections dont get noticed by anti-virus software, even if you keep the definitions up to date?
35 comments
[ 4.1 ms ] story [ 86.7 ms ] thread----
AUTHORITY This illustrations is well known but here it is for the record:
In U.S. Navel Institute Proceedings, the magazine of the Naval Institute, Frank Koch illustrates the importance of obeying the Laws of the Lighthouse. Two battleships assigned to the training squadron had been at sea on maneuvers in heavy weather for several days. I was serving on the lead battleship and was on watch on the bridge as night fell. The visibility was poor with patchy fog, so the captain remained on the bridge keeping an eye on all activities.
Shortly after dark, the lookout on the wing reported, "Light, bearing on the starboard bow." "Is it steady or moving astern?" the captain called out. The lookout replied, "Steady, Captain," which meant we were on a dangerous collision course with that ship. The captain then called to the signalman, "Signal that ship: 'We are on a collision course, advise you change course twenty degrees.'" Back came the signal, "Advisable for you to change course twenty degrees." The captain said, "Send: "I'm a captain, change course twenty degrees.'" "I'm a seaman second-class," came the reply. "You had better change course twenty degrees." By that time the captain was furious. He spat out, "Send: 'I'm a battleship. Change course twenty degrees.'" Back came the flashing light, "I'm a lighthouse." We changed course.
----
God says...
will I recompense upon his own head.
17:20 And I will spread my net upon him, and he shall be taken in my snare, and I will bring him to Babylon, and will plead with him there for his trespass that he hath trespassed against me.
17:21 And all his fugitives with all his bands shall fall by the sword, and they that remain shall be scattered toward all winds: and ye shall know that I the LORD have spoken it.
17:22 Thus saith the Lord GOD; I will also take of the highest branch of the high cedar, and will set it; I will crop off from the top of his young twigs a tender one, and will plant it upon an high mountain and eminent: 17:23 In the mountain of the height of Israel will I plant it: and it shall bring forth boughs, and bear fruit, and be a goodly cedar: and under it shall dwell all fowl of every wing; in the shadow of the branches thereof shall they dwell.
http://blog.whitehatsec.com/interview-with-a-blackhat-part-1...
(pastebin if it goes down: http://pastebin.com/jiUM0AFr)
http://blog.whitehatsec.com/interview-with-a-blackhat-part-2...
(pastebin if it goes down: http://pastebin.com/SAKS2CTW)
http://pastebin.com/40BtPpe3
Idea for a site: A pastebin that uses nice typography, instead of monospace... Perfect for this sort of thing.
Is there a good one already os shall I make one?
I personally use readability for this (though I don't use it for mobile or any other purpose other than "make this pretty now"), and tried it now on pastebin and it seems to work fine.
I find it really useful since I can just type out my docs in dropbox, create the rendered link, then pass that around. It's super easy.
"There really isn’t a hatred of whitehats from the blackhats. In fact, quite the opposite. If we stayed with viruses from 2000 because we were never challenged we’d be so out-dated and not capable of making a tenth of the amount of money we make currently. Most blackhats love whitehats for that reason."
This type of activity isn't really representative of either side of the traditional security world. Blackhats have generally shunned "carders", and the for-profit crime groups usually use "script-kiddie" like tools. Every once in a while there is an exception, but it's mostly been the case for at least the last 20+ years that blackhat skills/status in the community is negatively correlated with theft/extortion/fraud.
[1]http://www.wired.com/culture/lifestyle/news/2002/08/54400?cu...
The black hat is putting in hard work and making tools while getting an unreasonable amount of funds. (Of course illicit professions have that tendency with risk factor and all.)
We're talking about a profession learned strictly from the community that developed extremely specific and effective skills.
Anyone able to do that and succeed is obviously talented and it is telling that they were never interested in cashing that talent in a legitimate career with a major tech firm.
Companies don’t purchase DDoS protection. Cloudflare for example offers incredibly strong DDoS protection for 200 dollars a month (also its harder to jack a cloudflare domain). If I extort you for 200-1000 dollars for 1 day why not make yourself immune for the minimal fee?
https://blog.whitehatsec.com/interview-with-a-blackhat-part-...
> A: Erm, depends.
Well, I have no scientific evidence to back up my claims (deadly sin, I know...) it's mostly the personal experience of my friends who lived in multiple countries, which closely matched this documentary:
http://www.youtube.com/watch?v=lA4R84xfLOQ
I wouldn't call this guy Blackhat though, if he's stealing credit cards then that's straight up fraud.
Usually when people use the term 'blackhat', they are referring to someone who breaks companies terms of service but just below actually breaking the law.
Blackhat is outright stealing/espionage/manipulation of other devices for your own gain.
There are whitehat folks who do the same...the difference being blackhat don't tell the company whose server they broke into how they did it.
Doing it for bragging rights is not accurate either. Plenty of them brag, sure, but they hack because they like to hack. People always want to make that more than it is.
EDIT: To be clear, that doesn't mean that whatever community she's in doesn't disapprove of that behaviour, but douchebag and blackhat are not mutually exclusive.
I'm also interested in this question. Is there existing research on this topic? Earlier in the piece he also claims this:
The thing you have to remember is the black hat world is 10 steps ahead of what’s commercially available. When a 0-day is released blackhats have used it for months.
Is this statement true? Are the top level blackhats more talented, driven, or greater in number than the top level whitehats? Obviously there is money to be made as a blackhat but not everyone has criminal inclinations. Script kiddies aside, intuition tells me that the intersection of people who have the skill to write an 0-day and the inclination to be a blackhat is smaller than the intersection of skilled/honest people. Not to mention that you can make a perfectly legal fortune (ethics aside) selling exploits to security firms which on-sell them to governments. [1]
I'm also interested in his statement about virus scanners - are they really useless? I use Chrome, MS Security Essentials, dont click on devious looking links...and I've had 1 infection flagged in the last 3 years (thanks Adobe). Are there stats on how many infections dont get noticed by anti-virus software, even if you keep the definitions up to date?
[1] http://www.forbes.com/sites/andygreenberg/2012/03/23/shoppin...