podcast August 4, 2020

Podcast 257: a few of our favorite haxx

From the Samy Worm to WannaCry, we chat about a decade's worth of security snafus.

Ben Popper, Director of Content

This week we sit down to chat with Rachel Troy, a Product Manager at Fullstack Academy working on their Cyber Security bootcamp program.

Episode Notes

No list of great hacks would be complete without the Samy worm that ran amok on Myspace back in 2005. As Rachel points out, lots of hackers start out as experimenters, naturally curious coders who enjoy learning the rules and seeing how far they will bend before they break. 

If any hack made its way into the mainstream consciousness over the last decade, it was WannaCry. It introduced a mainstream audience to the concept of ransomware and, because of the impact it had on critical hospital equipment, showed just how far software has embedded itself into our society.

If you want to learn more about the Fullstack Cyber Bootcamp, you can check it out here. You can find Rachel here or email her: rachel dot troy at fullstackacademy dot com.

This week, as part of our security theme, we skipped the lifeboat and picked this gem from our Information Security Stack Exchange. Remember, when in doubt, if you absolutely need to erase all data off a drive, a plasma cutter will always come in handy.

TRANSCRIPT

Sara Chipps It’s a story of a young hacker who got carried away seeing what was possible with the MySpace platform, which sounds like the beginning of my story. [Paul laughs]

Ben Popper That’s, that’s every programmer's novel starts that way.

Rachel Troy This could have been your future, Sara.

[INTRO MUSIC]

Ben Popper Couchbase is an enterprise class, multi-cloud to edge, NoSQL database architected on top of an open source foundation. It’s unique because it was formed by the collision of two ideas from different original projects. Couchbase combines a memory first design built for high performance with a SQL friendly query language called N1QL that accesses key values in JSON documents for flexibility. It’s easy for developers to use, supports mobile development and offers SDKs for Java, .NET, JavaScript, Go and Python. Try out their online N1QL query tutorial to see how easy it is to get JSON data back from a select statement. Try the query at couchbase.com/tutorial.

SC Hello, everyone, and welcome to the Stack Overflow podcast. I’m Sara Chipps and I’m here with my co-hosts, Ben Popper and Paul Ford. How’s it going?

BP Hi Saaara. Hi, Sara. Hi Sara.

PF Hello friends. Our stacks are overflowing. It’s just a weird day. [Sara laughs]

BP Yeah, bounty.

SC Our stacks overflow-eth.

BP Bountiful stacks. My son actually loves Stack Overflow, the name and the logo on the tee-shirt. Because he loves chaos, you know? So he’s like, oh, it means it’s breaking. Right? It’s falling over. And I’m like, yeah, we make things fall over. And he’s like that’s great. [Sara laughs]

PF Cool. He thinks you’re, he thinks you’re like a stunt man in the Marvel movies.

BP Yeah, he thinks I’m he thinks I’m in demolition or something.

PF But you’re in something cooler, which is marketing for Stack Overflow, man. [Sara laughs] That’s, that’s what my kids asked me. They come up behind me with the pandemic and watch me work. And they’re just horrified.

SC Because it’s boring, right. Like they don’t think it’s exciting.

PF It’s so boring. And then every now and then they’ll catch me looking at YouTube. And they’ll be like, that’s cool. You get to do that at work. And I’m like, uhhh. Anyway, that’s not why we’re here today.

BP Yeah, yeah. Speaking of things crashing and falling. Sara, you want to introduce our guests today?

SC Yeah! Today we have a special guest. Her name’s Rachel Troy. She is a product manager at Fullstack Academy and focuses on their cybersecurity program. So last week, as we all know, there was a big hack on Twitter, and I thought it would be great to have her on to talk to us about big hacks. How’s it going, Rachel?

RT Hey, guys, so nice to be able to chat with you this morning.

PF So wait, Rachel, can you describe the Twitter hack?

RT Uh, I’m definitely not an expert. My understanding is that there was, it seemed like it was somewhat of an inside job, right. Someone had access to these admin panels and was selling the ability to sort of rewrite the recovery email address so that you could take over the account and someone seems like they paid for access to the whole admin account, and once they had access to the account, they could turn off two-factor authentication so that people weren’t getting text messages when these emails were being reset. And then they were able to take over those accounts and set up these Bitcoin scams.

PF Such low stakes, they could have started a war but no…

RT Nope, they just wanted money. Greed apparently.

BP Wait, but I’ve heard speculation now that maybe the Bitcoin scam was just the front and they were they were mining the DMs the whole time.

SC Where did you hear that speculation?

PF On the Discord servers where Ben spends most of his time.

BP Yeah, you know. 

PF What I love is they finally, someone finally found a way to pay for Twitter’s product, you know, like non advertised?

BP Ohhhhh. Oh, sick burn.

PF Zing! Okay, alright. That was a bad one. And like the rest of the computer industry that caused us to suddenly think about security for the first time in about two years.

SC Yeah, it’s really, you know, I think every team was like, Hey, we don’t do this, do we? At work?

PF Oh, yeah, we don’t have one of those admin tools. Stack was kind of proud that it doesn’t, right. Like it doesn’t have an admin takeover function.

BP But then we looked into it, and we’ve got some stuff we need to fix. We were proud of it, and we bragged about it on Twitter, and now we’re fixing some things.

PF This is all of us and our bodies and our racism and sexism like this is all of us. Ben, it’s not. It’s not just our security. We’re working on it every day.

BP Rachel, I guess one of the things that interests me about that is that in some ways, they’re exploiting the security system to make it more difficult to derail them. Like once they’ve gotten in, is that something that’s talked about in cybersecurity, like, the idea that you build these defenses and you build these, you know, two factor authentication methods, you know, sort of authenticity checks, but if somebody gets deep inside, those can be used against you?

RT Yeah, absolutely. I think that we often will build features for convenience and security is sort of like a second thought. And so, to me the idea of an admin panel for which you can turn off two factor authentication seems like a real security concern, but I can see from the other side of things where you’re just trying to help someone who may have legitimately lost access to their account, and you can’t do so without sort of these additional features. So I think that in general security has in the past been, not forefront in terms of product development. But I think that is changing. What’s really interesting to me about the Twitter hack is that, and I think it’s true in a lot of hacks is that the weakest link in your security is often the people that work for you, and not necessarily the feature that is getting hacked or the vulnerability that’s being used.

BP Yeah, it’s not the zero day that nobody thought of and some super genius came up with, it’s just repeated phishing emails, and one of them finally connects.

PF Yeah, nobody disassembled a binary on this one. Yeah, I mean, I’m sure there was like a chat room. The root cause always seems to be good intentions. Like when you get it all the way back. It’s always like, well, we thought that would make it a lot easier for everyone to, oh boy. So Rachel, we asked if you knew of any other good hacks, and you sent us an amazing list of like all the hacks, so first of all, explain that, like you’re apparently a huge hack fan. And like, tell us a little bit about how you got to be a huge hack fan and where this part of your career came from?

RT Sure, yeah, interesting question. So I have a background in sort of working in technology education. So I have been at Fullstack Academy, which is a tech bootcamp, for two years, both on the web development side, and then they launched the first cybersecurity bootcamp in partnership with New York City a year ago in 2019. And so I transitioned to help with launching that product. And what was really exciting for me about making that transition was seeing this sort of, I think, more and more we hear about these security breaches every day through the news that we read. And you know, it’s very mainstream, even like it was not very difficult for me to put together this list, because it’s very, it’s becoming very common. And so that was really what got me interested in this, in cybersecurity as a field, and I think that’s the like kind of sexy part of cybersecurity is like all the hacks and how people pull them off and what they did with whatever it is that they want. And I think that’s kind of what can draw you in. And then of course, there’s all the great stuff underneath that, too. So that’s how I got here.

Rachel, what is the connection between the boot camp and New York City? Like, what is the government connection there?

RT Sure. So the city of New York established a 100 million dollar private public investment fund called Cyber NYC, and they spread those funds out over six work streams that were designed to sort of make New York City the Silicon Valley for cybersecurity. And so there are a couple different work streams, there’s an accelerated space, there’s sort of like a community space and the workforce training element that they chose to partner with Fullstack Academy on. So they helped us launch that first boot camp.

BP And so I guess one of the other things that I wanted to ask, and Sara if you have any questions, please feel free to jump in. But when I was a reporter one of the things that was most interesting to me, and then this came up when I switched over into communications because we had a big kerfuffle with it at DJI, was bug bounty programs. I think, to me, that’s so interesting, because it mimics in some way you know what Stack Overflow does, where anybody on the public web can come and start to poke around. And you can report these problems. And if you do it enough, you gain a certain amount of reputation, and you’re trusted, and then you can start to get paid for finding these problems. And that, to me, seems like the only way at scale, and obviously you’re not gonna find everything, but the only way at scale to really, you know, cover all the attack surfaces, which is basically to say, like, go, feel free to try and attack us, but we’re going to pay you up front a pretty good price and you don’t worry about going to jail, you know, after this is over. What’s your take on bug bounty programs? I thought that they were fascinating. I don’t know how old they are. But it seems like you know, there’s now like these startups like HackerOne that are kind of trying to make bug bounty a service.

RT Yeah, I think bug bounty programs are awesome. I think that there are a lot of people for whom hacking and penetration testing is sometimes, for some people, even an addiction, it’s like something that’s like, very fascinating and they can be very passionate about, and it’s really hard to do and it involves a lot of creativity. And so I think finding a way for those skills to be used in a beneficial way is a great way to, like you say, prevent these skills from being used in sort of malicious attacks. And it benefits the companies and it benefits the people who are doing it. So I don’t know if you’ve ever listened to the Darknet Diaries podcast. It’s all about cybersecurity. I can highly recommend it. But they interviewed a hacker who was sort of on the wrong side of the law for many years, went to jail, had a really hard time getting a computer-oriented job when he came out, and started doing bug bounty programs and is now making, you know, six figures a year just hunting down bugs. And I think that that’s a pretty great success story.

BP Yeah, I guess the thing that that makes me think is when you say like, it involves a lot of creativity, and it can be almost addictive. It’s like, Oh, yeah, this is what people think about when they think about being really good at coding, you know, like, it’s like that. It’s like this fun peeking under the hood, pulling things apart. You know, kind of like puzzle solving.

SC Wearing rollerblades.

BP Exactly.

PF I mean, that’s the fantasy of the engineer, right? Yeah. And it’s actually such a destructive fantasy, because most engineers are people who go to work and do kind of boring work and then get it done and go home and they’re proud of the things they did as opposed to like, staying up until two in the morning hacking into the mainframe. But I mean, Rachel, do you ever get the itch? Do you ever go like, you know, I could really do some damage right about now. I have a little bit of information in my pocket. Tell us on this podcast. No one’s listening.

RT Yeah, no, you know, I am definitely new to cybersecurity. And so I would say that I get the itch to learn, you know, how to become dangerous. I wouldn’t say that I’m dangerous just quite yet. But I do really enjoy the sort of like problem solving aspect of it. I think it is really about sort of looking at a system, or even like a set of rules, and trying to see like, what is outside this set of rules? What is, you know, if I change the orientation of this thing, is there some weak point here? Is there something that is sort of not covered in the mindset of the person who designed this system? I think all of that sort of analytical and problem solving thinking is really interesting. And so maybe in the future, I’ll be able to have the skills to utilize those passions.

SC What do you see about the people that are taking your program? Do they have the drive for that? Why are they getting into cybersecurity?

RT Yeah, it’s a good question. I think it’s different for a lot of people, interestingly enough, which makes me feel good about the world, that a lot of people are interested in doing it because they see it as a way of protecting society and like giving back. You know, sometimes it’s nice to feel like people want to do that as their life’s work, especially when it’s in a field that can be so malicious and nefarious. So I would say that there’s an interest in like justice and do-gooding. I think that there are also some people in this space who are looking for something that is maybe like, cool, or like, you know, counterculture or something. And they kind of get to break the rules, but do it in a way that they’re not going to be punished. I think that that’s an attractive force. Also, of course, there are people who are just like interested in technical training and really love computers. And oftentimes, we’ll see people who have like backgrounds in IT and want to sort of further their understanding of, you know, how systems work.

PF Rachel, what is your favorite hack of all time? There’s so many.

RT Oh, so there’s so many.

PF There’s so many of these little, like, pets!

BP Rachel, you sent us this awesome list and I was reading through it and the MySpace one really stood out. [yeah] Can you talk us through that one a little bit? I think that’s safe territory since MySpace is…

PF So yeah, what happened? I was like, I vaguely remember this. Okay, so MySpace, the early social network one, and you could hack MySpace, right? You could mess with it.

RT You could mess in the early days.

PF In a good way, like, change your CSS, right? Some HTML, so and so forth. So somebody figured out how to just like, what happened?

RT Yeah. So I like this one. Also, it’s pretty old, back in 2005. This individual Samy Kamkar was like a young hacker. He dropped out of high school around 16, started his own technology company and was sort of like messing around on MySpace. He was really into the fact that, like you said, you could manipulate HTML and CSS and sort of customize MySpace. And he wanted to see, similar to what I mentioned earlier with people like trying to see what is possible and what’s not possible, he wanted to see like, Okay, what? You know what rules are here and what can I break? And so he started with photos. I think MySpace was like you can only have 12 photos and he was like, I want 13 photos. I don’t know why you need 13 photos but you do.

BP Because then you’re really cool and people like wait your profile has extra photos. How did you do that?

RT I mean, who’s counting how many photos? But anyway.

BP Oh, wait, wait, wait. At that point in time Facebook only let you have one photo. Oh, I don’t recall that so you can only have one profile photo you had to choose?

RT Well, the difference between one and two and 12 and 13.

PF I don’t know, Samy. Anyway. Okay, so he wants it lucky 13.

RT Yes, Lucky 13. And so he figured out how to put up a 13th photo, great, and he’s like, Okay, what more can I do? I guess they had a relationship status drop-down. I have to admit I never had a MySpace, but he wanted, you know, there it was like single, married, in a relationship. And he wanted it to say in a hot relationship and so he figured out how to do that. I guess that was a call out to his girlfriend. And so he keeps messing around with the site. Such a great mind going to such important work.

BP A touching tribute, definitely. To a significant other.

RT And so he decides that he wants to do like a little, he wants to like prank his friends a little bit. And so he developed a cross-site scripting worm, which was kind of new and most sites were vulnerable to at that point in time, and this worm would, if you visited his site and ran the malicious code on his site, then your profile would friend request him and it would under heroes add "most of all, Samy," I think.

PF Okay, so you'd friend him and it would add like "but most of all, Samy is my hero."

RT Samy is my hero. And then part of the code was that, he realized that not so many people would have this happen to them just because he didn’t have that many friends. So he made it self replicating. So it would pass to that person’s profile. So anyone who visited Samy’s profile, or that infected person’s profile, would also get this cross-site scripting worm, and would become Samy’s friend, and Samy would be their hero. And so within something like 24 hours, Samy had a million friend requests and MySpace had to be taken down because of this variant worm. In the lead up to that Samy felt really bad and he tried to email them anonymously and tell them how to take it down. But he never got a response. And you know, the site came down, they fixed it up, it went back up, I think the next day, and you know, Samy thought that he might have gotten, you know, off free, and then about six months later, he gets a warrant. His place gets searched, he gets charged for computer crimes. And he ends up pleading guilty. He gets three years of probation without a computer, which now sounds like impossible. But the story has a happy ending. Samy Kamkar is now a very famous security researcher. And he says that he actually enjoyed his three years out of computer time. So..

BP So when you say that they would visit Samy’s page, and then they’d have to run the malicious code, was that just visiting his page? Or was that clicking on the 13th photo? Or like, how would he get it to execute? That’s my one. The one question I have.

PF Oh, I mean, maybe explain what an XSS bug is.

RT So cross-site scripting is an injection of malicious scripts into benign websites. And it can be hidden anywhere, like it could be in a photo, as you mentioned, it could be, you know, there’s a couple different ways you could do it, if you like injected a malicious script into sort of like a form you could do it that way. And so when the malicious page in this case is loaded the script is run and executed and takes place. Whenever the…

BP So it could have just been loading his profile page. That could have been enough.

RT Yeah, exactly. Yeah.

SC Yeah, I remember these when MySpace was out, because I used to use them all the time. Another thing you could do is inject code on your page that would just take the names of anyone that visited your page, you could do this in the beginning of Facebook as well. And so that you could see who was looking at your MySpace page, and how many times they visited, which was great. I now pay $30 a month for LinkedIn.

BP Have the same sort of stalking awareness.

PF Yeah, you could get that with Greasemonkey or, you know, with a little bookmarklet. Look, I mean, let’s just say it very clearly, Samy did nothing wrong. Samy. I’m looking at the Wikipedia page as you’re talking. And it’s just like, Yeah, he was raided in 2006 by the United States Secret Service and electronic crimes force expanded from the Patriot Act and it’s just like, come on. Yeah. Samy wanted everyone to know that he was their hero. He wasn’t coming for it.

SC Yeah. Another one on your list that I think is really interesting, we’ve talked about on the podcast a little bit, is the Nest devices that were hacked. Can we talk about that one a little bit?

RT Yeah, totally. There have been a couple of accounts of Nest cameras and thermostats and other sort of home devices that have been hacked. In the last year or two. What I read was like a woman heard from her small child that there was like a monster in the child’s room and she didn’t believe…

BP Oh my god.

RT Yeah, really terrible, really terrible. And, you know, she didn’t believe her kid and then when she came in, there was someone talking to her child, like through a camera. Yeah, it’s nightmare stuff. From what I read, these weren’t actually hacks of the Nest system itself, but rather of the like WiFi network the system was on. But security researchers have proven even back in like, 2016 that this is possible. And you know, you can think of these terrible scenarios that involve like ransom or other awful things, right? One funny one would be like if someone hacked your Nest thermostat and turned it up to 90 and you had to pay X Bitcoin to like get your thermostat back down. But there are some much scarier options.

BP Oh, wow, that’s an interesting ransomware one I hadn’t heard about. Yeah, messing with people’s heat. That’s an interesting one.

SC Yeah. Speaking of which, another one on the list is the WannaCry hack. Do you want to talk about that one a little bit, too?

RT Sure. I think WannaCry is pretty famous. I think like, even outside of the industry, people have sort of heard of WannaCry. So WannaCry is in line with that idea of ransomware. So essentially, it’s malware that would infect your machine, and basically encrypt all of the information on that machine. And you would need to pay a ransom, usually in some sort of cryptocurrency, to decrypt the information on that machine. WannaCry in particular was particularly difficult because it used something called EternalBlue, which was an exploit developed by, we believe, the NSA to exploit a vulnerability in the Windows OS system that would allow you to remotely execute code. And so that’s sort of how they would get into these systems. And then they would run this malware that would encrypt your information and demand ransom. I guess why it’s so famous is because they infected a large percentage of the National Health System machines in the UK and shut down that system for a little bit.

PF Oh yeah, the NHS. Yeah, yeah, that’s right.

BP It got into all these hospitals and they couldn’t use their, you know, whatever oxygen meters without paying Bitcoin.

RT Yeah. Pretty terrifying.

PF Imagine like being at the NSA and you open up the paper in the morning, because you probably still do read a paper because you’re in DC and like a dog brings it to you, and you just see all the news and you’re like, yeah, that was me. Huh? Oh, damn it. Oh wow, I told Mike not to do that.

BP We’re supposed to keep that one in the box in the basement, not supposed to let that one out.

PF I try really hard not to let internet brain disease ruin me, but when you get into stuff like this, everything goes seven levels deeper than you ever thought, man, and you know, just like Alec Baldwin is gonna walk in at any moment and say shut it all down. It just gets so, this world in particular, because everything is, it feels like people are both spies and are playing spies and it’s just bananas.

[MUSIC]

BP Usually at the end of the podcast, I read a lifeboat, which is a badge that people win for answering a question on Stack Overflow that had a score of negative three or lower and went up to a score of 20 or more, but today, I’m going to switch it up and do something special. This is from our Information Security Stack Exchange, and it says: emergency method to erase all data off a machine within seconds. Imagine you’re carrying highly sensitive information with you, maybe on a mission in a war zone, you get ambushed and quickly need to erase all the files before they fall into the wrong hands. This has to happen within seconds. And then there’s a few answers here.

SC Fascinating! I’m so interested. What are the answers?

BP Well, the answers are plasma cutter or thermite. Oh, basically, you need to destroy the hell out of that machine. [Paul & Rachel laugh]

PF Oh, good. Yeah. No, you know what? Nuclear fusion!

BP Literally disintegration.

PF That’s a low code solution to your problem. I love it. 

RT I feel like that’s sometimes the only solution though. 

BP Yeah. And there’s an addendum here. Addendum: as Artem pointed out in his answer, for most use cases, encryption is enough. But if there was some information that was so valuable that even in 50 years, when quantum codebreaking may become a reality, it cannot be released. So.

PF Programmers, I gotta say, sometimes we all live a little too far in the future. Maybe, maybe we should just put it in the bathtub and hit it with a hammer. Anyway, good lifeboatin’.

BP Yeah. So thank you to the Information Security Stack Exchange for providing that delightful information. Rachel, thank you so much for coming on and sharing all of this wonderful history and knowledge with us.

RT Yeah, of course. Thanks so much. It was fun to chat hacks.

BP If people want to find you online, or learn more about the work you’re doing, or sign up….

PF Oh, she’ll find them.

BP Yeah, exactly. Share a few places and spaces where people can find you or find a cool way to sign up for your cybersecurity education.

RT Yeah, so if you’re interested in learning more about cybersecurity and training for it, you can check out the Fullstack cyber boot camp at cyber.fullstackacademy.com and you can reach me at rachel.troy@fullstackacademy.com.

BP Alright. I’m Ben Popper, Director of Content here at Stack Overflow. And you can find me on Twitter @BenPopper.

SC I’m Sara Chipps, Director of Community here at Stack Overflow. And you can find me on GitHub @SaraJo.

PF I’m Paul Ford, co-founder of Postlight. We’re a software firm, you can check us out at postlight.com, and I’m a friend of Stack Overflow!

BP Wonderful.

[OUTRO MUSIC]
