The talk describes using technology to attack, and profit from, world powers and large corporations. It highlights real attacks against Fortune 500 companies such as AT&T, Apple and Amazon, as well as governments around the world.
Andrew Auernheimer - Hacktivism for profit and glory
1. Hacktivism for profit and glory
Using technology offensively and profitably against world powers and major corporations.
2. One person can change the world.
• You can easily fight powers that appear bigger and stronger than you.
• I make lots of history, influencing nation states and Fortune 500 companies.
• I do this with no external capital or influence.
• Everybody who tried to stop me failed.
4. Why I became a hacktivist
• The status quo is not fair to hackers.
• Tech industry billionaires can't even buy influence.
• America makes its hackers suffer greatly: Swartz, Moore, Love.
5. Changing the world is profitable.
• Know the outcome of an economic event? Profit in financial markets.
• In financial markets, you only have to be right for a few hours.
• Know the outcome of an election? You can make a profit in prediction markets.
6. I started small.
• Pick a venture capitalist that funds tech startups.
• Announce your presence.
• Destroy his portfolio company by company until he pays you to go away.
8. 2009: First Fortune 500 attack
• XSRF: cross-site request forgery. The site performs a state-changing action without demanding a unique per-request token, so there is nothing the attacker has to scrape first: any page the victim's browser visits can issue the command, because the site wrongly trusts the user's browser (and the cookies it attaches).
• Can we use this to troll a corporation and shift its value by billions of dollars?
9. Amazon had an XSRF vuln
• There was a "Report Inappropriate Content" button on every Amazon page for logged-in users that was a simple HTTP GET with any product ID at the end.
• The function automatically removed content from the search rankings if it got enough reports. It was still sold, but you couldn't search for it.
10. This was so easy. Really bad code.
• An enumerated list of gay book product IDs:
11. Reported all gay books as inappropriate thousands of times.
• Put a hidden iframe on many websites that did a 302 redirect to the report-as-inappropriate function.
• Used cookies from bot-registered Amazon accounts to report it myself.
• Net effect: you couldn't search for gay books on Amazon anymore.
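The mechanism behind slides 8 to 11, as an added example that is not code from the talk, from Amazon or from any real site: a toy "report inappropriate content" endpoint in two forms, the GET-with-cookie pattern the slides describe and a hardened handler, plus a minimal browser model so the hidden-iframe attack can be replayed against each. The endpoint path, origins, delisting threshold and the simplified SameSite model are assumptions made for this example.

```python
"""Added example, not code from the talk, from Amazon or from any real site:
a toy model of a "report inappropriate content" endpoint in the two forms the
slides contrast. The endpoint path, origins, threshold and the simplified
SameSite model are assumptions made for this example."""
from dataclasses import dataclass, field
import secrets

SITE_ORIGIN = "https://shop.example"        # assumed target site
ATTACKER_ORIGIN = "https://evil.example"    # assumed page hosting the iframe


@dataclass
class Request:
    method: str
    path: str
    query: dict
    cookies: dict                 # cookies the browser chose to attach
    origin: str                   # Origin of the page that issued the request
    form: dict = field(default_factory=dict)


class ReportService:
    """Server side: sessions, per-session anti-CSRF tokens, report counts."""
    REMOVE_THRESHOLD = 3          # assumed number of reports that delists an item

    def __init__(self):
        self.sessions = {}        # session id -> user name
        self.csrf_tokens = {}     # session id -> token embedded in the site's forms
        self.reports = {}         # product id -> report count

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        self.csrf_tokens[sid] = secrets.token_hex(16)
        return sid

    def delisted(self, product_id):
        return self.reports.get(product_id, 0) >= self.REMOVE_THRESHOLD

    def _count(self, product_id):
        self.reports[product_id] = self.reports.get(product_id, 0) + 1

    def vulnerable_report(self, req):
        # The pattern on the slides: a state change on GET, authorised by the
        # session cookie alone. Anyone who can make the victim's browser fetch
        # this URL (hidden iframe, redirect, img tag) acts as the victim.
        if req.path != "/report" or req.method != "GET":
            return 404
        if req.cookies.get("session") not in self.sessions:
            return 401
        self._count(req.query["id"])
        return 200

    def hardened_report(self, req):
        if req.path != "/report":
            return 404
        if req.method != "POST":                 # no side effects on GET
            return 405
        if req.origin != SITE_ORIGIN:            # Origin header must be ours
            return 403
        sid = req.cookies.get("session")
        if sid not in self.sessions:
            return 401
        token = req.form.get("csrf_token", "")
        if not secrets.compare_digest(token, self.csrf_tokens[sid]):
            return 403                           # token missing or not this session's
        self._count(req.form["id"])
        return 200


def browser_fetch(handler, page_origin, method, query, form, session_cookie,
                  samesite="None", top_level=False):
    """Browser model: attach the session cookie according to its SameSite
    attribute, then deliver the request. Strict: never cross-site; Lax:
    cross-site only for top-level GET navigations; None: always."""
    cross_site = page_origin != SITE_ORIGIN
    attach = (not cross_site or samesite == "None"
              or (samesite == "Lax" and top_level and method == "GET"))
    cookies = {"session": session_cookie} if attach else {}
    return handler(Request(method, "/report", query, cookies, page_origin, form))


def hidden_iframe_attack(service, handler, victim_sid, product_id,
                         samesite="None", times=3):
    """The slides' technique: a hidden iframe on a third-party page makes the
    logged-in victim's browser GET /report?id=... repeatedly. Returns True if
    the product ended up delisted."""
    for _ in range(times):
        browser_fetch(handler, ATTACKER_ORIGIN, "GET", {"id": product_id}, {},
                      victim_sid, samesite, top_level=False)
    return service.delisted(product_id)


def legitimate_report(service, sid, product_id):
    """A user on the real site submits the report form with its token."""
    form = {"id": product_id, "csrf_token": service.csrf_tokens[sid]}
    return browser_fetch(service.hardened_report, SITE_ORIGIN, "POST", {}, form, sid)
```

Running `hidden_iframe_attack` with `vulnerable_report` delists the product after three forged fetches; the same attack against `hardened_report` fails on the method check before the token is even consulted. The `samesite="Lax"` case shows that a cookie attribute alone defeats the iframe vector but not a top-level navigation the victim is lured into (a link that redirects to the GET), which is why the fix is a POST carrying a per-session token, not a cookie setting.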
12. What next? Make markets react.
• Contact gay bloggers, say Amazon was censoring homosexuals: #amazonfail
13. This bug was stupid.
• I couldn't have ever sold it to anyone.
• Amazon wouldn't reward me for reporting it.
• Objective market value was $0.
• But I used it to drop Amazon's market cap by $3.2 billion for long enough for a short position to be profitable.
14. 2010: Second Fortune 500 attack
• June of 2010, first Apple iPad 3G released, exclusive to AT&T.
• On the iPad billing/registration server, a simple HTTP GET with no authentication.
• The integer in the URL is the integrated circuit card identifier (ICCID), the unique ID of the device's SIM.
• Takes an ICCID and returns the email of the registered user.
15. Oops.
• Apple and AT&T made this for convenience, so when you visit the billing site it would automatically fill in the email of your device to log in faster.
• It's just an HTTP GET, and the ID is just a number. What they really did was publish a complete list of iPad users on the Internet.
16. Exploitation
• Once again, very simple. Numerical IDs are in sequence. As simple as a shell loop: let count, while true, do curl $i, done.
• I have a full list of Apple iPad 3G owner emails and the corresponding ICCIDs.
• What can I do now?
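What the provider's own logs would have shown while the loop on slide 16 was running, as an added example that is not code from the talk or from AT&T: a detector that parses access-log lines and flags any client walking consecutive identifier values against a lookup endpoint. The log format (Common Log Format), the endpoint path `/device/lookup`, the `iccid` parameter name and the client addresses are all assumptions; the sample lines are constructed.

```python
"""Added example, not code from the talk or from AT&T: spotting sequential-ID
enumeration of an unauthenticated lookup endpoint in web server access logs.
The log format (Common Log Format), the endpoint path /device/lookup, the
parameter name iccid and the client addresses are all assumptions."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$')
ICCID_RE = re.compile(r'[?&]iccid=(\d+)')        # assumed query parameter name

# Constructed sample: one client walking consecutive ICCIDs within seconds
# (the curl loop the slides describe) and two clients behaving normally.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Jun/2010:10:15:01 +0000] "GET /device/lookup?iccid=89014104212345678900 HTTP/1.1" 200 512',
    '203.0.113.7 - - [09/Jun/2010:10:15:02 +0000] "GET /device/lookup?iccid=89014104212345678901 HTTP/1.1" 200 514',
    '203.0.113.7 - - [09/Jun/2010:10:15:03 +0000] "GET /device/lookup?iccid=89014104212345678902 HTTP/1.1" 200 509',
    '198.51.100.5 - - [09/Jun/2010:10:15:03 +0000] "GET /device/lookup?iccid=89014104219876543210 HTTP/1.1" 200 511',
    '203.0.113.7 - - [09/Jun/2010:10:15:04 +0000] "GET /device/lookup?iccid=89014104212345678903 HTTP/1.1" 200 516',
    '203.0.113.7 - - [09/Jun/2010:10:15:05 +0000] "GET /device/lookup?iccid=89014104212345678904 HTTP/1.1" 200 513',
    '203.0.113.7 - - [09/Jun/2010:10:15:06 +0000] "GET /device/lookup?iccid=89014104212345678905 HTTP/1.1" 200 510',
    '192.0.2.9 - - [09/Jun/2010:10:30:00 +0000] "GET /device/lookup?iccid=89014104217000000000 HTTP/1.1" 200 512',
    '192.0.2.9 - - [09/Jun/2010:10:30:05 +0000] "GET /device/lookup?iccid=89014104217000000100 HTTP/1.1" 200 512',
    '192.0.2.9 - - [09/Jun/2010:10:31:00 +0000] "GET /static/logo.png HTTP/1.1" 200 4096',
]


def parse_line(line):
    """Parse one access-log line into a dict; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    found = ICCID_RE.search(rec["path"])
    rec["iccid"] = int(found.group(1)) if found else None
    return rec


def enumeration_runs(lines, max_step=1, min_run=5, window_s=60):
    """Per client address, find the longest run of lookups in which each
    ICCID is at most max_step above the previous one and each request
    follows the previous within window_s seconds. Returns
    {ip: (run_length, first_iccid, last_iccid)} for runs of at least min_run."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["iccid"] is not None:
            by_ip[rec["ip"]].append((rec["ts"], rec["iccid"]))
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort()                                  # chronological order
        best = (1, recs[0][1], recs[0][1])
        run_start = 0
        for k in range(1, len(recs)):
            (t_prev, id_prev), (t, iccid) = recs[k - 1], recs[k]
            in_sequence = 0 < iccid - id_prev <= max_step
            in_window = (t - t_prev).total_seconds() <= window_s
            if in_sequence and in_window:
                length = k - run_start + 1
                if length > best[0]:
                    best = (length, recs[run_start][1], iccid)
            else:
                run_start = k                        # run broken, start over
        if best[0] >= min_run:
            alerts[ip] = best
    return alerts
```

Only the client stepping through adjacent identifiers is reported; the single lookup and the two non-adjacent ones are not. The detector is a stop-gap for the monitoring side. The fix the slides imply is on the server: the lookup must be bound to an authenticated session and rate-limited, and a guessable sequential number must never be the only key to someone else's record.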
17. Risk assessment
• If I were a bad guy, I would send a Safari exploit to every iPad (and we had one).
• The IMSI can be derived from the ICCID (unique to AT&T), which would allow for IMSI catchers and man-in-the-middle attacks.
• Targeted advertisements: iPad accessories.
• I could do any of these things, but I'd rather do the right thing and change the world.
18. Public disclosure.
• We had a name from an offensive Internet meme: Goatse Security. If you have not heard of the Goatse meme, do not look it up.
• "Subsidiary of" GNAA troll organization.
• Adds embarrassment for AT&T and Apple.
22. Now the hard part comes
• Kidnapped thousands of kilometers to foreign territory, beaten by US Marshals along the way.
• The parts of America that the feds bring you to are hell on earth.
• Banned from the Internet for years.
23. Liberty must be defended.
• I accessed a public webserver and told a journalist about what was on it.
• This is unequivocally not criminal activity.
• If accessing a public webserver is a crime, the Internet only contains criminal activities.
• None of this mattered to American courts.
25. Free at last
Eventually a higher court admitted my conviction was based on lies from the FBI and DOJ and violated my rights.
Total time lost: 39 months
28. August 2016: methods are mainstream
• Muddy Waters now using software vulns for financial intelligence.
• The FBI said my desire to short sell off of a vuln was evidence of criminal intent, and now it is a common industry practice.
30. Takeaway
• Technology enables agile individuals to act with more efficacy than the world's biggest empires.
• Every day that goes by, smaller entities grow more effective than big entities.
• Be relentless; you'll eventually be proven right and see your positions legitimized.