Shostack + Friends Blog Archive


Attackers Are Evolving, Are You?

When I was getting into computer security, back in the dark ages, when Nirvana was releasing albums, hacking was an art. It was passed along in hard to find text ‘philes’, which were a mixture of technology and philosophy. 2600 Magazine remains an example of this sort of old-school hackerdom. The world-view that accompanied the information was about skill, demonstration, and teaching, as well as doing (little) harm, and not hacking for money. (Incidentally, Boyd [link to no longer works] would have called this the hacker ‘orientation.’)

These hackers were succeeded by the script kiddies, who took the demonstration tools (or scripts) that hackers wrote, and used them to break into systems, to deface web sites, and make a nuisance of themselves. The cultural heritage of the hackers started to dissipate.

Today, a new generation of attackers are out there. They only hack for money. They’re phishing, they’re building spyware, they’re running DDOS extortion rackets. They’re hanging out with mobsters. The types of attacks they engage in are changing. The goals of those attacks are changing.

As I’ve been working on this post, Rob Lemos has reported that ImmunitySec had found four vulnerabilities [link to no longer works] in MacOS X, and given them to their subscribers, but not Apple. Well, people didn’t like full disclosure, this is one alternative. I expect more and more private disclosure like this, from researchers who see that there’s money involved. I guess my preference for responsible, full disclosure makes me a dinosaur.