Hacking: Why We Need To Do More Of It

Let’s get the obvious out of the way. I DO NOT condone hacking for malicious purposes that harm innocent people.

Hacking is generally divided into three hats: black, white, and grey. Black hats are generally labeled as the bad guys but that honestly depends on framing. Hacking to shutdown a city for money while denying services for citizens? Bad. Hacking to prove there is unbridled corruption in a questionable government? Could be a good thing though this is still black hat territory.

White hats are almost always good. These are the people who are paid by the target to hack the target. Doing this can expose vulnerabilities in a company or system so that it may be fixed or mitigated. In the long run, a company would be saving money instead of shelling out cash to fix an attack, recover/rebuild lost data, defend their reputation through PR, and possibly pay legal fees.

Grey hats are the people that come in a myriad of flavors. There people who want free stuff. People who do bug bounties. People who want to mod the electronics. People who just like poking around. People who want to tip the game in their favor. People who want to improve a product. The list can go on.

As a society, we typically lump hackers into two categories: good and bad. The good hackers are working for respectable groups and are paid for sanctioned hacks. The bad is anyone else. This binary view of hacking is a detriment to society for it lumps grey hats in with black hats without thought. It discourages people who may be curious about hacking from trying it. Although we now have courses to teach people to become white hats, many people get their start from being a grey hat! Some do go off and do black hat work but many more do white hat work to apply their skills for the benefit of society at large. And the cyber security industry always seem to bemoan that there aren’t enough people to fill in the gaps.

Of course, not every position that needs filling requires hacking skills. A SOC analyst or security engineer isn’t going to fire up a laptop and start furiously hacking away and get paid for it! Though…that would be kind of cool. However, knowing how to hack means that these people will know how to improve security. It means that people can detect and interpret threats better. Learning how to hack introduces new concepts to people and forces them to think outside the box. Malicious hackers are thinking outside the box all the time to find ways to trick the system. The ability to do the very same is a crucial skill needed in the cyber security world.

And hacking isn’t just for hoodie wearing youngsters. Anyone can learn the basics of hacking! You don’t have to be super smart. No offense. Fortunately, security awareness training is a great tool to teach the basics of hacking. Besides knowing about phishy emails, check the urls of links. Look at the email header. See strange text that looks out of place? Report it! Are you entering your personal information to a site without a green padlock next to the url? I wouldn’t unless you really, really know for sure that it’s safe. Think you don’t need to follow all of the security protocols because you are “too low” in the business hierarchy to matter? A hacker doesn’t think that. If fact, a hacker probably views you as their best friend. Often times, it is the least guarded that malicious hackers exploit to get their foot in the door. If it helps, think of malicious hackers as a very hangry bear. You can outrun the bear or not be at the back of the group of runners. The bear doesn’t care who it mauls. It’s happy to catch anything delicious.

In the near future, society has to discard the blind binary view on hacking and judge it in the context of how it is used and to what end. We need to encourage responsible disclosure of vulnerabilities from people who weren’t hired to find it. We need reformed black/grey hats who know all the tricks of the trade. We need tinkerers and explorers of technology who occasionally break things so they can figure out how the technology works. Anyone who has ever used a computer will know that those impish little boxes do weird things just to savor our frustrations and confusion. These explorers strike fear into computers. It’s why a bad computer suddenly behaves when such a person threatens to fix it. I feel confident of this!

Bottom line is that technology is becoming more complex. Complexity introduces chances for exploits. We can’t just sit back and let men in white labcoats…or hats… protect us. We need to be proactive in defending ourselves from cyber attacks. And if I may quote one of my favorite books:

Know the enemy,
Know yourself,
And victory
Is never in doubt,
Not in a hundred battles.

He who knows self
But not the enemy
Will suffer one defeat
For every victory.

He who knows
Neither self
Nor enemy
Will fail
In every battle.

–Sun Tzu, The Art of War

Creating Static

For the first ever blog entry here, I decided to talk about a simple project that has been on my mind for a few months. But first, let me ask this. Do you have a LinkedIn profile? Do you use a neat clean photo of yourself so recruiters and HR know who to expect? I did and if you’re like me, you may wonder if people are making hiring judgments based on your image versus your profile as a whole. And if you’re like me, you may be suspicious of LinkedIn being a goldmine for potential hackers to gather information on you.

So delete your profile, right? Sure…if you don’t have a life. Since I do have a life, deleting my profile isn’t really option. Plus, you don’t want some random stranger to take your name, make a profile, and LinkedIn stalk people with creepy messages. Your reputation is at stake after all. This is where I had the idea to remove the picture of my beautiful face and replace it with an edited version of a stock photo. You know. The very generic image of binary cascading down the screen in Matrix green. Pretty cool and this was fine until a new thought occurred: Do I need to be the owner of any photo posted?

Honestly, I am too lazy to find the answer to this question so I decided to just make a photo. This way, the image is of my own creation, looks cool, and shows off some of my abilities. Plus, it would be more fun to make than looking up legal terms.

First things first. I needed to figure out how to make an image. Naturally, I wanted create the image using a programming language. Python was my poison Then, I worked out in broad terms how to create the image which goes something like this:

  • Create a blank image file.
  • Read in some text.
  • Take a pixel at a time and set its color based on the ASCII values of the current three characters of the text stream.
  • Marvel/cringe at creation.

FUN TECH STUFF!

This the part of the blog where I get a bit more technical for a moment. If you want, you can skip this paragraph. As most people know, computers uses binary (0,1) as the building block of everything it does. A bit is simply a 1 or a 0. A byte is 8 bits put together and typically represent a value. I won’t go into too much binary math but keep in mind that 2 to the power of 8 is 256. Since 0 is the start of binary counting, subtract 1 and we get 255 as the largest number a byte can represent in binary math. The fun thing is that letters like ‘A’ are represented as a byte. Guess what else is represented as a byte? Color values! And pixels each have 3 color values (RGB). So we can take the byte representation of ‘A’ and use that as one of the RGB color values in a pixel! Simple programming!

I fired up my computer and jumped on a Linux VM. Since I have never done image manipulation in Python before, I had to look up what I would need to make this happen. There is a python module called PIL that would handle everything I needed. To use this, I had to download dependencies and install through pip. Of course, the add-on to install is called Pillow and not PIL because why make life easy?

Once all of that was done, it was time to break out trusty, old VIM and incrementally build the program. First, I made sure I knew how to create an image file. Then, I ran tests to open a file, copy its contents to a variable, access individual characters in the variable, and get the ascii value of said character. Next, create my double loops to get each pixel and set its color based on the current character and the following two characters in the variable. Finally, once all the syntax errors were conquered, marvel my creation.

It worked…but it was ugly. Sure, it’s supposed to look like static but it was ugly static. Not only that, I was using a text file with maybe 15 words in it. Clearly time to do a little cosmetic work. I went online and browsed to a journalistic website. Got the article url and ran cURL to download the source code as a text file. Now I have plenty of characters to create an image! I plugged in the new file and got a new image. Still a little ugly and it looked dark and depressing. I tried adding a random number to all of the color values to brighten the image which worked but it still looked off to me. It looked a bit clunky. I thought of ways to try to make the color values more random while using the modulus operator to make sure the number result does not go over 255.

After more playing and tweaking, I felt that I finally had a nice program to generate static images. I saved one of the images, hopped on to LinkedIn, and slapped the image on as my profile pic! I’m pretty happy with the resulting image and I dare say it looks kinda badass.

Where to from here? I think it would be nice to pass in variables like the image size, which file to read from and what to save the image as. Things I can add later. For now, one more roadblock for potential hackers to link me to my place of work. No social engineering for this guy! (I hope)