Black Hat 2008: French hacking failure


French reporters at Black Hat crossed the line when they sniffed fellow reporters’ login info on the designated “safe” wired network. Proud of their handiwork, they were nabbed when they tried to get their spoils posted on the Wall of Sheep, which is used to publicly post attendees’ credentials. It turns out that monitoring communications without informing one of the parties involved is a felony, so although it is legal to sniff convention goers’ login info with their knowledge, hacking reporters covering the event is a no-no. An FBI agent we ran into commented that in his experience, they’d probably just turn it over to the local US attorney’s office to see if they wanted to proceed with an investigation.

We’re in the Defcon press room today and there’s still a buzz about these “sleazy” French reporters. We’re tunneling through our cell connection like any sane person at a security conference.

Comments

  1. Ken says:

    I would think they’d be appreciative of someone discovering a security vulnerability and reporting it before more damage can be done. But instead they kick them out of the conference and may be considering pressing charges?

    “Black hat” indeed.

  2. ryan says:

    what the hell. seriously. kicking hackers out of a hacker conference for hacking? what’s next, people being kicked out of mcdonalds for eating a damn cheeseburger? yeah, “black hat” indeed.

  3. Kayzon says:

    Very hypocritical…

  4. michaelb says:

    @1,2: What are you talking about? (Assuming you read the article.) The press room was designated secure, and off limits for such activity. Besides that, it is against the law seeing as I don’t believe the other reporters would agree to being spied on anyhow.

  5. anthony says:

    Considering there are two separate networks (one for reporters, one for attendees), and that packet sniffing like that is illegal in most of the civilized world (and most of California), they should have known better. Besides, because of it being at a hacker conference, it’s unlikely the reporters are going to be charged with anything other than “being rather naughty.” (Judge: “You got hacked…at a hacker conference…” Violated Reporter: “Yes, your honor” Judge: stifled laughter)

    Besides, if they wanted to see how secure the other reporters were, they should have organized something ahead of time with the Wall of sheep dudes.

  6. Eman Ontogevi says:

    I guess it is a fail from all parties here :
    1/ Hacking in a restricted zone, without warning anybody ( fail from those hackers )
    2/ Considering that safe zone as safe in a hacking convention ( fail from the other reporters )
    3/ kicking out those hackers ( after all a funnier way of punishing them could have been to put THEM on the wall of sheep )

  7. Ken says:

    @3,4: Well why don’t we just label everything “secure, do not hack” and forget about all the computer security business?

    The “secure” network obviously was not. And since when does whether it’s illegal or not have any relevance to the ethics of hacking? They didn’t harm anyone or do anything for personal gain. They discovered a security flaw, and reported it. I thought this was what the spirit of hacking computer security was all about. Or does everything have to be through sanctioned official channels now?

  8. cliff says:

    @ 1,2,6,7 instead of talking out your ass how about you tell us how you would secure it. besides they were stealing other peoples work, yeah as in theft. black hat operates under the explicit rule that everyone that can be hacked knows that they are a target, if they hadn’t punished the reporters, i am quite sure the FBI agents would have been more than happy to close the convention.

  9. Ken says:

    @8 How is “how I would secure it” at all even anywhere near to close to relevant to the point in any way whatsoever?

    Also, what “work” did they steal? The article linked didn’t mention anything like that but maybe it’s incomplete.

    Yes yes they broke convention rules, therefore they got kicked out. Since when is everyone so concerned about following the rules? The point is the rules are stupid. A hacker conference shouldn’t set up a “secure network” by saying “o hay this network is secure so don’t hack it please.” They should put the policies and procedures in place to make it actually secure, and provide an avenue for anyone who discovers vulnerabilities to report them so they can be fixed. Security by legal consequences isn’t any better than security by obscurity.

  10. Ok Hang on. This was not a “secure” network. The reporter network was set up so that those covering the convention would not have to fear this kind of action. The attendee network is no holds barred please-test-my-firewall-and-configs network. There you can get hacked as you are almost expecting it.

    The reporter network was set up for reporters to get on and report out the happenings. If they stuck to this connection the conference organizers said that it was a more “secure” network as the normal activities were not supposed to take place on it. It was in the rules not to hack it.

    These French guys looked at it and went “hmmmmm…. we could hack it”. They then proceeded to violate their fellow (and potentially unprepared) reporter colleagues. These other reporters are there to spread the news and give hacking a better public image, not get their credentials posted.

  11. I’m with ken:

    “Well why don’t we just label everything “secure, do not hack” and forget about all the computer security business?”

    This made me laugh in particular:

    “their fellow (and potentially unprepared) reporter colleagues”

    Unprepared…for hacking…at a hacker conference…?

    Sounds like “HEY, NO TAG-BACKS!” from elementary school.

  12. Riax says:

    I’m with hal on this one (comment #10). Okay, disregard for a moment that it was a hacker conference. If I were a reporter at any kind of convention or conference, and I was given a list of rules that I wasn’t supposed to break during my time there, common sense would dictate that I _obey the freaking rules_.

    Their job was to report what was going on at the conference. Blatantly disregarding established conduct rules doesn’t strike me as the greatest way to do that.

  13. Shadyman says:

    It’s not that the network was secure in that it had crypto and such, it was secure in that it was a “do-not-touch” for attendees.

    There was no technologically “secure” aspect of it, besides the fact that attendees were to leave it alone.

  14. Chris says:

    I wouldn’t have kicked them out of the conference as much as put them on the hackable network.

  15. ryan says:

    this is a damn hacker conference, and no one with half a brain makes a “no hacking” rule (anywhere) at a hacker conference! yeah, it isn’t nice to go hacking unsuspecting reporters, we get it. but just because stealing is bad doesn’t make it a smart move to leave your wallet in the middle of a dark alley with a “please don’t steal me” sign on it. the truth is, if everybody followed the rules all the time, there wouldn’t be security conferences. if they wanted their network to be safe, (*hint* *hint*) maybe they should have actually secured it! and then, instead of a “do not hack” rule, it should have been more like “feel free to hack this if you can, but if you do, please don’t do any real damage, and help us fix the hole when you’re done showing off”.

  16. James says:

    WTF is with you cowboys saying, in effect, that anybody in the building had better get hacked and like it, because it’s a hacker conference? Imagine you’re running a paintball tournament, and you tell the reporters covering it that they won’t get shot. Now, somebody shoots a reporter — on purpose, with intent to wound, just to show off (/be a jerk). That’s OK?

    Man, I’m glad I didn’t go through high school with you assholes.

  17. Mark says:

    To everyone who’s suggesting they should have secured the wireless network: this network was set up for the reporters to use. Meaning, I assume, that the SSID and encryption key needed to use the network were provided to the reporters (including the French reporters in question). What were the convention staff supposed to do, create a unique access point and passkey for each reporter?

    It’s courtesy to provide reporters (who are not hackers) a “safe” network they can use without being hacked. It’s a complete lack of courtesy to abuse credentials you were given for that network to hack your fellow reporters. Just my 2 cents.

  18. Sensi says:

    So hypocritical that it is pathetic. Xenophobic people seem to lose any kind of humor as soon as some French people are involved. These French journalists hacked that network for the “Wall of sheep”, reported it to the organizers, etc, thus nothing nasty was involved. Yet some ludicrous people are crying foul and whining, speak of “abuse” and “lack of courtesy”, that’s just ridiculous. Imo the only problem here was that they were French, it seems obvious at the reading of some “indignant” comments here and elsewhere. Once again it is pathetic.

    “Sleazy”, alright. :rollingeyes:

  19. steve says:

    So. Somebody got hacked at a hackers conference? And the hackers call the police? rofl! lmao! What do most of these guys do all the time? Just legal stuff? And when the French come they call the police. This is so ridiculous!
