In 2012, the contributor of Keddr.com got an opportunity to talk with Jeff Moss, who came to Moscow to speak at RIGF. Being one of the top 5 most famous people in cybersecurity, Jeff Moss shares insights on how it’s like to be a white hat hacker.
As a well-known hacker in the past, Jeff Moss is a founder of Black Hat and Defcon hacker conferences. Jeff Moss held leading positions at Secure Computing and Ernst & Young companies. He is a member of The U.S. Homeland Security Advisory Council and advises organizations on providing the security of computer networks.
Currently, you are working in the organization providing protection from cyber-threats. However, you used to be a hacker. What made you switch to the Light Side?
Jeff: I’ve always been on the Light Side. It used to be a compliment when people called you a hacker. It meant that you have knowledge allowing you to do something others can’t. Then, the malicious users appeared and they started to commit organized crimes. As a result, instead of calling these people computer criminals, they came to be called the good word ‘hackers’.
For me, a hacker is a set of knowledge and skills but intentions aren’t included in the term. The term was ruined and now people talk about white hackers and black hackers trying to add those intentions in the meaning.
Representatives of an old school are still calling themselves hackers, with the good meaning. However, youngsters are calling themselves computer specialists now.
Have you ever used your skills for personal gain of any scale?
Jeff: I’ve never made any money. First of all, you have to understand that in the early days of the Internet, there was nothing in the network that you could steal. The ethics were the following – look with your eyes, not your hands. If we heard from the news that a buddy got busted, then they had violated the ethics.
Furthermore, when I was young, there were no regulations banning hacking. So, I just got lucky. I could have made mistakes but couldn’t really incur serious problems.
However, nowadays, I am very concerned about the future of young people because the penalties and the punishment for downloading a hacking tool in order to play and try it out are so serious that they can destroy your entire life.
You said that the most dangerous cyber-threat nowadays are the botnet networks. It immediately reminds the recent Apple and Dr.Web cases. Can this situation be called the first hint for the Cupertino team? How dangerous is it for the “Macheads”?
Jeff: This is the first publicity stunt connected with an Apple security. I mean, they were warned several times and now it’s starting to happen. It seems like about 600 thousand botnet-nodes were detected. Such a magnitude just can’t be ignored.
In my opinion, what really happened is that Apple reached up to 6 – 7% of the market. This is a huge share and now it makes sense to encroach on them.
Does it make sense for ordinary people to try protecting oneself from cyber-threats? If yes, then name the three simplest ways to do that.
Jeff: You shouldn’t worry. I’ll give you one advice, though. If you need to do something in your browser, like financial or banking transactions, then you should open a separate browser window, do what you have to do and close it. Often all the problems come from the opened windows with banking transactions.
What pushes hackers towards doing their job: personal gain, vanity, boredom, or something else?
Jeff: I think the main reason is the challenge. And, partly, showing off, of course.
When I was young, for example, I couldn’t afford an expensive computer. So I had to hack it. Because I wanted it to work faster. As a child, I had money only for one video game while my friends hd another video game which was copyright-protected…
Anyway, I had to learn how to copy games.
I think there are altruistic hackers still which give people access to something. Actually, there could be many motivations.
If you were asked to handle cybersecurity at the government level and offered the corresponding position, where would you begin? What your first steps would be?
Jeff: To start off, it’s necessary to assess the scope of the problem. I would enforce regulation obliging to report attacks. It means that if your company was attacked then you MUST report to the government. Maybe you shouldn’t make public announcements and jeopardize the company’s reputation, however, it’s absolutely necessary to inform the government. Such an approach would have given the companies an opportunity to unite while keeping their clients’ information private. The ones that share the data with the others are the most protected. Such an exchange allows understanding what’s working in fighting against cybercrimes and what’s not. Thus, by collecting an information about the types of attacks and how often those occur, you can build the defense.
If this were any other country, for example, would the approach be the same?
Jeff: Basically, yes. Such a coordination could have helped in many aspects of our lives. Insurance companies could have taken a commitment to insure against cyber-attacks. Now they simply have nothing to rely on. There is no information that could have helped them to make the calculations.
As I said earlier, if I became the King of the Internet for one day, then I would issue an executive order for the regulators of all the countries to impose standards on the Internet. Those will include simple rules for a cybersecurity hygiene but standardized.
Let’s assume you know someone’s email address. How much time will you need to get access to the letters?
Jeff: Do I have a reason for that? Actually, it all depends on whether your server identifies my attempts to match the password.
How much time will it take you?
Jeff: Five minutes. I will send you a letter containing a malicious application.
In 2013, Jeff was appointed a non-resident Senior Research Officer of an Atlantic Council connected with the Cyber Statecraft Initiative in the Brent Scowcroft International Center for Strategy and Security.
In 2014, Jeff joined the Cybersecurity Consultation Committee of the law school of Georgetown University.
In 2017, Jeff led the creation of DEF CON Voting Machine Village. After debuting in DEF CON 25, Voting Machine Village allowed hackers to check the security of the electronic voting machines including several models which are currently and actively being used in the USA. The machines were compromised by some DEF CON participants within several hours after the opening. The extensive media coverage of all the vulnerabilities of the tested machines has aroused a national dialogue and inspired Virginia legislation.
In September 2017, the Voting Machine Village Company carried out the “Dick CON 25 Voting Machine Hacking Village: a report of cyber vulnerabilities in the American voting equipment, databases, and infrastructure” which summarizes its conclusions. The conclusions were publicly revealed at the event organized by the Atlantic Council and the document had all the chances to win the O’Reilly Defender Research Award. In March 2018, DEF CON Voting Machine Hacking Village received the award for the excellence in cyber-security.
Hacken is a cybersecurity company. It is a place where white hat hackers can be who they are and show their competencies. We help companies become stronger by hacking your systems. Contact us to stay protected!
Enter your email address to subscribe to Hacken Reseach and receive notifications of new posts by email.