

Interview with a Blackhat (Part 3/3) - kayge
http://blog.whitehatsec.com/interview-with-a-blackhat-part-3/

======
corry
Here are links to part 1 and 2 for anyone unable to "hack" the URL scheme. ;)

[http://blog.whitehatsec.com/interview-with-a-blackhat-
part-1...](http://blog.whitehatsec.com/interview-with-a-blackhat-part-1/)

(pastebin if it goes down: <http://pastebin.com/jiUM0AFr>)

[http://blog.whitehatsec.com/interview-with-a-blackhat-
part-2...](http://blog.whitehatsec.com/interview-with-a-blackhat-part-2/)

(pastebin if it goes down: <http://pastebin.com/SAKS2CTW>)

~~~
ra
The site has gone down, so thanks for the pastebins.

Idea for a site: A pastebin that uses nice typography, instead of monospace...
Perfect for this sort of thing.

Is there a good one already os shall I make one?

~~~
delluminatus
I've found myself using <http://gist.io>.

~~~
lelandbatey
Alternatively, if you don't host your stuff on gist, but instead use raw text
files, I wrote a simple markdown rendering site: <http://xwl.me>

I find it really useful since I can just type out my docs in dropbox, create
the rendered link, then pass that around. It's super easy.

------
Everlag
Reading the rest of the articles, it is extremely interesting to see the
quality of a real blackhat.

The black hat is putting in hard work and making tools while getting an
unreasonable amount of funds. (Of course illicit professions have that
tendency with risk factor and all.)

We're talking about a profession learned strictly from the community that
developed extremely specific and effective skills.

Anyone able to do that and succeed is obviously talented and it is telling
that they were never interested in cashing that talent in a legitimate career
with a major tech firm.

~~~
calhoun137
I think of "hacking" as breaking things, taking them apart, and learning how
they work; and "programming" as creating and building new things. As much as I
am in awe of the amazing technical power of elite black hat hackers, there is
something really special about creating something new and transporting it from
your imagination into the real world.

------
spdy
Good advertising if this interview is legit.

 _Companies don’t purchase DDoS protection. Cloudflare for example offers
incredibly strong DDoS protection for 200 dollars a month (also its harder to
jack a cloudflare domain). If I extort you for 200-1000 dollars for 1 day why
not make yourself immune for the minimal fee?_

~~~
matznerd
Clouflare is legit.

------
bitops
There was one point in the interview where I thought "ah, this gives me a clue
where he's from!" -- the use of the term "fortnight". I don't know of any
American who uses this term, so I'd guess he's in the UK. Also the use of the
term "Uni".

~~~
k1kingy
These terms are not just used in the UK. Very common in Australasia.

~~~
jon2512chua
And quite a lot of the commonwealth countries.

------
AlexDanger
_I’d like to do some research into the time it takes from when blackhats find
0-days to [when] whitehats find them._

I'm also interested in this question. Is there existing research on this
topic? Earlier in the piece he also claims this:

 _The thing you have to remember is the black hat world is 10 steps ahead of
what’s commercially available. When a 0-day is released blackhats have used it
for months._

Is this statement true? Are the top level blackhats more talented, driven, or
greater in number than the top level whitehats? Obviously there is money to be
made as a blackhat but not everyone has criminal inclinations. Script kiddies
aside, intuition tells me that the intersection of people who have the skill
to write an 0-day and the inclination to be a blackhat is smaller than the
intersection of skilled/honest people. Not to mention that you can make a
perfectly legal fortune (ethics aside) selling exploits to security firms
which on-sell them to governments. [1]

I'm also interested in his statement about virus scanners - are they really
useless? I use Chrome, MS Security Essentials, dont click on devious looking
links...and I've had 1 infection flagged in the last 3 years (thanks Adobe).
Are there stats on how many infections _dont_ get noticed by anti-virus
software, even if you keep the definitions up to date?

[1]
[http://www.forbes.com/sites/andygreenberg/2012/03/23/shoppin...](http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-
for-zero-days-an-price-list-for-hackers-secret-software-exploits/)

------
kayge
I think one of the more interesting parts of this interview is how 'Adam'
talks about the relationship between Blackhats and Whitehats. As someone who's
always been interested in the computer security world (but never been part of
it) I assumed it would be much more adversarial, but it seems more symbiotic
than anything.

 _"There really isn’t a hatred of whitehats from the blackhats. In fact, quite
the opposite. If we stayed with viruses from 2000 because we were never
challenged we’d be so out-dated and not capable of making a tenth of the
amount of money we make currently. Most blackhats love whitehats for that
reason."_

~~~
lawnchair_larry
You can't really take much from what this guy says, to be honest. It's also
_extremely_ adversarial.[1] It depends on the individual(s), who you ask, and
the phase of the moon.

This type of activity isn't really representative of either side of the
traditional security world. Blackhats have generally shunned "carders", and
the for-profit crime groups usually use "script-kiddie" like tools. Every once
in a while there is an exception, but it's mostly been the case for at least
the last 20+ years that blackhat skills/status in the community is negatively
correlated with theft/extortion/fraud.

[1][http://www.wired.com/culture/lifestyle/news/2002/08/54400?cu...](http://www.wired.com/culture/lifestyle/news/2002/08/54400?currentPage=all)

------
Matsta
Using the term 'blackhat' is pretty darn vague. It's just as vague as using
the word 'cloud' (Basically a buzz word).

I wouldn't call this guy Blackhat though, if he's stealing credit cards then
that's straight up fraud.

Usually when people use the term 'blackhat', they are referring to someone who
breaks companies terms of service but just below actually breaking the law.

~~~
batgaijin
No, that's greyhat - the morally grey area. It's finding a hole and dicking
around to see how it works.

Blackhat is outright stealing/espionage/manipulation of other devices for your
own gain.

~~~
sev
Not necessarily. Blackhat folks are generally divided into 2 basic
groups...the type you described, and the kind that for example break into
servers just to show off their skills but they don't do anything other than
prove to their peers that they were in...and the more difficult the server
they get into , the more praise they get from the "scene."

There are whitehat folks who do the same...the difference being blackhat don't
tell the company whose server they broke into how they did it.

