

Ask HN: Is black-hat hacking harder now than it was 20 years ago? - andreim

As a kid I was fascinated with stories of people hacking into high security places like the pentagon. But I recently realized that, while this was surely no walk in the park even 20 years ago, it must have been easier then than it is now. Things like ssh or vpn weren't around back then, and even though I'm sure they had equivalents, they were probably proprietary and thus not as secure as today's time-tested open source solutions. What do you think?
======
roundsquare
Interesting question. I'll add one more to it if you don't mind. Even if
getting into the pentagon might be harder, do you think there is more data
that is a) easy to get via hacking and b) useful? If so, this is an important
way in which hacking is easier than it was before.

I might think there is more data like this since more people put more data on
computers with less knowledge about how to protect it.

------
mock
I'd say no, it isn't in the aggregate harder. There are a few forces at play
that I think lead to this.

First of all you can now buy pretty good hacking tools in a can (CANVAS, Core
Impact) that come complete with non public exploits. If you don't have the
money, metasploit is pretty good as well. This drastically reduces the need to
know the details of a particular exploit, and reduces the amount of
toolsmithing required to pull off a penetration. Also, the reality is that
exploits are now a business - they're for sale, for better or for worse, on
the open market. If there's one thing our PWN2OWN competition at cansecwest
proved, it's that for a sufficient amount of money someone will find you a
hole in anything. If you have money, even if you're not that knowledgeable,
being a blackhat isn't that hard.

Second, there is more stuff to exploit now than there has ever been before,
both on and off the net (I'm looking at you SCADA). At least some of that
stuff will be low hanging fruit built by programmers who either did not
understand how to build secure systems, or didn't expect that those systems
would be reachable in the way they are now. As the internet expands, and stuff
keeps getting more smarts added to it, I think there is probably a trend in
which new insecure stuff is being built faster than the old stuff is being
secured (not that I can prove that). Things that previously weren't considered
to be security critical, now are (XSS is still barely considered a "real"
exploit).

Third, information about exploits, how to write exploits, and how to find
vulnerabilities is now massively more available, both because of the change in
philosophy around full disclosure, and because we now have more than a decade
(two maybe?) of open research into the field. Bugtraq can be argued to have
revolutionized security research because it opened up what was previously
secret to the eyes of interested amateurs and academics. Today there is a
community of security researchers who openly publish information that
previously was only the domain of governments and the occasional large defence
contractor. I think probably the public community is better at it too.

Balanced against this is all the research and technology on the defensive side
(also helped by full disclosure), the forced public shaming to
fix-their-broken-shit of various vendors (full disclosure again), and generally better
knowledge of security best practices (anyone want to guess what I attribute
this to?). All of which is to say that the things that worked 20 years ago are
harder today than they were 20 years ago (social engineering sadly seems to be
just as easy, and if anything more prevalent now) but it hardly seems to
matter since lots more is easy now.

------
jodrellblank
I have been fascinated with stories of really clever hacks into systems. I've
also been told to set up a scheduled database backup and when I opened the
first backup to check it was going to work, found unencrypted credit card and
billing details (only a year or two ago). Only a few weeks ago I found a small
company system which ships with a default admin password (a dictionary word,
no less) which the end user cannot change. Weird.

Putting two and two together, I suspect that some extremely clever hacks
happened (and still happen, I guess), but many many more were probably
fortuitous stumbling on horrible or utterly absent security in some overlooked
corner; as per dnsworks' comment, except - is logging into a password-less
account really 'hacking'?

------
dnsworks
Absolutely. 20 years ago telcos didn't bother adding password protection to
digital "switches" because they didn't even consider war dialers or the
proliferation of internal documentation through bulletin boards. Unix vendors
like Microsoft (Xenix), SCO, and Sun left password-less accounts (like Root,
Operator, Sync) on workstations which were then immediately plugged into a
shared-bus network. Not to mention the wide-open nature of the various X.25
networks like Sprintnet which were used for inter-bank communications.

~~~
wmf
OTOH, learning about that stuff was much harder in those days; it was much
more underground and word-of-mouth.

~~~
dnsworks
I don't know about that. Within a month or two of buying my first modem in
1992 I was on bulletin boards that had FIDOnet subscriptions, which quickly
gave me enough information to be dangerous.

