
Who can I hire to hack me? - edent
https://shkspr.mobi/blog/2019/03/who-can-i-hire-to-hack-me/
======
mikejarema
A somewhat related and interesting read is Jameson Lopp's [1] efforts to make
himself vanish: [https://www.nytimes.com/2019/03/12/technology/how-to-disappear-surveillance-state.html](https://www.nytimes.com/2019/03/12/technology/how-to-disappear-surveillance-state.html)

His goal was to make himself relatively anonymous in the real world and scrub
his (actual) personal info from public/for-sale databases. And while he didn't
hire anyone to pentest his digital identity, he did hire a PI to try and find
him.

 _To make sure he didn’t make any mistakes, Mr. Lopp paid private
investigators to try to find him. It was an investigator who helped him figure
out that his D.M.V. registration was making him vulnerable, which led him to
getting a decoy address._

[1] [https://twitter.com/lopp/](https://twitter.com/lopp/)

~~~
smhenderson
So it’s ok to lie to the DMV about your address? I had to give them three
documents to prove my address to get a license and my wife did as well to get
a state ID. Is the assumption that he knows he’s breaking the law and ok with
it or is there some scenario where you can provide a false address and that’s
ok?

Maybe it differs state to state?

~~~
blattimwind
Do you need to get a new driver's license every time you move?

~~~
zdragnar
In at least some states, yes, your driver's license needs to have your primary
residence on it, or so an officer told me when I was pulled over and I hadn't
updated mine yet.

~~~
jjeaff
How would the officer know that unless you told him? My address goes to a
mailbox in a different state. If asked, I'm just living in the area
temporarily for business.

~~~
itake
I think you run into problems when your current vehicle registration expires
and you need to update it.

~~~
jjeaff
Luckily, the state where I have it registered has online renewal.

------
swiftcoder
> If not, is this a million-dollar start-up idea?

The niche market of folks with enough security-savvy to know they need the
services of a pen tester is pretty small. That said it's also a pretty wealthy
niche, so a boutique "personal security coach" business could probably thrive.

~~~
rmason
Companies spend lots of money on security. But then it happens that they're
vulnerable when an employee is hacked. I can see in the future companies
paying to test their employee's individual security. They might even promote
it as an employee perk.

I already know of a company that was hacked due to an email exploit. So they
cleaned things up and gave employees specific training. Then six months later
they launched their own email attack, something like ten percent of their
employees failed that test!

~~~
tptacek
If the question is, are there services that target individuals (or individual
employees in a corporation) to help protect them from attacks, yes, that
exists. Tall Poppy is one of them (tallpoppy.io).

~~~
aboutruby
Thought it was going to be a phishing testing service which I don't remember
the name of (maybe [https://www.getusecure.com](https://www.getusecure.com)).

(Seems like tallpoppy is focused on harassment)

------
tptacek
You probably can't reasonably pay someone to attack third parties that protect
your information. For instance, at several of the startups we run security
for, even with your password, a suspicious new pattern of login anomalies will
generate an investigation that will consume resources on our end, and we'd be
pretty pissed to find out that we'd done it because of a stunt you paid for.

~~~
lukecameron
While I agree with the general unfairness of this, on the other hand we
currently have an ecosystem where SaaS products are used by most people to get
their work done and generally manage their lives.

Shouldn't we have the right to know or be able to check how secure our data
and identity is on these services?

~~~
tptacek
No. As a matter of fact, you do not have the general right to "check" how
secure a SAAS provider is.

~~~
danShumway
> _Shouldn't we_

> _you do not_

I don't think this answers the question. Of course unsolicited pen testing is
already illegal; that's not an interesting question imo. What I'm more curious
about is security industry opinions about whether or not the current law is a
good idea.

Are there any changes you would make to the law if you had the ability to do
so, or do you see a more general danger in allowing customers to attack their
own accounts?

~~~
tptacek
I would change the way CFAA charges are sentenced. I would not eliminate the
general prohibition on hacking other people's computers.

------
HenryBemis
From my years of working in big Banks, none would appreciate a stunt like "hi
I gave the approval to hackerX to try and steal money from my account in YOUR
bank."

Apart from an obvious black list you are looking at a world of pain both by
the bank's lawyers AND the authorities. It may be YOUR money but tampering
with a bank's systems is very much criminal activity in most countries.

~~~
HenryBemis
Also... play this imaginary dialogue between you and a Judge:

Judge: who gave you the right to invite someone to hack a company's e-banking
security process or Facebook's security processes?

You: it is my data

Judge: it is THEIR system, see you and your friend in 5-to-10 (or whatever the
penalty is in whichever country)

~~~
quakenul
I do not think it is that clear cut. Unless the bank assumes full
responsibility for _any_ kind of security breach, including social
engineering, you need to be allowed to take care of protecting yourself
(including the crucial step of testing the measures). It falls to the systems,
both the banks and political/judicial, to have measures and rules in place to
allow and account for that.

If they don't, I feel there's a rather lopsided situation.

~~~
pavel_lishin
How does that translate to the physical world? What happens if I pay someone
to break into the bank and access my safety deposit box? What if they break
into the branch manager's home to steal their key?

~~~
davidgh
I’m not saying physical security is easy, but it’s better understood in
general, and at the very least, it’s pretty easy to insure against. Most banks
offer insurance on safety deposit boxes so if your item goes missing, you are
compensated.

I was talking to a guy who provides online security services for financial
institutions. I asked him what happens when someone loses money due to a hack.
I found his response amusing and horrifying.

“When someone breaches your online account and steals money, if the amount is
$50, the bank will restore it at their expense to keep you happy as a
customer. If the amount is $50,000... well, the bank doesn’t care about having
you as a customer that much.”

~~~
HenryBemis
> When someone breaches your online account

The bank will seek to see who/what was at fault. If you handed someone your
passwords etc, they carry no responsibility and kiss that 50k goodbye. Your
pin/passwords are yours and yours alone. You should protect them. At least in
the UK there have been plenty of cases where people were tricked into handing
over their passwords. They never got anything back from the banks.

If someone breaks in physically and steals the contents of your safety deposit
box they will hunt-them-down. If you come forth and you say "I know who it
was, I helped him/her as part of a pen-test" then you are going down with
them.

~~~
davidgh
And yet I get much more assistance in keeping my login secure from a two-bit
social media site than I do from virtually every bank I’ve had an account with
(speaking of banks in the USA).

Two factor using something like Google Authenticator? Nope.

Two factor using a less-secure text message? Rarely.

An email asking for secondary confirmation when logging in from a new device
or IP address? Forget it.

A history within my account that shows all logins and login attempts, along
with the request IP address and location? I wish.

I’m sure banks do stuff behind the scenes to secure my account. But it seems
they could do a lot more to empower me to help in the process. I understand
that it’s difficult to pin the blame on a bank for a password stolen by a
virus a customer picks up that had nothing to do with them. But it seems
they’d do a whole lot more to help me protect my account.

I’m generalizing, I know, but I find it comical (and frustrating) at how often
I see banks _attempt_ to do things in the name of security that don’t help at
all, but go a long way to destroy UX, or even decrease security.

- Prevent paste on the password field.

- Security questions, often with ridiculous questions.

- "Security" phrase and image.

- Shocking password restrictions.

~~~
HenryBemis
> - Prevent paste on the password field.

For Firefox users, I use "don't f... with paste" addon. It works like a charm.

------
zrobotics
> I can find some which claim to test the security of CEOs and celebrities.
> But I can't find anything for ordinary people.

Those are the services for "ordinary people". The thing is, they advertise to
celebrities & CEOs because there aren't many people willing to pay for
pentesting. That will always be an expensive service, since it by definition
requires highly-skilled employees. A service that advertises to celebrities
would almost certainly be willing to work with an ordinary individual, but how
many people are willing to pay for the service? Certainly not enough for this
to be a million-dollar idea.

~~~
DaniloDias
A service for “ordinary people” would likely involve targeting services which
are not operated by the customer (e.g. brute forcing gmail or fb creds).

The tester would be taking on legal risk for performing any kind of account
takeover.

Consequently, I don’t see this as a viable service offering.

------
close04
> When an organisation asks me to set a recovery question, I generate a 32
> character passphrase

This is not actually the best way. For some services eventually you get to a
person in a call center who can actually check those security questions to
perform a password reset (when all else fails). Having a random string opens
the door for someone to claim "oh I think I put something random in there, I
really forgot what" and it's likely they'll pull it off. Especially if the
hacker _knows_ (somehow[0]) that you put a random string there and it's
exactly 32 characters long.

Just go with a plausible name that's still not straightforward to guess.

[0] You may blog about it... Or discuss it loudly and be overheard.

~~~
lstodd
No, this is the best way.

I go another step and do not keep that recovery answer once put into the form.
Does wonders to make sure everything else does not fail.

In your scenario the service is already broken and the door is wide open no
matter what you choose as the recovery answer.

~~~
close04
> In your scenario the service is already broken and the door is wide open no
> matter what you choose as the recovery answer.

You'd be safer with this assumption anyway. But again, after telling the whole
internet you're using random 32 character strings for that it's likely that
you just lowered the bar a little for social engineering. It is easier than
you think to call a call center and convince someone to perform a password
reset or a SIM porting (for hijacking). At least don't give them another
plausible avenue.

------
edoo
I would go with a company that has a reputation. If you go find some randoms
in an IRC channel they might take advantage of anything they find. A little
crowdsourced service that offers rewards for finding vulnerabilities in your
system might be a success but good luck managing that and dealing with the
people you got tricked into hacking.

One thing to consider is the password manager generated security questions.
Half the customer service agents out there will accept "it is just a bunch of
random characters i typed". Security questions should go the "correct horse
battery staple" route.

~~~
edent
My security answers are often random "junk". I've tried to social engineer my
way into my own accounts a couple of times - and _all_ of them have insisted on
me reading out the full "answer".

~~~
zrobotics
This doesn't work for Wells Fargo, at least IME as of 9 months ago. I didn't
have access to my main password manager (only a phone, I was on a trip), but
they did just accept my answer of "random chars generated by a password
manager". After that, I went and changed security answers on anything
important, I just made a script that pulls random words from a dictionary.

While some services are secure, without testing it isn't safe to assume that
any particular service is. And even with testing, it can vary depending on the
particular CSA. So in general, I don't think this is a good idea, since there
is no way of knowing if any particular service will be secure.

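The dictionary-word approach that edoo (the "correct horse battery staple" route) and zrobotics (a script that pulls random words from a dictionary) describe above, as an added example that is not code from the post or from any commenter: it draws all-lowercase words with a CSPRNG, estimates the entropy of the result against the 32-character random strings discussed earlier in the thread, and shows the lenient, case-folded comparison a call centre or back end might apply. The word list is a small constructed sample (a real script would load a large list such as the EFF long list from a file), and `answers_match` is an assumption about how a service might check an answer, not any bank's actual logic.

```python
"""Dictionary-word recovery answers: generator, entropy estimate, lenient compare.

Added example for this thread, not code from the post or any commenter.
The word list below is a small constructed sample; in practice load a large
list (e.g. the EFF long list, 7776 words) from a file.
"""
import math
import secrets
from typing import Sequence

# Constructed sample list (assumption: a real list has thousands of entries).
# Every entry is lowercase ASCII, so a case-insensitive check on the service
# side costs no entropy, unlike a mixed-case random string.
SAMPLE_WORDS: Sequence[str] = (
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "napkin", "orbit", "pepper",
)


def generate_answer(words: Sequence[str], n_words: int = 4, rng=None) -> str:
    """Return n_words words drawn uniformly from `words`, space-separated.

    `rng` defaults to a CSPRNG; a seeded random.Random may be passed for tests.
    """
    if rng is None:
        rng = secrets.SystemRandom()
    if len(set(words)) != len(words):
        raise ValueError("word list must not contain duplicates")
    return " ".join(rng.choice(words) for _ in range(n_words))


def word_entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words uniform, independent draws from list_size words."""
    return n_words * math.log2(list_size)


def char_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniform random string, e.g. the 32-char answers above."""
    return length * math.log2(alphabet_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def normalize(answer: str) -> str:
    """Mimic a lenient service-side comparison: case-folded, whitespace collapsed."""
    return " ".join(answer.casefold().split())


def answers_match(stored: str, given: str) -> bool:
    """Assumed lenient check (case/whitespace-insensitive), in constant time."""
    return secrets.compare_digest(normalize(stored).encode(), normalize(given).encode())


if __name__ == "__main__":
    answer = generate_answer(SAMPLE_WORDS, 4)
    print(answer, f"({word_entropy_bits(len(SAMPLE_WORDS), 4):.0f} bits from the sample list)")
    print(f"5 words from a 7776-word list: {word_entropy_bits(7776, 5):.1f} bits")
    print(f"32 chars from [A-Za-z0-9]: {char_entropy_bits(62, 32):.1f} bits")
    print("words needed for 80 bits with 7776 words:", words_needed(7776, 80))
```

With a 7776-word list, five words give about 65 bits, which is ample for an answer whose only attack path is a rate-limited online form or a human on the phone; the 32-character random string gives roughly 190 bits but cannot be read aloud. Because the generated words contain only lowercase letters, a case-insensitive comparison of the kind zrobotics describes loses none of that entropy.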
~~~
edent
Looks like it is time for you to switch bank :-)

Here in the UK, it seems that most reputable organisations are GDPR conscious.
I've deliberately got my birthday slightly wrong to see what they do - 100% of
the time they refuse to proceed.

Perhaps I'm just lucky.

~~~
zrobotics
Oh God, I already did. Believe it or not, they don't check for case, so at some
point the password is in plaintext. So Asdf=asdf

------
berbec
I would love to find a service like this. I, and some individuals I know,
would definitely pay for this.

------
OliverJones
The real question:

Is this service available to public figures like:

* John Podesta (of the US Democratic National Committee, phishing target)

* John Brennan (former CIA director, whose AOL account was pwnd by teenagers while he held that job)

Of course it is. But these sorts of powerful people always think somebody else
is the target.

Mr. Eden's proposal is a good one. Too bad such a business would need more
lawyers than pentesters.

~~~
peteretep
> John Podesta ... always think someone else is the target

You’re aware that Mr Podesta flagged the email as being suspicious, sent it to
their security person, and was given the all clear before following it?

~~~
who-knows95
It was a typo, right? "This email is legit" was meant to say illegitimate.

~~~
peteretep
I mean sure, whatever, I’m not trying to beat on the guy, but Podesta did the
right thing

~~~
who-knows95
Oh no, sorry, I agree. It was more just putting it out there. A typo led to
that infection.

------
goshx
I went to an event recently dedicated to CIOs/CTOs/VP's of Engineering where
they had a few talks about cyber security.

It's amazing how those people don't really have much clue about it all.
Imagine who's not in the tech field.

I had the same idea at the time. I am not sure if people would pay for such
service, but they definitely need it.

~~~
tastroder
Those people would likely benefit much more from the awareness training that
pentest shops usually offer as well; snake-oil reports without changes in
behaviour really don't secure anything.

------
motohagiography
Was going to talk a bunch of smack about pen-testing, but instead, if someone
were offering this service, I'd love to go head to head with them to determine
who delivered more value over time and money, a pen-test vs. a risk
assessment.

------
tgsovlerkhgsel
Simulating a highly targeted attack is expensive, and the protection most
people have against those is that they're not interesting enough to spend so
much effort on.

For the average person, the main threats are various forms of social
engineering, mostly the kind that is really obvious to anyone who has a rough
idea how security works ("This is a secure document, please click yes when it
asks you to allow this document to execute arbitrary code"), and software so
far out of date that common exploit kits have pre-packaged exploits.

------
etaerc
Most people probably forget how you could use a "stalk my ex" Russian bulletin
board service for $50 to stalk yourself. Russian script kiddies are probably
happy to comply since the FBI can't really harm them.

But I think in most countries you would still be liable to Google/FB etc if
the attack gets detected and linked to you.

------
aboutruby
You could use "hacker for hire" services on Tor.

You could also hide a bounty somewhere (e.g. in an email, in a private Github
repo, etc.).

You don't even need to mention this is your account, e.g. "I want the email
password of X for Y bitcoins".

Both solutions come with their own issues, but I don't think there is a legal
way to do a full pentest.

------
gitpusher
To make such a business profitable, you'd need to invent a slew of new
techniques for bringing down the cost of pen-testing. This would have
applications far beyond the scope of your business idea.

------
alexnewman
I've done it for free. You can have your identity back by sending btc to ...

------
abhinai
If anyone decides to start a company for this, please sign me up as your first
paying customer.

------
dboreham
This is a Bezos-level service, no? I mean it exists but is going to cost
O($100k).

------
IOT_Apprentice
Russia, China, North Korea, Saudi Arabia, UAE, NSA, 5 Eyes spring to mind.

------
alexnewman
The person Bezos used was mentioned in the articles vis-à-vis his recent
confidentiality breach.

------
world32
> I can find pentesting services for companies. I can find some which claim to
> test the security of CEOs and celebrities. But I can't find anything for
> ordinary people.

I'm sorry to be harsh on this person but this is quite a dumb post. What is
the difference between hacking a celebrity vs an ordinary person? None.

Any penetration testing / security consultancy will be able to do what you're
asking for, provided you can pay their rate.

> Does this service exist? If not, is this a million-dollar start-up idea?

No it is definitely not a million-dollar startup idea. It also wouldn't be a
startup it would be a consultancy. Penetration testing firms can easily charge
clients up to around $1000 / day. How many individuals are going to pay
multiples of $1000 to see how secure their online data is?

~~~
tptacek
You cannot in fact pay a pentest firm to hack a SAAS provider that has your
data. The companies claiming to do this for "CEOs and celebrities" are, to
some extent, lying.

~~~
goshx
Please share more information on the "whys".

~~~
tastroder
One why would be, as long as you don't have a clause permitting this in your
contract with the SaaS provider (which "ordinary" people as in this context
usually don't have) it would be considered an offense in most countries.

If you're a company and the SaaS provider is of similar or small scale you
might be able to work with them if you have special security concerns that
exceed their regular customer base. You could maybe even get them to hire a
consultancy to check or recheck their services but in no case would you ever
just go out and do that of your own volition.

Independent of that, even in a personal context, people use SaaS providers
because they trust their ability to do a certain job better and/or cheaper
than you could do yourself. That usually includes the factor of securing their
data, if only because it's in their best interest not to have PR disasters and
lose customers.

