Romanian Hackers Infiltrated 65% of DC Outdoor Surveillance Cameras (cnn.io)
257 points by QAPereo on Dec 21, 2017 | 80 comments

When I was an irresponsible high school grey hat (2001) I was part of a small group of people that shared exploits. We weren't that talented, but one of the guys in our group was still able to get into the cameras in the parking lot of the CIA.

This is the problem with cyber security: Even if you're the most knowledgeable organization on earth you still fuck it up. Any one person can fuck up any one thing and if it isn't part of your predetermined threat vector analysis then it gets through and you lose everything.

The guy took steps to hide his identity then reported it to the CIA. They emailed back with a job offer. Back then we assumed it was a trap to get him to travel to the USA from Canada, but these days, based on what I've seen, I think it was legitimate.

Sometimes I like to let thoughts simmer:

In 2001 a shitty high school hacker had a reasonably credible offer from the CIA.

> This is the problem with cyber security: Even if you're the most knowledgeable organization on earth you still fuck it up. Any one person can fuck up any one thing and if it isn't part of your predetermined threat vector analysis then it gets through and you lose everything.

It isn't just cyber security but surveillance infrastructure in general. If you cultivate a large group of surveillance assets (even people) with a method of collection that can be effectively attacked, you are creating something worth the effort to attack.

By creating a position that can be attacked, you will get attacked. And given enough attacks you will get attacked successfully sooner or later.

It is safer to not build the surveillance apparatus in the first place because you _always_ lose control of it sooner or later.

I disagree with your conclusion, but I think your comment has a ton of truth to it. It's like that meme with the smiling black guy: "You can't write any bugs if you don't write any code."

But the truth is that all the infrastructure for surveillance is going to be built anyway, if not by us then by our enemies or private industry. It's better to accept that it is going to be built and use our resources as best we can to protect the world.

> But the truth is that all the infrastructure for surveillance is going to be built anyway, if not by us then by our enemies or private industry. It's better to accept that it is going to be built and use our resources as best we can to protect the world.

Of course. And then you attack _their_ surveillance infrastructure and take the fruit of their investments periodically.

Attacking surveillance infrastructure (tbh) seems more productive than building it.

I agree with the rest of your points, but that "shitty" high school hacker managed to hide his identity from CIA. You're underestimating him. Majority of wannabe hackers would screw up some detail and get discovered.

Or, since he's taken steps to protect his identity, CIA might have offered a fake job offer for the purpose of him revealing his identity.

I think this is what happened... the government has very formal hiring procedures, a government employee can't just send spurious offer letters to foreign nationals.

An email is not a job offer. It's just an invitation to interview. There are no procedures against that.

He literally said job offer.

I may have misremembered. It was so long ago.

This is not necessarily the case for organizations that have special hiring authorities and/or contract dollars for use rapidly.

If a hacker reports themself to the CIA, it's the government who gets involved, not a contractor.

Right, and they can offer specific "cyber" related competitive authority positions to that person, or ask them to come on board as a 1099 or via an existing contract vehicle where they implicitly instruct a company to bring the person on as a subcontractor. Or, you know, just dump a pile of money on them as a single outlay. I'm sure there are plenty of options created specifically for this scenario.

"Hiding your identity" is a relative premise, not an absolute one.

If we're to believe the Vault 7 leaks, it seems like the CIA's cracking abilities are rather run of the mill. The NSA appears to be where the real hacking chops are.

I totally believe that in the Swordfish era of the early 2000's they would have legitimately hit up a high schooler with some demonstrated ability.

I received an offer from the FBI in 2003 for something I did in 2001. I was similarly distrustful even though I had already been caught and punished. It was the most surreal and frankly unnerving experience.

You managed to go through the legal system in under two years? Impressive.

I think a combination of it being pre 9/11, me being 15, and expensive lawyers helped things along. I was arrested in February of 2001 and it was done by my birthday in September.

> This is the problem with cyber security

This is why I think cryptocurrency is a terrible idea. Even if nobody ever finds a problem with the system itself (unlikely on an infinite timescale), every bank will get hacked at some point, and with no rollbacks it will eventually end in disaster.

But there are so many things that have this 'irreversible' property in the real world. Identities. Secrets. Exploits. Once (hacked) you can't get the genie back in the bottle. I feel this irreversibility is what is of real value in an information economy.

Cryptocurrency is similar. It's 'real', unlike USD/EUR/etc, which are insured. At best it's a record in a centralized db.

Please rethink your position on disaster :-) If 2017 is anything to go by, the world is more resilient to disaster than believed.

> the CIA

This is why anything sensitive is air gapped and inside a SCIF... but good luck getting everyone to adhere to that all of the time. It's a hard problem to solve when people want things to "just work".

True. Also, the problem with air gaps is that people come to depend on them. According to documents about Stuxnet and the Snowden leaks, the CIA has said that air gaps have never stopped them, so why should we think that it's any different?

Also, many places people think are air gapped aren't any more. Think smart lightbulbs and Bluetooth worms. A hacked Android device that gets too close to the perimeter can infect the lightbulb which infects the next one on and down the chain. If someone networks the control computer for the lights to the same network with the classified files it's lights out.

I think of the internet less of a binary thing these days and more of a spectrum. Things can be "pretty dark" like in the basement of NORAD or "white hot" like the Twitter feed of Donald Trump. But Twitter still goes down sometimes and data can be exfiltrated in so many ways. What's the baud on opening and closing vents and reading it from space satellites?

> What's the baud on opening and closing vents and reading it from space satellites?

Here's an example where researchers used a scanner in an office building to exfiltrate data from the network. Malware on the network activates the scanner in a certain pattern, which lights up the room. The difference in lighting is recorded using a drone outside across the parking lot:


> They emailed back with a job offer. Back then we assumed it was a trap to get him to travel to the USA from Canada, but these days, based on what I've seen, I think it was legitimate.

I think it is a trap of sorts --- "join us and help build the future dystopian surveillance state, or we'll find out who you are and arrest you".

> We weren't that talented, but one of the guys in our group was still able to get into the cameras in the parking lot of the CIA.

Well, by now, 16 years later perhaps you will have learned about the concept of honeypots.

How do you imagine a camera honeypot at the CIA parking lot? They'd still be leaking a lot of information if the image was true.

Not if the DVR is actually in their lab and video inputs are fed with streams coming from a place where trained personnel will show only what they want to show.

I can't even imagine what the purpose of this sort of honeypot would be. What a waste of money that would be. It's so absurd an idea that I would laugh at it if I didn't know how much money was spent and wasted by the federal government. Really the only way to explain it is this sort of thing.

"Let's set up a whole fake parking lot, hire people to come and go in it, get a bunch of fake license plates, buy a bunch of cars, setup a camera surveillance system and feed it out onto the internet and see if anybody finds it!"

"APPROVED! I don't care how much it costs!"

You could probably save on reusing the video footage of another parking lot, instead of using actors.

"You could probably save on reusing the video footage of another parking lot, instead of using actors."

Live or recorded video footage from somewhere else can be spotted as fake (car license plates, distant shop signs, different weather conditions, etc) and recorded footage will also eventually wrap around revealing it's recorded. It all depends on what they need to accomplish.

Did they go there in person and verify it's an actual CIA parking lot?

IIRC, which isn't guaranteed due to the years involved, it was on an IP that when he did a reverse lookup for others on the subnet associated with a cia.gov subdomain or something like that. Plus it just looked American. But we could have misinterpreted it. And it could have just been a recruiting tool or honey pot. I get lost in forests of mirrors.

Why do you imagine the CIA parking lot would leak information? Keep in mind the CIA has been fighting an adversary they believe to have significantly infiltrated the US since at least the 30s. Anything that would be leaked by personnel being associated w/ the CIA is probably not done at the building with CIA on the side to begin with.

Metadata. They can't keep everything in check.

I think he meant the job offer.

DVR devices are insane. I do regular surveys of random IP addresses and find these devices everywhere. They're easily identified by the headers that the embedded servers respond with.

Typically they're cheap devices from China using the same tech just with slightly different branding.

They usually have default passwords like admin:admin that users aren't required to change and often have vulnerabilities that grant access to the rest of the network. And people expose the ports for these things to the entire internet. Maybe people just assume nobody will happen upon their IP address?

The irony, of course, is that people install these for security.

Remember when wifi devices rarely had passwords and you could use your neighbor's internet? What caused the change to the modern practice of unique strong passwords by default? Was it consumer driven or were there some other factors? Whatever happened, we need that for IoT devices too.

A big factor might have been ISP-provided routers coming with random passwords printed on the underside of the router instead of uniform defaults. The same tactic would work with many IoT devices but the incentive isn't there.

The pressure was probably from the ISP side. This is easy to make for the ISP, just one extra line in the request for tender.

For IoT devices it is harder to push through, there are no real incentives to spend on security except the potential for bad marketing once systems are compromised. In my company we usually have unique device and server generated public/private keys so compromising one device will not make the whole fleet vulnerable. This is just one of the methods. In most cases security is really hard to sell to the project managers at an early stage of R&D unless they have had prior unpleasant experience or market mandated stringent requirements themselves. After all, making systems more secure is usually going to make projects longer and more costly on paper. "Security is not part of the MVP and we will worry about it later" is a way too common reaction.

I wonder if we'll someday see ISP-issued modems and routers gently probing their customers' local networks, and sending out emails when they identify known vulnerable devices.

What incentive pushed the manufacturers of those routers in that direction though?

Torrenting and child porn, I would guess. I remember the slow transition from people using open networks to securing the shit out of them, and there was this big fear that someone could use your network to download copyright-protected and/or illegal material, and it would be tied to your IP.

Indeed, 10-15 years ago in almost any area with a population you could easily find an open network to get onto the Internet when you wanted to. I could check email and look up some quick things even while riding public transit, without needing mobile data. There was also a grassroots movement of sorts to "share your WiFi", and even a well-known security professional opened his: https://www.schneier.com/blog/archives/2008/01/my_open_wirel....

Now there's almost none of those left, and what places do advertise "free WiFi" are captive/login portals. It was more free and open back then, I actually quite miss those days...

I miss them too, though less than I did in the period between when people started locking down Wi-Fi and when mobile data became cheap.

Anyway, this is just yet another example of computing getting worse the more money there is to be made in it from mainstream use.

I suspect it was the ISPs who made the decision, not the manufacturers. Removing the common excuse of "my network is open, who knows who did it!" for torrenting may be the reason. Another could be to make open/easily accessible networks rarer as they started selling Wi-Fi via the provided routers.

Could be ISPs trying to improve user security generally to prevent lots of their customers becoming DDoS zombies resulting in more contention & customer complaints.

Not a bad rationale, even if consumers don’t complain. DDOS sucks up a lot of bandwidth in aggregate, and this is a cheap way to reclaim some of it.

That's highly unlikely as we've recently learned from "Internet Chemotherapy": https://news.ycombinator.com/item?id=15946095

ISPs are unfortunately the problem, not the solution.

I don't know what happened at scale, but here in Germany what happened is that you are legally responsible for what happens via your router, so better take care you are the only one using it.

Much kudos to submitter for using the text-only cnn.io version. Instead of loading a megabyte of executable crud, moving images etc for three paragraphs of text I got...three paragraphs of text!

Thanks, but all credit goes back to HN for turning me onto cnn.io in the first place.

TIL I needed this. -- do you use any other text based sites?

NPR also has a text only version:


I don’t, sorry. I’d certainly upvote and appreciate someone who put together a list of good ones though.

Too many camera exploits in the wild these days indeed.

Need an OSS system for the cameras, just like OSS firmware such as OpenWrt to replace vendor firmwares.

The camera itself does not have enough resources to deal with DDoS or brute-force attacks or updating-with-CVE-quickly if they're exposed to the public internet _directly_, they should sit behind some firewall. I hope those important cameras, or privacy-concerned cameras, are at least not installed with a public IP, not sure if that is true though, otherwise more exploits will keep coming.

Doesn't OpenWrt have a pretty shoddy security track record?

Any source? OpenWrt can't fix kernel security bugs, or OpenSSL issues, but it can provide a fast fix after those exploits are announced at least.

I have not heard of widespread problems with OpenWrt yet.

That may be based on vendor implementations - I think there are a bunch of consumer routers out there that are based on reskinned old versions of OpenWrt.

Yes, the key is OSS OpenWrt instead of vendor-specific OpenWrt, which is normally lagging behind still, probably slightly better than closed vendor firmware, but not that much better.

True OSS OpenWrt has the fastest updates and security fixes, and it's solid.

It is 65% of outdoor cameras operated by the DC city police, not 65% of all outdoor cameras in DC.

That would have been impressive, Person of Interest style.

Yes 65% is a soundbite.

Cameras are notoriously easy to break into. I would venture to say those 123 cameras have the same manufacturer and share the same reset instruction.

A false soundbite.

The first sentence of the article has more detail but is still false. Then the second sentence of the article contradicts the first sentence, adding the phrase "of the DC city police". Shall we believe that version?

I'd like to take this time to remind everyone of the Internet of Shit project:


Welcome to the IoT age. It's not going to get better, only get worse.

Are there any actually secure IP cameras? Somehow I don't think this is a badge of honor for the "Romanian hackers". They probably just scanned for default passwords and known vulnerabilities.

How is that not hacking? Many hackers use known exploits to break into systems.

Who said it's not hacking? However, it's on the "unskilled labor" side of hacking.

Cyber security issues are only recently becoming a point of awareness in the surveillance industry.

Some manufacturers have hard-coded backdoors/authentication bypasses, any vulnerable devices spread across the US, and the rest of the world.

Here is an example of one vulnerability from one larger manufacturer (Hikvision): https://ipvm.com/reports/hik-hack-map

> They were traced through their registered email addresses, one of which roughly translates into "selling souls" in Romanian, according to the affidavit.

I wonder if it's a reference to Dead Souls (https://en.wikipedia.org/wiki/Dead_Souls).

Hacking aside, it's great to see the perfect diversity score: 50% male/female. Silicon Valley should take note.

In Eastern Europe women in engineering has tradition. It's all about role models and social norms.

Here's a recent article about it:


In the west, the woman is traditionally the housewife.

It's also a side-effect of the "communist cultural heritage"... Engineers were quite respected in communist societies (at least in EE & Russia), and women were also welcomed/forced to join the industrial workforce (because industry was inefficient and required tons of labor).

Hence, a smart woman wanting high social status kind of had two options: become an engineer or a doctor. First option was easier and also less painful (doctors were also subjected to nasty shit like having to relocate to unpleasant places without choice because there was a demand for their services there, some areas like surgery were also much less women friendly etc.).

Also, dunno about Russia, but in Eastern Europe, even now, there is a good "girls in math" story. Maybe less in physics or computer-science, but in pure and applied math there's lots of girls. Probably most of the smart ones jump ship more towards finance than tech though, when they realize they can't really get a nice paying job with a math degree alone.

This is what makes me skeptical of the diversity movements in America. In Romania and even Russia it seems women are very well represented in tech and there are no movements there. It seems to me that these movements are mostly used for political maneuvering and are not helpful at all.

I'm from Romania. The general balance is pretty far from 50/50, and there are some not-so-nice jokes about women in CS (e.g. "mamma had 2 girls; one was smart & beautiful, the other one went on to study computer science"). Still, from what I saw (I work in a US company) - I suspect it's far better than US, and maybe even Western Europe[1]. There's no expectation that if you're a girl you must suck at math (or science/engineering in general), and in general I'd say programmers want/like to have girls around. But it's still a fairly masculine environment, with some fair level of "bro" culture, so it must be somewhat tougher for a girl. It's double-edged though... the US "positive discrimination" culture is making inroads here, so on some aspects it's easier to be a girl in tech (I suspect it's actually easier to get a job compared to an equally-qualified guy).

The thing is - positive discrimination doesn't solve the problem, because it comes from school. You need to encourage girls to take science classes - it has to be expected of them that they do so (rather than go towards, e.g., humanities). That, I don't think is actively happening in the US or even some parts of Western Europe.... by the time you're dealing with graduates, it's already too late to fix the gender-imbalance problem.

[1] My little daughter's godfathers are German (she grew up in Romania, but he didn't). She told me that among German women, it's a thing of pride to be bad at math. And that her daughter was praised in school that "you're pretty good, for a girl". With that sort of attitudes during childhood... it's bound to be hard to get gender balance later (that "praise" would be perceived as insult here)

> There's no expectation that if you're a girl you must suck at math (or science/engineering in general),

When I was going to school girls were usually better at math. I remember getting help from them with some calculus problems.

My CS teacher in high school was a woman as well and before teaching she worked as a programmer. She was a great role model for girls I'd imagine. Well she was a great role model for me too because she was a great teacher.

At my University in Timisoara Romania, in my class in pure Mathematics 75% were women, I think the men were attracted more to the computer engineering at the other university but I do not have numbers, anyway girls still loved Math when I was at university 15 years ago

As someone from Eastern Europe, all of the women (three generations) in my family are/were in scientific/engineering roles and it didn't seem like a big deal 30 years ago or now. It was just the way things are. I have an aunt who knows COBOL.

Not being familiar enough with history of this in US/Silicon Valley, want to ask: were things always "unequal", or did things go wrong somewhere along the way?

Same here - my grandmother was a programmer, and my mother was an electrical engineer.

What it says to me is that women are just as capable as men in the engineering fields, and America has a unique problem that keeps women out here.

So yes, it makes sense to have a movement for diversity here, because something is pushing women out of these fields, so we have to push back.

There is a big movement in the US! Many organizations akin to girlswhocode.com. However, with the right wing in control right now, there's a real effort to suppress the legitimacy of that movement.

Eh, what? Russia still faces a lot of violence and discrimination against women: http://www.bbc.com/news/world-europe-21474931.

I'm not sure for the increased participation of women in tech though. Maybe better education? Maybe less of a "computer lovers are all nerds" culture? I honestly don't know.


Please don't do this here.
