"...Hacker culture was born in the US as a counterculture, but that origin only remains in its aesthetics — the rest has been assimilated. At least they can wear a t-shirt, dye their hair blue, use their hacker names, and feel like rebels while they work for the Man."
I dunno. I like being able to go to work in a t-shirt and shorts, make really good money, and not look over my shoulder wondering if today is the day one of my co-workers fucks up their opsec and gets me caught up.
Phineas Fisher can look down their nose at me, but I got clean money and avoided the drugs and gang culture that took out so many of the associates I had growing up. If working for the man is losing, give me another L.
>and feel like rebels while they work for the Man."
It is significantly more subversive to slowly, diligently and without much attention change existing institutions rather than 'sticking it to the man'. That's the difference between teenager hacktivism and effectively pursuing change. The boring, blue-haired kids at gov. institutions are going to run them in 20-30 years.
Obnoxious, loud, visible activism or counter-culture usually just exists to draw attention to itself while generally getting nothing done, and even taking pride in that fact.
The two types of activism are symbiotic. The obnoxious, loud, and visible activism takes the attention (and resources) while test ballooning the expanding or moving of the Overton Window. Changing institutions without drawing attention is way easier when someone else is drawing the attention, and louder activists are also a great 'stick' for convincing others to do things your way: "Well, if we don't do this, those people might be the ones making these decisions..."
And from a loud activist point of view, the slow and steady/sneaky workers are the ones who can do things like bail people out of jail, funnel money and information, etc.
This was a tactic used by the German far left around Rudi Dutschke and to some extent the RAF.
https://en.wikipedia.org/wiki/Long_march_through_the_institu...
IMHO it didn't go very well, they all got assimilated in the end (for Germans, see Joschka Fischer).
Last year there was a meme going around in the German hacking scene when Google received Pwnie’s “lamest vendor award” for closing 11 zero-days. The reason for that award is that western intelligence agencies abused these exploits for “counterterrorism operations”, so Google essentially shut down a whole spying op.
The joke about it was that closing security holes is never “lame”, and that the American hacking scene consists to a large extent of FBI, NSA or CIA, which explains the award.
To quote Felix von Leitner [1]: “They can say ‘Ex-’ a hundred times, but you won't get rid of the stench by declaring the termination of your employment.”
The quote you're replying to is from one (admittedly, from several years ago). It does seem to be getting rarer, but consider that the ones still active might not want to make themselves publicly known.
Yes, I have a friend who does this for a living. The trick is apparently to get a high enough rating that companies give you software pre-release, and you can vacuum up the low hanging fruit before everyone else.
He claims legacy car companies are bad at security and pay a lot.
There definitely still is... But I think after circa 2012, when people found out the Anonymous movement was just a CIA/FBI honeypot, no grass-roots hacker groups publicly advertise.
Due to the nature of it being a label anyone can take on, it can be used by anyone, including state actors, just to tack on a layer of extra plausible deniability when wanted. That doesn't mean the organization itself was ever or always compromised, just that the label could be used by pretty much anyone.
The essence of hacking culture remains with hacktivism, hacking "for the Man," and everything in between, as it is all still...hacking. The profession attracts a very specific type of person and greatly rewards those who excel. Why is the culture considered lost if state-sanctioned? In my opinion, that would be some of the most exciting exposure, with the added benefit of zero legal woes.
In my opinion this genuinely only works if you are doing this separate from The State. Like I always told myself if the PRC actually invades Taiwan, I'll drop everything and dedicate my life to solo / group finding ways to harm the PRC digitally. I bet there are agencies in the USA where I could get paid to do the same, but then I'm working for the USA government, who is also the enemy of my values, maybe not as much as the PRC but still.
It's a pretty common trope that a revolutionary (a cultural mindset I think hackers adopt) will sometimes / inevitably need to adopt the tactics of their enemy, but even if that's a truism, you certainly don't need to work for them. You can find your own way, especially in hacking.
Because when you go to the NSA to hack Russia, you have no guarantee you'll actually be assigned that task. They might ask you to first hack the leader of a "potential terrorist organization," then you do so and it turns out it was an activist leader in the Black Lives Matter movement. What are you gonna do, complain to your boss? And, now you're a Fed. Now you can't even turn around and be a whistleblower or whatever because the State knows EVERYTHING about you, background checked you, and can smack you with a legal baseball bat if you act against their interests, slapping you with charges like "sharing state secrets" or whatever else they can dream up about confidential State information and technology.
No thanks. Like others say, you can't be punk and a fed.
Anyway we're drawing fake lines in the sand here. Even if the PRC and the USA are at war, they're probably doing so at the whims of the real "Man," that being capital interests, corporations and billionaires. By plugging into the USA "side" you're just working for corporate interests in the end.
But being the underdog is not necessarily the most exciting part. It's standing against a formidable adversary, autonomy, and mastering the technology so deeply as to use it well past its design limits that attracts many hacker types. It can be pretty compatible with being a secret agent in Her Majesty's service, for instance.
(These qualities are not entirely unlike the qualities that define e.g. an elite fighter jet pilot. But you can't realistically be an elite fighter jet pilot and an underground punk.)
That's just called being a boot. You don't have much choice in fighting off Putin or environmentalists in third world countries when ordered to, you're now Serving Your Country.
> hacking "for the Man," and everything in-between as it is all still...hacking.
I think it would be fair to distinguish between the activity of hacking and the spirit of hacking. The author of the quote is pointing out the cognitive dissonance in regards to the spirit.
True. People either get old and less idealistic in the process, or they just realise they don't have the power to change things and instead focus on other things which they do have the power to change, e.g. their position within society or the amount of interaction they have with society.
Regardless of how good it feels to express discontent towards the status quo there is a cost to giving society the middle finger.
The content="text/html; charset=windows-1252" was interesting to me since I'm so used to seeing utf-8. Caring about charset seemingly makes little sense here, given everything is embedded into the image. I wonder if this page was created by a generator.
I love the random Canadian flag in there, because apparently every other country's police forces' crest should be recognizable to everyone on the internet, but the Canadians ones are just too obscure.
I suspect the block with the Canadian flag, RCMP logo, and Sûreté du Québec logo was placed as a block at the request of the cooperating Canadian agencies, together as their logo for Canada's involvement, and that the Canadian flag is not placed there because the FBI is singling Canada out differently.
Also, I bet that the design guidelines of most of these logos mandate wide whitespace around them. These jokers even smushed the logos of the Finnish and the Netherlands police together. “Oh, I see you left a bit of space in your logo empty. Mind if I push another logo in there?”
(PS.: Can't edit my comment any longer, but the parent commenter completely altered their question sometime after I answered. Amusingly, the answer to the new question can also be found in my reply: the Canadian police is the "RCMP" in English, or "GRC" in French.)
This was a joke on some security podcast I listened to. More realistically, some nerd in the agency does its graphics in his/her free time and shows it to their boss.
Or it's just the newest, youngest recruit who has any type of experience with Photoshop (or MS Paint even) that gets a list of images and has to put the image together, which they then paste into Microsoft Office Publisher 2003 and voilà, done.
An FBI agent in a hoodie looking at a monitor with a similar person in a hoodie as the wallpaper reminds me of AI-generated images (when the AI doesn't know when to stop with the prompt and repeats the same object several times, especially somewhere in the background).
Government agencies often have fun when they have occasion to produce art. You might enjoy this collection of mission patches from National Reconnaissance Organization satellite missions [1].
They do, actually! There's a whole laundry list of guidelines Federal entities have to adhere to when making websites, both internal and external. You can learn more here: https://www.section508.gov/
> Been active on Genesis Market? In contact with Genesis Market administrators? Email us, we're interested: FBIMW-Genesis@fbi.gov
This has big "congratulations, local felon, you've won a ticket to the Super Bowl" energy [0]. But if it was enough to fool criminals in 1985, it's probably enough to fool criminals in 2023.
Not necessarily. There’s nothing illegal about contacting criminals if you have no intention of committing a crime. The FBI might in good faith be looking for witnesses to come forward and be available to testify in a criminal case against the administrators.
It’s actually entirely reasonable for regular people to contact botnet administrators without any intention of purchasing criminal services. Security researchers sometimes do this when investigating the source of botnet attacks or when tracing machines they deliberately allowed to be infected (honeypots). The FBI may be very interested in getting testimony from these security researchers, even outside the scope of expert witnesses they may select out of the researchers they’re regularly in contact with.
I mean, I've gone to websites similar to this in the past, after seeing them mentioned on sites like Krebs, simply out of sheer curiosity (as mentioned elsewhere in the thread, a lot of my curiosity stemmed from a place of, "Hold on, this sort of site is publicly hosted and easily available to anyone!? I can't believe that"). I've never registered or posted, but some of those sites/forums are wide open for the public to peruse. I'm not even that technologically savvy or into security research, yet I've made it there, so I imagine the number is a bit higher than you'd expect.
A very tiny fraction. But I have to assume that most criminals on there would be smart enough not to reach out to the FBI unless they were facing far worse trouble than the possibility of being charged with a crime for this. I could be wrong, there could be criminals dumb enough to expose themselves to prosecution — they are criminals after all — but I would expect them to be smarter than the average street criminal.
Most of those vendors would flip and cooperate once pressed even a tiny bit by law enforcement. They're probably just regular ole nerds who made money in a bad and stupid way.
> There’s nothing illegal about contacting criminals if you have no intention of committing a crime.
The resoundingly consistent legal advice from any lawyer you can find regarding communicating with cops will ALWAYS be: "don't."
I can't fathom why anyone would go out of their way to have a chat with the FBI.
If the FBI needs to talk to you for whatever they're up to, they can find and contact you, and then have a pleasant conversation with your lawyer. If they absolutely need to talk to you, they should only do it after forcing the matter with the subpoena, and your lawyer should be there.
These processes and protections exist for a very good reason.
I work, kind of, in this space - and it's been wild to me how incredibly easy it is to embed myself into public Discord servers that offer fraud/abuse bots. That might speak to the sophistication of what I find (vs. groups with better OpSec). I agree though, I'm surprised this was operated on the public internet with a great domain name.
They need to sell to people so the Discord/Telegram and website need to be easy to access.
And Discord/Telegram and websites want it to be easy to make stuff with/on them. The alternative is some vetting process where you submit a form for what the site is for and then someone from an authority logs in and checks manually.
I'm under the assumption that there are groups that require reputation to join (e.g. on private Telegram) that have a higher barrier of entry than a public Discord invite.
Back when Brian Krebs was still on twitter, it was a pretty constant parade. New cybercrime site goes up, it's compromised by LEO on week two, they hang out collecting evidence for a year, then roll it up and send everyone to jail. A month later, a new site goes up...
Well, it’s worth considering that FBI had control over it long ago and ran it themselves for a while (hence it’s ability to be so public), and the impetus to give it up could be any number of things from threat of revelation to the more mundane cause of it having outlived its usefulness or just new projects taking priority/reassignments.
This is not conspiracy, the FBI seriously does shit like this.
So, as a web programmer, I'd like to infer how this data got into the marketplace in the first place. The offerings are all powered by browser data exfiltration! Which means their vector is another process on the host, or it could be a malicious browser extension, or a resource 0-day. Or the tokens could be exfiltrated from the server side, too.
Chrome has a browser extension API which allows plugins to access all cookies, but its use is considered suspicious and a red flag; an extension which uses it would generally get caught during initial review. However, Chrome extensions are also allowed to “hotload” portions of their own code/scripts from external 3rd party servers.
So an extension will seem benign when it initially gets checked by Google as part of becoming part of its submission to the Chrome Store. Then, later, the external “3rd party” script that is hosted remotely will get replaced with a different, malicious script. The malicious extension carries on stealing cookies, credentials, and fingerprints until someone reverse engineers it and reports it to Google.
Google will not always recognize the issue immediately because the 3rd-party malicious code is not strictly “part of” the extension, so there's a bit of a song and dance while the person who reversed it convinces Google's reviewers that “yes, this really is actually malicious, you need to analyze the third-party code that loads later”, and then Google eventually takes it down after a semi-involved back-and-forth where extensive documentation and video walk-throughs are provided by the exasperated white-hat Good Samaritan.
Remote loading of code has been banned by Google and Mozilla for several years now. The automated review tools pick up script injection and eval() calls. Unless you can craft something unique, you’re not going to get past the automated review.
I’m guessing the malware is something else besides a browser extension.
Stuff like setTimeout accepts strings too. I wonder how good those scanners are at detecting overwriting an initially innocent function that's later called in a timeout with a string; it can get fairly indirect:
  // 'func' starts out as a harmless function
  let harmless = { func: function() { }, harmlessExternallyLoadedString: '' };
  let toAccess = 'func';
  // do stuff that seems legit
  if (true) {
    // block-scoped: shadows the outer toAccess, which stays 'func'
    let toAccess = 'harmlessExternallyLoadedString';
  }
  harmless[toAccess] = 'alert(1);'; // imagine this being a fetch request
  // later on: harmless.func is now a string, which setTimeout evaluates
  setTimeout(harmless.func, 1);
Now imagine the logic for what othervar is set to is obfuscated a bit by a more complex logic tree, and the example was a bit less contrived.
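The indirection above defeats a pattern-matching scanner, but whatever the static path, the browser still receives a string at call time. Here is an added example (mine, not code from the thread) of a runtime guard on the timer APIs that refuses non-function callbacks and records a report, which is the behaviour an extension's CSP without `'unsafe-eval'` enforces; `createTimerGuard`, `installTimerGuard` and `demoShadowingTrick` are names I made up, and the replayed trick is the comment's own snippet run against a guarded scope.

```javascript
// Added example: runtime guard for setTimeout/setInterval string callbacks.
// Hypothetical helper names; nothing here is a browser or extension API.

function createTimerGuard(original, onViolation) {
  // Wrapper with the same signature as setTimeout/setInterval.
  return function guarded(callback, delay, ...args) {
    if (typeof callback !== 'function') {
      const report = {
        api: original.name || 'timer',
        type: typeof callback,
        preview: String(callback).slice(0, 80), // for the audit log
        stack: new Error('non-function timer callback').stack,
      };
      onViolation(report);
      // Refuse to evaluate the string instead of letting the engine eval it.
      throw new TypeError(
        `${report.api}: callback must be a function, got ${report.type}`);
    }
    return original(callback, delay, ...args);
  };
}

function installTimerGuard(globalObj) {
  // Replaces the timer functions on the given scope and returns the
  // array that collects violation reports.
  const violations = [];
  for (const name of ['setTimeout', 'setInterval']) {
    if (typeof globalObj[name] === 'function') {
      globalObj[name] = createTimerGuard(globalObj[name], (r) => violations.push(r));
    }
  }
  return violations;
}

// Replays the thread's shadowing trick against a (guarded) scope.
// Returns 'blocked' if the guard rejected the string, 'scheduled' otherwise.
function demoShadowingTrick(scope) {
  const harmless = { func: function () {}, harmlessExternallyLoadedString: '' };
  let toAccess = 'func';
  if (true) {
    let toAccess = 'harmlessExternallyLoadedString'; // shadowed; outer stays 'func'
  }
  harmless[toAccess] = 'alert(1);'; // constructed stand-in for a fetched payload
  try {
    scope.setTimeout(harmless.func, 1);
    return 'scheduled';
  } catch (e) {
    return e instanceof TypeError ? 'blocked' : 'error';
  }
}
```

Real browsers also expose this at the policy layer: a `Content-Security-Policy` of `script-src 'self'` in the extension manifest makes the string form of `setTimeout` throw, so the guard mainly adds the logging.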
Genesis infects your computer with persistent malware (the "bot" as mentioned in the article) which lets the customers who bought access do anything on the infected machine. There are plenty of ways your computer can get compromised, which will install the botnet client as the final payload.
Wait, so it's not a market? I thought this was a resource where black hats go to sell their data. But you're saying that Genesis is the only black hat, and their "market" is just selling their own data?
Yep. But there was nothing stopping a black hat from contacting the admin and selling their own botted data to the Genesis shop. Criminal organizations have supply chains.
I don't have any insider knowledge or anything, only suspicions. I have friends who have developed relatively simple browser extensions like dark mode ones, filtering ones, etc.
Once they get to like 100k DAU popularity level you’ll start getting emails from people who claim to want to purchase the extension from you for a few thousand or “sponsor” the development by supporting you with ads.
You either sell it, or include some JavaScript that later (few weeks) turns malicious and starts harvesting.
That’s probably how. Like I say, I have no idea if that’s how these people work, but it seems a likely attack vector.
Malware spread by email. This is how YouTube channels get hacked for Elon crypto scam livestreams. The session is hijacked too.
A second way is through Chrome extensions that log cookies and form data. The old cookies can be replaced with the new, stolen session via a cookie editor.
Genesis Market provided access to a wide list of services with user accounts from all over the world. Among them were Gmail, Facebook, Netflix, Spotify, WordPress, PayPal, Reddit, Amazon, LinkedIn, Cloudflare, Twitter, Zoom, and eBay.
This is why 'strong passwords' will never be good enough when hackers simply control the actual session.
Imagine a DAO contract using ChatGPT to re-open such markets with laundered drug funds every time the last one expires.
Talk about whack-a-mole debugging of the virtual by the real space. It could even come to an "arrangement" with the agents, increasing the number of markets to "bash" over time, so a metric for success exists and grows.
Sounds like it, and it sounds like they built a Chrome extension that effectively acts as a proxy for traffic through the target IP with the appropriate metadata to trick fingerprinters.
I'm just waiting for hackers to seize fbi.gov and replace their page with a "this page has been seized by Anonymous" (or whoever). I will laugh my ass off when it happens.
https://genesis.market/
The FBI agent in a hoodie, eating a cookie while hacking into the Matrix is just too good.