It’s not ‘hacking’ if you guess someone’s PIN

I do wish people would stop giving hackers and hacking a bad name.

Hackers, in my experience, are extremely competent people who often have a pretty acute if not always ‘comfortable’ or mainstream sense of ethics, unlike ‘script kiddies’, certain private investigators and other wannabes, who often seem to lack – or fail to understand why it might be worth earning – the knowledge required to build or understand the tools they use.

To the ignorant, amongst whom we unfortunately must count the majority of our elected representatives, civil servants, the press and (I suspect) the judiciary, ‘hackers’ are in the same broad category as ‘viruses’ – i.e. bad things that they can’t understand that make bad things happen with computers… which they don’t understand.

The reality is that the majority of fraud / computer crime is perpetrated by insiders. I’ve seen figures around the 70% mark, but whatever – it’s certainly more than half.

Most competent systems administrators – which doesn’t necessarily include the police, the military or (all of) the spooks, folks – change the default passwords and patch the known ‘back doors’ in their systems.

Many exploits characterised as ‘hacks’ are actually little more than exercises in social engineering, or the application of common sense to a little bit of publicly available information… in the absence of any reasonable constraint.

If I were to have, say, a list of telephone numbers and wanted to listen to the voicemails for as many of those phones as possible, would I need to ‘hack’ the phones? No. I could just, say, pay someone to do the very boring but utterly simple job of calling up the numbers one by one and plugging in the default PIN for each network. Apart from pressing a few buttons, the entire exercise might require software no more complicated than a spreadsheet to note down the successes or victims or idiots – depending on how you look at it.

If you want a sense of what a proper ‘hack’ is, take a look at http://rfidiot.org/ – which required thought and effort, knowledge and expertise. And which was done to demonstrate a wider danger.

What I found quite shocking at the time – but I guess less so, with hindsight – was how desperate the journalists were to engage the services of the chap who did this when (while we were demonstrating how easy it was to steal the data from the chip on the passport, even from inside the sealed envelope it was originally sent in) he showed them just how easy it was to take over their phones via Bluetooth. He wouldn’t do it, of course.

Some people know where to draw the line.

This entry was posted in privacy.