How to hack a city - and why we should
Hack the planet
(Republish with translation from: THE KERNEL MAG, "Hack the Planet,
How to hack a city and why we should", By Jonathan Keane on August 2nd, 2015)
Nobody thinks of the servers and infrastructures that "run" cities: at least not until something goes wrong, such as flooding, power outages or traffic jams. Information security professionals, however, are increasingly becoming aware of how a linked city can be vulnerable to attacks and are beginning to think about how to make it safer.
Through smart technologies, wireless connectivity and the explosion of the Internet of Things (Internet of Things, IoT), cities and critical infrastructure have taken a technological breakthrough in recent years. The Amsterdam investigates various open source projects and cities like Barcelona in Spain are in the process of modernizing the energy supply networks and traffic lights. But these new initiatives open new vulnerabilities (vulnerabilities).
Last year's security conferences, for example, Cesar Cerrudo, IOActive's security technology chief, did a demonstration of myriad problems in traffic with the systems at traffic lights. It showed how attackers could target embedded sensors on the streets that send data to traffic control systems. How could switch-over circles change traffic signals to traffic jams and send cars on the wrong routes or roads that would potentially cause road accidents.
This may sound like an abstract threat, but attacks on infrastructure are already happening. 2014, one steel factory in Germany, was attacked by cyberaggressors who stole the input data through a malware-loaded email and gained control of the factory control systems. (Of course, that reminds the Stuxnet virus created by the US and Israel to target Iran's uranium enrichment units). The damage from the attack to the steelworks has not been quantified in detail, but the official report describes it as "enormous" where a blast furnace could not close properly.
"Cities, like any complex system, are potentially prone to hacking. The important question is how vulnerable are they? "
Researchers have thought about such threats in the this year's Black Hat conference for safety, researchers from Drawbridge Networks and by US Military Academy at West Point presented "Pen Testing a City". "Penetration testing" is security terminology for finding vulnerabilities an attacker could exploit, and cities, like any other complex system, are potentially prone to (malicious) hacking. The important question is how vulnerable are they?
A city is not a single entity, it is an ecosystem, explains Tom Cross, CTO of Drawbridge Networks. And the bigger the city, the greater the complications.
"Once the scope is determined, there are all kinds of levels you look at, not just computers connected to the Internet. You have many wireless networks."Said Cross. "There are many unique areas in a city that a typical organization does not have".
We could show examples of these unique areas for attack, such as when Kaspersky Lab found significant shortcomings in networked surveillance cameras. Cameras are often Internet-enabled and this allows the authorities to watch the shots from a distance. In one case, however, the cameras used in a city, not mentioned in its name, were found to transfer their data without encryption. More worrying is the fact that the researchers found that these cameras had really strong security measures, but they were not used enough. A poor set of network parameters in surveillance cameras could leave it open to counterfeiting, which in turn could hinder law enforcement.
Kaspersky researchers found vulnerability because they could connect to the web with surveillance cameras over the internet. But most of the time municipal systems are not open to independent testing. This means that vulnerabilities are not discovered and are not corrected quickly enough. "If these systems do not have a sufficient amount of security controls, a sophisticated intruder could find the vulnerabilities that exist and bring them to the surface"Said Cross.
"Cities are developing technology that has more vulnerabilities within it. The vulnerabilities in these technologies have not yet come to the surface "
Over time, systems in a city are often a patchwork of old and new technologies. "People create new systems and use them, and then end up going back and reforming them"Says Cross. This presents two different types of problems. New technology is often not tested. "This means cities are developing technology that has more vulnerabilities within," Cross added. "The vulnerabilities in these technologies have not yet been revealed".
But obsolete technology can also bring its own vulnerabilities. "There is a large city in the United States of America that still uses it Netscape Enterprise Server in the 6 version, which released 2001. Not supported anymore"Says Cross. (The Cerrodo of IOActive claimed that the Burj Khalifa in Dubai, the world's tallest building, runs its systems on Windows XP. Burj Khalifa management did not respond to our request for comment).
So, who are these invaders? Cross reports that so far, cities have benefited from the fact that their systems are difficult to access: Classic hackers leave them for new goals, they do not want to embark on their efforts. But, he says, "You are also worried about the nation-state bodies, because they can also access these systems".
Again, this is not just an abstract threat. 2007, the Estonian government was the victim of a distributed denial of service attack (DDoS) believed to have come from Russia as a result of a dispute over the relocation of a statue from the Soviet era. The sites of the Estonian government, the banks, the broadcasters were all attacked. Estonia accused the Russian government of orchestrating the attack, a claim Moscow refused. A year later, a person of Russian nationality was condemned and was fined for his involvement in the attack.
"The reason these attacks have had such an important impact on Estonia is that many of the government and public services rely on a brand-new infrastructure and everything is based on the Internet"Said Cross. Estonia, sometimes referred to as e-Estonia, is known for elections with online voting systems and e-government services, for example. "Because everyone has this new technology, it depends very much on whether the internet works well if the internet works then and their government works well". This created vulnerability to the attack.
"Cities must do pen tests. It should be done in all areas and not only in restricted segments "
But the attackers do not have to be a suspected nation-state hacker or target new and sophisticated systems. Again, because cities are so complex, there are often many areas open to attack. In September of 2013, a 3,5 mile traffic tunnel at Haifa in Israel, was closed από μια cyberattack που έπληξε τις κάμερες επιτήρησης της σήραγγας και των συστημάτων ελέγχου της κυκλοφορίας και μάλιστα δυο φορές. Η πρώτη επίθεση προκάλεσε delay 20 λεπτών. Την επόμενη μέρα, το σύστημα έκλεισε κατά τη διάρκεια της ώρας αιχμής το πρωί και παρέμεινε κλειστό για οκτώ ώρες. Hackers “από μια παρόμοια ομάδα όπως η ομάδα hacking Anonymous"Were initially accused, given the team's history in targeting Israeli sites, although the company managing the tunnel later refused that any attack had taken place. A few months ago, Israeli officials argued that a failed cyberattack in Haifa's water supply system had begun by the Syrian Electronic Army (Syrian Electronic Army).
Tom Cross, thinks cities need to do more to secure their infrastructure. "I think the cities will have to do pen tests, and that's where our work points out. Checks should be done in all areas and not just in some departments. We have to look at it from a perspective of the bigger picture, "he said. This would mean simulating attacks or sticking to the system and clearly assigning responsibility for the whole IT team.
The IOActive security company also [pdf file, 20 pages in English] a "cyber security review checklist", Which gives cities a guide to the right encryption and licensing standards. Other suggestions include wider training for city workers, implementation of corrections, 24 / 7 emergency responses, and the creation of a special computer emergency response team (CERT) for the city.
The Japanese government has adopted a similar approach as it prepares for the 2020 Olympic Games by creating a new Cyber Security Strategy Groupcybersecurity strategy team). The government has conducted cyber security drills in its various departments to secure national security issues and intends to educate up to 50.000 citizens, τόσο στον ιδιωτικό όσο και στον δημόσιο τομέα και να βελτιώσει τις ικανότητές τους στους υπολογιστές μέχρι το 2020, για να αυξήσει τα πρότυπα ασφαλείας των πληροφοριών και για την protection από επιθέσεις και εκμετάλλευση των ευπαθειών, συμπεριλαμβανομένων των επιθέσεων σε ιστοσελίδες και στο συστήματα πωλήσεων εισιτηρίων των ολυμπιακών εκδηλώσεων.
"Communication between the city's executives (will) is the key"Says Cross. With computer technology becoming an integral part of how a city operates every day, technology must be as strong and resilient as we can do the most. And we have to prepare for the possibility that even our best-designed and more rigorously tested systems will be spoiled.
"The point is"Says Cross,"that this is a real problem and must be a priority".
Illustration by J. Longo
Hacking our way to a better world
Hack the Planet, Part II
(Republish with translation from: THE KERNEL MAG, Hack the Planet, Part II, "Hacking our way to a better world", By Jesse Hicks on August 9th, 2015)
In the "The Misfit Economy"(Alexa Clay's Affordable Economy) and co-author Kyra Maya Phillips, examines the unexplored areas of economic life. The manifesto shows how hackers, terrorists, pirates, drug dealers, fellow travelers and others, both volunteer and non-smoker, make a living.
The answers are not always obvious: For example, Clay and Phillips detail how pirates of the 18 century may have evolved coming as a response to the hierarchies and the exploitation of their legitimate counterparts, merchant ships. Pirates lived out of the law, for sure, but they also set up systems that provide greater freedom to those who chose to join with them. And while the allegory of "10 things CEOs can learn from mob bosses" (10 things that CEOs can learn from mob mob bosses) are old, Clay and Phillips show that there is something important that we can draw from the lessons "Misfits", not just how to create more efficient, productive workplaces, but also how to make them more satisfying and possibly even more human.
By telephone from Berlin, Clay talked to us about how the hacker ethos can open new spaces and new ideas, how LARPingLive Action Role-Playing game) can help us build a better Wall Street and why the so-called sharing economy (sharing economy) has not released us from the tyranny of work.
* Tell me a bit about the subject of the book and what it was that interested you about this material.
First of all, the focus was precisely on really bringing attention to different kinds of business behaviors and actors outside of the usual stereotype of costume-type-Mark Zuckerberg entrepreneur Silicon Valley, so we wanted to look at people who were gang leaders or were involved in running drug businesses or have a business mindset but creating a college of hackers rather than starting a startup business. Or someone who had artistic performances but he was totally weird about how he brought this art to the market and how he found ways to do that.
I therefore believe that the real objective was to focus on people who are in the margins of the economy in many ways but who often have a very entrepreneurial mindset.
* Let's talk about hacking as one of your important references to the inappropriate economy. What is it that is important about hackers and hacking?
I had friends who were members of them Anonymous or grow up as teenagers, I had a hacker friend who stole credit card details from some people and made purchases with a home address address to his parents' home. So I think there has always been a subculture that has fascinated me, but now it is that I really started to be interested in how hacking, more as a moral or a set of behaviors, was shed on mainstream culture.
So now, companies are organizing hackathons, or people are talking about IKEA hacks or just the hacking verb, some would say it is combined - in other ways, and it's really built in to apply to many different behaviors. And I think the people that interest me are not necessarily pure hackers in the IT world, but people who hack systems in general, people who really have a keen knowledge of how specific systems have been built and are trying to boost these systems and evolve these systems.
And so, for example, the story of Gary Slutkin -who went around trying to figure out how to completely redesign our approach to violence, saying he treats it as a contagious disease, and for that reason, someone like him, piqued my real interest in him. Or even the UX, the collectivity of underground hackers (underground hacker collective) in Paris that genuinely created a different community model.
"In a world where so many people have this commercialized personality, Facebook identity or LinkedIn person, the UXs are completely anonymous and underground"
* You talked about hacking as a morality, that crosses the establishment today. You also referred to Steven Levy's book on the ethics of hackers. How do you think our moral hacker permeates along with the simple use of the verb "hack"?
I think it's definitely there, I think one of the first foundations of hacking is that I do not need permission from anyone else to do anything. And I think this is incredibly inspiring: People do not fit within a workplace and a specific job description, but they do things because they want to do things or because they want to see things happen. The underground collectivity of UX is able to make these incredible hoards, both from the point of view of Pantheon [penetrating Pantheon and within a month's work, restoring a clock of 19 century], and doing these underground cinema nights. Even some of the provocateurs, on whom we focused, are Yes Men And them The beard, are capable of hurting public places and even hacking the media in ways that are really interesting.
And I think everything starts from a courageous area - a place where some people worry less about the expectations of others or what is what society thinks about a certain thing and more guided by your consciousness in specific ways. And I think you will see this in some of the informants who were hackers, with cases like this Edward Snowden and such things. But beyond the limits of activity by denouncing the malfunctions, I think that's all that's a challenge spirit, really.
* You mentioned the UX and their project to restore the clock to the Pantheon and that they did it without any permission and through a long, complicated process. Can you tell us a little about what they were doing and how do you think this fits with the hacking ethics?
First of all, one of the interesting things about hacker communities is how they create different forms of organization. So in the context of the Anonymous group, for example, the group is completely headless. There is no one person who determines what the team takes on in the world. And so, anyone can initiate an action and others can join. And there's a really decentralized and volunteer spirit about it and the same goes for UX. They are not nor do they have a command and control system. Certainly there are people who will rotate through different specialties, but they also have the commitment of operating without a leader (leaderlessness).
Within the La Barbe group, the feminist activist group, I think the hacking principle there is around decentralization and that's really obvious, no person is the representative of that organization. And so, every time the media invites, someone else is always present. So, I think, how this is something that is really interesting too, about the UX. She is a different person who speaks at a time.
And there is also an anonymous identity. I think that in a world where so many people have this commercialized personality, this Facebook identity, or the person on LinkedIn, the UXs are completely anonymous and underground. And people have their "normal" day jobs, "overtaking" occupations and responsibilities, but at the same time they also have a different world to which they can enter that still has the feeling that it is something with higher values -to restore forgotten objects of French culture or to break down, to get into places where many are afraid to go. And I think this gives people freedom and autonomy.
So I believe that, in many ways, the hacker's instinct is the result of that feeling you can rely on. We often control the instincts of large multinational corporations or the instincts of the government - and what I love with UX is what they did in the best interest of the public. But they do not comply with any of the rules, they really appreciated their own autonomy. And I think it was something that really inspired me and that talks about that morality.
"So if you want the financial system to look different, what if we created a LARP around it to live up to what it could be?"
* There is also a sense that we can bring together many different kinds of behavior under the present umbrella of "hacking". Thus we have informants, such as Edward Snowden και η Chelsea Manning, που πιθανώς εμπίπτουν μέσα σε αυτήν. Έχουμε ανθρώπους που έχουν κάνει hacking στην ΙΚΕΑ και λένε “έκανα αυτό και πλέον δεν θυμίζει μια ντουλάπα ΙΚΕΑ” -αυτό είναι ένα IKEA hack. Και τότε έχεις, όπως ήδη αναφέρθηκε, την εργασία του Slutkin σχετικά με τη βία. Που έχει να κάνει περισσότερο με κάτι σαν ένα hacking πάνω στις αντιλήψεις μας για τη βία και τον επαναπρογραμματισμό τους από τη στιγμή που τις καταλαβαίνουμε.
So, I wonder how will all these behaviors come together? How can we all understand them as parts of "hacking"?
It is basically not to expect to get a license, just in each of these cases, that's what someone tried to do, something different in the world. It is also in each of these cases, people who really understand the system. I mean, it may be less for an IKEA hack - because it's simpler because you got it to do with furniture - but in the case of some of the informers hacks and Gary Slutkin, it took five years understanding and research on how to proceed to cope with violence and how to diagnose violence in that country.
And that knowledge contributed to the type of approach he designed. And I think similarly speaking more and more, we need hackers to participate and not just to question some of the monitoring systems that are being created, but they are the ones who know how these systems work and they are the ones who have the ability to transform them , because they know them so closely.
In both of these cases, it's a really deep dive into a specific subject or a field and to be able to create that kind of change. There is a kind of revolutionary spirit in both. We should care less about what other people think. Often, we have more than one kind of identity as outsider.
Gary Slutkin is believed by some in the regime, from the traditional police force or even from mayor offices in some cities, that what he is doing is something that is devastating and threatens the status quo and that it can be scary. And I think similarly, many anonymous hackers or hacker whistleblowers do something that is equally inconvenient and poses new challenges to the status and existing power systems. And I think they really have great respect for each other.
* One of the most bizarre examples in the chapter on hacking is the pirates of 18 century, and you are confronting them with merchant ships, operating in a highly hierarchical, disciplined, almost authoritarian way and that meant that a little- many on the ship somehow had exploited them. And contrary to this, pirates had set up a much more shared environment and were much more willing to share wealth and allow everyone to participate in decision-making.
So, I think one of your points is that challenging systems and calling for more radical transparency in these systems is one way that the hacker's ethos is so long-lasting and may become even more mainstream these days.
The example of pirate culture is really interesting and it is also associated with people who are currently trying to find ways of hacking cultures and cultures. I do a bit of research about LARPing (live-action role-playing) and people who use this kind of game are no longer nerds running around in the sword forest, but it's really a way of modeling emerging species of civilizations.
So if you want the financial system to look different, what would happen if we were creating a LARP around it to live what it could be? If you want to design a more communitarian kind of society, how will you feel to live in it? Basically you can use LARP as a way of life, living some of these different scenarios. I think that this may be more and more a way that we can get to the point of hurting cultures / cultures in the same way that pirates created this marginal culture that operated with more alternative and equal principles than the commercial ones ships.
* Let me go to a slightly more generic position and talk about the book in general and your perception of the issue of inappropriate economy. How does hacking match your wider idea of the unprivileged economy and what exactly is that idea?
The Unobtrusive Economy, in many ways, is basically a manifesto for people to actually embrace their own inappropriate, parody or counter-culture, their personality. I think that if we look at the historical form of capitalism and labor at the factory, it was really a system of command and control where you put an outfit and present yourself at work and leave your values and your quirks and everything you do, you, at the entrance door there. And this is a truly anonymous kind of environment.
"I think everyone realizes that the freelance economy, the sharing economy movement, all these emerging things are not as utopian as we thought they were"
And so the inappropriate economy examines the ways in which we can bring a greater degree of authenticity and originality to economic life and to real thinking on cultural / cultural formation in a very different way. No one has a job for a life anymore, in the traditional sense. Increasingly, there is this development of the independent economy (freelance economy). I think it's really about looking for ways - if the scale went too far in the direction of standardization and central structure and centralized power and administration, and in command-and-control systems-to be how we can move forward with greater informal way and with improvisation and how to do it by bringing more of ourselves out of the things we do.
* We could, in a sense, in this context and bring more of ourselves to economic life in a more authentic and fulfilling way. But it could also simply end up being made to allow for precariousness under its flag, "everyone is a freelancer now," in a way that might be a consensus or a resignation in a certain way of economic life. Was that something they also thought about?
Yes. I guess I'd like to figure out, what are you precarious about?
* In the context of an inappropriate economy, you have things like hustle (do something strong, hurry, push or push), hack (hack, change something to work differently) and copy - part of cause I think are considered inappropriate economic approaches, or that they are out of mainstream, is that we have built a system that does not actively or vocally embrace these ways to achieve or even simply to make a living. So these seem to be both coping mechanisms and new ways of dealing with the economic reality. I know a lot of freelancers who both hustling and working continually and still feel anxious about the uncertainty of their financial situation. In a way, they could feel more complete, but they also feel like they hustling all the time, and that's exhausting.
So, I'm just curious about whether there was a tendency for you when thinking about people who have moved to more informal economies that are almost by definition because of their informality more precarious?
I think about what we have seen with the sharing economy movement or what happened with Uber and how she cares for her employees - or does not take care of them. I think of the many people who have been forced to turn to the shadow economy to provide them with a more precarious existence, and certainly these are the drug dealers we talked about, that hustling is a way of life because they were born in poverty and this is not ideal.
But our system really breaks in so many different ways, and it turns into how it is organized. And even later this month, I'm going to go to this hackathon for people who come across the old-age movement and the trade union scene to be in talks with emerging techno-for-good start-ups trying to build some of these solutions for, "Well, how can we build collaborative patterns for freedom?"
At the time of the financial crisis, I thought we were going to have this massive shift towards alternative forms of economies, in the direction of new economic models. And instead of having such a thing, we really had a system of the kind that kept itself and kept the assigned power systems and saved many of these institutions. And this has, in many ways, detrimental to an even more populist type of economy.
I think everyone realizes that the freelance economy, the movement of the sharing economy (sharing economy movement), all these things that are emerging are not as utopian as we thought we were. And I guess the question is, "Well, how can we reschedule these systems and design solutions and different kinds of models for these systems and not just try to spread the old kinds of industries whose business models quickly die anyway? "Does that make any sense?
* Yes. One thing you brought to the hacking section of the book is Mark Zuckerberg, who says, "It's better to do something than try to be perfect." (Paraphrase). So it seems like we are in the middle of it right now: going on our way through what the next economy is going to look like.
I think that's just the right thing. I do not think the inappropriate economy is a draft for a new economy. I would have liked it very much, but I think it is really a set of skills for a transition economy, and that's where we are right now.
Photo by Alexa Clay
References:
