Aaron’s suicide: System Contributed, Society Perpetuated

If you are unfamiliar with the circumstances surrounding Aaron Swartz’s suicide, the rest of what I have to say will not make any sense to you. 

Aaron Swartz, an inspired and inspiring fellow hacker, left us by his own hand at the age of 26. This story, his story, is nothing less than tragic. The world is lesser without him. For his [alleged] ‘computer hacking crimes,’ he faced 35 years in prison, 3 years of supervised release, and fines of up to $1 million. This degree of punishment is more than someone would receive if found guilty of providing direct support to terrorists in the acquisition of nuclear weaponry. Think about that. Angry? So am I, but that’s not enough.


If you believe the actions of the Massachusetts U.S. Attorney’s office, and that of prosecutors Carmen Ortiz and Stephen Heymann were atrocious, reprehensible, despicable even, and think, as Aaron’s father does, their actions contributed to his son’s death, I’m with ya. At least 43,666 share similar outrage with you, well, us. A White House petition is calling for Ortiz’s removal from office. Burn the witch! But be careful here, if you think this will change a damn thing, that society’s usual focus of rage will somehow save a future young life, and lead to some kind of social justice, that’s where we part ways.
You see, many will look at the circumstances and correctly conclude, “something is wrong here” and “something needs to change!” Unfortunately, they’ll focus their rage on the wrong things, things they are told to get upset about, and mistakenly serve to protect the system that contributed to Aaron’s suicide. They’ll focus rage on the prosecution’s behavior. They’ll focus rage on “appropriate punishment” of the crime. They’ll focus rage on amending or removing a defective CFAA law and supposed intent of that law. They’ll focus rage on obtaining social “justice.” Bzzz, wrong! Fake out!
I concede that these are normal, natural, yet systemically trained responses. Rage focused this way guarantees that more similarly minded political appointees get, well, appointed. Rage focused this way guarantees we’ll get no justice. 

Aaron’s story was never, ever about “the law” or that pesky word, “justice.” Like ~90% of cases, this was NEVER going to get to a trial. You know, the visual you get where you have rights to a judge, jury of your peers, call witnesses, opportunity to confront your accusers, articulate lawyers and everything else you see on Law & Order. Like “justice,” getting a trial was never on the negotiating table, where justice is supposedly decided. The prosecution didn’t want it. Aaron and his lawyers didn’t want it. This entire charade was about plea bargaining, a place where you have none of these “constitutional rights.” This case all was about the manufacturing of yet another felon, about career advancement. Look, one of Aaron’s prosecutors admitted as much right here:
“I must, however, make clear that this office’s conduct was appropriate in bringing and handling this case.”
Carmen Milagros Ortiz, United States Attorney for the District of Massachusetts
Please don’t waste time debating whether or not you feel the prosecution was going too far. That’s the fake out. The same fake out you’ll see in the headlines that protects the system. That answer doesn’t matter. Instead, ask yourself WHY the prosecution thought their “conduct was appropriate.” That’s the dangerous question few are willing to entertain. They do really think that, you know. They’re not lying. Prosecutors are trained to think that way. We train them to think that way. And from the system’s perspective, it was! Appropriate.
You don’t agree? I don’t blame you. If this was anything about justice, please explain to me why on the same website, in the Office of the US Attorneys’ own mission statement, does the word “justice” appear exactly nowhere.
A clever, curious, person might ask, “if not justice, what is all of this really about?” Well, if you work for the U.S. Attorney’s office, or work as any trial lawyer for that matter, your career is weighed and measured by your Win – Loss record. And in case you didn’t know, plea deals are a “Win,” for all the attorneys, no matter what side of the divide they are on. Plea deals are faster, cheaper, and again where the defendant has little to no “rights,” which is why power loves ’em — protects them.
Secondly, taking on high-profile cases like Aaron’s and “winning” are worth extra points. It gets the attorney’s name out there, helps them differentiate themselves from their peers, and advances careers. It’s all about the money power baby. Don’t believe me? Ask Gloria Allred. Ask Aaron’s attorney. Don’t bother, Wired already did:
“Heymann [prosecutor] was looking for “some juicy looking computer crime cases and Aaron’s case, sadly for Aaron, fit the bill,” Peters said. Heymann, Peters believes, thought the Swartz case “was going to receive press and he was going to be a tough guy and read his name in the newspaper.””
Unconvinced? Biased source right? Check out the press release from U.S. Attorney’s office website about the case. “Alleged Hacker Charged With Stealing Over Four Million Documents From MIT Network.” Yes, that’s a PRESS RELEASE! PRESS PRESS PRESS. Why does this impress you, society? And it does, because they wouldn’t do it otherwise. I’ll tell you what lawyers are NOT graded on is their appropriate application of that nebulous word, “justice.” Otherwise we’d see big headlines espousing that. We don’t. Still too cynical for you? Maybe this will help, but it won’t make you feel better:
“Ortiz [prosecutor] said it was a generous deal her office offered, and it took into account that Swartz’s actions were not financially motivated. She said Swartz would have been confined to a “low security setting.””
Please show me where appropriate application of justice entered into the thought process, especially when there were no plaintiffs left at that point. I’d be willing to bet law school systemically eliminates justice-minded do-gooders. Now, have another look at that US Attorneys’ mission statement again. See what does appear?
“United States Attorneys are appointed by, and serve at the discretion of, the President of the United States”

Ask yourself, are political appointees selected on their career merits or on the basis of their political clout? Bzzz. Sorry, trick question. The answer is already on US Attorney Carmen Ortiz’s very own Wikipedia entry. Says it right there in the second sentence, immediately after her title.


“In 2009, she was nominated to the position by President Barack Obama. Ortiz is both the first woman and the first Hispanic to serve as U.S. attorney for Massachusetts.”

Unless you count being born a woman and Hispanic as an accomplishment, the answer is plain as day. Make the boss man look good! I know this comment borders on racist, sexist. Please understand I’ve no intention of diminishing her personal accomplishments in this regard. I’m sure she had it tough. What we must question, as her customers, her subjects, is how this makes her qualified to administer justice. And apparently we think it does, otherwise why would her gender and ethnicity be highlighted first?

Oh, and I’m also sure the possibility of Ortiz being a potential Democrat gubernatorial candidate in Massachusetts had zero effect on things. Right.
Under these circumstances, if you change or repeal the law, so what? It was never about the law, or application of justice, remember. Go ahead, call for her dismissal. Change the political appointee in the same power structure. So what? Another similarly minded and well-trained appointee will gladly take their spot before the day is out. Focus on defining “appropriate behavior” when the incentives are perverted against justice. Good luck with that.
Do all these things. Declare your victory! Get your social justice and pound of flesh. What you’ll also do is protect the system that manufactures felons and contributes to the suicide of our best and brightest. Do everything, but ask the dangerous question… WHY. WHY does basically everyone take a plea deal? WHY do prosecutors prefer them? You better ask it because it’s the only justice system any of us are likely to experience. You do know most everyone is committing three felonies a day, right?
And so what if Ortiz is fired. It’s not like she is going to be disbarred. She’ll immediately go across the street to a private firm working the other side of the table, probably making far more money too. And if you are in a similar position to Aaron’s, you’ll find her credentials impressive. A “former” U.S. Attorney appointed by the President of the United States, who knows all the players and the plea bargain process. Hell yeah. Because when YOU are facing hard time you’ll not be the slightest bit interested in justice after all. What you want is to get off, and she’s the best person for the job. Did you know Aaron’s attorney, Elliot R. Peters (Partner at Keker & Van Nest LLP), previously worked in the U.S. Attorney’s Office, Southern District of New York?

Let’s explore one layer deeper into the perversity of the system. Upon Aaron’s death Federal prosecutors were forced to dismiss the charges against him. Not because of a lack of evidence, mind you, but because there is no defendant, obviously. In addition to a PR hit, we must assume a “dismissal” counts against the prosecution’s Win-Loss case record. From that perspective, the prosecution did NOT want Aaron to die. They would have much preferred him to live, take a plea, or at least suffer a conviction. On the other hand, Aaron’s attorneys scored a dismissal — a “Win.”

Whoa, whoa there. I’m not saying Mr. Peters or Keker & Van Nest LLP wanted Aaron to die. No. What I’m saying is that the system is set up such that when something like this happens, something that sparks true outrage, then that rage needs to be directed, and that the defendant’s attorneys don’t lose. That’s important because otherwise they wouldn’t play along in the farce.

But that can’t be, the thought is too terrible to bear. I agree with you. Their defendant committed suicide after all. What do they do then? Aaron’s attorneys immediately focus rage on the prosecution for being, what’s the word they used, “intransigent.” Whatever. They, the prosecution, are the real problem here! Right! Wrong! Whatever you supposedly chose on your own doesn’t matter one bit. The point is you picked a side and played along. The point is you, society, bought it. Burn the witch!

All that happened here was Aaron died and the system won.



Hack Yourself First: Jeremiah Grossman
Written Speech: TEDxMaui — Hack Yourself First

Earlier this year I was fortunate enough to give a presentation at TEDxMaui. Previously I discussed what getting the opportunity was like and the overall experience of being on stage — nothing short of amazing — life changing. While the Hack Yourself First video recording was recently posted, no amount of preparation would allow me to really say everything that I wanted to and in the order necessary. Everything I really wanted to say, in the written version…

—–

Every day, every day the life-blood of our nation, the fuel of our economic prosperity, is being sucked away, invisibly and without our knowledge. Every day, our country’s innovation is being stolen, our national security jeopardized, and your most personal information is being robbed – by computer hackers – malicious hackers. Hackers, who are located both domestically and abroad, are getting away with data by the terabyte daily and are profiting in the billions annually. 


And do you know why?

Because hacking is easy. Because hacking works.

I know this because I am a hacker – no, not THAT kind. My kind is like the Jedi as opposed to the Sith. You know, there are the good guys and there is also the dark side. In the world of hacking it’s no different.

More than being a hacker, I teach other people how to hack. In fact, I teach a lot of people how to hack — all sorts of ways to hack into banks, retail websites, social networks, government systems, … into computers just like yours and your online accounts. I teach people how this can be done from anywhere across the Internet. 

I’ve been invited to teach these skills, publicly, for the past decade — to businesses, to government agencies, to university students, and industry groups, across six continents. I share stories about precisely how every day people, just like you, and businesses, just like those you own or work for, governments too, have been hacked into, often and with ease.

I bet many of you are wondering why this is a good thing, teaching people how to hack. I know hacking is often stereotyped with illegal or nefarious activity. I also know teaching people how to hack, building up our cyber-offense skills, and focusing these skills inward at ourselves, are critical to our national security and helping ensure the economic well-being of us all.

I call this approach, Hack Yourself First, a concept that can, and must, be used as a means to defend ourselves.

I feel so strongly about this that I built a company, WhiteHat Security, around this idea. At WhiteHat, we get paid by companies, who do business online, to hack into them and explain how we did so. And they pay us a lot of money to do this work. On the average website, our team can identify one or more security gaps, usually in under 20 minutes.

In under 20 minutes we’re able to locate digital doorways to take over some or all of their systems, steal whatever sensitive data they have, access their customers’ accounts, or steal data they have on the system — all the things that could have made headlines like those you’ve probably seen a lot of in recent years. This is actually what they are doing right now back at headquarters. This is the work we do every day.

And let me make something else perfectly clear. These are systems owned by the largest and most well known organizations in the world. You know them. You do business with them.

These companies pay us to hack them because they know, as we know, that anything and everything connected to the Internet will endure some type of cyber-attack, likely several a day. They want to avoid being another headline, another cyber-crime victim. They want to know what the bad guys know, or eventually will, so overlooked problems in their security can be fixed. And all this, so you can remain confident in doing business with them. 

So, Internet security can be thought of as a race between the bad guys who find and exploit security weaknesses, we call them vulnerabilities, and the good guys who find and fix them. Unfortunately, no one is quite sure which group has more people. It would not surprise me if the good guys are outnumbered when it comes to Internet security, as anyone with an Internet connection can become a malicious hacker these days, and earn money doing it.

What you might find interesting is that many hacking techniques are not sophisticated. There are tricks that really anyone can do. In fact, I’d like to teach one of our tricks right now.

*REDACTED* Watch the video! 😉

See, I’ve now taught the people at TED how to hack. Keep an eye on the people sitting next to you. They’re hackers now!

I’ve also shown methods to steal or reset someone’s passwords, monitor their email, snap pictures of them with their computer’s built-in webcam without their knowledge, siphon money out of their bank account, find out what websites they visit, make it look like they downloaded child pornography, and the list goes on. Doing any of this requires only slightly more sophistication than what I just described in many cases. If I had an hour, instead of 15 minutes, I could teach you how these things are also done.

I should mention that firewalls and anti-virus software don’t provide any sort of real protection to any of this. It’s kind of like wearing sunglasses and expecting not to get a sunburn. They’re better than nothing, but far from solving all your problems. 

We all have a vested interest in the Internet and its future. 

A few years ago I recognized that the bulk of not only my professional life, but my personal life as well, was spent in front of a computer. 

One day I wanted to get out and do something else, anything else, for a few hours as long as it wasn’t in front of a computer screen or on a cell phone, which is nothing more than a tiny computer these days. I considered watching TV or a movie, listening to or learning music, reading a book, writing a book, researching something new, buying something nice for my wife, etc.

The trouble was these things are typically done on a computer these days. I had to try really hard to think of things that have nothing to do with a computer – something that gets increasingly more difficult each year with technological advancement.

It occurred to me that the vast majority of my life, and the lives of those around me, are completely tied to pervasive computer use – and an Internet connection. That’s when it really hit me that my work on Internet security is important to just about everyone. Look around at how many of you here brought your laptops, your iPads, and smartphones, and are right now connected to the Internet. Without the Internet, many of us might not even know when and how to get to our next appointment.

By the way, are you using the public WiFi? Just curious.

The Internet has been instrumental in helping overthrow oppressive government regimes. At the same time our leaders, from the US and UK governments, are on the record having reserved the right to retaliate against cyber-attacks with military action. Bombing computers and computer hackers is part of the plan. I guess you might call this policy bombs for bits, a policy that should really concern us.

When you think about it that way, Internet security, computer security may now be more important to you than it was a moment ago. Isn’t it?

I’d bet that everyone – everyone here, everyone who will be eventually watching this video – at some point has had their computer hacked into and been infected with viruses, had one or more of their online accounts previously taken over, or at the very least knows more than one person who has. 

Does anyone here want to claim they’ve never been hacked? If so, please raise your hand, I’d like your email address and we’ll get that sorted out.

Hacking, malicious hacking, cyber-crime, has already touched all of our lives, and does so more often than we are lucky enough to be privy to. These days many experts believe you are more likely to be a victim of cyber-crime than any other crime. 

For you, most of the time getting hacked means a slow running computer, annoying pop-ups, losing some money, your personal information exposed, identity theft, and perhaps some public embarrassment. Bad, but not THAT bad.

If you are a politician, celebrity, news outlet, or a corporate executive, your position, your access, puts you at even more risk — including those closest to you – the bad guys will hack their way closer to you, one friend or family member at a time if they have to.

For businesses and governments, who are also hacked into daily, the damage is often far more severe. Professional cyber-criminals who target them of course are after money, but they also want intellectual property, trade secrets, and military capabilities, which can be worth much more than the contents of any bank account. These things are vital to our economic well-being and national security. 

Even more revealing is who they work for and what motivates them. For this I’d like to quote Ian Bremmer, President of Eurasia Group.

“When you have hundreds of western multinational corporations that have seen industrial espionage, that’s been directly targeted at them through cyber attacks, massive unprecedented cyber attacks, that were either directly organized by the Chinese government or were known about and actively tolerated by the Chinese government on behalf of Chinese corporations — that’s a pretty good description of a war.”

There is a reason why Chinese fighter jets and rockets look suspiciously similar to our own.

I don’t mean to single out China, they are certainly not the only ones being called out for engaging in cyber-crime and cyber-espionage. On that list is also France, Russia, Estonia, Romania, Ukraine, etc. There is no solid confirmation, but it wouldn’t surprise me if most countries in the modern world are actively engaging in cyber-offense.

Mr. Bremmer goes on to say…

“National security is no longer about tanks. National security is increasingly about economic well-being, internet security, and issues that allow us to live on a daily basis. We’re not worried today about the Soviets blowing us up with nukes, but we are worried that our kids will be able to enjoy a quality of life vaguely related to our own.”

That is exactly right! 

How can a corporation, even the largest, let alone small businesses and individuals, possibly defend themselves against such an adversary — literally, armies of well-funded nation-state sponsored hackers. Hackers professionally trained, with no reason to fear our laws, who are equidistant from their victims, that’s US, and operate 24 hours a day, 7 days a week, 365 days a year. 

Many people in positions of power have expressed concern about the Internet being brought down. I’m more worried about what happens when it stays up. I’m worried about the long-term economic damage, the loss of our ability to innovate, the inability to take advantage of the opportunities that the Internet provides. Most of all though, I’m concerned about what happens if the majority of people, all of you, lose confidence in the system — the security of the Internet – and either stop or limit your use of the Internet.

New laws against hacking are not going to help this problem. Conventional warfare tactics are not much good either. The perpetrators can be geographically located anywhere, are extremely difficult to identify, attribute, and track down, and are even harder to extradite and then successfully prosecute. Not to mention that foreign governments are highly unlikely to turn over soldiers in their own hacker army.

Having said that, improving international cyber-crime law enforcement is a path necessary to pursue as part of a larger program, but we should be realistic about its limits.

People ask me all the time, what do we do? How do we secure our computers, our networks? How do we secure the Internet? The reality is that a problem as diverse and wide-reaching as cyber-crime cannot be solved by any one thing, but I’ll tell you this — protecting the Internet requires a completely new way of thinking. I have an idea, an idea worth sharing. Hack Yourself First. An idea furthered by teaching people to hack, and in a manner of speaking, making hacking legal.

While our cyber-defense ability is severely lacking, one thing we all clearly know how to do extremely well is cyber-offense. Offense can be used to inform defense. 

Hacking a system that doesn’t belong to you, without the consent of the owner, is against federal law, as it should be. The problem arises when system owners don’t provide consent, which only serves to ward off good Samaritans who would have gladly shared what they knew and helped protect their users. The bad guys, the real bad guys, do not care and are not deterred.

What most don’t realize is that any individual, business, government department and so on can actually invite hackers to test their systems lawfully, and provide a safe way for them to share their results. Put simply: let anyone who wants to try and hack in. I realize that to many, suggesting such an approach might appear counterintuitive, but what it’s not is unprecedented.

Recently a few forward-looking companies started new programs and did exactly that — openly welcoming hackers (they use the term “security researchers”) to attack their systems, and publicly crediting them for their discoveries. It’s almost like crowd-sourcing Internet security. Some are even rewarding those who point out serious security gaps with stacks of cash. The industry calls these bug bounty programs.

The companies offering these programs are far from obscure: these are some of the biggest sites, with hundreds of millions of users, transacting billions of dollars, and are some of the most visible companies on the Internet. You may have heard of a couple of them.

Google, Microsoft, PayPal, Facebook, Salesforce.com, and Mozilla. All of which have directly felt the pain of nation-state sponsored attacks and/or organized crime. They’ve committed not to sue or press charges against security researchers who find vulnerabilities in their systems and discreetly share the details with them. Collectively they’ve awarded millions of dollars to security researchers and resolved thousands of previously unknown issues, which protects us all.

These companies have stated that their programs have proved extremely cost effective, helped them identify and hire security talent, eliminated many negative PR headlines, and improved security for themselves and their customers. Huge wins for everyone. All the warnings detractors gave about why bug bounty programs were a bad idea simply failed to materialize.

Unfortunately, Internet security history is littered with counterexamples where other companies have responded with hostility to those trying to help, such as Daniel Cuthbert, Patrick Webster, and dozens of others.

This reminds me of Rule #1 of recreational hacking: 
Never ever, ever touch government or military systems. 

A rule written well before anyone mentioned anything about a militaristic response. Anyway, the rule reminds curious hackers that the government, should it choose to track you down, has an enormous budget of time and money to do so – far more than any company, all of which must eventually weigh the cost effectiveness of an investigation. What it also means is that to hackers, the Jedi, government and military systems are like the forbidden fruit.

So imagine the excitement if our government and military officials truly started to embrace “Hack Yourself First” and offered up bug bounty programs! Let me tell you, every aspiring and well-known hacker out there would jump at the chance to match their skills against the cyber-defenses of whitehouse.gov, fbi.gov, army.mil, and the thousands upon thousands of other systems. The street-cred alone would be worth it to many, but a bonus would be helping to protect their country.

There is no reason such a strategy could not be adopted by just about anyone. Doing so could end up being the most important long-term economic and national security decision.

I used to work for Yahoo. 12 years ago I hacked Yahoo Mail. More accurately I hacked into my own Yahoo Mail account, to see if I could do it. Some people have hobbies like artwork, sports, cars — I hack. I found a way, several ways actually, to get into my inbox without needing a password. I let Yahoo know the details – promptly and privately. In return they gave me a t-shirt. I was pretty excited about that.

A dialog followed with one of the founders, which later earned me a job — to hack everything that Yahoo had, before the “real” bad guys did, and my experience there led to a career. 

A company with a different point of view might have decided to call their lawyer, or the cops, file a lawsuit, and cost me my job and the freedom of a 21-year-old. In which case, I wouldn’t have been in front of you here today — teaching you how to hack and the importance of Internet security.

Remember, security is optional, but so is survival. 

It has been said that if you are playing a game that you can’t afford to lose, then you must change the rules. Hack Yourself First.


WhiteHat Security is a leading provider of website security services.



Posted in Uncategorized


TEDxMaui — Hack Yourself First

Update 04.12.2012: Video of the presentation embedded below.

Ten years ago, if you had told me that I’d be back living in Hawaii, founder of a fast growing technology company, and a TED speaker — I would’ve said, “What’s a TED?” Preparing for TEDxMaui was extremely difficult. The presentation format is completely different from anything I’ve ever done before. It was limited to just 18 minutes as opposed to 50, and given to an audience of everyday people eager to see something amazing, instead of security professionals and high-tech workers. The message had to be crystal clear. Since TEDxMaui videos won’t be published until late February, you’ll have to settle for my substandard textual description for now.

I wanted everyone, both the viewers in the audience and those who would eventually watch the video, to deeply appreciate the crucial importance of Internet security. I wanted everyone to know that to discuss Internet security is really to discuss our economic well-being and our national security, and I wanted everyone to know that both are under attack — every single day. Most of all I wanted everyone to know that hacking, and people learning how to hack, is absolutely essential to defend ourselves. I labelled this concept Hack Yourself First, the title of the presentation. Hack Yourself First advocates building up our cyber-offense skills, and focusing these skills inward at ourselves, to find and fix security issues before the bad guys find and exploit them.
Before presenting Hack Yourself First I had to first imagine how the audience would respond. Most watching undoubtedly have only had negative experiences with the words “hacking” and “hackers.” All they likely knew of hacking was in relation to viruses infecting their computers, stealing money out of (their) bank accounts, TV interviews of shadowy characters wearing Guy Fawkes masks, salacious articles featuring cyber villains, and of course bad Hollywood movies. Whether we like it or not, these are the ambassadors of hacking, so the idea of teaching cyber-offense skills might be considered akin to illegal activity. Just the same, there I was on stage revealing that, “Yes, I am a hacker — but not like them.”
I don’t know what precisely it was that I said, but the message of Hack Yourself First undoubtedly resonated in a big way. No less than a hundred people introduced themselves to me afterwards, excitedly asking, “How do I learn to hack myself first?” Perhaps I shouldn’t have been, but I was blown away. And not just the very young or those of student age; I’m talking about people from 45 up to 70 years old with zero technology background. Maybe it was because I taught them a simple hacking trick, a simple hacking trick they could grasp, and even do, like those from my “Get Rich or Die Trying” presentation. Suddenly the fascinating subject of hacking, which they previously assumed was too complicated to learn, was approachable. I taught a TED audience how to hack! How cool is that!? 🙂
Many in the information security industry have been trying desperately and in vain to raise Internet security awareness among the masses. We repeatedly give people laundry lists of what not to do, and it isn’t helping. Better awareness, and better overall Internet security, could be accomplished through Hack Yourself First. Teach anyone and everyone who wants to learn how to do the actual attacks the bad guys use against them, perhaps packaged up in a Capture-the-Flag format. That would be a lot of fun for everyone. When people know precisely how hacking works, they’ll be in a better position to spot attacks against them and be on their guard.
I came to TEDxMaui to share my ideas with a wider audience, but what I came away with was more ideas from them about where we can take Hack Yourself First. 




Posted in Uncategorized