Chatting and hacking
Opinion columnist Andrew Kouri chats with the hackers behind @R00tTh3B0x
I’m surprised to be writing this, but I think this week’s virginia.edu hacking incident is terrifically ironic. Before I chatted online with the two hackers, who go by the handles “x86” and “n3tcat,” I thought that the episode could be an important milestone for computer science and information technology at the University. Now, I think there are a few takeaways. First, the incident serves as a reminder that we must never rest assured that systems are, and always will be, secure. Second, improperly managed software can cause unanticipated problems. And finally, a quick response does not always equal the best response.
I chatted with x86 and n3tcat using an encrypted application called Cryptocat, which prevented me from determining their IP addresses and consequently protected their anonymity. My purpose for chatting with them was to find out their motives and to see if they shared my view that we should always push technology to its limits for the purposes of testing and furthering our general security.
I asked them why — if they had access to everything (as they claimed) — they would only take down the site’s homepage, leaving the University’s other online systems intact.
Their response was that they are different from the typical “script kiddies” who “don’t have a passion for it, [but] just want the fame.” They “simply dislike the rest of the hacking community” and are trying to hold the data, making “MBs to GBs, GBs to TBs, etc.”
I decided to dig further into this statement, which implies that they are stockpiling the University’s data for release at a later date.
I asked: “So what do you want from [the University]?” They replied that they wanted neither money nor recognition, but that they wanted “[the University’s Information Technology Services] to apologize to the community, and to admit that we have access to plenty of data that they say we don’t. Then we will leave the University of Virginia alone, and move on.” To that, I replied: “But you don’t. You’re bluffing.”
As proof, they sent me an image of a database file that they had supposedly downloaded. It did not contain any specific information, nor was there evidence that the file was any more than just a random database. After some bickering about the validity of their proof, I asked them if they had a specific time for when the data will be released. “No,” the hackers said.
At this point, it became apparent to me that these two were not so dissimilar from the “script kiddies” from whom they dissociated themselves. Still, their actions leave us to scrutinize the way in which the University maintains its websites.
The hackers admitted to “exploit[ing] UVa through [the University’s] ‘honors’ [sic] wordpress.” WordPress is an open-source blog platform that was found to have a vulnerability two weeks ago. Site owners were encouraged to create strong passwords and update their installations to the latest version of the platform’s software, but it seems the Honor Committee’s website managers did not fortify their page.
R00tTh3B0x said that they were trying to “teach [ITS] a lesson” and “[let students] know that nothing is secure.” Distilled to an actual credible point, I think that if x86 and n3tcat taught us anything, it is that there is no such thing as “set it and forget it” in software. Patches are constantly being published for security holes, and if software is left unmaintained, “we enter and wreak havoc.” Because, “whose [sic] to say we don’t want to watch everyone panic?”
So what about the University’s minimal response? I think it is a prudent move. When I asked about their communications with ITS, x86 responded: “They’ve ignored.” And there is no concrete evidence that the hackers have any worthwhile tricks left up their sleeve. In an attempt to prolong their media attention, R00tTh3B0x tweeted a masked link to trick those who may not know about this age-old Internet trick. If the University had panicked and released a statement quickly, it would have fueled the exploiters’ desires and taken credibility from our network administrators, who responded quickly and effectively to the threat to ensure that no personal data was lost.
In our conversation, the hackers assured me that “Only time will tell. If we aren’t acknowledged by ITS, then we will release plenty of information against UVa.” Though I believe there is no threat, the cyber attack nonetheless serves as a reminder that, as the hackers say, no system is entirely secure.