Black Hat


When I first moved to Galveston in 1990, my social circle was very small. In fact, it was Curtis O’Neal. We were the two people we knew who played Axis & Allies, D&D, and, wait for it, computer games. Not Atari or Nintendo or Odyssey (all console games) but PC games. New on the home front was a fast action flight simulator, Jetfighter.


For those of you who do not remember, there were some weird security features in PC games back in the day. The most annoying was the need to keep the CD in the drive, even after loading the program. This feature made sharing the software pointless. Another trick was asking periodically for a password from the manual. Not from a list of passwords. Too easy to copy. But the fifth word on line 9 of page 17. A different word EVERY time, what a pain in the ass! Even if you owned the game.


Jetfighter went a different route. It required you read the instructions for a carrier landing, and then perform 3 successful landings, before allowing unrestricted play. This demanded a lot of reading and the kind of time needed to fly the landing pattern three times. Well, the time to fly the pattern many times if you kept crashing.


Being the young Mavericks we were (see what I did there), we had a different plan. Jetfighter was a DOS game (that we played on an 8086-chip set). Displaying the code side by side in both ASCII and hexadecimal, we could weed out the “training” missions played compared to the number required. We simply changed the numbers to equal each other and resaved the code. Opening the game up again, Viola! Good to go.


Why, pray tell would I drag up this arcane trivia? Because it is exactly, on a more sophisticated level, what serious hackers are doing to get into Bank of America, Google, WhatsApp, and the Phoenix Municipal Police Department to gain access to your personal information.


No, hackers are not just changing a “1” to a “3”. They are exploiting bugs already within the software that you use every day. They are silently embedding key loggers, tasks, detours, and eavesdroppers (among other things) to turn your software against you. They are changing addresses and rerouting the data, YOUR data, and marketing it, or just making it available to the public.


Won’t anti-virus software and firewalls stop these? The answer is no. We have graduated from that. Viruses, trojans, and worms are yesterday’s news. More sophisticated exploits now run off of weaknesses within the software that run your devices. Entire servers are dedicated to replicating legitimate websites and collecting your data.


A modern phishing scam will masquerade as an email from a trusted friend or business. The email will contain a link, also genuine looking. The URL in the link looks like a link you use. For example, “bankofąmerica.com” instead of “bankofamerica.com”.


Or, it is shorthand for a longer address and the only part you see (unless you expand it) is “bankofamerica.com”, instead of “www.russianhackers.givemeyourmoney.sucker!!!/ whichbankshouldwepretendtobetoday.howabout/ bankofamerica.com.ru”.


In the early days of the internet, porn sites were famously targets, or sources, of viruses and exploits. A demonstration scared me away from internet porn early on. An acquaintance of mine thought he had found the most amazing porn site. The site was the more appetizing because it was billed as free, but as soon as he clicked on the link his screen was inundated with pop-up windows dealt too fast and too furious to close, and his machine was locked up in a Denial of Service attack. I’ll stick with them sticky old magazines, thank you.


Does the Operating System matter? Well, kind of. Windows machines were always more susceptible to attack. Microsoft was lazy, modeling their business on volume, not quality. And most new computers came preloaded with Windows. Macs were considered immune. Not because they weren’t hackable, but because they garnered less than 20% of the market. They weren’t worth the hacker’s time.


But, what kind of phone do you have? Not long ago an Israeli security outfit (with Nation State backing) launched a package chock full of Zero Day Zero Click exploits targeted at iPhones. Binge watch Mister Robot to catch up on these terms, and Google “Pegasus Spyware”. Did it work? Well, Saudi Arabia is suspected of using it against American journalist Jamal Kashoggi to track him to the Consulate in Istanbul before strangling him and hacking him into little bits. His crime? Reporting against the crowned prince of Saudi Arabia. And this program was sold to over 100 actors, including many Nation States such as Mexico and the US FBI.


Will your anti-virus catch it? Oh my naïve little Luddite! Did we learn nothing for the Maginot Line? How much do you really think your freeware will stand up to software that has been rumored to sell for around $55 million? And some reports say most antivirus companies were bullied into setting their anti-virus and firewalls to IGNORE Pegasus.


What does all this mean? It means, get your shit together. Never mind the “dark web”. Those are bogeyman stories. Practice computer hygiene. Slow down on the clicks. Segregate. Compartmentalize. Don’t use your personal computer for work, or vice versa. That is a tunnel just waiting to be dug. Keep your shit on an external hard drive and unplug when you’re done. For that matter, turn off your Wi-Fi and Bluetooth when not online. Hell, put it in airplane mode while you’re sleeping. Get an RFID shield for your credit cards and work badge.


Sound spooky? Buddy, I’m not even scratching the surface. But why should you listen to me? Because I use Linux OS (not saying the flavor) on a Raspberry Pi and my kids speak Python, Java, and C++. However all I should have to say is - in 1990 I was playing Jetfighter for free. Yes, I’m proud of that one.


For more uplifting stories, listen to the podcast Darknetdiaries.com and check out the website Citizenlab.ca.

Featured Posts
Recent Posts