Security Talk Highlights Five-Stage Reaction And Former Teen Hacker
When I attended a keynote address earlier this year on security issues in the embedded industry, I really didn’t know what to expect. The speaker was Robert Vamosi, a senior analyst at Mocana, a company whose mission is to secure the “Internet of Things.”
Vamosi also is the author of a book called When Gadgets Betray Us. His engaging lecture had a few key takeaways as well as an update on the former high-school electronics whiz who was the first to hack Apple’s iPhone.
Five Stages of Hacker Grief
Vamosi talked about how companies typically respond to the revelation that a device of theirs has been hacked, usually when the hacker informs them about it. He said the response follows a pattern he called the five stages of hacker grief. It basically follows the five stages of mourning.
First, the company goes into denial and isolation. It says, “Well, it takes the resources of a nation state or it takes sophisticated programming skills to get this accomplished.” But the company finds that this isn’t necessarily the case.
Then the company moves to anger, which can result in lawsuits. It also can result in accusations going back and forth. The company might even disparage the integrity of the hacker or researcher who discovered the security problem.
The company next gets into bargaining, when it realizes it needs to start cleaning up its act. It decides the problem is serious and that it needs to start doing something. So, the company tries bargaining with the hacker.
And then there’s depression. Even with the bargaining, something fails, and the company bottoms out. Finally, the company rises, finds acceptance, goes forward, and survives.
The Sony Saga
Vamosi used Sony as an example. Sony released the PlayStation 3 in November of 2010, boasting about its security. Of course, since Sony is in the gaming industry, it needed to make the PS3 secure. Otherwise, there would be rampant theft of service. The security of the PS3 was based on a public-private key.
But about a year and a half ago, George Francis Hotz hacked the PS3. Readers may remember him from stories in the news—he’s well known in the hacker community—or from the reports published right here at Electronic Design. We published three stories about him back in the summer of 2007, just as he was leaving for college at the Rochester Institute of Technology.
Hotz lived just a few miles from our offices in Paramus, N.J., at the time, so we considered them local stories. You can still find “Teen Unlocks iPhone For Use With Other Networks,” “iPhone Unlock Sparks Services And Legal Issues,” and “Hotz Shows How To Use The Internet As The Ultimate Collaboration Tool” on electronicdesign.com by searching for “Hotz.”
Vamosi explained that Hotz’s hack was very public—he blogged about what he was doing. But it seemed that Sony wasn’t paying attention. Or if the company was, it really wasn’t calling attention to the fact that he was out there. Sony basically ignored him. So, there was denial and isolation. Hotz eventually cracked the private key and published it on the Internet.
Sony turned around and sued him—it got angry. Hotz decided to push the envelope. He wrote a rap song including the key and put it on YouTube. Sony then tried to get Google to give it the IP addresses of everybody who downloaded and watched the YouTube video. This didn’t work.
Eventually, Sony settled with Hotz. But because Sony was trying to stop the YouTube users from finding out that code, the company angered a lot of different groups. These people decided Sony needed to be punished for its lack of security and went after it with various denial of service attacks and data breeches, stealing the card numbers of the subscribers to various PS3 services.
Eventually, Sony bottomed out. It took the PlayStation network offline and re-architected the solution. It took a couple of weeks, but Sony brought the network back. Vamosi said this episode cost Sony up to $1 billion.
Lessons Learned
The thrust of his talk from that point on was that the myriad gadgets connected to the Internet today—the Internet of Things—are being designed without a lot of care about their internal security, with plenty more gadgets to come. Vamosi called this a huge threat landscape that designers need to start thinking about today so they don’t have to go through the five stages of hacker grief later.
As for Hotz, he was last reported working for Backplane, a startup funded by Lady Gaga.