Angry in the Great White North

In order to protect his clients, he has asked to remain unnamed in this piece.

First, he said that the incident as described in the media is not only plausible, but inevitable. Systems like the LED displays are routinely designed without even a minimal level of security because, shockingly in this day and age, application and product designers still consider security as a design afterthought, and not as a integral component to be designed into the system from the ground up, with the exception of financial and pharmaceutical systems.

Which explains why people like him are still gainfully employed.

That GO Transit and Exclusive Advertising were caught flat-footed is noteworthy only in that it took this long for the problem to surface. There are other wireless networked systems in place, he points out, with questionable security protection. For instance, the Ontario road sign system works on a similar principle.

Is the road sign system password protected? He couldn't say (or wouldn't say). But consider the chaos that could ensue if the Ontario road signs were hacked -- there would be a potential for serious traffic trouble, even injury and death.

He pointed out that the media interest in the story, propelled by blogs, serves a valuable purpose in that many firms that use similar systems are probably performing security audits, quietly and without fanfare, in order to plug up similar holes. But not all firms are that responsible, for the simple reason that for many companies, reacting to problems after they have surfaced is still the standard operating procedure. In the end, they will only do the work is their customers demand it. Often it is a simple cost analysis -- the cost of the breach is perceived to be less than a security needed to prevent it.

I asked him what, if anything, should be done to the hacker if his identity is ever firmly established. He mentioned that an US Department of Defense study on computer vulnerability found that in the general population, about 4% exhibited a "skewed value system", meaning they would consider vandalizing electronic systems a public service of some kind, either because of the political message they can spread (as in the case of the GO Transit hacker) or because they are revealing the problems in the system so that they can be fixed (though that "value" usually manifests after the hacker is caught). Though 4% seems like a small number, it represents a large number of individuals, many of whom are very skilled with computers and other technology (their skewed value system tends to make them social outcasts, which then drives them to technology as a means of expression).

As such, he felt that both as a way of protecting shareholder value and for the greater good, hackers should be prosecuted to the full extent of the law. In Ontario, though, that might mean a civil suit, since we lack laws that focus specifically on electronic hacking. He brought up the example of California, where SP-1386 "The California Security Breach Information Act" forces a company that has suffered any kind of security incident in which personal information is compromised to inform all people who have data in that system of the breach. Though not directly relevant to the GO Transit incident, it is the kind of law that forces firms to be proactive about security, since now the cost of a breach can be devastating, far in excess of the direct effect of the breach itself.

Is Exclusive Advertising out of danger now that passwords have been implemented? For a while, probably. But that doesn't mean hackers don't have plenty of other targets:

[Adam Laurie] is known as Major Malfunction in the hacker community. He also revealed how infrared used for garage door openers and car-door locks could be hacked, using simple brute force programming techniques to decipher the code that opens the doors.

"No one thinks about the security risks of infrared because they think it's used for minor things like garage doors and TV remotes," Laurie said. "But infrared uses really simple codes, and they don't put any kind of authentication (in it)…. If the system was designed properly, I shouldn't be able to do what I can do."

Ifrared [sic] is used in vending machines, scrolling LED public display signs, air conditioning systems, hotel minibars, robotic toys and home automation systems that control lighting and air conditioning from a console.

The most lucrative target? Hotel TV systems. Not only can you use a hacked TV set-top console in your hotel room to get 24-hour porn, you can use it to access to other systems, altering minibar bils and room-cleaning status reports. With that sort of control, you could empty the minibar for free, and trash you room, confident that the front desk clerk will see nothing reported when you check out.

Not surprisingly, hackers are not popular at hotels. The yearly hacker's convention, DEFCON, is now banned from many Las Vegas hotels for past incidents of hacked security systems, billing systems, elevators, room locks, etc.

The point is that for many people, what we call mischief and criminal trespass they consider good clean fun or a even a public service -- part of that skewed value system. Our friend Joshua denies being the hacker, but he won't say what the hacker did was wrong -- he simply doesn't seem to see it that way. That so many systems are still unprotected means that these people have plenty of opportunities to cause trouble, the sort of trouble that earns them praise from fellow hackers and hacker groupies, the sort of praise they never get in the real world where people like us see their actions as malicious and destructive. My friend is very concerned that critical systems are still vulnerable. Even vulnerable non-critical systems, like the GO Transit signs, represent important investments for firms and important sources of cash flow. These vulnerabilities will continue to be exploited, and one day, people are going to get seriously hurt.