Lorenzo Franceschi-Bicchierai writing for Motherboard: No, You Don’t Need a Burner Phone at a Hacking Conference
If you work in the infosec industry and you really believe you need a burner phone for these conferences, you may need to do some soul searching. What’s the point of having a $100 billion industry if it can’t secure phones in a place where a bunch of hackers gather?
Also, as well-known hacker Space Rogue said, the Def Con network is now one of the safest (and better monitored) in the whole world. That means it’s harder to do mischievous stuff on it, and if you do, it’s easier to get caught.
As Marcus Hutchins, also known as MalwareTech, wrote on Twitter, “Defcon burner devices are yet another example of how people in an industry that should be largely focused on threat modeling can’t come up with sane threat models.”
Infosec conversations, like HUMINT, reward the paranoia that sees demons in every corner. I’ve only attended a couple of information security conferences, and the levelheaded speakers do talk about how things are bad, and could be better, but the world isn’t burning. There have been a few speakers that casually talk about how everything is insecure and there are definitely people working right now to topple your house of cards. The Motherboard article is a great illustration of the reality that the information security industry is hard at work at making things as secure as possible. That statement isn’t true if we’re talking about consumer IoT devices, however. As another illustration, Motherboard previously had a piece arguing that Apple offering up $200,000 as a bug bounty for secure boot firmware components would likely yield no claims, since $200,000 is too low a price tag for such a rare and exploitable bug.
So, this guy made some malware a few years ago, and was brought into the US to face trial for damages done with those tools, even though it appears that he made the tools and never personally used them. Strangely, this legal logic doesn’t apply to weapons makers when their customers use them to commit crimes. MalwareTech’s trial should, first of all, never have happened, but, secondly, shouldn’t have taken as long as it did. MalwareTech may have saved our planet billions of dollars’ worth of damages. A brief passage from the article:
Hutchins, from Ilfracombe in Devon, was credited with discovering a “kill switch” for the WannaCry ransomware, which hit the NHS and many other organisations around the world in May 2017.
Malware is frequently captured by the aforementioned companies that work in information security, and then let loose in virtualized computing environments, so the researchers can watch how it behaves and then work out how to deliver a protection against that malware. WannaCry, being a cryptoworm that would encrypt a system’s hard drive and then demand a ransom, would reach out to a lengthy domain name that no one owned and that was not registered. Better-engineered malware does this because the researchers who turn it loose in virtual machines will have all external communications register as valid, so they can capture the traffic that the malware is sending out, which then adds to their methods of countering it. WannaCry reaches out to what shouldn’t be a real server, connects to something, decides this means that it’s being observed, and shuts itself down. MalwareTech observed this behavior and registered the domain, and WannaCry, which was wreaking havoc on the global Internet, immediately stopped spreading.
Despite his own write-up claiming that he accidentally stopped a global cyberattack, I really hope that that action was weighed considerably in his trial.
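The sandbox behaviour described above (every outbound lookup registering as valid) is something an analyst can check for in their own lab. The following is an added example, not code from this post or from any of the people it mentions: it probes a resolver with names that cannot exist and reports whether they resolve anyway. The function names and the two constructed resolvers are hypothetical; the probes sit under `.invalid`, a TLD reserved by RFC 6761.

```python
import secrets
import socket
import string

def random_probe_names(count=5, length=32):
    """Random labels under .invalid, a reserved TLD that real DNS never resolves."""
    alphabet = string.ascii_lowercase + string.digits
    return ["".join(secrets.choice(alphabet) for _ in range(length)) + ".invalid"
            for _ in range(count)]

def system_resolver(name):
    """Resolve through the host's configured DNS; None means the lookup failed."""
    try:
        return socket.gethostbyname(name)
    except OSError:  # socket.gaierror is a subclass of OSError
        return None

def audit_resolver(resolve, probes=None):
    """Report how a resolver treats names that should not exist."""
    probes = list(probes) if probes else random_probe_names()
    answered = {}
    for name in probes:
        address = resolve(name)
        if address is not None:
            answered[name] = address
    return {
        "probes": len(probes),
        "answered": answered,
        # Any answer at all makes this network tell-able from the real Internet.
        "distinguishable": bool(answered),
        "answers_everything": len(answered) == len(probes),
    }

# Constructed resolvers so the example runs offline (not real infrastructure).
def fake_dns_sandbox(name):
    return "10.0.0.1"  # simulated-Internet service: every name "exists"

REGISTERED = {"registered.example": "192.0.2.10"}  # constructed sample zone

def realistic_dns(name):
    return REGISTERED.get(name)  # unregistered names fail, as on the Internet

if __name__ == "__main__":
    for label, resolver in [("fake-DNS sandbox", fake_dns_sandbox),
                            ("realistic DNS", realistic_dns),
                            ("this host", system_resolver)]:
        report = audit_resolver(resolver)
        print(f"{label}: {len(report['answered'])}/{report['probes']} impossible names resolved")
```

A lab whose resolver comes back with `distinguishable` set is one where a sample using the check described above can tell it is being observed.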