“Journalists want convenience, not security” – Daniel Cuthbert at Hacks/Hackers London

Hacks Hackers London logo

OK, so it isn’t quite lost episodes of Doctor Who, but I’ve dug out my notes from a Hacks/Hackers London meet-up back in May 2013 that I never quite got round to writing up at the time. Here’s the first instalment, a look at security with Daniel Cuthbert

Daniel Cuthbert works at Sensepost, and they describe themselves as “hackers for hire.” Not in a bad way, you understand, but in the way that you can hire them to test how robust your defences are. They also try and expose flaws in common protocols, with Daniel observing “Pretty much you name it, we’ve broken it.”

Talking about mobile phones he said “we put so much into these devices”, and he outlined a scenario where a flaw in the wifi protocol could allow people to scrape data from your phones in public places, even without you actively connecting to the network. To illustrate his point, during the evening he put up a chart showing how many phones were in the room, and which makes and models. None of us had connected to their honeypot network.

The talk had been scheduled in the aftermath of some high profile Twitter hacks, which had seen news organisations lose control of their accounts. Daniel said he had laughed when one of the companies had announced that they had now “secured their accounts.” Losing control of Twitter, he said, is an underlying sign that your entire digital life belongs to the hackers. People think “It’s just my password – I can reset that” but they don’t realise the ease with which people can have inserted software into your devices that keep you monitored even once you’ve regained control of the affected account.

Daniel exposed a lot of technical ignorance in the audience, asking difficult questions about how you know to trust a shortened URL, or whether you trust the people who have written the extensions that you have willingly added to your browser. He said it is not a case of if you will be hacked, but when you will be hacked. He criticised the companies selling mainstream anti-virus and security software as selling “snake oil.”

People are too trusting he said, especially around the visibility of their devices. “You’ve got your fancy new Jesus phone,” he said, “and without you knowing it, it is like the chatty person at a party. Our phones at Sensepost say ‘hi’ and nothing else.” The iPhone 5, he said, is “a spook’s wet dream” because it is always on, always connected. “People want convenience,” he said, “not security.” He scoffed at Yahoo!’s recent acquisition of Tumblr for $1bn, saying no company would be prepared to invest that much in security, but they should be.

The atmosphere was quite antagonistic during this talk, to be honest. I think the audience were evenly divided between people who thought Daniel was talking a load of exaggerated bollocks, and people who looked terrified and seconds away from throwing their phones out of the window. Daniel had inferred that he could very quickly hack into and take control of any smartphone in the room, and quite a few of the tech-savvy hacks were exasperated when he wouldn’t do a demonstration, although in fairness to Daniel he would have been breaking the law to do so.

And I noticed that when one of my friends asked a difficult question, one of the Sensepost team at the side of the room covertly took a photograph of them. I made a note at the time questioning whether that was paranoia on their part about anybody working against them. There was an element where you felt that Daniel had so much at stake personally in never being hacked, that you wondered whether he ever used his phone or computer at all.

I also thought they did over-state their case a little. At one point Daniel said that the hackers who broke into Sony’s ID system of the PlayStation “managed to destroy Sony in a really spectacular fashion.” Well, as far as I can tell, the Playstation 4 launch looks like it is going ahead just fine.

And then came Edward Snowden…

As I say though, those notes were from May, before anybody had heard of Edward Snowden. I’d be very interested to see what the reaction of the audience would be post-NSA leaks. I mean, assuming Louise Mensch wasn’t jumping up and down in the corner yelling “Treason!” for even wanting to discuss security. Daniel had described his phone as “hardened”, but presumably, if he ever called colleagues in the States, his metadata was just as likely to end up in an NSA database as anybody else.

I get the impression, to be honest, that he’d get a much more sympathetic hearing now. Part of his schtick was that people don’t think Sensepost look like hackers because his team aren’t renegade Brazilians, or an Eastern European criminal gang. Now that we realise the biggest threat to the privacy of our electronic communications in this country is our own government, we’re rather more used to the idea of sharp-looking Western European guys in suits pwning our devices.

Next…

Next up I’ve got some more notes from back in May, with Trushar Barot talking about the BBC UGC hub

You might also like these posts about talks at Hacks/Hackers London…

“Anyone referring to journalism as ‘a product’ should be shot” – Quartz’s Leo Mirani & Jason Karaian
“Do Assad’s men wear trainers?” – the BBC’s Trushar Barot on social media verification
“Telling the story of Firestorm” – The Guardian’s Jon Henley & Robin Beitra
“We aren’t here to steal anyone’s lunch” – Buzzfeed’s Luke Lewis
“The future for investigative journalism funding” – David Leigh
“Journalists want convenience, not security” – Daniel Cuthbert