Andrew Auernheimer - Hacktivism for profit and glory
Download as PPTX, PDF1 like1,009 views
Andrew 'weev' Auernheimer, a professional hacktivist, discusses his experiences leveraging technology to challenge major corporations and nation-states for profit and influence. He outlines how he executed attacks on companies like Amazon and Apple, manipulating vulnerabilities for personal gain while advocating for hackers' rights. Despite facing significant legal repercussions, he emphasizes the growing power of individuals in technology to effect change against larger entities.
Andrew Auernheimer - Hacktivism for profit and glory
- 1. Hacktivism for profit and glory Using technology offensively and profitably against world powers and major corporations.
- 2. One person can change the world. • You can easily fight powers that appear bigger and stronger than you. • I make lots of history, influencing nation states and Fortune 500 companies. • I do this with no external capital or influence. • Everybody who tried to stop me failed.
- 3. Andrew “weev” Auernheimer Professional hacktivist.
- 4. Why I became a hacktivist • The status quo is not fair to hackers • Tech industry billionaires can’t even buy influence. • America makes its hackers suffer greatly: Swartz, Moore, Love
- 5. Changing the world is profitable. • Know the outcome of an economic event? Profit in financial markets. • In financial markets, you only have to be right for a few hours. • Know the outcome of an election? You can make profit in prediction markets.
- 6. I started small. • Pick a venture capitalist that funds tech startups • Announce your presence. • Destroy his portfolio company by company until he pays you to go away.
- 7. 2008: First nation-state attack
- 8. 2009: First Fortune 500 attack • XSRF: Cross site request forgery – no unique token to scrape to perform command on a site. Site wrongly trusts user’s browser. • Can we use this to troll a corporation and shift a its value by billions of dollars?
- 9. Amazon had a XSRF-vuln • There was a “Report Inappropriate Content” button on every Amazon page for logged in users that was a simple HTTP GET with any product ID at the end. • Function automatically removed content from the search rankings if it got enough reports. It was still sold, but you couldn’t search for it.
- 10. This was so easy. Really bad code. • An enumerated list of gay book product IDs:
- 11. Reported all gay books as inappropriate thousands of times. • Put a hidden iframe on many websites that did a 302 redirect to the report as inappropriate function. • Used cookies from bot-registered Amazon accounts to report it myself • Net effect: you couldn’t search for gay faggot books on Amazon anymore.
- 12. What next? Make markets react. • Contact gay bloggers, say Amazon was censoring homosexuals: #amazonfail
- 13. This bug was stupid. • I couldn’t have ever sold it to anyone. • Amazon wouldn’t reward me for reporting it. • Objective market value was $0 • But I used it to drop Amazon’s market cap by $3.2 BILLION dollars for long enough for a short position to be profitable.
- 14. 2010: Second Fortune 500 attack • June of 2010, first Apple iPad 3G released, exclusive to AT&T. • On iPad billing/registration server a simple HTTP GET with no authentication. • Integer in URL is the integrated circuit card identifier (ICCID) – unique ID for device SIM • Takes ICCID and returns email of registered user.
- 15. Oops. • Apple and AT&T made this for convenience, so when you visit the billing site it would automatically fill in the email of your device to login faster. • It’s just an HTTP GET, and the ID is just a number. What they really did was publish a complete list of iPad users on the Internet.
- 16. Exploitation • Once again, very simple. Numerical IDs are in sequence. As simple as let count, while true, do curl $i, done. • I have a full list of Apple iPad 3G owner emails and the corresponding ICC-IDs. • What can I do now?
- 17. Risk assessment • If I were a bad guy, I would send a Safari exploit to every iPad. (and we had one) • The IMSI can be derived from the ICCID (unique to AT&T) which would allow for IMSI catchers and man in the middle attacks. • Targeted advertisements: iPad accessories. • I could do any of these things, but I’d rather do the right thing and change the world.
- 18. Public disclosure. • We had an name from offensive Internet meme: Goatse Security. If you have not heard of the Goatse meme do not look it up. • “Subsidiary of” GNAA troll organization • Adds embarrassment for AT&T and Apple.
- 19. I disclose the issue to a journalist.
- 20. If you want to change the world: social sophistication is equally as needed as technical sophistication.
- 21. Surprise! I
- 22. Now the hard part comes • Kidnapped thousands of kilometers to foreign territory, beaten by US Marshalls along the way • The parts of America that the feds bring you to are hell on earth • Banned from the Internet for years
- 23. Liberty must be defended. • I accessed a public webserver and told a journalist about what was on it. • This is unequivocally not criminal activity. • If accessing a public webserver is a crime the Internet only contains criminal activities. • None of this mattered to American courts.
- 25. Free at last Eventually a higher court admitted my conviction was based on lies from the FBI and DOJ and violated my rights. Total time lost: 39 months
- 26. Let’s do more of this.
- 27. Have it your way USA, I’ll go.
- 28. August 2016: methods are mainstream • Muddy Waters now using software vulns for financial intelligence • The FBI said my desire to short sell off of vuln was evidence of criminal intent, and now it is a common industry practice.
- 29. 2016: Latest nation-state attack
- 30. Takeaway • Technology enables agile individuals to act with more efficacy than the world’s biggest empires. • Every day that goes by, smaller entities grow more effective than big entities. • Be relentless, you’ll eventually be proven right and see your positions legitimized.