How the Cloud and Big Data Might Help Win the Hacker Wars


Hewlett-Packard’s senior VP and head of its Software Enterprise Security Products, Art Gilliland, is speaking today at the RSA Security conference in San Francisco. Security is turning out to be one of those small but bright spots within HP in its long, slow but encouraging turnaround effort. During last week’s earnings conference call, CEO Meg Whitman said that security products within the software unit experienced double-digit revenue growth.

Whitman didn’t get more specific, and yes, that growth would have to be off a small base relative to the rest of HP. But I’ve been sort of positive on security as an opportunity for HP for a while. Remember that over the last few years, HP has beefed up its security assets via acquisition: It has TippingPoint by way of its acquisition of the networking company 3Com, and it also bought ArcSight, a security software firm.

So with this in mind, I had a quick chat with Gilliland a few minutes before he was to take the stage at RSA.

Gilliland said it’s time for the security industry to start thinking about ways that it can disrupt the steps in the process that attackers follow as they break into corporate systems and steal data. “The industry needs to focus on the adversary in a little different way than it has in the past. We spend a lot of time on the actors themselves, and we don’t spend enough time focusing on the marketplace in which they participate. That marketplace behaves in a very specific way.”

Attackers, Gilliland said, are good at sharing and monetizing intelligence, much better, in fact, than the security industry itself. Because of that, he suggests a few things.

First, build new capabilities to disrupt the attackers’ processes at every stage. “We spend most of our budgets on literally one step of their process. We spend five times more on the break-in stage than we do on any other stage,” he said. Disrupt all the steps in that process, he argued, and you make it more costly and difficult for attackers to do what they do.

Big Data can help focus on the other two areas. The second piece is finding attackers while they still have access to the system — that is, after they’ve broken in but before they’ve made off with whatever it is they’re trying to steal. “That’s the most damaging stage, and so we need to focus more energy there,” Gilliland told me. “We need to find them after they’ve gotten in but before they’ve stolen any data. As an industry, we’re pretty bad at that.”

Finally, he’d like to challenge the industry to harness the cloud and big data technologies to build a security- and intelligence-sharing infrastructure. Such an approach would help companies share the expense, while benefiting from each other’s experiences. “We could use those technologies for collective security. We can collaborate together, and big data allows us to consume massive amounts of data. If we do that effectively, I think we can win.”


You May Take Away My Freedom, But I’ll Always Have My Crunchie!

On June 14th, 2010, Michael Arrington awarded a Crunchie to two members of Goatse Security via a blog post for discovering, publishing and trying to fix a pretty egregious security flaw that they discovered on AT&T’s public website.

Ansel Halliburton, a contributing TechCrunch writer from ComputerLaw Group, explained what happened in this TechCrunch post:

GoatSec found that when a user visited the site from an iPad, the user’s email address was pre-populated. AT&T accomplished this by using a unique number associated with the hardware in individual 3G iPads, called ICC-IDs. If the website received a valid ICC-ID, it would serve a login page with an iPad owner’s email address pre-filled. This meant that if GoatSec could guess valid ICC-IDs, the website would leak email addresses of 3G iPad owners. GoatSec wrote an “account slurper” script that tried thousands of possible ICC-ID numbers and recorded the email addresses the website leaked – ultimately getting more than 100,000 of them.

After talking about what to do with the vulnerability and the list of email addresses, GoatSec eventually decided to take it to the media, as they had done with other vulnerabilities they’d discovered in the past. Gawker published the story on June 9, 2010, along with blacked-out snapshots of the list of email addresses. The next day, GoatSec’s members agreed to delete their copies of the email address list. The full list never leaked to the public. Gawker got a lot of traffic, the press went nuts briefly, AT&T issued a lame apology for its lame vulnerability and disabled the pre-filling “feature,” and the FBI started an investigation.
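
A defensive illustration of the flaw described in the excerpt above, added here and not part of the original post or of any AT&T or GoatSec code: a real device only ever presents its own ICC-ID, so one client requesting many distinct ICC-IDs is the signal a site operator could alert on. The log format, the threshold and the sample lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Assumed log format for this example: "<client> <iccid> <prefilled 0|1>"
# (ICC-IDs taken to be 19-20 digits; "prefilled" = response carried an email).
LINE_RE = re.compile(r"^(\S+) (\d{19,20}) ([01])$")

def constructed_log():
    """Constructed sample traffic, not real data."""
    lines = []
    # Three ordinary devices: each presents only its own ICC-ID, several times.
    for n, client in enumerate(["203.0.113.5", "203.0.113.9", "203.0.113.20"]):
        lines += [f"{client} 89014100000000000{n:02d} 1"] * 4
    # One client walking a range of ICC-IDs; only some guesses are valid.
    for n in range(500, 560):
        hit = 1 if n % 3 == 0 else 0
        lines.append(f"198.51.100.7 8901410000000000{n:03d} {hit}")
    # A malformed line the parser must skip rather than crash on.
    lines.append("203.0.113.5 not-an-iccid 1")
    return lines

def find_enumerators(lines, max_distinct=5):
    """Return {client: stats} for clients that presented more distinct
    ICC-IDs than max_distinct (threshold is an assumption, tune per site)."""
    seen = defaultdict(set)    # client -> distinct ICC-IDs requested
    leaked = defaultdict(set)  # client -> ICC-IDs answered with a pre-filled email
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, iccid, prefilled = m.groups()
        seen[client].add(iccid)
        if prefilled == "1":
            leaked[client].add(iccid)
    return {
        c: {"distinct_ids": len(ids), "addresses_exposed": len(leaked[c])}
        for c, ids in seen.items() if len(ids) > max_distinct
    }

if __name__ == "__main__":
    for client, stats in find_enumerators(constructed_log()).items():
        print(client, stats)
```

Counting the pre-filled responses per flagged client also gives incident responders the number of addresses exposed, which is what notification decisions depend on. Many devices can share one address behind carrier NAT, so the threshold needs tuning against normal traffic.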

A lot has happened between the time of that initial blog post and now. In January 2011, a case was filed against two GoatSec members, Andrew Auernheimer (aka “weev”) and Daniel Spitler (aka “JacksonBrown”). Daniel took a plea deal and is helping with the case against Andrew. Andrew was convicted on November 20th, 2012 and is awaiting his sentencing. While he waits to find out if he will face two consecutive five-year terms, Andrew is forcing himself to live in an austere and cold environment to prepare himself for prison. He sadly cut himself off from his loved ones already. He doesn’t want things to be good. He wants prison to be nice in comparison to what he’s putting himself through now.

Andrew and his attorney plan on appealing his sentencing and taking this case as far as they can go, with the ultimate goal of not only his freedom, but overturning the Computer Fraud and Abuse Act that is sorely outdated as it was formed in the 80s. In the video interview I do with Andrew, he mentions that he’s fighting primarily for his freedom, which makes sense, but I’ve talked to him and I know he’s also fighting for every one of you. For this, I think of Andrew as an American hero. He didn’t fall. He didn’t take a plea. He’s fighting to destroy something terribly bad and we all benefit from his fight.

Think what you want about Andrew and his version of performance art, aka trolling, but stop and think for a minute about what this case means for you, our children or startups. This case ultimately means that it could be illegal to access public URLs. Kids are curious. Engineers are curious. Google’s a bit more than curious. Andrew losing this case is catastrophic for web tinkerers and sets very bad ground for future cases to come.

Before going to jail, what Andrew wanted from his bucket list was the Crunchie that TechCrunch awarded to him. He was awarded that statue for public service, and typically there’s a whole process around being awarded a Crunchie. You are usually nominated by the public, voted on by the public and presented your award in an Oscars-style award ceremony where you give an acceptance speech, wave your giant Gorilla in the air and then celebrate with everyone during an after party. Goatse’s Crunchie was special. The voting polls for the Crunchies had been closed for months, the party was over and the next Crunchies award ceremony was over half a year away. So, sadly, the actual physical award fell through the cracks for a while. We’ve corrected that mistake and Andrew was finally awarded his Crunchie at the New York TechCrunch office and he gave his acceptance speech, which is towards the end of our interview.

I think you will enjoy it. In his speech, Andrew mentions the Founders Fund Manifesto. It is worth reading if you haven’t seen it yet. Also, if you are moved by this case and you believe the Computer Fraud and Abuse Act should be challenged, I urge you to donate to Andrew’s legal defense fund. His attorney has donated much of his time and they have fought this case long and hard with little to no money. Andrew barely found the money to buy a suit to wear to court so he could look presentable. Anything and everything helps.