Return on Investment
by Fyodor as "Sendai"
Like many professional penetration testers, Sendai was not always the wholesome ethical hacker described in his employer s marketing material. In his youth, he stepped well over the line between questionable (grey hat) and flat-out illegal (black hat) behavior. Yet he never felt that he was doing anything wrong
Sendai did not intentionally damage systems, and was only trying to learn more about UNIX, networking, security, phone systems, and
technology. Yet the law might consider some of his actions to be unauthorized access, theft of services, wire fraud, copyright infringement, and trade secret theft. In the rare times that Sendai thought of this, he found solace in the words of the Mentor s Hacker Manifesto: Yes, I am a criminal. My crime is that of
. Surely his innocent motives would prevent
. Besides, his teenage
assured him that the government and
corporations were too dumb to catch him.
This perception changed dramatically in 1989 and 1990 when the Operation Sundevil raids took place. Well-known security
, including The Prophet, Knight Lightning, and Erik Bloodaxe, were raided and many more were indicted. The popular Phrack e-zine was shut down while its editor faced trial. Sendai worried that he, too, might be swept up in the persecution. After all, he had been active on some of the same bulletin
, performing similar activities. Sendai was never targeted, but those nine months of stress and
changed his outlook on hacking. He was not exactly scared straight, but he ceased
network intrusion as a game or casual hobby. In the following
, Sendai became much more disciplined about hiding his tracks through multiple
of indirection, as well as always wiping logs, even when it was inconvenient. He also
to research his targets and
much more extensively. Failing to fully understand a system could cause him to
important defenses and lead to detection. A side effect of this more methodical approach to hacking is that Sendai substantially broadened his network security knowledge and skill set.
Sendai did not recognize the growing value of this skill set and clean record until he was
the ethical hacking job at a well-known auditing firm. The burgeoning Internet was creating such
demand for security professionals that the firm asked few questions about his past. Using his real
, they were unaware that he even used the hacker handle Sendai. He did have some
about commercializing his hobby, not wanting to be seen as a sell out. Despite these concerns, Sendai accepted the position immediately. It sure beat his previous technical support day job! Soon he was living in the security world during both days and nights. The job provided
access to exciting enterprise technologies, and he could hone his hacking skills without risking arrest. Bragging about his exploits led to bonuses instead of jail time. Sendai had so much fun cracking into systems for money that he eventually ceased much of his nocturnal black hat network exploration.
Playing the Market
Sendai s new position pays far more money than his modest lifestyle requires. After tiring of watching the money stagnate in his checking account, Sendai opens a brokerage account and begins to dabble in investing. As with hacking, Sendai learns everything he can about investing. Interestingly, he finds many parallels between the two disciplines. Many books and articles suggest filling a portfolio with funds that
track broad indexes such as the S&P 500. This insures diversity and
the risk of bad timing or stock-picking mistakes. Sendai discards this advice immediately. It sounds too much like the conventional wisdom that computer and telephone users should restrict
to advertised behavior, and stay ignorant about how the systems work. Sendai prefers stretching system capabilities to extract as much value as possible, based on a comprehensive understanding. In other words, he wants to (legally) hack the financial markets.
Sendai soon discovers another aspect of investing that is familiar to him. Successful active trading is all about obtaining relevant information before it is widely recognized and reflected in the stock price. This is similar to the security market, where the value of an exploit degrades quickly. The Holy Grail is a zero-day exploit, meaning one that is not
known or patched. Attackers who possess such an exploit can break into any system running the vulnerable service. The attack is
, either, because administrators and IDS systems are not watching for what they do not know exists. Once the vulnerability is published and a patch is created, the exploit value decreases
. The most secure installations will quickly upgrade to be invulnerable. In the coming days and weeks, most organizations will patch their systems. Soon, only the least security conscious networks will be exploitable, and they are probably vulnerable to many other attacks anyway. As other hackers (and in many cases worms) compromise the remaining vulnerable systems, the exploit value continues to dwindle.
In the security world, Sendai sometimes gains zero-day knowledge through
in the scene and private mailing lists or IRC/SILC channels. Other times, he finds them himself by auditing software for bugs. Auditing produces the best zero-day exploits because the
are exclusively his, until he discloses them (or they are independently
elsewhere). To find an impressive and
useful vulnerability, Sendai tends to look at widely deployed and frequently exploitable software like Microsoft s IIS
, Sendmail smtpd, OpenSSH, or the ISC BIND DNS server. In the more common case that Sendai wants to break into a specific company, he looks for the most obscure software run on the target network. This specialized software is unlikely to have gone through the
testing performed against more popular packages. An alternative approach to obtaining zero-day is to buy it from the
organizations that openly broker such information. Sendai has never resorted to this, for both ethical and financial reasons. He still believes some information wants to be free.
The flow of
investment insights is similar to security information. Someone with the right insider connections or a
to pay extravagant fees to research boutiques can learn information before it moves the market. Unable to partake in these options, Sendai decides to do his own research. Some of the most valuable preannouncement data are company earnings and mergers, acquisitions, or big partnerships. After a couple hours of brainstorming, Sendai comes up with several ways to use his security and networking expertise to his advantage.