On Episode 85 of The Edge of Innovation, we’re talking with hacker and security expert, Adriel Desautels of Netragard, about whether there is any hope for computer security.
Hacking the Future of Business!
On Episode 84 of The Edge of Innovation, we’re talking with hacker and security expert, Adriel Desautels of Netragard, about why hackers hack!
Why Does the Hacker Hack?
Hackers: Making a Name For Themselves
What’s Interesting at DEF CON & Black Hat
Alternative Conventions to DEF CON and Black Hat
Hacker Conventions Today Versus In The Past
Recommended Places To Find Information On Hacking
Advice For The Budding Hacker
The Definition of Hacking
Paul: So, from your experience and knowledge of other people you know, why does the hacker hack?
Adriel: It all depends on who they are and what their really, I guess, geographic location is, monetary position, you know. So the majority of bad guys that are hacking right now hack for financial gain. They steal information, and they’re able to sell it on the black market. Some information sells for more than others, and that is always changing.
Then, of course, you have nation states. They’re hacking because they want to know about their foe. They want to learn about their enemy.
And then you have the guys that hack on behalf of their country, but they’re not directly affiliated with their country. They go out, and they steal information. The Chinese are notorious for this. They have groups of people that will hack and steal information about aircraft and all kinds of interesting things, and then they sell it to the next highest bidder within their country. And so that’s sort of a way of trying to say, “Hey, we don’t do this stuff,” but they buy the information. So, they’re not hacking, but they’re funding it by buying the information.
Paul: Sure. Let’s peel that back a layer, though. It’s maybe a superficial view, but why does the person sit down and spend that time searching for these obscure ways to exploit systems. What drives that emotion? Because they’re not necessarily going to get paid. So, I’m not saying they’re evil. I’m not saying they’re bad. But why is it that I’m going to try and do everything I can to break into this house, and I’m not going to give up either.
Adriel: Right. So, for some of us, it’s just a puzzle. It’s just a challenge, and it’s fun. It just boils down to that. Why is my partner, Philippe, why is he building a robot to take his trash and haul it down his driveway that’s a quarter mile long? I mean, he’s literally doing that. And he’s found a way to build this crazy robot that will take his trash out for him. He’s doing it because it’s fun, and it’s a challenge, and it’s exciting. It’s the same reason why we do a lot of the things that we end up doing too.
The other angle to that is notoriety. Sometimes hackers will hack something because they’re trying to make a name for themselves, and so they’ll perform research against a really challenging target, write up a white paper or publish something on it. And that makes the press. And all of a sudden, those hackers, they’re well known. I can think of some pretty good hacks that happen with DNS and other types of things that they really helped companies promote themselves. So there’s that kind of angle.
And then, you tie it back into the monetary angle when you get to the zero-day market and zero-day exploitation. Hackers will perform research against like your iPhone, for example. They find a single vulnerability in an iPhone. Today that sells for anywhere from four to six million dollars per vulnerability. So, the motivation there is a lot of money. For a single, maybe three months of work, you make $6 million. It’s not a bad payday.
Paul: So it sounds, it sounds sorta like panning for gold.
Adriel: Yeah, in some cases it really can be because you never know what you’re going to encounter. And if you get the big nuggets, you’d be very rich very quickly.
Paul: And it could be that the gold that you get is notoriety. It could be just the fun of doing it, or it could be that you get a big chunk of gold. Interesting. So, I agree. It is interesting to see, and it would be interesting to have the same conversations with executive, CEO levels of saying, “Why wouldn’t you disclose this?”
And I can imagine it’s like “Well, we don’t want to admit that we knew the bridge was going to fall down,” if they were being really honest. And it’s like “What I don’t know, I can’t be held accountable for.” There’s a lot of that, I think.
Adriel: Yeah, there is.
Paul: So, we were talking about Black Hat and DEF CON. And what else did you see there? We heard a lot. I heard a lot in the press because I was listening for it. But our listeners are pretty diverse. What’s new? What’s interesting?
Adriel: Not much.
Paul: Is it like all old news already? Or is it just…?
Adriel: Yeah. I remember we were actually staying at the Caesar’s Palace so we could watch the talks from our rooms for DEF CON. And we were watching the talks. And some of them sounded very exciting. We thought there were new methods of doing things. And, I’d say just about every single time, when we got excited, we were very disappointed because the methods that people were talking about were methods that we had already known about for years. That had already been used for years.
Unfortunately, DEF CON and Black Hat, I think they’ve outgrown themselves in much of the same way that the RSA Conference has and things like that.
Paul: I was wondering about that.
Adriel: Yeah. They’ve become very politicized, and they’ve got these vendor booths where vendors are spending a lot of money to advertise their products. That’s not really all that appealing anymore, to hackers that are strictly interested in learning about hacking.
They are still the biggest hacking conferences, and hackers will still go there. I mean, we were hanging out with Kevin Mitnick, and a bunch of other people were out there. But those people go because it gives you the option to meet other people that are going. So, we went there. We ended up meeting with a lot of our friends. And these guys are really hardcore researchers and the hardcore security people. And we also met some of our clients and things like that. So it’s a good team building exercise. From the perspective of learning something new, though, unless you’re talking to somebody or you know people that are going to be doing new research, you’re probably not going to pick it up at Black Hat and DEF CON.
Paul: So is there something else out there? Blacker Hat or DEFfer CON? Something that’s a little better?
Adriel: There should be. DerbyCon is a little bit better.
Paul: DerbyCon?
Adriel: Yeah, DerbyCon. It’s a little bit better. A lot of the people that we associate with will go to DerbyCon. They’re growing in size too, but their content seems to be more aggressive. I guess you could say newer than what you’re seeing at those. And then, of course, there’s BSides, which, unfortunately, I’ve never been to, and I always intend to, but I never make it. BSides, from what I’ve heard, has a pretty good reputation for being fairly serious. A lot of the higher end people — and when I say “higher end,” maybe more capable researchers, more experienced researchers that I know have talked about going to both DerbyCon and BSides.
Paul: Interesting.
Adriel: Yeah. And they seem to really like those. Then you have your obscure conventions in Europe and things like that. I know some of my researchers go to those. Some are really good. Some are not.
It’s a lot different than it was in the ’90s and early 2000s. I mean, in the ’90s and the early 2000s, hackers were driven by curiosity and driven by research, and they met up with each other because they had something to share and something to discuss and, and so on, so forth. These days, it’s become so mainstream that you literally have groupies. You have people that show up in bizarre clothes with purple hair and all kinds of things. And they’re trying to show up and trying to fit in just because they think it’s cool. But they have nothing to offer. And that kind of distills things. And that kind of makes things less interesting.
And when I went to DEF CON, just this past DEF CON, I remember walking through these crowds of people, and I’m looking at these people, and I’m thinking, wow, the majority of these people are probably people working in IT or in security for corporate America. Very few of these people are actually hackers. And it’s unfortunately true. Very few of them were really the kinds of people who would be the researcher, the curiosity-driven kind of person.
It’s not to say that the conferences are useless because people do get a wealth of benefit from them, especially with regard to the training and the courses. And especially for businesses, IT people — IT personnel and security personnel — will learn a lot about the new technologies, the way hackers think and so on and so forth. And they’ll get to meet people that really are the real deal. So it’s much more useful, I think, if you’re going for business purposes now as opposed to if you’re a hacker trying to share knowledge and learn new things and so on, unless, of course, you’re networking.
Paul: So do you have any recommended websites or places that you frequent that give valuable cutting-edge hacker information?
Adriel: There used to be. I mean, now the majority of the information I get is going to be from Reddit and Twitter. There are interesting posts that happen once in a while and conversations that happen once in a while if you follow the right people. You can follow places like The Hacker News and all that stuff. But they tend to not really provide anything that would be underground, as they would say.
IRC still exists, but it doesn’t really live in the same capacity that it did before. Back in the day, you could hang out on IRC, and you could get all kinds of really interesting information about who was being breached and so on and so forth. But now it’s not really working that way. Now what we actually see a lot of is we see different hacking groups. They have their own silk servers or servers or their own Slack setups — whatever it might be. And they kind of chat in a closed group like that.
You know, back in the day, you could log in to IRC and, if you do a list search for the word “hacking,” you’d have thousands of hacking posts. And you had people who were doing all kinds of interesting things, and you could engage people in private conversations and private messages and really learn interesting stuff. It’s not quite the same anymore. It’s all been, I guess, distilled or intended it at some level or another.
The way that we stay sharp is literally, we all have Twitter accounts, and we pay attention to what people talk about. People know us through reputation, and so if people who are doing really neat work approach us and they say, “Hey, let’s talk about this. We need some help in this area,” then we learn about something. So, we end up staying in the loop because we’re approached just because of our name, brand, and our names as individuals. People want us to be involved in that stuff.
But unless you’ve established that kind of credibility and unless you already have this networking capability, I couldn’t really point you in any direction for anything that would be particularly eye-opening, aside from pay attention to the new vulnerabilities that are released. Pay attention to the names of the researchers associated with those vulnerabilities. Follow them on Twitter.
Paul: So, if somebody woke up and said, “Hey, I want to be a hacker.” A ten-year-old kid says, “I want to grow up to be a hacker,” it’s not like it used to be. You sort of can’t get that initial set of information. So what would your advice be to the budding hacker?
Adriel: Yeah. So anybody that tells me that they want to be a hacker, they’re probably never going to be a hacker. If you want to be a hacker, it’s because you almost already are. You’re born with this innate sense of curiosity. You’re born with this drive, this hunger to learn and tear things apart and solve problems and fix things, and you just love it. And because you love it, it doesn’t matter what you do in life. You’re always hacking something. You could be building the trash robot like Philippe because that just seems like a fun idea. Or maybe, like Kevin Finisterre, you’re building drones and then finding out ways to knock them out of the sky because you’re curious. Or you’ve got some of my researchers that do research on iPhones and all that. And they do it because they think, “Wow, there’s going to be a way to bypass this, even though Apple says we can’t. Let’s do it.” So it’s a curiosity thing.
So anybody who comes to me and says, “Hey, how do I become a hacker?” My answer is, you don’t. You either do this stuff natively—
Paul: You either are or you’re not.
Adriel: Right. You have that drive and you fix things in obscure ways. And, really a definition of hacking is creating an effective and a simple solution to an overly complex problem. And so if you are a solution creator and if you are able to take a problem of some sort — and the word “problem” is defined very loosely — and you were able to solve that challenge using a creative and effective and fairly easy-to-use solution, then you’re a hacker.
And I would argue that there are a lot of hackers that don’t know they’re hackers. Look at these guys that live off the land in Alaska. They have no technology to speak of. But, some of the things they put together to get water and to hunt and to trap, they’re ingenious! They’re hacking. They have a problem. They’re creating an incredible solution to a problem, and a lot of times, that solution gets used by other people in the same community. So that’s really what the essence of hacking is. So yeah. You’re born with it. You’ve got that talent and a gift or you don’t.
Paul: So I guess that in the venerable words of Yoda, “There is no try. Just do.”
Adriel: Right. That’s right.
This is Part 2 of our interview with Adriel Desautels.
Be sure to listen to Part 3, “Computer Security: Is the Sky Falling?,” here!
If you missed Part 1, “What’s New in the World of Cybersecurity,” you can listen to it here!
On Episode 83 of The Edge of Innovation, we’re talking with hacker and security expert, Adriel Desautels of Netragard about what’s new in the cybersecurity world!
Introduction
Netragard’s New Product: A Breach Detection Solution
Netragardian BDS
What’s Going on at DEF CON and Black Hat?
Hacking Medical Devices
Vendor Hostility Toward Researchers
Government Networks & the Vulnerability of Voter Information
Why Do People Feel Threatened By Research Hackers
Security Researchers Are Experts at Breaking Software
Finding Flaws in Software
Paul: Hello.
Adriel: Hey, Paul.
Paul: Hey, how are you?
Adriel: Doing quite well. I love the fact that even in this day and age we have continual technical difficulties.
Paul: Yeah, well, it keeps people like us in business, so…
Adriel: It does. Yeah.
Paul: So, where are we finding you in the dark, unreached places on Earth? Are you from your secret lair or…?
Adriel: Right now, yes. This is very much my secret lair, which is a library with a ladder that’s been converted into an office.
Paul: Alright. There you go. We’ll cut that out or encode it in a way so that only certain people can listen to that.
Adriel: There you go. Yeah, it’s pretty cool.
Paul: So, how are you doing now? How’s security in the world?
Adriel: It’s doing incredibly well. We’re becoming more and more and more well known for the level of service that we provide, the depth, the quality, and really the aggressiveness of it. We’ve also launched a product, and the product is selling faster than we can sell it. So it’s really quite remarkable.
Paul: Well, we’re talking with Adriel Desautels from Netragard, and we’ve talked with him once in the past, and he’s a great resource for technology and security, and we’re going to talk about that a little bit today.
Paul: So, tell me about this product. What is this? Is it a shampoo or a floor wax or…?
Adriel: It’s a security shampoo.
Paul: There you go.
Adriel: It prevents malware from getting into your hair. No, no, we call it Netragardian BDS. It is a breach detection solution, and it is based on our own experience in breaching networks over the past two decades, really. What it does at a very high level is it exploits the methods that hackers use to breach a network, thereby enabling you to identify their activity before they actually have a chance to move laterally throughout the network. So, it doesn’t prevent a breach, but it provides you with a false-positive-free method of detecting a breach. So, when you get an alert, the alert is, in fact, real. And it’s so incredibly effective that you can use it to generate positive indicators of breach and respond to those positive indicators and quite literally completely avoid damage.
Because in this day and age the name of the game is no longer breach prevention. That’s just a known impossibility. The name of the game is damage prevention. So what the solution does from a higher level, is it allows you to see that people are breaching your infrastructure, and it allows you to respond to that event and block it before it has a chance to escalate into something damaging. The response window is minutes to seconds, depending on how fast you can move.
Paul: Wow.
Adriel: So it’s, it’s pretty cool.
Paul: So where do I find out about this product?
Adriel: We would have to tell you about it. You can contact us or website.
Paul: Well, that’s an interesting way to sell something.
Adriel: Yeah, yeah.
Paul: I have something you don’t know you need but you might want, but I’m not going to tell you about it.
Paul: So, alright, so hold on. What’s the name of it? Spell it.
Adriel: So it’s Netragardian. It’s N-E-T-R-A-G-A-R-D-I-A-N. And then BDS. Bachelor, David, Simon.
Paul: Okay. Cool.
Adriel: Yep.
Paul: So, it’s a secret product. Only people with an invitation can buy it? Or, how does that go?
Adriel: Sort of. So right now, it’s a product that our clients are able to purchase. We don’t advertise it at all yet. We will be in the fairly near future, I think, mid-to-late 2019 when we start advertising it. But right now, we’re trying to push it out to our clients specifically, or they’re really picking it up from us.
Paul: Oh, very cool.
Adriel: That’s the first line. As soon as our clients have this up and running, then it’s going to be the next stage, which is to publicize it and really get people aware of this.
Paul: Well, excellent. Well, we’ll have to talk about that some more.
Adriel: Definitely.
Paul: Really, I’d be fascinated to talk about that.
Adriel: Yep. Absolutely. When we do talk about it and you hear about how this works, it definitely follows the keep-it-simple-stupid rule. It requires virtually no maintenance whatsoever. There’s no patching, no updates that are required. The agents that are associated with it do absolutely nothing of value, as far as the business is concerned. And so if there’s any kind of an outage or, or anything like that, it has zero impact on the business’ ability to function.
Paul: Cool.
Adriel: It is not an intrusion prevention system. It was not a network intrusion detection system. In fact, it has nothing to do with analyzing network data. So it’s a super-efficient and lightweight system that works.
Paul: Very cool.
Paul: So, I thought it would be cool to talk about what’s been going on recently. I imagine, just because I saw it on your feed, that you went to DEF CON and Black Hat.
Adriel: Yep. Absolutely.
Paul: How was the weather?
Adriel: It was hot.
Paul: So that’s about all we want to cover today. We heard lots of different things about hacking, voting machines and a few other little things — some drone stuff. What were the interesting things that you saw there?
Adriel: So, when we were at DEF CON and Black Hat, honestly, not a lot of the presentations that were there this year were particularly interesting. What was more interesting were the side conversations that were going on and sort of the private parties that we got ourselves invited to. There is a lot of research that’s been going into not just voting machines, but the government infrastructures that house voters’ data, the State of Kansas and things like that.
Adriel: Particularly interesting too is the medical devices and critical infrastructure. There’s actually a pretty big emphasis on doing research against those things as well.
And the, the good news is that largely, it’s the good guys doing the research right now, but as the trend would be, if the good guys are looking into this, then you can rest assured that the bad guys are also looking into this.
Paul: Yeah.
Adriel: To kind of give you an understanding of scale and impact, hacking medical devices is something that can be done from afar. So, if you end up using pacemakers from specific vendors or insulin pumps from specific vendors, it’s entirely possible and realistic to cause those things to malfunction in lethal ways from as much as 90 meters away. There’s right now a general consensus that, oh, you have to be close to the device so you can program the device. But that’s not entirely true. There has been research done that demonstrates that fact.
And then, looking more into the medical devices too, these devices are running operating systems that are the equivalent, when it comes down to security, of a Windows desktop or a MacBook Pro. Their operating systems are buggy. In fact, if you look at the vulnerability databases that exist, you could find vulnerabilities that are perfectly exploitable for these.
Then, to make matters even worse, a lot of the manufacturers that are producing these devices are, frankly, hostile to researchers rather than embracing research and researchers, and saying, “Hey, we really like the work that you’re doing. Thank you for doing this. We realize you’re doing it, probably for free…” They’re saying, “Why would you look at our device? What’s your angle? Let’s quash you, and let’s threaten you with legal action and so on.”
So, the general consensus around researchers in general is, yes, we want to do this because we care about this, the big problem, but we’re very nervous about the approach with the vendors and how to handle the vendors and so on. So there’s that.
And then, of course, when it comes down to critical infrastructure, the approach is very similar. When it comes down to critical infrastructure, we see the companies who make SCADA technologies and other kinds of similar technologies, we see them also respond with hostility as opposed to sort of “Yeah, come do the research. Help us find things” —that welcoming embrace. That bug bounty-type mentality.
What that tells me is their mindset is antiquated. Right? They’re stuck back in the late ’90s, early 2000s when most vendors were really hostile, and they had yet to realize the researchers aren’t there to hurt them. They’re there to help. So I think, that one of the things that I’ve seen is that that still exists, and I think these vendors really do need to move forward in that capacity.
Now you look at government networks. Kris Kobach in the State of Kansas. We actually offered — I believe it was Kansas. It was a free penetration test because we were called out by Gizmodo, and we were asked to do a quick reconnaissance project against the state network. And we did, using open source intelligence technologies. Nothing intrusive and all that. And we found that their network was massively vulnerable. We found that they didn’t have two-factor authentication anywhere. They had VPN endpoints that were very likely brute forcible that were exposed to the internet. They had printers that were exposed to the internet. All kinds of things were just publicly accessible. And these networks were the networks that contain voter data!
We offered, we said, “Hey, guys. You know, we recognize that this is…” This was in relation to Cross Track, actually. This was the Cross Track Network. And so we said, “Hey, guys, we recognize that there’s some really sensitive information here, and we recognize that this approach of being really called out by the media about your vulnerabilities is not that great. So we’ll offer you a free test to help you harden these things.”
They never responded to that offer, despite the fact that it was being pushed by various different people. There was somebody from the Democratic side that called. We created a proposal. We issued a proposal to them. Never heard anything back, even though it was free. They said, “Hey, we were going to go with the Department of Homeland Security and get things hardened,” but according to the sites like Censys.io and other kinds of open source sites, their network hasn’t really changed posture at all. So, when it comes down to the voting information, voter information is massively vulnerable because the people that are responsible for it are not taking their security seriously. What they’re doing is they’re saying, “Hey, yes, this is hardened. This is secure. This is safe.” But it isn’t.
Paul: Right.
Adriel: And that’s really, unfortunately, the way things are on a lot of fronts when it comes to security.
Paul: So you sort of talked about the old-school mentality and the mental approach to things or the way people think about things. Let’s try and put ourselves in their shoes and why they feel so threatened by these hackers that are out there who just do all this stuff. Now, I think it’s helpful to role play this a little bit because this is the issue. So, go ahead. What do you think of that?
Adriel: Yeah. So, I think it comes from a variety of things. First off, researchers are there to identify problems or faults in something. Or identify security issues with regards to…security researchers do that anyways. And these security issues are emotional for some people because we’re effectively saying, “Hey, your baby is ugly,” or, “You didn’t do a good job,” or, “You screwed up.”
And, and rather than hearing that and saying, “Wow, okay. That’s good. Thank you for the help,” what they’re saying is, “Why are you attacking me? Why would you insult my capabilities?” Or maybe it’s, “Why are you threatening my job? Why are you threatening my business? Why are you trying to make me look bad?”
And so the approach that a lot of the researchers have, especially today, they no longer take that kind of thought into consideration. And if you were to approach somebody else through a bug bounty program or Facebook, Google, whatever it might be, and you were to say, “Hey, there’s a vulnerability here,” what they say is, “Great. We understand that everybody is vulnerable. Everything is vulnerable. We understand that we’re going to make mistakes. So thank you for bringing this to our attention so that we can fix it,” as opposed to “Why are you trying to make me look bad.”
Paul: Sure.
Adriel: And the reality of it is we’re not trying to make anybody look bad, but we find critical flaws in technology. And the people that created those flaws are the vendors. They are the manufacturers, and they are the ones through deliberate mishap, mistakes, or maybe accidentally, most likely they’re the ones that create the vulnerabilities that are inevitably exploited that lead to damage. So they’re the ones that are, in the end, responsible for fixing the code and becoming aware of these vulnerabilities.
But I think that what’s happened is some companies have begun to realize that they really have to embrace the hacking community and allow hackers to do this research and say “Thank you” because it’s effectively elevated quality assurance.
Paul: Oh, of course. Yeah.
Adriel: And it should have been done. Right? But instead of, instead of doing that, they’re offended. I think a part of this comes into play. It’s not to say that software developers are imbeciles, because they’re not. But software developers are experts at developing software. Security researchers are experts at breaking software. So, we can’t expect every single software developer in existence to also be an expert when it comes to security. And that’s where the issue comes into play, because as a security researcher I can tear networks apart. I can tear technology apart. I can find vulnerabilities in almost — with the exception of one thing — I can find vulnerabilities in everything with the exception of one piece of technology. And that’s my job. That’s my expertise. I couldn’t go to a developer and say, “Hey, find vulnerabilities in all these different things.”
They’re going to say, “Well, that’s not what I do.”
And likewise, I couldn’t go and develop something that a developer could build. I mean, sure, I can write code. I can make something work, but it’s not going to be a professional-grade product if I develop it. It’s going to be a site that’s kind of hacked together. So, it’s a different expertise.
And, and I think that that is something that is somehow missing in the communication or the thought process. When a researcher approaches somebody, that somebody, in an ideal world, would think “Oh, great. This is an expert that’s trying to help me by telling me that I have a fault in this piece of technology.” But instead, they’re saying, “Who are you to come and tell me that I got this problem? I pay my developers a lot of money, and they do a really good job. And you want to insult their work?” And that’s just not helpful.
Paul: Well, and then the counter question to that is, is that “Would you rather not know that this has a flaw?”
Adriel: Right. Well, actually, what we’ve seen in some cases with some vendors — not just critical infrastructure and medical but we have seen that they would not only rather not know that there is a flaw, but we have seen that after we tell them that there is a flaw that they would rather not tell their customers and just hide it altogether. And, that is terrifying. When you see a vendor that knows that vulnerabilities exist in technology, and they continue to sell that technology, they’re quite literally putting their clients at risk. And they’re doing it at some level, knowingly.
Paul: Well, sure.
Adriel: And then, of course, then you have ethical questions that come into play there and things like that. And we’ve seen this blow up. In the past, there have been instances. In fact, we were involved with a very first instance way back in the day with HP and Tru64 where, where vendors have tried to quash research, and then later, the research became exposed, and the community said, “Hey, what’s going on?”
And their clients say, “Wait a second. These guys come to you telling you about a critical vulnerability, and you try to hide it from us? What’s the deal?” That doesn’t make clients feel particularly good either.
The, the appropriate approach would be, like I said initially, “Thank you for telling us about the vulnerability. Let us fix this. Let us coordinate how to notify our clients and how to tell the world. And let’s do this in a way that really helps everybody.” And if they take that kind of approach, that’s great because clients get notified, patches get produced, and so on and so forth.
This is Part 1 of our interview with Adriel Desautels. Be sure to listen to Part 2 here! We’re talking with Adriel about why hackers hack!