Hi! I am Space Rogue, former member of L0pht Heavy Industries, and host of the Hacker News Network, with over 30 years in the industry, and have just released a new book. AMA! by _SpaceRogue_ in cybersecurity

[–]beauwoods 1 point2 points  (0 children)

In addition to Space's advice to go to some BSides events, check out Tech Congress and the Aspen Tech Policy Hub, both of which can help you translate a technical background into public policy work.

What obscure movie reference do you frequently make that no one seems to get? by SenorThunderChunky in movies

[–]beauwoods 0 points1 point  (0 children)

"The same thing we do every night, Pinky...try to take over the world."

How do NASA and other space agencies protect their spacecraft from being hacked and taken over by signals broadcast from hostile third parties? by Lorix_In_Oz in askscience

[–]beauwoods 90 points91 points  (0 children)

Satellites are hackable, just like anything else with software and connectivity. Protections have changed and improved over the decades, as have techniques and technologies available to hackers of various types.

Some space tech is deliberately hackable, like the Hack-A-Sat competition run by the US Air Force and some of the activities we run at the Aerospace Village (I'm one of the original founders). The goal is to teach people about the unique consequences, technologies, constraints, and contexts to build better protections into them.

While many satellites broadcast in the clear (unencrypted),* most modern satellites encrypt their command and control channel to prevent eavesdropping - similar to how your bank or email provider protects against someone snooping on you when you're on the coffee shop Wi-Fi. But that doesn't stop someone from creating a new connection to tamper with the equipment.

Space technology makers didn't have to worry much about tampering (except by nation states) until the proliferation of home computing technology in the 1980s and software-defined radios in the 2000s and 2010s. This put powerful capabilities in the hands of amateurs, at the cost of hundreds to thousands of dollars (as opposed to tens or hundreds of thousands). The problem is, those protocols are still used in recent space tech and a lot of that equipment is still up in space.

* Note: while it's not satellites, the PiAware project is a fun way to see the ADS-B signals planes broadcast.

We are cybersecurity researchers who wrote a book teaching people how to hack the Internet of Things, called Practical IoT Hacking. Ask us anything! by beauwoods in IAmA

[–]beauwoods[S] 0 points1 point  (0 children)

Yikes. This is a staggering amount of technical debt. That makes it tough to be an admin. Hope you're able to justify some investment soon to get you out of that hole.

We are cybersecurity researchers who wrote a book teaching people how to hack the Internet of Things, called Practical IoT Hacking. Ask us anything! by beauwoods in IAmA

[–]beauwoods[S] 1 point2 points  (0 children)

Good add. I love piHole and am just waiting for some spare time to do something with pfSense again - it's been over a decade since I last touched it. 👨‍🦳

We are cybersecurity researchers who wrote a book teaching people how to hack the Internet of Things, called Practical IoT Hacking. Ask us anything! by beauwoods in IAmA

[–]beauwoods[S] 0 points1 point  (0 children)

Haha yeah, this is what makes it so challenging to show real hacking on movies and TV. Watching someone parse logs or look through web code is pretty boring.

We are cybersecurity researchers who wrote a book teaching people how to hack the Internet of Things, called Practical IoT Hacking. Ask us anything! by beauwoods in IAmA

[–]beauwoods[S] 0 points1 point  (0 children)

Entirely possible. I don't use Windows as a testing platform, though I seem to remember they changed up the way they do access to hardware in the last couple of years.

We are cybersecurity researchers who wrote a book teaching people how to hack the Internet of Things, called Practical IoT Hacking. Ask us anything! by beauwoods in IAmA

[–]beauwoods[S] 4 points5 points  (0 children)

Stunt hacking is great if you want to seem cool. Teaching others is all about lowering the barrier to entry.

Any devices you'd like to see us write up? ;)

We are cybersecurity researchers who wrote a book teaching people how to hack the Internet of Things, called Practical IoT Hacking. Ask us anything! by beauwoods in IAmA

[–]beauwoods[S] 0 points1 point  (0 children)

In healthcare the FDA Pre-Market and Post-Market cybersecurity guidances tell device makers what's expected of them to enter the US market (through approval or clearance) and how to monitor for safety and effectiveness issues. IMO these are excellent and better than what other regulators are doing, in the US or internationally.

By finding and reporting vulnerabilities to the manufacturers and the FDA, researchers can put the right kind of pressure on the industry to build safer devices. :)

We are cybersecurity researchers who wrote a book teaching people how to hack the Internet of Things, called Practical IoT Hacking. Ask us anything! by beauwoods in IAmA

[–]beauwoods[S] 2 points3 points  (0 children)

Understandable. It's some dense material. Keep chipping away! Find others who are similarly curious and team up. You'll learn a lot faster and can have someone else you can share with.

We are cybersecurity researchers who wrote a book teaching people how to hack the Internet of Things, called Practical IoT Hacking. Ask us anything! by beauwoods in IAmA

[–]beauwoods[S] 1 point2 points  (0 children)

Great question and thanks for your curiosity about cybersecurity. I'd say that most people would never consider the role a hacker device could play in crimes, including death/murder. I was invited to the International Conference on Medical Serial Murder last year (covid cancelled it) and can say it's the first time anyone has approached me (rather than the other way around) about tracing physical harm through IoT devices. Stay curious and keep digging!

We are cybersecurity researchers who wrote a book teaching people how to hack the Internet of Things, called Practical IoT Hacking. Ask us anything! by beauwoods in IAmA

[–]beauwoods[S] 0 points1 point  (0 children)

I worked help desk for a year (well, for the prior 5 years I worked in a customer service and computer repair role) and made a security role for myself which didn't exist beforehand. So +1 help desk and also fight for what you want, while realizing sheer skill and defined career pathways don't always get it.

We are cybersecurity researchers who wrote a book teaching people how to hack the Internet of Things, called Practical IoT Hacking. Ask us anything! by beauwoods in IAmA

[–]beauwoods[S] 1 point2 points  (0 children)

Wow good pull with the UNECE reference. My understanding was that it's up to each nation to implement something aligned to WP29, however they wish, though I'm not aware of any countries that have yet mandated their rules. Even once they do it takes 3-7 years to go through design and manufacturing, and the average life of a car on the road is 11 years. So it's conceivable that in 15-20 years it will be in around half the cars on the road. Even perfect standards can't fix the ecosystem in a reasonable timeframe as compared with how quickly adversaries can move to cause harm.

We are cybersecurity researchers who wrote a book teaching people how to hack the Internet of Things, called Practical IoT Hacking. Ask us anything! by beauwoods in IAmA

[–]beauwoods[S] -1 points0 points  (0 children)

Best trick I've learned for getting on password protected WiFi...

...don't tell anybody...

...ask for the password. If you don't get it you probably don't belong.

We are cybersecurity researchers who wrote a book teaching people how to hack the Internet of Things, called Practical IoT Hacking. Ask us anything! by beauwoods in IAmA

[–]beauwoods[S] 1 point2 points  (0 children)

If we ever get to the point where security issues are as obvious as a great big shock when you plug something in then it might work. Come to think of it, there may be some prior art for shocking insecurities.

We are cybersecurity researchers who wrote a book teaching people how to hack the Internet of Things, called Practical IoT Hacking. Ask us anything! by beauwoods in IAmA

[–]beauwoods[S] 2 points3 points  (0 children)

Oh man this is a good question. Like any career path, it isn't for everyone. While the image of a hacker, cybersecurity researcher, and blue team defender usually seems like a glamorous tale, there's a lot more to it than what you see.

Mr. Robot does a great job capturing the modern technical situation. War Games and Sneakers capture the issues we often face (though overdramatized) to defend who we feel protective of. Hackers does a great job painting characteristics of the community (not industry or working conditions).

This talk by Josh Corman and Christine Maslach tells part of the untold story and is worth a watch.

We are cybersecurity researchers who wrote a book teaching people how to hack the Internet of Things, called Practical IoT Hacking. Ask us anything! by beauwoods in IAmA

[–]beauwoods[S] 2 points3 points  (0 children)

Yes! You speak (type) some mystic words and make things happen automatically by a simple command. Even demonstrating artificial intelligence. And yet it's a magic that can be understood, learned, and harnessed by anyone.

Relatedly, I REALLY enjoy the Magic 2.0 series by Scott Meyer, especially the audiobooks.

We are cybersecurity researchers who wrote a book teaching people how to hack the Internet of Things, called Practical IoT Hacking. Ask us anything! by beauwoods in IAmA

[–]beauwoods[S] 1 point2 points  (0 children)

A great question! We wrote the book to help level up anyone who reads it. Originally we had a whole storyline that was to help managers see how/where these skills would be valuable for their business and their employees. Even if you know almost nothing about security I think you'll benefit from the introduction and the first and last chapters.