Security Sense: Hacking Ain’t Hacking

Security Sense: Hacking Ain’t Hacking

Did you see that 5 year old who hacked the Xbox One last year? No really, he totally hacked it, broke right through all the parental controls (incidentally, how proud is his dad that clip?!) and got unfettered access to the games he wanted to play.

Speaking of hacking, in local news down here it seems that Twitter has been hacked again. Oh you hadn’t heard? Apparently there is indeed a Twitter hacker who successfully gained control of a rather controversial movement’s account and posted things contrary to their views.

Then of course the really big one this last week, GitHub was hacked. Allegedly it was the Chinese hacking it by way of massive DDoS attack. In fact according to very clever security researcher Robert Graham, everyone visiting Baidu from outside China participated in the attack against GitHub so it was kind of like a massive globally distributed hack. Many people were successful hackers and they didn’t even know it!

Except were these really “hacks”? Did the 5 year old genuinely hack the Xbox or merely fat-finger the controller? Was Twitter actually hacked or did the ReclaimAus account just apply some questionable account management practices? And as for GitHub, did they really get “hacked” or did the Chinese (allegedly) simply round up enough requests to make life difficult for them? I know what I read in the headlines and I also know what a great headline “hacked” can be, especially when it’s applied to a recognisable brand. Frankly though, it’s all getting a bit silly.

Now there are a few issues all this raises and the first is that we really need a better way to measure “hacked”. Dan Lohrmann had a great article last week on Why data breaches need their own Richter scale and he makes some very salient points around the severity of the incident and that not all data breaches are created equal. Same goes for hacks (and arguably they’re often very closely related to data breaches) because frankly, the kid’s Xbox handiwork is not exactly on the scale of Sony Pictures when it comes to circumventing security controls.

Secondly, classifying attacks such a DDoS as hacking both gives the teenage culprit too much credit and judges them too harshly in the eyes of the law. And frankly it is usually a teenage culprit (unless it’s China – allegedly) and as stupid as a DDoS attack using tools like LOIC usually is in terms of actual effectiveness, it’s the digital equivalent of standing in front of the door, not breaking the lock and pilfering the store. This is not “hacking” and the legal ramifications that follow shouldn’t be based on that presumption.

Can we just tone it all down a bit? GitHub wasn’t hacked and to claim it was is both disingenuous to the good work they do there to secure their things and gives too much credit to the perpetrators which one can only assume couldn’t actually hack it so they resorted to throwing data packets at it out of frustration instead. Twitter certainly wasn’t hacked any more so than when any of what I can only assume must be thousands of incidents per day result in someone losing their account through sloppy practices. In fact out of the whole bunch of them here, the only one I actually feel inclined to give any degree of hacker status to is the kid! He did actually circumvent a security control by identifying a vulnerability, Microsoft even recognised him on their Security Researcher Acknowledgements page! The others are just amateurs compared to him.

Troy Hunt
Microsoft MVP - Developer Security 

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.