Andrew Auernheimer - Hacktivism for profit and...

Hacktivism for profit and glory Using technology offensively and profitably against world powers and major corporations.

Transcript of Andrew Auernheimer - Hacktivism for profit and...

Page 1: Andrew Auernheimer - Hacktivism for profit and glory

Hacktivism for profit and glory

Using technology offensively and profitably against world powers and major corporations.

Page 2

One person can change the world.

• You can easily fight powers that appear bigger and stronger than you.

• I make lots of history, influencing nation states and Fortune 500 companies.

• I do this with no external capital or influence.

• Everybody who tried to stop me failed.

Page 3

Andrew “weev” Auernheimer. Professional hacktivist.

Page 4

Why I became a hacktivist

• The status quo is not fair to hackers

• Tech industry billionaires can’t even buy influence.

• America makes its hackers suffer greatly: Swartz, Moore, Love

Page 5

Changing the world is profitable.

• Know the outcome of an economic event? Profit in financial markets.

• In financial markets, you only have to be right for a few hours.

• Know the outcome of an election? You can make profit in prediction markets.

Page 6

I started small.

• Pick a venture capitalist that funds tech startups.

• Announce your presence.

• Destroy his portfolio company by company until he pays you to go away.

Page 7

2008: First nation-state attack

Page 8

2009: First Fortune 500 attack

• XSRF (cross-site request forgery): there is no unique token you would have to scrape before performing a command on a site, so any page loaded in the user’s browser can issue the command. The site wrongly trusts the user’s browser.

• Can we use this to troll a corporation and shift its value by billions of dollars?

Page 9

Amazon had an XSRF vuln

• There was a “Report Inappropriate Content” button on every Amazon page for logged-in users. It was a simple HTTP GET with a product ID at the end of the URL.

• The function automatically removed content from the search rankings once it got enough reports. The item was still sold, but you couldn’t search for it.
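The report endpoint as the slides describe it, next to the same feature with the defects removed, as an added example (not code from the talk or from Amazon). The request shape, the in-memory stores and the report threshold of 3 are assumptions; the fix is the standard one: state changes only on POST, a token derived from the session that a third-party page cannot know, one vote per account, and a review queue instead of automatic removal.

```python
import hashlib, hmac, secrets
from collections import Counter, defaultdict

# In-memory stand-in for the site's database; names and threshold are assumed for this example.
THRESHOLD = 3
SERVER_KEY = secrets.token_bytes(32)
hits = Counter()                # vulnerable path: raw request count per product
reporters = defaultdict(set)    # hardened path: distinct accounts per product
hidden, review_queue = set(), set()

def csrf_token(session_id):
    # Derived from the session, so a page on another origin cannot know or guess it.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def vulnerable_report(req):
    """Slide pattern: id in URL, no token, every hit counted, auto-hidden at THRESHOLD."""
    product = req["params"]["asin"]
    hits[product] += 1
    if hits[product] >= THRESHOLD:
        hidden.add(product)
    return 200

def hardened_report(req):
    """Fixed: POST, logged-in session, session-bound token, one vote per account, review queue."""
    if req["method"] != "POST":
        return 405
    account = req["session"].get("account")
    if not account:
        return 401
    if not hmac.compare_digest(req["params"].get("csrf", ""), csrf_token(req["session"]["id"])):
        return 403
    product = req["params"]["asin"]
    reporters[product].add(account)
    if len(reporters[product]) >= THRESHOLD:
        review_queue.add(product)   # a person decides; nothing is hidden automatically
    return 200

def forged_reports(handler, product, n):
    """n requests a third-party page auto-submits in a victim's browser: cookie yes, token no."""
    req = {"method": "POST", "params": {"asin": product},
           "session": {"id": "sess-victim", "account": "victim"}}
    return [handler(req) for _ in range(n)], product in hidden, product in review_queue

def genuine_reports(product, accounts):
    """Distinct logged-in users each submitting the token their own page carried."""
    codes = [hardened_report({"method": "POST",
                              "params": {"asin": product, "csrf": csrf_token(f"sess-{a}")},
                              "session": {"id": f"sess-{a}", "account": a}}) for a in accounts]
    return codes, product in review_queue
```

Three forged requests from one victim's browser are enough to hide a product on the vulnerable path; on the hardened path they are all rejected, and only three distinct genuine accounts put a product in front of a reviewer.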

Page 10

This was so easy. Really bad code.

• An enumerated list of gay book product IDs:

Page 11

Reported all gay books as inappropriate thousands of times.

• Put a hidden iframe on many websites that did a 302 redirect to the report-as-inappropriate function.

• Used cookies from bot-registered Amazon accounts to report it myself.

• Net effect: you couldn’t search for gay faggot books on Amazon anymore.

Page 12

What next? Make markets react.

• Contact gay bloggers, say Amazon was censoring homosexuals: #amazonfail

Page 13

This bug was stupid.

• I couldn’t have ever sold it to anyone.

• Amazon wouldn’t reward me for reporting it.

• Objective market value was $0.

• But I used it to drop Amazon’s market cap by $3.2 BILLION for long enough for a short position to be profitable.

Page 14

2010: Second Fortune 500 attack

• June of 2010, first Apple iPad 3G released, exclusive to AT&T.

• The iPad billing/registration server answered a simple HTTP GET with no authentication.

• The integer in the URL is the integrated circuit card identifier (ICCID), the unique ID of the device’s SIM.

• It takes an ICCID and returns the email of the registered user.

Page 15

Oops.

• Apple and AT&T made this for convenience: when you visited the billing site it would automatically fill in the email for your device so you could log in faster.

• It’s just an HTTP GET, and the ID is just a number. What they really did was publish a complete list of iPad users on the Internet.

Page 16

Exploitation

• Once again, very simple. Numerical IDs are in sequence. As simple as: let count; while true; do curl $i; done.

• I have a full list of Apple iPad 3G owner emails and the corresponding ICCIDs.

• What can I do now?
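From the defender’s side, the loop described above leaves a distinctive trace in the web server’s access log: one client walking consecutive IDs on an unauthenticated endpoint, with a share of misses for IDs that do not exist. This added example (not from the talk, Apple or AT&T) flags such clients in constructed log lines; the /account?iccid= URL shape, the addresses, the IDs and the run threshold are assumptions, since the slides only say the integer sits in the URL.

```python
import re
from collections import defaultdict

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
ID_RE = re.compile(r'[?&]iccid=(\d+)')  # assumed parameter name; the slides only say "integer in URL"

def build_sample_log():
    """Constructed log (common log format): one client walking six consecutive IDs,
    two ordinary clients fetching their own device. Addresses and IDs are made up."""
    line = '{ip} - - [08/Jun/2010:10:00:{s:02d} +0000] "GET /account?iccid={i} HTTP/1.1" {st} 300'
    rows = [line.format(ip="203.0.113.7", s=n, i=89014100000000100 + n, st=200 if n % 2 else 404)
            for n in range(6)]
    rows.insert(2, line.format(ip="198.51.100.4", s=2, i=89014100000004242, st=200))
    rows.append(line.format(ip="192.0.2.9", s=7, i=89014100000007777, st=200))
    return "\n".join(rows)

def longest_consecutive_run(ids):
    """Length of the longest stretch where each ID is exactly the previous one plus 1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def detect_enumeration(log_text, min_run=5):
    """Per client IP: request count, 404 count and longest consecutive-ID run;
    a client is flagged once its longest run reaches min_run."""
    ids_by_ip, misses = defaultdict(list), defaultdict(int)
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw)
        idm = ID_RE.search(m["path"]) if m else None
        if not idm:
            continue  # not a request to the endpoint of interest, or an unparseable line
        ids_by_ip[m["ip"]].append(int(idm.group(1)))
        misses[m["ip"]] += m["status"] == "404"
    report = {}
    for ip, ids in ids_by_ip.items():
        run = longest_consecutive_run(ids)
        report[ip] = {"requests": len(ids), "not_found": misses[ip],
                      "longest_run": run, "flag": run >= min_run}
    return report
```

The same check belongs at the application layer too: an endpoint that returns account data for a bare integer should require the caller to be authenticated as that account, which removes the enumeration outright rather than merely detecting it.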

Page 17

Risk assessment

• If I were a bad guy, I would send a Safari exploit to every iPad (and we had one).

• The IMSI can be derived from the ICCID (unique to AT&T), which would allow for IMSI catchers and man-in-the-middle attacks.

• Targeted advertisements: iPad accessories.

• I could do any of these things, but I’d rather do the right thing and change the world.

Page 18

Public disclosure.

• We had a name from an offensive Internet meme: Goatse Security. If you have not heard of the Goatse meme, do not look it up.

• “Subsidiary of” GNAA troll organization

• Adds embarrassment for AT&T and Apple.

Page 19

I disclose the issue to a journalist.

Page 20

If you want to change the world: social sophistication is as necessary as technical sophistication.

Page 21

Surprise! I

Page 22

Now the hard part comes

• Kidnapped thousands of kilometers to foreign territory, beaten by US Marshals along the way

• The parts of America that the feds bring you to are hell on earth

• Banned from the Internet for years

Page 23

Liberty must be defended.

• I accessed a public webserver and told a journalist about what was on it.

• This is unequivocally not criminal activity.

• If accessing a public webserver is a crime the Internet only contains criminal activities.

• None of this mattered to American courts.

Page 24

Page 25

Free at last

Eventually a higher court admitted my conviction was based on lies from the FBI and DOJ and violated my rights.

Total time lost: 39 months

Page 26

Let’s do more of this.

Page 27

Have it your way USA, I’ll go.

Page 28

August 2016: methods are mainstream

• Muddy Waters is now using software vulns for financial intelligence.

• The FBI said my desire to short-sell off of a vuln was evidence of criminal intent, and now it is a common industry practice.

Page 29

2016: Latest nation-state attack

Page 30

Takeaway

• Technology enables agile individuals to act with more efficacy than the world’s biggest empires.

• Every day that goes by, smaller entities grow more effective than big entities.

• Be relentless; you’ll eventually be proven right and see your positions legitimized.

Page 31

Fin.

@rabite

weevlos

weev0

weev