Presente Lisbeth Salander, la punk-hacker-scoppiatissima eroina della trilogia Millennium di Stieg Larsson (Uomini che odiano le donne, La ragazza che giocava con il fuoco, La regina dei castelli di carta)?
Nei libri se la cava alla grande come hacker e, aiutata da alcuni compari, riesce ad infiltrarsi serenamente nei PC di tutti, amici e nemici.
Vanity Fair ha avuto la bella pensata di chiedere ad un vero hacker (Kevin Poulsen, ex hacker passato dal lato oscuro della forza alla rubrica Threat Level di Wired) se e quanto le sue imprese fossero verosimili.
L’intervista è interessante, sopratutto la parte finale in cui Kevin valuta da difficoltà di azioni tipo lanciare un missile nucleare, cambiare il vincitore di un Oscar etc, la metto nello spoiler:
Anyone who has read the late Stieg Larsson’s vastly entertaining Girl With … novels knows that the titular character, Lisbeth Salander, is a hero for our Internet-addicted era: a virtuoso hacker who uses her near-omnipotent mastery of cyberspace to compensate for her generally appalling social skills. Again and again, Salander breaks into closed corporate networks, acquires off-limits records, and all but effortlessly gains open-ended access to hard drives belonging to friends and foes alike.
All of which got me thinking, Holy crap, can hackers really do all this stuff? So I placed a call to Kevin Poulsen, a reformed “black hat” hacker who now edits Wired.com’s Threat Level blog. Poulsen, who once rigged a radio contest so that he would be guaranteed to win a Porsche, was kind enough to assuage some of my fears (no, a hacker probably won’t arrange for Snooki to win best actress) while reinforcing quite a few others. With the Swedish film adaptation of The Girl Who Kicked the Hornet’s Nest due in U.S. theaters tomorrow, VF Daily presents an edited transcript of our chat.
Michael Hogan: Is there anything that Lisbeth Salander did that struck you as implausible?
Kevin Poulsen: The interesting thing is, everything that she does is completely plausible—it’s the way she does it that is for the most part completely nonsensical as a technical matter.
Can you explain?
Well, she uses a device given to her by her other hacker buddy—she puts it over the co-ax cable of the corrupt financier, Hans-Erik Wennerström. The entire description of how that works and how she uses it to get control of his computer is just a fabrication. She describes taking his computer and basically setting it up so that when this guy thinks he’s logged in using his computer, he’s actually using her server—and she’s able to monitor everything.
That isn’t how it would be done. But you certainly are seeing these days attacking somebody’s P.C. instead of attacking their server, and logging their key strokes and all of that. This is exactly what the hackers are doing right now. That’s what they are doing in financial crimes in particular. When you get down to the technical details, it’s all very fictional. But the actual capabilities are all completely real.
Did any of the details ring true to you?
One thing I liked about it is that the amount of work put into the various hacks—the proportionality of their work versus the payoff and all of that—is about right. You always have this problem in fiction dealing with hackers: the authors make the most farfetched, complex, and elaborate plots seem as easy as the trivial ones. You know: “The hacker sat down at the keyboard and transferred $5 million into the bank account in a few keystrokes.” Larsson didn’t do that. The big caper at the end of The Girl With the Dragon Tattoo, where she is pulling all the money from the bank accounts, is portrayed in exactly the amount of effort that would be required for something like this.
So in some ways, the book predicted what are now common cyber-crimes?
Yes—like with Wennerström. At one point, while she’s looting his bank accounts, it’s described that there was software on Wennerstrom’s machine that, when he checked his bank account balances, or bank activity online, would show that there was nothing taking place—while in reality, the bank accounts were being sacked.
The book actually predicted, in that respect, something that is going on right now. Just in the last year, hackers have begun using software that, if you get it installed on your machine, will not only be able to take over your online banking, but will also mask itself—it will rewrite your bank statements on the fly as you look at them on your P.C. This is to disguise the fact that transfers are going out from your bank account. So that was actually a really nice prediction of a technique that is actually being used with great success right now.
“Nice” is one word for it. What about the way she is able to keep tabs on everyone’s computer that she is interested in? Is that pretty simple to pull off?
That is the most common type of hacking currently going on. The easiest way it’s done is to trick a victim into running what they call a Trojan Horse program. The hacker can see everything that you can see on your screen, as well as do things that don’t involve your screen and that you can’t see. They could rummage through your files and go back out through your Internet connection to do other bad things.
And that’s Hacking 101.
Yeah, that’s Hacking 101. These days it’s extremely organized and automated. Hackers have networks of—in some cases—5 million or more hacked computers, all around the world that they can control either individually or in unison. They’re called botnets.
They could have all the computers scour their hard drives for financial data and send it. They could have all the computers simultaneously flood a Web site with traffic in order to take down the Web site. A substantial number of machines around the world are secretly owned by hackers in this manner right now. So that was completely feasible.
Is there any way I can find out if my machine is secretly owned by hackers?
Anti-virus software will catch a lot of it, eventually. But your machine might be owned a little bit for a while before it detects it.
So is the average person’s machine owned by three different hackers right now?
A lot of peoples’ are, yeah. It depends a lot on how vigilant you are in keeping your software up to date. Having the latest Windows updates and patches and having anit-virus software helps. These attacks tend to go for the low-hanging fruit. They’re going for quantity rather than quality. If your security is O.K., then you’re far less likely to be victimized—but it still can happen.
In the book, Salander is portrayed as a hacker and as a romantic figure. There is something very “lone gunman” about these characters—is that your experience?
These days, most computer intrusion is profit-oriented, but they do have an extremely high level of technical sophistication. It’s more like organized crime than it is the tradition romantic figure, as you described it, and it’s mostly coming out of Eastern Europe. The sub-culture that you saw in the ’80s and ’90s, of teenage hackers seeing what they can do, exploring and playing around—that’s very much in the background now. There is not nearly as much as that, as proportion of total hacking.
Is it dangerous for a kid to get into hacking now? More dangerous than it was in your time?
Dangerous in terms of prosecution?
Not necessarily. Are you more likely to be sucked into a certain underworld? There’s something very beautiful and innocent about the hack you did, where you won the radio contest and got the car. If there is a big organized-crime scene now, I imagine hacking today has a more sinister aspect.
If you’re a hacker that shows talent, you could wind up being pressured to get involved in this sort of thing. Temptation is far more likely than threats or pressure to pull a hacker into this. You can just make so much money so easily and with so little risk—particularly in the Eastern European countries, where they are lagging in prosecuting these crimes. For many years, hackers in Russia and former Soviet states have been operating with near impunity—and making, in some cases, millions and millions of dollars.
What’s a book that describes what it’s really like to be hacker?
Kingpin by Kevin Poulsen, due out by Crown in February.
There you go.
As far as I know, it’s the first book that’s really taken a detailed look at the history of hacking, by telling the story of a particular hacker who started off as that romantic figure—and wound up getting into the whole sophisticated criminal thing.
No, it’s a true story.
It is not. It’s about a hacker named Max Vision, who was once a white-hat hacker very respected in the computer-security world for using his skills to help people secure their networks. He wound up getting busted doing a kind of innocent romantic hack, and while he was in jail, he met serious hardcore white-collar criminals. He hooked up with them when he got out, and embarked on a crime spree that got him 13 years in prison.
That sounds really good. And now, if you’ll bear with me, I want to put a couple of scenarios to you and you can say whether they would be easy, medium, or hard to pull off. First: Gaining complete access to the contents of another person’s computer.
It depends on the person, but for the average target, that’s easy.
Siphoning money out of a series of shell companies and transferring it to a Swiss bank account.
How much money?
A few million.
A few million? Um, medium.
Remotely shutting down the security cameras in a bank.
That’s farfetched, but when it’s possible, it’s medium to hard.
Publishing your own message to the world on the homepage of The New York Times’ Web site.
Beaming your image onto the Jumbotron at Yankee Stadium.
It’s too specific to give an accurate appraisal, because we don’t know the configuration of their Jumbotron. We’ve seen pranks where digital billboards have been taken over—it’s one of those things where hitting a specific target like the Jumbotron at Yankee Stadium could be hard or even impossible, but if your goal is to hit just any vulnerable Jumbotron, then it drops down to feasible and probably medium level of difficulty.
Shutting down the Northeast power grid.
Hard to impossible.
That’s a relief. Fixing the Oscars.
You mean they’re not fixed?
/Well, fixing them to your own liking.
I would expect that would be hard to wholly impossible.
Launching a nuclear weapon.
I was afraid you were going to say easy.
So, so, so many layers of security are around that.