White Hat Hacker Contacted a Man Through His Security Camera

Or, due to the publicity, NEST push out an update or take other steps to increase security?

It sounds to me like you intensely dislike someone having an opinion that differs from yours. Good luck with that.


Wait, which is it?

His only legal recourse really would have been to inform NEST - what do you think the chances are that they'd do something about it?

Not at all. I'm fine with differing opinions. But when someone condones illegal actions, unethical behavior, etc., because they see some "greater good," I start looking very hard at what's going on. There are a lot of people out there today who seem to think that when someone else does something that they feel is wrong, that it's a justifiable reason for doing more wrong. And what's more, others are accepting these excuses and giving them a pass for their own transgressions.

I don't think that anyone can objectively look at this and not see that the researcher took liberties that he didn't need to take. At the very most you can say that he at least motivated the man in Arizona to change his passwords on his computers and maybe some accounts. Not a bad thing except that he could have just sent the man an email. If the man's personal information really was compromised the researcher could have added a link to the information if he wanted to open the guy's eyes. He did not need to violate the man's camera system in order to help him out if that was his motivation.

But if his motivation was to try and make a "splash" and as you said, create publicity to motivate NEST into fixing their vulnerabilities, are you sure the vulnerability is in NEST's software, or is it a problem in other code that is licensed or free for NEST to use?

Are there other camera systems like NEST's that don't have the same vulnerabilities? If so, why the difference?

Maybe you should look at how NEST works with real Security Researchers:
https://hackerone.com/nest
If you’re a security researcher and think you’ve found a security vulnerability, we want to hear about it right away. We ask that you give us a reasonable amount of time to respond to your report before making any information public. Please don’t access or modify user data without permission of the account owner and act in good faith not to degrade the performance of our services (including denial of service). If you comply with these requests, we won’t take legal action against you.

https://nest.com/support/article/KRACK-vulnerability

http://fortune.com/2017/03/07/nest-thermostat-security/

I think this doesn't sound like Alphabet isn't doing anything about their security issues with NEST products. In fact, as I read the article again, I come to realize that this White Hat didn't actually hack the camera, or exploit a vulnerability, he used a password that he got from hacked passwords gained from websites with poor security. He used a known password from compromised third parties, no vulnerability at all was exploited in the NEST camera. He lied to this man, he wrongly convinced him to shut off his camera. He could have just told the guy that one of his passwords was out there and he should change his passwords.

Tell me I'm wrong.
Strictly speaking, a hacker is anyone who, say, reprograms his car computer or finds out ways to use devices which they weren't originally intended for. Hacking is not just breaking into other people's systems.

Standard English definition is - a person who uses computers to gain unauthorized access to data.

This was the work of a white hat hacker. He gained unauthorized access, and then instead of doing something bad he notified the homeowner. This is pretty cut and dry.
 
Standard English definition is - a person who uses computers to gain unauthorized access to data.

This was the work of a white hat hacker. He gained unauthorized access, and then instead of doing something bad he notified the homeowner. This is pretty cut and dry.


A white hat would never gain unauthorized access. A W.H. would be like a pentester who was given explicit (written) permission, or someone trying to hack their own equipment. This would be gray hat actions, where he did violate the law, but without malicious intent. If anyone can find any more actual FACTS about this one way or the other, that may change. But based on the limited information posted here, his actions fall under the gray hat label.


And I'm loving the posts that say we don't know his intent, then make arguments based on their own assumptions. My comments are based on the information provided.
 
Gaining unauthorized access = illegal and unethical = not a white hat

If the guy contacted this security guy and said "Hey, I just put in a Nest camera, can you see if it's accessible from the internet?" and then the guy got access, he'd be a white hat.

Snooping the internet for open shit that isn't yours that you haven't been given explicit permission to access = illegal according to current law
 
A white hat would never gain unauthorized access. A W.H. would be like a pentester who was given explicit (written) permission, or someone trying to hack their own equipment. This would be gray hat actions, where he did violate the law, but without malicious intent. If anyone can find any more actual FACTS about this one way or the other, that may change. But based on the limited information posted here, his actions fall under the gray hat label.


And I'm loving the posts that say we don't know his intent, then make arguments based on their own assumptions. My comments are based on the information provided.


I am really liking the way you work here. This article, like so many that we bat back and forth on, lacks essential detail and verification. Many of us are guilty of making assumptions on those details that fit preconceived viewpoints on issues.

The article says that the hacker made a few claims:

A. That the man's personal information was already compromised and on the internet
B. That he used a password from his data that had been exposed from a hacked 3rd party website
C. That he had no malicious intent, didn't mess with this man's systems or data, etc
D. And that his NEST device was vulnerable
E. That the "White Hat" is a member of Anonymous and is a Canadian citizen

How much of this do we take as fact when any, or even all of it, could be fabricated?
 