back to article So you're thinking about becoming an illegal hacker – what's your business plan?

It's something every aspiring crook needs to consider before they attempt to break into the world of cyber-crime: what's the business plan? Fortunately this week, a couple of pointers have emerged thanks to miscreants who broke into production company HBO, and the ongoing US federal case against Michael Kadar, who allegedly …

  1. corestore

    "The basic difference is this: hackers build things, crackers break them.

    If you want to be a hacker, keep reading. If you want to be a cracker, go read the alt.2600 newsgroup and get ready to do five to ten in the slammer after finding out you aren't as smart as you think you are. And that's all I'm going to say about crackers." - ESR

  2. lglethal Silver badge
    Go

    Wow

    I have no doubt that the IT guys at HBO got one hell of a kicking after the stuff was released, but lets look at this, a hacking group was willing to invest 6 months and at least half a million Dollars (not counting the labour costs they invested in that 6 months) on a dedicated hack of HBO. Defending it were (I'm guessing) a relatively small team of IT folk on the lowest wages HBO could get away with, and a Budget dedicated for use on security which was almost certainly less than a million a year.

    Surprised they were hacked? I'm more surprised it took that long. So actually maybe the IT Team did a good Job, but you can only play whack a mole so often before you miss one...

    1. Tom 38

      Re: Wow

      a hacking group was willing to invest 6 months and at least half a million Dollars

      Allegedly; for all we know they spent half an afternoon and £5 and are just trying to justify what they are asking for

      1. Anonymous Coward
        Anonymous Coward

        Re: Wow

        On the other hand, it might have taken six months but not full time. They probably already have full time jobs, or something to make them money on the side while they're trying to get into HBO. Maybe they try what they know and fail, but figure out a few things about HBO's setup so they ask some other black hats "hey anyone have a hack for xxx" and every week or so they try another method, or learn something new that leads to different avenues to pursue. They might take a few days on a particular attack, but it will just be a script running against the target. It isn't like someone is going to need to be there driving it.

        The "$500,000" investment they made has to be their time. I can't see how you could spend that kind of money, unless you were buying gobs of cloud computing time to try to crack a password. Maybe they did actually spend that, if they are also credit card fraudsters who aren't spending their own money.

  3. David Roberts
    FAIL

    The threats

    Didn't seem worth the money.

    Early release (spoilers) is still publicity.

    1. hellwig

      Re: The threats

      Content producers have learned fans are fans and pirates gonna pirate.

      There's an argument against the supposed losses pirates inflict which basically goes "If a pirate is willing to pirate they probably were NOT going to pay in the first place".

      How many people who are actually fans of GoT, and therefore pay HBO a monthly subscription, would even bother going to an illicit site to download video or scripts (and potentially who knows what malware or viruses)? Just wait a couple days and watch it at your leisure via live TV, on demand, DVR, or streaming app.

      Sure, Sony got hacked and then decided not to release "The Interview", but they made their money back on the movie with legitimate streaming and home sales anyway (and really, did they expect a blockbuster with that movie)?

      TV shows and movies are not so sensitive that a studio is going to give up millions of dollars. You have to go after really sensitive data if you want to make a dollar. Private financial records of some shady corps like Halliburton or medical records stored by supposedly trustworthy third parties (please, no more hospitals). In some instances, even the fact that you hacked them is a profitable piece of information.

    2. Brian Miller

      Re: The threats

      Early plot release doesn't jeapordize income. The income is from advertisers. If they found a way to drive off the advertisers, then that would be a threat. As the hackers found out, scripts be themselves aren't worth anything.

  4. Anonymous Coward
    Anonymous Coward

    Business model

    A couple more complications for the budding evil hacker:

    a) An exit strategy - specifically, when you're going to say, "that's enough, I've made sufficient, I think I've got away with it, now I'll destroy all the evidence I can, and give up my life of crime and become a mysteriously wealthy but law abiding citizen". This is a key failing for all types of criminal, they never know when to give up, and keep going until they get caught.

    b) Money laundering capabilities. Easier said than done, and Bitcoin and other blockchain currencies are not as anonymous as Kadar and the masses may think. And even if you can anonymously collect your "earnings", how do you hide and then spend that sort of money without appearing on the Fed's radar?

    1. a_yank_lurker

      Re: Business model

      About b) - Banks and other financial institutions are often required to report various types of transactions to prevent money laundering.

      1. LaeMing
        Boffin

        Can't spend it.

        I once spent a walk home from work thinking about if I found a big bag of money on the side of the road, how much I could spend without raising flags. My weekly groceries and a few bits and bobs from local shops for cash was all I came up with. Too much of my big-item shopping is necessarily via online or directly bank-to-bank these days, so the money would have to be fed through a bank account indexed to my tax file number. An initial new-home-appliance glut of 10k, then a further 10k a year if I was trying really really hard is the best I could do.

        (I'm too geeky to have any interest in handbags or shoes or other stupid wastes of money beyond the pragmatic.)

  5. Doctor Syntax Silver badge

    "Obviously, using pseudonyms is a must. Changing them frequently is also an excellent idea, even though it may entail additional work on your part."

    Using a pseudonym associated with a security researcher could be a good wheeze (see framing someone else).

    1. Flocke Kroes Silver badge

      Are there any security researchers left in the UK?

      I thought May made security research illegal.

      1. Anonymous Coward
        Anonymous Coward

        Re: Are there any security researchers left in the UK?

        That would explain why a UK rag is running an article about transitioning to illegal work...

        Honestly, it sounds like a crap job. It's boring, repetitive, low-paying unless you hit the jackpot, which is unlikely now that everyone's doing it, and there's nothing quite like watching your back 24/7 always wondering which of your coworkers is an undercover cybercop.

  6. Version 1.0 Silver badge

    6 months? It was probably automated.

    Most weeks I have someone taking a shot at an account on our in-house email system, it's automated, the incoming IP addresses change every time but the target stays the same and the passwords are cycled. Plus there's the daily batch of "invoices" that are overdue, links to follow because "email has been suspended" and "orders" written in javascript - I would expect that the HBO attack was run in a similar fashion and then one day they got lucky.

    1. TheElder

      Re: 6 months? It was probably automated.

      No doubt about that. I get shit like that in my server log constantly. I also leave one e-mail address a bit more open than the others so I can see what they are up to. There is code I could post here but I won't of course. I was just talking with a young lady about updating my net phone and she was just recently wiped out by the wanna die. I instructed her on how being curious can kill the cat.

  7. Pascal Monett Silver badge

    Spread the risk

    Good for the financial side, disastrous for security.

    Secrets are best kept between one person. Adding another one is a risk. Adding a third is a liability. After that, you can be sure that someone will squeak - especially if the law is breathing down your necks. Someone will break, and then you're all screwed.

    Although I admire the intellectual knowledge required to find ways into a network you are not supposed to access, I have only contempt for people who do that with the intent of extorting money. It is good to see that at least some of them are getting caught.

    1. Flocke Kroes Silver badge

      Correct number is three

      Act as a man in the middle between your colleagues and pretend to each that you are the other. On retirement day dob them both in and hope they blame each other. Get it right and it still works if both your colleagues are doing the same, even if one of them retires first.

      1. Anonymous Coward
        Anonymous Coward

        Re: Correct number is three

        You got a TV series idea there... I wonder if HBO is watching.

  8. nickx89

    HBO don't need to pay anyway.

    For such crackers, what's the point of working till you get jackpot? You will be living your lives in fear of being caught and sentenced. Moreover, taking risks is another story. HBO don't need to pay anyway because people sees one episode on Sunday regardless of it being leaked.

  9. Anonymous Coward
    Anonymous Coward

    Targets like HBO make the headlines, but it's not where you can make money from. Other targets may have better reasons to pay than a script or episode.

  10. Anonymous Coward
    Anonymous Coward

    I've got a hackery trick I'm now prepared to share with you all...

    It's easy. For every website you visit, simply add the following to the end of the URL, depending on the sort of site you're visiting:

    1. A bank or building society:

    ?source_account=yours&destination_account=mine&money=all

    2. A newspaper:

    ?celebrity_name=paris%20hilton&reveal_all=yes&show_nude=yes

    3. Any eCommerce site (also works with banks):

    ?decrypt_all_passwords=true&list_credit_cards_and_pins=true

    4. A government site:

    ?credentials=theresa%20may

    5. Any school:

    Robert'); DROP TABLE students;--

    Posted as A/C, for obvious reasons. Please leave one bit coin in a paper bag under the arches if successful.

    1. Sir Runcible Spoon

      Re: I've got a hackery trick I'm now prepared to share with you all...

      What does a bitcoin actually look like then? Are they like Ningy's ?

      1. Number6
        Coat

        Re: I've got a hackery trick I'm now prepared to share with you all...

        Something like this?

        OK, mine's the one with the toothbrush in the pocket.

    2. LaeMing
      Unhappy

      Re: I've got a hackery trick I'm now prepared to share with you all...

      1 bitcoin? At today's rates? Sheesh!

  11. TheElder

    Are they like Ningy's ?

    No, a Ningy is a form of fiat currency as is a PU. Bitcoin is imaginary.

  12. WinHatter
    Pint

    Isn't HBO a bit too visible ?

    First rule of business when you do something illegal : keep it quiet.

    Don't go HBO, don't brag and if it fails don't release your treasure trove as you are losing all leverage and creating yet another trail.

    You need to be reasonable and forgettable.

    Gimme a bitcoin worth of beer so I can forget all about it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like