A challenge for “hackers”

After encountering a bug and finally finding a work-around, I documented the circumstances and fix and posted it here.  A day later, I found that the page had been defaced and all that remained was a message to the effect of “HACKED BY TINYNUTS”.

It turns out, the version of WordPress used on the site (4.7.1) needed to be upgraded to 4.7.2 because of a content injection vulnerability in the JSON REST API (which I don’t use but is enabled by default, ugh).

Though I’d solved my own problem with that mystery bug, I still took about an hour to collate all the info and the fix and then prepare a blog entry in the hopes that it might be useful to others facing the same issue.  When I do things like this, I’m not expecting anyone to give me a high-five and buy me a beer (though I’m always open to either).  Still, you’d think that the worst response I might expect is simply to be ignored, rather than having my efforts summarily destroyed for no particular reason.

Dear “hackers”, I am not Goldman Sachs, or McDonald’s or the military-industrial complex.  I’m just a guy who thinks that we can move forward if we share our findings and work together, which is why I post open source software, hardware projects and information on solutions I encounter.  So when you show up and attack my website, you are not the Che, or Neo or even a hacker by any definition.

A hacker is someone who enjoys exploration, finds creative solutions and actually produces things.  Using some script, exploiting a vulnerability someone else has found, just doesn’t fit.  You’re acting more like someone who leaves a graffiti tag in an alley, which is basically nothing at all and impresses pretty much no one.

The Challenge

I think your energy and creativity are being squandered pissing around like that.  If you’re interested in security, there are tons of Capture the Flag games online where you can hone your skill and have some fun.

It’s true that the version of WordPress here was lagging, so if you really want to play with live sites you could have actually contacted me and let me know.

So here’s a little challenge. Even if I doubt it, I hope you’ll accept–it might prove illuminating.

I challenge you to go to 3-5 random people (not script-kiddies defacing websites, people who actually make or do things that serve a purpose) and carefully explain what you do (maybe you should say “a guy I know”, rather than saying it was you).  Use a concrete example, like what happened here, so:

  • explain that there was a bug in some open-source and free software, found by someone else;
  • describe where you got the script you used (probably made by someone else);
  • describe the target site, a personal blog where some random guy releases software and information for free;
  • describe the post that was defaced–a solution for a problem other people may have; and
  • tell them the useful information was replaced by “HACKED BY TINYNUTS” (you may change the handle for your own, if you like)

Once you’ve done all that, ask them whether they feel this picture accurately depicts the “hack”:

I’m betting most people will agree that it’s a pretty accurate metaphor.

Should you actually do all that, and find that people think it’s a worthy endeavor, then I’m the one who’s confused so feel free to keep up the good work.