The main difference between a hacker and what’s known in the trade as a cracker is THEIR REASON FOR DOING IT
And that the password is robust: more than eight characters, letters, numbers, symbols NOTHING PREDICTABLE, LIKE YOUR NAME FOLLOWED BY 12345
I’m sure you know what you’re doing. You have different passwords for your mail, Twitter, Instagram... and change them frequently. And you’re on the ball when it comes to the permission you grant apps, and you would never think of trying to steal your neighbours’ wi-fi data. Yet, cybercrime is real. The net, like everything else, can be used for good or evil. And we can’t be naïve about these things. Deepak Daswani, an expert in cybersecurity, has been in Barcelona presenting his book published by Ediciones Deusto: The Hacker Threat. In fact, he himself is a hacker. Careful though, as hacker is not synonymous with someone who acts with bad intentions, or what’s known in the cybersecurity world as a cracker.
The term hacker is often still used to talk about people acting in bad faith. Dictionaries sometimes even only use that connotation of the term. Can you clear it up for us?
The main difference between a hacker and what’s known in the trade as a cracker is their reason for doing it. Hackers are people who obviously want to go further, want to break the boundaries of technology, want to enter where they are not allowed to, but their motivation is the personal challenge. What they have is a thirst for knowledge, a passion for furthering some field, making progress in the knowledge of any matter. In the most romantic sense, it could be applied to science or to arts, politics, economics... Being a hacker is an attitude, but obviously it’s associated with the technological field, because it was first conceived in this world.
It’s being curious.
Curious, restless. The term hacker defines a person who wants more than to just send hearts through WhatsApp, one who wants to gain advanced knowledge of technology, break barriers and identify holes in security, with the goal of strengthening technology, making systems more secure, proving their ability. Then, those who use this knowledge, the fruits of the research by different hackers to do evil, they are cybercriminals.
The line that separates the two is a very thin one. Explain to me how this works with detecting security problems and notifying companies of them.
Yes, it’s a very thin line... Especially when you investigate a security problem and you think you’ve identified one in an organisation and you decide to inform them so they can remedy it. Let’s take a closer look. There are large companies, such as Google, Yahoo and Apple, which have reward programmes, and there are more and more small companies that are hacker friendly. They thank you for reporting the vulnerabilities, because it’s as if you were doing a free audit.
Hackers would leave it there, without looking for any economic recompense from the find. You don’t look for a reward, then?
When you identify a security problem in an organisation without them asking you to, you hand over the information so that they can correct it without looking for anything in return. There are cases whereby you inform them and they thank you, and there are other cases in which you inform them and they don’t listen to you, and then it’s a disappointing experience.
You’ve had some disappointing experiences, like the one with the Club Deportivo Tenerife website, as you explain in the book. Any others?
I had one related to a sports centre app. A company in Almeria developed an app for gyms. My gym’s on it. I investigated it and found that you could hack into the reservation system for activities, and that it was vulnerable to certain attacks via wi-fi... The most critical of all, however, is that you could access all the training routines of users of the app: name, surname, coach, routine. Imagine the number of gyms that use the app, around 1,600! That’s about 10 million potentially affected clients. The most serious thing are other data beyond the activity routine. The data contained in the client’s report, with a photo included, which is done periodically after reviewing their physical progress: metabolic age, body fluids, percentage of fat, body mass index... I could access my report and those of the other 10 million users. I don’t care if anyone sees my report, the results are good! But joking aside, the reports contain private, sensitive information. I informed the company and explained that critical information was being exposed.
One thing that is clear from your book is that perfect security does not exist. And, in fact, if there is cybercrime it’s because someone has not protected themselves.
Yes. There is cybercrime because there is a vulnerability somewhere, a technical or human error.
We’re all vulnerable, starting with those who use the same password for everything and never change it.
Start changing your password!
We are very exposed!
Yes! We are all vulnerable: users, individuals, organisations, small and large, governments, states... We are all, by using technology, exposed to a series of risks. And what is safe today may not be tomorrow, because someone can uncover a security problem and take advantage of it. Exploits [programs designed to attack systems, devices or technologies once a vulnerability has been detected] are one example, but there are a lot of risks that can be avoided if you follow the code of good practices that I propose, and you can then live with relative confidence in your level of security.