Share this post

🔑 Key Takeaways

  1. Passion and curiosity can lead to unconventional thinking and unexpected outcomes. By viewing things in a different way, like how Samy Kamkar saw computers as puzzles to solve, we can create something new and impactful.
  2. Samy's curiosity and experimentation with game hacking led him to gain extensive knowledge of software networking, but also resulted in dropping out of high school.
  3. Pursue your passions, take risks, and be open to new opportunities to learn and grow. Don't be afraid to face challenges if it means creating something meaningful and fulfilling.
  4. Samy's ability to exploit vulnerabilities in web applications highlights the importance of addressing and fixing such issues to prevent unauthorized access and manipulation of data. It is important to regularly update and secure web applications to protect against hackers.
  5. Creating a virus unknowingly can lead to significant damage and is hard to control once it spreads. In the age of the internet, being cautious and responsible with online content is essential.
  6. Curiosity in programming can lead to unintended consequences. It is important to be cautious with programming tools as even a small experiment can have significant ramifications.
  7. As a developer, it's important to be responsible and think before taking actions that could have serious consequences. Samy learned this the hard way after accidentally taking down MySpace and facing the possible consequences of his prank.
  8. When facing legal challenges, it's important to mentally prepare and know the outcome. Honesty and transparency are essential, even in difficult situations.
  9. Losing everything can be an opportunity for growth and self-discovery, leading to valuable life lessons and a new appreciation for what we may have taken for granted.
  10. Samy demonstrates that ethical hacking and continued research can improve the security of vulnerable systems. Using simple and inexpensive devices, he shows that these attacks can be easily performed, but also educates vendors on safety measures.
  11. Processors use varying amounts of power for different instructions, which can be measured for secret key recovery. Cookies can be stored in various locations on a user's device, allowing websites to track them even after cookie deletion.
  12. Evercookie helps modern browsers protect user privacy by testing against tracking mechanisms. Skyjack aims to expose security risks in drones and encourage better security measures.
  13. The vulnerability of wireless drones can be exploited by unauthorized organizations. Public awareness is crucial to pressurize companies to resolve the issue. Consumer rights non-profits like the Electronic Frontier Foundation can provide support.
  14. Smartphone tracking through Wi-Fi MAC addresses poses a threat to online privacy and security. We must understand how our data is being collected and used to protect our privacy and be aware of the consequences of sharing personal information.
  15. Android and iPhones collect user data through WiFi MAC addresses and GPS coordinates to create traffic data. This data can be exploited, so users must be aware of the privacy violations going on when using their phones.
  16. Openpath offers a modern, cloud-based, and secure solution for physical access using phone-based encryption and Bluetooth technology, making it more convenient and safer than traditional methods. Led by Samy Kamkar, Openpath aims to revolutionize the way we secure buildings.

📝 Podcast Summary

The Hacker Mindset: Unconventional Thinking and Unexpected Outcomes.

The hacker mindset involves ignoring the intended use of something and finding new ways to employ it, like how Samy Kamkar saw computers as a puzzle to solve. Samy's early fascination with computers led him to study programming and practice video games, eventually finding himself addicted to them. The story illustrates the power of curiosity and passion in leading to unexpected outcomes and unconventional thinking, as Samy's love for computers pushed him to explore beyond the usual user experience and led him to create the now-infamous Samy worm.

From Counter-Strike to Cheating and Beyond: Samy's Journey Through Software Networking

Samy learned about packet sniffing, memory injection, and intercepting function calls while playing Counter-Strike. He used this knowledge to create cheat software that allowed him to do things like automatically aim at people, remove smoke grenades, and add zoom to all weapons. However, he eventually got bored of playing the game and instead started playing against the engineers of the PunkBuster program that was designed to detect cheating. By trying to circumvent PunkBuster's detection methods, Samy learned even more about software networking and continued to update his cheats. This experience taught him a lot and was like rapid training for him, which ultimately led him to drop out of high school.

The Power of Passion and Persistence: Samy's Story

Samy's story emphasizes the importance of passion and persistence in learning and growth, as well as the value of seizing opportunities when they arise. He wasn't a good learner in school but learned to code on his own, and when a chance to work remotely came up, he jumped at it and eventually started his own company. Despite not getting paid at first, he was driven by his desire to learn and create something meaningful. Samy's story shows the value of pursuing what you love, even if it means taking risks and facing challenges, and the importance of being open to new opportunities and experiences in order to learn and grow.

Samy's XSS worm and the vulnerability of web applications

Samy, the creator of the first XSS worm, got bored and started playing with MySpace. He bypassed the photo upload limitation and the relationship status rules by exploiting the browser's interpretation of tags and executing JavaScript in a CSS tag. This enabled him to upload more photos and change his relationship status to In a Hot Relationship, which was not an option in the drop-down box. Samy's ability to bypass the MySpace restrictions showcased the vulnerabilities in web applications. His knack for finding loopholes in the system highlights the importance of addressing and fixing such vulnerabilities.

SAMY's Viral Mistake - The Danger of Unknowingly Creating a Worm.

SAMY created a MySpace worm unknowingly that spread quickly and led to 10,000 new friends. A virus that spreads itself like a worm is hard to remove, and it doesn't stop spreading easily. SAMY realized he wrote a virus and gets flooded with messages. It was time for him to do damage control. So, he e-mailed MySpace anonymously to delete the virus. One mistake like SAMY's can lead to significant damage, and viruses are hard to control once they spread. In the age of the internet, it's essential to be cautious and responsible with what you create and post online.

The Consequences of a Curious Mind in Programming

A small mistake can lead to unanticipated consequences. Samy's curiosity about the number of friends on his MySpace profile led him to create a worm that spread rapidly and ultimately brought down the entire website. Samy realized how big of a mistake he had made when the number of his friends started to grow exponentially, but by then, it was too late to stop the worm. He even considered going to the MySpace office to apologize but decided against it, fearing that he might end up in jail. The incident highlights the importance of being cautious when playing with programming tools, as even a small experiment can have significant ramifications.

Accidentally Taking Down MySpace: A Lesson in Responsibility

Samy accidentally took down the largest social network in the world but heard nothing back from MySpace or the police. Although he got famous, he learned a lesson. The secret service, the LA District Attorney's office, and the California Highway Patrol officials showed up at his place six months later. They suspected his new, fancy car was stolen. With his fingerprints all over the worm, he realized the gravity of his actions. He got lucky and didn't have to face any charges. He learned that playing such pranks was foolish and vowed never to do it again. The incident taught him to be more responsible as a developer.

Samy's experience with law enforcement and the legal system was challenging, but ultimately he was able to negotiate a plea agreement that resulted in no prison time. The experience made him realize the importance of knowing the outcome and mentally preparing, even for difficult situations. His livelihood and skills were dependent on his ability to use a computer, and facing a potential lifetime ban on computer use was scary. However, he was able to come out of the experience with a renewed appreciation for the importance of being honest and transparent, even in difficult situations.

Losing everything led to a new beginning for Samy

Getting into trouble with the law and losing everything may seem like the end of the world, but it can also be an opportunity to learn and grow. For Samy, losing his computer privileges forced him to try new things and explore the world outside of technology. He discovered new hobbies, made friends, and learned how to socialize. Although it was a difficult journey, Samy persevered and completed his community service, leading to the lifting of his probation and the ability to use computers again. This experience taught him valuable life lessons and helped him appreciate the value of technology in his life.

Ethical hacking with Samy

Samy, even after not being allowed to use computers for two years, continued to think about new exploits and ways to manipulate systems. He eventually started looking into hacking credit cards, specifically the NFC and RFID chips on them, but not with malicious intent. He wanted to show that the system was not secure and teach others about safety involved with these products. Even though vulnerabilities will always exist, Samy continues to research in an ethical and safe way, sharing his findings with vendors. He uses simple and inexpensive devices such as the two-dollar chip or an Arduino to show people that these attacks can be easily performed. The key takeaway is that through ethical hacking and research, the security of vulnerable systems can be strengthened.

Processors require different amounts of power for different instructions and this power usage can be measured using a phone's microphone. This measurement can be used to perform timing and power analysis to recover secret keys used for encryption. Additionally, cookies are a tracking mechanism used by web browsers that can be stored in various locations on a user's computer, including Flash cookies and HTML 5 storage. Samy created an open-source JavaScript library called Evercookie to demonstrate all the different ways data can be stored on a user's computer without their knowledge, making it easy for websites to track their users even if they delete their cookies.

Evercookie and Skyjack - Two Tools for Testing Browser Protection and Drone Security

Evercookie is a tool that is effective in testing the protection of browsers against tracking mechanisms like local storage. The tool is updated to incorporate new techniques, and it is a useful asset for modern browsers seeking to ensure user privacy. While some governments use Evercookie to track browser users, it is only effective on those who do not update their browsers or operating systems. Skyjack is an open-source project that aims to address security concerns around drones. The project allows for the hijacking and takeover of drones that lack proper security mechanisms like encryption. Skyjack seeks to highlight security vulnerabilities in drones and promote the implementation of better security measures.

Risks Associated with Wireless Drone Takeover

The vulnerability of wireless drones to remote takeover has always existed, and it is not limited to just the drones owned by Samy. There are potentially many organizations that have developed the necessary software and hardware to control a swarm of drones for their benefit without revealing it to the public. By demonstrating the issue publicly, Samy believes that it can provide the necessary pressure to the companies to resolve the issue. Releasing a proof-of-concept helps in highlighting the underlying problem with the protocol. Although Samy has faced cease-and-desist orders, he has been fortunate to receive support from non-profits like the Electronic Frontier Foundation that look out for consumers' digital rights.

The Dangers of Smartphone Tracking and the Implications of Sharing Personal Data

Samy discovered that smartphones were tracking their users through Wi-Fi MAC addresses. Google used this information from Google Street View cars to locate the MAC addresses and track their movement. Even encrypted wireless routers revealed their location. Android phones were potential wardriving machines, allowing Google to further expand their tracking. This revelation led to a class action lawsuit. Samy demonstrated how he could use this API to track website visitors without their authorization. This technological advancement raises concerns about online privacy and security. It is essential to understand how our personal information is being collected and used. We must be vigilant in protecting our privacy and aware of the implications of sharing our data.

The Privacy Concerns Surrounding Android and iPhone's Location Tracking.

Android phones are wardriving machines that collect WiFi MAC addresses and GPS coordinates, which Google uses to track location and traffic data. iPhones also collect and send similar data to Apple. Samy created a proof-of-concept app that could exploit this data and trick Google Maps into diverting drivers away from a route by simulating thousands of other Android devices reporting zero miles per hour. This highlights the underlying issue of users unknowingly sending their exact location to these companies, leading to Google and Apple appearing on Capitol Hill. Although they've resolved some issues, phones still collect this data and users should be aware of this violation of privacy.

Openpath's Revolutionary Secure Access System without Physical Cards

Openpath is a company that uses phone-based encryption and Bluetooth technology to provide secure access to buildings without the need for physical access cards. This technology is not only convenient but also more secure than traditional methods. Despite advancements in technology, security for physical access has not improved much in the last decade. Openpath aims to change that by providing a modern, cloud-based, and secure way of getting into buildings. With Samy Kamkar at the helm of this endeavor, it's clear that the company will continue breaking new ground in the field of technology, as they aim to make the world a more secure and convenient place.