Tinker, aka @TinkerSec, is a hacker who shares his experience on Twitter. In his most popular thread, he narrates a pentest he performed like a tale, with detail and intrigue. He’s also a co-organizer of the Dallas Hackers Association, a group of hackers who meet every month to talk about their latest achievements.
Interview published on May 21, 2019
Q. Could you introduce yourself in a few sentences?
A. I'm a hacker. Professionally, corporations hire me to hack into their computers and break into their buildings. As I'm able to do that, I show them how I did it so they can build defenses to prevent others from doing the same. I'm full scope, which means I hack into logical systems (computers, networks, web pages, mobile apps), physical systems (door locks, security access badges, industrial control system devices), and social systems (phishing folk through email, posing as someone over the phone, conning folk in person). I've built up, trained, and managed penetration testing teams and have hacked into systems and broken into buildings in the United States, Canada, and various places in Europe.
Q. How did you get into hacking?
A. This was a while ago... Windows 95/98 days. I think the statute of limitations has passed (joke!). I found an open network share in my high school that belonged to my high school registrar's computer. I found I could lay down a keylogger, edit win.ini to load the keylogger when the computer started, and capture the school registrar's username and password. Those credentials could be used to telnet into the school district's mainframe and access all student information and grades. I knew a guy that worked for the district's IT team. I showed him how I could do it. He thanked me but suggested that I let him know about things like that in the future before working the whole thing out! The issue was fixed and I had a peek into a different world!
Q. Did the hacker manifesto inspire you when you were younger?
Q. Social engineering is still the most effective way to hack a system, is there a specific case that had an impression on you?
A. I'd argue that default credentials are the most effective way to hack a system. No one changes the password and it's hard to detect the attack. When you SocEng a person, there's a record, a memory, of the interaction, even if it's a bit skewed. They can feel something wrong in their gut and tell a person in authority. But, you're right, Social Engineering is a very effective means of gaining initial access to a system.
I have a lot of stories around this, but one story in particular illustrates an interesting point. A colleague and I were in Italy and France, breaking into retail stores. We would pose as computer technicians and auditors from the corporate headquarters and tell the store employees that we were there to upgrade their computers before a big sales rush. We printed out fake authorization letters and business cards. I even managed to get ahold of official corporate apparel. We looked the part. Every place let us in and we gained access to all of the point of sale systems and even pivoted into the internal network.
Everyone except one. He stopped us cold and said he needed to call his boss. We tried to get around him but he wouldn't let us. He was very polite but firm. His boss didn't know us, so they called up and up the chain. Finally they got to the person who hired us and the test was over. We told him who we were and congratulated him, but he wasn't happy. He was angry. He was angry that we lied to him and that we weren't actually there to upgrade his systems. Here's the thing... he believed us. He fell for our con, but he followed his internal policy and procedure which stated that he needed to verify anyone who came in unannounced.
I think this speaks volumes. We don't need to always find the bad, we just need to know what the right thing to do is.
Q. You’re a member of the Dallas Hackers Association, what does that entail?
A. The Dallas Hackers Association is a den of thieves, criminals, and hackers and I’m exceedingly honored to be a co-organizer of the group, along with WhiskeyNeon, Commander, Moe Bius, and Wirefall. On the first Wednesday of every month, we get around 150 folk who meet in a dimly lit, neon soaked, cyberpunk, Korean karaoke bar. It's an unhealthy mix of 1337 hackers, script kiddies, and federal agents. There are whitehat, blackhat, and grayhat hackers. We have a lot of curious folks who will poke their heads in and see what's going on.
The core aspect of the group is the fire talks. We speak for about 10 minutes on what we've hacked the last month and how we did it. The talks are dense and get straight to the point. We speak about new ways in, old ways that still work, downloading Chinese government ELF malware binaries and reverse engineering them, and we drop the occasional 0day. The 0days are fun. They're ways into a system that even the maintainers of the software don't know about, so there's no patch or protection against them. Gives folks in Dallas a bit of a lead on hacking into systems that others don't know about.
In the back of the place, we have a guy named C0mmand3r who runs a Capture The Flag environment. You can bring your laptop and hack into his systems and learn a lot. If you get into, say a database, or hack his web site, you get a digital flag that you can enter into the scoreboard and brag about. You can watch the scoreboard and see who the best hackers at the event are at any given time. If you’re into breaking into places, Moe Bius can walk you through lock picking with her locksport area. She’ll even teach you how to get out of handcuffs!
Q. You wrote a thread about a pentest that went viral, can you tell me more about your decision to share it?
A. I'll write narrative threads like that every so often. Two things come out of it. First, is folks can learn from it. Learn what works in hacking and what works in defending against hacking. They can look at their own environments and ask if it could happen to them and how they might stop it.
Second, is other hackers will read it and give their opinions on how they would have done it! Folks will join the thread and say "I would have done this!" or "Did you try that?" or "Why didn't you do this, this, and this?" That is awesome! I hear things that I never would have tried and learn things that I never thought to learn! Other folks will then answer the questions, conversations and debates will begin, and there's a frenzy of ideas and discussion! The feedback, the back and forth, the raw sharing of knowledge is huge in the hacker community!
Q. What do you think of the current state of cyber security?
A. The attacks are more sophisticated. The defenses are more sophisticated. The cat and mouse game continues forward.
Q. According to you, what’s the future of the Internet?
A. Government control and corporate surveillance for the masses. Hidden pockets of privacy and anonymity for those that have the patience and dedication to learn. And that's shit.
Q. Any book you recommend?
A. Two books:
Zen and the Art of Motorcycle Maintenance: An Inquiry into Values, by Robert M. Pirsig. - This is the hacker's philosophy book. Dives into the meaning and metaphysics around the concepts of Quality, how things work, and how to make things work outside of their intended means. It doesn't have much to do with literal modern day hacking, but then it doesn't have much to do about Zen or Motorcycle Maintenance either.
The Diamond Age: Or, A Young Lady's Illustrated Primer, by Neal Stephenson. - This is a great work of post-cyberpunk fiction that covers hacking, cryptography, and post-scarcity society. It illustrates the core foundations of computing, hacking, and various societal and cultural duties and concepts. Big thing is, it gives hope. How to function in a world of omnipresent computing and ubiquitous apparatus of control.