And... Who Are You?
I really hate the phone calls… they are, unquestionably, the worst.
But sometimes, there isn’t any other way to actually get someone to pay attention. Emails are deleted… Tweets are ignored… Sometimes it comes down to me picking up the phone and telling someone:
“Hi. This is probably something that you don’t want to hear… but your website has been hacked.”
The reactions run the entire emotional gamut: from mildly hostile to exceedingly hostile.
(Yes, I realize that’s a somewhat limited range for a “gamut.”)
As a rule, we never want to think that we’re one of those people - you know… them. Deep down inside we believe that we’re good natured and emotionally balanced. We’re not the kind of people who, when we’re given bad news, will lash out… We’re not someone who would shoot the messenger.
I’m here to tell you: Us messengers get shot at… a lot.
It’s been about 16 years since I first began contacting people who have compromised systems, starting back when I first wrote LaBrea and caught worm-infected systems in my very own tarpit.
The phone calls sucked a bit less back then. I think that the world has become collectively more “scammy” over the past 16 years, to the point that a sort of paranoia has infected nearly all of our interactions. There is a deep-seated suspiciousness that lingers in the background of any new conversation - like the “stranger danger” we’ve taught our kids has come full circle.
“And… who are you?”
That’s the question that I get asked the most. Who are you to know that our website was hacked? How is it you know, when we don’t?
I used to get offended by that question. When you think about it, there’s a pretty nasty implication barely hiding behind those words: Did you do this?
Yes. I admit it. I’m the one that hacked your site. In fact, I’m the person who hacks ALL the websites. I do it and then, in a fit of pique, I try to ease my guilty conscience by calling my victims and informing them what I’ve done.
Because that makes total frickin’ sense…
That’s what I say - inside my head - every time someone pulls that “parental” tone on me and asks, “And… who are you?”
But I don’t. I patiently explain who I am and how I know about their problems. They’re so keyed up and their mind is moving so fast that I’m pretty sure they only hear about half of what I say (and only understand a quarter of that) but, generally speaking, it calms them down. I suppose they probably believe that if I really was a “bad guy” the parentally-asked “And… who are you?” would’ve caused me to panic, hang up, and run far, far away.
I give them generic advice. I commiserate. I remind them to keep things up-to-date and change passwords… and we part ways.
I hang up the phone, bandage up the bullet-holes, and promise myself that next time I’ll try letting them ignore a few more emails before I make another call…
-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
May 18, 2016