The Digital Skeptic: Hacker Barnaby Jack Knew Dollar Value of the Truth
NEW YORK (TheStreet) -- Barnaby Jack knew better than anybody I'd ever met what to do when the information companies coddle turns to dust.
"I remember when I told Triton, one of the ATM outfits I'd analyzed, that, yeah, I could make their machines spit out cash," I was told a few years back by Jack, a so-called white hat security analyst at IOActive, a global information security research firm with an office in Seattle. "They actually took it in stride and said, 'OK, let's fix it.' That's not what often happens."
The native New Zealander, during a chance conversation at a San Francisco conference, patiently explained to me the intricacies of how, with no inside knowledge of Triton's business, he fooled a commercially available ATM into blowing money all over the floor.
"It's all public by now, so I can talk about it," he explained. "The machines aren't really that locked down. I could get a USB drive into one of 'em, upload some software. And that was that."
Now comes the sad part: As much as I would love to get Jack's deep, investor-focused dive into what to look for as companies and governments handle the never-ending stream of digital age security blunders, I can't. Tragically, this 35-year-old security genius died last week, just before the Black Hat security conference in Las Vegas.
"He was a compelling figure," Henry Schwarz told me on the phone -- which is about the last thing I would expect this man to say. See, Schwarz was the software project director for the Mississippi-based ATM maker, with more than 200,000 machines worldwide, that Jack took down.
"It is a blow," he acknowledged. "It is not just the damage to your products and your company's good name. But there is a deep, emotional cost to having your machine hacked."
And yet, Jack was somebody Schwarz came to admire.
"As much as they are the last people you ever want to hear from," he said, "when they knock on your door, you have to respect them as a legitimate security analyst and not to vilify them."
Fix it first. Fight about it later.
Schwarz has blogged and spoken about his experiences ridding thousands of Triton ATMs of the vulnerabilities sussed out by Barnaby Jack. And he has real lessons for investors who wonder if the security nightmare will ever end.
"The trick is not to panic," he said. The easy thing for an organization to do, he said, is to look for ways that don't face the hard technical problems. He's seen companies consider legal options or punitive civil actions in court or otherwise find some way to evade the hard work of solving a real problem.