Reg meets 'Lokihardt', quite possibly the world's best hacker

If Jung Hoon Lee is not the world's best hacker, he can't be far from the top of the dais: the 22-year-old South Korean better known as Lokihardt has an uncanny knack for finding zero-day exploits in the world's most popular and most secure systems. Lee is a fixture at global hacking competitions like Pwn2Own and PwnFest where …

  1. Anonymous Coward

    Can I ask a stupid question?

    Kudos to JHL, we need more talent in this space. But I'm curious what the legal rules of engagement are around this sort of research.

    If I install VMW Workstation, there's going to be some long EULA that prohibits me from picking apart the software, using a debugger/disassembler on it, etc. So if I do that, and find a zero-day, aren't I exposed to VMW coming after me?

    If I poke at a web site because they offer a bug bounty, and succeed in having their IT systems do something they shouldn't, can't the owner come after me? Does the presence of a bug bounty competition automatically insulate me from claims?

    I'm curious whether the rules of hacking have really been tested in the courts. Until then, it all seems highly dependent on whether the target organization decides to be nice to a hacker, or throw the book at them.

    1. Grade%

      Re: Can I ask a stupid question?

      IANAL, but "intent" would come into play -- I believe there is dispensation for being a security "researcher". Elimination of that allowance by the DMCA has proven to be problematic for American academics.

      Not a complete answer to your question, a place to start.

      1. Yet Another Anonymous coward

        Re: Can I ask a stupid question?

        Sensible companies find it cheaper to pay and get the vulnerability fixed than have the scene go underground and have the bugs sold to the bad guys.

      2. bombastic bob

        Re: Can I ask a stupid question?

        I was under impression that the DMCA has been modified in that regard. Or, at least it SHOULD be.

        Maybe that's why a guy from S. Korea is doing the research?

        In any case, I say 'welcome aboard' to someone who makes his living by acting *LIKE* a bad guy, and not *being* one.

    2. PyLETS

      Re: Can I ask a stupid question?

      Good question as I wish more IT people knew the answer. In general it makes sense to think of the difference between buying a padlock from a hardware shop and trying many different ways to break it or saw or drill it open in your own workshop. It's your lock and so you're entitled to test it. If the lock is on your neighbour's shed and you test it without authorisation of the system owner, this becomes an offence based upon who owns the lock or property its protecting. The UK Computer Misuse Act makes the correct distinction here.

      As you suggest there are possible exceptions to this general analogy. If the software being tested isn't fully "yours" e.g. if it is leased together with some kind of support agreement, rather than purchased outright, then your security testing of it on your own system may invalidate the support part of the deal, depending upon the license small print you agreed to but, probably didn't read.

      George Hotz discovered a further risk when Sony went after him, and though their case may not have succeeded, Sony's pursuit of this probably cost them a lot more in reputation than it cost Geohot. However, Sony's claims of Digital Millennium Copyright Act infringement against Geohot were more threatening. This was potentially a criminal complaint. Sony's copyright infringement blustering would more probably have come under civil law, concerning which you may lose money but you don't go to jail. It may be that Sony's case was badly flawed, but it's an unfair playing field when a big corporation which can spend millions on lawyers can tie up an individual based on a dodgy case where the corporate can force the individual to make many journeys of thousands of miles to a jurisdiction of Sony's choosing.

      So if you want a clearer boundary between what's "yours" and what isn't, then you're better off choosing open source in preference to licensing copyright restricted products under one sided terms which prohibit testing and subsequent speech concerning what you've discovered on your part. The DMCA and equivalent legislation this side of the pond attempts to deny you your fundamental human rights of freedom of expression here - and this denial is as yet untested in the highest courts such as SCOTUS or the ECHR.

      1. Anonymous Coward

        Re: Can I ask a stupid question?

        EULAs are full of terms that aren't worth the paper they're written on, and the companies in question would rather not have to try them under unfavorable circumstances. In the case of modifying the code, they'd much rather use it to try cases against people they believe have stolen parts of their code or broken DRM than people testing for vulnerabilities. While both use similar techniques, one set of those looks better in the newspaper and jury box than the other.

        Some companies will go after you regardless and it tends to look pretty bad for them. Much like some companies will always try and steal your youtube revenue even if it's within fair use (oddly often a similar set of companies) oh well.

  2. Will Godfrey

    I think you'll find these contests are sponsored by the 'victims'

  3. YARR

    If they've got that kind of money to throw at hacker competitions, why don't they employ someone full time to find vulnerabilities in their own products? That way they'd uncover way more vulns much sooner.

    1. goldcd

      They do

      and they don't find them.

      Mainly as they won't pay the internal staff to the levels they will external folks, so it follows the better folks go external.

    2. patrickstar

      Many of the companies relevant here have very good in-house and/or contracted staff. They have found and eliminated a lot of bugs - not just these particular ones. Even long after release, it's actually not very common that two third-party researchers find the same stuff.

    3. Unbelievable!

      To quote Pratchett "million to one shots always pay off"

      Anywhere is never the same as anywhere else. Mix into that availability, skillsets and budget... you'd never cover the expanse or expense. Real world is the ONLY way to beta test. Take a look at M$ then look at MS *SP1 uptake necessity.. even perfect labs don't come close to real world.

      1. Anonymous Coward

        $150,000 what's that, 1 good corporate security expert for a year? Probably demotivated from years in the corporate world?

        You do it to get fresh sets of eyes that come at a problem from a completely different angle.

  4. Destroy All Monsters

    He discovered it by deleting a single line of code from a Microsoft patch.

    I don't understand how this leads to an exploit?

    1. John H Woods

      Enquiring minds ...

      "I don't understand how this leads to an exploit?" --- Destroy All Monsters

      I concur. For a moment I thought that he took a patch and modified it so that it actually introduced a vulnerability, but surely that would break the signing and the patch would be rejected.

    2. g00se

      ... plus, I thought that exploitation began after patching had been done, so why are patches coming into the exploits at all?

      1. patrickstar

        I read this as the "inspiration" coming from the patch, and then the explanation getting mangled in reporting.

        Possibly that there was a certain buggy code pattern repeated across several exposed paths and the patch didn't fix all of them. Also would account for the short time needed to develop a working exploit.
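
The reading in the comment above (a patch that fixes one copy of a buggy pattern but not its siblings) is the basis of patch-driven variant analysis. The script below is an added illustration written for this page; it is not code from the article, from any commenter, or from Lokihardt, and it says nothing about which Microsoft patch was involved. The C source in BEFORE and AFTER is constructed and hypothetical: three handlers share the same unchecked memcpy, and the "patch" adds a length check to only the first. The heuristic takes the guard the diff added, finds the statement it protects, and reports every other occurrence of that statement that has no copy of the guard within a few lines above it.

```python
import difflib

# Constructed, hypothetical pre-patch source: the same unchecked copy in three
# handlers. Not real code from any vendor.
BEFORE = """\
int handle_a(struct pkt *p, char dst[16]) {
    memcpy(dst, p->data, p->len);
    return 0;
}
int handle_b(struct pkt *p, char dst[16]) {
    memcpy(dst, p->data, p->len);
    return 0;
}
int handle_c(struct pkt *p, char dst[16]) {
    memcpy(dst, p->data, p->len);
    return 0;
}
"""

# Constructed post-patch source: the guard was added to handle_a only.
AFTER = """\
int handle_a(struct pkt *p, char dst[16]) {
    if (p->len > 16)
        return -1;
    memcpy(dst, p->data, p->len);
    return 0;
}
int handle_b(struct pkt *p, char dst[16]) {
    memcpy(dst, p->data, p->len);
    return 0;
}
int handle_c(struct pkt *p, char dst[16]) {
    memcpy(dst, p->data, p->len);
    return 0;
}
"""


def added_lines(before, after):
    """Return the source lines the patch added ('+' lines of a zero-context
    unified diff, with the '+++' file header dropped)."""
    diff = difflib.unified_diff(before.splitlines(), after.splitlines(),
                                lineterm="", n=0)
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


def find_unguarded_variants(before, after, window=3):
    """Patch-diff heuristic. The first added line is taken as the guard and the
    first original line after the added block as the sink it protects. Returns
    (line_number, statement) for every other occurrence of that sink in the
    patched file whose preceding `window` lines do not contain the guard."""
    after_lines = after.splitlines()
    added = added_lines(before, after)
    if not added:
        return []
    guard = added[0].strip()
    # Locate the added block in the patched file; the line after it is the sink.
    for i, line in enumerate(after_lines):
        if line.strip() == guard:
            sink = after_lines[i + len(added)].strip()
            break
    else:
        return []
    unguarded = []
    for idx, line in enumerate(after_lines):
        if line.strip() != sink:
            continue
        context = [l.strip() for l in after_lines[max(0, idx - window):idx]]
        if guard not in context:
            unguarded.append((idx + 1, sink))  # 1-based line number
    return unguarded


if __name__ == "__main__":
    for lineno, stmt in find_unguarded_variants(BEFORE, AFTER):
        print(f"line {lineno}: '{stmt}' reached without '{added_lines(BEFORE, AFTER)[0].strip()}'")
```

On the constructed input this flags the memcpy calls in handle_b and handle_c. Real variant hunting works on binaries with a diffing tool and on semantics rather than exact text, so treat this as the shape of the idea, not a tool.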

  5. Steve Goodey

    Lee says laughing. "I worked for Samsung for a little while, but not anymore."

    Was he their battery guru and they let him go?

  6. Sam Paton

    Of course he hasn't got a job. He tried but none of the recruitment consultants called him back as he didn't have a degree or 5 years experience.

  7. Anonymous Coward

    Someone said computers, competition and money and he was like "Is that an e-sport? My APM is well low but we can't have an e-sport without a top Korean this sounds like the game for me!"
