Las Vegas Sun

July 31, 2014


Q+A: Ralph ‘The Ethical Hacker’ Echemendia talks Snowden, Feds and DefCon


Ralph Echemendia.


Thousands of security experts and tech enthusiasts are gathered in Las Vegas this weekend for back-to-back hacking conventions Black Hat and DefCon at the Rio, where industry experts like Ralph Echemendia — known as “The Ethical Hacker” — will be part of the continuing dialogue about hacking.

With more than 24 years of hacking expertise, Echemendia has written and delivered training on hacking and other information-security topics to the U.S. Marine Corps, NASA, Google, AMEX, Boeing and Microsoft. He also is a leader in digital security for the entertainment world, having handled large breaches and hacking cases such as “Twilight: Breaking Dawn.”

In the following Q+A, Echemendia discusses the art of ethical hacking, its role in the gaming industry and why the Feds aren’t invited to this year’s DefCon.

What is ethical hacking, and how does it fit into the entertainment world?

My background comes from doing the breaking in — hacking into different kinds of systems for the purpose of securing them afterward. You can’t have protection without understanding what exactly might be wrong. In Hollywood and production systems in music and film, every part of the process has become digital, so any kind of breach could cripple or affect a production in many ways. What I focus on is testing that environment and at the same time creating a 360-degree view of what is being sent around digitally to ensure that it does not get into the wrong hands.

How specifically do you do that?

For example with “Twilight,” there were about 101 pictures and four videos that got leaked almost a year before its release while it was being shot. Investigating that meant going on set, having to work with everyone, from interviewing the director, the writers, anyone who had access in any way to the leaked footage, and determining how it happened. A lot of these things that happen are because someone on the inside gets hacked, like with phishing attacks and weaponized email attacks. All it takes is clicking on what looks like a normal link, and vicious code is executed through your browser that gives them access to your computer. It’s more the result of opportunity is the way that it’s been happening. Not many of them are targeted.

How has the role of ethical hacking evolved in the gaming industry in recent years?

It’s expanding, there’s no doubt. I’ve worked through contractors for a number of entities out of Las Vegas who do gaming. They spend a lot of money on doing the sort of testing that we do against the software that they’re using. And at all levels and aspects of the gaming industry, not only on the computer systems that they use to do finances and that sort of thing, but all the way down to the actual machine. They’ve been a lot more proactive in the past five years than a lot of other industries.

Why only in the past five years, though?

You walk into any casino and the slot machines are almost entirely digital. Up until recently, it was largely mechanical. So because of that, there definitely is a lot more emphasis and growth in their budgets to ensure security. Regulatory issues in gaming, when it comes to technology, are not as clear as in other fields like banking. Casinos weren’t testing the machines before they bought them, just like you don’t think to test an iPhone before you buy it. So the casinos now started doing that, where they have their own team of hackers see if they can hack it, and, if they can, the company will have to fix it before they buy it.

How does one become a hacker? To what extent can you formally learn how to do it?

It’s something you pick up and learn formally. I spent about seven years of my career teaching the Certified Ethical Hacker, which is a certification that is one of the requirements by military and U.S. government for certain positions in I.T. So, yes, there are formal classes you can take. There is a global, multimillion-dollar education industry that exists on just hacking. But, with that said, you cannot learn in a week what took me 10 years to learn. As much as we can make that easy and provide you with a structured way to learn, it does take a lot of time to really learn when you walk out of a class.

One of the controversial things about learning it in a classroom is that Edward Snowden went to a CEH class — for all I know, it could’ve been one of mine. And that would’ve given him the knowledge on how to do what he did. That was often a question when I was actively teaching — “Aren’t you teaching people how to do bad things?” And that’s a misconception. No, I’m not teaching them how to do bad things. I’m not teaching intent; I’m teaching information.

How much have Snowden and the NSA scandal impacted the ethical hacking community? I’m sure that will be a huge topic at DefCon this year.

It’s a real doozy. You’re gonna have people on both sides of the argument. Jeff Moss, who started DefCon, he put out a note saying the Feds aren’t invited this year. They’re not welcome, as he put it — “We need some time apart.” DefCon has been the place where we all get together without caring about whether you’re a Fed or not; it’s just an exchange of information. The actual reason we do that is very much the hacker ethic — we believe all information should be free, we should be sharing that information, and that it’s for the better of mankind.

Well of course that sounds like the Snowden issue, right? It’s a really touchy subject because it does raise the question of what is ethical hacking. Did what Snowden do, can that be considered ethical hacking? Well, that’s the big question — it’s not a hacking question; that’s an ethics question. I’d say for the most part, at a conference like DefCon, the majority would see Snowden as a hero. It goes back to the hacker ethic and the hacker manifesto.

Is what Snowden did going to cast a shadow on other digital security specialists such as yourself?

If you let it, it does. I have great friends on all sides of the fence, some work on the federal side of things and some work on the shadier side of things. But at the end of the day, it hasn’t for me because my personal choices when it comes to my personal ethic have not really made it be an issue.

Follow Andrea Domanick on Twitter at @AndreaDomanick and fan her on Facebook at Facebook.com/AndreaDomanick.
