What has been done will be done again, the old saying goes. There is nothing new under the sun.
That applies to RankMyHack.com, a new website that has turned hacking into a game of sorts. Hackers submit details of their latest attacks so that members can award points for their complexity or difficulty. The main page is a simple leaderboard of registered members and their point totals. More than 700 members have joined the site since it opened in July, according to The New York Times.
Site activity is booming. In mid-August a hacker called “Mudkip” dominated the leaderboard. Most of his points came from breaching The Huffington Post, worth 1,666,666 points on the site. A week later “m-script” was far ahead of any other hacker. He breached Yahoo for 37,500,000 points.
Then came news that RankMyHack got hacked. Two hackers decided they didn’t want to follow the rules requiring them to submit proof of their hacks. Unfortunately, their effort was only worth 717 points.
RankMyHack looks like it could be the latest front in the war between security professionals and hackers, but really it’s nothing new. It’s just a little more public.
Ten years ago, website defacement was the way hackers unofficially traded “points” or credibility. When a big search engine or financial site was hacked and vandalised—sometimes with graphic design that looked like spray paint—hackers took screen grabs and traded them around like baseball cards in online forums. Soon it caught the attention of the press.
What happened back then may happen to RankMyHack. Generally speaking, hackers didn’t create any real harm outside of reputational damage to targeted companies. If anything they simply exposed security flaws. But law enforcement didn’t make that distinction and came down hard.
Many of these RankMyHack attacks, as best as I can tell, are not launched to steal information or damage the websites in question. They’re simply executed to expose and call attention to security vulnerabilities. But back then, and I expect we’ll see this soon again, the increased media attention brought on a decade of computer security witch hunts. Laws were changed, stiffer penalties were put on the books, funding for digital crime fighting spiked.
Hackers became a prime target for law enforcement back then. The result was that some of them ended up in jail. (Often these were “script kiddies,” or newbie hackers, who weren’t clever enough to cover their tracks, even if they didn’t cause any real damage.) A lot of security firms and law enforcement agencies saw budget increases.
The problem then was that the good guys never distinguished between hackers hacking to point out vulnerabilities and hackers hacking with malice. I’ve always been sympathetic to the former.
But now with a website like RankMyHack those white hats are going to feel more heat.
Chief Information Security Officer, Identity Theft 911
Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.