No Pain, No Gain: Let's Hack 2021
"No pain, no gain", you have probably heard this on more than one occasion. An expression that is used endlessly in different environments, in a time when the body cult, sport and self-care are more fashionable than ever. If 20 years ago the daily practice of sport was limited to a few, nowadays practically everyone tries to dedicate as much time as possible to exercising their body. Not only for this purpose in itself, but also for the benefits it brings to one’s mind. Today there is no doubt about the great effects that regular physical exercise has on our psyche and our health at all levels.
This well-known motto was first associated with the world of bodybuilding. If this expression has transcended the mainstream and is so popular today, it is because it perfectly reflects the contradiction inherent in sport: it is necessary to suffer in order to get results. In those last few reps when you lift the bar with an endless number of discs on each side in a bench press, or during those despicable squats, as well as when you still have one more round to go in the ring. You can think of any example you like, whatever sport you do, the feeling is similar. You have to get through those moments when you are tempted to give up, to leave it for tomorrow or for another day. Those moments when we pull ourselves together and suffer the unspeakable are the ones that make it all worthwhile. No pain, no gain.
There is no need to say that all of the above makes sense as long as this suffering is within healthy limits. We already know that extremes are not good, but the truth is that the message is motivational and inspirational because it appeals to the epic, to sacrifice, to effort, perseverance and courage. Those values which are so often associated with sport that make us tremble and shiver, even when we are not the ones practising it, but rather enjoying it from the couch watching those professionals blessed by the gods.
Hacking: Effort & Passion
These are values that really apply to any area in life, for instance in the professional world. Especially in a discipline as complex as hacking. If there is one thing that those of us who work in this field know, it is that without effort there is no reward. It means spending many, many hours reading, experimenting, making mistakes, reading again, experimenting and making mistakes once again until we achieve our goal, or not. Since in this field, we have the added complexity that suffering does not guarantee results. Often there may be a lot of pain, but little gain. Sometimes, we must invest hours and hours in following a path that leads to a dead end in the labyrinth. So-called rabbit holes. Although all the hours spent studying and researching always add up to something and are never wasted, sometimes the pain does not match the gain. It does not pay off in terms of cost-benefit. Fortunately, associated with the DNA of a hacker is always the passion that moves one to solve a challenge, overcome an obstacle, break the limits that technology offers or satisfy our thirst for knowledge. Without this passion, it would be impossible to bring together the amount of patience, perseverance and determination required for this philosophy of "Try Harder" (OSCP's well-known motto).
The world is constantly changing and evolving. And if you doubt it, just look at 2020. As Heraclitus said, everything flows all the time. In the world of security, of course, things are also constantly changing. In fact, the approach has been changing for almost a decade now. Where once people tried to prevent incidents from occurring at all costs, as time has gone by, people have come to realise that this is not possible. This has led to the need for creating an incident response plan, so that organisations know how to react when an incident occurs, assuming that at some point this is bound to happen.
In recent years, we have become more aware than ever of our fragility in this regard. We no longer expect any system or organisation to be perfect and always 100% in terms of integrity, confidentiality and availability. We have become used to seeing that all types of organisations, whatever their size, can fall victim. Nowadays, companies are not judged by whether they suffer incidents, but by how they react to them.
It's All About Learning From Your Mistakes
We have several curious examples of how user trust can swing from one extreme to the other when dealing with security issues. Technology companies that are up one day and down the next, or the opposite. Blackberry never recovered from the crash its users suffered in 2011. It suffered irreparable reputational damage, which also coincided with the entry of Apple and Android into the market. Sometimes the network gives you a second chance, and sometimes it does not.
During the first months of confinement back in March 2020, users and organisations started to become testers of the different video calling alternatives available on the market, for obvious reasons. The one that generated the most attention and reception was Zoom. Precisely as a result of this, various vulnerabilities began to be discovered and published that put the security and privacy of users at risk. To such an extent that the company's CEO had to issue a statement to silence the criticism and ask for users' trust. A gesture like this is understood if it is accompanied by work on the path of continuous improvement. In this sense, Zoom managed to recover and today continues to be widely used as an application for personal, corporate and event video calls.
Another globally known application, which has been the king of instant messaging systems so far, WhatsApp, has been in the news for its security issues throughout its history. From starting out by not even encrypting conversations, to using encryption correctly but exposing users' phone numbers (which prompted my WhatsApp Discover tool back in 2014), and finally changing its protocol completely and adopting Moxie Marlinspike's end-to-end encryption in 2016. So far, through improvements and updates, WhatsApp has recovered from each and every problem, maintaining the trust of its users. Now, however, it seems that it may have run out of opportunities. Not because of a security problem. In this case, because of a voluntary decision that affects users' privacy. A change in the terms and conditions that has generated a lot of commotion in recent weeks, and which has caused an exodus of more than 25 million users to Telegram in just a matter of days. We will see how this ultimately affects us over time.
What seems to be clear is that in this life nothing is permanent. Much less the success of a model, technology or business continuity. In fact, the events of the past 2020 have had serious consequences in many sectors, where independent professionals, SMEs and large multinationals face the need to adapt to the new scenario and reinvent themselves in order to continue searching for their success. For many who, with great effort, had been able to achieve a balance or a position in the market, perhaps the new normal that we are now experiencing has put them back to square one. Terrible and unfair, but true. Fortunately or unfortunately, we have no choice but to be resilient, to keep learning from our mistakes and working every day towards different goals. To contribute to a more secure digital society, designing more secure systems and technologies, as well as to achieve our professional and personal, individual and collective goals. And we can only do this through sacrifice, effort, perseverance and determination. Epic or not, giving the best of ourselves every day.
No pain, no gain, and let's hack 2021.