Exploit: Zero Day

Rosette Diceless

Exploit: Zero Day: Collecting Hacking Tactics

Exploit: Zero Day: Collecting Hacking Tactics

In writing for Exploit: Zero Day, we need to have characters using hacking techniques that aren't too far off what we think is possible. Thing is, neither of us are (or have ever been) hackers.

I (Melissa), however, have some specific sources I use to seed ideas for tactics characters might use: cybersecurity news.

It sounds boring, like reading dry academic papers of new tweaks on cryptographic techniques. Or ho-hum, like yet another hospital attacked with ransomware.

But not only are there some unusual events going on, there are also witty commentary, well-crafted journalism, and surprisingly science fictiony techniques at play. It's pretty fascinating to keep up on, even if you aren't specifically writing in the cyberpunk genre.

So here's where I get my news in a pretty low-key way:

SANS Newsletters

Just let the SANS newsletters roll into your mailbox and give them a quick read. I particularly find the NewsBites one to give solid summaries with good links to the original reporting. Often, the SANS editors will add a little note that gives some great context or generalizes the situation nicely. Regarding a story about newly discovered vulnerabilities in the wifi Dragonfly protocol—itself a useful idea and bit of jargon for writing EZD—editor John Pescatore in the Aug 6, 2019 issue wrote,

Making new security-improved protocols backwards compatible with previous insecure protocols usually seems to result in new insecure protocols. Security researchers have learned to zero-in quickly on those features, time for the WiFi Alliance to do so before releasing new versions.

This produces a few other bits of knowledge to pack away: backwards compatibility as a security flaw; protocol advocates/recommenders relying in part on the public to find issues; that non-profits might be the groups making these decisions; etc. I can apply those ideas to a bunch of things, even if they aren't real things that have happened.

The SANS newsletters I've found most to be the most useful sources are:

  • NewsBites
  • @Risk: The Consensus

CYBER Podcast

Ben Makuch (twitter) is an excellent host with some verve, and they have a great way of framing stories to give a sense of the impact of the topic at hand. There have been a couple bits of sensationalism, and it's generally not a technical podcast, but the narrative/journalistic angle is still very valuable.

You can find CYBER in your podcast app of choice.

Vice Motherboard

The parent of the CYBER podcast, Vice Motherboard is the place to go for the equivalent in written form.

A prime example of something cool: as someone who hasn't owned an iPhone for personal use since the iPhone 3G, I had no idea that jailbreaking iPhones is no longer A Thing (despite Apple's recent blunder). After listening to the CYBER ep "The Prototype iPhones Hackers Use to Research Appleā€™s Most Sensitive Code", I followed up and Motherboard had some great articles over the years about the industry of IPhone jailbreaking.

As for specific techniques, one of my real favorites is a new zip file explosion technique. This one will definitely be making it into an EZD story soon.

Swift on Security

I don't follow their every tweet, but just poking my head in usually helps me hear some news, like the Lenovo Superfish shenanigans back in 2015, or the Cloudflare regex explosion (which I've definitely used in "Headless Swarm").

Tracking and Using

I don't have a fancy tracking system for these. Often I'll toss them in Slack to see if Gregory has a strong or interesting reaction to them, but generally they go into a morgue file (in the form of Google document) where I might note when and where I heard about it, then just cross it out when I work it into the story.

This might not be a perfect method, but for a long-running story where I don't need to get hung up on the technobabble, this chill method of collecting security knowledge and news works pretty well. It has passive methods (newsletter and podcast) and more active methods (Vice Motherboard and twitter), which gives me good flexibility.


If you haven't already, take our community survey! We really want to hear how you want to hear from us.

While you're hanging out, play our little guerrilla gardening tactical game "Cultivating Insurgency" and check out Exploit: Zero Day. EZD is our browser-based cyberthriller puzzle game with living story where you roleplay as a social justice hacktivist by making tricky moral choices and solving puzzles to hack servers. You can make and share your own puzzles and story using built-in tools! Register today for free for immediate access to the "Black Echoes" season of story and all user-created puzzles.

Previously: Next:

Similar entries

comments powered by Disqus

Pingbacks

Pingbacks are open.