Introduction
This story has been unfolding as I was writing this piece. I was in the process of doing my final edits when I received a phone call from one of my sources. For reasons that will become obvious as you read the rest of this piece, the FBI has been contacted regarding the data breach at GW Micro/AI Squared. Stay tuned for updates as I get them.
As this is the most popular independent blog in the blindness space and one of the rare regular publications in this field willing to write about issues of controversy in a critical and data driven manner, I get a fair amount of email from random individuals interested in blindness and technology containing what they believe to be an important idea for a story. These emails sometimes describe an issue in accessibility about which I hadn’t written previously but, more often than not, they contain some bit of what I consider to be gossip about one person or another inside the AT biz and wouldn’t be of much interest to a broad readership.
Then, this morning, I received an anonymized contact from an individual self-identified only as the hacker who cracked Window-Eyes and the Serotek systems. I’ve alerted individuals at both companies that I’ve been contacted by said hackers and shared with them the information I’ve received thus far.
In light of the Sony data breach, I thought you would enjoy a story about a pair of recent hacks in the access technology industry.
The Message I Got Today
This morning, I awoke to a message from an anonymous sender claiming to be the person who hacked both Serotek and, in the past 24 hours, GW Micro/AI Squared. The message said that the hackers would send me the complete Window-Eyes user database and included some sample records from it. The message also said that the hackers have in their possession the Serotek 2012 and 2013 financial reports and other information they had downloaded in November. In the GW Micro case, it’s clear that these people have user names, passwords and serial numbers but not credit card information, as it isn’t in the file they shared with me. From the snippets of data they elected to quote from the Serotek financial reports, it was unclear to me if, indeed, the data is genuine as I’ve no way of checking it for accuracy.
I have sent the data that I received to AI Squared and have deleted it from my system and no longer have it anywhere as I’ve even emptied the trash on my Mac.
The Strange Thing
As it’s clear that these hackers possess some information that could be tremendously damaging to either of these companies, it’s unclear as to why they didn’t just post it to some public but anonymous site rather than just communicating the fact that they had said information to a blogger like me. In fact, the hackers chose to make statements in support of radical Islam from within Window-Eyes and on the Serotek Twitter accounts, allowing the public to see their hacking work without causing any real damage. I’ll assume these people see themselves more as clever vandals than actual data thieves but anything I suggest about them is purely conjecture as we don’t have a personal relationship.
I do not for a second, however, believe these hackers are actually Islamic radicals but, rather, to me they seem to be bored individuals from within the community of people with vision impairment who’ve learned some advanced hacking skills and chose to apply them to companies in this business.
The Window-Eyes Hack
The hackers were able to get into the Window-Eyes database of registered users, and download all of the account information but, most interestingly, they managed to change Window-Eyes itself so, when its users awoke and turned on their computers this morning it updated and, once per minute or so, would make an announcement in support of the Islamic State. From my own hacker perspective, I must tip my hat to these guys for creativity in the technological equivalent of graffiti as actually forcing a product to update just to pull a prank is pretty damned clever, albeit annoying to its victims.
What Motivated the Hackers?
Again, I’m stepping deep into conjecture here but, as the hackers have chosen not to just dump all of this data onto a public site releasing potentially private information on Window-Eyes users and insider financial information about Serotek, I’ll assume they think of themselves as “grey hat” hackers. They have some fun with some minor malice while electing not to do anything that could cause irreparable harm to either the individuals or companies they’ve targeted.
At some level, I think the AI Squared and Serotek people got off easy. If these hackers had chosen to, they could have inflicted some truly heinous fuckery onto these companies, their employees and their users like what is assumed to be the North Koreans in their attack on Sony Entertainment. Instead, they make some silly statements intended to anger some people and write to me about their efforts knowing that I’d tell the world about their hack.
Is Your Information Safe?
If you are a registered Window-Eyes user and you use the same password for other services as well, I strongly recommend that you change not only your GW Micro password but, assuming you use the same email address for Window-Eyes as you do for Amazon or some other place where your credit card information might be exposed, change that too. I do not know how to decrypt your passwords in the sample data I had received but something tells me that these hackers may have such tools and, while their activities have been relatively benign so far, one cannot be too careful these days.
I assumed the same would be the case for users of Serotek products but, this morning, I spoke on the phone with Mike Calvo and he assured me that it was not the Serotek system that was compromised but, rather, it was his own account which, of course, had access to a lot of interesting business information but not to user information, databases, passwords and such that was hacked.
Conclusions
Data breaches are the news of the day with Sony and the numerous reports of shopping and other web properties being hacked. Typically, the blindness business is way behind the mainstream curve but, regarding security failures, I suppose this time we’re running even with the state-of-the-art.
All kidding aside, there has been an historic schism between the security and the accessibility communities. As I’ve written here and on my BlindConfidential blog, it is essential that accessibility related tools be seen as fully secure as they are essential to people’s employment in positions where security is a very high priority. A lot of blind people work in government positions, many dealing with very sensitive data. Events like a security breach at an AT company, while it says nothing to the reality of whether or not the AT itself is a security problem, will not leave those responsible for security in large installations with a warm and fuzzy about our community.
Thus, while the hackers in the Serotek and AI Squared cases seem to have thought of this kind of activity as a lark, a game to play or a prank, I recommend, for the sake of the industry’s reputation, that such activities stop immediately. To quote the astrophysicist Phil Plait, please, don’t be a dick.
serrebi says
My uneducated guess would be that those figures were the number of registered Window-Eyes users minus the number of Window-Eyes users taking advantage of the Microsoft free Window-Eyes promotional deal with Office.
Stomme poes says
Security and accessibility always seem to be in the same boat to me: needed from the beginning as built-in, usually forgotten or considered an “extra” instead, and ultimately either not being added, or being bolted-on later at a high cost, and more often after an “incident”.
So you’d think folks from the two groups would have serious conversations with each other, seeing’s how they’ve got such common themes and problems. But they don’t. Different blogs, different conventions/conferences, and it seems one group rarely if ever thinks of the other. Strange, and unfortunate.
Amanda Rush says
I have a foot on both sides of that line, and try to facilitate conversations and teamwork between accessibility people and security people as much as I can. Part of the problem though is there’s a lot of mistrust and perceived conflicts on both sides, and neither side is in a position to make compromises. Security less so, because things can go very very wrong when security is compromised. Plus, there’s not a lot out there that tells/shows the security community where the conflicts genuinely are, how accessibility fits into the equation, and how a product can be designed and built securely while also being accessible. It also doesn’t help that when security-minded people call a certain accessibility vendor, the stock answer is something along the lines of “that user has to have administrative privileges.” That’s not something security folks like to hear when they’re adding users to an active directory setup or similar. Hell, security folks don’t like to hear “Windows”.
Just my two cents.