Jack made headlines for his showmanship when sharing his research on security vulnerabilities in digital systems. At the 2010 Black Hat conference in Las Vegas, he hacked an ATM to spit out $20 bills while flashing "JACKPOT." That work, along with his more recent research on embedded medical devices, illuminated a new frontier for penetration testing as more and more electronic devices are becoming able to communicate wirelessly with the outside world.
The news of Jack's passing spread through the computer security community Friday morning, triggering shock and sadness. Organizers at Black Hat called his death the loss of a family member and announced that they won't be replacing his pacemaker talk on Thursday. Instead, the hour will remain open for attendees to come join "a celebration of his life."
David Marcus, a researcher at the security technology company McAfee, says that Jack's work on embedded devices was at the "bleeding edge" of security research. When Jack worked at McAfee, he turned his attention to insulin pumps, eventually figuring out how to cause the devices to erroneously dispense potentially lethal doses of insulin from up to 300 feet away. Carrying on his flair for the dramatic, he presented it last year using a clear mannequin torso, red liquid and a handheld antenna. His most recent work at security firm IOActive Inc focused on embedded devices, including the pacemaker hack he was to present at the conference.
"The internet gets hacked all the time."
The number of devices being connected to wireless networks is growing. Security researcher Dan Kaminsky says that pacemakers are a prime example: They "are not a new technology; they've been around for decades. But more and more pacemakers, like other technology, are looking like the devices we use to run the Internet."
That advancement is troubling, he notes, because "the Internet gets hacked all the time." The Internet, Kaminsky argues, has been able to innovate so much partly because "if you screw up nobody dies. Nothing that bad happens. Someone's Facebook page is corrupted, oh well, we'll fix it. Someone's computer crashes? Oh well, whatever."
And according to Kaminsky, nearly everything is moving to the Internet model because, "it's easier to maintain, it's easier to fix, and all of those other metrics like usability and performance are a heck of a lot easier to manage when it works like the Internet, not like hardware from 30 years ago." But as our cars, our houses and, yes, our medical devices are getting shifted into Internet mode, the security stakes are raised.
"If you want these flaws to be dealt with," Kaminsky advises, "you need to have this community that's able to say we have many engineering requirements. Software has to be usable, fast, reliable, and yeah, it actually has to be secure too." Especially when talking about connecting devices that consumers are literally trusting their lives with to a network. Barnaby Jack's research spurred companies that built embedded devices to take security more seriously.
A "hacker's hacker"
"He was a hacker's hacker," says McAfee's Marcus. "He had the kind of skills the rest of us wish we had." Jack had a knack for looking at a system, determining its weaknesses and figuring out how to fix them -- before the bad guys did damage.
Marcus laments that some people have misconceptions about hackers that seem to come straight out of '90s movies: "They seem (to) think it's some pimple kid in a basement or some evil organization trying to steal credit card numbers" when many people who consider themselves hackers would take "true offense" to that stereotype, he says. For computing security researchers like Barnaby, hacking was a means to "solve big problems, keep people and data safe" by beating the adversaries in finding problems.
Jack was well-known in the security world. "Everyone had a drink with Barnaby, or an 'I had a good time with Barnaby' story," Marcus recalls of the "just such a likable little imp." After one conference, he remembers Jack calling him from across a bar. Marcus joined him for drinks, throughout which Jack occasionally shot him in the face with water from a compromised insulin pump while they spoke about ways to demonstrate the vulnerability.
Similarly, Kaminsky says, "there's the model of the hacker as the trickster in literature, and that described (Jack) to a T." Recalling a Black Hat conference in Abu Dhabi, he says Jack treated the cultural briefing of things not to do like a "to do list."
The one time he could recall seeing Jack spooked was at that conference, Kaminsky says. The hotel had an ATM that dispensed gold bars, and one evening, having received permission from the hotel, Jack tried to see what he could make of it. But, according to what fellow hacker Tiffany Strauchs Rad told Reuters' Jim Finkle, the hotel didn't actually own the gold-dispensing machine and the American Embassy had to be called to resolve the misunderstanding. Afterward, Jack, eager to share the excitement, met up with Kaminsky, who had missed the shenanigans because he was riding a camel.
Kaminsky laughs while recalling the tale, noting "Barnaby's the kind of guy who makes you realize your life sounds like a comic book, I mean, his name is Barnaby Jack." After the UAE incident, Kaminsky recalls, "(t)hose machines were quite disconnected from absolutely everything until all hackers had left the country, thank you very much."
"No one likes to hear their kid be called ugly"
Both Marcus and Kaminsky note there is always a certain level of tension between hackers conducting penetration testing and the manufacturers and developers creating products and software. Jack was no exception: "Barnaby had uncomfortable meetings with ATM manufacturers, medical device manufacturers," Kaminsky says.
That's understandable to a certain extent, as Marcus jokes, "no one likes to hear their kid be called ugly." But, like it or not, Kaminsky says, "we are becoming so dependent on these devices that quite literally our lives depend on them -- and they're literally not learning the lessons of security that we've had to learn painfully in desktops and laptops."
Kaminsky says "there are a lot of engineers who wish security vulnerabilities were theoretical" or would like an excuse to argue "no one would actually do that." But Jack's flashy exploits helped drive home that, yes, someone would actually do it -- and that if Jack could figure out how, it's likely potential bad guys could, too.
"There are a lot of people in this world who if they find a bug that will make an ATM fire $20 bills, they're not going to go onstage and talk about it, they're going to be standing in front of ATM and cashing themselves out," adds Kaminsky.
Penetration testing can find bugs early, allowing companies to fix them. Or, Kaminsky says, some guy out there is going to find the problem later, and the publisher or manufacturer is going to have a bad day. It's also cheaper to make the fixes ahead of the game. Kaminsky knows a little bit about this: In 2008 he uncovered a DNS protocol flaw that he jokes resulted in "tens of thousands of pizza boxes" being ordered over the six-month period it took for administrators to patch their systems.
Working to make the digital world a safer place, he says, is "a much harder path, but that's what it takes." The easier path can be to sell the exploits to the highest bidder -- with major, zero-day research earning huge payouts from state and corporate stakeholders. Last year, Forbes' Andy Greenberg reported on a middleman who helps hackers hoping to go this route. The man, who goes by the handle "the Grugq," was said to be earning a 15 percent commission on financial deals, primarily made with Western governments, ranging into the hundreds of thousands of dollars for major flaws.
The DNS flaw served as a good reminder of security's uphill battle. Catching a bug is only part of the process -- researchers also need to resolve the problem while ensuring the program still functions as intended. Because there's only a select group of people with the ability and skills necessary to do the job, it often puts hackers in a unique position of critiquing products from the outside.
Kaminsky suggests the work is somewhat analogous to environmentalists approaching a power plant about an air quality problem, adding that just like "no one wants to breathe polluted air, no one wants a pacemaker that will blow up on you."
Jack believed "(w)e can't taking this loosey-goosey, sloppy crap we use to make Web pages work and not be aware of what happens if we start betting our lives on it," according to Kaminsky. And Jack's news-catching way of presenting those flaws was a way to guarantee that creators took notice.
After all, Kaminsky says, "Barnaby wasn't the only person in the world who was hacking these devices; he was just one of the few who would talk to you." Beyond being a personal tragedy, his death meant the loss of one of the security community's "major ambassadors to the embedded world about the need for real security."
"It's easy to be inspired by a guy that hacked like Barnaby"
"He really made me laugh, I think I'll miss that the most," Kaminsky says later, his voice dropping. The day the news broke he was sharing tales about Jack with another security researcher friend. They joked that if anyone would fake their death to make for a big reveal at a conference, it was the guy they nicknamed Barns. But now they have to face that it's no joke; Jack was gone.
As far as his legacy in computer security, some part of it will be the acknowledgement that with embedded device technology flaws, "if we don't deal with this problem, it's certainly going to deal with us," Kaminsky says.
Marcus feels most sorry for Jack's family as they and the computer security community mourn the loss of their prankster brother. But he also hopes Jack's memory can inspire future researchers "to hack on to their own greatness."
"It's easy," he says, "to be inspired by a guy that hacked like Barnaby."