When we asked the security community who is their hacker hero, it was unsurprising to see that Eva Galperin, Director of Cybersecurity at EFF and co-founder of the Coalition Against Stalkerware was a finalist on the list.
Galperin is a hacktivist known for her rage tweets that help her fight the good fight to protect vulnerable groups being targeted. Most known for her work to track down APTs, she also champions personal privacy and taking down stalkerware. Oh and she’s done a TED talk. Let’s get to know her:
Tell us about Eva:
I’m from the generation of security professionals before security was professionalized. I wanted to become a lawyer specializing in human rights and tech law, so I completed my degree in political sciences. I got a job at Electronic Frontier Foundation (EFF) on the way to law school and haven’t left since.
From there, I got into activism, explicitly focusing on Internet censorship worldwide and the protection of activists and journalists. This then led me to malware research, writing about APTS, and then mobile malware research. Eventually, it led me to the protection of vulnerable populations online, including victims of abuse, and taking down stalkerware.
Who is your hacker hero?
Richard Feynman, a Nobel prize-winning physicist. He looked at systems and was interested in how to break them. If somebody gave him a set of rules, his first instinct was to test their limits. His lectures were the first time that I had ever encountered this sort of hacker mindset that was really aimed at breaking things in this sort of well-meaning and innocent way. Note that his attitude towards women is terrible, and the things he wrote about women were really disappointing.
“The unsophisticated things get ignored by the security industry because they aren’t shiny. I think it’s our job [as security professionals] to change that.”
How did you get into the hacktivism scene?
I started with looking at Facebook’s real names policy and how this put certain vulnerable cohorts in danger. About 10 years ago, they were cracking down on accounts that used fake names on their site and I only saw red flags.
I launched a whole campaign with Jillian York to create awareness on how forcing real names could be detrimental to journalists, activists, and people who don’t want to out themselves online in authoritarian countries. The anonymity allowed them to do vital work, and without that, they were vulnerable to being picked up by law enforcement, arrested, possibly beaten up, and killed. The stakes were very high.
Around this time, I also started to see cases where governments were spying on internet traffic. It was unencrypted, and our team took this evidence to Google, Twitter, Facebook, and others to convince them to enable TLS by default, as many people thought SSL was enough. For those unfamiliar with this, the unencrypted traffic meant that sensitive information entered into forms like credit card information, passwords, etc., could be intercepted and possibly used against you.
You’re known for tracking down APTs. Were there moments they tried to stop you?
I was traveling all over the world to conduct training on privacy and security for vulnerable populations. The journalists and activists I worked with were in grave danger and sketchy situations, and they faced challenging threat models while doing their work. They increasingly started to see emails and messages with malware attached. I got them to send me their malware, and this is how I discovered my first APT. The Vietnamese government also sent me and EFF staffers some malware directly, probably not knowing I am a malware researcher. I wrote it up, and they did not send me any more malware after that.
“You might think, “if I don’t do it [unethical hacking], somebody else will do it,” but if enough people don’t do it, it won’t get done. It starts with you.”
How has awareness of APTs changed in your view?
When I first started, the tech industry was largely uninterested in unsophisticated APTs that were just sending malware and attachments. These things were too primitive and boring for larger cybersecurity research companies that issued reports on sophisticated Chinese and Russian actors; the toolkits used weren’t “sexy.” Not discouraged, I kept on tracking APTs in Syria and Lebanon, which sparked my campaign to fight stalkerware.
Today, I see that more companies are also focusing on the harm done and less on the sophistication of actors, which is a giant leap forward.
What motivates you to be an ethical hacker?
The kind of security work I am passionate about starts with the people that I want to protect. It starts with thinking about who is left out of the conversation or who’s not in the room. I also get to use my technical skills, reverse malware, demonstrate harm, or eventually yell at a company but I always start with the people.
Finding out I worked with a serial rapist was a turning point in my career – I did a TED talk on it. One of his survivors was terrified that he would hack her, so I immediately took action to help her. Fueled by my rage, I tweeted to reach out to all sexual violence victims finding themselves in the same situation to help them and offer my hacker skills to check their devices for stalkerware. From there we founded the Coalition Against Stalkerware, which I continue to champion today to get the FTC to ban it all.
I hope to inspire people with the technical knowledge to start thinking about protecting vulnerable populations. It’s key to begin your security research with the people before applying technical skills. If you don’t, you might emphasize new techniques that overshadow old – still dangerous – methods that can effectively hurt people. The ‘unsophisticated’ things get ignored by the security industry because they aren’t shiny. I think it’s our job [as security professionals] to change that.
That time I got really mad and decided to kill an industry. https://t.co/KD1URyM3j7
— Eva (@evacide) April 3, 2019
What is your hacker superpower?
My hacker superpower is the rage tweet. That’s fun – get angry, tweet about things, and then things happen.
My real hacker superpower is looking at finding who’s not being helped, not in the room, left out of the discussion, and moving those people to the center of the problem. That drives my research and my activism. It is what drove me to found Threat Lab at EFF. I think that is a superpower that we can all develop.
What is the main thing blue teams can do to help make the Internet safer?
If you work in security or tech, there’s a high chance there are people who ask you for advice. Make an effort to give good accessible advice and learn how to teach. I’ve observed security practitioners give a bunch of frightening advice that makes people feel frozen and it doesn’t end up being useful.
If you give security advice to somebody but they don’t make a change, take the time to find out why and what it was about your suggestions that didn’t work for them. Does it not work with their workflow? Does it not fit their threat model? Were the tools too expensive or perhaps not compatible with other devices that they used? That way, you can start giving helpful advice to people who are relying on you for information.
How can other hackers use their powers or skills for good?
First, make sure you’re an ethical hacker, and I define that with thinking about who/the people affected by your work.
Secondly, know that you don’t have to work for everybody; you don’t have to take every job. It’s an excellent time to be in security, and we security professionals have our pick of jobs to choose from, which means we can choose not to do unethical things, even if somebody offers us money. You might think, “*shrug* if I don’t do it [unethical hacking], somebody else will do it,” but if enough people don’t do it, it won’t get done. It starts with you.
“The Vietnamese government sent me some malware directly, probably not knowing I am a malware researcher. I wrote it up, and they did not send me any more malware.”
When you’re not hacking, what are you doing?
I’m climbing 30 feet up in the air, turning upside down and spinning – I’m a circus aerialist. When I’m doing that, it is impossible to think about hacking or work, and I have to be in my body to pay attention because the moment I stop paying attention, we will have some very serious problems.
While this may not be for everyone, I encourage hackers to find something that really puts you in your body since hacking is so cerebral, and it is easy to just disappear into your brain.
Favorite media portrayal of a hacker?
I have a particular appreciation for Hackers and its metaphorical power that I’ve grown into over the years that I did not have when it first came out. My friends and I joke that when you watch Hackers as a kid, you think you’re Acid Burn, and then when you grow up, you realize you’ve become Mr. The Plague.
We’d like to thank Eva for giving us her time to share her story and thoughts about how we can make the Internet safer for everyone. Make sure to give Eva a follow on twitter to keep up with all the rage tweets and great work she’s doing.
Make software safer to use with your next payload
Being part of the Detectify Crowdsource community means being surrounded by people with a common goal – to make the Internet a safer place. Crowdsource hackers collaborate with the Detectify Research team to put the latest security vulnerability research into the hands of security teams, and ultimately protect end users.
Are you ready to join the best? Take the challenge and apply over on the Crowdsource website.