
An Interview with Brad Haines


By David Bevans

Brad Haines is chief researcher of Renderlab.net and co-refounder of “The Church of WiFi” wireless think tank. A noted expert in the hacker community in the field of wireless security, Brad has spoken at many international conferences and taught several classes on free wireless assessment tools. He is also author of the forthcoming Seven Deadliest Wireless Technologies Attacks and a contributor to RFID Security and Kismet Hacking. He took some time to answer some questions about his personal life, his work, and swing dancing.

Q: People recognize you because of your fedora. How did you come about wearing your trademark?

A: I started wearing a black fedora back in the late ‘90s during the swing music revival. I really like the music and the fashion of the era. It very quickly became natural for me to wear it day to day, and I feel strange being out without it. People are often confused that my black fedora is a statement that I'm a “black hat,” but I usually explain it as "White hat by trade, black hat by fashion."

Q: Speaking of your hat, I’ve read that a lot of white hats start out as black hats—going from hacking for self-satisfaction to helping other people and companies big and small. Did you follow this path as well, or have you always been looking out for others?

A: Most of my early path was directed by teachers in high school in the mid ‘90s. They saw that I had an aptitude for computers and decided to put me to work doing maintenance on the labs. Very quickly I learned that a high school network is an incredibly hostile place and that it was a constant challenge to keep things running. From there, my interest was cemented, and I've been interested in security ever since.

Q: Why the moniker RenderMan? I always see these names and wonder where they come from. Your Web site says it’s from your days of dreaming of becoming an animator. But how did it stick? Also, would you consider Syngress your RenderFriends?

A: In high school I was interested in computer animation and video production. I often did projects for the school, like promotional videos and presentations. These projects usually had some amount of computer animation in them and a short timeline. This usually led me to taking over the lab full of computers to do network rendering. At the time, Pixar was doing amazing things with their RenderMan engine, leading to the movie Toy Story. Whenever I would take over the lab, others would exclaim "Oh, RenderMan is at it again". I began using the name in online gaming and it stuck. When I began in the hacker community, the name followed. I have since found out that I have no artistic talent to speak of, so I no longer do any animation, but my identity and reputation are firmly attached to the name, and it's what I'm used to. My friends and family call me Render just as easily as Brad.

Q: Computers aside, what do you like to do in your free time?

A: I am one of those individuals where there is little difference between work and play. In my free time, I'm usually doing some sort of technical project, be it new wireless attacks and tools or adding electronics to some childhood toy. My nontechnical free time is spent dancing, mostly ballroom and swing (note to geeks everywhere: Ladies love a guy who can dance!). I also spend a lot of time with a wrench in my hand, working with my dad to rebuild my grandmother’s 1971 Dodge Demon, hacking it from front to back to create a modern hotrod.

Q: What got you started on warwalking, wardriving, warriding, and all other variations of searching out and securing wireless networks?

A: My interest was first piqued at DEF CON 9 at the first talk about wardriving by Pete Shipley. Shortly after I got my first laptop, I got a wireless card compatible with Netstumbler. When I first started up Netstumbler, I found a neighboring business with an open AP. Realizing the risk this entailed, I went to talk to them about it. They dismissed it as not important. Early wardrives showed a large number of APs were wide open, and I could not just sit by, so I began an effort to map out Edmonton and publicize the results. The rest is just history.

Q: You were quoted at the ICE information technology conference, saying, “If your consultants say your system is secure, they’re lying.” Obviously, just because no vulnerabilities are found, that doesn’t mean the system is secure. So how can we secure our networks if nothing is ever really secure?

A: As Bruce Schneier says: "Security is a process, not a product." Just because something is secure today does not mean that it will stay that way; you need to stay on top of things and be aware of the ever-changing world around you. Often I've said that the hacker community is two to five years ahead of the general public. When something becomes passé to the hacker world and we've moved on, then the public discovers it and suddenly it's important. I've seen many consultants that are genuinely not aware of what is just around the corner and fail to plan ahead for inevitable failures in technology and keeping ahead of the curve. We saw it with WEP, where the hacker world knew that WEP was broken and useless, but many people continued to assume it secure enough. It is thinking like this that led to the TJX attacks and the resulting damage.

Q: Your upcoming book, Seven Deadliest Wireless Technologies Attacks, expounds upon a multitude of different wireless attacks one can face or pull off. These attacks seem to be able to come from anywhere, at any time. At what level of security risk are we, for instance, when we are just sitting in a coffee shop with our laptops connected to a free WiFi network?

A: In short: You’re screwed. While it has been known for a while that it is possible to inject arbitrary content into open wireless connections, no one went much beyond injecting shock images into unsuspecting users. Recent work by Dragorn (and some small contributions by myself) has taken this to a new and more terrifying level. It is possible to inject malicious JavaScript and other content into clients to do pretty much whatever we want. Since the attacker controls the TCP stream, they can force this malicious code to be cached permanently and carried from the coffee shop, back into secure networks at the office. Basically there is no real defense except VPNs but even then, the opportunity exists to still pull off the attack since most coffee shop networks have an insecure landing page that can be attacked and gain leverage once the VPN is established.

Seven Deadliest Wireless Technologies Attacks releases in March 2010. Look for it on www.syngress.com.