Monthly Archives: September 2017

The World Needs More Hackers (Or, why it’s OK to be wrong).

The word “hacker” can bring up a lot of feelings. To the general public, there may be fear associated with hackers and hacking. Hackers may be associated with crime, software piracy, or fraud.

You may ask, “Why would the world need more hackers?” I intend to look at this question and hopefully answer it.

The actual process of hacking is honestly usually really boring. You may spend hours (days, weeks) and find absolutely nothing. You may spend an hour or two on the wrong trail, which looked mighty promising at the time. You might spend hours digging through code or logs, or perhaps working entirely blind. And at the end of the day, a lot of the stuff you try won’t work. You’ll be wrong. A lot.

I grew up in a great era to learn computers. To get an idea, when I started tinkering, I remember orange monochrome monitors (green too!). I spent a fair amount of time on Bulletin Board Systems (BBSes) playing text based games. Most of my friends had 9600 or 14400 baud modems, and I was lucky to have a 33.6 kbps when they came around.

I hacked my first device when I was about 6 years old. For my 5th birthday, I got a little machine called the “PC Pal.” It came with a few game cards, and you could purchase more of course. When I got bored with the games that I had, I started tinkering and looking at the device differently. The game cards were just plastic. I didn’t see any electronics in or on them. I quickly devised that the holes punched in the cards were not game data, but just identifiers telling the PC Pal which game ID to choose. There’s no way the game was actually on the card; it had to be that all the games were already built in. And so, with some index cards and a hole punch, I made myself all the games for my PC Pal.

This went further into the era of DOS games. I learned DOS as I was learning how to read, and I learned hex editing not much later after that. “Back in the day,” games would often come with a code book or code wheel. As the game started you’d be instructed to open to a certain page, or line the wheel up a certain way, and input the code. This was a primitive form of copy protection. Even if you copied the floppy disk and gave it to your friend, they’d have to call you for the code or they couldn’t play. Now that I think about it, we made a lot of phone calls to neighbors for this reason.

Once I learned to hex edit, I took a game with a missing code wheel, and edited every answer to be the same. No matter the question, the answer was the same thing. And so, I had my game back. This was way before p2p sharing or anything like that, so I never did share this work. I think it was a baseball game if I remember right.

Of course the ethical implications of this are lost on a 6-8 year old. In the case of the missing code wheel, I did in fact own the game, but I also completely hacked it to regain my ability to play it. I did get in trouble for stealing once before I was a teenager, but I learned my lesson quite quickly with the amount of time I had to spend on my newspaper route to pay the fine. That, however, did not deter me at all from continuing to mess with computers and technology. These incidents were only the start, and helped build the skills I carry with me in my IT career to this day. You would be amazed how many IT and IT Security companies are founded by people with criminal records from their younger days of hacking. I almost guarantee you that you use a product from at least one of them.

In a recent discussion with a friend of mine, we talked about how children naturally test boundaries. It’s what they do. They have to test limits to find them. Sometimes they do some things that are wrong, and they learn a lesson.

And there in lies the glory of being wrong; you can learn. Now, the word “wrong” I look at in a couple of ways. One being of course an incorrect answer or conclusion (literally wrong), but the other is the tendency to avoid an action that is seen as wrong (morally wrong, perhaps). School and society programs us to be afraid of both. It’s horrifying for children to get things wrong in school, and they seem to be taught that it is one of the worst things they can be. For me to be successful, I have to be wrong. I’ll rarely figure anything out otherwise.

A wise man once told me, “if you can build it, someone can hack it.” Now, this is no reason to throw caution to the wind. I could write a lecture on how “not being the lowest hanging fruit” is probably good enough for most businesses (COUGH COUGH EQUIFAX), but that’s a discussion for another day. The point is simply that “someone can hack it [with enough effort].” Would you not want “someone” to be a good guy?

The American school system is failing us. It isn’t providing us “good guy” hackers. We get plenty of builders, but not so many breakers (I’ll get to this in a minute). While I’ll never encourage anyone to leave college, for my I.T. career it was one of the best things I ever did. I’m really thankful for teachers who helped me take an alternative path through high school to graduate quickly with my diploma. I personally don’t feel classroom learning is really that effective for IT work when the core skill needed is not necessarily technical knowledge, but rather the ability to problem solve, research, learn, and work efficiently and logically. I’ve been blessed to cross paths with people in my career who have helped teach me this. Stay in school kids, if not for the information, for the work ethic.

Hacking is absolutely essential to data security. This is where we get back to builders and breakers. In the life cycle of most things IT related, there are builders and there are breakers. If you do not have breakers, some will be appointed to you in the form of end users. By encouraging breakers to break things ethically and responsibly, we learn how to prevent malicious people from breaking the technology that we all rely on the exact same way. It’s amazing how much software gets put on the market with little to no real security testing, to the point where mistaken or unforeseen user interaction (perhaps even non-malicious interactions) can cause unpredictable or dangerous behavior.

Some companies really get this. It’s evident often which ones do. A good sign can be companies that implement bug bounties. Bug bounty programs reward responsible security researchers for reporting security flaws. Did you know that you can legally try to hack Facebook? Not your ex girlfriends Facebook, don’t get me started (I’ll cut you). But seriously, if you agree to some terms, you can be rewarded for finding security flaws in Facebook. This encourages breakers to be a healthy companion of the builders. Want to ask facebook for profile id=$tacos? Who cares? You won’t get in trouble. If something breaks, just tell facebook before you tell anyone else, and facebook will likely literally pay you actual monies. Had this been common when I was a kid I would have had SO. MUCH. FUN.

Other people and businesses do not get it. Some time ago a researcher found that bank statements from his financial institution were not properly protected. While browsing his statement he noticed the statement ID was displayed in the URL path. He incremented some numbers and was presented with data he was not allowed access to. This was not in the US, but in the US that can technically be a felony under the anciently dated CFAA (Literally accessing anything you’re not supposed to on a PC is basically a felony. It’s dumb and stupid). Rather than blaming their software engineers for a security flaw that a 1st grader could have found by spilling milk on his dads iPad, The financial institution responded swiftly with legal action. Eventually I believe charges were dropped in the case, but things like this obviously discourage brilliant and honest people from breaking things (hey, that’s WRONG!) for the right reasons.

This can extend into every day life. I was taking the trash out recently and noticed a parked car had the interior light stuck on. Another neighbor was also outside (it was late, I’m a night owl). She said “I guess they’re gonna have a dead battery.” I though to myself, as a person of the hacker/breaker mindset, that there are more possibilities than that. They don’t have to wake up with a dead battery if we can turn the light off. For all I know, the car isn’t even locked. (Spoilers, it wasn’t; I turned off their dome light, closed their car door, and went about my business.)

Some people might have been scared to open someone else’s car door, or even try. I honestly wasn’t that worried about it. I’m legitimately trying to do someone a favor. Is there risk? Absolutely. If someone saw me and knew that was not my car, (or worse, knew it was their car) I could have a lot of questions to answer. Did I do it anyway? Of course, it was for the right reasons. I’m not after a gold star; it’s the mind set that’s the important part here. I would think that doing the “wrong” thing by opening someone else’s car is totally fine in this situation.

Don’t be scared to break things sometimes. Better yet, just try to figure out how things work (breaking them is a great way if it comes down to it). You’ll get better at rebuilding things every single time. Don’t be scared to go through an unlocked door (or hell, pick a lock) if you’re in the right. And if it comes to a matter of facts, don’t be scared to be wrong. Perhaps the person who proved you wrong has a simpler answer to the problem at hand, and that actually helps you and/or saves you work. Don’t let fear of being wrong stop you from putting an attempt out in the first place. Better yet, “Don’t let perfect be the enemy of better.”

The world needs more hackers. If we ever want to begin to recover from the current state of internet security (spoilers: it’s pretty bad), then we need to start encouraging responsible and creative people to break the shit out of it. Break the ever loving shit out of the internet. For the right reasons.**

-AK

**Or just cash out some bug bounties. I don’t judge. Just be responsible about it, eh?