I’ve been on WordPress for exactly a month now, and so I thought it fitting to make a post that was a little more reflective in nature. I’m going to explore a subject I’ve thought extensively about… specifically I’d like to talk about what it means to hack, what it means to be a hacker, and why this has become central to my identity. Although I have written a little about security and exploits in the past, I don’t feel it was at all a central focus, so this is still more or less new territory for me. But I feel it’s territory worth exploring, because it’s a subject I’ve been meaning to get into with this blog, though I’m not quite confident enough in my knowledge of penetration testing that I feel I can write extensively on it. But I figured I could at least start with an examination of hacking, both from the perspective of cyber security and from the perspective of the hobbyist.
First, let’s define a hack. A hack can be defined as any clever trick that makes use of a piece of technology in a way it wasn’t intended to be used. Hacking is the art of discovering and employing such hacks – using technology in ways that the designers didn’t initially anticipate. A hacker, then, is someone who hacks – a clever person who comes up with their own tricks, techniques, and methods for making technology do nifty things. Cleverness is pretty much key to being a hacker. It’s half technical knowledge and half creativity. Hacking is an art as much as a science.
The question has often been posed: Does breaking into a computer system, stealing files, or other “black hat” activities make you a hacker? There are those who will say definitely not, that these people are crackers, not hackers. I half agree and half disagree. If you break into a protected system using an exploit that you discovered, that no one else thought of, then you’re just as much of a hacker as Eric S. Raymond or any other legendary representative of the hacker community. You’re not any less of a hacker just because you’re using your hacking skills for nefarious purposes. The distinguishing trait of a hacker is creativity and cleverness, not ethics.
If, on the other hand, you’re cracking by blindly applying methods that someone else discovered, or worse, just running scripts, then you’re not a hacker at all. You’re just a script kiddie. Hackers are defined by cleverness, script kiddies by a lack of cleverness. You can also be a script kiddie without necessarily doing evil. A Python programmer who mindlessly tacks together algorithms that other people wrote with no understanding of how those algorithms work and no desire to learn about the underlying mechanisms has the script kiddie nature. It’s the same mentality. So to conclude the last two paragraphs, the question of whether someone is black hat or white hat has absolutely zero bearing on whether that person qualifies as a hacker. It is a complete non-factor.
To me, hacking is not about taking down big corporate servers, although that can be one of its results. It doesn’t even necessarily have a specific goal. Hacking is less about trying to accomplish a well-defined mission and more about tinkering, experimenting, playing with things and exploring possibilities. That’s where the joy comes from. The joy comes from being able to take a piece of hardware or software and just mess with it until eventually you come up with something you never thought you’d come up with. I can spend an entire day getting lost in a project, becoming hyperfocused on building and exploring to the point where all other concerns disappear. That’s what I love about hacking: it puts me in The Zone, so to speak.
For me, one of the greatest joys in hacking is looking at a system and trying to find weaknesses that I can exploit. There’s an extra challenge to it, because there’s actually someone trying to stop me from doing it. When there’s no one trying to stop you, it’s less challenging. You’re not competing with anyone. Any barriers to your progress are simply there by accident. No one actually put them there. The only place where you can find barriers that were deliberately put there to stop you, and look for ways around those barriers, is in the area of penetration testing. There’s a certain thrill that comes from violating security, and this is the primary reason for it.
I find cyber security fascinating, both from the point of view of the attacker and from the point of view of the defender. My mission is twofold – to improve my own security while finding exploitable weaknesses in other people’s security and thus improving my access to their systems. Most of what I’ve done is theoretical, and there are many exploits I’ve come up with that I haven’t implemented yet, so in a lot of cases I don’t know if they would even work. Sometimes the aim is to find weaknesses in my own security so I can patch them. For example, I’ve done a lot of thinking about various ways someone could steal my passwords – Van Eck phreaking, acoustic cryptanalysis, everything from the conventional to the obscure to methods that I’m not even sure anyone has tried yet. I brainstorm vulnerabilities, and that has led to a lot of my best ideas when it comes to penetration testing, whether I’ve actually implemented them or not.
There are of course several exploits I’ve discovered that I’ve employed in real life. For example, I’ve figured out a way to easily reset trial software back to Day 1, essentially allowing me to crack it and use it forever without paying for it. In fact the method I use is fairly obvious once you discover it, and you’ll probably be wondering why you didn’t think of it before. I’m not going to tell anyone what my exploit is because if I did then word would get out and the vulnerability I use would quickly be patched. I don’t want that. I want to be able to continue using the exploits I’ve discovered. Maybe someday in the future, when I’m rich and don’t have to pirate stuff anymore, I’ll tell people how I did it. It might make for a good blog post, sharing the cracks I used to use to get by in the times of hardship. But that’s far off into the future.
This illustrates what I think is a more fitting definition of black hat hacking: Black hat hacking is the act of using knowledge of technology to violate someone else’s intentions for that technology. This is an extremely broad definition, but I think it’s a definition that is more appropriate to the modern cyber security landscape than “breaking into protected systems”.
I feel like I’m focusing a little too much on the security side of hacking, and I really should get back to the core idea of the subject, because there’s really so much more to hacking than just the security aspect. I’ve kind of defined a large part of my identity and philosophy of life around the main idea of hacking, which is the employment of cleverness to achieve ends. One of my favorite sayings is “You are good for nothing unless you are clever.” I totally agree with that saying. Your intentions don’t matter. How hard-working you are doesn’t matter. The only thing that matters is what’s between your ears and how you use it.
Hacking doesn’t even necessarily have to be about technology. The employment of cleverness and creativity combined with technical knowledge, in any area of life, can be considered hacking. It’s really just the engagement of both the right brain and left brain at the same time. One area of hacking that I’ve been exploring a lot recently is hacking business. I’ve put a lot of effort into finding creative ways to market myself, tricks and techniques that you wouldn’t find in a book on business or marketing.
There are basically two kinds of people: those who succeed by memorizing a procedure and then applying it in appropriate situations without truly understanding why they’re doing it that way, and those who understand the core concepts and are able to use that understanding to invent their own procedures, and also adapt them to different circumstances. People in the latter category will be much better at adapting to change and will have a significant edge over traditional textbook learners.
In recent years there’s been an effort, particularly in the programming community, to do away with meritocracy and create a system where everyone’s contributions are accepted regardless of whether they are actually good or not. I fundamentally disagree with this. I know it’s not considered politically correct to say this, but some people are just better, smarter, and more capable than others. In the end, the only thing that matters is the results. Your effort doesn’t matter. There’s a name for a system where people are all given equal treatment regardless of what they produce: it’s called communism. Now I consider myself to be a moderate liberal, so I don’t believe in anarcho-capitalism by any means (in fact I’ve been pretty staunchly anticapitalist in a lot of cases), but for something like a coding project where the quality of the code matters more than anything else, I think a meritocracy is by far the best system.
In the end, the only thing that matters is competence. The world doesn’t give a fuck about you as a person. The world only cares about what it can get from you. So what can you do? What skills do you have that would make you valuable to others and thus allow you to climb the social ladder? The sooner you accept that no one truly cares about your efforts or how much of a “good person” you are, the happier and more successful you will be in the end.