Schneier on Security
A blog covering security and security technology.
« Doublespeak and the War on Terrorism |
| Defeating a Coin-Op Copy Machine »
September 14, 2006
What is a Hacker?
A hacker is someone who thinks outside the box. It's someone who discards conventional wisdom, and does something else instead. It's someone who looks at the edge and wonders what's beyond. It's someone who sees a set of rules and wonders what happens if you don't follow them. A hacker is someone who experiments with the limitations of systems for intellectual curiosity.
I wrote that last sentence in the year 2000, in my book Secrets and Lies. And I'm sticking to that definition.
This is what else I wrote in Secrets and Lies (pages 43-44):
Hackers are as old as curiosity, although the term itself is modern. Galileo was a hacker. Mme. Curie was one, too. Aristotle wasn't. (Aristotle had some theoretical proof that women had fewer teeth than men. A hacker would have simply counted his wife's teeth. A good hacker would have counted his wife's teeth without her knowing about it, while she was asleep. A good bad hacker might remove some of them, just to prove a point.)
When I was in college, I knew a group similar to hackers: the key freaks. They wanted access, and their goal was to have a key to every lock on campus. They would study lockpicking and learn new techniques, trade maps of the steam tunnels and where they led, and exchange copies of keys with each other. A locked door was a challenge, a personal affront to their ability. These people weren't out to do damage -- stealing stuff wasn't their objective -- although they certainly could have. Their hobby was the power to go anywhere they wanted to.
Remember the phone phreaks of yesteryear, the ones who could whistle into payphones and make free phone calls. Sure, they stole phone service. But it wasn't like they needed to make eight-hour calls to Manila or McMurdo. And their real work was secret knowledge: The phone network was a vast maze of information. They wanted to know the system better than the designers, and they wanted the ability to modify it to their will. Understanding how the phone system worked -- that was the true prize. Other early hackers were ham-radio hobbyists and model-train enthusiasts.
Richard Feynman was a hacker; read any of his books.
Computer hackers follow these evolutionary lines. Or, they are the same genus operating on a new system. Computers, and networks in particular, are the new landscape to be explored. Networks provide the ultimate maze of steam tunnels, where a new hacking technique becomes a key that can open computer after computer. And inside is knowledge, understanding. Access. How things work. Why things work. It's all out there, waiting to be discovered.
Computers are the perfect playground for hackers. Computers, and computer networks, are vast treasure troves of secret knowledge. The Internet is an immense landscape of undiscovered information. The more you know, the more you can do.
And it should be no surprise that many hackers have focused their skills on computer security. Not only is it often the obstacle between the hacker and knowledge, and therefore something to be defeated, but also the very mindset necessary to be good at security is exactly the same mindset that hackers have: thinking outside the box, breaking the rules, exploring the limitations of a system. The easiest way to break a security system is to figure out what the system's designers hadn't thought of: that's security hacking.
Hackers cheat. And breaking security regularly involves cheating. It's figuring out a smart card's RSA key by looking at the power fluctuations, because the designers of the card never realized anyone could do that. It's self-signing a piece of code, because the signature-verification system didn't think someone might try that. It's using a piece of a protocol to break a completely different protocol, because all previous security analysis only looked at protocols individually and not in pairs.
That's security hacking: breaking a system by thinking differently.
It all sounds criminal: recovering encrypted text, fooling signature algorithms, breaking protocols. But honestly, that's just the way we security people talk. Hacking isn't criminal. All the examples two paragraphs above were performed by respected security professionals, and all were presented at security conferences.
I remember one conversation I had at a Crypto conference, early in my career. It was outside amongst the jumbo shrimp, chocolate-covered strawberries, and other delectables. A bunch of us were talking about some cryptographic system, including Brian Snow of the NSA. Someone described an unconventional attack, one that didn't follow the normal rules of cryptanalysis. I don't remember any of the details, but I remember my response after hearing the description of the attack.
"That's cheating," I said.
Because it was.
I also remember Brian turning to look at me. He didn't say anything, but his look conveyed everything. "There's no such thing as cheating in this business."
Because there isn't.
Hacking is cheating, and it's how we get better at security. It's only after someone invents a new attack that the rest of us can figure out how to defend against it.
For years I have refused to play the semantic "hacker" vs. "cracker" game. There are good hackers and bad hackers, just as there are good electricians and bad electricians. "Hacker" is a mindset and a skill set; what you do with it is a different issue.
And I believe the best computer security experts have the hacker mindset. When I look to hire people, I look for someone who can't walk into a store without figuring out how to shoplift. I look for someone who can't test a computer security program without trying to get around it. I look for someone who, when told that things work in a particular way, immediately asks how things stop working if you do something else.
We need these people in security, and we need them on our side. Criminals are always trying to figure out how to break security systems. Field a new system -- an ATM, an online banking system, a gambling machine -- and criminals will try to make an illegal profit off it. They'll figure it out eventually, because some hackers are also criminals. But if we have hackers working for us, they'll figure it out first -- and then we can defend ourselves.
It's our only hope for security in this fast-moving technological world of ours.
This essay appeared in the Summer 2006 issue of 2600.
Posted on September 14, 2006 at 7:13 AM
• 42 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Beyond Fear? I think I saw those paragraphs in Secrets & Lies?
Start looking at the 8-12 year olds, it is around about this time their very curious nature tends to become "what if I did"
A lot of old generation hackers where from a background that naturally led them into electronics (via valve radio's etc).
As has been observed any child with an inate curiosity in the locks on doors etc is almost cursed to become an old style hacker (resources and envioronment permitting).
A young child with a great deal of curiosity and a very good imagination could easily be "trained up" as a hacker. Perhaps the Government should start looking for the type early on, much in the same way that the Australian Gov profiles children for sporting ability.
The small cost involved is likley to reap big dividends fifteen years down the road. The only trouble is what Gov thinks fifteen years down the road (except for the Chinese).
Though I've read this before I have to officially thank you for it.
Reading your description of what a hacker *is* brings me great relief and inspiration. Hopefully others will some day "get it".
Rock on, Bruce.
My knowledge of hackers is limited to computer software. My first impression - from many years hence - is that a hacker is an ameteur attempting to do a professional's job. A city person with a kitchen knife (or a few them) can hack down a large tree, but he know little of how to make it fall right, and nothing of how to choose which to tree to fall.
The romantic, explorer vision you present is what was grafted on to the word hacker when the dope smokers took over.
Lets change the way hackers view our files these days and no longer target computer security. Until now so many people have been unaware of how powerful encryption is and how it can truly secure all of your files in a few simple steps.
How about if hackers could no longer cheat and we would never have to worry about bullying us around the playground again?
Sound reasonable enough?
Dropping all network security and switching everything to crypto simply means that the next thing to hack would be crypto. You cannot stop the "bullies" by changing the game. It simply means that bullies will change their game or that you get different bullies.
If the game is cheating, how do you cheat cheating?
Whatever you call it, the profile describes who I would hire for a job in a SOC.
Excellent. You should speak at Defcon. You would security geeks fainting with some of your brilliant veiws on security.
You would be WELL received.
I agree with your view of hacker -- after all, this is what I/we did/do... but this is not the common understanding today. Much as it hurts me, we -- those that think of hackers, and hacking, as you point out -- are going to be looked at as purists, clinging desperately to an archaic understanding of a word.
Languages are dynamic, and the meaning of words change with their usage.
Indeed. Working on the children of today will guarantee not only the hackers, but also the thinkers of tomorrow.
But... this is then a bit more serious: the children of today, at least in the US, are being trained, by the public school system (and this is a generalisation, based on my personal experience with my sons) to be ignorants.
Currently, form is more important than content. Curiosity has to be fed, and (at least initially) directed. Our school system nowadays feeds boredom only.
Maybe I am getting to be old and cynical.
Schneier does speak at Defcon.
I'm assuming that the attack Snow was commenting on must have been what we now call a "side channel attack" - as far as I can tell that term covers precisely the interesting class of attacks that "break the rules". I suppose there are other ways - multiple target attacks, for example - of breaking systems in practice without violating their theoretical properties.
Bruce, you're a little unfair to Aristotle. He was a phenomenally able biologist and zoologist, and an extremely acute observer and taxonomist, who so far from inventing theoretical constructs ad vacuo actually performed much anatomical work on many creatures.
He was the first person to envision biological study as a systematic activity, ever. He basically invented the science. The fact that some of his ideas were wrong, and aren't that useful in a modern lab is not really a valid basis for criticising his outlook. If his kind of curiosity-driven exploration and conceptualization isn't hacking, then I don't know what is.
I knew I had read this somewhere before. I read it between talks at HOPE, actually.
I read it in 2600 a month ago.
Pre-9/11, I was dating a girl who wondered why they took so many details (drivers licence etc) when buying a pre-pay cell-phone or sim card. (I was not in the USA). I explained that its to be able to track down the terrorists/criminals who could use phone to blow stuff up or for illegal activities. She didnt understand, so I explained how the terrorist/criminal can use a pre-pay for various things (bomb/office bug/ransom demand etc), and how law enforcement need the phones details (phone residue, time of call, location etc), and how they then need to tie this to a person.
She thought I was nuts for 'thinking this stuff up' and thought I was the dodgy one. I explained that its because i'm actually security concious, and can see flaws in the current model, and that is why I think of, and learn these things....
The lesson: If you point out flaws in the system to some people, they will think YOU are the terrorist/criminal.
I disagree with the notion that hackers are cheating. To cheat, a hacker would have to break the rules. The software and hardware that makes up a computer system constitutes a set of rules for the system. A hacker's goal is to learn these rules so well that s/he can have the system do things that the designer's didn't intend. The fact that these thigns are unintended does not remove the fact that the system's rules allowed them to happen.
Really I think hackers have a lot in common with lawyers. Both have to learn elaborate sets of rules that are incredibly confusing to outsiders and then find loopholes that allow them to do what they want.
"Beyond Fear? I think I saw those paragraphs in Secrets & Lies?"
"You should speak at Defcon."
I used to be a regular speaker at Defcon. I haven't been there in recent years, because I have a conflicting committment.
You're right; I should get back there.
But Bruce, I thought that finding out who bad hackers are, what they're trying to do and attempting to stop them from doing it (intelligence) and then reacting to whatever slips through the cracks after the fact (emergency response) was the best option. That spending time and money on identifying specific threats and changing our defenses was a waste. That hiring good hackers to try to identify vulnerabilities before they are taken advantage of was just overhead, costing money and occasionally impeding our civil liberties, and realized little or no benefit. I thought that there were too many threats and that vulnerabilities were evolving too quickly to make improving our defense systems a good tradeoff.
How are good hackers, and the work/solutions they're devising, in the computer security field different from good hackers in the physical security world? How is analyzing a smart card and its use different from analyzing the process for inspecting luggage at an airport?
Perhaps you should also consider whether the security difference between PACS and LACS are also semantics. If the difference is semantics, then good hackers in both physical and logical security systems are either worthwhile or not and the Intelligence and Response argument either holds water for both or for neither.
"Bruce, you're a little unfair to Aristotle."
The earliest definiton of hacker I ever heard (and this may be worth "what you paid for it") is that it comes from the old Jewish work 'Hak', which translates to
"someone who makes furniture with an axe."
I think this definition is very accurate - it can mean two things:
To "bodge" something with poor quality or
To produce something (of ok quality) with inappropriate tools.
Of course, neither relates to security today, but early security folk were certainly software/hardware 'hackers'.
Share and enjoy.
"Computer hackers are just people who understand the program better than the one who wrote it." I think I read that in a Linux Magazine article in 2002.
... the examples two paragraphs above were performed by respected security professionals, and all were presented at security conferences.
-And they were therefore criminals under the DMCA, which cares not why or for whom you circumvent a security measure.
The best definition I ever had of the types of hacker comes from the book "Out of the Inner Circle" by Bill/William Landreth.
It's a very cool book, written by the kind of person you detail above: a 'Student Hacker' in the book's terms.
Bill Landreth, where are you? Your time of silence is up, come out and enjoy the sunshine of praise from a 1000 hackers - each born of your book, and your wisdom.
Where ever you are Bill: thanks and good luck.
I know many professionals who are hackers. Most of them got to be pros by starting as hackers, and they never lost the mental agility and thirst that defines hackers.
I also know some professionals who weren't hackers and never will be. This doesn't detract from their knowledge, skills, or professionalism.
Some hackers produce shoddy work, but so do some non-hacker professionals. I can't correlate being a hacker only with slipshod work, nor being a professional only with quality work. Reality is more complex than any two categories can ever express.
I totally agree with the article apart from the terminology of a bad hacker - "there are good hackers and bad hackers, just as there are good electricians and bad electricians". Maybe I am just being perdantic but should that not read "there are good ethical hackers and unethical or criminal hackers, just as there are good electricians and bad and bloody dangerous electricians". I know there is a whole white, grey and black thing but to "bad hacker" does not really work. If a hacker is an expert how can he be bad? He can be malicious, criminal, etc. but a bad expert? Harold Shipman was probably a great GP to those he did not kill but was he a "bad Doctor"? Or a good GP and a murderer? Maybe I am being perdantic and I should take myself off to bed!
"My knowledge of hackers is limited"
That says it all.........
My favorite hacking story is the one where James T. Kirk "reprograms" the Kobayashi Maru test.
There are hackers and there are security professionals. Blurring the lines is a dis-service to the professionals and the kids.
A 14 year old dateless male stomping around the local bank's file systems has a completely different mindset than the security professional you hired to help secure that network. The 14 year old has no inclination or need to be careful because it doesn't matter to him if he destroys or accesses something sensitive or important. He also has no reason to alert anyone about his findings except possibly his dateless compadres..."D00d! Look! I just deleted your mom's bank account!"
The security professional, OTOH, has every need to be careful and thorough in his examination and reporting. It's his job to both find and fix the problems without causing unnecessary disruption. The professional is also more skilled. A hacker, for example, isn't going to wonder why your backup mainframe is in the basement of a building in an area that periodically floods - they don't care.
The only similiarity between the two is that they work on the same problem - security vulnerabilities. However, the hacker exploits it while the security professional reports on it and mitigates it.
Glorifying or shrugging off electronic breaking and entering or trespassing only makes educating the kids more difficult because you've given them a pass by saying it's ok. "They're just being kids"
isn't much solace when dad has to go bail his son out of juvenile detention.
Who do you think figured out how to fell a tree? Who do you think figured out which trees to fell? Somebody who looked at his log house and said, "I could build this better, if only I had trees that did..."
Hackers and Ingenuity and creativity. Hackers are the designers, the inventors, the people who make the world work better.
Hackers break systems, and some do it maliciously or for personal gain, but most do it simply to build better ones. "Professionals" are no more than cogs in the machine: If something happens that they cannot deal with, they will not find a way to deal with it, they'll leave it unfixed to cause further problems. Hackers find solutions.
It's true, hackers often create shoddy work when expected to do the work of a "Professional". They're rarely concerned with the mundane work. Most can't stand documenting code that seems obvious and self-explainitory to them. That's a problem of the work they're given, not of the hackers themselves. Don't ask a Hacker to walk the path. Ask them to blaze a new trail.
"A 14 year old dateless male stomping around the local bank's file systems has a completely different mindset than the security professional"
Consider Bruce's definition with the first and last sentence removed:
"It's someone who discards conventional wisdom, and does something else instead. It's someone who looks at the edge and wonders what's beyond. It's someone who sees a set of rules and wonders what happens if you don't follow them"
I cannot help thinking that is a reasonable stab at describing a sociopath.
I'm not saying that hackers are sociopaths but maybe their different outlook on life is closer to a sociopath than most people?
Should be interesting to see the recation this gets. Now where's that flameproof suit ...
Very interesting definition. I guess I've been a hacker my whole life then, as I've always wanted to know how and why things work. I have always tinkered with things trying to get them to break or work in a different way, only to get them to work normally again. Wow, I really never thought of it that way -- in that I (and probably just about everybody here) was a hacker all along.
you're forgetting a far better reason to break a system than malice, personal gain, or to improve it:
you break it because it can be broken.
"Hacking isn't criminal. "
Bruce seems to waver here and there when it comes to semantics ;)
When the article came out in 2600 I had just figured they pulled an old article out of the drawer from some time ago. Glad to see your upgrade.
IIRC, William Landreth later left a suicide note and disappeared. He was later found alive, and was arrested for violating his parole. I don't know anything after that.
In the book, Landreth felt that security in the future would be greatly improved by increased use of passphrases over passwords, and by training users to be more security-conscious. Unfortunately, passphrases are rarely used (even though many programs support them these days), and given the increased numbers of people using computers with little additional training, the average user may well be dumber now than when the book was written.
Aristotle's failing was that he made claims about the number of teeth that women have without actually counting them. Since you're setting the record straight, I'm trust that you wouldn't make the same mistake. So, how many sets of teeth did you count? What were the actual results?
My point: not only does this story give a false impression of Aristotle's contributions to empirical science (as Carlo Graziani points out), but it's usually trotted out by people who are guilty of the very thing they accuse Aristotle of.
The lesson, I think, is that even the greatest scientific minds can't independently verify every fact that they rely upon.
> "That's cheating," I said.
Ah, the naivete of youth, eh, Bruce?
I knew I was on the path when solving the rubix cube as an 8 year old I just broke it apart and put it back together in the correct order. People said that was cheating I just thought it was solved.
"When the article came out in 2600 I had just figured they pulled an old article out of the drawer from some time ago. Glad to see your upgrade."
I actually have gone back and forth and back on this issue. Although I still think that we've largely lost the war on this one, at least in the popular vernacular.
We can all smile at Burtrand Russell's observation about Aristotle's thoughts on womens teeth and the fact he had two wives. It is often (mis) quoted as an example of surety and pride in the profession (hubris).
However one Prof does not think that much of Russell (in an amusing way),
But hey Russell took ten years to prove that 1+1=2 provided you took some things on faith (i.e. Axioms) (see "Principia Mathmatica", Whitehead,Russell).
This feat did not however stop Russell going on to argue (fairly successfully) that life is based on chance (Causality & no "first cause") as in the the throw of a dice, but it is not the hand of god that holds it (upseting amongst others Einstein "God does not play dice"). For which Russell has received condemnation from Christians and other's who have faith in deities ever since.
So as you can see Aristotle is not the only "Big Thinker" to have beliefs that nowadays appear down right odd to some people.
"False belifes are like the money in a drowning misers hand, beyond all rationality they remain firmly grasped until death"
Oh by the way there was a news artical on the Radio yesterday, apparently a scientist (Ontario psychologist J. Philippe Rushton) has "proved" that women are less intelegent than men. The results of their study (apparently) show that women are 3.63 IQ points behind...
I think I hear another round of ridicule rising for a "thinking scientist" ;)
"I knew I was on the path when solving the rubix cube as an 8 year old I just broke it apart"
Me too (only I was quite a bit older), I was showing this at a friends party for fun as a silly party trick. When a relative of his runied it by showing that he could solve the dam thing faster than I could get it appart...
I suppose proving (as was pointed out to much hilarity) that "cheats don't win"
Oh and to rub it in the "annoying relative" went on to win several major competitions and quite a bit of money for his ability. And yes I hate him still ;)
"I'm not saying that hackers are sociopaths but maybe their different outlook on life is closer to a sociopath than most people?"
I think the difference between a hacker and a sociopath is the same as the difference between everyone and a sociopath: a moral system.
Just because a hacker can figure out how to blow up an aircraft doesn't mean that goes out and does it, or even wants to go out and do it.
Anent hackers, not so many years ago, Digital Equipment Corporation (DEC) was the second-largest computer company in the world, and its VAX computers were extremely popular. Some hackers broke into some VAX clusters, and caused something of a stir, since the various computers in question contained sensitive information. The hacks gained some international notoriety in the computer press.
When asked at a press event what he thought of the hackers who had done the deed, and what should be done with them, President and Founder Ken Olsen was reported to have said, "I'd like to hire them. They're the kind of people we need."
Stephen A. Kallis, Jr.
Another attribute of the "hacker mindset" (in the Feynman, etc sense) is _not_ doing the sensible thing. What I mean by that is that a lot of the time what you're doing doesn't look like it's the sensible course, and an awful lot of the time it doesn't lead anywhere. For example, why would you think about how you might theoretically shoplift from a store when you could be thinking about how to advance your career, or what you ought to say to your wife, etc. All these things have a guaranteed payoff. And even in the case of the renowned stories, like Feynman figuring out how to open the Los Alamos safes, surely in advance it would have seemed much more profitable to work on more fission physics, or his next trip home, or whatever. Again, something much more likely to be "useful".
I mention this just because society constantly tells people to be "sensible" and it takes a degree of
self-confidence to just mess around at some out-of-the-box idea that'll probably never work, just because you can't resist it. And in the modern world there are too many voices telling people to do the "sensible" thing.
What difference is there between a good and a bad hacker? And is it possible for your system to be safe enough from possible viruses?
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.