So You Wanna Be a Hacker?

SR DeckerCyberpunk is an amalgamation of the words cyber (of or relating to computers, cyberspace,) and punk subculture (anti-establishment, anti-authoritarian, etc.) What better example of the essence of both these words then the greatly celebrated geek stereotype of the hacker? Hacking is an activity that the ignorant fear, the computer geeks defend, and the experts engage in. It has a dual interpretation, and even in the breaking-and-entering version there is ethical and moral debate about it. Hacking is one of the greyest areas in digital security, and the threat of being hacked is something everyone with an online account has worried about. But what does hacking actually entail?

The kind of hacking we’re going to discuss today deals directly with the act of entering into a secure area of cyberspace when you’re not supposed to. It is directly analogous with lock-picking, safe-cracking, and other kinds of snooping in the real world. There is another, similar definition that is much more innocent which refers to coming up with clever bits of code called hacks. We’re going to leave that definition alone and talk strictly about the illegal kind. Or is it really illegal?

Many hackers defend the practice of hacking on the grounds that they’re exposing dangerous security flaws. If a company can’t protect their system then they deserve what they get. Hardware hackers specifically argue that they can do what they want with their own property, and that providing hacking information is not itself a crime. A famous example of this is is Hacking the Xbox, a book written by Andrew Huang as an introduction to reverse engineering. Unhappy at the exposure of what they deemed corporate secrets, Microsoft tried to prevent the publication of the book, but with the support of his lab faculty at MIT, Huang settled with Microsoft out of court and published independently.

While these rogue security experts may be of dubious legality, there are also “white hat” hackers who are employed by software companies to find the weak spots in their security–usually prior to package release. But much as the never ending flow of new computer viruses create a market for anti-virus software, there are also “grey hat” hackers who will hack a system in order to inform the owner of the flaw, and offer their services in fixing it. While nobody wants to accept help from someone who proves their capability by embarrassing their future employer, it is a valuable side-effect that overall cyber-security is constantly improved by these types of activities.

Hacker PasswordBut not all security is a matter of having secure passwords, encrypted archives, and unsearchable user indexes. As Kevin Mitnick demonstrated in the 70’s, the weakest link in any secure system is its human element. Sometimes hacking is less a matter of running a decryption program, and more an example of social engineering. This is a tactic that has been used by con men for as long as con men have existed, and it’s also what Edward Snowden used to get access to the NSA data that earned him global notoriety. Social engineering can be seen as taking the easy route–why spend weeks trying to guess a password when you can call up the account owner and simply ask for it? People will give up their passwords to a variety of people, especially those claiming to be with technical support. Modern understanding of computers is still limited enough that IT personnel can often ask for the moon and have it handed to them with no questions asked.

Hacker LockSo where does social engineering meet security flaws? To demonstrate how real world hacking works, let’s take a look at the 2014 hack of Sony Pictures Entertainment. Easily one of the worst cyberattacks in American Corporate history, the hackers claimed to have obtained 100 terabytes of data from the company and got away clean. The resulting embarrassment and financial loss, while not enough to “ruin the company” has certainly given Sony pictures enough bad press and lawsuits to severely cripple them, and did cause Amy Pascal, co-chairperson, to resign in early 2015. So how was it done?

Setting aside the official theory that the hack was perpetrated by North Korea, security experts agree that the hackers must have had inside help. Sony Pictures Entertainment has no shortage of enemies and disgruntled employees, and the extent of the damage caused by the attacks smack of revenge. But Sony has also been criticized for their poor security. A security assessment report dating from only two months prior reveals massive lack of communication between security departments that left firewalls and other security devices unmonitored and open to tampering and attacks. The cyberattck itself revealed that the company was storing usernames and passwords, in addition to other sensitive user data, in simple text files labeled “Passwords.”

Hacker 680So take shoddy security and some ex-employees with extensive knowledge, both of hacking and Sony’s particular weaknesses, and you get a classic hacker story with the kind of repercussions you thought could only happen in movies. Is it legal? Absolutely not. Would it make an amazing cyberpunk movie? Totally.

What have we learned today? Don’t have passwords called “password.” Don’t store your passwords in unencrypted text files. Don’t give the hackers in your life any reason to hate you enough to put all your personal emails on-line. And most of all–don’t ever work for Sony.

Flourish 1

Katie's VC Ad

Leave a Reply

Your email address will not be published. Required fields are marked *

Skip to toolbar