Hackers Are People Too

Simon Morse Practice Director Security at Versent

Simon Morse, Security Architect, Versent

June 21, 2017

For those who didn’t see it, the early section dealt with Steve at University and, I think, gave a glimpse of how the roots of the IT industry, based in the San Francisco Bay area (aka Silicon Valley), overlapped with the tail end of the hippy movement.

To a large extent that non-conformist view of the world still persists to this day and it’s not just in big organisations like Apple. Earlier this year I caught up with a mate who had been working in Saudi Arabia for a few years since we’d last worked together. My favourite story of his was when he was working in San Francisco during the .com boom. There were hammocks for employees and posts out the front specifically designed to tie up your pets (if you didn’t want to bring them to your desk…). Perhaps with the exception of a few players like Google and Amazon, most of this wave of innovation went bust or got gobbled up by the big players once the money dried up. But it does describe the strain of avant-garde curiosity and sense of downright mischief that is still a major driving force in the IT industry.

Although some civil libertarians may support “hacktivism” through groups such as Anonymous or WikiLeaks as a non-violent form of protest on particular issues, by and large hacking is a bit of a dirty word now. Every month or so there will be a mainstream news media story about some sort of criminal gang that has systematically ripped off consumers, small businesses or banks. Often the scale of these scams runs into the millions, and a large part of my career has been spent trying to help organisations assess how likely these sorts of events are and devise ways to prevent, detect and react. But it wasn’t always this way. In the early days, to be a hacker was a mark of respect from your peers – it meant that you were good at your job, but in a creative way. Like a Steve Jobs.

I think the term is now beyond rehabilitation, but I can describe the thought process that makes one a good hacker because I use it all the time myself. Here’s how it works:

Step 1 – understand in depth how the system works in the mind of the designer. At this stage we’re completely in line with bread and butter IT practice. Think of this as determining the ground rules for the system.

Step 2 – try and fiddle with individual elements of the system in a way that the designer hadn’t foreseen. This is where hacking starts to diverge from traditional IT. It requires curiosity, creative insight and the ability to put convention to one side while you explore possibilities. Think of this as bending our established rules in some way to see what happens.

Step 3 – see if this unexpected use can benefit you or someone else in some way. I often need to do this in my security analysis. In the industry we give it the tag of “threat modelling”, but really I’m just hacking the system in exactly the same way that those up to no good are.

Hopefully you can see how the non-conformist strain of thinking from the US west coast was key in giving us some of the more elegant improvements that we’ve seen emerging to change conventional thinking for companies such as Apple and Google. If we stack up conventional thinking against this approach, we can see IBM in 1995 spending three and a half billion acquiring Lotus for what turned out to be dead end spreadsheeting and email products. Similarly, Bill Gates was reported at a 1994 conference declaring “I see little commercial potential for the Internet for at least 10 years”. There’s a lot of mythology around Microsoft and they executed a pretty swift U-turn on their previous internet strategy shortly after this, so the exact quote may be apocryphal, but both of these examples show us that traditional thinking can at best allow us to continue exploiting current revenue streams or market domination.

I work in the IT industry, so I recognise this all the time in IT kind of ways, but you may also recognise the same process in other fields – performing card tricks, hotting up cars, inventing the “Fosbury flop” technique in high jump or the winged keel for the America’s Cup. All of these are in some sense breaking the mould and, traditionalists in the area might argue, they are breaking the rules.

In a future article, I’ll get back to how the bad guys exploit abnormal behaviour and how we can defend against this by designing systems that catch problems at a general level rather than trying to second guess the particulars of what they are up to. But for the moment, let’s pause and consider the positive benefits from creative IT thinking – perhaps the next time you pull out your smart phone, check on your friends online, then google something up on the internet…

