The following is a guest post from career white hat hacker Aaron “dyn” Grattafiori.

In the purest form, hacking is a mindset about pushing the envelope of what is thought as possible. For a given target, it’s not “bending the spoon” in The Matrix, but realizing there is no spoon.

Great hackers are sprinkled throughout human history. The first human to rub two sticks together and create fire was a hacker. In the more recent (but still old) days, those experimenting with physics and chemistry to push science and develop technology were hackers. Michelangelo was an elite hacker. In more modern times, Hot Rodders making cars go faster were hackers of their day; or the NASA engineers and contractors in Mission Control during Apollo 13, who solved a number of problems to bring the crew home safely. L0pht industries in Boston or the Phrack Zine paved the way for modern security shops and released entirely new bug classes – all real hacking.

While the term has recently been coopted by development companies or workshops, hacking (to me) has its main roots in computer and network security. Security analysis is always hacking in the purest form because actual hacking (not just running a security scanner or tool) only manifests itself through outside-of-the-box thinking or by discovering unintended uses of technologies, programs, information or access. It’s about taking things apart, doing reverse-engineering, challenging assumptions and discovering vulnerabilities. That could be in DRM protected coffee machines or everyday vehicles driving down the highway and everything in-between.

To quote Bruce Schneier, “Attacks only get better, they never get worse”.

Computer and network security or “cyber” security is often in the news today. Data stolen, NSA watching, a company compromised, a website defaced or an Iranian nuclear program derailed. For every news story about a hack, countless more have occurred that nobody ever hears about, either because the company never discovers it, or it isn’t required to release the details.

Two major “camps” of security work and attackers exist out there, on both sides of the complicated ethical fence. The security community also continues to debate ethical questions regarding vulnerability disclosure, the sale of vulnerabilities to government agencies or exploit brokers, and cyber weapons such as Stuxnet. My opinion is a complex one, and I don’t think the situation is black and white on these matters, so let’s leave that for another day. 🙂

Malicious hackers or “blackhats” are always working to exploit flaws or gain unauthorized access to information in order to steal, sell, publish or otherwise perform some evil.  Malicious hackers cover a wide range of “threat actors” from the top where massive government sponsored teams such as Tailored Access Operations (TAO) within the NSA or China’s PLA Unit 61398 use purchased exploits or custom developed attacks. At the bottom are individual curious kids or disgruntled teenagers looking for a “cyber cause”. When it comes to blackhats, the best hackers are the ones you never hear about and it makes sense to defend against the most likely group to target your organization or your person.

0146695

On the other hand, good hackers, “whitehats” and pentesters are working to help companies improve their security, which ends up indirectly helping consumers at large. In this age of mass and unchecked surveillance, hackers and cypherpunks have also develop encryption tools for end to end secure messaging, email, backups or to browse anonymously via Tor. Tools to bypass censorship have helped countless people in oppressive situations obtain information freely or provide a push for change by leaking information or video evidence. Hackers have a real impact on keeping the digital area a safe place for online banking, e-commerce, wireless communication, protecting industry secrets or just your Candy Crush Saga score (should the company want protect it). Whitehats, not unlike Tron, fight for the user.

 

Hack the planet. 🙂

Aaron "dyn" Grattafiori

Principal Security Consultant at iSEC Partners/NCC Group
Aaron makes bad things happen to good software. He performs security assessments and penetration testing for everything from networks, web and mobile applications to building automation systems, slot machines and vehicles. He also helps direct security research as one of two research directors in iSEC's San Francisco office, and has spoken at several hacker cons.

Latest posts by Aaron "dyn" Grattafiori (see all)