Hacking: Why We Need To Do More Of It

Let’s get the obvious out of the way. I DO NOT condone hacking for malicious purposes that harm innocent people.

Hacking is generally divided into three hats: black, white, and grey. Black hats are generally labeled as the bad guys, but that honestly depends on framing. Hacking to shut down a city for money while denying services for citizens? Bad. Hacking to prove there is unbridled corruption in a questionable government? Could be a good thing, though this is still black hat territory.

White hats are almost always good. These are the people who are paid by the target to hack the target. Doing this can expose vulnerabilities in a company or system so that it may be fixed or mitigated. In the long run, a company would be saving money instead of shelling out cash to fix an attack, recover/rebuild lost data, defend their reputation through PR, and possibly pay legal fees.

Grey hats are the people that come in a myriad of flavors. There are people who want free stuff. People who do bug bounties. People who want to mod the electronics. People who just like poking around. People who want to tip the game in their favor. People who want to improve a product. The list can go on.

As a society, we typically lump hackers into two categories: good and bad. The good hackers are working for respectable groups and are paid for sanctioned hacks. The bad is anyone else. This binary view of hacking is a detriment to society, for it lumps grey hats in with black hats without thought. It discourages people who may be curious about hacking from trying it. Although we now have courses to teach people to become white hats, many people get their start from being a grey hat! Some do go off and do black hat work, but many more do white hat work to apply their skills for the benefit of society at large. And the cyber security industry always seems to bemoan that there aren’t enough people to fill in the gaps.

Of course, not every position that needs filling requires hacking skills. A SOC analyst or security engineer isn’t going to fire up a laptop and start furiously hacking away and get paid for it! Though…that would be kind of cool. However, knowing how to hack means that these people will know how to improve security. It means that people can detect and interpret threats better. Learning how to hack introduces new concepts to people and forces them to think outside the box. Malicious hackers are thinking outside the box all the time to find ways to trick the system. The ability to do the very same is a crucial skill needed in the cyber security world.

And hacking isn’t just for hoodie-wearing youngsters. Anyone can learn the basics of hacking! You don’t have to be super smart. No offense. Fortunately, security awareness training is a great tool to teach the basics of hacking. Besides knowing about phishy emails, check the URLs of links. Look at the email header. See strange text that looks out of place? Report it! Are you entering your personal information into a site without a green padlock next to the URL? I wouldn’t unless you really, really know for sure that it’s safe. Think you don’t need to follow all of the security protocols because you are “too low” in the business hierarchy to matter? A hacker doesn’t think that. In fact, a hacker probably views you as their best friend. Oftentimes, it is the least guarded that malicious hackers exploit to get their foot in the door. If it helps, think of malicious hackers as a very hangry bear. You can outrun the bear or not be at the back of the group of runners. The bear doesn’t care who it mauls. It’s happy to catch anything delicious.

In the near future, society has to discard the blind binary view on hacking and judge it in the context of how it is used and to what end. We need to encourage responsible disclosure of vulnerabilities from people who weren’t hired to find them. We need reformed black/grey hats who know all the tricks of the trade. We need tinkerers and explorers of technology who occasionally break things so they can figure out how the technology works. Anyone who has ever used a computer will know that those impish little boxes do weird things just to savor our frustrations and confusion. These explorers strike fear into computers. It’s why a bad computer suddenly behaves when such a person threatens to fix it. I feel confident of this!

Bottom line is that technology is becoming more complex. Complexity introduces chances for exploits. We can’t just sit back and let men in white lab coats…or hats… protect us. We need to be proactive in defending ourselves from cyber attacks. And if I may quote one of my favorite books:

Know the enemy,
Know yourself,
And victory
Is never in doubt,
Not in a hundred battles.

He who knows self
But not the enemy
Will suffer one defeat
For every victory.

He who knows
Neither self
Nor enemy
Will fail
In every battle.

–Sun Tzu, The Art of War