it.gen.nz

Today on Radio New Zealand National I talked about hackers and what they do.

The term “hacker” has two quite different meanings. Some people are proud of being hackers, and they mean that they are clever programmers rather than computer vandals. Others, sadly, use skills – or sometimes just programs that other cleverer people have put together – to break into computers and generally cause problems.

Read on for my speaking notes or pull the podcast.

Q: Now to hackers – what does the term mean?

A: The use of the term “hacker” is nearly as controversial as the subject.

Q: How so?

A: It used to be – back in the early days, this is, when giant mainframes stalked the Earth and the little upstart mammals, the Unix boxes and microcomputers, were still beneath most peoples’ notice, that hacking referred to programming a computer. It was a term used by the hackers themselves in a slightly self-effacing way to refer to the act of creating new programs or altering old ones. I’m not sure why the term “hacking” was used, but anyone who has been involved in significant programming efforts will recognize the way in which every new programming effort is built out of pieces of previous ones. Why re-invent the wheel, after all? So, programmers, when faced with a task, have always taken an older program and started to hack at it until it did what was required.

Q: So a hacker is just a programmer? Normally it means someone who breaks into computers.

A: Sadly it has come to mean that. I think there was an element of Hollywood about the change in meaning – a hacker, back in the days when most people had no idea about computers, was some who knew enough to get them to do things you didn’t think were possible. And people didn’t understand just how vulnerable computers were – and many still are – were appalled by the ease with which someone who understood them could take control of them.

And there has been a shift in what’s regarded as acceptable. As more and more people have started to own computers, we have changed our view on what is acceptable. Most of us would not think it is reasonable, for instance, for someone to walk down the street trying door handles, for instance. Especially if he said: I’m only going in to look around, I won’t touch anything, and it serves them right for not locking their door anyway.

Like most countries, New Zealand has changed its law to define the limits of acceptable behaviour in regard to computers so that it’s roughly parallel to the laws about entering someone’s house. Trespassing someone’s house is illegal even if you don’t intend to steal anything. And so is entering someone else’s computer, since a law was passed a few years ago.

Q: Hackers are criminals, then?

A: Not most of them. Most people who regard themselves as hackers are simply people who are proud of their programming skills and not people who break into others’ computer systems. There are some people who do that who have been called hackers in the media and that has rather poisoned the term. I don’t tend to use the term “hacker” unless I have time to explain what I do mean.

Q: Just how easy is it to break into computer systems? We see people doing it in movies all the time.

A: It’s a common Hollywood plot line, isn’t it? You have a group of people trying to accomplish something, and with them they have a bespectacled nerd who can seemingly extract any information from any computer in the world or seemingly start World War Three in moments. It’s not that easy. In fact, it’s so hard that those plot lines are fanciful to the point of being insulting.

Breaking into home PCs connected through broadband happens with monotonous regularity. That’s not hard, mostly because some clever people, some of whom have pretty loose morals, make it easy for people by creating and distributing programs which exploit weaknesses in systems. Also, the home systems are set up to be as easy to use as possible – no-one would buy them otherwise – which can make them easier for people to break into. Advice here – always secure your home PC. You are responsible for doing that and if you don’t, you and your PC can get taken over and become part of the problem. Be part of the solution – I’ve linked up a web page at NetSafe which tells you how.

Q: You said they exploit weaknesses in systems – how does that work?

A: Computer systems are extremely complex. Most operating systems have tens of millions, or hundreds of millions, of lines of code. They are built by large teams of people working together and separately. For recent operating systems, we can be sure that the individuals working on the system had security in mind when writing their piece, but even so it’s hard to be certain that such a thing is perfectly secure; that there’s not some interaction between parts or something that no-one has thought of, that could lead to someone being able to break in.

Fixing those problems as they occur is the job of the manufacturers. Microsoft pushes updates to Windows every month on a day called “patch Tuesday” – I think it’s the first or second Tuesday of the month but don’t quote me. If you have Windows Update turned on and a broadband connection your machine should automatically update itself. That gets rid of any flaws, or vulnerabilities as they are called in the trade, that might have come to light since the last patch. And it’s not only Microsoft that does this, by the way, Apple pushes patches by a similar mechanism, and so do the people behind Ubuntu Linux.

Q: What if someone discovers a weakness and doesn’t tell Microsoft about it?

A: That’s what’s called a zero-day exploit – meaning that the vendors have had no time to fix it. They are very scary to computer security folks. There’s only so much you can do to prepare for an attack you don’t know about.

Breaking into big government systems or into banks, say, would be a lot harder because they aren’t just PCs, basically. They aren’t susceptible to the common attacks that PCs fall to, and because there aren’t many, and they mostly aren’t connected directly to the Internet, there’s no way to get it. I mean – if you were in charge of computer that could launch missiles, would you connect it to the Internet? That’s why I think those kind of plot lines are fanciful in the extreme. We wouldn’t believe it if the film had someone lifting a truck with his bare hands, neither should we believe the old cliché of the tame hacker getting into missile command in two minutes flat.

Q: What is a hacker if they aren’t someone who breaks into computers?

A: As I said the term refers to a clever programmer. There’s a whole mindset that programmers get into. Some people talk about being in the zone. It requires real focus on the part of the programmer, but when you get there it’s very productive. I haven’t written programs in anger for years but I still recall the bursts on intense concentration. Hours and hours can go by while you concentrate on building something excellent. That’s why many programmers wear music headphones at work – they are trying to drown out distractions. Concentration is key!

Q: Lots of jobs need you to concentrate.

A: I’m sure they do, but programming has the unique attraction that you are building something up through your own concentration that you can test and see it grow before your eyes. It can be a mix of enormous frustration and enormous satisfaction.

Q: How do you program a computer?

A: Obviously you spend time sitting in front of a screen, using a keyboard. The actual process consists of building a program – that’s a set of structured text in a computer language, and repeatedly changing it and testing the results. There are tools to help you figure out exactly what is going on in the program when the computer runs it, but its still hard. The real problem here is that we see things in human terms while the computer is supremely logical. It’s been said that the programmers’ anthem is “Ahhhh….” – the sound you make when you realize how stupid you’ve been all along. And so much of programming is like that, just trying to get the human mind to think like a machine – something we are innately not suited to do.

Q: What kind of people make good programmers?

A: You can do a degree in it. But that’s not the only way to learn it. When I used to hire programmers, I didn’t necessarily look for Computer Science graduates. I always wanted to hire people who could create something rather than just someone who could follow recipes.

Q: What’s your definition of a hacker?

A: I think being a hacker is a mindset, it’s a skill and it’s liking programming. And it’s a way of thinking, of approaching life. One definition I’ve heard is that a hacker is anyone who thinks that the plural of “mongoose” should be “polygoose”.

There are some good books about hackers. There’s a book called “Hackers – Heroes of the Computer Revolution” from 2001 which traces the development of the hacking ethos, and tries to get you inside the mind of some very bright people as they invented what we now all take for granted every day.

Then there’s the “New Hacker’s Dictionary”, which is a paper version of something called the Jargon File, which you can find on line. The Jargon File is a collection of definitions of hackish terms and of stories about the hacker mindset. I find the Jargon File a little self-conscious, but funny. It’s also quite old and probably more reflects what my generation remembers rather than what the gen-Y’s who are pushing the Internet along these days do.

Links

As always, you can discuss this broadcast at it.gen.nz.

Keeping your computer safe.

The Stephen Levy book on hackers.

The New Hacker’s Dictionary, which is a paper version of the jargon file.