Hack The Planet

Because if you don't, who will?

Wednesday, June 27, 2018

What is in a name?

An ongoing conversation in the Information Security community, or hacker community, or Cyber Security community, is all about what we should call things, people, etc. You can see this in the first sentence. I have written about this before I am sure, but over the last few weeks I have seen an uptick in what this or that word means and what words we should use instead. As an example we have recent LinkedIn conversations about the use of the word “hacker”.

The word “hacker” is constantly being debated, as well as if they wear black hoodies (hint: just like everyone else, some do, some don’t). I am going to try, as many others have before me, to add some context to the ongoing discussion.

An early reference to the word “hacker” comes from gnu.org, and says that a hacker is someone that enjoys playful cleverness. It doesn’t call out computers, networks or any technology. You can be a food hacker, or a film hacker, or anything else. I think this use of the word was behind the movie Hackers from 1995. The characters were playful, creative, and just wanted to have fun.

Another reference to hackers comes from “The Conscience of a Hacker”, or as it is commonly known, “The Hacker Manifesto”. In it, Loyd Blankenship, aka The Mentor, explains what it means to him to be a hacker. He describes the freedom, curiosity, connections and unity of being a hacker, “after all, we’re all alike.” I find it still relevant today.

Bugcrowd put out a blog this week in which they try to define the word hacker. I think they do a good job of summing up a lot of the issues, and I appreciate their Burglar/Locksmith == Cybercriminal/Hacker analogy. We as an industry and community have tried to find alternatives to the word “hacker” for the media and others to use when describing cybercriminals. Sadly, hacker is sexier than cracker and will always get more clicks.

To add more to our naming crisis, we run into hurdles describing what we do as hackers. In a recent Paul’s Security Weekly there was a discussion about pentesting, red teaming and others and what they all actually mean. When engaging with customers I also find that not all of them understand the differences between penetration testing and red teaming. Because the industry is always evolving, we see new companies coming out claiming to do one thing, but really it is something else; because they can sell off of the misunderstanding, they do.

We see the same confusion over EDR, Threat Intelligence, Machine Learning and Artificial Intelligence. It is no wonder that people outside our industry have no idea what we do, when those of us inside it can’t agree on what to call our solutions or even ourselves. I am not even going to get into the issue with our job titles because the “Am I an Engineer? Am I an Architect? Senior? Principal? Staff?” debate, which leaves our customers and peers with no idea of what we do, drives me crazy.

In the end, what is in a name? A lot! Use your words carefully, because they can mean many different things to many different people.

Updated: Motherboard has also commented on the word “hacker” and wants to change the definition of it. From their glossary:

“Hackers can now be used to refer to both the good guys, also known as white hat hackers, who play and tinker with systems with no malicious intent (and actually often with the intent of finding flaws so they can be fixed), and cybercriminals, or “black hat” hackers, or “crackers.””

I have a feeling this won’t be the last article we read about the definition of hacker.

posted by holliday at 4:00 pm  

Sunday, June 3, 2018

A few thoughts on hacker culture (or cultures)

Over the last few weeks I have read a few different threads on hacker culture. As I was reading them a lot of things crossed my mind, and it made me think about what someone who was just starting their career or hobby in Information Security, Cyber Security, or hacking for fun and profit, would think about the world they were entering. Here are a few of the discussions and my thoughts and feelings on them.

What is appropriate to wear to a conference?

This is a good example of multiple competing cultures within the hacker community. Some folks in the community want to try to shock people with what they wear, or how their hair is cut. Others in the community are more on the business side of things and expect a certain level of professionalism. Which side of the fence you sit on, I would guess but have no metrics to prove it, comes down to how you came into the community, or your lifestyle outside of it.

It also reflects a feeling I have seen in the community over who is actually part of the community and who isn’t. There is an incredible amount of “Imposter Syndrome” in hacker land, and it is only exacerbated by the divisiveness between groups/cultures. If you don’t have a mohawk, you aren’t really a hacker. If you don’t drink, you aren’t real. If you wear a shirt with buttons, then you aren’t “1337”. In the end, the only thing that should matter is whether you want to be part of the dysfunctional family that is our community or not. How you look, talk, drink or act doesn’t determine it. Sadly, we don’t all agree on that.

One I have enjoyed is what does the DEFCON conference mean to you.

I have been attending Defcon for over a decade, which, funny enough, still makes me a bit of a n00b. Saying that, I have always loved attending and find new people to hang out with and learn from every year. A large part of our community, I would even say the vast majority, are very welcoming of everyone. The ability to learn many different skills, from lock picking to car hacking, in one location is incredible. Defcon to me is like Summer Camp. A place to reconnect with friends and learn some new skills.

One of the biggest differences I have seen among the different cultures in the hacker family tree is the word “cyber”. Some people love it, some people hate it, and it seems that most people like to argue about it. There was a recent post by Lenny Zeltser on this, and I appreciated the explanation from Jessica Barker:

“The media have embraced cyber. The board has embraced cyber. The public have embraced cyber. Far from being meaningless, it resonates far more effectively than ‘information’ or ‘data’. So, for me, the use of cyber comes down to one question: what is our goal? If our goal is to engage with and educate as broad a range of people as possible, using ‘cyber’ will help us do that. A bridge has been built, and I suggest we use it.”

While I may be partial because I use the word “cyber”, I also agree with this thinking. When I tell someone what I do, or want them to know I am an expert and am there to help, I have to use language they will understand. If I start using jargon they are not familiar or comfortable with, then their understanding is limited and I won’t be as effective. If we are not confident enough in ourselves, that we want to be cool and not use words we feel are just marketing buzzwords, then we are not helping our customers, our fellow citizens or ourselves.

In the end, being part of this community, or extended nerd family, means dealing with many different, often competing, cultures and being able to figure out where (or if) you want to fit in.

posted by holliday at 9:40 pm  
