
Alright, so, um, this is a talk I put together because I have kind of some interest in the word "hacker" and where it comes from, right? And I mean, there's a long history of the word, and these days when you look in the media, if you look at the movies, it tends to have sort of a dark sort of connotation with it, as if it's something that's probably bad, probably evil, probably committing a crime of some type. So this is a quick summary of me: principal security consultant at Secure Ideas, I do some open source software stuff, brew beer, and of course I'm a hacker, but not the evil
kind I was just talking about. Okay, so this is a talk about labels and what we tend to call ourselves and what people tend to think of us as, and how hopefully we can maybe over time change that back to something that, you know, is a little nicer, a little better representation of what we are, what we do. So I know we got some fantastic in the room and, you know, some over there, so want to be over there. Um, you guys do pen testing? No? OK, that's OK, I won't hold it against you. That's it. But when you're thinking about this, the reason I was asking that is when
somebody asks you, what do you do, what do you do for a living? I get asked that question and I always hesitate, because, I mean, the first thing that comes to mind is, well, I'm a hacker. But then I'm thinking, well, wait, should I say that? Is this person going to think about it the wrong way? Are they going to think immediately that I'm a criminal, because that's the way that, you know, the media presents it? So, you know, usually I say security tester, I do computer stuff, computer security stuff, and they're happy with that. But, you know, among friends I'll say I'm a hacker, I'll admit it. So, um, when you hear the word hacker,
what do you think? What are you thinking? Are you thinking about this guy here? This is what everybody thinks about, right? Elliot. Um, we have, you know, the token Mr. Robot type of representation. They've done a pretty good job, I think, of representing all the different things that are involved in today's version, I guess, of hackers and tools and the types of things that happen there, but they do kind of put it on sort of a dark side, like it's something that there's criminal aspects to it. Like, we all know that a lot of the stuff they're doing is against the law, but it's okay because we're doing it against the
Evil Corp, so, you know, who cares. Now, if we look at that, that came out in 2015. Real hackers, in my opinion, started back in 1958, so it wasn't that guy in the hood, it was all these guys in the nerdy glasses. Okay, so this is at MIT, all right? This was the Tech Model Railroad Club, is what they called themselves, right? So you're thinking, trains, what's that have to do with hacking? So the club was actually broken into two different groups. They had the people who built all this stuff on top of the table, so that's, you know, the actual trains and the trees and the models and all that
kind of good stuff, and then they had people who basically worked on all the elaborate switches and stuff underneath the table, and that's what these guys did. Okay, so they did a lot of that stuff, and MIT had, I mean, they had a big, like, whole floor dedicated, in the, I think they called it the AI lab, dedicated to an IBM monster of a machine. But then they also had, I think it was on the floor above, what they called the "Tixo", or the TX-0, which is what they started playing around with. Now, this computer was donated to the school. It originally had 64K of memory and
they, because memory was so expensive back then, they actually got rid of 60 of it. Like, they kept 60 to move on to the next, whatever it was, the TX-1 or whatever the next version of the computer was they were going to use. They actually took the memory from this one, which was sort of a prototype, and then left them with 4K. So they had 4K, no operating system, and here, go play with this thing. So these guys of the Tech Model Railroad Club basically sat down, started messing with it, and they basically wrote a rudimentary operating system, debugger, they were able to get sound to come out of it. They did a lot with 4K of memory. Now, I think
about that: I had a Commodore VIC-20, it was the first computer I owned, and it started off with 20K, but the operating system took up about four, actually a little bit more, sorry, took up a little bit more than 16 of that, so I had 4K total to write programs in. These guys had to not just write the program in the 4K, but they also had to basically write everything else: the operating system, debugger, so on and so forth. So they were also very restricted on their instruction sets. They didn't have much to work with. To me, that's hacking. That's saying, we have this piece of technology, it only does so much, let's make it do more than
it was ever designed to do. That's the epitome of it. So the hacker ethic, which I will sort of quote out of a book here. Steven Levy, he wrote a book called Hackers: Heroes of the Computer Revolution, and he kind of put this together here. So: access to computers, and anything that might teach you something about the way the world works, should be unlimited and total. Okay? Always yield to the hands-on imperative. I think that last part is probably one of the more important ones for us. You know, you can read about something all you want, but actually try it, do it, get your hands dirty and play with it. That's how you're
actually going to really learn things. I guess that applies outside of hacking as well, but that's really what it's about. On the information: the information should be unlimited and total. Back in those days, computers were seen as these things that only experts were allowed to even come near. Like, if you weren't trained properly, you weren't even allowed in the same room as the IBM beast that was on that ground floor. So these guys, I mean, they had the Tixo they could play with, but prior to that they couldn't even have access to the IBM. It's very, very restricted in there. That's sort of, you know, build your program on a punch
card and run it through. But so they kind of started this hacker ethic, and the part about information should be unlimited and total, that doesn't mean credit card numbers and Social Security numbers, just in case anyone's thinking that. It's really information that has to do with, like, how do things work. So stop making computers a big secret. Open sourcing things is a really good idea. You know, sharing our knowledge, making the world a better place, that's what it's all about. Okay, so next they got a better computer, the PDP-1. So this was donated by DEC, and they actually made a few of these, but they just gave one brand new, just as is. This time they
didn't take all of the memory out of it. No, they gave it to the Tech Model Railroad Club because they heard about the type of stuff they were doing, and they did. So the awesome thing about the PDP-1 is, this is kind of the advent of, computers aren't these big things that are sitting in rooms that only experts can use. This was the concept that, you know, maybe they can be more personal. Computers can be things that individuals can interact with, so, the concept of a user interface. It looks pretty rudimentary here, right? This is called a Flexowriter here on the right, and then they have the screen, which is not like any screen we're used
to. And of course the first really cool thing they wrote with it, they did a few different things, but the first really cool thing they did with it is they built a game. I think that's cool. So they wrote a multiplayer game called Spacewar, and you may have heard of it, but this is what they did. So you can kind of see this online, you can actually find Spacewar online. I don't know if it's Flash or JavaScript or whatever, they've come up with simulations of it here. It's a two-player game, and they actually built joystick-like things. I actually got a picture of those next. Here, these are some of those guys later on,
and they have, you know, joystick-type contraptions. So the first really cool user interface, interactive thing that was ever built on a computer was a video game. I think that's awesome. See, games, they still kind of push the envelope, especially when it comes to graphics cards, which we can now use to crack hashes conveniently as well, so it's kind of cool. Um, so this guy here, he's Steve Russell. He was the mastermind behind Spacewar. He was the main guy who did it. Doesn't look at all like the typical hacker, does he? He doesn't have the hood on, and, I don't know, he looks kind of like a geek. Very proud one too, I'm sure. So
so we move forward some. So this was MIT, more on the East Coast. Computers started making their way, using them within clubs and playing with them, and hackers in general started making their way further and further towards the West Coast, and then you had, you know, schools within the Bay Area, which, you know, kind of led into Silicon Valley later on. So by around 1970, hackers in several areas became kind of enthralled with another game. This one was, well, sort of a game, it's called the Game of Life. You may have seen this thing before. There's these certain rules. It's actually, the game, it was, it
came up, a mathematician, John Conway, came up with the concept of the game itself, and so there's certain rules around, you know, how long a pixel survives, whether or not there's other ones in its proximity, does it become crowded and die, or does it die from being alone, or does it replicate. And so this sort of thing happened, and the reason why this is significant to those of us in the hacker world is because one of the main symbols that we use is called the glider. It actually comes directly from this game. And I'll show you a picture of a modern-day hacker, some people may know this guy, Mubix is
his handle, okay, and he does the, what's that, Metasploit Minute, this is probably what he's most well known for. But the reason why I'm pointing this out is because, look at what's on his hat. All right, that is a set of pixels from the Game of Life, and specifically that's the set that makes something called a glider. And here's what a glider does when it follows the rules for the Game of Life.
Oh, there it goes. Okay, see how that goes, right? So basically it maintains itself but just keeps gliding along the screen. So they thought this was a really interesting thing. So the guy who came up with this, Conway, he offered, at the time, it was the 1970s, a nice little bonus, fifty dollars, to anybody who could come up with something called a glider gun. A glider gun would have been a pattern inside of the Game of Life that would spawn gliders, so it would create multiple gliders, one after another. And a guy, a hacker named Bill Gosper, is the one who came up with this pattern, which does exactly that. Again, it's another thing you can find
that in a lot of places online as well. Just see, after the pattern kind of levels out, you just start seeing gliders come down through the middle. See, there's one now, right? So he earned his fifty dollars. But hey, they would spend all night staring at different patterns and trying to figure out how to make it do different things, which these days we'd be like, so what, a bunch of pixels on a screen. But the point is, so much time and effort was put into this that we actually made a symbol out of it. And I've seen, at 2600 conferences, I've seen people who have tattoos of the glider, there's the hat
with the glider on it, I've seen people put it on various different things. So when you see that symbol around, now you know where it came from. So one other guy, you guys know who this guy is, right? Steve Wozniak. Here's a pic, I like this picture better, actually. So, another hacker. He was, you know, definitely, I guess, sort of the epitome of the hardware hacker when it comes to personal computers, right? Because he came up with, single-handedly, the Apple I, basically built it in the garage and came up with the concept, and he just did it because it was fun. He was part of a computer club and it was something really cool to do. It turned into, of course, a
major corporation, but that was in '76 he came out with that. So, pretty awesome stuff. So that's all the good stuff about hackers, that's, like, the way things used to be. I'm going to talk about, you know, what changed, because things are not like that anymore. So I would blame the movies to start with. They kind of have an impression on the general population. So hackers back in those days, they knew what hacking was, and it was movies such as WarGames, that was probably the first one, anyway, that really made an impression that had hacking in it, or some form of hacking. Now, the hacking that happens in war
games, if you think about the actual, anybody remember seeing this movie? Yeah? What do they do, what's kind of the actual hacking stuff? David Lightman, he did your war dialing. Yes, that's the main thing, war dialing, and the other thing is he guessed passwords. Okay, that's it, that was the extent of it. I mean, I watched through the whole movie, he didn't do anything else that was hacking. He guessed some passwords, because he didn't run any brute-forcing or anything like that, he just thinks, what would be a good password, you know, type it in. Maybe, maybe a little bit of open source intelligence, you know, did some research on, I forget the name of
the professor that he was, Falken, that's it, yes, yeah. But other than that, that's pretty much all he did. So Matthew Broderick is a hacker, and we know that because he did it again in Ferris Bueller's Day Off. So he took his skills from WarGames and used them one more time. He was, uh, in this part here, this is where he turns around to the camera and says, you know, I asked for a car for my birthday and instead I got a computer, then he turns around and he changes his absences or something like that on his school report. He supposedly broke into the school. They don't really show how he did it. So that's another one.
Now this one here, everybody know what this one is? Sneakers. Figures. So, great thing about Sneakers, for me, it made an impression. This was the first time that I saw in the movies there was this concept of an actual real penetration test, like the idea that somebody would pay you to hack into their system and tell them how you did it, right? So Sneakers is it for that. I know there's this whole other plot in there too, but to me this was, like, the first movie that really made this kind of impression. So I don't know that this is necessarily a negative one, but it was definitely impressionable. And then of course we have probably the
one of the most impressionable, some of the worst graphics ever, but the movie Hackers, right? So hopefully everyone in the room has seen Hackers. If you haven't, you should watch it. In my opinion, it actually has more relevance today than it did in 1992 when it came out. Alright, you look through different aspects of it. Okay, maybe the clothing styles have changed, okay, they didn't wear hoods back then, now we all wear hoodies, right? But they do all the same stuff, right? So the phone phreaking they talk about, I guess we don't really do phone phreaking so much, but dumpster diving, they talk about that, just, you know, the various hacking into systems. Probably
the passwords have gotten a little bit better since those. Shoulder, yes, yeah, shoulder, exactly, shoulder surfing. So all these things we talked about, so when we're talking about doing pen tests and the different aspects of it, they touch on all that stuff inside of Hackers. They do a pretty good job of that. Um, you know, they also have the bad guy side of it too. This is a quote from the movie. So they have, what's his name, Agent, Agent Dick Gill, this guy here with glasses. He says hackers penetrate and ravage delicate public and privately owned computer systems, infecting them with viruses and stealing materials for their own ends. These people, they are
terrorists. And I don't know, the way he spoke in this movie, because I watched it recently just to kind of refresh my memory on it, and the things that he was saying throughout the movie, like, this is just one of many quotes where he says, you know, hackers are bad, they're evil, they're criminals, so on and so forth, is very much in line with what the media says these days about hackers, right? Just using that term, the word hackers. So that's all I have for movie stuff, at least for now. I'm going to move on to some other stuff. I didn't want to keep going with movies because they kind
of got worse as time went on, in terms of, like, what they do with hackers. And now you'll notice there's not a single TV show that involves criminal investigations that doesn't involve requiring a hacker to get things done. We were talking about that last night. So yeah, they're on every show now. They try to make the hacker person cool, but they almost always have some kind of dark criminal background too. So this is a hacker lexicon. So Wired magazine's supposed to be our friends. They've come out and said, gray hat hacker who came forward to save the day for the feds. I think they're talking about the iPhone, when they were trying to get access to the iPhone
with one of their criminal investigations. The part that I was actually getting at here is at the bottom: there are three types of hackers, white hats, black hats and gray hats. Okay, who has ever spoken to anyone who's introduced himself as a black hat? "I'm a black hat hacker." Anybody? No. I don't think it'll ever happen. I mean, they might claim it under an alias, maybe. So it kind of makes me mad, actually, that all of a sudden hackers are divided into three categories, right? We're either good or evil, that's what white hat and black hat are supposed to be, or we're somewhere in between, right? So what color hat are you?
You can't really tell by the visual, you know, what do you wear. I actually have a black hat somewhere in my bag here, I could put that on, but it doesn't make me evil, right, just because I decide to wear a piece of clothing. So we might as well just break out the entire alignment and, okay, go from lawful good to chaotic evil. So where are you now? So I know we have a lawful good paladin in the room, Eriksson back, but yeah, so it's going to be somewhere between that. It really doesn't make sense. I mean, why not just keep going and break out the entire Dungeons & Dragons character sheet, just hand this out to everybody,
say, yeah, this is who I am, right, categorize me. So that really bothers me, because hacker is kind of, it's the way you think about things. It doesn't mean that you're good or evil or even somewhere between. It can be any of the above, just like, I'll take police officers, right? You can have police officers that are good, you can have police officers that are bad, they're doing bad things, and then there's probably a bunch that are kind of in between. So let's take a look at some fairly current news, play a little bit of a game, and look at what's wrong with this picture.
So he's supposedly a gray hat hacker, but if you read on: a member of an anti-Semitic network of computer hackers that wages cyberattacks against universities. So they openly say, well, he commits crimes, but that's considered gray, that's okay, thanks. You know, it's necessarily good? He's not preventing crimes. So at what point does it become black? I mean, how bad, where do you really draw the line? Where do you say, okay, it's okay, versus, no, that's definitely wrong? So that's from March 2016. For those who didn't know, he claimed credit for it. So it was printers at universities that had anti-Semitic messages on them. Breaking into stuff. Another thing that
really makes me mad is this concept of a security researcher. I mean, what is a security researcher? Okay, so we have people out there who basically hide behind this label to make it okay to hack into things. I'm just a security researcher. Did you ask permission to hack into that? Do you have a contract in place? Are you doing this just to become famous, or are you telling somebody because you actually see a security flaw, that you think somebody's information is in jeopardy of being stolen? Like, what is the reason? Fine, so they basically use this label as a way to get away with stuff and make it okay. I'm
not a hacker, no, I'm not a hacker, I'm a security researcher. So security researcher supposedly is better than hacker. Now, to be clear, I mean, I do believe in the concept of a security researcher, but to me that's somebody who actually puts together a lab environment and uses the scientific method to prove something. I mean, that to me is security research. Hacking into a website and then saying, well, my intentions were good, therefore I'm a security researcher, so it's okay, is not okay. So one example of this, I know the picture's a little bit hard to see with the lights in here, but basically you can kind of see a pop-up. Now this was a
guy named David Levin, who, in this thing, it was State of Florida elections, he found a SQL injection flaw, okay, on an election website, and he had this interview, he made this interview, and he shows in the interview how he hacked into it, some of the accounts he got logged into. This is all on YouTube, this is where I got this video, okay, I just pulled it off YouTube, and that goes through, okay, this part of it anyway. So he puts all this information out there, then after he puts out his video he tells the organization, by the way, there's a security flaw in your system. Does that sound like responsible disclosure? Anybody? Right. So yes, it kind of is
our responsibility, since we have the knowledge, if we notice something that looks wrong, to tell somebody about it. It's really hard to do. People have actually been threatened for saying, hey, you have a security issue, and then they come back with threats, sometimes even a potential arrest in there. But we still have that responsibility to try to do that, try to do the right thing when we can. So some of the things that he did wrong here: first of all, he disclosed things in the incorrect order, that was one of the main things, right? The other thing is, if you find a SQL injection flaw somewhere, like, let's say you put a single tick in and you get a
SQL, a SQL message back, don't go and see how much data you can get out of the system, and then don't post that on YouTube. I mean, I don't think he did anything right. So it's bad, don't do that stuff. Make a choice. Oh, what are we gonna find out? All right, so this is the moonshine of the
It's a fruit juice, yeah. So anyway, don't do that. So one of my best examples of what not to do, or what we shouldn't do as hackers, is what this guy does. So, Gregory Evans, self-proclaimed hacker number one. I don't even remember the list and I don't care, but he's basically claimed credit for every major awesome thing a hacker could ever do, to try to basically gain fame and fortune out of it, okay? And that's not what it's about. We're trying to make computers available to people, we're trying to make it a better place, and, you know, his approach is just all wrong. There's whole websites that
basically cover all of the claims that he's made and debunk everything. So basically he's full of crap, it's all I need to know about Gregory Evans. Okay, so in the media, this is fairly recent stuff, and, yeah, here we go: more than 130 restaurants in the CiCi's Pizza chain were the recent target of hackers, okay, and customers' credit cards may have been stolen. So these were probably cyber criminals. Maybe they used computers to break in, but that doesn't mean they were hackers. We don't know from that article exactly what they really did. Did they actually come up with some new technology way of breaking into stuff, or did they just run some automated tool? There's another one: researcher accused
of hacking voters lists. So now researchers are even bad. Anybody ever read The Hacker News? This was an article from there. The Hacker News: twenty-six-year-old hacker has been sentenced to 334 years in prison for identity theft as well as mass bank fraud and targeted. It sounds like this was a fraudster and a thief, doesn't sound like a hacker, right? But the article, I mean, it really does this wrong. It's saying, okay, hacking is bad, you get 334 years for hacking. It wasn't for hacking, it was for stealing stuff. Thief. Hackers from across the world will also be on the prowl trying to exploit the international event. Was this the Olympics? Yeah, the Olympics.
So this came out shortly before. So again, there's not going to be any criminals there, or thieves or fraudsters, I think, just hackers, that's all we need to worry about, because we're the bad guys. So it's a perception thing, that's the problem, right? Okay, so Hackers for Charity: great organization, great intentions, they do a lot of good work. The "I Hack Charities", if you ever wear one of those shirts around, you start getting weird looks from people, because they're like, that's bad, right? So this is an example of a good use of it, but it still gets perceived incorrectly. That's kind of why I wanted to point that out.
It would be really nice if, when people saw this in general, they recognized that this means these are people who try to make charities work better, they try to really help the people who need to be helped. You know, there's so many organizations that claim to be charities that basically a lot of the money gets sucked in and delivered to the top-level CEOs and whatnot inside of the organization, that the people who actually need the help don't ever receive as much as they should.
So how do we fix this? I don't know if we can, but we can start by using the right label in places, okay? So if you're talking about your job: I'm a pen tester, I'm a security tester, I'm a security consultant. That's what you do. If I talk about what I like to do: I like to hack things, which means I like to fix them, right? That's an activity. Hacking is an activity, it's not really a job. Security testing is more the job, or you could say, I don't know, red team or something like that. I don't know what would be another way to put it, but I don't see hacker as actually a job, as
more of an action. And then there's researcher: if you're working in a lab and it's a controlled environment, maybe a researcher. There's a bunch of other things that we could put out there too. I mean, we could put script kiddie out there, but I don't think anybody wants to actually call themselves a script kiddie. So if all you're doing is pulling the latest tool off the internet and running it against stuff and hoping, keep your fingers crossed and hope that you actually get what you're looking for, script kiddie, maybe. This one here I think might make a difference. So despite all the articles that go out there, if someone says, yeah, a hacker broke into this, you can maybe try
to correct them, say, you mean a thief broke into that, or a fraudster stole a bunch of stuff. I mean, just because they use technology to do it, that doesn't mean they're a hacker, right? So maybe they scam somebody, maybe they're an intruder, they break into a system, they're an intruder, breaking and entering. You know, the other thing we can do is we can just do the right thing and do it correctly. So when we find a problem, where we see something that's an issue, don't go overboard. Like the SQL injection example: you find SQL injection somewhere because you put a single tick into a field and this error pops up. The
last thing you should be thinking at that point is, well, I wonder how much information I can get out of it, unless you actually have a contract in place that says that's okay. You can let them know that, hey, I got this error message, I think this means that you have a problem with your database, or a problem with, you know, rather than trying to, you know, prove that there's a problem by taking data out of it. That can be very problematic for you, and it is crossing a line, and it can get you in a lot of trouble, thrown in jail, that sort of thing. So, and that's pretty much it. So that's my talk, hope you enjoyed it, maybe
you learned a little bit of something, maybe you learned that computer games is where everything really starts, you know, starting with Spacewar. And if you have any questions or anything, want to talk about this later, let me know. I guess some references here to
Thank you.