Bruce Schneier recently wrote an article, published in 2600 (the summer 2006 issue; go out and buy it – I’ll wait) discussing the elements of the hacker mentality. It is interesting to see 2600 publishing (and having the clout to publish) an expert of such stature – a welcome change from the often trivial and outdated hacks that have plagued 2600 issues over the past few years. I hope the future brings more article of similar quality from others of his caliber, not just from security and cryptology, but from all fields of interest – EE, telecom, OS developers – and even from those in fields not obviously or directly related to traditional hacking – linguistics and physics, for example. True, this would be of less immediate value in a practical sense, but such articles contribute to a timeless treasury of thought, not easily rendered obsolete from the constant state of technical development.

With respect to his article, much of it was a rehash of the classic definition of a hacker as defiant explorer, whose principle resources are his curiosity and disregard of common beliefs. While little of it was original or groundbreaking, there were two aspects worth noting in what he did say, and one in what he didn’t.

First of all, he quite rightly does away with the hacker/cracker issues. For the uninitiated, most old school hackers have come to call malicious users of exploits “crackers” in response to the demonization of the term “hacker” in the media, in an attempt to reclaim the term for the innovators who struggle against the boundaries of established systems. While the impetus behind this endeavor is well intentioned, it is ultimately self-defeating. Hacking, Schneier avers, is solely about the struggle against boundaries, limits, and definitions. How the hacker proceeds to use that knowledge makes him good or bad. Removing morality from the definition is something uncommon from the pages of a magazine which calls itself “the Hacker Quarterly,” as they, more than most, need to decriminalize hacking to avoid the condemnation of their work. Ultimately, however, supporting a definition which is largely reactionary is self defeating. It leads to terms no one other than hackers will use anyway – white hat, black hat, and gray hat – as if CNN will start using mage classes in their articles to evaluate the intentions of hackers! Schneier is simply returning to the classic definition by discarding the moral cruft now attached to the word and leaving the morality to an evaluation of intent and practice. Again, by definition this is not an innovative thought, but it is a corrective attempt, notable for the medium in which he chose to make it.

Similarly, Schneier holds that as a rule – and perhaps the ultimate rule of hacking – there is there is no concept of “cheating.” Just because an attack on a secure system does not rely on theoretical math, but employs a “mundane” approach like a side channel attack, makes the hack no less worthy of a first rate hacker. While his reasoning is rooted in the fact that he sees the hacker as motivated by the actual implementation of knowledge – hacking as applied thought – (and it should be noted that Schneier has admirably critiqued some of his own academic work for being too “ivory tower” – perhaps secure mathematically, but less so in real world implementation, when subject to the laziness of users and the needs of usability) but critiquing a hack based on certain rules of how one should think is the very antithesis of the outside-the-box thinking that hacking should both develop from and engender.

As far as I can tell, he is right in both respects; but then again, bright people often are. What surprises me is while he attempts to relate computer hacking to other activities – phreaking, lockpicking, and the defiant science of men like Galileo, he does this only while providing a background for the mindset of the hacker and its corollaries. At the end of the article, he is a bit more timid and falls back on the most obvious use of a hacker’s knowledge – security hardening. I don’t think anyone will seek to minimize the value of applying hacking knowledge to strengthen real world systems. However, if the only application he can think of is systems security, Mr. Schneier may need to step outside the box himself.

At dinner, on the first night of this past Rosh ha-Shana, I had the pleasure of discussing a range of topics with a very bright man, who happens to work as a medical physicist. When the conversation made its way over to cancer, he simply said that cancer would be cured by a ruthless mind, and probably a criminal one at that. (He then proceeded to list a number of brilliant and accomplished researchers who have done time for certain business practices. In any case,) Here too, there is no cheating, Mr. Schneier. The hacker mentality serves in all real world problems and often in the theoretical as well – for any theory that is not subjected to every rational attack is weaker for it.

In any case, if Bruce Schneier has never been on your reading list, he should be – and this article is a decent and digestible place to start. Ultimately, of course, Applied Cryptography is what you want to tackle if you have any interest in how these things actually work – from simple historical ciphers to public key systems.

This entry was posted on ‍‍ג׳ תשרי ה׳ תשס״ז - Monday, September 25th, 2006 at 02:59 and is filed under ruminations, tech. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.