In movies, the word "hacker" is interchangeable with "wizard." Screenwriters can have a character mutter something about "nodes" or "encryption," slap the shit out of a keyboard, and acquire godlike powers over the natural world. They figure the average person doesn't really understand computers, so anyone who can hack one might as well be a mythical creature. Well, this is one of those times when the Hollywood version of a job is somehow even more hilariously off the mark than usual.
My name is Caleb Brinkman. I'm a white hat hacker, which means I only hurt websites to make them stronger. Read on and you'll learn why everything movies and NCIS taught you about hacking is ridiculously wrong ...
#5. Myth: You Can Hack into Any Mainframe Over the Internet
If you hear the words "hack the ..." in a movie, the next word is almost certainly "mainframe." It's a common enough occurrence to qualify as a trope:
We tend to imagine a website as the facade for this giant pile of secret records and internal details. Hack deep enough into the CIA's website and you can get into their mainframe. There you'll find all the records of their undercover agents and schematics for their wristwatch-mounted lasers. When I got into hacking, I assumed I'd be searching out mainframes, running decrypters, and breaking my way into all these systems.
I bought this exact pattern of Hawaiian shirt in preparation.
But the idea that you can get into any major computer system through the Web is just false. They may have a database with, say, username and password information that you can access through the Internet, but their records aren't going to be kept in any kind of public-facing database, because that's incredibly stupid. You won't find the nuclear launch codes hidden in anything attached to Defense.gov.
Websites are less like facades and more like handbills stapled to telephone poles. You can scribble all over that Albertson's ad in crayon, but no amount of doodling will let you steal a big pile of steaks. It's the same thing with all those movies where some supervillain hacker cracks his way onto the power grid: You'd have to know a ton of secret internal information to have a hope of getting in. Even the word "mainframe" itself is kind of an anachronism, because they've been largely replaced with server farms. Those servers are connected to a company-wide intranet, but why would Microsoft or Lockheed Martin pay to host all their billions of gigabytes of secret files in the cloud? That would be like paying thousands of dollars to install a solid glass gun safe in your front yard.
"But what if we put our secret files up on the Internet, where everyone can find them?"
Look at Edward Snowden, the guy who made off with all of those secrets about the NSA's spying program. He didn't steal that data by punching some hole in the NSA's website and sucking up all their secret goo. He got it all from the inside, because he worked there as a high-ranking system admin. There's very little hacking required when they hand you the keys.
#4. Myth: Hacking Is Illegal
There are obviously people out there who hack in the service of evil -- without them, I wouldn't have a job. I work as a "white hat" hacker paid specifically to stop those people. But most of the hackers I know spend their time and brain juice on research. We analyze source code to figure out ways we might exploit it. Call it preventive vandalism -- people pay us to break into their websites and then tell them which window we used.
"In the future, you might want to invest in the fist-proof glass."
The other side of white hat hacking is more mercenary: finding bugs in Web applications and collecting bounties. It's like we're questing in an MMORPG, only the rewards are straight up cheddar. Facebook pays $500 minimum for evidence of a bug. Google pays up to $20,000 if you can find something serious enough. They've paid out $2 million in the last three years, because operating the world's largest search engine makes you a money pinata filled with vulnerabilities.
Much like Google co-founder Sergey Brin.
So yeah -- real hackers spend most of their time trying to break into high-profile websites. But they aren't doing it because they're crazy anarchist rebels fighting the Power; they're doing it to help make those websites safer, and because every bug they find nets them piles of big sexy money (as tempting as it would be to replace your boss' profile picture with an ejaculating penis, wouldn't you rather turn that vulnerability into a year's rent?).
There's even a website to collect all these bounties: Bugcrowd.
It's like being a hit man, but with a higher rate of adult-onset diabetes.
So, since hacking can actually be a real J-O-B job where you make a legitimate living (and white hat hacking is a big business), that also knocks down another movie stereotype: that hackers are all eccentric, socially disconnected basement dwellers living off the grid. Here's the hacker "Warlock" from the fourth Die Hard movie in a pretty typical hacker basement:
This is actually how I'd always imagined Kevin Smith's bathroom.
And here's a typical movie hacker boasting that he works for "Star Trek tapes and Hot Pockets":
Well, our team works in a typical office, and most of the people here are married. And we're not some kind of isolated pocket of normal people in a world of freaks, either -- hackers have public trade shows where our best and brightest drink heavily and exchange business cards. Black Hat and Def Con are two such events, both filled with networking and even people in suits (although T-shirts are much more common). The keynote speaker at Black Hat this year was none other than the director of the freaking NSA, and for your reference, the crowd he spoke to looked like this:
If you've spent any time in the tech industry, you'd recognize this as a pretty normal group. Only one dude had a fedora, and he took a ton of shit for it.
#3. Myth: Hacking Requires All Sorts of Exotic Software
Here's how hacking looks to Hollywood:
Or maybe like this:
"The red stuff is computers, and the white stuff is Internets."
Obviously Hollywood sexes up hacking applications to give the audience something dazzling to look at -- it's the same treatment movies give to everything from car crashes to archaeology. But this gives the impression that most hacking involves working with interfaces quite a bit more alien than what the actual aliens were using in Independence Day. Well, here are some ACTUAL hacking tools in use:
Note the distinct lack of skulls.
If those look like they're something that runs in a Web browser, you're right. The most common kind of hacking these days is called Web application hacking. You're looking for vulnerabilities on different websites. White hat hackers do this to make them safer, and black hat hackers do this because they're dicks.
So if you came by our office, it'd look like we were all just browsing the Web. Endless, flowing green text looks cool, but the human brain does a lot better with something sensible, like this:
Losing that second "L" is the only reason this tool wasn't buried under an avalanche of Craftsman ads and porn.
In fact, a lot of my job is just reloading Web pages over and over again -- it's one of the ways you can try to break the filters on a site. You keep trying slightly different exploits and reloading the page dozens of times until you find something that works.
But note that just because it doesn't look exotic doesn't mean any old hardware can do the job. Strangely, the same movies that portray hacking as requiring some kind of futuristic virtual reality interface also show hackers doing their work with laptops. Remember Justin Long in Live Free or Die Hard, popping open his laptop and rolling out his little keyboard? If you're a badass outlaw hacker, you can't be tied down to a desk, damn it!
Nor can you be arsed to button the top 3/4 of your shirt.
But most hacking is about brute force: trying hundreds or thousands of different things in slightly different ways until something breaks. You need horsepower for that.
Now, you could maybe get by with a laptop for a while ... if you're only working on one app or site in one particular field at a time. But when you're talking about serious industrial work, you need to be able to test hundreds of sites and parameters simultaneously. And that's going to melt the processor in your little laptop (literally -- I have a nice gaming laptop, and whenever I run a test on more than one or two parameters, I have to cool it down with a fan). That's why most serious hackers I know do the bulk of their work on something akin to a high-end gaming PC. These usually don't have the seven monitors seen in the Swordfish setup, however:
We also tend to prefer backlit keyboards to a half-dozen lamps.
And speaking of guys furiously hacking while getting blown with a gun to their head ...