5 Hacking Myths You Probably Believe (Thanks to Movies)

We tend to imagine a website as the facade for this giant pile of secret records and internal details. Hack deep enough into the CIA's website and you can get into their mainframe. There you'll find all the records of their undercover agents and schematics for their wristwatch-mounted lasers. When I got into hacking, I assumed I'd be searching out mainframes, running decrypters, and breaking my way into all these systems.

But the idea that you can get into any major computer system through the Web is just false. They may have a database with, say, username and password information that you can access through the Internet, but their records aren't going to be kept in any kind of public-facing database, because that's incredibly stupid. You won't find the nuclear launch codes hidden in anything attached to Defense.gov.

Websites are less like facades and more like handbills stapled to telephone poles. You can scribble all over that Albertson's ad in crayon, but no amount of doodling will let you steal a big pile of steaks. It's the same thing with all those movies where some supervillain hacker cracks his way onto the power grid: You'd have to know a ton of secret internal information to have a hope of getting in. Even the word "mainframe" itself is kind of an anachronism, because they've been largely replaced with server farms. Those servers are connected to a company-wide intranet, but why would Microsoft or Lockheed Martin pay to host all their billions of gigabytes of secret files in the cloud? That would be like paying thousands of dollars to install a solid glass gun safe in your front yard.

Look at Edward Snowden, the guy who made off with all of those secrets about the NSA's spying program. He didn't steal that data by punching some hole in the NSA's website and sucking up all their secret goo. He got it all from the inside, because he worked there as a high-ranking system admin. There's very little hacking required when they hand you the keys.

The other side of white hat hacking is more mercenary: finding bugs in Web applications and collecting bounties. It's like we're questing in an MMORPG, only the rewards are straight up cheddar. Facebook pays $500 minimum for evidence of a bug. Google pays up to $20,000 if you can find something serious enough. They've paid out $2 million in the last three years, because operating the world's largest search engine makes you a money pinata filled with vulnerabilities.

So yeah -- real hackers spend most of their time trying to break into high-profile websites. But they aren't doing it because they're crazy anarchist rebels fighting the Power; they're doing it to help make those websites safer, and because every bug they find nets them piles of big sexy money (as tempting as it would be to replace your boss' profile picture with an ejaculating penis, wouldn't you rather turn that vulnerability into a year's rent?).

There's even a website to collect all these bounties: Bugcrowd.

So, since hacking can actually be a real J-O-B job where you make a legitimate living (and white hat hacking is a big business), that also knocks down another movie stereotype: that hackers are all eccentric, socially disconnected basement dwellers living off the grid. Here's the hacker "Warlock" from the fourth Die Hard movie in a pretty typical hacker basement:

And here's a typical movie hacker boasting that he works for "Star Trek tapes and Hot Pockets":

Well, our team works in a typical office, and most of the people here are married. And we're not some kind of isolated pocket of normal people in a world of freaks, either -- hackers have public trade shows where our best and brightest drink heavily and exchange business cards. Black Hat and Def Con are two such events, both filled with networking and even people in suits (although T-shirts are much more common). The keynote speaker at Black Hat this year was none other than the director of the freaking NSA, and for your reference, the crowd he spoke to looked like this:

If you've spent any time in the tech industry, you'd recognize this as a pretty normal group. Only one dude had a fedora, and he took a ton of shit for it.

Here's how hacking looks to Hollywood:

Or maybe like this:

Obviously Hollywood sexes up hacking applications to give the audience something dazzling to look at -- it's the same treatment movies give to everything from car crashes to archaeology. But this gives the impression that most hacking involves working with interfaces quite a bit more alien than what the actual aliens were using in Independence Day. Well, here are some ACTUAL hacking tools in use:

If those look like they're something that runs in a Web browser, you're right. The most common kind of hacking these days is called Web application hacking. You're looking for vulnerabilities on different websites. White hat hackers do this to make them safer, and black hat hackers do this because they're dicks.

So if you came by our office, it'd look like we were all just browsing the Web. Endless, flowing green text looks cool, but the human brain does a lot better with something sensible, like this:

In fact, a lot of my job is just reloading Web pages over and over again -- it's one of the ways you can try to break the filters on a site. You keep trying slightly different exploits and reloading the page dozens of times until you find something that works.

But note that just because it doesn't look exotic doesn't mean any old hardware can do the job. Strangely, the same movies that portray hacking as requiring some kind of futuristic virtual reality interface also show hackers doing their work with laptops. Remember Justin Long in Live Free or Die Hard, popping open his laptop and rolling out his little keyboard? If you're a badass outlaw hacker, you can't be tied down to a desk, damn it!

But most hacking is about brute force: trying hundreds or thousands of different things in slightly different ways until something breaks. You need horsepower for that.

Now, you could maybe get by with a laptop for a while ... if you're only working on one app or site in one particular field at a time. But when you're talking about serious industrial work, you need to be able to test hundreds of sites and parameters simultaneously. And that's going to melt the processor in your little laptop (literally -- I have a nice gaming laptop, and whenever I run a test on more than one or two parameters, I have to cool it down with a fan). That's why most serious hackers I know do the bulk of their work on something akin to a high-end gaming PC. These usually don't have the seven monitors seen in the Swordfish setup, however:

And speaking of guys furiously hacking while getting blown with a gun to their head ...

A lot of movies show hackers furiously typing on keyboards, commands flying across their screen too quickly to see -- movie hacking is a fast-paced job, requiring video-game-honed reflexes. It makes sense: You've got to outrun security, other hackers -- it's the computer equivalent of a gunfight. In the typical hacker duel, the attacker is firing commands and viruses at the system, while the target's own staff of nerds is racing to cut off the attack in real time, trying to chase down the hacker while he jukes and dodges with complex keyboard commands.

In the real world, most hacking tools are fire-and-forget. If you want to break into a site or an IP address, you just pick the right tool, "aim" it, and hit go. Then you walk away from the computer for a while until the tool finishes trying stuff. A lot of hacking is pressing "start" and then rolling out to grab some coffee.

This is not to make hacking sound effortless -- those tools are only right a certain percentage of the time, and the rest of the time will do absolutely nothing. But they do show you where the problems are. I'll spend maybe an hour letting the tool find a weak spot and then 15 minutes actually working out how to break in.

If this is making it sound like even professional hacking doesn't require an expert, well, let's take on the biggest myth of them all ...

The reality is that we go to career fairs at colleges and frequently hire people with almost no computer experience at all. It doesn't require years of study and dedication -- we can take someone from zero to hacker in six months. Security hacking -- what I do -- is actually an easy field to get into at entry level. You don't need years of training and a hearty Seth Green beard to start breaking into websites.

When you come on board, we assume you have no knowledge of how the Internet works, so we begin by explaining how websites respond to requests and move on to finding vulnerabilities. It doesn't take years of obsession to make an everyday hacker. It's a trade, like welding or bartending. And while the world has artisan metal workers and master mixologists, the everyday dudes who are just sticking metal together and pouring drinks for a paycheck keep those respective fields going.

The truth is, there are only about 50 different types of threat recognized by the Web Application Security Consortium, and each individual person at our company might only need to know how to track down a handful of those. It takes maybe a week or two to get the very basics of hacking down, and from almost the first day you're practicing on real applications. HackThisSite.org can train you up in the basics and have you doing hacks in a matter of weeks.

Learning and testing for vulnerabilities is the easy part of hacking (this ethical hacking course boasts a 90 percent success rate). The hard part starts if you decide to exploit that weakness. But there's more money (and fewer arrests) in resisting the urge to replace the background of Bank of America's website with your trusty ol' ejacupeen.jpg.

For example, I won "Notable Hack of the Month" at work last February because I found a vulnerability on a client's website, one that meant that in maybe an hour I could have written a script that would delete every user on that site ... or replace all the links in their accounts with hardcore Swedish Fish-based pornography. But I turned down that temptation for the chance to write a blog post about my achievement and the knowledge that I'll keep drawing a salary. Although I do have to live with the fact that they'll probably never make a movie about me.

Caleb Brinkman works for White Hat Security. You can visit his website here and his twitter here. Robert Evans is Cracked's head of dick joke journalism and manages the article captions. You can contact him here.

Related Reading: For more of Cracked's special brand of journalism, why not read this inside look at life as a prison guard. Next, let us bust some myths about drone warfare courtesy former drone pilot Brandon Bryant. And if you're planning to ship anything this holiday season, you owe it to yourself to read this article by a former UPS loader.