5 Hacking Myths You Probably Believe (Thanks to Movies)
In movies, the word "hacker" is interchangeable with "wizard." Screenwriters can have a character mutter something about "nodes" or "encryption," slap the shit out of a keyboard, and acquire godlike powers over the natural world. They figure the average person doesn't really understand computers, so anyone who can hack one might as well be a mythical creature. Well, this is one of those times when the Hollywood version of a job is somehow even more hilariously off the mark than usual.
My name is Caleb Brinkman. I'm a white hat hacker, which means I only hurt websites to make them stronger. Read on and you'll learn why everything movies and NCIS taught you about hacking is ridiculously wrong ...
Myth: You Can Hack into Any Mainframe Over the Internet
If you hear the words "hack the ..." in a movie, the next word is almost certainly "mainframe." It's a common enough occurrence to qualify as a trope:
We tend to imagine a website as the facade for this giant pile of secret records and internal details. Hack deep enough into the CIA's website and you can get into their mainframe. There you'll find all the records of their undercover agents and schematics for their wristwatch-mounted lasers. When I got into hacking, I assumed I'd be searching out mainframes, running decrypters, and breaking my way into all these systems.
I bought this exact pattern of Hawaiian shirt in preparation.
But the idea that you can get into any major computer system through the Web is just false. They may have a database with, say, username and password information that you can access through the Internet, but their records aren't going to be kept in any kind of public-facing database, because that's incredibly stupid. You won't find the nuclear launch codes hidden in anything attached to Defense.gov.
Websites are less like facades and more like handbills stapled to telephone poles. You can scribble all over that Albertson's ad in crayon, but no amount of doodling will let you steal a big pile of steaks. It's the same thing with all those movies where some supervillain hacker cracks his way onto the power grid: You'd have to know a ton of secret internal information to have a hope of getting in. Even the word "mainframe" itself is kind of an anachronism, because they've been largely replaced with server farms. Those servers are connected to a company-wide intranet, but why would Microsoft or Lockheed Martin pay to host all their billions of gigabytes of secret files in the cloud? That would be like paying thousands of dollars to install a solid glass gun safe in your front yard.
"But what if we put our secret files up on the Internet, where everyone can find them?"
Look at Edward Snowden, the guy who made off with all of those secrets about the NSA's spying program. He didn't steal that data by punching some hole in the NSA's website and sucking up all their secret goo. He got it all from the inside, because he worked there as a high-ranking system admin. There's very little hacking required when they hand you the keys.
Myth: Hacking Is Illegal
There are obviously people out there who hack in the service of evil -- without them, I wouldn't have a job. I work as a "white hat" hacker paid specifically to stop those people. But most of the hackers I know spend their time and brain juice on research. We analyze source code to figure out ways we might exploit it. Call it preventive vandalism -- people pay us to break into their websites and then tell them which window we used.
"In the future, you might want to invest in the fist-proof glass."
The other side of white hat hacking is more mercenary: finding bugs in Web applications and collecting bounties. It's like we're questing in an MMORPG, only the rewards are straight up cheddar. Facebook pays $500 minimum for evidence of a bug. Google pays up to $20,000 if you can find something serious enough. They've paid out $2 million in the last three years, because operating the world's largest search engine makes you a money pinata filled with vulnerabilities.
Much like Google co-founder Sergey Brin.
So yeah -- real hackers spend most of their time trying to break into high-profile websites. But they aren't doing it because they're crazy anarchist rebels fighting the Power; they're doing it to help make those websites safer, and because every bug they find nets them piles of big sexy money (as tempting as it would be to replace your boss' profile picture with an ejaculating penis, wouldn't you rather turn that vulnerability into a year's rent?).
There's even a website to collect all these bounties: Bugcrowd.
It's like being a hit man, but with a higher rate of adult-onset diabetes.
So, since hacking can actually be a real J-O-B job where you make a legitimate living (and white hat hacking is a big business), that also knocks down another movie stereotype: that hackers are all eccentric, socially disconnected basement dwellers living off the grid. Here's the hacker "Warlock" from the fourth Die Hard movie in a pretty typical hacker basement:
This is actually how I'd always imagined Kevin Smith's bathroom.
And here's a typical movie hacker boasting that he works for "Star Trek tapes and Hot Pockets":
Well, our team works in a typical office, and most of the people here are married. And we're not some kind of isolated pocket of normal people in a world of freaks, either -- hackers have public trade shows where our best and brightest drink heavily and exchange business cards. Black Hat and Def Con are two such events, both filled with networking and even people in suits (although T-shirts are much more common). The keynote speaker at Black Hat this year was none other than the director of the freaking NSA, and for your reference, the crowd he spoke to looked like this:
If you've spent any time in the tech industry, you'd recognize this as a pretty normal group. Only one dude had a fedora, and he took a ton of shit for it.
Myth: Hacking Requires All Sorts of Exotic Software
Here's how hacking looks to Hollywood:
Or maybe like this:
"The red stuff is computers, and the white stuff is Internets."
Obviously Hollywood sexes up hacking applications to give the audience something dazzling to look at -- it's the same treatment movies give to everything from car crashes to archaeology. But this gives the impression that most hacking involves working with interfaces quite a bit more alien than what the actual aliens were using in Independence Day. Well, here are some ACTUAL hacking tools in use:
Note the distinct lack of skulls.
If those look like they're something that runs in a Web browser, you're right. The most common kind of hacking these days is called Web application hacking. You're looking for vulnerabilities on different websites. White hat hackers do this to make them safer, and black hat hackers do this because they're dicks.
So if you came by our office, it'd look like we were all just browsing the Web. Endless, flowing green text looks cool, but the human brain does a lot better with something sensible, like this:
Losing that second "L" is the only reason this tool wasn't buried under an avalanche of Craftsman ads and porn.
In fact, a lot of my job is just reloading Web pages over and over again -- it's one of the ways you can try to break the filters on a site. You keep trying slightly different exploits and reloading the page dozens of times until you find something that works.
But note that just because it doesn't look exotic doesn't mean any old hardware can do the job. Strangely, the same movies that portray hacking as requiring some kind of futuristic virtual reality interface also show hackers doing their work with laptops. Remember Justin Long in Live Free or Die Hard, popping open his laptop and rolling out his little keyboard? If you're a badass outlaw hacker, you can't be tied down to a desk, damn it!
Nor can you be arsed to button the top 3/4 of your shirt.
But most hacking is about brute force: trying hundreds or thousands of different things in slightly different ways until something breaks. You need horsepower for that.
Now, you could maybe get by with a laptop for a while ... if you're only working on one app or site in one particular field at a time. But when you're talking about serious industrial work, you need to be able to test hundreds of sites and parameters simultaneously. And that's going to melt the processor in your little laptop (literally -- I have a nice gaming laptop, and whenever I run a test on more than one or two parameters, I have to cool it down with a fan). That's why most serious hackers I know do the bulk of their work on something akin to a high-end gaming PC. These usually don't have the seven monitors seen in the Swordfish setup, however:
We also tend to prefer backlit keyboards to a half-dozen lamps.
And speaking of guys furiously hacking while getting blown with a gun to their head ...
Myth: Hacking Requires Lightning Reflexes
A lot of movies show hackers furiously typing on keyboards, commands flying across their screen too quickly to see -- movie hacking is a fast-paced job, requiring video-game-honed reflexes. It makes sense: You've got to outrun security, other hackers -- it's the computer equivalent of a gunfight. In the typical hacker duel, the attacker is firing commands and viruses at the system, while the target's own staff of nerds is racing to cut off the attack in real time, trying to chase down the hacker while he jukes and dodges with complex keyboard commands.
"Hack harder. Faster."
In the real world, most hacking tools are fire-and-forget. If you want to break into a site or an IP address, you just pick the right tool, "aim" it, and hit go. Then you walk away from the computer for a while until the tool finishes trying stuff. A lot of hacking is pressing "start" and then rolling out to grab some coffee.
This is not to make hacking sound effortless -- those tools are only right a certain percentage of the time, and the rest of the time will do absolutely nothing. But they do show you where the problems are. I'll spend maybe an hour letting the tool find a weak spot and then 15 minutes actually working out how to break in.
If this is making it sound like even professional hacking doesn't require an expert, well, let's take on the biggest myth of them all ...
Myth: It Takes an Expert
There's a reason movie hackers always seem to live in basement hacker caves: They're the sort of people who spend every hour of their lives getting better at hacking. They're warrior monks, but with more Cheetos stains.
Those orange robes also hide Monster stains surprisingly well.
The reality is that we go to career fairs at colleges and frequently hire people with almost no computer experience at all. It doesn't require years of study and dedication -- we can take someone from zero to hacker in six months. Security hacking -- what I do -- is actually an easy field to get into at entry level. You don't need years of training and a hearty Seth Green beard to start breaking into websites.
The floodlights, however, are an absolute necessity.
When you come on board, we assume you have no knowledge of how the Internet works, so we begin by explaining how websites respond to requests and move on to finding vulnerabilities. It doesn't take years of obsession to make an everyday hacker. It's a trade, like welding or bartending. And while the world has artisan metal workers and master mixologists, the everyday dudes who are just sticking metal together and pouring drinks for a paycheck keep those respective fields going.
The truth is, there are only about 50 different types of threat recognized by the Web Application Security Consortium, and each individual person at our company might only need to know how to track down a handful of those. It takes maybe a week or two to get the very basics of hacking down, and from almost the first day you're practicing on real applications. HackThisSite.org can train you up in the basics and have you doing hacks in a matter of weeks.
Blue jean jacket not required.
Learning and testing for vulnerabilities is the easy part of hacking (this ethical hacking course boasts a 90 percent success rate). The hard part starts if you decide to exploit that weakness. But there's more money (and fewer arrests) in resisting the urge to replace the background of Bank of America's website with your trusty ol' ejacupeen.jpg.
For example, I won "Notable Hack of the Month" at work last February because I found a vulnerability on a client's website, one that meant that in maybe an hour I could have written a script that would delete every user on that site ... or replace all the links in their accounts with hardcore Swedish Fish-based pornography. But I turned down that temptation for the chance to write a blog post about my achievement and the knowledge that I'll keep drawing a salary. Although I do have to live with the fact that they'll probably never make a movie about me.
Caleb Brinkman works for White Hat Security. You can visit his website here and his twitter here. Robert Evans is Cracked's head of dick joke journalism and manages the article captions. You can contact him here.
Related Reading: For more of Cracked's special brand of journalism, why not read this inside look at life as a prison guard. Next, let us bust some myths about drone warfare courtesy former drone pilot Brandon Bryant. And if you're planning to ship anything this holiday season, you owe it to yourself to read this article by a former UPS loader.