The Hacker Mind Podcast: Ethical Hacking
Is hacking a crime? The US Justice Department says it will no longer prosecute good-faith security researchers, but what constitutes good-faith security research?
Bryan McAninch (Aph3x) talks about his organization, Hacking Is Not A Crime, and the ethical line it draws on various hacking activities. He also talks about the future generation of hacking, what motivates young people today to think outside the box in a world where infosec is increasingly becoming vocational and expected.
The Hacker Mind is available on all podcast platforms.
[Heads Up: This transcription was autogenerated, so there may be errors.]
Vamosi: Hackers. I first became aware of the term back in 1988, when as a kid, I saw Dan Rather on the CBS Evening News talk about Robert Morris Junior, who had just launched the first computer worm.
CBS Evening News: Cornell University graduate student Robert Morris was indicted today for planting a virus that infiltrated more than 6000 computers across the country. Morris's defense and includes that he intended only a low grade. What he touched off instead was a rampant epidemic last November that infected a national defense network of computers among others. If convicted, he could face up to five years in prison, a fine of $250,000 plus restitution to damage parties.
Vamosi: And then, a decade later, I got to work alongside Kevin Poulsen at ZDNet and CNET before he went to SecurityFocus and then Wired.
Kevin Poulsen: If you go back before that I myself was a hacker in the late 80s, in the early 90s. I used to hack the phone company quite a bit. It was what the kids today would call an advanced persistent threat. I was like living in our systems for years and I want to get in some trouble for that. In part because I use my access to cheat at radio station phones in contests and win prizes. Like Porsches and trips to Hawaii.
Vamosi: In 1994, Kevin Poulsen served 51 months in federal prison and was banned from using computers without permission. And some hackers avoided prison altogether.
Lauri Love: Celebrating with the broadest of smiles and a kiss from his partner, Lauri Love's relief at winning his appeal against extradition to the US was overwhelming, very happy and relieved. Very thankful for the judges. Thankful for all of the support that we've had about which I'm not sure I would have made it this far.
The 33 year old from Suffolk faced charges from US prosecutors as hacking into computers at various American agencies. His lawyers argued that Asperger's and depression would make any extradition oppressive. Today, the High Court agreed.
Vamosi: Only for some, the threat of going to prison was too much.
CNN: A brilliant computer programmer, a world class university and a federal prosecutor. A three way collision that some speculate led to a deepening depression for 26 year old Aaron Swartz. Swartz was best known as the co-founder of Reddit. A widely used social news and entertainment website built around user submitted content. President Obama even used Reddit to reach more than 5 million voters during his reelection campaign, most of them young people. In his short life he became a folk hero pushing to make web content free. But with prosecutors pressing serious charges, Swartz hanged himself Friday in his Brooklyn apartment. His lawyer says he doesn't know what put him over the edge.
The charge against Swartz could have landed him in prison for up to 35 years along with a billion dollar fine, and for what? He was indicted on charges of stealing millions of academic articles and journals from a digital archive at MIT. But MIT didn’t press charges. Instead, the US government did, saying quote Stealing is stealing whether you use a computer command or crowbar and whether you take documents data or dollars. Unquote.
Vamosi: I started The Hacker Mind podcast, in part to take back the word hacker, which simply means to take apart. Either in courts or in the media, hackers have been demonized. The organization Hacking is Not a Crime.org is trying to change the narrative around hacking. And in a moment, I’ll interview its founder.
[music]
Welcome to The Hacker Mind, an original podcast from ForAllSecure. It’s about challenging our expectations about the people who hack for a living.
I’m Robert Vamosi and in this episode I’m talking about hacking, specifically ethical hacking, and whether ethical hacking should be legal and under what circumstances. It’s a nuanced discussion, and one that I’m happy to share with you in this episode.
[music]
Vamosi: While I was producing the episode, the United States Justice Department announced an important policy shift. It will no longer prosecute good-faith security research that would have otherwise violated the Computer Fraud and Abuse Act (CFAA). Specifically it said, “Computer security research is a key driver of improved cybersecurity,” Deputy Attorney General Lisa O. Monaco said in a statement published with the announcement. “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.” So what is the common good?
McAninch: You know, I'm a my Aph3x pseudonym, handle, moniker or whatever, that's fine. I know I'm gonna say like, that's pretty synonymous with my real life name at this point. You know, I can kind of compromise anonymity. Pretty much hacking is a crime, but I'm even prior to that, and I had kind of been involved in the hacker community and I've done some talks and things like that. So whatever you prefer, you can say, Bryan McAninch, also known as Aph3x, whatever.
Vamosi: In 2002, I wrote an article for ZDNET titled “Jail Time is Not The Answer to Cyber Crime.” I wrote about the pending Cyber Security Enhancement Act of 2002 (CSEA) and said: “The problem with this legislation is that it's often very difficult to determine who is responsible for any given cybercrime. Let's say someone hacks into the local power grid and, as a result, a hospital loses power to its critical patient care units. Who is responsible? Is it the hospital, which should have had a power backup? Is it the power utility, which should have maintained better computer security? Or is it the thrill-seeking 13-year-old, who probably had no idea what he or she was doing?” Further, over the years I’ve strived to say criminal hacker where appropriate, and hacker or researcher everywhere else.
McAninch: Excellent. I wish there were more like you. I've been in touch with some notable names and media and they've you know, they've assured me that they'll make a best effort. And they've promised me that you know, when the time comes we'll have a sit down interview like this, but um, yeah, it's, it's been an uphill battle because let's face it, you know, that the whole image of a hacker draws people in to read articles and advertising them articles and then make money off of advertising. So it's kind of a business model, right? It's part of it.
Vamosi: I also noted in the ZDNet article that at the time the average length of a sentence around the crime of rape is 3 years in the United States, but at times, there have been sentences of 10 years or more for violating the Computer Fraud and Abuse Act.
McAninch: You're never going to understand what it's like to be a rape victim unless you're a rape victim yourself. However, I think people can get a pretty good idea of, of what something like you know, the consequence of what they should be for rape. I certainly don't think it should be three years, especially if you're comparing it to something like computer crime or whatever. I'm the CFAA. But that's a really interesting disparity.
Vamosi: So one of the things that I've been asked and wrestle with is how do you make that distinction between someone who's a bad hacker and somebody who's a good hacker?
McAninch: And that's a great question. I'm glad we're able to discuss it because I think there is, you know, my whole idea behind a lot of this was to, to bring about some unification within the hacker community. And there's been some debate and good debate, you know, the whole point of this was to bring this into public discussion, public discourse, and let's talk about the nuances of this. And our message is very nuanced. Some have said, well, hacking hacking is a crime. It's, you know, you have the Computer Fraud and Abuse Act, which I think is what Mitnick was probably prosecuted under right. So, you know, it's hacking is not a crime is more of an assertion. Some had said hacking should not be a crime. Well, yeah, we agree with that. But hacking should not be vs. Hacking is not. We wanted to go a little bit more for the guerrilla marketing type message. So we went with hackings not. But over the course of the last couple years, some really valid points have been raised about. Mostly, and we tweeted about this, just a few days ago. There's a somewhat of a conflation of and distinguished this distinction between ethics and legality. Right. And we've, from day one always focused on ethical intent.
Vamosi: And that then becomes the question: What is ethical hacking?
McAninch: I mean, there's Well, I mean, we could go off on a lot of tangents here. I think. I grew up as I mentioned, and a lot of subculture circles and I've always been very anti establishment anti authoritarian. type of personality. You know, my mother working two, three jobs as a single parent household wasn't around a lot. You know, I was kind of left to do my own thing. And I would get in trouble as missionaries, because we didn't have a lot of, you know, oversight. But, you know, when she was around, she would try to compensate for her lack of being there. Again, she was working two or three jobs, so I can't blame her for it, but she tried to overcompensate by, you know, coming down hard with the hammer and I think that kind of turned into this snowball effect of like, well, I'm not gonna do that. I'm gonna get around what you want and that kind of evolved into this hacker mindset. So I think when I mentioned all these different permutations of ethics, and legality, right, I think there's a lot of unethical things that go on in the world that are completely legal. Right? There's just insider trading on massive scales. There's, there's so many socio economic and justices in the world that are completely legal, because the powers that be make them legal, it's the you know, it's the inner, the inner circle of trust, so to speak. So I think one of the reasons like you said rape and for three years or CFAA for 10 I think it's a little bit because our community, our industry, what have you, is a lot it's very esoteric to people they don't really understand it. And when people don't understand something they feel threatened by it. When people feel threatened by it they want to throw the book at Yeah.
[music]
Vamosi: Perhaps we should talk about a specific example, something in the media, where we can discuss where to draw the line on Are they ethical or are they criminal? I wrote a book with Kevin Mitnick, a convicted felon. But is Kevin criminal, or just curious about the world?
McAninch: So you know, with Mitnick, and I'm going off of some very old memory here I remember in the late 90s When you know, free Kevin Mitnick thing 2600 was all on it. And that's kind of right when I got into security and had an interest in hacking. And I've read about his attack on it.
Vamosi: Tsutomu Shimomura is a Japanese-born American physicist. He’s also a computer security expert and is perhaps best known for helping the FBI track and arrest hacker Kevin Mitnick. At this point, Kevin was a known fugitive from the law, and was using aliases to stay one step ahead of the FBI. What Kevin was convicted of doing was looking inside Shimomura’s computer to see what, if anything, was known about his current whereabouts. It proved to be the thing that got him caught.
McAninch: I think he used like TCP blind IP spoofing and I was like reading this and was like, this is brilliant. Of course, it's a lot more difficult to do now because they have, you know, more entropy and TCP sequence numbers and all these other things, but for that day, that was really cutting edge. I was like, This guy's brilliant. So then I guess the question would be, what was he doing ethically? I think you know, I think Kevin, I respect the guy because of his technical acumen. I don't, it was definitely illegal. Because I think it was, you know, it was someone else's property was intruding, I guess one could claim but I don't know if you know, I don't really see it as an unethical act because did he do any damage? I don't I don't recall him actually doing any damage. I thought he was just doing it for kicks and giggles kind of thing right? And correct me if I'm wrong here again, this is going off of a 25 year old memory here is something but uh yeah, it was a really interesting case study. So yeah, was it a crime? Well, according to the law, it was. I think that kind of borrows down into another level of nuance. Is he being ethical by doing? I don't think he's breaking anything. I don't think he's, you know, holding their data hostage or exposing any sort of intellectual property. I don't I don't even know if the Shimomura, whoever it was, even suffered any loss. I don't know. How that was argued in court. But I can argue it was ethical, but it was definitely illegal. According to the CFAA anyway.
Vamosi: Bryan has a simple rubric he uses to define hacking and what is criminal activity. Imagine a grid of four quadrants, with ethical and legal forming the x and the y axis. So in the upper left you have ethical and legal -- which is what you want to be. Adjacent to this, in the upper left, is Ethical illegal. In the lower left, Unethical and Legal. And in the lower right, unethical and illegal. Right away, we can dismiss the unethical. That’s a red line that his organization draws.
McAninch: So when you're talking about ethics and legality, we have tried to keep this straight in my head. You have ethical, legal, ethical, illegal. You have unethical, legal and unethical illegal. So just kind of right off the bat. We are no way support anything that's unethical. Whether it's legal or illegal, right? Is we want to we want to narrow down that nuance to what we can really focus on and have impact. We fully condone and support. Ethical legal obviously and where we're really trying to have an impact is on the ethical illegal.
Vamosi: So if you are ethical and doing something legal, that’s fine. But what if you are ethical and doing something illegal? This is where whistleblowers come in. They are ethical people who see something wrong. Sometimes they must perform an act of civil disobedience and break an NDA or even break a law. This is the Ethical Illegal side of the quadrant.
McAninch: Sure. Yep. You know, I think we've had Daniel Ellsberg. I think it was right Pentagon was it David Ellsworth or Daniel Daniel, Daniel Ellsberg? You know, whistleblower type stuff. I think that's important. Transparency and society so that you know the constituents know what's really going on. I'll go on the record and say, you know, I'm a fan of Snowden. So things like that. I think there's, there's a conversation to be had about how we approach that but we've been growing so quickly, just in popularity, that we have to move the needle slowly on on the messaging, right, because we don't want to take some huge leap one way or the other, because then we may gain 10%, but lose 20 And now Now we're losing ground on it. So we've got to move the needle slowly.
Vamosi: So how do you move the needle slowly?
McAninch: We want to, we're advocating for global policy reform. So some of these nuances I think, have really, you know, again, stirred up some good discussion, but we've gotten a lot of really good. We'll call it feedback. visits. It's a controversial topic. You know, to some degree, a lot of people have a lot of strong feelings about what we're what we're bringing to public discourse. So that's kind of really where we're focusing on.
Vamosi: Staying with the legal for a moment. We have the Digital Millennium Copyright Act (DMCA) in the US, and only recently have we started to see some carve outs that allow hackers to, you know, look at cars, look at certain industries, maybe it should be broader than that. There’s also the Right To Repair movement, which I discussed in Episode 14.
McAninch: Yeah, that's kind of another thing that we support is there's that right to repair coalition, I believe it's called. And, you know, a lot of this kind of gets back to the property rights topic is, you know, if I buy an iPhone should I be able to modify it or if I buy a car, I think there was something in that last year. I think there was some legislation going through in Massachusetts that was supposed to set precedent for if you could have the right to repair your own car or if they effectively want to lock you out and make you go to the dealership or some authorized mechanic. Which of course, then they're going to prosecute price gouge you. So we're really big advocates of the right to repair and the DMCA obviously falls into that as well.
Vamosi: Right away, we can dismiss the unethical. That’s a red line that his organization draws.
McAninch: Yeah. And again, we condone ethically legal, we don't condone unethical, illegal, unethical, illegal, but we do want to see, you know, policy perform globally. For ethical reasons. There's a lot of unethical legal things going on out there that ethical illegal could fix. I hope that wasn't too confusing. It confused me when I was spinning around in my head thinking about all this one day.
Vamosi: Long time ago, I was told that saying you were an ethical hacker was not great. Not a great thing to say. So just don't go there. How do you feel about people calling themselves ethical as opposed to what we just discussed being ethical?
McAninch: Yeah, that was kind of one of the first con concepts I think we came across when we when we during our inception right of the org were ethical hackers we like to say that we believe all hackers are implicitly ethical. So to say that you're an ethical hacker is to say that Matt Blaze had I'm trying to find it here. He had a really good tweet a couple of weeks ago. People who call themselves ethical hackers make me nervous in the same way. I've made people nervous. If I call myself a non cannibal professor. It's funny, but it's true. I mean, it's almost like saying, Oh, well, I'm an ethical doc. Or I'm an ethical journalist. Well, I hope you are. So it should go without saying but it doesn't. So a lot of people still like to, you know, pull that ethical hacker part in but we're very much of the opinion that all hackers are implicitly ethical. So we don't really, we don't really like to push for that whole ethical hacker apart.
Vamosi: There’s also a list of words commonly used in infosec that are being challenged. For example instead of saying White Hat, say White Hat, Hacktivist, Researcher, Whistleblower. And, instead of saying Black Hat, say Attacker, Malicious Adversary, Threat Actor. Hacking Is Not a Crime is facilitating a discussion around these alternatives.
McAninch: Yes, we show you know this. I think the the I remember correctly and this is very ironic. I think the whole white hat black hat thing came out of DEF CON, circa 2000. Maybe it was either black hat or DEF CON I can't remember but it was meant to kind of differentiate the the good guys and the bad guys. I don't know. But yeah, you mentioned black and white just don't have the same. The same context anymore. It's kind of like GitHub changing their repos from master and slave to primary, secondary or whatever they chose to go with. So words matter intent matters. And so we want to kind of align with that. So we're going with there's so many different names and characters. That you can you can describe with this but white hacker we want to go with hacktivist. So you could be I'm an activist, I'm an actor and I'm an activist. So I'm an activist, security researcher or even whistleblower, we recently came across some stuff where there were leaks of personally identifiable information or some sort of previously unknown surveillance of people or employees. I think it's important that things you know, transparency and whatnot are provided to the public about things like that. So those are what we would consider white hat quote unquote, black hat would be very generically an attacker what you know, what's the intent and the motives here? Is this to you know, is this for the better good? or is this some sort of self serving, kind of intent? So attacker, malicious adversary a threat actor? We do have we do have some people on the internet who have expressed concern about, you know, cyber criminal, I think is what we were originally going with. And I tend to agree you know, even though I'm a OG kind of hacker I've been in the end, you know, in the game and the community for a long time. The Cyber thing just kind of never really liked the term personally. So we, we kind of did away with the cyber criminal thing and was just stuck with more, I don't know, acceptable terms of attacker or malicious adversary and threat actor which really kind of get the point across without saying, hacker or ethical hacker.
[music]
Vamosi: If you came of age in the 1980s and 1990s, you may remember this. Skateboarding was huge then; everyone had a board. Even I did. I had this amazing ability to always land on my feet even after a major wipeout -- but that’s a story for another day. Bryan was also into skateboarding. And this was before skateparks. This was before ….
McAninch: Um, you know, the whole story really? Goes back to my childhood days. There's a couple of places I can start, but I'm kind of, we can, we can move back a little earlier than this point in life. But when I was young as a skateboarder in the 80s, and, you know, I was your prototypical Gen X or my parents were divorced and dad was pursuing his career around the country. So as a single parent household mom worked two, sometimes three jobs so we were kind of poor. And, you know, I don't have the luxury of building a halfpipe in my backyard. I didn't have the luxury of skating in swimming pools like they do in San Diego. Do my pools in Ohio. So I was skateboarding and my only option would be to skate on public and private property. Whether they were like, you know, stairs and handrails or embankments, or curves or whatever it was. At the time, I escaped from the age of six to 14. Maybe during that time, probably when I was about 12. I didn't really understand the concept of property rights. Public private property and things like that. But the police would harass us and many skateboarders just for you know, being out with their friends. You know, and in retrospect, private property, okay, I get it. And then, you know, at that time, there was the whole skate destroy mantra, which probably didn't kind of lend itself to our, you know, our pristine character. But, you know, police would harass us on both private and public property. So, the public's a little different, you know, it could be a park. It could be a, you know, PlayStation, could be in Iowa City Hall, something like that, which is taxpayer subsidized. So, it got to a point where, just in my small town that I grew up in, several parents got together and petition City Hall and said, Hey, look, we understand the private property. is one thing you know, if they get their permission to be fine. 
But on public grounds, you know, it's taxpayer funded, or kids should be able to stay there kind of a quite the First Amendment kind of thing, but it's the same concept, right? It's public property, we should go to go and use these facilities and just be able to skate around. And it was about that time that a skateboarding is not a crime sticker came out was pretty popular. And think, you know, kind of fast forwarding. However, many years later was 2018. I was sitting down with wireform, who's one of my local hacker friends here in Dallas. He's the founder of Dallas Hackers Association. And we were sitting down after a meet up having a beer. He's kind of OG like me and goes way back. And we were just our I got brought up. We were talking about the stereotype and the derogatory imaging and whatnot, of hackers and the hacking community. And we were talking about the imagery, the hoodies and things like that and it just kind of I just kind of blurted out like, yeah, hacking is not a crime and then in my head, skateboarding is not a crime. That was something you know, a little nostalgic, but then I was like, that sticker really took off. So I designed a prototype for it. And there was another gentleman from the Dallas hybrid community by the handle of an unspecific or otherwise mad hat. And he really like graphic arts design and stuff, so he helped me kind of brush up our sticker design. And in 2018, I bought five hover 100 of them on sticker mule, and took them to DEF CON. And they were gone like the first day. Like, okay, you know, I don't have time to order more, but the next year in 2019, I took 5000 and I didn't attend a single talk. I just handed out stickers, and it kind of just, it started taking off from there, I think. And then in 2020 pandemic, you know, DEF CON was all virtual. And, you know, I had the Twitter account ID set up in 2018. I had tweeted this video, it's pinned on our Twitter account hack, not crime.
It's something to the effect of what most people think hacking is when versus what hacking really is. And it's, no it's this short video. It starts off with this like, you know, uptempo like techno beat and it shouldn't have these flashy graphics of encryption and decryption, you know, payload and loading things like that. And it cuts over to this guy, coding Java. And he, you know, hits, hits a button, and he gets his IO error for Heroku something, whatever it was, and he goes over to Google to troubleshoot. It, you know, it's kind of the iterative learning process, right? of hacking, you know, you try something breaks, go back, try a different way. So, anyway, in a nutshell, in summary, that's kind of the short version of a long story of where it kind of originated the concept and where hackings on a crime came from. And I've always, for some reason or another have always been kind of affiliated with some sort of subculture. I don't know why I just enjoy being part of the outer circle society. But I mean, it's very much like skateboarders, we're going through the 80s. But I think with all due respect to current skateboarders, of course, I think our cause has a potential for a much greater impact. on society. Because as we become more dependent on technology and security, I'm sorry, more dependent on technology, security, and privacy is gonna become more important in our lives. So I'll stop there.
Vamosi: So given that Bryan and I agree on these terms, even share some of the history, has there been any pushback within the security community? Do people want to see hackers dismissed as pejorative? Or are they willing to embrace it again?
McAninch: Not so much InfoSec and for like the hacker community that I'm part of there have some there's been some detractors who I won't go into names here. I don't want to call them out or anything but you know, we've gotten some DMs on Twitter and emails and you know, again, our message is very nuanced. So I think sometimes people misunderstand some of it and take it for oh, well, what about just talking about Kevin Mitnick? What about Kevin Mitnick? And how hacking is a crime he was prosecuted. So you've got the world out there who's not part of the hacking community that just don't understand it at all, which is mostly why we're, we're trying to spread this message. It's the point of our callers but within the hacking community as well, there are people who feel that you know, maybe a bit more anti establishment that want to, as I mentioned a moment ago, uncover unethical things. And so then we get into a discussion of well, you know, if you've compromised somebody and you've exposed some sort of unethical Act, is that considered ethical and you know, that's that's that's part of the debate now, right? And again, that's that that's why we formed this, we want to have those conversations.
[Music]
Vamosi: You may have seen the Hacking Is Not A Crime stickers. They're well designed. They've been showing up at conferences, and in some infosec videos.
McAninch: I think really what helped us grow so quickly, almost too quickly is it's admittedly been kind of a struggle at times to keep things from boiling over just growth. But we, you know, guerilla marketing has been why things have caught on so quickly. It's part of the branding of the logo. And you know, that's, that's the reality of running a nonprofit or a business or even even personally, people have personal branding, right. So you've got to market yourself or whatever it is you're representing. And, you know, part of that was that assertion that hacking is not a crime. Over the course of the last couple of years, we've had a lot of lively public discourse about things like this. And we're finding other nuances outside of the scope that we were originally focused on. Right, so I brought up you know, whistleblowers and stuff earlier. I think it's very ethical to expose unethical things. And so, you know, we're slowly moving the goalposts a little bit to kind of encompass elements of that type of mindset as well. is, as I mentioned before, is as we become more dependent on technology, so too will our personal privacy and security be impacted and if we're not actively looking for vulnerabilities or actively exposing unethical acts, I think, just as a global society at this point, we're all going to suffer in the end. So I know we've got some folks out there that don't necessarily agree with us, but I encourage them to be patient and supportive as they're willing to be because I really want to make this a unifying theme among the hacker community. Because I think a lot of our society's things are very divisive right now. And I would hate to see something like that happen to the hacker community because I think there's a lot of really great people out there. We just need to have their public discourse and come to an understanding of everyone's wants and needs.
Vamosi: Right. And so to your point, then how do you start that nuanced discussion? You clarify that it is nuanced upfront, and then have the discussion?
McAninch: Yeah, well, I mean, we've had some recent updates to our website that you know, call out you know, specifically, here actually read it miss had it pulled up. Hackers simply an inquisitive core is a critical thinker, who solves complex problems with unorthodox means. The actions and method by which these problems are solved, either social, financial, economic, political, technological, or otherwise, it's called Hack. So, you know, you've got the whole life hack of you. There's a website called, like life hacker or something like that life hacker.com I think, okay, yeah, technically, you're kind of you know, doing something in an unorthodox manner. You're hacking something, but I think hacking, the mindset can be applied in so many different contexts. So we wanted to clarify just right up front on our website, that it could be, it could be social, financial, economic, political, it doesn't have to just be technological, which is where Hacking has really been focused. But getting back to my earlier point, we're more and more dependent on technology. But it's a means to an end of maybe some of the other ones right, the social, political, economic, whatever.
Vamosi: After this podcast, head on over to the Hacking is Not a Crime dot org website. There you will see a few terms that you feel are antiquated and that certainly is a discussion not only because of gender and other things, but just in general. So you have alternatives for what to call a white hat hacker or a black hat hacker.
McAninch: Yes, we show you know this. I think that I remember correctly and this is very ironic. I think the whole white hat black hat thing came out of DEF CON, circa 2000. Maybe it was either black hat or DEF CON I can't remember but it was meant to kind of differentiate the good guys and the bad guys. I don't know. But yeah, you mentioned black and white just don't have the same. The same context anymore. It's kind of like GitHub changing their repos from master and slave to primary, secondary or whatever they chose to go with. So words matter, intent matters. And so we want to kind of align with that. So we're going with so many different names and characters. That you can describe with this but white hacker we want to go with hacktivist. So you could be I'm an activist, I'm an actor and I'm an activist. So I'm an activist, security researcher or even whistleblower, we recently came across some stuff where there were leaks of personally identifiable information or some sort of previously unknown surveillance of people or employees. I think it's important that things you know, transparency and whatnot are provided to the public about things like that. So those are what we would consider white hat quote unquote, black hat would be very generically an attacker what you know, what's the intent and the motives here? Is this to you know, is this for the better good? or is this some sort of self serving, kind of intent? So attacker, malicious adversary, a threat actor? We do have some people on the internet who have expressed concern about, you know, cyber criminals, I think is what we were originally going with. And I tend to agree, you know, even though I'm an OG kind of hacker, I've been, you know, in the game and the community for a long time. The Cyber thing just kind of never really liked the term personally. So we kind of did away with the cyber criminal thing and was just stuck with more. 
I don't know acceptable terms of attacker or malicious adversary and threat actor which really kind of get the point across without saying, hacker or ethical hacker.
Vamosi: So beyond coming up with a clever mantra and beyond coming up with stickers and new names for old terms, what does Hacking Is Not A Crime actually do? Have you done any events? Have you sponsored anything? Is there legislation that you're looking forward to is there?
McAninch: So we have throughout the last year, year and a half, we've reached out to a lot of different media outlets. You know, our site states very clearly that you know, a lot of this image and characterization of hackers in the hacking community comes out of global media and pop culture sources. And, you know, to the point where we're talking about earlier, fear, uncertainty, doubt tactics, draw in viewers or, you know, link clicks or what have you, because it generates revenue off of that. So, and the same for, you know, movie plots. You've got to have a villain, you got to have a compelling plot. Let's have an evil hacker, right. They do have some good movies like Hackers, and I hate to even bring up Swordfish, but the guy was, God, that movie was bad, but it was a cheesy bad, right. You know, so I think where we've really started to focus in the last couple of years is just spreading awareness, laying the groundwork and then having open conversations with people like yourself. You know, we've talked to some other digital rights groups. We've got some really good partnerships going. We've got a couple of one for I've lost count now. 100 and something plus advocates out there advocating our message. And we're currently in the process of building out local chapters. And you know, we've these advocates who would kind of lead those endeavors. And being that they're located, we've got a global presence now in Asia, Africa, Europe, North America, South America. At the beginning, we've got some in Australia but we don't have anything in Antarctica yet. But the idea is to kind of grassroots movement, start small, get some community involvement at the local level, and then grow from there. So you know, start, start at the top, get the awareness out and then bring it directly down to the bottom and gorillas from the ground up. So that's kind of the approach we've been taking.
Vamosi: So what would a local leader be tasked to do as opposed to at your level?
McAninch: So you know, our primary responsibilities at the high level is mostly branding, marketing, getting the message out, managing Twitter account and discord and you know, all of our other communications channels, LinkedIn, Facebook, what have you. At the local level, what we're trying to do is kind of offset particularly by myself, specifically, offset some of the logistics challenges. I obviously can't be in three places at once or more. So when there's a conference at a local level, we want to send out advocates, maybe they're nearby, kind of just, you know, spread the workload a little bit more evenly. And then, you know, we would continue as we have been having, having conversations like this one where we can speak on behalf of the organization itself.
[Music]
Elliot Alderson: "Hello friend. God, that's always been lame, hasn't it? Sorry I never came up with a better name for you."
Vamosi: We are seeing a new generation. Is there still the same sort of impetus to become a hacker today, given the ubiquity as opposed to when we were in the 80s and 90s?
McAninch: That's a good question. I haven't been asked that one. Think you know, I do a lot of mentoring. Both like a meetup that I organized, and some local high schools here in our school district where I live for kids and you know, I get a lot of questions about what certification where I need to get what career path and all these different things and have advised them, you know, kind of looking back on my own. When I got in, I've been in tech all my life. I've been coding since I was a so when the.com era hit, it was like, Oh, this is this is a great opportunity. And that coupled with my kind of subversive personality, I you know, hacking and security were just a really good fit. But back then to your point, technology wasn't quite as ubiquitous. There wasn't as much specialization. So I was kind of a jack of all trades. I did. I was a coder by nature, but I got into networking security and picked up Linux. You know, my first Linux distro I actually bought was Red Hat five one. And, you know, I was a jack of all trades, so I knew a little bit of everything. And now it's a lot more difficult to really, especially if you're young, I think it's really difficult to identify what you really like because it all looks so appealing. Now you've got in addition to all the other things that have evolved and as quickly as they have evolved, you've now got cloud and IoT. You've got some folks that are, you know, interested in industrial control systems, because that's kind of an untouched area, even though it's been around some legacy systems, but that's kind of a new landscape. Artificial intelligence with machine learning algorithms and things like that. So you've got all these different applications of privacy and security that you can specialize in. But it's really daunting to kind of understand, well, how do I get to that? And so I've always kind of default into, you know, pickup coding. First and foremost. 
Because I think that really lays a foundation for having that logical mindset. Understanding what exceptions to the rules are, I think, is really paramount in the hacker mindset. There's always one if you're presented with two options, there's always a third one right. And then, now based off of whatever their interests are, whatever they're most passionate about. I've often advised people to pursue that path that really get a solid foundation on the legacy technology or legacy concepts of coding, networking and system administration type stuff. So I think a lot of up and coming hackers now have the benefit of tons and tons of information available to them. But I think it can also you know, there's great choices but there can also be too many choices where you're overwhelmed with it and really don't know where to begin. So I think there is a bit of a pro and con, it kind of cuts both ways. Whereas I could definitively say yeah, I want to do I'm gonna go do this and I want to focus on hardware or software or whatever it was, I think the next generation of hackers if we want to call them that have a lot of choices, but it may be difficult for them to really hone in and identify what their passion and focus might want to be.
Vamosi: I guess what I'm fishing for is that we grew up without role models. The generation now not only do they have all this information available to them wherever they are in the world, but they also have role models that they could look to they have like Elliot Alderson you know, and they think that is what a hacker is, as opposed to self identifying that I'm doing all this curious work. Maybe I'm a hacker, are we going to get another generation or has it become vocational in that? Well, of course, I'm going to go work in the tech industry. And of course, I'm going to code and of course, I'm going to debug this.
McAninch: Yeah, good question. Um, I think there's a little I mean, you know, part of our mission is the influence that media and pop culture has on how our character is characterized. A persona is characterized. So I have met a lot of people that their first idea there of what a hacker is, or what a hacker does might be something like Mr. Robot. Not necessarily bad, in a sense, I mean, it does get good people. Maybe it inspires them to pick up coding or OSL a command prompt, what was he doing and they find out it's Linux and maybe they discover Linux. Vocational. Yeah, I mean, I think it cuts both ways there too. I mean, it could just be maybe all along. They've they've had this kind of itch with science and technology. We didn't really cover that. Part of like my childhood, but that's certainly where I, where I started. So, you know, with this being a lot more prominent in society for good or bad however, the hackers are portrayed. I think there is some benefit that it might just kind of inspire the next generation to pick up a book and read about, you know, computer networking, or maybe teach themselves how to code or something. Right.
Vamosi: I did talk with Jack Cable last year, and I was incredibly impressed with all that he's been able to do and he's only like, 22 years old. Yeah. He struck me as someone that had been identified early and went mainstream by working with, you know, the government and CISA and Beau Woods and all those great people, but it he also what we talked about was his ransomware thing where, you know, a friend had an uncle who had a problem and just off the cuff, he looked at it and was like, Well, what if I did this so even if you are mainstreamed and you're kind of like channeled to do the hacking for good. You still have that wildness, like you still have a curiosity about the world. So I hope that there are a lot more people like that. I'm impressed that you're helping the high schoolers to learn about hacking and stuff because high schoolers are a challenge.
McAninch: Fortunately, the ones I'm working with are seniors and it's part of like this capstone project that they do is they call it an independent study and mentorship. So they each of the students, whatever field they want to go in, reach out to someone in the local community for that field. And my main just, I want to I want to start up, and if you look up cybersecurity, Dallas, it's in the first it's in the top 10. Right, so my name pops up. And I have been contacted several times for that. So but it is it is a lot of fun. They're there. They're all seniors. They're very, very passionate. Which I'd love to see. The first student trying to think back was in 20. I think it was 2016. The first the first mentee I worked with found an IDOR vulnerability in this image hosting website reported it and got a CVE assigned as a senior in high school, so like just right off the bat, this guy is going to CVE can put on his resume and I found this as part of my capstone project. I think that's really cool.
[Music]
I’d like to thank Bryan McAninch for discussing the term hacker, and sharing his personal history as well. Not everyone who hacks is a bad actor, not everyone who takes things apart should be demonized. There are TV shows, movies, and even podcasts that glorify the crimes of some people -- and that’s fine. But the vast majority of us are just curious and sometimes have a real need to expose wrongdoing in the world today. It’s great that the US Justice Department is enlightened enough to recognize research being done for the common good. Let’s continue to push the envelope. Let’s continue to see hackers as they are -- hyper bright, curious people -- and feel free to talk about criminal hackers as that-- criminals.
Let's keep this conversation going. DM me @RobertVamosi on Twitter or join me on Discord. You can find the deets at thehackermind.com
For The Hacker Mind, I remain not a criminal, just a hacker, Robert Vamosi.