This is a question that Jennifer Steffens, IOActive CEO, often asks hackers she meets at conferences around the world. More often than not, the answer is movies: War Games, Hackers, The Matrix, and so on.
But today, it is real-life hacking that is inspiring the movies of tomorrow. “Hackers are doing epic stuff,” she says, and they are now inspiring movies and comics, she pointed out in her keynote at the Hack In The Box conference in Amsterdam.
People are coming up with crazy new technologies every day, and that technology is getting to the larger public at an ever-increasing pace. With it come new, unexpected and often malicious ways to exploit the technologies, and there is an increasing need for people who will research the security of these new technologies.
As CEO of IOActive, Steffens has the opportunity to work every day with some of the brightest in this field, and she says that they are a daily inspiration.
So, what makes a good researcher and a good hacker? For one thing, to break something you first need to know how it’s made: you need to understand the technology.
Case in point: Mike Davis, IOActive’s principal research scientist and head of the embedded devices department, got interested in testing the security of the computers operating nuclear bombs. Needless to say, this is the kind of technology that a government is unlikely to share with anyone from the “outside,” so he decided to try to recreate the tech by himself, taking for inspiration a device from the movie The Manhattan Project.
Another thing that you need to have to be a good hacker is seemingly inexhaustible curiosity, and to know how to look at problems from angles that no one has contemplated yet. Also, be persistent – despite many failures – and work hard. And when the game doesn’t give you satisfactory results, you have to know how to change it and keep playing.
Take for example IOActive’s researcher Ruben Santamarta. After he discovered many design and security flaws in satellite communication systems, and was practically ignored by the vendors when he shared his research with them (only one responded), he wrote a report and released the research to the public. One hour later, the industry took notice – all because he knew how to change the game, change the language, reframe the question and bring to the fore what mattered: how the exploitation of these flaws could impact people.
He is not the only one who knows how to play the public attention angle. As Steffens says, sometimes being a good researcher also means being a good showman. When researchers Charlie Miller and Chris Valasek (the latter is the Director of Security Intelligence at IOActive) researched and discovered flaws that can be exploited to hijack car computers and, consequently, cars, they went public in a spectacular way, giving journalists a terrifying real-life demonstration.
The public took notice. Now when some people go to buy a new car, they ask about the security of the on-board computer system, says Steffens. The game has changed – manufacturers are beginning to see why the issue is important to their bottom line, and some of them have moved to employ researchers who will aim to keep the systems safe.
Some hackers and researchers are motivated by money, but most of them are more interested in “playing with toys.” Most of them are also interested in helping with things that affect people directly, and want their research to really matter.
One such researcher was the late Barnaby Jack. His first claim to (wider) fame was the famous ATM hacking, but he later turned to researching the security of medical devices, mainly pacemakers. One of the ways he approached the research was by interviewing Steffens’ father, who had one inserted following serious heart problems. Jack wanted to know what it was like to have a pacemaker and how it affected him, in order to know which attacks to concentrate on.
Another thing that Steffens deems important for a good hacker: “No excuses.” Determination and dedication are crucial.
“If you want to change the InfoSec scene, get involved in InfoSec,” she says. “At IOActive, we’re looking for bright minds, cool ideas, passionate and hardworking people.” They want people who want to do research whether they are paid to do it or not.
She finished with some advice for hackers: Ask questions, start breaking things, get to know the community, disclose responsibly and, finally, be inspired!