How it all began – section written by VP of Services, Mikael Lagström.
Back in January 2014 we got a call from an old colleague asking vaguely if we would be interested in talking to a friend of his who had got an assignment to write a book that involved hackers and hacking. He was not allowed to say more than that, but his author friend needed some guidance, advice and inspiration for his upcoming work. Since it sounded quite fun, and unusual, and since we like to help out, we, of course, said OK to having a chat with his friend.
A few days later the author called me up, presenting himself, and also his assignment.
Having read and enjoyed the original trilogy about Mrs. Lisbeth Salander from the late Stieg Larsson, I was really happy to hear that the author on the call was David Lagercrantz, and that the book he was about to start work on was the 4th book, to be named “The Girl in the Spider’s Web”.
David didn’t have much knowledge of our industry or the hacker world, besides what is in the earlier books from Larsson, so he simply wanted some inspiration and guidance to ensure that he didn’t end up with a story that wasn’t realistic, while still being entertaining and understandable. Being in charge of our global Services team of ethical hackers, I also got great help from senior hacker and company CSO Martin Jartelius, and we scheduled some starting sessions, where David put forward some of his ideas and questions, and where we guided him through “our world”.
It then took some months before we heard from David again, and he came back to us for a follow-up call, to verify that he had got things right, and in an understandable way, for people outside of the hacking world, and that it all made sense.
At this time, it was still before summer in 2014, and up until summer of 2015 we more or less forgot about this, and then the release date came closer. David had in the early stages talked about the huge success his upcoming book would become, but we couldn’t really understand or realize that it would sell out completely in 40+ countries right away. Neither did we expect all the attention we got from media, from the mention in the “Thanks from the author” in the book.
For this text, we were asked to produce the same thing for our internal marketing team as we helped Mr. Lagercrantz to look closer at – the mindset and traits of a hacker.
The mindset and traits of a hacker – section written by CSO, Martin Jartelius.
The problem with that is that there are few distinctions. You will find lots of blog posts on the topic, as well as magazine publications on the topic, likely books, and presentations. Today, they are more or less wrong. This is due to the widening of the term hacker.
There are “life-hackers” today – It used to be extremely advanced and insightful or creative ideas, today it’s been reduced to ‘Use the lid from takeaway coffee and you will not get molten ice-cream on your car seats’.
That is not a hacker in the sense of the term we will respect.
It could also be “Someone who constantly when walking through life observes patterns and behaviors and how social rules enforce the actual security around us” – A very general term. It will hold true for a load of persons most of us will agree are hackers, but it’s too specific to encompass all, and it will also encompass fraudsters, criminals, politicians and most decently it qualifies policemen. So it’s not a good definition.
Hacking changed as well. To hack “Evil Corp Inc.” may be difficult, but hacking “Any server on the internet which is vulnerable to this attack I found online and don’t understand” is not.
The last group, earlier referred to as script-kiddies and today often calling themselves, for example, Anonymous, or using any other loose formation, or acting as individuals, have had their potency for bad digital behavior enhanced. There are tools available for almost anything. It’s space elevators – it takes a really smart person to have the idea. This would be the traditional hacker, or maybe just a smart engineer, but someone who usually has a deep insight into how the bits of something fit together, and where to give it a good kicking to make it fall apart. It takes some engineers a bit of time to make it happen; they don’t have to understand WHY they do something, in fact, they just need to understand what to do. It may well be complicated to do it of course, but you don’t need the detailed insight. Here you find the tool-writers who arm the masses.
What changed here is that the security researchers started automating their process as well, so more and more frequently errors and issues are found by tools, then transferred into tools, meaning someone took one step above the hierarchy and equipped tool writers with the ability to hack. Anyhow, in the physical world here is where we find the guys who send the space elevator into space, they don’t really need to have the ideas, they are just darn good at what they are doing.
Now we have all the others using the elevator later. They can go to space. They don’t know how, they don’t know how the elevator got there, but they are decently fit to push the buttons in the elevator. Or they can read the manual, should the buttons be designed by an engineer and not a human-machine-interface designer.
All the guys above are, in media and in the eyes of the public as well as of the organizations they harass or attack, considered hackers.
To us, hackers are a far wider group. It is a social movement: just as everyone used to play soccer in Europe regardless, to a good extent, of their social class, background or education, the same holds for hackers. The structured ones working as security specialists, who mainly just work with the tools and research of others, are often well educated, but if you look at the cutting-edge research ones, having an education or formal technical background is not a defining fact. Many have the potential to do it, some choose to develop the skills. Today, due to the better overall insights, it is rarely an art, it is a skill.
You know what? They are not interesting for Mr. Lagercrantz. Lisbeth Salander is not an amateur working with others’ results and ideas, she is a self-taught hacker with deep insights into her areas of interest. She has the traditional mindset of full focus on a task, the lack of respect for protections consisting of rules. She is not constrained by her own assets as an ethical researcher, the internet is her learning ground. How can you describe the psyche of a person and their method of operations? It takes one to know one, and this is where we ensured that all the above, as well as how you break in, how you tell if an attacker was skilled or careless, how you determine if the code is efficient or bloated, all those parts we could tell. But it was also time to put Mr. Lagercrantz in contact with our friend and former colleague Mr. David Jacoby from Kaspersky Lab, who started with the same self-taught background and holds the right mindset.
We could teach Mr. Lagercrantz what a hacker does, and how, but not who they are. It was time to move from understanding the attack to getting to know Lisbeth, and we felt safe in making the recommendation. The rest you all know.
//Mikael & Martin