The Hacker Mindset

How thinking like a hacker can increase your cybersecurity (really)

I’m going to say something we don’t usually say in our blog: ‘hacker’.

If you’re not a security professional, I’ll bet right now you’re thinking of an evil dude in a hoodie doing bad things to computer systems like swiping your sensitive data to sell on the dark web.

But that’s not a hacker; that’s a criminal.

Hackers break into computer systems to do good. How can I make that claim? Because at 15, I started my career doing something that could have gotten me into a lot of trouble.

Instead, the man who could have turned me in rechanneled my energy. I’m the staff security engineer for offensive security at Auth0, a certified ethical hacker, hold two DEF CON black badges and have 26 years of experience across IT and cybersecurity.

I’m sharing my story to help you understand how hackers think so you can put that mindset to work, helping secure your business. But first, a bit of context via a brief history of hacking.

Brief History: Why ‘Hacker’ Is an Overloaded Word

Reading this post on your smartphone or personal computer? You can thank hackers and the phone phreaks who inspired them.

(What follows is a quick summary of the history. For more details, check out the documentary “The Secret History of Hacking”.)

In the 1960s and 1970s, the global telephone network used in-band signaling: the tones that routed a call travelled over the same line as the voice, so anyone who could reproduce them could control the switch. The 2600 Hz tone that seized a long-distance trunk could be produced with a toy whistle included in a box of Cap'n Crunch cereal (or sung, if you had perfect pitch). Phone phreakers freely shared knowledge and did some social engineering, talking their way into trunk code access or even walking away with phone company technical manuals, says "The Secret History of Hacking".

By 1971, they'd shared their knowledge with an Esquire reporter, and businessmen, stockbrokers, auto dealers, and more or less anybody else who wanted to make free long-distance calls could phreak. This led to jail time for several phreakers but also inspired two college kids, Steve Wozniak and Steve Jobs, who would go on to found Apple Computer.

At the time, "hacker" still meant someone who was super-curious about computers, how they worked, and how to make them do unexpected things like produce color on TV monitors. Hackers shared that information with each other freely, because sharing and exploration were the root of the hacker ethos.

Wozniak's exploration was also a root of the personal computer. He built one in his bedroom, and Jobs secured a $50,000 deal for Apple Computer. Wozniak and Jobs went from sharing information freely to having to focus on creating a product (there's a bit more here, but go check out the documentary for more detail).

As computing became more about business, what had been treated as teenage pranks started being prosecuted as criminal offenses. The meaning of "hacker" shifted at about the same time Hollywood released the hacker movie "WarGames" (1983).

But the thing is that the internet as we know it was built for sharing information. This means that security and, later still, privacy have been bolted on. All of the cool things that we can do with computers today hark back to the original curiosity and exploration of hackers and phone phreakers.

While this allows bad actors to pull off attacks like ransomware or account takeovers using “hackerlike” behaviors, there are people like me using their hacker skills to do good. They’re known as ethical hackers.

What is ethical hacking?

Ethical hacking is looking for vulnerabilities within systems, applications, and companies, within legally agreed-upon constraints, with the intent of sharing your findings with the company so the system or app can be made better: hacking for good, but also for street cred.

More on that after I tell you how I almost became a criminal.

How a Childhood Hack Jump Started My Career

My first computer was an Epson 286. It was a gift from my grandfather by way of my dad. Both of them also shared their love of tinkering with me, solving problems on our farm in Minnesota with whatever was at hand MacGyver-style.

Dad inadvertently opened the door to potentially criminal behavior by connecting that computer to the outside world. He installed a screechy dial-up modem to access our two-line local bulletin board system (BBS), and I poked around until I hit a restricted area. Only I didn't stop there.

If most people see a big red button and don’t know what it’s connected to, they probably won’t push it. Most hackers I know want to see what happens if you do. So I pushed buttons until I guessed the password. Like any teenager, I bragged to all of my friends. It wasn’t long before my gloating got back to the system operator (sysop) of that network.

Instead of turning me in, the man who would become my mentor put me to work repairing computers after school for $4.75 an hour. While I repaired, Jim Terwee, owner of Northland Computing and sysop of that BBS, taught me about reverse engineering, programming, and what it really meant to be a hacker. The experiences I've had? The work I do now helping secure more than 5 billion global logins a month for Auth0? It's because Jim was able to redirect my curious energy.

This is something you can do by engaging ethical hackers to help protect your company or even inspiring your colleagues or yourself by exploring the hacker mindset.

The Top 4 Hacker Mindset Characteristics

In The Secret History of Hacking, they spend a lot of time talking about how hackers “think differently” from other people. Given the big red button example, I would say I agree, but neuroscience has taught us a lot about brain plasticity since that documentary was made. Even if you don’t naturally lean towards hacking, I think there’s a case to be made that computers have taught people to push buttons to find answers. These characteristics can be found in many professions: many athletes, artists, and business leaders rely on the same four.

Curiosity: If I had to pick only one characteristic, curiosity could probably be expanded to include the other three. But anyone engaged in ethical hacking or “hackerlike” behavior is curious about how things work. If they push the red button, what happens? If they send just the right packet, can they break into the system? If they ask the right set of questions when they call the front desk, can they get an executive’s email address?

Creativity: Different people define creativity differently. For me, it's about how you approach a problem. For example, I typically don't want access to the code base when I'm helping test an app or platform. I want to come at it the way a user might encounter it in the wild. This constraint forces me to come up with interesting approaches; knowing the code base or architecture is useful, but it gives me far too many options. Constraints help force creativity.

Respect for diversity of thought: The internet is not the work of one person. I know that may seem obvious, but thousands of minds (maybe hundreds of thousands) make all the apps and sites we use to get food, learn, access healthcare, and make sure we have enough funds to shop at our favorite retail sites. As I mentioned earlier, the internet was born to share information; we can describe security and privacy as being "bolted on." All those minds all over the world are doing things in different ways at the same time, and bad actors are also all over the world figuring out ever-evolving attacks. It just doesn't make sense to put together a security team of people who come from the same background, went to the same college to study with the same teachers, and end up listening to the same music and sharing the same meme content. Different people come at problems differently. This makes diverse teams more effective at securing sites, winning DEF CON black badges (more on that in the next section), and really doing anything, and there's recent research that says diversity of thought even helped teams do better during the pandemic.

Tenacity: Ethical hackers and malicious actors strongly share the characteristic of stubbornly not giving up. Neither of us is going to have a look at your app, click the mouse a few times, and decide we can't break into it. Code is written by humans, so it's fallible. That means sooner or later, we will find a vulnerability. An ethical hacker may have been hired to do this for a company or may be operating independently, in which case it's good to help ethical hackers know how to reach your security team. Like I said, I am stubborn. When I was operating independently, I wouldn't stop at not being able to easily reach your security team for a serious issue. I would have reached out to your sales team. Tell the sales people there's a problem with the security of their product, and you'll get a response. They're tenacious, too.

Diversity of Thought in Action: DEF CON Black Badge Case Study

DEF CON is one of the world's largest hacker conventions. It's where we get together to swap tools and ideas, learn things, and meet new people. It's also where you can participate in cool hacking competitions and win prizes. One of the most coveted prizes is the DEF CON black badge, because it means you get entrance to DEF CON "for your natural life." They're also super-cool (see mine below). My team's won twice, but we didn't start out as winners.

DEF CON Black Badge

Ryan Clarke, also known as LostboY, created the Mystery Challenge, a hacking challenge run at DEF CON where the points, rules, and challenges were a mystery. Skills like lock picking, working with electronics, breaking ciphers, acting, communication, and more were all tested, and people were encouraged to collaborate on the challenge.

The first year I played, I was lucky to join a team with some friends who had played the challenge the year before. We didn't do very well, but we had fun and made new friends. For years we returned, more prepared than the year before, doing anything we could to win. (Being prepared for a mystery sounds a bit like defending a network, doesn't it?)

Over the years, the team grew, bringing in members with different skills, knowledge, and interests: physical security, hardware hacking, social engineering, making (turns out some makers are really good at forgery). We continued to grow and diversify our team until, five years after our first try, we won! And then our team (Team Psychoholics) did it again. At DEF CON 28, we also won the TeleChallenge phreaking challenge.

Betting you’ve picked up on the pattern — creativity, tenacity, curiosity are all required, but you need diversity to have a winning team.

Whether or not you have the budget for an internal security team or to hire an ethical hacker, I have an ethical hacker exercise you can try right now that could improve your cybersecurity (provided you’re willing to act on what you’ve learned).

Your Turn: Thinking like a Hacker

Let’s say you have five people at your company. Get them to sit down at the real (or virtual) lunch table and ask them two questions:

  • How would you steal our company’s data?
  • What do we have that’s valuable? And how would you steal it?

Everyone is going to have a different perspective. Your engineer may identify certain parts of your code as valuable; your chief marketing officer might point to your customer relationship management (CRM) database. Each of them brings a different insight. Then you ask the next question:

  • How would you stop them? For example, if the building is on fire, you probably have an alarm. In most countries, you can dial emergency services and have them come to put it out. Do you have systems in place? Where are the holes?

That diverse range of answers will help you identify your gaps. Then you need to take action. For many companies, whether their resources are small or large, the easiest way to access ethical hacking talent is to pay for it.

Why Your Company Needs a Bug Bounty Program

Hackers are continually poking at various apps and sites. When they find a vulnerability, they want to share it with the company so that changes can be made. But some companies don't make reporting those concerns easy. This can lead to hackers getting frustrated and performing full disclosure in public, without coordination with the company. While the frustration is understandable, public disclosure of an unfixed issue doesn't always protect consumers.

A bug bounty program pays hackers to find vulnerabilities within constraints you establish: which assets are in scope, when and where a vulnerability may be published, and how much time the company has to fix the problem. This means you get a diverse range of people checking your app or site within your guidelines, and you pay only when they find something real, the kind of flaw that, left unfixed, could lead to a breach, a fine, or even legal action. Many companies combine bug bounty programs with third-party penetration testing and in-house staff. Frankly, every company should have a bug bounty program, but if you're not quite ready, make sure you at least have a clearly published way for hackers to report concerns to you.
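The simplest way to give hackers that reporting channel is a security.txt file, the format standardized in RFC 9116 and served at /.well-known/security.txt on your site. The file below is an added example written for this post, not Auth0's own file; the host example.com, the addresses and the URLs are placeholders you would replace with your own.

```text
# Added example of an RFC 9116 security.txt, served at
# https://example.com/.well-known/security.txt (example.com is a placeholder host).
# Contact and Expires are the two required fields; the rest are optional.

# Where to send reports: a mailbox, a web form, or both. Listed in order of preference.
Contact: mailto:security@example.com
Contact: https://example.com/security/report

# The file is considered stale after this date; keep it less than a year out
# and refresh it so researchers know the contacts are still monitored.
Expires: 2026-12-31T23:59:59.000Z

# Public key so a reporter can encrypt vulnerability details to you.
Encryption: https://example.com/pgp-key.txt

# Languages your team can handle reports in.
Preferred-Languages: en

# The authoritative location of this file, so copies elsewhere can be spotted.
Canonical: https://example.com/.well-known/security.txt

# Your disclosure policy: scope, safe-harbor terms, and how long you take to fix issues.
Policy: https://example.com/security/disclosure-policy

# Where you credit researchers, which is the "street cred" part of ethical hacking.
Acknowledgments: https://example.com/security/hall-of-fame
```

Two practical notes: the Policy link is where the constraints a bug bounty program sets (scope, publication timing, fix window) live, so a hacker can check them before touching anything, and the file can be clear-signed with the key referenced by Encryption so a reporter can tell it has not been tampered with.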

Here at Auth0, we have our own bug bounty program. It runs on Bugcrowd, a platform for crowdsourcing application security testing, which is another way of bringing a lot of diversity of thought to bear on your app.

Did I Change How You View ‘Hackers’?

Hopefully, by now, you’re seeing something different when you see the word “hacker.” There’s more I could tell you about the difference between white hats and black hats and how there are even gray hats, but that’s for another post or satisfying your own curiosity.

If you’d like to learn more about defending against “hackerlike” attacks, please check out our inaugural report on identity security, The State of Secure Identity or reach out to me on Twitter @adam_baldwin.