If you ask most people to picture a hacker, their description probably sounds something like this: a shadowy figure in a black hoodie, typing furiously at a screen glowing with green-on-black code scrolling faster than anyone could read. (Hard to visualize? Treat yourself to a look at the Google image search results for “hacker.”)
It’s true there’s no shortage of black hoodies or console-inspired color schemes at events like last week’s DEF CON, but this one-dimensional image misses a lot of the truth. On the long trip home from Vegas last week, I found myself thinking about the better angels of many hackers’ natures, the side a lot of folks don’t get to see.
The first step in a hacker’s journey is always the security mindset – a different way of looking at the world that bypasses the hype of new features to look for the juicy bugs, an impulse to ignore the clearly labeled front door and look for secret passages instead. Because the people who lean toward this mindset tend to question authority and have a rebellious streak, hackers are usually dismissed as troublemakers or agents of chaos.
While there will always be destructive skiddies and those just doing it for the lulz, more often this rebellion serves a purpose. Hackers are naturally drawn to explore what can be done, and when rules that only define what’s supposed to be done stand in the way of that answer, curiosity often beats compliance. Each time their curiosity unearths a vulnerability before an attacker can exploit it, it helps keep us all safer. To stop attackers, one has to deeply understand how they think.
Information security isn’t a level playing field. Attackers always have an advantage: a defender has to find and fix every weakness, while an attacker only needs to find one that was missed, so anyone defending has to work longer and harder just to keep up. This raises a question: If applying the same set of skills to do the wrong thing is often easier and more profitable than doing the right thing, why do so many researchers dedicate their time and efforts to defense? Why would someone accept a $1,000 bug bounty when they could sell a $100,000 0day?
The answer goes beyond rules to something deeper: It’s the right thing to do, and someone has to do it. Or, as others have proverbially summed up, “Think bad, do good.”
If there were a single golden rule for hackers (and getting everyone to agree on one thing is never easy), it would be “information wants to be free.” Knowledge is power, especially when it comes to security – if knowing is half the battle, then learning better be the other half. This is partly practical, because we can better defend against threats we understand and learn more collaboratively than alone.
It’s also a philosophy that brings this community closer to being a meritocracy than anywhere else I’ve seen. Anyone can find a place in the community if they’re willing to work hard and learn all they can. It’s not always easy, and asking lazy questions that can be answered with a Google search might earn a resounding chorus of “RTFM,” but the point remains: a lot of misfit outsiders have found a home in security.
Signs of this community were everywhere in the halls of Caesar’s Palace – villages where experts helped newbies learn about an unfamiliar subject, workshops to help coach first-time speakers on how to overcome their stage fright and submit a talk, nearly as many privacy and education nonprofit tables as actual vendor booths in the vendor hall. DEF CON is definitely a “hack hard, play hard” sort of scene, and organizers made sure that recovery meetings were scheduled all week so those who needed support could find it. And as a trans person, seeing more people like me in three days than I do in a year of business conferences made me proud.
So to those who weren’t sure they’d fit in at DEF CON, or those who were afraid to go for fear of getting pwn’d, I say this: Come next year, say hi, and make a new friend! Most people you’ll meet don’t bite, I promise. You should still probably turn off Bluetooth and Wi-Fi, though...