Hacking the Hacker. Grimes Roger A.

Title: Hacking the Hacker
Author: Grimes Roger A.
Genre: Foreign educational literature
Publisher: Foreign educational literature
ISBN: 9781119396222

      Roger A. Grimes

      Hacking the Hacker: Learn from the Experts Who Take Down Hackers

      Foreword

      Roger Grimes has worked in the computer security industry for nearly three decades, and I’ve had the pleasure of knowing him for roughly half that time. He’s one of a select few professionals I’ve met who clearly has security in his bones – an intuitive grasp of the subject that, coupled with his deep experience catching bad guys and rooting out weaknesses in security defenses, makes him uniquely qualified to write this book.

      Roger first began writing for InfoWorld in 2005 when he sent an email criticizing the work of a security writer, a critique that carried so much weight we immediately asked him to contribute to the publication. Since then he has written hundreds of articles for InfoWorld, all of which exhibit a love of the subject as well as a psychological understanding of both malicious hackers and the people who defend against them. In his weekly “Security Adviser” column for InfoWorld, Roger shows a unique talent for focusing on issues that matter rather than chasing ephemeral threats or overhyped new technologies. His passion for convincing security defenders and their C‐suite bosses to do the right thing has been steadfast, despite the unfortunate inclination of so many organizations to neglect the basics and flock to the latest shiny new solution.

      In this book, Roger identifies the ethical hackers in this industry who have made a difference. Their tireless efforts help hold the line against a growing horde of attackers whose objectives have shifted over the years from destructive mischief to the ongoing theft of precious intellectual property and millions of dollars from financial institutions and their customers. We owe these people an enormous debt. In providing a forum for the likes of Brian Krebs, Dr. Dorothy Denning, and Bruce Schneier, Roger pays tribute to their efforts while delivering a fascinating compendium that entertains as well as informs. It’s essential reading for anyone interested in computer security and the people who strive against all odds to keep us safe.

Eric Knorr, Editor‐in‐chief, InfoWorld

      Introduction

      The intent of this book is to celebrate the world of computer security defenders by profiling some of the world’s best whitehat hackers, defenders, privacy protectors, teachers, and writers. It’s my hope that you’ll walk away with a greater appreciation of the behind‐the‐scenes efforts it took to give us the fantastic world of computers we live in today. Without all the good people on our side fighting against those who would do us harm, computers, the Internet, and everything connected to them would not be possible. This book is a celebration of the defenders.

      I want to encourage anyone contemplating a career in computers to consider a career in computer security. I also want to encourage any budding hackers, especially those who might be struggling with the ethics of their knowledge, to pursue a career in computer security. I’ve made a good life fighting malicious hackers and their malware creations. I’ve been able to explore every single hacking interest I’ve had in an ethical and law‐abiding way. So, too, do tens of thousands of others. Computer security is one of the hottest and best paying careers in any country. It has been very good to me, and it can be for you, too.

      For most of this book, I provide a chapter that summarizes how a particular style of hacking is accomplished, and then I follow it with one or more profiles of computer security defenders lauded in that field. I’ve tried to pick a variety of representative industry legends, luminaries, and even some relatively unknowns who are brilliant for what they have accomplished even if they are obscure outside their industry. I tried to choose a good cross‐section of academics, corporate vendors, teachers, leaders, writers, and private practitioners located in the United States and around the world. I hope readers interested in computer security careers can find the same motivation I did to help to make computing significantly safer for all of us.

      Go fight the good fight!

      1

      What Type of Hacker Are You?

      Many years ago, I moved into a house that had a wonderful attached garage. It was perfect for parking and protecting my boat and small RV. It was solidly constructed, without a single knot in any of the lumber. The electrical work was professional and the windows were high‐quality and rated for 150 mph winds. Much of the inside was lined with aromatic red cedar wood, the kind that a carpenter would use to line a clothing chest or closet to make it smell good. Even though I can’t hammer a nail straight, it was easy for me to see that the constructor knew what he was doing, cared about quality, and sweated the details.

      A few weeks after I moved in, a city official came by and told me that the garage had been illegally constructed many years ago without a permit and I was going to have to tear it down or face stiff fines for each day of non‐compliance. I called up the city to get a variance since it had been in existence for many years and was sold to me as part of my housing purchase. No dice. It had to be torn down immediately. A single day of fines was more than I could quickly make selling any of the scrap components if I took it down neatly. Financially speaking, the sooner I tore it down and had it hauled away, the better.

      I got out a maul sledge hammer (essentially a thick iron ax built for demolition work) and in a matter of a few hours had destroyed the whole structure into a heap of wood and other construction debris. It wasn’t lost on me in the moment that what had taken a quality craftsman probably weeks, if not months, to build, I had destroyed using my unskilled hands in far less time.

      Contrary to popular belief, malicious hacking is more maul slinger than craftsman.

      If you are lucky enough to consider a career as a computer hacker, you’ll have to decide if you’re going to aspire to safeguarding the common good or settle for pettier goals. Do you want to be a mischievous, criminal hacker or a righteous, powerful defender? This book is proof that the best and most intelligent hackers work for the good side. They get to exercise their minds, grow intellectually, and not have to worry about being arrested. They get to work on the forefront of computer security, gain the admiration of their peers, further human advancement in the name of all that is good, and get well paid for it. This book is about the sometimes unsung heroes who make our incredible digital lives possible.

      NOTE

      Although the terms “hacker” or “hacking” can refer to someone or an activity with either good or bad intentions, the popular use is almost always with a negative connotation. I realize that hackers can be good or bad, but I may use the terms without further qualification in this book to imply either a negative or a positive connotation just to save space. Use the whole meaning of my sentences to judge the intent of the terms.

      Most Hackers Aren’t Geniuses

      Unfortunately, nearly everyone who writes about criminal computer hackers without actual experience romanticizes them all as these uber‐smart, god‐like, mythical figures. They can guess any password in under a minute (especially if under threat of a gun, if you believe Hollywood), break into any system, and crack any encryption secret. They work mostly at night and drink copious amounts of energy drinks while littering their workspaces with remnants of potato chips and cupcakes. A school kid uses the teacher’s stolen password to change some grades, and the media is fawning on him like he’s the next Bill Gates or Mark Zuckerberg.

      Hackers don’t have to be brilliant. I’m living proof of that. Even though I’ve broken into every single place where I’ve ever been hired to do so, I’ve never completely understood quantum physics or Einstein’s Theory of Relativity. I failed high school English twice, I never got higher than a C in math, and my grade point average of my first semester of college was 0.62. That was composed of five Fs and one A. The lone A was in a water safety class because I had already been an oceanfront lifeguard for five years. My bad grades were not only because I wasn’t trying. I just wasn’t that smart and I wasn’t trying. I later learned that studying and working hard is often more valuable than being born innately intelligent. I ended up finishing my university degree and excelling in