When you think of a “hacker”, what do you picture? Is it a child computer genius with incredible math skills? A wild former spy with a unique skillset and a grudge? A criminal working to undermine the security of the world by “breaking in” to things? Or what about a tinkerer, a creator, a maker?
Certainly, all of the people described above could be referred to as “hackers” in different contexts. That leaves us with the question: “what exactly is meant by the label ‘hacker’?” This elusive definition has been troubling me for quite a while. So, I started looking into it. I spent a fair amount of time thinking about this subject, drawing from my 9 years of experience in infosec and my work as an “ethical” hacker, as well as my connections and travels within and without the infosec community. Finally, I think I have an answer.
You won’t find what I’m about to tell you in a textbook anywhere. It’s not in the dictionary, and it’s certainly not understood by the layman. If you think my analysis is incorrect, I would like to hear any challenges you might have to offer. Let’s get to the bottom of this.
There are essentially two different definitions of hacker, and two different hacker communities, which have significant overlap. These two communities share many of the same people, networks, contacts, goals, etc., but they are built around two very distinct centers of power. The first of these two communities is the “SANS” style hacker.
This community is built around the nexus of power that is the government. The people within this community are the same types of people that you might generally see at a SANS conference. They might work for the government directly, or otherwise be employed in a job which is, directly or indirectly, subservient to the regulation imposed upon them by the demands of law. These people are often everyday security practitioners, many of whom value access above all else.
Think of members of the US Department of Defense, employees of large corporations, multinationals, banks, etc. The rigidity of government regulatory activity defines the nature of this community’s operational modality. Essentially, this community’s demands are placed upon it from the top down. That is, someone somewhere sends down an edict to “do security”. This edict then must be carried out to the best that the lower group’s technical resources can muster. Therefore, it is no wonder that the primary driver of this group is “access”: how to get it, how to keep it, and how to keep others from it. Their whole world is defined by the necessity of “cybersecurity” in daily operations, or in light of government regulation.
It is for this very reason that SANS training is largely a condensed computer science degree, designed to offer those who might not otherwise be able to develop their own techniques, tools, exploits, etc. the knowledge to prioritize the tips, tricks, and secrets of the illustrious “hacker”, and thereby learn to execute their mission: to gain and manipulate “access”.
Others outside of this core community who accept the same definition of hacker, and seek to gain knowledge of methods by which “access” may be manipulated, will often be at least partially pulled into this one particular community and world, be it through watching podcasts, conference talks, or reading blog posts/whitepapers generated from within this community. This eventuality arises because of the shared goal of “access.” Those others who find themselves drawn to this community also idolize the idea of “access” into applications, networks, and organizations.
But there is another definition, one that comes from a completely different world, promotes an entirely different mode of being and action, and has a completely independent community nexus of its own. This second hacker community does not prize hacking as being fundamentally about “access”. Rather, in this community to “hack” means to create an elegant, unique and efficient solution to a given problem; most often, a solution which arises from the novel combination of resources previously seen as unrelated or tangential.
This community finds its nexus not around those centers of power from which edicts and regulation arise. In fact, this community prides those within it on being the source from which the power of its institutions is itself born. This community is centered largely around the networks of people within the world of academia, both at its core and fringes. This community replaces public servants and IT professionals en masse with computer scientists and mathematicians. Here the goal is no longer to “do security”, as the daily demands of running an organization and protecting it from attack are not at the forefront. This community is instead motivated by the idea of building, creating, and advancing the science and the world in any and every possible way.
Does that mean that this community does not have any love for the idea of “access” as per the primary pop-cultural understanding of the hacker? Not at all. To cleverly apply yourself to a problem, and solve it using a novel solution not easily understood or inferred, is precisely how someone gains access. The question is only which type of “problem” you’re seeking to solve.
The very important note here is that a “hacker” as per the second definition is not wholly motivated to solve only those problems which give them access to a computer network, for good or ill. If hacking is solving problems in order to manipulate systems at large, that can mean a lot more than just a computer network. A clever hack can change the way we call for a cab, or how we book lodging when we travel. A clever hack can bring our entire social lives online, can change how we make payments globally, or wipe out malaria. If to be a hacker means to be clever and resourceful, then this community trades logging into someone’s Facebook because they left it open for world-altering solutions to any and all systemic failures.
So… which kind of hacker are you?