October 2017^ DISCOVER^53
FROM LEFT: MIKKO HYPPONEN; ZINGBOX; JAMIE LYTLE
email account can simply search for
password reset instructions and sail
into the system. Margulies also noticed
that the only information he had to
supply to the company was his street
address. That, too, was a bad move: It
means that an attacker who gets into
the company’s system can simply pull
up the list of addresses, a directory of
vulnerable openers ripe for the picking.
As a responsible hacker, Margulies
emailed his concerns to the
manufacturer. He outlined the flaws
and the risks they carried — and
stashed the internet-connected part of
the device in his closet, relying instead
on old-school offline functionality.
Knowing whom and what they’re up
against is a key part of being a white
hat. “We used to have only one enemy,”
says Hypponen, who launched his
hacking-for-good career in the early
1990s, when few devices were online.
His early investigations of computer-
based crime focused on malware that
spread via floppy disks — magnetic
storage devices that look like plastic
squares and could store about one-
third of a pop song. “The attacker
at that time was very, very simple to
define,” he says. “All the attacks, all the
viruses were being written by bored
teenage boys.”
Hypponen received his first home
computer when he was 13, in early
- His response was powerful
and irreversible. “I immediately was
lost into it.” Electronic devices and
hacking culture have co-evolved in the
decades since then, but he says at least
one thing hasn’t: People who discover
hacking as a vocation know it from a
young age.
“I think the best hackers have pretty
much always known that they’re good
at this,” he says. “They’re probably
mathematically gifted, or gifted to do
technical stuff. Geek stuff.” Hackers
were the kids who walked down the
street with their parents’ automatic
garage door openers, holding down
the button to
see which doors
would open.
Talented
hackers,
Hypponen
says, analyze
a system and
see something
different from what the designers
intended. For example, say you wanted
to break into a system through its login
screen. But instead of typing a login
name, you do something radically
different — like copy and paste a
massive image in the username box.
“Maybe the creator of the website
didn’t think of that, and it breaks the
system,” says Hypponen. If the hacker
is lucky, he says, that crack exposes
a vulnerability.
People interested in tinkering with
software often end up breaking the
law, but nowadays they also have
legitimate avenues of expression.
Hypponen points to “bug bounties” —
reward money offered by companies
to hackers who expose flaws. “You can
try to break the system, and you have
permission to do it,” he says. “Use
your skills, scratch your itch. I know
people who live on bug bounties.”
F-Secure, the company Hypponen
works for, encourages people to try
to break into their system. “If we
have vulnerabilities in our servers
or software, we want you to tell us,”
he says. “We want you to sell that
information to us, not to others.”
WITH OUR POWERS COMBINED
It’s a change in culture that has
benefited people like Samy Kamkar.
He began intruding into private
online communities as a teenager,
and he attended his first DEFCON
convention — which has become the
best-known underground hacking
conference in the world — at age
- Now 31, the Los Angeles-
based Kamkar hosts a popular
YouTube channel called Applied
Hacking, where he exploits security
weaknesses in everyday objects like
combination locks, locked cars and
locked computers. His views number
in the millions.
In one memorable episode, he
Digital security experts
Mikko Hypponen (left),
May Wang and Ted
Harrington agree malicious
hacking will likely increase.
PEOPLE INTERESTED IN TINKERING WITH
SOFTWARE OFTEN END UP BREAKING THE
LAW, BUT NOWADAYS THEY ALSO HAVE
LEGITIMATE AVENUES OF EXPRESSION.