Mutually Assured Cyber Destruction
With its clean, white-linoleum floors and bulletins on the walls, the Merrill Engineering Building at the University of Utah seems like a typical campus building. Yet the students are anything but typical. Here, you’ll hear students having hallway conversations about Bernoulli’s principle. Or you’ll see a student wearing goggles with wires trailing to a laptop, which is carried by another student walking down the hallway.
In Matthew Might’s office, framed photos of Star Trek’s Captain Kirk hang above his desk. Stacks of books line the wall—there’s a Linux manual next to Sun Tzu’s The Art of War. I sit down with Might at a conference table emblazoned with the logo of Starfleet Academy.
Might, a professor in the university’s School of Computing, exudes an easygoing manner, even when awkwardly deflecting questions about his youthful hacking.
“I’ll tell you one thing, at one point I was worried about my home phone line being tapped, so I built a box that would drain the power out of the phone line if it got lit up by a trace,” Might says. The only problem was that his box set off the security alarm in his parents’ house.
“My parents just thought it broke,” Might says with a laugh. “I don’t think they ever knew it was me.”
Might says the power to control machines has always been incredibly appealing to him. Now, he says, the research he’s doing at the U is helping not only Utah’s emerging cybersecurity industry, but also the national cyberwarfare defenses. While U.S. technology is advanced, he says, it’s not foolproof, especially when it comes to cyberdefense.
“Just because we’re the best doesn’t mean many others aren’t good,” Might says. “In fact, many countries are extremely good at offensive cyberwarfare, including China, Iran and Russia. And, honestly, if it came to all-out cyberwarfare, there’s not a lot we could do to defend ourselves right now.”
Might has a habit of dropping these fun facts about America’s meager cyberdefenses the way another person might casually talk about the poor defense of a basketball team.
“Most all of the nightmare scenarios are possible because every piece of equipment we’ve got is vulnerable,” he says.
How bad is it? Well, while most movie depictions of hacking are inaccurate when it comes to attackers coolly punching some keys and then gaining access to high-security systems, the hacks themselves are largely within the realm of possibility. Power grids could be taken down, satellites taken offline, military technology “Rick-rolled” to the point of being rendered useless and thereby leaving the country vulnerable.
“There’s been a recognition in the past few years, even by the military, that the situation has gotten out of hand, because even the military gets compromised on a daily basis now,” Might says.
That’s why Might is working to revamp cybersecurity for the U.S. military, thanks to two research grants from the Defense Advanced Research Projects Agency. His goal, he says, is to create a system that will reboot the cybersecurity paradigm.
Currently, he says, when software is developed, patches that users can download are created later to catch bugs or fix vulnerabilities. The problem is that the good guys don’t always find the vulnerabilities before malicious users do. And even when the good guys spot the problems first and release the patch to customers, this also points out to hackers exactly where the vulnerabilities lie. If the user doesn’t download the patch—and a lot of users, annoyed at the thought of interrupting work or play with yet another download, don’t—then they’re very exposed.
One solution Might is working on to replace the “patch & pray” model of cybersecurity is an automated computer scan to identify problem areas before software is released to the public.
“Every programmer makes mistakes; we’re human,” Might says. “That’s why it’s better to rely on machines to do the checking.”
Might says the program will identify common programmer errors through automated systems. If you’re worried that this cedes a little bit too much authority to the machines and puts humanity on the path to a future at war with Terminators or Cylons, Might’s program plan also has humans verifying the machine’s work with mathematical proofs that can be checked by hand.
Might hopes that such measures can help shore up the country’s cyberdefenses. He points out that countries like North Korea have “tremendous” cyberwarfare capabilities. One reason such countries have refrained from a major cyberattack against the United States might be that they know that such an attack would likely result in the United States responding with actual force.
But what if the attack could also cripple the military, thus removing the threat of the United States responding to a cyberattack with bombs and bullets?
“That’s what keeps me up at night,” Might says.
While the prospects of cyberwarfare sound terrifying, it is comforting to know that Utah research universities are working hard to shore up our digital defenses and train cybersecurity experts. But while you can get a degree in cybersecurity, members of the state’s thriving hacker community argue that the real art of hacking is something you just can’t get in a classroom.
Da Vinci Was a Hacker
Neil Wyler took the handle “Grifter” at the age of 8, when he began his love affair with hacking. At the time, computers and the Internet were new to everyone, even the military specialists and universities that were the first to embrace the new technologies. Now in his mid-30s, Wyler says the technology has changed into something so user-friendly that the average user doesn’t appreciate the magic of the technology.
“My son who’s 5 years old, he looks at the computer like it’s a toaster,” Wyler says. “As far as he’s concerned, it’s just another appliance that is in the house. It’s not this sexy, magical thing.”
Wyler says that’s an outlook he hopes to change, but he says it’s a common attitude among many technology users nowadays who are looking for one-click solutions and simply resort to the aid of genius bars and geek squads to fix their technology when it malfunctions.
An old-school hacker, Wyler went from using his skills for less-than-legal purposes as a teen to enrolling in the military and, now, doing consulting and working as an information-security engineer. Having hacked most of his life, Wyler says that much has changed since hacking’s early days in the ’80s and ’90s.
“Before, you’d have to hop over a fence of some company and go rooting through their Dumpster or pick the locks off their trucks and get the manuals and go running off into the night,” Wyler says. But now, he says, the digital sharing of our Interwebbed world has made hacking a much more accessible art, with online communities readily sharing and disseminating hacking skills and info to anyone interested.
“For people like us, we are in absolute heaven. We’ve been waiting for this kind of shit for so long, we’re losing our minds,” Wyler says. “It’s like the renaissance of nerd-dom.”
According to the folks of DC801, a hacker is someone who, once they know how something works, wants to see if they can make it do something different, run better, operate faster or more efficiently.
“There are probably as many hackers today as there have been throughout human civilization, because they haven’t always been recognized that way,” Wyler says. “Leonardo da Vinci was a hacker, even though he didn’t have a computer. Bootleggers were hackers, and that’s where NASCAR was born. They were always pushing to see ‘how can I get this car to go faster and faster and faster.’ That spirit has always been there; it just manifests itself in a different way depending on the generation.”
Hacking’s negative connotation is tied to pranks, identity theft and the less-than-honest means used to acquire specialized knowledge of computers and networks, and to how “black hat”—malicious—hackers made technological prowess a dark art. If the layperson treats his computer like a kitchen appliance, it’s no wonder that black-hat hackers have gained a nasty reputation. If someone took over your toaster and turned it against you, you’d be angry and terrified, too.
“The only thing that makes a hacker bad is a lack of integrity,” says Kevin Howard, aka “Lean,” one of the founders of the SLC hackerspace.
Howard, like most of the members, works in information security and uses the space for controlled “hacking.” The members attack “hostile servers” or set up virtual machines on which they’ll unleash the latest worm to see the damage it does. Dissecting attacks, spam, malware and different hacks gives members the upper hand in learning how to help the companies they work for defend against them. And there are plenty of problems out there.
DC801 member Metacortex, who asked that his real name be withheld, sees the “user-friendly” innovations in technology as having opened up plenty of vulnerabilities, with blogs and websites getting infected and spamming others. When spam lands in his e-mail, he’ll trace the e-mail back to find its source, and says it’s often the most well-meaning people who are spreading the nastiest stuff.
“I have seen so many church websites running blogs on WordPress that are serving up malware or porn,” Metacortex says. “All it takes is one click to set up a website, but no one knows how to secure it.”
While the hackerspace provides the freedom to learn new skills in a community environment, Howard stresses that members involved in any illegal or “black hat” activity will be promptly kicked out. Still, he points out that spaces like DC801 are crucial for getting ahead in the cybersecurity biz. Computer degrees can be attained at universities, but higher-ed curriculums can’t keep up with all the latest threats.
“There’s so many avenues through which you can learn, but unless you’re actually getting your hands dirty and securing systems, you don’t have a lot of value” in the job market, Howard says. “If you can’t do the attacks, then you can’t defend them.”
Deven Fore, also known as “decaf,” got the itch to tinker at a young age, growing up in rural Ephraim, where he and his father took every machine apart to figure out how it worked. His latest project is community tinkering, having founded the Orem Transistor, a 5,000-square-foot space in Orem, across the freeway from UVU in a small business park. The community’s November 2012 move to the space was a big upgrade, as the hackerspace had previously occupied a small attic in Provo. Now, members pay a small monthly fee for creative space in the Orem Transistor.
Fore is sort of the godfather of the Utah hacker community. He formed a company to rent the space and organize it into a creative powerhouse of local hackers, whom he considers the true geniuses driving the space.
And the geniuses hold him in high regard. Taking this reporter on a tour of the Transistor on a recent Saturday, Fore was stopped by a fellow member who had a question about something and showed him a laptop screen with what appeared to be the Matrix, or perhaps a schematic for the engine of a spaceship or something equally incomprehensible to this tech-unsavvy reporter. The conversation itself was as undecipherable as listening to modems talk to each other. Whatever the message, the fellow hacker got it, and Fore continued on.
Not only did Fore get the Transistor up and running, but he also helped DC801 set up its space in Salt Lake City as a kind of an extension of the Orem space. The Orem space is not just focused on information security, as DC801 is, and offers more space for electronics and hardware experimentation. In the Orem space, the unspoken mantra is that if you can think it, you can hack it.
“People have this explorer’s attitude ingrained in them, and hackers are definitely not limited to computers and information security,” Fore says. “We have people building a refractory so they can melt metal, we’ve got guys interested in brewing so they’re building a microbrewery here, we’ve got 3-D printers … it’s definitely all aspects.”
The 3-D printers print small bits of hardware, toys and even the pieces needed to make more 3-D printers. And the gadgetry doesn’t stop there. Members have created flying helicopters and a computer-controlled CNC router saw. There is even a lounge where hackers have made their own arcade game, dubbed Keep the Change, which has old-school joystick controls and is loaded with dozens of old Nintendo-generation games.
It’s a spirit of unconstrained tinkering and invention that Fore is particularly proud of in the space. “This generation’s hacker is last generation’s do-it-yourselfer,” he says.
One hacker in the space, Justin Rossetti, aka “Asiago,” refers to himself as a “hardware hacker.” His workspace is illuminated by a Chinese lantern, which has an electronic light simulating the flicker of a candle, and his desk is cluttered with jars of herbal tinctures, including myrrh and licorice root. His biggest project at the moment is a “tiny home” he’s constructing in the rear of the hackerspace warehouse. It’s a project motivated mostly by curiosity—the same fuel that moves most of the hackers, supported by a learning space where goals aren’t based on job expectations or getting a grade to pass a class, but just by an itch to tinker.
“It’s important to me to have the ability to learn how I like to learn,” Rossetti says. For Rossetti, the purity of the hacker spirit fostered at the space is something that’s very American.
“I think it’s essential to the continued survival of our American culture—it’s who we are,” Rossetti says. “It’s important to have an interest in the world around you because if you don’t, then you’re never going to progress.”
Whether the classroom is an Orem warehouse full of eccentrics, a workshop in Salt Lake City or an advanced university laboratory, Utah’s hackers continue to innovate out of an innate curiosity and fascination with technology that may benefit the state’s tech business and, perhaps, even the entire country. At first glance, folks like Grifter and Dr. Unicorn would seem unlikely assets to the nation’s cyberdefense, but for U professor Might, the hacker-hobbyists in Utah and elsewhere might just be our secret weapon.
“These groups get together just for the fun of it,” Might says. “But I think these people are some of our nation’s most valuable resources. These are the people we want helping us if there is ever real cyberwarfare.”