Hacking Hackers. PHOTO: Cybercrime Magazine.

Lockpicking Is Not A Crime, Unless You’re A Burglar

Bruce Schneier on stereotypes about hackers

David Braue

Melbourne, Australia – Feb. 4, 2022

Hacking may have been indelibly linked with cybercrime for decades, but Bruce Schneier is waging a campaign to change that by highlighting the ways people were hacking long before computers even existed.

Pop culture’s consensus about hackers — hoodie-wearing criminals lurking in the shadows and ready to break into any computer system, anywhere — has tainted many people’s perceptions of the cybersecurity profession, fed by the 1970s and 1980s hysteria when almost nobody understood new computer technologies and the activities of phone phreakers like Kevin Mitnick were akin to magic.

Mitnick “got caught in a period where we were terrified of hackers,” he told Cybercrime Magazine, recalling that Mitnick was banned from using even a normal telephone while in jail “because they were afraid what he could do with it.”

“His punishment made no sense based on his crime, because everyone was scared. You had some movies come out that portrayed them as very dangerous, and what they could do was magnified out of proportion. … In the popular imagination, hacking has been tied to doing something wrong.”

Society’s stereotypes about hackers have persisted despite the efforts of people like Schneier — whose many decades in the industry has made him a cybersecurity industry guru — to take back the word and foster better understanding of why hacking is a fundamental human trait.

Cybercrime Radio: A New View On Hackers

Pop culture has it wrong

“In my head, hacking is a technical ability,” he explained, “like lockpicking. You can be either a professional locksmith or a burglar. We tried to say that ‘cracking’ was the illegal thing and ‘hacking’ was a legal thing — but we kind of lost that battle.”

Schneier — a prolific author and self-described “public-interest technologist” who lectures at Harvard’s Kennedy School, sits on the board of EFF, and currently works with World Wide Web creator Tim Berners-Lee as chief of security architecture at Inrupt, Inc. — has been working to expand the perception of hacking, working on a book that argues humans have been hacking for millennia.

The Ancient Romans, for example, learned to hack the political process by inventing the filibuster while many Orthodox Jews have, Schneier said, learned to work around strict laws without actually breaking them.

“There are an enormous number of hacks of Jewish law,” he said. “Orthodox Jews are masters of following the letter and violating the spirit to get something done. It is not done maliciously, but it is this way of thinking about how to subvert systems.”

That subversion — and not the criminal intent attributed to hackers in popular portrayals — is the core of what it means to be a hacker, Schneier argued, pointing out that American financial systems are riddled with traders, venture capitalists and private equity firms that “do a lot of hacking of the rules.”

In this light, he continued, hacking’s real meaning becomes clearer: “it’s an ability to look at a system, figure out what it can do and not what you’re told it can do, and whether it can do things that its designers didn’t intend or anticipate.”

The association with computer hacking may have come to dominate the public discourse, but Schneier believes people will understand both criminal and non-criminal hackers better if they just expand their perception.

“It’s that desire to figure out the limits of what a system can do — and whether a system can be subverted turns out to be a really valuable technical skill in the computer world that is the start of many a computer security career.”

A trade built on curiosity

Schneier’s own career — which he referred to as “a series of generalizations” — grew out of his own interest in hacking, fostered during degrees in physics and computer science that propelled him into a career as a serial entrepreneur, technology journalist and, famously, the authoring of the seminal 1994 book Applied Cryptography that was the first mainstream book about the use of cryptographic algorithms.

That book was groundbreaking in its time, but looking back Schneier was quick to point out that “the field has moved along since the mid ‘90s. So much is missing now that it’s over 25 years old. … I don’t want anyone to design a system based on that because it’s too out-of-date and obsolete. It’s there for historical purposes only.”

Yet his general approach, of simplifying complex concepts in a practical way, still stands as an invaluable way of supporting continued innovation in cybersecurity and other IT fields.

“Security has gotten extraordinarily technical, and makes it hard for people to understand,” he explained. “History provides good parallels and good stories, so I always like to look at parallels that people can understand better.”

Taking this theme and running with it, Schneier is currently writing a book exploring the idea that hacking is a fundamental skill rather than a form of deviant behavior — and that it’s not just the purview of malicious cybercriminals working in the shadows.

“It really is often the rich and powerful that are doing it to increase their power and wealth,” he explained, noting that “I never really got very deep into code. … My core skill is thinking about the economics and psychology and political science of different ways of thinking about security and privacy — much more abstract and people-focused.”

Those skills are part of what enticed Schneier to join Berners-Lee at Inrupt, which is helping to implement the latter’s Solid data-ownership model — a new approach to data management and security that he has previously written “will fundamentally alter the balance of power in a world where everything is a computer, and everything is producing data about you.”

That data-inundated world will meet its match as artificial intelligence (AI) algorithms increasingly complement the all-too-human activity of hacking, Schneier said — and that’s when things are going to get really interesting.

“What happens if you give an AI the tax code of every country on the planet and tell it to minimize your tax? How many loopholes will it discover, and what will that mean?”

“We have a lot of trouble patching the tax code, which isn’t like Microsoft issuing a patch; we have to pass a law, which is hard to do and takes years. And if you find 1,000 loopholes in the tax code, that means you get no revenue. It’s going to be a different kind of world.”

David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.