The Art of the Unintended: Hack All the Things
Hackers are bad, scary, criminal, and worst of all, they wear hoodies, right? Hackers don’t belong in enterprise technology teams, right? Wrong! Personally, I’ve been fascinated by hackers my whole life, probably since I first saw WarGames. While I don’t consider myself a hacker, I’ve done some light hacking over the years.
Shortly after I went to school and learned Windows networking, I visited a friend’s house and he showed me his new computer. I noticed he had high-speed internet (somewhat rare back then) and I asked him who his provider was. He said, “I don’t know, I just turned it on and it works.” At that point, I asked him if he’d like to know which of his neighbor’s internet he was using. He said, “You can do that?” I said, “I don’t know, let’s find out…” In a matter of seconds, I mapped the local network and found his neighbor’s printers, media libraries, and file shares. I opened up his file share and found a resume that contained his home address. “Bingo, it’s this guy.” Ironically, his resume led off with “Seeking a position in information security.” I wanted to edit his resume to say “Don’t hire me. I don’t know what I’m doing,” but my friend talked me out of it.
At this point, my friend turned to me in amazement and said, “Where did you learn how to hack?!?” I didn’t technically hack, crack, exploit, or social-engineer anything. I just used my Windows networking knowledge. That experience opened my eyes to what hacking really is. It’s simply thinking outside the “happy path.” Do the unintended, and see where it leads.
Several years later, I went to my first SANS class, where I learned hacking and anti-hacking defense techniques. While nearly all of those specific tactics are now obsolete, I learned how to think like a hacker and look for security weaknesses in technology. Those thinking patterns serve me well to this day.
Hack all the things. Doing the unintended is really fun.
While working for one of my previous companies, we had a cloud app that had a mobile offering, but the mobile enrollment was disabled. At least that’s what the administrators thought. They hid the mobile enrollment menu options from the user interface. I simply googled public user manuals on how to do mobile enrollment, and I found screenshots with the URL structure that held that functionality. I wondered to myself, “Is this really disabled, or is it just hidden?” I found out by typing the URL into the app, and boom: The mobile enrollment feature rendered. Sweetness. I got to be the guy that had the feature that everyone else wanted but couldn’t have.
I was using another cloud app that limited certain edit functionality, which I thought was really lame. I wasn’t satisfied, so I started researching ways to bypass the user interface. I found the RESTful API, loaded up some browser extensions, and edited the uneditable with JSON. I was very pleased with myself and shared my “hack” with other users. Eventually, the administrator caught wind of it and said, “Uhh, thanks… I think… Are you SUPPOSED to do that?” I don’t know if I’m supposed to, but I can, and I did. If I’m not supposed to do that, then close the loophole and stop me. That’s thinking like a hacker.
These are some fun and harmless stories, but let’s get serious for a moment. Information security is a real threat. I hold a position in my current company (and at previous companies) that is directly accountable for the security of our technology environment. There are criminal hackers that are out to exploit companies of all shapes and sizes. While we have numerous technical means to defend our organization, we need to enlist the help of everyone in the organization to do the job successfully.
The role of the general business user is pretty straightforward: “Be aware, be careful, and don’t get duped. If you see something, say something.” There’s more to it than that, but that’s the basic idea. The role of the technical folks is to think like a hacker. Seriously, I want to find out about our weaknesses from the friendlies. The only way to do that is to start hacking.
You may think that security is someone else’s job, but everyone in a technical role has a special responsibility due to their immersion and understanding of the inner workings of specific technologies. This depth and context aren’t available to outside security consultants or even your internal IT security team. We need every technician, engineer, and developer to put on their hacker hoodie every so often to harden our tech.
Don’t be a hater. Hackers are people too.
I am not h4x0r 31337! I don’t even qualify as a n00b script kiddie. I just like to try the unintended and see what happens. The real hackers bring me awe and amazement. One of my favorite hackers (a.k.a. Security Researcher) is Chris Roberts. He may (or may not) have controlled a flight from his passenger seat by hacking the in-flight entertainment system and gaining access to the thrust control system. We may never know what really happened, but his stunt got him detained by the FBI and banned from flying United Airlines.
Good hackers sometimes do questionable things to get attention. Why? Because we don’t listen to them. We don’t take them seriously. We treat them like enemies instead of friends. There is a philosophical lesson to be learned here, but I’m not the best one to teach it. Instead, I encourage each of you to watch to Keren Elazari’s famous Ted Talk which has gained more than 2.6M views.
In conclusion, we get stronger by hacking ourselves before the bad guys do. Stay within the guardrails of law and policy. Serve the business by doing potentially disruptive activities within appropriate maintenance windows and approvals. Disclose findings responsibly. With that understanding, hack the planet!
Have any fun hacking stories to share? Put them in the comments below!
5 thoughts on “The Art of the Unintended: Hack All the Things”
I was a labbie at my college, and we weren’t allowed to have admin privileges on our labbie computer running Windows NT. The clocks were always set wrong which was annoying to me. Found a GetAdmin script and boom! Clocks set to the right time. This security hole was open for a surprisingly long time.
Indeed! This is consistent with my stories. You don’t often set out to hack, but necessity is the mother of invention. Don’t like the way things are? Hack around it!
Zach, this is an excellent blog post!! Thank you for making people aware of this!!
I’ve learned a lot from this article, especially the three types of users, this category I’m going to use in my upcoming article for Powr of You. I’m happy that I don’t run on Windows (from 2010 at least). google my creative work: @narcsat by D1 SKCHDB and follow me on various social media, including Youtube and Vimeo. I’m also going to rip off your profile picture.
Awesome post Zach.
Your conclusion was very bold, “we get stronger by hacking ourselves before the bad guys do. Stay within the guardrails of law and policy. Serve the business by doing potentially disruptive activities within appropriate maintenance windows and approvals. Disclose findings responsibly.”
That quote is simply refreshing.
From the CEO to the janitor we can all contribute to a more secure workplace.
Hack the planet!