A Hacker's Mind

Bruce Schneier

42 highlights
Highlights & Annotations

Introduction

They say that water, it never runs uphill.
It never has, and it never will.
But if you get enough money involved,
There’s bound to be a loophole in the natural law.
And water, is gonna flow uphill.
—“Water Never Runs Uphill,” Jim Fitting, Session Americana

Ref. 56E9-A

Security technologists look at the world differently than most people. When most people look at a system, they focus on how it works. When security technologists look at the same system, they can’t help but focus on how it can be made to fail: how that failure can be used to force the system to behave in a way it shouldn’t, in order to do something it shouldn’t be able to do—and then how to use that behavior to gain an advantage of some kind.

Ref. E7D7-B

That’s what a hack is: an activity allowed by the system that subverts the goal or intent of the system. Just like using Uncle Milton’s system to send tubes of ants to people who don’t want them.

Ref. 8DDC-C

Kids are natural hackers. They do it instinctively, because they don’t fully understand the rules and their intent. (So are artificial intelligence systems—we’ll get to that at the end of the book.) But so are the wealthy. Unlike children or artificial intelligences, they understand the rules and their context. But, like children, many wealthy individuals don’t accept that the rules apply to them. Or, at least, they believe that their own self-interest takes precedence. The result is that they hack systems all the time.

Ref. 301E-D

A hacker is more likely to be working for a hedge fund, finding a loophole in financial regulations that lets her siphon extra profits out of the system. He’s more likely in a corporate office. Or an elected official. Hacking is integral to the job of every government lobbyist. It’s how social media systems keep us on their platforms.

Ref. C1CD-E

In my story, hacking is something that the rich and powerful do, something that reinforces existing power structures.

Ref. 76B0-F

One example is Peter Thiel. The Roth IRA is a retirement account allowed by a 1997 law. It’s intended for middle-class investors, and has limits on both the investor’s income level and the amount that can be invested. But billionaire Peter Thiel found a hack. Because he was one of the founders of PayPal, he was able to use a $2,000 investment to buy 1.7 million shares of the company at $0.001 per share, turning it into $5 billion—all forever tax free.

Ref. 8BF3-G

It’s not that the wealthy and powerful are better at hacking, it’s that they’re less likely to be punished for doing so. Indeed, their hacks often become just a normal part of how society works. Fixing this is going to require institutional change. Which is hard, because institutional leaders are the very people stacking the deck against us.

Ref. 271E-H

AI will hack systems with a speed and skill that will put human hackers to shame. Keep the concept of AI hackers in mind as you read; I will culminate the book with that in the final part.

Ref. 5377-I

That’s why this book is important right now. If there’s any time when we need to understand how to recognize and defend against hacks, it’s now. And this is where security technologists can help.

Ref. BC7A-J

“It’s not that math can solve the world’s problems. It’s just that the world’s problems would be easier to solve if everyone just knew a little bit more math.” I think the same holds true for thinking about security. It’s not that the security mindset, or a hacking mentality, will solve the world’s problems. It’s that the world’s problems would be easier to solve if everyone just understood a little more about security.

Ref. B429-K

Hacking is not the same as cheating. A hack could also be a cheat, but it’s more likely not. When someone cheats, they’re doing something against the rules—something the system explicitly prohibits. Typing someone else’s name and password into a website without their permission, not disclosing all of your income on your tax return, or copying someone else’s answers on a test are all cheating. None of those are hacking.

Ref. 19C2-L

Hacking targets a system and turns it against itself without breaking it. If I smash your car window and hotwire the ignition, that’s not a hack. If I figure out how to trick the car’s keyless entry system into unlocking the car door and starting the ignition, that’s a hack.

Ref. 6FF9-M

Notice the difference. The hacker isn’t just outsmarting her victim. She’s found a flaw in the rules of the system. She’s doing something she shouldn’t be allowed to do, but is. She’s outsmarting the system. And, by extension, she’s outsmarting the system’s designers.

Ref. E6D0-N

Hacking subverts the intent of a system by subverting its rules or norms. It’s “gaming the system.” It occupies a middle ground between cheating and innovation.

Ref. F693-O

Hackers and their work force us to think differently about the systems in our world. They expose what we assume or take for granted, often to the embarrassment of the powerful and sometimes at terrible cost.

Ref. C5A1-P

You once had to jailbreak your smartphone to turn it into a wireless hotspot; now hotspots are standard features in both iOS and Android. Hiding a metal file in a cake sent to a jailed confederate was initially a hack, but now it’s a movie trope that prisons will be on guard against.

Ref. 58F1-Q

Hacks are often legal. Because they follow the letter of the rules but evade the spirit, they are only illegal if there is some overarching rule that forbids them. When an accountant finds a loophole in the tax rules, it’s probably legal if there is no more general law that prohibits it.

Ref. E653-R

There’s even a word for this sort of thing in Italian: furbizia, the ingenuity that Italians deploy towards getting around bureaucracy and inconvenient laws. Hindi has a similar word, jugaad, which emphasizes the cleverness and resourcefulness of making do. In Brazilian Portuguese, the equivalent is gambiarra.

Ref. 0BFA-S

This isn’t new. We’ve been hacking society’s systems throughout history.

Ref. 058E-T

The tax code isn’t software. It doesn’t run on a computer. But you can still think of it as “code” in the computer sense of the term. It’s a series of algorithms that takes an input—financial information for the year—and produces an output: the amount of tax owed.

Ref. 0294-U

The tax code is incredibly complex. Maybe not for most of us as individuals, but there are a bazillion details and exceptions and special cases for rich people and businesses of various kinds. It consists of government laws, administrative rulings, judicial decisions, and legal opinions. It also includes the laws and regulations governing corporations and various types of partnerships. Credible estimates of the size of it all are hard to come by; even experts had no idea when I asked. The tax laws themselves occupy about 2,600 pages. IRS regulations and tax rulings increase that to about 70,000 pages. The laws involving corporate structures and partnerships are equally complicated, so I’m going to wave my hands and assume a total of 100,000 pages—or 3 million lines—for the US tax code. Microsoft Windows 10 takes up about 50 million lines of code. It’s hard to compare lines of text to lines of computer code, but the comparison is still useful. In both examples, much of that complexity is related to how different parts of the code interact with each other.

Ref. 67B2-V

These bugs are in all the software that you’re currently using: in your computer, on your phone, in whatever “Internet of Things” (IoT) devices you have around your home and work. That all of this software works perfectly well most of the time speaks to how obscure and inconsequential these bugs tend to be. You’re unlikely to encounter them in normal…

Ref. 69D4-W

The tax code also has bugs. They might be mistakes in how the tax laws were written: errors in the actual words that Congress voted on and the president signed into law. They might be mistakes in how the tax code is interpreted. They might be oversights in how parts of the law were conceived, or unintended omissions of some sort or another. They might…

Ref. E2C8-X

A recent example comes from the 2017 Tax Cuts and Jobs Act. That law was drafted in haste and in secret, and passed without any time for review by legislators—or even proofreading. Parts of it were handwritten, and it’s pretty much inconceivable that anyone who voted either for or against it knew precisely what was in it. The text contained an error that accidentally categorized military death benefits as earned income. The practical effect of that mistake was that surviving family members were hit with surprise tax bills of $10,000 or more. That’s a bug. It’s not a vulnerability, though, because no one can take advantage of it to reduce their tax bill. But some bugs in the tax code are also vulnerabilities. For example, there was a…

Ref. FA55-Y

company transfers assets to an Irish subsidiary. That subsidiary charges the US company huge royalties from sales to US customers. This dramatically lowers the company’s US taxes, and Irish taxes on royalties are designed to be low. Then, using a loophole in Irish tax law, the company can shift the profits to entities in tax havens like Bermuda, Belize, Mauritius, or the Cayman Islands—to ensure that these profits remain untaxed. Next, add a second Irish company, this time for sales to European customers, also taxed at a low rate. Finally, use another vulnerability, this one involving a Dutch intermediary company, to transfer the profits back to the first Irish company and on to the offshore tax haven. Tech…

Ref. BFB9-Z

In the tax world, bugs and vulnerabilities are called loopholes. Attackers take advantage of these; it’s called tax avoidance. And there are thousands of what we in the computer security world would call “black-hat researchers,” who examine every line of the tax code looking for vulnerabilities they can exploit: tax attorneys and tax accountants.

Ref. 4C36-A

We know how to fix vulnerabilities in computer code. First, we can employ a variety of tools to detect them before the code is finished. Second, and after the code is out in the world, there are various ways we can find them and—most important of all—quickly patch them. We can employ these same methods with the tax code. The 2017 tax law capped income tax deductions for property taxes. This provision didn’t come into force until 2018, so someone came up with the clever hack to prepay 2018 property taxes in 2017. Just before the end of the year, the IRS ruled about when that was legal and when it wasn’t, patching the tax code against this exploit. Short answer: most of the time, it wasn’t.

Ref. 637C-B

A hack subverts the intent of a system. Whatever governing system has jurisdiction either blocks or allows it. Sometimes it explicitly allows it, and other times it does nothing and implicitly allows it.

Ref. 5A3F-C

A complex process, constrained by a set of rules or norms, intended to produce one or more desired outcomes.

Ref. 3723-D

Professional sports are hacked all the time, because they are governed by explicit sets of rules. The law is often hacked, because law is nothing but rules.

Ref. BF0A-E

In some systems, of course, the laws are the rules or, at least, provide many of them. As we’ll see when we discuss hacking finances or the legal system itself, simple typos or confusing language in a bill, contract, or judicial opinion can open the door to endless exploits that were never intended by the original drafters or judges themselves. Note something very important:

Ref. A7AD-F

My definition of system includes the word “intended.” This implies a designer: someone who determines the desired outcome of a system. This is an important part of the definition, but really it’s only sometimes correct.

Ref. 7104-G

With computers, the systems being hacked are deliberately created by a person or organization, which means the hacker is outsmarting the system’s designers. This is also true for systems of rules established by some governing body: corporate procedures, rules of a sport, or UN treaties.

Ref. 964B-H

Many of the systems we’ll be discussing in this book don’t have individual designers. No one person designed market capitalism; many people had their hand in its evolution over time. The same applies to the democratic process; in the US, it’s a combination of the Constitution, legislation, judicial rulings, and social norms. And when someone hacks social, political, or economic systems, they’re outsmarting some combination of the designers of the system, the social process by which the system evolved, and the societal norms that govern the system.

Ref. E671-I

Hacking is a natural outgrowth of systems thinking. Systems permeate much of our lives. These systems underpin most of complex society, and are becoming increasingly complex as society becomes more complex. And the exploitation of these systems—hacking—becomes ever more important. Basically, if you understand a system well and deeply, you don’t have to play by the same rules as everyone else. You can look for flaws and omissions in the rules. You notice where the constraints the system places on you don’t work. You naturally hack the system. And if you’re rich and powerful, you’ll likely get away with it.

Ref. 419E-J

A vulnerability is a feature in a system that allows a hack to occur. In a computer system, it’s a flaw. It’s either an error or an oversight: in the design, the specification, or the code itself. It could be something as minor as a missing parenthesis—or as major as a property of the software architecture. It’s the underlying reason that the hack works. An exploit is the mechanism to make use of the vulnerability.

Ref. F910-K

The exploit would be the software program that allows me to see them. If a door lock can be opened without a key, that’s also a vulnerability. The exploit would be whatever physical shim or tool is required to pry it open.

Ref. 7188-L

Second, there is the person who uses the resultant exploit in practice. In the NSA, it was an employee who deployed the exploit against a target. In an accounting firm, it was whichever accountant applied Irish and Dutch tax laws to a particular corporation’s tax avoidance strategy. The hacker who performs that sort of hack makes use of someone else’s creativity. In the computer world, we derisively call them “script kiddies.” They’re not smart or creative enough to unearth new hacks, but they can run computer programs—scripts—that automatically unleash the results of someone else’s creativity. And finally, there is the organization or person in whose service this is all being done. So we can speak of the NSA hacking a foreign network, or Russia

Ref. 4344-M

This is all important, because we’re going to be talking repeatedly about how the rich and powerful hack systems. I’m not saying that wealth and power makes someone a better technical hacker, it just gives that person better access. Like the US or Russia or Google, it enables them to hire the technical expertise needed to successfully hack systems.

Ref. C29A-N

Children are natural hackers. They don’t understand intent and, as a result, don’t see system limitations in the same way adults do. They look at problems holistically, and can stumble onto hacks without realizing what they’re doing. They aren’t as constrained by norms, and they certainly don’t understand laws in the same way. Testing the rules is a sign of independence.

Ref. B9FD-O

Resilience is an important concept, one that applies to everything from the human body to the planetary ecosystem, from organizational systems to computer systems. It’s the ability of a system to recover from perturbations, including hacks. Resilience is why suspension bridges are built from stranded cables and not solid rods: solid rods fail suddenly and catastrophically, while stranded cables fail slowly and noisily. It’s why our brains and bodies have so many different ways to adapt to whatever circumstances we find ourselves in, and why good taxi drivers know four different ways to drive between popular landmarks. It’s why Orange County, California, has a functioning county government, even after it was forced to declare bankruptcy in 1994. In security, resilience is an emergent property of a system, one that can combine such aspects of properties as impenetrability, homeostasis, redundancy, agility, mitigation, and recovery. Resilient systems are more secure than fragile ones. Many of the security measures we discussed in the previous few chapters are all about increasing a system’s resilience from hacking.

Ref. 669A-P