2 : HACKING, FOLKLORE, AND THE GAME
c. FEBRUARY-MARCH 2019 / FEBRUARY-MARCH 2018
To be a hacker is to dance to hidden tunes. But more than that, it is to rewrite the song and repurpose the instruments. Make a piano sound like a guitar; disguise a vuvuzela as a clarinet to get it past security; redesign a flute so that it produces the flatulent bellow of a tuba. All because we can.
We don't just hear a melody, we compose it.
When you're a hacker no music is unplayable. Any instrument or style can be mastered, so long as you have the drive to understand it. That's what moves us beyond all else: the urge to take things apart, learn how they work, and reshape them. Legend has it that the term 'hacker' originated at MIT, to describe those students who came up with particularly innovative or interesting solutions to creating model trainsets.¹
It means finding surprising answers to problems - sometimes, problems nobody has yet thought to ask - and posing questions of your own.
Criminal hackers, sometimes known as 'black hats' after a trope in old Western films,² take a vicious pride in destruction, in the creation of exploits and malware and their damaging effects. They find exhilaration in senseless devastation and the acquisition of money through criminal enterprise, immersed in their heaving little worlds of malice.
Jay, like me, was a hacker, not a criminal. He hated black hats with a passion, although he admired some of the skills they demonstrated (as evidenced by his curation of The Tour), but our obsession with The Helmsman's game arose from our shared disease of curiosity. That, and nothing else.
We just had to know.
* * *
I joined Cybotage, a small information security outfit - one of those firms inaccurately described as 'agile' in marketing bumf and accurately defined as 'fucking chaos' by the actual staff - in February 2018, a few months after graduating from university, as a junior penetration tester.³
Cybotage was based on the first floor of a redbrick office building in East London called Gants House.⁴
On the floor above us was a DVLA test centre, so we became inured to the sight of people sweating over copies of The Highway Code in reception, and the screams of delight and moans of anguish as candidates learnt their results. Sometimes, over a ciggy at the back of the building, the DVLA staff would tell us stories. My favourite was the one involving a short, scrawny, acne-ridden seventeen-year-old kid who, upon getting into the car with his examiner, donned green sunglasses, reclined his seat, put one hand on top of the wheel, and said, "Let's roll, motherfucker." I wonder where that kid is now.
Gants House backed on to a railway line, and you'd regularly hear the shocking scream of a train as it barrelled past outside, making the floors and walls vibrate and our mugs jump and shudder on the desks. When the weather turned warmer Richard refused to let us turn on the air con because he believed it would make too much of a dent in the firm's already meagre coffers - so we kept the windows open and flinched on cue, every twenty minutes.
The penetration testing team was small - only four of us: Jay, Nina, Kevin⁵ and myself - and there were two other small teams which dealt with threat intelligence and incident response. Jay was the team leader, a veteran pentester who had been involved in the hacking community since his teens. I'd heard about him during my degree, and had read some of his blogs after applying for the position. He was big 'in the scene', as we say - presenting research at prominent conferences, participating in CTFs,⁶ and regularly releasing new tools and code. Jay knew the history of hacking inside out, from phreaking⁷ and cypherpunks⁸ to cryptocurrencies and ransomware. And he ruled Cybotage, more or less, for all that Richard was ostensibly in charge. A raised eyebrow from Jay could torpedo a proposal; a single email could shift a strategy. He could have easily secured a senior position at one of the corporate firms, but I think he preferred to be a big fish in a tiny pond. When I googled him before starting at Cybotage, his name and nick, 'brix', were spoken with respect in all the forums⁹ that mattered. I didn't meet him at my interview - Richard and Nina had led it - but I did on my first day.
And I hated him.
* * *
Sophie, a tall woman with large grey eyes and a soft voice, led my induction, such as it was. She ushered me around the little office to meet everyone, and we ended our tour at the tiny kitchen where Jay was reading something on his phone and eating a sandwich. He was dressed in what I would come to think of as his uniform: black baseball cap, black jeans, white t-shirt hanging loose on his thin frame. He didn't look up as we came in.
"This is Alex," Sophie said to him. "Your new pentester."
Jay turned to us. His lips - shaped in a languid curve, like an archer's bow - twisted slightly into a brief smile as we shook hands. His eyes flickered over my face, and then, out of nowhere, he said:
"What's your favourite vulnerability?"
I blinked. "Sorry, what?"
"Jay," Sophie said gently. "It's her first day."
Jay waited, watched.
The question had thrown me. I'd become interested in security at university, although my degree had barely covered the subject, and I'd done some playing around at home with test rigs and vulnerable VMs¹⁰ and so on - but a favourite vulnerability? Is this a test? I thought wildly. Is he expecting something original, something highly exotic? I struggled for a second or two to think of something impressive, dredging my memory, until something eventually bobbed to the surface and I snatched at it.
"Er, probably MS08-067?"¹¹
There was a pause.
"Seriously?"
"I haven't really looked at many-"
"What is it you like about it?"
"Jay," Sophie said again. "She's been interviewed already."
"Yeah, by Nina and Richard," Jay said. "Not me." His eyes were still on me. "Why do you want to be a hacker?"
I'd been asked this at my interview, and I had an answer ready. I can't remember if it was what I truly believed at the time, or if I'd cynically tried to predict what my interviewers would like to hear. Knowing myself, it was probably the latter.
"I want to help organisations improve their security and make society safer by finding vulnerabilities and helping to mitigate them," I said in a rush, the words stacking up and collapsing into each other. Even to my ears it sounded mealy-mouthed.
Jay waited a few seconds, as though expecting more, his smile slowly dying, before turning back to his phone and taking a bite out of his sandwich.
"Great," he said through a mouthful of bread. Disappointed. "Cool. Look forward to working with you."
It had been a test, and I had failed. Sophie gave me a slack sort of smile, raised her eyebrows in sympathy, and led me back to my desk.
Our world can be wonderful; it attracts minds which can do and think things nobody thought possible. But it also draws the worst: the intolerant, the insecure. After that first encounter, I placed Jay firmly in the second camp. He was a talented misanthrope, I decided, one who saw others as inferior and unworthy of his time and attention. Later, as I got to know him better, I realised that was how he was with everyone: awkward, combative, as though everything had to be challenged. It wasn't personal, it was just who he was, and what made him a good hacker. He would have been dismayed to learn that it made others uncomfortable. It was simply how he processed information: absorb it, understand it, streamline it, and then precisely exploit the gaps and weaknesses he had identified. It wasn't a character flaw, I suppose I mean, although it could certainly come across that way.
At the time, though, I made a mental note to try and steer clear of him as much as I possibly could.
* * *
Naturally that was difficult in such a small team, and a couple of weeks later I found myself partnered with him for five days in Basingstoke for my first ever client engagement, an internal infrastructure test at an insurance company.¹²
We would work from their office, connect our testing laptops to their internal network, and probe for vulnerabilities before writing up our findings in a report.
On the first day, the client contact (Colin,¹³ I think his name was; most of our clients' IT people seemed to be called Colin) met us in reception. After he'd briefed us - me spending most of the time trying to look as though I understood what was going on - we got a flimsy plastic cup of cheap coffee each from the vending machines, the material so thin it felt like it was warping with the heat of the liquid, and set up our laptops at two adjoining desks in the corner of the large open-plan office.
"Know what you're doing?" Jay asked.
"Well, I've done some stuff at home," I said, "on a testing rig, which I-"
I stopped myself. Don't blather. Show him you belong here.
"Yes," I said.
"Know how to do a SYN¹⁴ scan?"
"Yes."
"Get started, then," Jay said. "Whatever subnet...