InTechnology Podcast

What That Means with Camille: Ethical Hacker (133)

In this episode of What That Means, Camille gets into ethical hacking with Ted Harrington, author of HACKABLE: How to Do Application Security Right and Executive Partner at Independent Security Evaluators. The conversation covers what makes a good hacker, surprising research into the security of dating apps, and how to involve ethical hackers and security teams at every stage of development, from the first whiteboard design through deployment.

To find the transcription of this podcast, scroll to the bottom of the page.

The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.

Follow our hosts Tom Garrison @tommgarrison and Camille @morhardt.


What Makes a Hacker Good or Bad?

Ted explains that hacking itself is neither good nor bad; what matters is the motivation behind it. A hacker is a problem solver who looks at a system and asks whether it can be built differently, or made to do something it was never intended to do. When people think of hackers, they usually picture malicious ones who study a system in order to break it and cause harm. Ethical hackers use the same tools, the same tactics and the same adversarial view of a system to find its weaknesses, but they do so in order to fix them and make the system more secure.

Technical skill matters, but Ted outlines three qualities that matter more: a problem-solver mindset, perseverance through the dead ends that creative problem-solving always produces, and a relentless pursuit of excellence (a habit of constantly learning, reading and publishing research, and learning from and teaching peers). Combined with genuine passion for the work, these are what make a good ethical hacker; the tools and technical skills can be learned along the way.

Security Concerns in Dating Apps

There is always new research to be done in security, and some of it lies well outside the IoT devices ISE is best known for. One eye-opening discovery by Ted’s team came from research on dating apps. Among several findings, they showed that an attacker with little skill could alter the stored vote data (the record of who swiped left or right on whom), so that a “no” could be rewritten as a “yes” and a match manufactured. Nobody is tricked into a relationship that way, but it undermines the user’s freedom of choice, and, as Camille notes, the same access exposes highly personal data such as likes, dislikes and where a person is physically located.

Why Wait—Get Ethical Hackers Involved in Security Now

Involving ethical hackers and security teams in the development process is a lot like building a car, Ted explains. You wouldn’t build the car first and only then check whether the passengers would survive a crash; the physics of a side impact are considered while the vehicle is still being specified. Similarly, every step of building software or hardware has a corresponding security action, so ethical hackers should be involved from the initial design, throughout development, and all the way to deployment.

Many companies don’t bring in ethical hackers until the product is built and about to ship. This costs them heavily in both time and money, and most of that cost never appears on a profit and loss statement because it shows up as lost developer productivity. Looking at roughly ten years of its own project data, Ted’s team found that a design-level flaw which takes about 10 hours to fix when found during the design stage takes about 250 hours to fix when it is not discovered until deployment: roughly 25 times the effort. Involving security earlier is therefore both more effective and cheaper, for the assessment itself as well as for remediation.

Ted Harrington, Author of Hackable and Executive Partner at Independent Security Evaluators


Ted Harrington is an ethical hacking expert who leads a team of ethical hackers at Independent Security Evaluators (ISE). His team at ISE founded and organizes IoT Village, a three-time DEF CON Black Badge winner. Ted’s recent book, HACKABLE: How to Do Application Security Right, dives into how hackers think, hacking methodologies, how to fix security vulnerabilities, and more. See more of Ted’s ethical hacking work on his website, tedharrington.com.


ANNOUNCER  00:04

Welcome to What That Means with Camille, companion episodes to the InTechnology podcast. In this series, Camille asks top technical experts to explain, in plain English, commonly used terms in their field, then dives deeper, giving you insights into the hottest topics and arguments they face. Get the definition directly from those who are defining it. Now, here is Camille Morhardt.

Camille Morhardt  00:31

Hi, and welcome to this episode of What That Means: good hacker, or ethical hacker. I have with me today Ted Harrington. Welcome, Ted.

Ted Harrington  00:40

Thanks for having me. Excited to be here.

Camille Morhardt  00:42

I’m excited to have you here. I actually joined Ted on his podcast a little bit ago, and that was super fun. So I’m really excited to talk about podcasting a little bit later in this conversation. But I do want to start, because you are a good hacker, so I want to start with that. I also want to point out, you’re an Executive Partner at Independent Security Evaluators, or ISE, and your team founded and organizes IoT Village, which we know well, an event whose hacking contest has produced three DEF CON Black Badges. You’re the real deal.

Ted Harrington  01:17

Oh, my God, the real deal, I guess. I’m just in a fortunate position to lead some really smart people.

Camille Morhardt  01:22

So I want to start by just asking you, because you are a good hacker: what is that? I think a lot of people kind of have a sense of what hacking is. But what would good hacking mean, or ethical hacking?

Ted Harrington  01:35

Well, let’s start with what hacker is or what hacking is because I agree with you that people at least should know what it is. But there’s pretty rampant misconception about what it means. Because hacking or hacker is typically framed as a negative, right, as a malicious person who does evil things, whatever. Pretty much every single news article, you ever read talks about hackers in a negative context. But hackers are neither good nor bad. Hackers are problem solvers. There are creative people who look at a system and they say, can I build it in a different way? If it’s already built? Can I make it do something different than it was intended to do? So that’s really what a hacker is, it’s not good or bad. The fork in the road comes to motivation. Do you want to look at a system to understand how it works to figure out how to break it because you want to do something malicious? Well, then yeah, that’s the type of hacker the adversaries the attackers that everyone who’s in the security profession is trying to defend against. But if your motivation is instead to do those same things, to find the flaws in the system, but to do that, in order to fix the system to make it better, then that’s where ethical hackers come from. That’s where my corner of the world is. So that’s really sort of the distinction. We use the same tools, we do the same things, we have the same sort of malicious view on the world. But the motivation is different. We want to do this in order to make systems better.

Camille Morhardt  03:01

And I guess there could be like a neutral hacker, or like a personal-reasons hacker, where you’re actually just adjusting the use of the system for something that it wasn’t intended for, but for your own purposes. That’s not bad or good, just kind of how you’re using it.

Ted Harrington  03:18

Think of something like MacGyver, right? Like I don’t know if anyone listening to this ever saw that show. I mean, I barely saw it. But I’m familiar with the concept of MacGyver, the guy would take like a paperclip, which is intended to clip paper together, and he would use it to like start an engine or something. And that’s hacking that’s like it was supposed to do one thing, can I make it do something else?

Camille Morhardt  03:39

So that’s like a good hacker, what is a good hacker? So my next question is what makes a good hacker? What makes somebody good at hacking?

Ted Harrington  03:48

Well, it definitely starts from the problem-solver mindset, for sure. It’s someone who looks at something, and it’s maybe ill-defined what it means to take a system that’s supposed to do X and you want it to do Y. And how do you do that? Like, there’s not always a clearly defined process. So the person who can sit down and say, I have this idea, and I now need to create something around the idea in order to execute: that problem-solving mentality. A considerable amount of perseverance, for sure. One of the things about ethical hacking is that you’re just going to run into dead ends all the time. And that’s not a bad thing, but you have to keep going to find where the opportunities lead. The third thing that I would say is this relentless pursuit of excellence. Now, that’s not to say that every single person who works in security actually achieves excellence. But one of the things that I have definitely noticed is that people who come from ethical hacking, they tend to be wired to be lifelong learners, to constantly want to improve, to read research, to publish research, to learn from their peers, teach their peers. That growth mindset seems to be a really direct indicator of whether someone will be good at this. And what’s interesting, as you’ve noticed, is the first three things that I stated, which I think are probably the three most important things, have nothing to do yet with the technical capabilities. I didn’t come here and say you have to be a master at, you know, Burp Suite or whatever. And that’s because I believe that if you have the right attitude and the right aptitude, you can learn the tools and the skills that will then, you know, assuming this is something you’re interested in, passionate about, you probably can’t ever be excellent at something you’re not passionate about. But you take all that together, and then I think people can develop the skills along the way to be able to do what they need to do.

Camille Morhardt  05:40

That’s really interesting. So okay, so you are a hacker, and you have, you know, a team of hackers, and you’re actually pretty famous for having hacked some things that we all hope aren’t hackable. And you wrote a book, Hackable. I’m wondering, what is something that you or your team has been able to hack that you were surprised at, actually, how easy it was to hack? Like, that shouldn’t have been that easy. Unfortunately, it was.

Ted Harrington  06:08

Certainly, things within the IoT realm tend to fall in that category. But maybe it’s not the right way to answer the question, because they are, maybe it’s sometimes it’s not surprising that they wind up being easy, because there’s a there’s tremendous security challenges in IoT, Internet of Things, because you have typically small form factors, which you have to have trade offs. And computational power and security, typically, is one of the things that gets sacrificed, you also have low price points, people generally hesitate to pay more for the things even that they know they should have and need and want security being one of them. So is someone going to spend, you know, 50 bucks for a light bulb that has a ton of security in it when they can get a light bulb for like four bucks, like, probably not. And so that’s that’s a very, very real challenge. But there was some research we did recently, that’s from a different realm that I think is really fascinating, actually, that I don’t know if it necessarily was like, easier or harder than we initially expected. But the outcome was really eye opening, especially in the world today that we all live in. And that was research that we did on dating apps. And there were a lot of findings that we discovered, but one of the ones that was I think just super interesting was you could actually change the vote data. So if someone you know swiped left on you, you could actually go and change that to like a swipe right to say they did want to match with you. And now in the real, like, implementation of the world does that? Does that mean that person is gonna wind up going on a date with you and then like, fall in love with you and like somehow have been tricked? Like, of course not. 
But what it hits in the heart is this sort of freedom of choice. Like, you’re using these apps because you are making choices about your romantic life, and someone in a very trivial manner, with low levels of skill, they could actually change that freedom. And that was the part that I thought was really interesting. It also caught people’s attention, because, you know, a lot of people are on dating apps, and they’re like, wow, that could affect me personally.

Camille Morhardt  08:14

Yeah. Noticing, I’ve been on a lot of dates with engineers, people are saying to themselves, wait a minute now. For like, all these hackers, candy, number of hackers, I’ve been on a date with what is going on?

Ted Harrington  08:26

That one was, those were, those were kind of eye opening that they could be they’re easily done?

Camille Morhardt  08:31

Well, not only that, but that kind of touches on, you know, privacy. I mean, we’re laughing about it, because it’s kind of silly, like you say, it’s not going to, you know, ultimately you’re going to find the person you’re going to find but you know that that gets right into privacy, you know, presumably hacking into that could allow you to see, you know, likes and dislikes, and personal preferences, and all kinds of things that are extremely personal, you know.

Ted Harrington  08:55

The dating app, like the whole genre of it, is kind of interesting, that people are trying to meet each other on the internet. You know, you go back, like, what was it, 15 years ago or whatever, people’s parents would be like, don’t talk to people on the internet. And now they’re like, call someone on the internet to pick you up in a car to take you on a date with the person you met on the internet. It’s like, so knowing where people live, like, you know, where they are physically or geographically located, is alarming, I think, to people.

Camille Morhardt  09:19

Yeah, definitely can be. Okay, so I want to pull a part out of your book here. This kind of caught my eye because it’s a little section in the chapter “Fix Your Vulnerabilities,” and it’s called “Vulnerabilities: Design Versus Implementation.” If you have a vulnerability because of implementation, it’s basically because you executed badly. You knew what your design was, so okay, there’s lots to do to fix that, and you know, make sure that you are a good engineer, good developer, etc. But I am really interested by the other part, which is a vulnerability in design, because in this case you bring up the point that this isn’t always that it’s badly designed, so to speak. I mean, a lot of engineers design, or engineers develop, according to a use case, whether they’re the person who wrote the use case or maybe a product manager wrote the use case, but they’re trying to make something work in a certain way. And if they do, that’s kind of like a, you know, green flag, right? We move forward. But you say, by contrast, design flaws, or issues with the design itself, happen when the system works exactly as intended, and yet the attacker can use that intended functionality to exploit the system anyway. I think this is very interesting, because this is really what product manufacturers have to think about and make sure that their developers and designers are constantly aware of, thinking of the security. So I just want your opinion on, you know, how do you protect against that, given the mentality of design coming in and going, tell me the use case and I’ll make it work?

Ted Harrington  10:58

It is a real fascinating part of the problem is like, Oh, I was I was given the essentially the roadmap to go build a thing in a way I did it exactly that way. And it’s like, oh, we still have a problem. The the simple answer with how you deal with that is you have someone I mean, I’m obviously coming from a biased point of view here. But what you should do is you should have ethical hackers actually look at the system and have that sort of malicious viewpoint on it. It’s a challenge thinking, if we abstract it out, so let me let me try to explain it differently. So people aren’t like, well, that’s saying that because he comes from ethical hacking, of course, he’s like, we should have ethical hackers involved. But think about really anything in your life, that if you’re a growth oriented person, I get a mentor, right, or you want to improve your fitness. So you go get a personal trainer, you’re running a business, you get a business coach, you want to be more efficient with your taxes. So you hire an accountant, these outside parties, ethical hacker is being one of them. What we all do is we bring that expertise from a different vantage point to help like challenge your thinking a little bit, and to push you to be better. And in a collaborative way, not in a well, at least for the most part. I mean, there’s definitely some out there who are kind of jerks about it. But for the most part, ethical hackers come in, and it’s a collaborative thing like, hey, let’s make this better. So a perfect example is to illustrate it like how we might do a project. Someone might come in and like literally on a whiteboard have like this circle draws an arrow to this box. And that’s how the system works. And we’re like, but the problem with that box is this. So what if the arrow instead went like that? And they’re like, oh, yeah, cool. Let’s do that. Instead, we haven’t built it yet. Awesome. So now you just saved all the time, all the money, all the effort. 
And but they hadn’t been thinking about how they would attack it, or think about how to build it. There was one company that we worked with a few years ago, who they were trying to do this really creative method for authentication for how you actually log into things. And they were really trying to just completely change the model for how you would do it. And from a creativity standpoint, it was it was a cool, the idea was interesting, like, oh, let’s, let’s approach the password problem differently. But the problem was the way that the system actually was designed. It made it so that it was relatively easy to actually predict credentials for an attacker. So like a brute force attack became very, very viable. And they hadn’t necessarily thought of it that way. Yet. It was it was designed to be like that. And so that’s an example where you want someone to come in and look at it be like, well, here’s why you probably don’t want to do it like that. And if we can shift it in this way, you won’t spend many years and however many millions of dollars building a thing. You can do it right in the first place.

Camille Morhardt  13:40

Actually, it’s kind of interesting what you’re saying, because I didn’t ask you about the time frame for bringing in hackers. But I think a lot of times people imagine it’s, you know, after the fact, like the product is built, and you know, maybe it hasn’t shipped yet. And there certainly can be a lot of focus then, or even, you know, teams within companies trying to hack a product before it ships out. But you’re suggesting, you know, bringing in good hackers very early, even in the design process, to kind of anticipate things as the design is happening, like in partnership with the designers for utility to come in and say, well, let’s make sure you’re also considering security threats and risks that are out there.

Ted Harrington  14:22

Every step of the process of building something has a correlating security action, and everyone should take that action. What you just described, where people will bring in security at the end, that’s exceedingly common. That happens all day, every day, where it’s sort of like, oh, we got the thing built, let’s just make sure it’s secure now. That’s kind of like saying, well, we got the car built, let’s make sure the passenger’s going to survive. You’re like, oh, maybe we should, in the engineering, when we’re actually specifying the vehicle, be thinking about what the physics of a side impact look like, those types of things. And the beauty of involving security earlier is it’s both more effective and it’s also less expensive. And that’s the thing that people don’t realize. They sort of assume, well, if I involve them earlier, it’s probably going to cost me more. But actually, not only does the security effort itself cost less, like the actual dollars that you would pay to someone to help you, but the effort in remediation is astronomical. One of the things I talked about in the book, we actually looked at the data, our team looked at the data for what that means. And so we looked at something like 10 years of data of, you know, projects that we worked on, and sort of compared and contrasted where they involved us and the difference in effort for remediation. So let’s say you had a design-level flaw, like the issue was with the design, and it’s not discovered until you’re about to really deploy the thing. Let’s say it took 10 hours to fix it if you found it during the design stage; it now costs like 250 hours to fix it in deployment. So the delta was about 25 times. And you look at that, and that’s bonkers, because you’re already paying developers, engineers, etc., to build and iterate systems. So this cost doesn’t actually show up on a profit and loss statement. But where it shows up is in the productivity loss.
Because if you’re now spending 25 times more effort on something than if you had just done that same activity earlier, it’s kind of crazy. And the metaphor I always use to sort of think about this one is having a breakfast smoothie. Have a smoothie in the morning, right? And so you got your, like, pea protein in there, you got your spinach, water, cashew butter, whatever. And when you make the smoothie and you pour the smoothie out, you have two ways you can approach cleaning the blender: you can do it now, or you can do it later. If you do it now, it’s easier, but most people are like, I’m busy. If you do it later, it’s super hard. Like, if you do it later, all those ingredients, they harden and they become, like, crystallized on the thing. You got to disassemble it, you got to scrub it. It’s a nightmare. And you usually then have to do that when you’re wanting to make your smoothie, right? But if you, right in that moment, put in a little bit of soap and a little bit of water and you run the thing for like 10 seconds, it literally cleans itself. That’s what it’s like building security in earlier. That system will secure... it won’t secure itself, but the process will make it so, so, so much easier than if you do it later.

Camille Morhardt  17:32

You started a podcast called Tech Done Different. What do you think of podcasting? Like, how has that been for you being from sort of behind the scenes to like chatting with other people anything like awkward, unexpected, amazing? What kind of thoughts do you have on it?

Ted Harrington  17:48

And what was cool about the process of writing the book was that I had this opportunity to interview all these people, and, you know, ask them about, like, well, tell me about this challenge, am I understanding this right? And then when that part of the book-writing experience was complete, I was like, oh, I mean, I want to fill this void. And that moment in time was also right in the middle of a raging pandemic, when people were, you know, staying away from each other. And so I’m like, well, maybe there’s a way where I can both talk to people and still continue to foster connections with people while I’m not able to physically be together. And so then I thought about, well, what would be the format that would be interesting? Where’s the conversation that needs to be had? And so that was sort of the impetus to it. And I’ve really, really enjoyed it, because, selfishly, here I am, I get to talk to all these smart people. And then every episode I’m like, here’s the problem I have, can you give me advice on my problem? And that makes for a great episode. And I leave, like, thanks for the consulting. I love that. I think it’s awesome.

Camille Morhardt  18:50

I love that too. It’s amazing all the things that you’re thinking about, partly because of the other people that you’re talking to and that you’ve spoken with on a similar topic. And then you can ask another person, and it’s like this constant flow of, you know, building up of knowledge and information over time. It’s very fun. Thank you, Ted. Ted Harrington, who wrote the book Hackable, and partner at the company ISE, and they started IoT Village, which is very cool. Go check it out if you haven’t already. Thanks so much for joining today and helping us define “good hacker.”

Ted Harrington  19:23

Thanks for having me. And if anyone has any follow-up questions or wants to reach out to me, you can find me at tedharrington.com. Very cool. Thanks, Ted.

ANNOUNCER  19:32

Never miss an episode of What That Means with Camille by following us here on YouTube, or search for InTechnology wherever you get your podcasts. The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.
