Jeff Moss on the Evolution of Hacking at SecTor 2021
Jeff Moss, founder of DEF CON/Black Hat, gave the keynote speech at SecTor 2021 in Toronto, Ontario. His talk was nostalgic, reflecting on the 40+ years of computer hacking. His talk was also inspirational, welcoming a new generation to continue the tradition in the future.
Moss defined the word “hacker” as “curiosity plus skills.” He pointed out that someone having curiosity, with no skills, is not a hacker. And conversely, someone having skills with no curiosity is not a hacker either. You need both.
Moss also said that all hacking is not infosec and that all infosec is not hacking. “Hacking can provide a lot of joy and absolutely no income. Where with infosec the goal is to produce income. It’s a job. You get up, you have to be professionally creative, you have to do the thing, solve the problem, write the report. But hacking, not so much. You might be interested in reverse engineering some protocol for no reason at all. It’s that innate curiosity.”
This set up a basic dichotomy throughout his talk: hacking doesn’t require professionalism, just curiosity, and infosec does require professionalism but not always curiosity. That difference has provided some tension within the hacking community, the idea that some people are actually making good money being hackers today.
Moss then defined four eras in hacking history: Age of Innocence, dot.com, Coming of Age, and the Next Generation.
In the Age of Innocence, 1970s - 1994, everything was new and hard to get. He said people would write out large text files and share these on bulletin boards “because there was no internet.” No internet, no online stores, so the most you could steal was free long distance phone calls, which you would need to contact different databases around the world. He talked about blue boxes which used different tones to access different areas of the telephone network for free. Not really to steal, but to gain access to faster computers. "And then AOL came and ruined it for everyone," he said.
The dot.com era, 1994-2002, was the time of the commercial internet, the rise of search engines, and internet browsers. Moss noted that security people he'd known for years started getting salaried jobs … and started using their legal names. He said he had to “double his memory” to include both the hacker nicknames and the real names of people in his contact list.
The Coming of Age era, 2005-2019, provided "free" long distance and "free" internet access; we're always online, but this gives rise to surveillance capitalism. Moss said nation-states want secrets, criminals want money, and protestors want change. He added that hackers and researchers want knowledge. He said hackers and researchers really lead the way by discovering new classes of vulnerabilities, by exposing poor security practices, and by spurring public debate about information security. He said criminals and governments do not want debate; it's not in their interests. So it's up to the hackers and researchers. He said, "the better you understand the risks, the better informed your decisions will be." He mentioned how the Digital Millennium Copyright Act, specifically US DMCA 2015 section 1201 (a) (1), now grants exceptions, to be renewed every three years, for certain types of hacking. He also said better policy decisions are being made by understanding that we should be curious about how a system really works vs. what we are told; that hacking is about continuously learning and teaching others; and that hackers are civil society speaking truth to power.
In the Next Generation era, today through 2035, everyone is online all the time, everyone is under attack (corporate or government) and there's now cognitive warfare to influence opinion. Moss said "everything's at risk, which means we [hackers] have employment forever." He said "if you're in it to hack for change; well, change happens very slowly." He used an analogy with a cancer doctor. A cancer doctor doesn't wake up one day and say today I'm going to cure cancer. Instead, the cancer doctor wakes up and realizes that he or she is part of a long battle. He said security work is like that. He also said that "hacking will influence all industries and technologies." It will have social impact. It will have commercial impact.
Moss said that he got his first dial-up modem around 1982. He said that over the years the community wasn't always doing what he wanted, but he didn't say "well, I'm out of here." Rather, he said "What I try to do is build the house that I want to live in. When you enter into this hacking community, try to create the environment you want to see for others." He ended his talk by saying he wants to build a community in hacking that outlives each of us.