The Extinction of Hackers
The Extinction of Hackers
20 Oct 2005
Abstract The Hacker community looks at the end of their era. The reason is not the always-propagated 1985 type of government, which we surely see in many places being perfected. Neither is it the big evil corporations hunting down and suing all the hackers, preventing freedom of speech and teaming up with the evil governments. The reason is something so simple that most of the people in the community would never notice it: there is no young blood to speak of. The entire community ages linear with the people who developed it to what it is now. At the same time, the technology and the respective hacker techniques get more complicated, complex and demanding, so that there is almost no chance any more to grow apprentice hackers.
Introduction I call myself a hacker. It’s a title I carry with pride. It’s a title I looked up to when I wasn’t entitled to name myself one. I decided for myself when I was ready for the title, and honestly, I don’t remember anymore when and why this happened. There will always be people who do not think I’m worth the title and there seem to be some thinking I am.
The term Hacker has many sides and facets and everyone likes some of it and doesn’t like others. There are the aspects describing wizard like handling of technology, the black magic of breaking into computers and networks. There is the question of using these skills to do good or evil and the definition of what good or evil is. For many people, especially in what they call the scene, there is also the lifestyle.
It doesn’t matter if you think of hackers as the ones who write viruses and worms, the ones who wear black all the time and are rarely seen without their laptop computer, the people who publish security issues with all kinds of software and make the companies fix them for free or the ones who protect your personal data from being distributed all over the government and industry by showing the same that it’s not secure to do so. You might even think of hackers as the ones who broke into all your web sites and replaced the start page with an ugly text making fun of you.
At the end, it doesn’t change the fact that the hacker community did have an important role to play in the rise of the Internet (no, not just the Web). It’s hard to say what the whole Dotcom time would have been without people constantly breaking all the fancy new stuff. Or do you want to drive a car where only the manufacturer tested it and told you it will be perfectly safe for you. Ford Explorer anyone?
Anyhow, for the purpose of this text, think of hackers as renegade computer experts and take my word for it that we need them. If you don’t, there is no point in reading the remaining text.
Random observations The following is a list of random observations, just to draw the sceptic reader into the picture:
The last hacker event I attended (less than a month ago) had an average age of almost 30 and people were congratulating each other for still hacking. From all hackers I know personally, only two or three are less than 20 years old. On a closed, so-called “elite” email list, a fellow hacker was celebrated for solving a simple task in Visual Basic. Any junior hacker proposing the same would have been crucified for it. All new members of established hacker groups I heard of in the last two years were over 25 years old. Everyone I know trying to get into hacking has the primary goal of writing buffer overflow exploits. Most of them don’t actually know why this is their final goal and almost all give up before reaching it. Every presentation I did on the topic of hacker development had an audience full of 30+ people. Every young hacker I know either got tired of the community and left or stopped hacking in favour of just hanging out and talking. There hasn’t been any groundbreaking works in the last two years, except for one technique, which was developed by a teenage hacker. If you don’t see a pattern emerging or don’t think this pattern has a bitter taste to it, you should probably consider reading something else now.
Some will now question if there is really a problem and if my random observations actually reflect the real world. The only thing I can say is: look around you. How many speakers at conferences you visit are younger than 22 years? Only a few years ago, I attended conferences with more than 5 speakers being teenagers. Today, there are none. That alone should speak for itself.
Unsorted list of reasons So the obvious question is: why is the community aging so badly and why don’t we see smart, aggressive, young blood taking over from the old farts?
Late starts One of the more obvious reasons may be the age at which people start hacking. Although all the old farts in the scene will state differently, hacking has its peak of fascination when you are a teenager, and that’s not a bad thing.
Teenagers can dream a lot more than people in the twenties can. There is still time to think about the boring parts of life later: learning, graduating, finding a job and earning money. Getting into hacking is almost completely different than getting seriously into computers. But both have something in common: you need to play around a lot, which takes a lot of time and dedication. This dedication is hard to muster when you are an adult. But the dream of having the power to access any computer system on earth you want can result in a lot of dedication in a teenager. And, this dream is a lot more realistic than becoming a rock star.
There is also the fact that nobody really knows how one learns hacking from the ground up. The teenage hackers just play around and after a couple of years they suddenly are hackers. When being asked how to become a hacker, many people just don’t have any answer. Those of us who spent some time thinking about it will answer with a list of skills you need. This list tends to be large enough to keep a reasonable intelligent person busy until retirement. Interestingly enough, following such a list does not produce hackers.
The third advantage for teenagers is knowledge or the lack thereof. It is common wisdom that knowledge and experience gets in the way when you try to be creative. People tent to imitate themselves when they found something works. Teenage hackers don’t have this limitation. Teenagers developed many of the great breakthroughs in attack techniques on all fronts. Often in computer security, the trick is to be not impressed with the defences or the odds of getting in. If you think you know how much work a specific attack is, you either don’t do it because it’s trivial or you don’t do it because it’s too much work. But if you don’t know, you just do it.
Fact is, very little teenagers are getting into hacking in the last five years, and if they do, other aspects prevent them from becoming any good. Keep reading.
Stupid statements Interestingly, some of the old farts actually realise the problem, but offer an easy excuse why it exists and why they cannot do anything about it: "The young hackers did not build their first computer, but got it for xmas with Windows preinstalled and a lot of computer games. They cannot understand the fundamentals, therefore, they cannot become good hackers." This is arrogant bullshit. Just because a young hacker startet with Windows98 and his first programming attempts were in HTML, it does not mean anything. It's a different way to get startet, not the wrong way. Besides, the old farts stating something like that wouldn't be able to program for shit, even if their life would depend on it. So why bother listening to them.
The Meritocracy A commonly agreed upon fact is that the hacker community is a meritocracy. This means that your rank in the community depends mainly on how much “magic hacker points” you collected. It should be obvious that I’m not referring to an official counting scheme but rather to a rating in the perception of other hackers.
There is a major problem with that approach: the jury. The community is clustered around a relatively small number of fairly well known people. These people almost exclusively influence the joint opinion of the community. But these people are all part of the old farts club. For an apprentice hacker, it’s hard or almost impossible to be recognised as good or outstanding without impressing the old farts club.
Now, the established leaders of the hacker community often have very little interest in openly stating that a youngster’s work is way beyond them. People being glued to their chairs is a common problem and the hacker community is no exception. The old farts fear to degrade themselves by giving magic hacker points to young people. For some of the old farts it’s also their job security @stake. Most of them realise this fact at some point in time, but usually too late. A common sight is the late attempt to hand over to a younger (but still increasingly old) generation, only to find that the juniors forgot how to have their own style. Consequentially, the juniors fail to lead by example and keep relying on the seniors to tell them how.
Another aspect of the meritocracy and the established leaders has as much impact as the first: the established leaders show the paved path on which they came from being nobody to being a hacker. The junior people either follow this path, learn how to write buffer overflow exploits and shell codes, although this attack vector might be extinct in the near future, or they won’t be accepted. The few intelligent and promising young people in the scene stop respecting the established leaders and, since everybody else looks up to them, stop feeling comfortable with the entire scene. Interestingly enough, this is also one of the reasons there are so little female hackers, but I leave the discussion of this topic to other, more appropriate people.
Bottom line of the meritocracy, which used to be a good thing, is, that apprentice hackers either follow antiqued paradigms and out-dated personalities or turn their back on the community because they’re not accepted.
Too easy and too hard In a highly technological environment, the technology itself has a big impact on the demographics of the people dealing with it. There is an interesting connection between the way the computer security defences developed in the last years and the influence this has on the hacker community.
When starting with hacking ten years ago, it was all about exposed services, weak passwords and buffer overflows. Today’s digital world is a lot different. Many operating systems are shipped with various anti-hacker technologies build in and every company has at least a firewall. That doesn’t mean it’s harder now, because there are also the myriads of web applications, web services and new programming languages and paradigms.
When starting today, the junior hacker probably starts reading the established mailing lists, only to discover that they are full of Linux distributions reporting fixed packages and companies posting vulnerability information without any details. The only issues found on these lists that a newbie would probably understand are Cross Site Scripting attacks. Naturally, the newbie will start looking for those himself and may end up posting some of them, without ever understanding which XSS effects of a web application can actually be used for an attack and which are just HTML games.
Assumed the newbie actually spends some time reading through papers and discovers SQL injections, there is a huge step between the two. SQL injections work by modifying a programming language (SQL) statement partially, mostly blindly, and work different on different back end database platforms, which the attacker usually doesn’t know. This means, suddenly it’s no longer just imitation but understanding SQL, relational databases and web application architectures. And since these applications are often written in different languages, just add learning Perl, PHP and a little Java to the list of requirements.
It should be obvious from this little example just how big the steps between two classes of attacks are. And since the established community so effectively prevents the next generations from developing their own attacks, there is little an apprentice hacker can do but learn all of it. Now, that’s what I call hard, boring and reward-free work. Is that hacking? It’s so not.
On the other hand, there are so many juicy technologies the industry comes up with a young hacker could be interested in. But instead of encouraging an apprentice hacker to start looking at whatever he finds interesting and pointing out just how many interesting things are out there, the established clan of senior people require more and more superficial proofs of skill.
From a purely technological point of view, it might make sense to require prerequisites. But if a young and dedicated candidate wants to hack .NET or Java, asking him to learn C and C++ buffer overflow exploitation and shell codes from Aleph1 to today is extremely counterproductive. The promising young fellow is pushed into the thinking pattern of the old generation, all dedication is used up and there is almost no satisfaction in for him or her. That’s exactly what is not wanted. You can bet that the most effective attacks against .NET applications will have nothing to do with buffer overflows. And you can bet whoever discovers them is below 25.
Wrong focus The established community and its rules have the effect of distracting young hackers from their own, personal goals. You are not accepted as a hacker if you run Windows (there are very few exceptions). If you are not an established and respected person, you must run at least Linux, but never one of the large distributions like RedHat or Suse, even if your goal is hacking in the Microsoft .NET environment.
There is no doubt that working with Linux, FreeBSD, OpenBSD and MacOS X will teach you a lot. But if that’s not what you are interested in, why bother? It just wastes a lot of valuable time, during which you could have read another book or two about the Windows architecture.
Actually, in the time required to get into Linux, the person probably developed more new attacks against Windows than the Linux priest ever heard of. Holy wars about operating systems and programming languages are for people who basically have nothing else to do. But the apprentice hacker, when trying to join a community or hacker group, is forced to convert to their religion, meaning their operating system of choice, distribution and programming language.
I have witnessed promising young hackers being attacked for running the wrong window manager on their Linux X Window System, while the person complaining was actually saying “X Windows”. In many other communities, teaching the basics works quite well and establishing good standards helps the newbie to not waste his/her time. Not so with computers and hacking. Telling people what they need to use as tools is stupid and does not support creative thinking. Showing people what tools there are and trying to be objective is. The new generation needs the freedom to make their own decisions.
Conclusion, kind of Software doubles in size approximately every 18 months. The industry invents new systems, programming languages, protocols and products like ice cream flavours. Our personal data is distributed in global networks without anyone on earth understanding all the routes it takes. Even the companies who want to secure their software and systems don’t know where to find the right people to do it.
The community, the industry and the society as a whole needs smart, aggressive, young blood taking over the hacker’s banner. It’s time the role models realise what their task and their responsibility is, namely to encourage young hackers to do their own thing and stop to tell them how something should be done. This is not science; this is hacking, where reinventing the wheel is not necessarily a bad thing. The task is to help (re)inventing, not to show them your wheel from five years ago, it’s rotten anyway.
A Note from 2011 With pleasure I notice that I was somewhat wrong when I originally wrote this. The young blood increasingly ignores old farts and simply does what I was hoping they would: (re)inventing and exploring. Even some of the old farts are re-inventing themselves, others have taken on the role of support instead of suppression. We hackers seem to resist extinction, for now.
 As a rule of thumb, if the web application transports authentication or session information in the URL or as a cookie, the XSS is usable for an attack.
 Which is a faux pas, so much for the “political correct” choice of Window Managers.