Cybersecurity expert Keren Elazari on Hackers: The Internet’s Immune System at TED Talks – Transcript
Right click to download the MP3 audio:
Keren Elazari – Cybersecurity expert
Four years ago, a security researcher, or as most people would call it, a hacker, found a way to literally make ATMs throw money at him. His name was Barnaby Jack, and this technique was later called jackpotting in his honor.
I’m here today because I think we actually need hackers. Barnaby Jack could have easily turned into a career criminal or James Bond villain with his knowledge, but he chose to show the world his research instead. He believed that sometimes you have to demo a threat to spark a solution. And I feel the same way. That’s why I’m here today.
We are often terrified and fascinated by the power hackers now have. They scare us. But the choices they make have dramatic outcomes that influence us all. So I am here today because I think we need hackers, and in fact, they just might be the immune system for the information age. Sometimes they make us sick, but they also find those hidden threats in our world, and they make us fix it.
I knew that I might get hacked for giving this talk, so let me save you the effort. In true TED fashion, here is my most embarrassing picture. But it would be difficult for you to find me in it, because I’m the one who looks like a boy standing to the side.
I was such a nerd back then that even the boys on the Dungeons and Dragons team wouldn’t let me join. This is who I was, but this is who I wanted to be: Angelina Jolie. She portrayed Acid Burn in the ’95 film Hackers. She was pretty and she could rollerblade, but being a hacker, that made her powerful. And I wanted to be just like her, so I started spending a lot of time on hacker chat rooms and online forums.
I remember one late night I found a bit of PHP code. I didn’t really know what it did, but I copy-pasted it and used it anyway to get into a password-protected site like that. Open Sesame. It was a simple trick, and I was just a script kiddie back then, but to me, that trick, it felt like this, like I had discovered limitless potential at my fingertips. This is the rush of power that hackers feel. It’s geeks just like me discovering they have access to superpower, one that requires the skill and tenacity of their intellect, but thankfully no radioactive spiders.
But with great power comes great responsibility, and you all like to think that if we had such powers, we would only use them for good. But what if you could read your ex’s emails, or add a couple zeros to your bank account. What would you do then? Indeed, many hackers do not resist those temptations, and so they are responsible in one way or another to billions of dollars lost each year to fraud, malware or plain old identity theft, which is a serious issue. But there are other hackers, hackers who just like to break things, and it is precisely those hackers that can find the weaker elements in our world and make us fix it.
This is what happened last year when another security researcher called Kyle Lovett discovered a gaping hole in the design of certain wireless routers like you might have in your home or office. He learned that anyone could remotely connect to these devices over the Internet and download documents from hard drives attached to those routers, no password needed. He reported it to the company, of course, but they ignored his report.
Perhaps they thought universal access was a feature, not a bug, until two months ago when a group of hackers used it to get into people’s files. But they didn’t steal anything. They left a note: Your router and your documents can be accessed by anyone in the world. Here’s what you should do to fix it. We hope we helped. By getting into people’s files like that, yeah, they broke the law, but they also forced that company to fix their product.
Making vulnerabilities known to the public is a practice called full disclosure in the hacker community, and it is controversial, but it does make me think of how hackers have an evolving effect on technologies we use every day. This is what Khalil did. Khalil is a Palestinian hacker from the West Bank, and he found a serious privacy flaw on Facebook which he attempted to report through the company’s bug bounty program. These are usually great arrangements for companies to reward hackers disclosing vulnerabilities they find in their code.
Unfortunately, due to some miscommunications, his report was not acknowledged. Frustrated with the exchange, he took to use his own discovery to post on Mark Zuckerberg’s wall. This got their attention, all right, and they fixed the bug, but because he hadn’t reported it properly, he was denied the bounty usually paid out for such discoveries.
Thankfully for Khalil, a group of hackers were watching out for him. In fact, they raised more than $13,000 to reward him for this discovery, raising a vital discussion in the technology industry about how we come up with incentives for hackers to do the right thing.
But I think there’s a greater story here still. Even companies founded by hackers, like Facebook was, still have a complicated relationship when it comes to hackers. And so for more conservative organizations, it is going to take time and adapting in order to embrace hacker culture and the creative chaos that it brings with it. But I think it’s worth the effort, because the alternative, to blindly fight all hackers, is to go against the power you cannot control at the cost of stifling innovation and regulating knowledge. These are things that will come back and bite you.
It is even more true if we go after hackers that are willing to risk their own freedom for ideals like the freedom of the web, especially in times like this, like today even, as governments and corporates fight to control the Internet. I find it astounding that someone from the shadowy corners of cyberspace can become its voice of opposition, its last line of defense even, perhaps someone like Anonymous, the leading brand of global hacktivism.