Ýmir Vigfússon – Icelandic hacker and computer security expert
I grew up as a hacker. And by hacker I mean somebody who can break into a computer. And my goal here today is to explain to you why I teach other people how to hack.
So imagine a world filled with intellectually capable people who all share a common passion. And in this world the only way you communicate is through a chat interface. So you have no idea who the person is on the other end. It could be a 13 year old girl from Haiti, it could be a 37 year old law enforcement agent from Thailand, it could be artificial intelligence, you just don’t know. But it doesn’t even matter. You see, your background, your age, your sex, your class, your looks, none of that has any bearing in this world that I’m describing. The only thing that matters in this world is your knowledge, your skills and your curiosity for understanding how the digital world works.
So the world that I’m describing is the hacker underground where I spent my teenage years. So what drew me to that place? What drew me to this world? I’m sure at some point in your life you must have tried to guess someone’s password, right? Yes, that’s right. Do you remember that feeling, that rush, the kind of euphoric sensation of accomplishment and power when you succeeded? Right? It’s the same kind of feeling that you would get when you solve a complex puzzle or when you beat someone at chess, when you prove a mathematical theory. You feel as if somehow you outsmarted a real or imaginary opponent.
So hackers get that same excited rush when they defeat someone’s program to make it do something that it was not intended to do, or when they gain unauthorized access to someone’s system. It’s really not that hard to relate. I mean, imagine this — imagine this, you’re in your online bank and you’re about to transfer money to your friend. Just for kicks, instead of putting in the amount you put in the number 0, just to see what happens, just for kicks. And nothing happens. And you persist, you keep at it and you try something else and you try putting in letters instead of numbers, and again the site blocks it. And you persevere, you try again, you try putting in a negative number just to see what will happen. And lo and behold it goes through and what have you done? Now instead of you transferring money from your account to your friend you’re effectively taking money from your friend’s account to put into yours, right, without any notification. Can you imagine what you would feel like if you had just discovered this?
All right. I’m sure you would feel surprised. I’m sure you would feel slightly elated. I’m sure you’d feel as if you outflanked an entire army of programmers whose only purpose was to try to keep out people like yourself. And I’m sure you’d feel a bit uneasy that it was this easy to defeat the security of the site to which you are entrusting your money, right?
So most people I know would get a huge kick out of finding this type of vulnerability. But they wouldn’t abuse it. They’d just enjoy the process of finding this bug and then they would report it. Unfortunately that is becoming more and more accepted. As it turns out, this particular bug that I’m describing to you was real, was actually found by my friend, who at some point just called me like, ‘Hey Ýmir, this is this hysterical one. Look at your account. Now look at it again. Isn’t that funny?’ So he’s doing this audit of some internet security bank, yeah, it was really funny.
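The negative-amount transfer bug from the story, as an added example that is not code from the talk or from any bank: a naive transfer that trusts the amount as given, next to a checked version that validates the untrusted input before any money moves. Account names and balances are constructed for the demo.

```python
from decimal import Decimal, InvalidOperation

# Constructed in-memory ledger for the demo (not any real bank's data).
ACCOUNTS = {"me": Decimal("100.00"), "friend": Decimal("100.00")}

def transfer_naive(accounts, src, dst, amount):
    """The flawed behaviour from the story: the amount is used as-is, so a
    negative value silently reverses the direction of the transfer."""
    accounts[src] -= amount
    accounts[dst] += amount

def parse_amount(raw):
    """Turn untrusted user input into a positive money amount or raise ValueError.
    Rejects letters, zero, negatives, NaN/Infinity and more than two decimals."""
    try:
        amount = Decimal(str(raw).strip())
    except InvalidOperation:
        raise ValueError("amount is not a number")       # blocks 'abc'
    if not amount.is_finite():                           # check before comparing:
        raise ValueError("amount must be finite")        # NaN comparisons raise
    if amount <= 0:
        raise ValueError("amount must be positive")      # blocks 0 and negatives
    if amount != amount.quantize(Decimal("0.01")):
        raise ValueError("amount has too many decimal places")
    return amount

def transfer_checked(accounts, src, dst, raw_amount):
    """Hardened transfer: validate the amount, then check funds, then move money."""
    if src == dst:
        raise ValueError("cannot transfer to the same account")
    amount = parse_amount(raw_amount)
    if accounts[src] < amount:
        raise ValueError("insufficient funds")
    accounts[src] -= amount
    accounts[dst] += amount
    return amount

def demo_reversed_direction():
    """Show the bug: a -25 'transfer' pulls money out of the friend's account."""
    accounts = dict(ACCOUNTS)
    transfer_naive(accounts, "me", "friend", Decimal("-25"))
    return accounts  # me: 125.00, friend: 75.00

def demo_rejected_inputs():
    """Every input the story tried (0, letters, negative) must be refused,
    and a refused transfer must leave both balances untouched."""
    rejected = []
    for raw in ["0", "abc", "-25", "NaN", "Infinity", "10.005", "150"]:
        accounts = dict(ACCOUNTS)
        try:
            transfer_checked(accounts, "me", "friend", raw)
        except ValueError:
            rejected.append(raw)
            assert accounts == ACCOUNTS, "balances changed on a rejected transfer"
    return rejected
```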
Anyway, so I’m sure somebody can relate, but during your teenage years you don’t really have much of a moral compass, somebody can relate to that I hope. So I was sitting at one point in my room and I was hacking the server at an Icelandic internet service provider. And some member of my family picked up the phone, ‘Oh Ýmir, are you on the phone?’, which disconnected me from the internet. This is from the time when everybody had modems, right? But moreover it disconnected me from the server that I was hacking and left that server completely unusable. And in such a state of disarray that I couldn’t even get back into it. And I just remember sitting there looking at my screen, feeling utterly devastated over what had happened. I had no idea what to do. I was just – I had this cancerous feeling of guilt in my gut, I really had no idea what recourse I had. And I remember spending the entire night with my friends just discussing what to do. And it was decided that the following morning I would go to this company and tell them what I had done.
And so in the morning I go with a friend, we catch the bus and we get to the place, we talk to the secretary, the secretary phones the system administrator and then we wait. And we wait, and it was the most agonizing wait that a 15 year old could ever ask for. It was an experience that I will never forget. I remember thinking that there were two ways this could play out. The system administrator could be forgiving, could scold us and be like, ‘Hey, don’t hack my servers again. Get out.’ Or he could be a lot angrier than that. He could react and he could practically sue us, he could just label us as criminals, steer us on the path of something very dark, and pretty much it would be over by then.
As it turned out the system administrator was an amateur hacker, and was delighted to see us.
He was like, ‘Wow, that’s really cool’, and like we showed him how to fix his servers and he was like that’s really cool. And then instead of reacting with rage he called us a few days later and offered us a part-time job with the company which we kept for several years, and yes, it was fun.
Anyhow, as I grew older my moral compass developed, fortunately. And I moved away from hacking and I studied mathematics at the university and went to the US and did a PhD in computer science. And when I came back I realized that the state of security in Iceland was pretty much the same as when I had left, an utter mess. And so it was somehow as if Icelanders believed that this geographic remoteness that had sheltered us throughout millennia was somehow an effective protection against the forces of the internet, which couldn’t be more false.
So I started thinking to myself: what can I do to improve the cyber security of my home country? And as I was searching for an answer to this question, I realized that there were lots of system administrators, who are ultimately responsible for a lot of the security, who felt reasonably safe against cyber attacks. And this belief was usually sustained by some sort of faith in an antivirus solution or an elaborate firewall or some security solution that they had just purchased for a lot of money; it must be good, it was really expensive. And I was just flabbergasted. I mean, can you imagine somebody telling you like, ‘Hey, my house is really secure, yes, yes. I bought this really big steel door and it’s reinforced with unobtanium, nobody can get inside’. And then when you drive past this home, you see this really big steel door and the windows are all open. That is how I felt when people said this to me. It was something else to listen to this.
So, and then it really hit me that the way I was thinking about security was actually fundamentally different from the way they were thinking about security. You see, as a hacker I am trained to ask: how would I get in? How would you defeat the defenses? Are there protections in place? Are these protections even enabled? Can I get around them? I’m trained to ask all these questions.
I mean, ask yourself: how would you break into your own home? Have you ever thought about that, right? How would you do it? Or you can ask a friend. It turns out that if you ask this question periodically, or ask people that you trust, and then you do something about it, you are probably going to have a safer home than if you just blindly believe in some security solution, that you could just buy security in a box.
So what I decided to do was that I wanted to somehow transfer this mindset that I had, this hacker mindset, on to people so that they could also see my perspective on things. And what I decided to do was just to start teaching hacking, that I would teach how software breaks, how defenses get thwarted and how people bypass all these new protections that are coming about, how new protections come in their place, how this cat and mouse game is played out. Because you see, security is actually really hard, because as a defender you need to anticipate every possible way somebody might try to break in. But the hacker only needs to find one way in, right?
So what did I do? Well, I did three things – I had three approaches to try to improve the state of affairs through teaching hacking. The first one is that I started teaching a university course at Reykjavik University where every year we have 20 to 30 graduates who understand the very low-level details of what it is to hack and how things break and how to break them. They understand this cat and mouse game that’s being played in the security industry. And these are the people that are going to be in critical roles at the Icelandic companies for some time to come, they’re going to understand that like, ‘Hey, firewalls are not actually very effective anymore. It’s not going to be sufficient.’ Right? These are the people that are going to be in these key roles making decisions which now, in this time of so many cyber attacks, we don’t even hear about all of them, and in this time where we have industrial espionage raging and becoming more and more prevalent, these are the people that are going to make a difference.
The second thing that I did was that I co-founded a company with some of my friends, with security experts, that is called Syndis, and they’re specialized in simulating sophisticated cyber attacks against large international – large Icelandic corporations. And as a part of what we do, a part of our strategy is that we try to take the people that work at these companies and teach them the things that we do, teach them how we defeat their defenses, to try to educate them with this hacker mindset that we have, so that they too can understand the context of security a lot better. And clearly we’re filling some sort of need, because the biggest problem we’ve had at this company is to manage project workload.
Now the third thing that I did was that I started running hacking competitions. Sure, maybe some of you have heard of them; they’ve been running now for three years. So every year I put a server on the internet and I ask people to hack it, and from the people who succeed we pick a few finalists and they come on stage. And in front of up to 500 people they are hacking each other live, it’s really fun actually. There’s like a live scoreboard, there’s like a DJ and there are commentators and then you have a lay audience just looking at this really strange thing. And it provides several opportunities.
There are some side effects from doing it this way. First of all, it’s like really educational, and because you have this lay audience, you get this opportunity to teach people a thing or two about cyber security, raising the awareness of some of the latest things they should watch out for, some of the things they can do to protect themselves.
And the second side effect of the way I’m doing things is that the participants, which are usually students, they learn an incredible amount in a very short period of time. You see, normally when I’m teaching computer architecture or I’m teaching operating systems, I have students that are like moaning, they’re just like, huh, do we have to learn this? Will this be on the exam? And I go like, yeah, yeah. But for this competition I have people that are coming up, like, can you tell me everything you know about computers, I want to know everything, I want to learn it all, can you tell me how to — you teach me how to hack. And so it’s like incredible in a very short period of time how much they could absorb, I pretty much just taught them everything I know.
And so the third thing that comes from having, running this type of hacking competition is that the media really loves it – I talked to the media liaison at Reykjavík University, and it’s like, yeah, so I’m going to have this hacking competition. He is like yeah, yeah. I contacted the media and it was like selling ice cream in a desert, they just flocked onto it like hyenas and like everybody showed up. I remember like the first competition I had two people, and it was like oh yes, you can expect maybe 20 people to show up or something. You guys are going to be on stage, you’re going to be hacking each other. And then when they came there were just big cameras everywhere, like these newscasters were like a lot of light around them and so forth. And these two guys were just frozen on stage trying to do something, totally unprepared, it was really funny.
Anyway, so it’s been really educational, really entertaining and I think it really has worked out for the better. But I know there’s this lingering doubt in the back of your mind, there’s this question which is: wait a second, aren’t you just arming people with digital weapons? To an extent that’s true. I am indeed teaching people skills that they could abuse. But so are chemistry professors, so is the police academy, so are martial arts teachers, and just like these people, I am putting trust in my students, I’m putting trust that they’re not going to abuse their skills. In fact, they have to sign a waiver that they’re not going to do it for anything unethical. And I spent a lot of time with them trying to understand these ethical dilemmas that are created through the power that is hacking.
Imagine for instance if you find an exploit that could make you walk into any computer on the planet, what would you do? Now what would you do if somebody offered you $500,000 or $1 million? These are real questions and this is really how the environment works in the underground. So I actually believe that I have swayed some people, some people whose moral compass was not fully developed, some people who are making choices that they might later regret, some younger versions of myself; I may have strayed them on a path where they are becoming constructive members of society and making choices that are improving the security of us all. And because there was somebody who did that for me many years ago, and it’s something that I’ll never forget, and it’s something that I want to pay forward, that is why I teach people how to hack.