Watch and read the full transcript of Icelandic hacker Ýmir Vigfússon’s TEDx Talk: Why I Teach People How To Hack at TEDxReykjavík conference.
Ýmir Vigfússon – Icelandic hacker and computer security expert
I grew up as a hacker. And by hacker I mean somebody who can break into a computer. And my goal here today is to explain to you why I teach other people how to hack.
So imagine a world filled with intellectually capable people who all share a common passion. And in this world the only way you communicate is through a chat interface. So you have no idea who the person is on the other end. It could be a 13-year-old girl from Haiti, it could be a 37-year-old law enforcement agent from Thailand, it could be artificial intelligence, you just don’t know. But it doesn’t even matter. You see, your background, your age, your sex, your class, your looks, none of that has any bearing in this world that I’m describing. The only thing that matters in this world is your knowledge, your skills and your curiosity for understanding how the digital world works.
So the world that I’m describing is the hacker underground where I spent my teenage years. So what drew me to that place? What drew me to this world? I’m sure at some point in your life you must have tried to guess someone’s password, right? Yes, that’s right. Do you remember that feeling, that rush, the kind of euphoric sensation of accomplishment and power when you succeeded? Right? It’s the same kind of feeling that you would get when you solve a complex puzzle or when you beat someone at chess, when you prove a mathematical theory. You feel as if somehow you outsmarted a real or imaginary opponent.
So hackers get that same excited rush when they defeat someone’s program to make it do something that it was not intended to do, or when they gain unauthorized access to someone’s system. It’s really not that hard to relate. I mean, imagine this — imagine this, you’re in your online bank and you’re about to transfer money to your friend. Just for kicks, instead of putting in the amount you put in the number 0, just to see what happens, just for kicks. And nothing happens. And you persist, you keep at it and you try something else and you try putting in letters instead of numbers, and again the site blocked it. And you persevere, you try again, you try putting in a negative number just to see what will happen. And lo and behold it goes through and what have you done? Now instead of you transferring money from your account to your friend you’re effectively taking money from your friend’s account to put into yours, right, without any notification. Can you imagine what you would feel like if you had just discovered this?
All right. I’m sure you would feel surprised. I’m sure you would feel slightly elated. I’m sure you’d feel as if you outflanked an entire army of programmers whose only purpose it was to try to keep out people like yourself. And I’m sure you’d feel a bit uneasy that it was this easy to defeat the security of the site to which you are trusting your money, right?
So most people I know would get a huge kick out of finding this type of vulnerability. But they wouldn’t abuse it. They’d just enjoy the process of finding this bug and then they would report it. Unfortunately that is becoming more and more accepted. As it turns out, this particular bug that I’m describing to you was real, was actually found by my friend, who at some point just called me like, ‘Hey Ýmir, this is this hysterical one. Look at your account. Now look at it again. Isn’t that funny?’ So he’s doing this audit of some internet security bank, yeah, it was really funny.