Watch and read the full transcript of Icelandic hacker Ýmir Vigfússon’s TEDx Talk: Why I Teach People How To Hack at TEDxReykjavík conference.
Ýmir Vigfússon – Icelandic hacker and computer security expert
I grew up as a hacker. And by hacker I mean somebody who can break into a computer. And my goal here today is to explain to you why I teach other people how to hack.
So imagine a world filled with intellectually capable people who all share a common passion. And in this world the only way you communicate is through a chat interface. So you have no idea who the person is in the other end. It could be a 13 year old girl from Haiti, it could be a 37 year old law enforcement agent from Thailand, it could be artificial intelligence, you just don’t know. But it doesn’t even matter. You see your background, your age, your sex, your class, your looks, none of that has any bearing in this world that I’m describing. The only thing that matters in this world is your knowledge, your skills and your curiosity for understanding how the digital world works.
So the world that I’m describing is the hacker underground where I spent my teenage years. So what drew me to that place? What drew me to this world? I’m sure at some point in your life you must have tried to guess someone’s password, right? Yes, that’s right. Do you remember that feeling, that rush, the kind of euphoric sensation of accomplishment and power when you succeeded? Right? It’s the same kind of feeling that you would get when you solve a complex puzzle or when you beat someone at chess, when you prove a mathematical theory. You feel as if somehow you outsmarted a real or imaginary opponent.
So hackers get that same excited rush when they defeat someone’s program to make it do something that it was not intended to do, or when they gain unauthorized access to someone’s system. It’s really not that hard to relate. I mean, imagine this — imagine this, you’re in your online bank and you’re about to transfer money to your friend. Just for kicks, instead of putting in the amount you put in the number 0, just to see what happens, just for kicks. And nothing happens. And you persist, you keep at it and you try something else and you try putting in letters instead of numbers, and again the site blocks it. And you persevere, you try again, you try putting in a negative number just to see what will happen. And lo and behold it goes through and what have you done? Now instead of you transferring money from your account to your friend you’re effectively taking money from your friend’s account to put into yours, right, without any notification. Can you imagine what you would feel like if you had just discovered this?
All right. I’m sure you would feel surprised. I’m sure you would feel slightly elated. I’m sure you’d feel like as if you outflanked an entire army of programmers whose only purpose it was to try to keep out people like yourself. And I’m sure you’d feel a bit uneasy that it was this easy to defeat the security of the site to which you are trusting your money, right?
So most people I know would get a huge kick out of finding this type of vulnerability. But they wouldn’t abuse it. They’d just enjoy the process of finding this bug and then they would report it. Unfortunately that is becoming more and more accepted. As it turns out, this particular bug that I’m describing to you was real, was actually found by my friend, who at some point just called me like, ‘Hey Ýmir, this is this hysterical one. Look at your account. Now look at it again. Isn’t that funny?’ So he’s doing this audit of some internet security bank, yeah, it was really funny.
Anyway, so I’m sure somebody can relate but during your teenage years you don’t really have much of a moral compass, somebody can relate to that I hope. So I was sitting at one point in my room and I was hacking the server at an Icelandic internet service provider. And some member of my family picked up the phone, ‘Oh Ýmir, are you on the phone?’, which disconnected me from the internet. This is from the time when everybody had modems, right? But moreover it disconnected me from the server that I was hacking and left that server completely unusable. And in such a state of disarray that I couldn’t even get back into it. And I just remember sitting there looking at my screen, feeling utterly devastated over what had happened. I had no idea what to do. I was just – I had this cancerous feeling of guilt in my gut, just I really had no idea what recourse I had. And I remember spending the entire night with my friends just discussing what to do. And it was decided that the following morning I would go to this company and tell them what I had done.
And so in the morning I go with a friend, we catch the bus and we got to the place, we talked to the secretary, the secretary phoned the system administrator and then we waited. And we waited, and it was the most agonizing wait that a 15 year old could ever ask for. It was an experience that I will never forget. I remember thinking that there were two ways this could play out. The system administrator could be forgiving, could scold us and be like, ‘Hey, don’t hack my servers again. Get out.’ Or he could be a lot angrier than that. He could react and he could practically sue us, he could just label us as criminals, steer us on the path of something very dark, just pretty much it will be over by then.
As it turned out the system administrator was an amateur hacker, was delighted to see us. He was like, ‘Wow, that’s really cool’, and like we showed him how to fix his servers and he was like that’s really cool. And then instead of reacting with rage he called us a few days later and offered us a part-time job with the company which we kept for several years, and yes, it was fun.
Anyhow as I grew older my moral compass developed, fortunately. And I moved away from hacking and I studied mathematics at the University and went to the US and did a PhD in computer science. And when I came back I realized that the state of security in Iceland was pretty much the same as when I had left, an utter mess. And so it was somehow as if Icelanders believed that this geographic remoteness that has sheltered us throughout millennia was somehow an effective protection against the forces of the internet, which couldn’t be more false.
So I started thinking to myself: what can I do to improve the cyber security of my home country? And as I was searching for an answer to this question, I realized that there were lots of system administrators who are ultimately responsible for a lot of the security who felt reasonably safe against cyber attacks. And this belief was usually sustained by some sort of faith in an antivirus solution or an elaborate firewall or some security solution that they had just purchased for a lot of money, it must be good, it was really expensive. And I was just flabbergasted. I mean can you imagine somebody telling you like, ‘Hey, my house is really secure, yes, yes. I bought this really big steel door and it’s reinforced with unobtanium, nobody can get inside’. And then when you drive past this home, you see this really big steel door and the windows are all open. That is how I felt when people said this to me. It was something else to listen to this.