Welcome to the August issue of Hacker Chronicles, the hacker fiction newsletter!
Regards, John Wilander
Back when I was a PhD student in software security, I dug deep into exploitable bugs and wrote a bunch of attack code, even code that attacked itself. I wanted to unravel the mystery of how you break into a computer program and I can tell you it was really rewarding.
Programming a computer is itself a mystery for most people, as are many professions for the uninitiated. Hackers take a step beyond programming to exploit the unintended – things that the programmer might not have considered and thus not made their software handle gracefully. Such holes in computer program logic are called vulnerabilities, or vulns.
Since hacking is such a mystery, it should work great for fiction. We as readers love to wonder "how can that be?", "how can she possibly get out of that situation?", and "I wonder if that's going to come back and bite him somehow?"
But if we don't understand the solution to the mystery, it easily falls into the trap of deus ex machina – an act of God or "a seemingly unsolvable problem in a story is suddenly and abruptly resolved by an unexpected and unlikely occurrence."
Thinking of exploitation of weaknesses and vulnerabilities in the physical world gives us an opportunity to understand the mystery of the hack.
Here are three physical hacks that show how hackers think. Please don't try any of these ideas in real life as someone might get hurt or sick.
As a kid, I remember noting that milk cartons only had day and month printed as use-by date (no longer the case). This gave me the idea of saving a carton for a full year and then sneaking it back into our local grocery store. I never did but I still think about that hack. Nowadays when they do print year, how many actually check it?
What would happen if you nailed someone’s shoes to a wooden floor? Especially a pair of clogs? Maybe they’d fall over when they slip their feet in and aren’t able to move? Or maybe they always move their shoes before putting them on so they’d detect your “attack” right away?
Have you heard of TTL wire-wrapping? Probably not. It’s an old technique for connecting digital circuits without etching and soldering. Connections are made with thin wires that wrap tightly around tiny pins with sharp edges. A TTL complex project will eventually look like this:
As undergrads, two friends and I were tasked with designing and constructing our own micro computer with TTL and we spent a tremendous amount of time in the lab, eventually going in shifts.
There was this other team burning the midnight oil too and the two teams started challenging each other on coming up with the worst way to compromise the others' project. Maybe cut a random wire? Or remove one? Remove all wires to reboot the project? No, the most nefarious idea we came up with was to add one extra wire to the mix. I can still remember the sinking feeling when my friend Adam brought it up. It was a malicious hack and would be totally unexpected because when you're looking for mistakes you're looking for missing or erroneous things, not extra things on top of an otherwise correct setup.
And you know what? The photo above is borrowed from a case where that actually happened 😫: It’s a wire-wrapped board sabotage.
All the three ideas above – nailed down shoes, year-old milk carton, and the extra wire to compromise a circuit board – are examples of doing something unexpected, something not considered, and something the victim would have zero defenses against other than luck or instinct. That’s exactly what hackers are looking for in software.
The best example I can provide of a computer hack that was almost a physical hack was for the online order form of a furniture company. The programmers had failed to consider a case where someone would order a negative number of furniture.
A hacker found out that you could order minus one bookshelf and be credited the cost of one bookshelf, as if you'd returned it. They reported the vulnerability and it was fixed.
The next time you wonder how hackers do it, or need your fictional characters to pull off a neat hack, think of minus one bookshelf.
Surprising but inevitable, that's what readers or movie watchers want out of plot twists and unraveled mysteries. Their reaction should be "Waaat?! But of course." If it's just surprising, it may be a deus ex machina, and if it's just inevitable, readers will have seen it coming a mile away.
Hacking being such a mystery for most of us means it can easily be surprising. The hard part is to make it inevitable instead of an act of God. This is where I think a lot of fiction featuring hackers falls short. Often there's just some gibberish on a screen and voilà, they're in.
Instead, the hack needs to make sense to the audience without the movie/book becoming an instruction manual. Part of making it believable is accepting that most hacking is not fast or in-the-moment. Hacking requires thinking, preparation, and probing. The hacker movie I'm reviewing in the next letter – Sneakers – has a lot of that going for it. Stay tuned.
I now have two book covers in the works, by two different designers. One of them will be for the limited Binary Release.
And just a couple of days ago I go the manuscript back from the copyeditor. I have to go through all of her managed changes and accept/reject them.
I’m currently listening to The No Asshole Rule by Prof. Bob Sutton. It's about how jerks can poison the workplace for all others and how to either set a no asshole rule or at least cope with assholes on our ways to better places. I recommend it to everyone and especially folks in a position to set workplace policy.
The September newsletter issue will feature a review of the movie Sneakers from 1992. I consider it part of the golden triple of hacker movies together with WarGames and Hackers. Take the opportunity to watch it now so I won’t spoil anything for you.
If this email landed in your Promotions tab in Gmail, please take a second and drag it to your Primary tab. It makes a big difference to Google’s understanding of what kind of content this is, plus you’ll never miss a post.