Why I teach people how to hack | Ýmir Vigfússon | TEDxReykjavík

Captions
I grew up as a hacker, and by hacker I mean somebody who can break into a computer, and my goal today is to explain to you why I teach other people how to hack.

So imagine a world filled with intellectually capable people who all share a common passion, and in this world the only way you communicate is through a chat interface, so you have no idea who the person is on the other end. It could be a 13-year-old girl from Haiti, it could be a 37-year-old law enforcement agent from Thailand, it could be artificial intelligence. You just don't know, but it doesn't even matter. You see, your background, your age, your sex, your class, your looks, none of that has any bearing in this world that I'm describing. The only thing that matters in this world is your knowledge, your skills and your curiosity for understanding how the digital world works. So the world that I'm describing is the hacker underground, where I spent my teenage years.

So what drew me to that place? What drew me to this world? I'm sure at some point in your life you must have tried to guess someone's password, right? Right? Yeah, that's right. Do you remember that feeling, that rush, the kind of euphoric sensation of accomplishment and power when you succeeded? Right, it's the same kind of feeling that you would get when you solve a complex puzzle, or when you beat someone at chess, when you prove a mathematical theory. You feel as if somehow you outsmarted a real or imaginary opponent, right? So hackers get that same exact rush when they defeat someone's program to make it do something it was not intended to do, or when they gain unauthorized access to someone's system.

It's really not that hard to relate. I mean, imagine this: you're in your online bank and you're about to transfer money to your friend, and just for kicks, instead of putting in the amount, you put in the number zero, just to see what happens, just for case, and nothing happens. And you persist, you keep at it. Then you try something else, and you
start putting in letters instead of numbers, and again the website blocks it. And you persevere and you try again, and you try putting in a negative number, just to see what happens, and lo and behold, it goes through. And what have you done now? Instead of you transferring money from your account to your friend, you've effectively taken money from your friend's account to put it into yours, right, without any notification.

Can you imagine what you would feel like if you had just discovered this? All right, I'm sure you would feel surprised, I'm sure you'd feel slightly elated, I'm sure you'd feel as if you outflanked an entire army of programmers whose only purpose it was to try to keep out people like yourself, and I'm sure you'd feel a bit uneasy that it was this easy to defeat the security of the site to which you were trusting your money, right? So most people I know would get a huge kick out of finding this type of vulnerability, but they wouldn't abuse it. They'd just enjoy the process of finding this bug and then they would report it. Unfortunately that is becoming more and more acceptance.

As it turns out, this particular bug that I'm describing to you was real. It was actually found by my friend. Well, at some point he calls me up, like, "Hey Ýmir, this is hysterical, man. Hey, look at your account. No, no, no, look at that again. Isn't that funny?" So he's doing this audit of us on internet security banks. Yeah, it was really funny.

Anyway, so I'm sure somebody we can relate, but during your teenage years you don't really have much of a moral compass, so, but I can relate to that, I hope, right? So I was sitting at one point in my room and I was hacking the server at an Icelandic Internet service provider, and so a member of my family picked up the phone with that whole email are you on the phone, which disconnected me from the Internet. This is from the time when everybody had modems, right? But moreover it disconnected me from the server that I was hacking and left that server completely unusable and in such
a state of disarray that I couldn't even get back into it. And I just remember sitting there looking at my screen, feeling utterly devastated over what had happened. I had no idea what to do. I was just, I had this cancerous feeling of guilt in my gut, just, I really had no idea what recourse I had. And I remember spending the entire night with my friends discussing what to do, and it was decided that the following morning I would go to this company and tell them what I had done.

And so in the morning I go with a friend, we catch the bus and we go to the place. We talk to the secretary, the secretary phones up the system administrator, and then we waited, and we waited, and it was the most agonizing wait that a fifteen-year-old could ever ask for. It was an experience that I will never forget. I remember thinking that there were two ways this could play out. The system administrator could be forgiving, could scold us, simply like, "Don't hack my servers again, get out." Or he could be a lot more angry than that. He could react and he could practically sue us, he could just steer us, he would label us as criminals, steer us on the path of something very dark, just pretty much will be over by then.

As it turned out, the system administrator was an amateur hacker, was delighted to see us, was like, "Wow, that's really cool," and, like, we showed him how to fix his servers, "It's really cool." And then instead of reacting with rage, he called us up a few days later and offered us a part-time job at the company, which we kept for several years, and yeah, it was fun.

Anyhow, as I grew older my moral compass developed, fortunately, and I moved away from hacking, and I studied mathematics at the university and went to the U.S.
and did a PhD in computer science. And when I came back I realized that the state of security in Iceland was pretty much the same as when I had left: an utter mess. And so it was somehow as if Icelanders believed that this geographic remoteness that has sheltered us throughout millennia was somehow an effective protection against the forces of the internet, which couldn't be more false.

So I started thinking to myself, what can I do to improve the cybersecurity of my home country? And as I was searching for an answer to this question, I realized that there were lots of system administrators, who were ultimately responsible for a lot of the security, who felt reasonably safe against cyberattacks, and this belief was usually sustained by some sort of faith in an anti-virus solution or an elaborate firewall or some security solution that they had just purchased for a lot of money. "Must be good, it was really expensive." And I was just flabbergasted. I mean, can you imagine somebody telling you, like, "Hey, my house is really secure. Yes, yes, I bought this really big steel door and it's reinforced with unobtainium. Nobody can get inside." And then when you drive past this home you see this really big steel door, and then the windows are all open. That is how I felt when people said this to me. It was something else to listen to this.

And then it really hit me that the way I was thinking about security was actually fundamentally different from the way they were thinking about security. You see, as a hacker I am trained to ask: how would I get in? How would you defeat the defenses? Are there protections in place? Are these protections even enabled? Can I get around them? I'm trying to ask all these questions. I mean, ask yourself, how would you break into your own home? Have you ever thought about that? Right, how would you do it? Or you can ask a friend. It turns out that if you ask this question periodically, you ask people that you trust, and then you do something about it, probably you're
going to be having a safer home than if you just blindly believe in some security solution, that you could just buy security in a box.

So what I decided to do was that I wanted to somehow transfer this mindset that I had, this hacker mindset, onto people, so that they could also see my perspective on things. And what I decided to do was just to start teaching hacking, that I would teach how software breaks, how defenses get thwarted, and how people bypass all these new protections that are coming about, and how new protections come in their place, how this cat-and-mouse game is played out. Because you see, security is actually really hard, because as a defender you need to anticipate every possible way somebody might try to break in, but the hacker only needs to find one way in, right?

So what did I do? Well, I did three things. I had three approaches to try to improve the state of affairs through teaching hacking. The first one is that I started teaching a university course at Reykjavik University, where every year we have 20 to 30 graduates who understand the very low-level details of what it is to hack, how things break and how to break them. They understand this cat-and-mouse game that's being played in the security industry, and these are the people that are going to be in critical roles at the Icelandic companies for time to come. They're gonna understand that, like, hey, firewalls are not actually very effective anymore, it's not gonna be sufficient, right? These are the people that are going to be in these key roles making decisions, which now, in this time of so many cyber attacks, we don't but all of them, and in this time where we have industrial espionage raging and becoming more and more prevalent, these are the people that are going to make a difference.

The second thing that I did was that I co-founded a company with some of my friends, great security experts, that is called Syndis, and they specialize in simulating sophisticated cyber attacks against large international, large Icelandic
corporations. And a part of what we do, a part of our strategy, is that we try to take the people that work at these companies and teach them the things that we do, teach them how we defeat their defenses, so try to educate them with this hacker mindset that we have, so that they too can understand the context of security a lot better. And clearly we're filling some sort of need, because the biggest problem we've had at this company is to manage project workload.

Now the third thing that I did was that I started running hacking competitions. Sure, maybe some of you heard of any of them; been running them for three years. So every year I put, like, a server on the internet and I ask people to hack it, and the people who succeed, we pick a few finalists and they come on stage in front of up to 500 people. They are hacking each other live. It's really fun, actually. There's like a live scoreboard, there's like a DJ, and there are commentators, and they do have a lay audience that's looking at this really strange thing, right? And it provides several opportunities. There are some side effects from doing it this way. First of all, it's like really educational, and because you have this lay audience, you get this opportunity to teach people a thing or two about cybersecurity, raising the awareness of some of the latest things they should watch out for, some of the things they can do to protect themselves.

And the second side effect of the way I'm doing things is that the participants, which are usually students, they learn an incredible amount in a very short period of time. You see, normally when I'm teaching computer architecture or I'm teaching operating systems, I have students that are like moaning, they're just like, "Ah, do we have to learn this? Would this be on the exam?" I know, yeah, yeah. But for this competition, I guess people are coming up to me: please, you can tell me everything you know about the computers, I want to know everything, I want to learn it all, can you
take me out to do you need it's me how to hack? All right, some Italian exchange dudes. And so it's like incredible, in a very short period of time, how much they could absorb. I pretty much just taught them everything I know.

And so the third thing that comes from, well, running this type of hacking competition is that the media really loves it. I talked to the media liaison at Reykjavik University, it's like, "Yeah, so I'm gonna have this hacking competition." She's like, "Yeah, yeah." I contacted the media and it was like selling ice cream in the desert. They just flocked onto it like hyenas, and, like, everybody showed up. I remember, like, the first competition I had, two people ever attack now, "Yes, I'm gonna expect maybe 20 people to show up or something. You guys are gonna be on stage, so you're gonna be hacking each other." And then when they came there, there's, like, big cameras everywhere and, like, these newscasters with, like, a lot of light around them and so forth, and these two guys were just frozen on stage, trying to do something, totally unprepared. It was really funny.

Anyway, so it's been really educational, really entertaining, and I think it really has worked out for the better. But I know there is this lingering doubt in the back of your mind, there's this question, which is: wait a second, aren't you just arming people with digital weapons? Right, and to an extent that's true. I am indeed teaching people skills that they could abuse. But so are chemistry professors, so is the police academy, so is a martial arts teacher. And just like these people, I am putting trust in my students. I'm gonna trust that they're not going to abuse their skills. In fact, they have to sign a waiver that they're not gonna do it for anything unethical, and I spent a lot of time with them trying to understand these ethical dilemmas that get created through the power that is hacking. Imagine, for instance, if you find an exploit that could make you walk into any computer on the planet. What would you do? Now what
would you do if somebody offered you $500,000 for it? A million dollars? Right, these are real questions, and this is really how the environment works in the underground.

So I actually believe that I have swayed some people, some people whose moral compass was not fully developed, some people who are making choices that they might later regret, some younger versions of myself. I may have swayed them onto a path where they are becoming constructive members of society and making choices that are improving the security of us all. And because there was somebody who did that for me above many years ago, and it's something that I will never forget, and it's something that I want to pay forward, and that is why I teach people how to hack. Thank you.
Info
Channel: TEDx Talks
Views: 1,832,202
Rating: 4.9312305 out of 5
Keywords: Hacker (Character Power), tedx, ted talk, TEDx, internet, ted x, tedx talk, computer science, ted, Harpa, TEDxReykjavík, Hacking, Iceland, University, Háskolinn í Reykjavík, ted talks, cyber security, Ýmir Vigfússon, internet security, tedx talks
Id: KwJyKmCbOws
Length: 16min 17sec (977 seconds)
Published: Fri Jul 04 2014