The real meaning of “hack”
By Adam Penenberg
The opinions expressed are his own. This piece originally appeared in Fast Company.
Over the years I’ve published tens of thousands of words on “hackers.” I wrote “Hacking Bhabha,” a story about the “hack” of an Indian atomic research station, when gangs of computer miscreants went wilding through its servers, and the 1998 takedown of the New York Times website, which, for me, resulted in the threat of a justice department subpoena.
I interviewed Kevin Mitnick while he was still in prison and sat at my computer one night as someone who called himself MagicFX replaced eBay’s home page with his own that said: ”Proof by MagicFX that you can’t always trust people… not even huge companies.”
I profiled an IT consultant selling exploits to compromise software products as varied as Microsoft Office, Mozilla Firefox, SAP, and HP while working for HP in France. In my first book, Spooked, I dedicated a chapter to a hacker who was threatened by terrorists. I outed a guy who made up a whole magazine story about hackers extorting the corporations they penetrated, and fell for a hoax about a self-proclaimed online kiddie porn vigilante. And I’ve also been called a “talentless hack” by enraged readers, usually in invective-filled emails.
So if there are two words I’m familiar with, they’re “hack” and “hacker,” and I’ve done my fair share in graffitiing the web with their overuse. That’s why I say it’s time to re-examine how we use them, because they’re relied on far too often to describe all kinds of activities that don’t qualify as hacks or hacking. They’ve become so common they’ve lost all cachet–like ponytails and earrings on middle-aged dudes.
Think about it: Did Rupert Murdoch’s News of The World newspaper hacks “hack” voicemails, or did they trick people into providing passwords and conjured up various low-tech, “surprisingly dull” methods for fooling the phone system? When some numb-nuts spammer takes over your Facebook or Twitter account, do you really mean to say he hacked it, or did he access your account without permission by using brute force techniques to guess or steal your password? If a “phisher” commandeers your Hotmail or Gmail account to beseech people in your address book to wire money to London because you lost your passport, were you hacked or did he impersonate you to trick your contacts into wiring money?
If what NoTW, spammers, and phishers have done is hacking, then you’ve probably been guilty of hacking at one time or another, because this type of “social engineering” is all around us–on the train, on the web, in libraries, Congress, and on Madison Avenue. The panhandler on the subway hacked you when his sob story convinced you to fork over a buck. The spammer that got you to click to an online pharmacy hacked you. So do online marketers when they follow you around the web. A friend who borrows a student’s log-in credentials to access a university library database to pull up a few articles is a hacker. If you find yourself influenced by political ads or pontificating pundits on cable TV, you’ve been hacked. Have a craving for McDonald’s french fries? Maybe the millions the fast-food chain spends on advertising has a role in that. If so, you’ve been hacked.
While ridiculous examples, they aren’t that far afield from what NoTW minions did. I realize it’s not always easy to know when something goes from simple social engineering to true-blue hacking, because incidents that involve hackers don’t necessarily mean it’s hacking. When the group Anonymous unleashed attacks against sites operated by Hustler magazine, the Motion Picture Association of America, The Recording Industry Association (RIAA), and Sony, were those really hacks?
The attacks, known as distributed denial of service (DDoS), involve overwhelming sites with more traffic than they can stomach, the equivalent of convincing hundreds of thousands of people to call a single phone number at the same time, which would make it impossible for anyone to get through. None of the sites were breeched, no data was stolen. Many–me included–would argue this doesn’t qualify as a hack. (Others would).
But when hackers penetrated the Sony PlayStation Network in one of the all-time biggest data breaches in April, compromising 77 million user accounts, now that was a hack!
Recently, I had a discussion over Twitter with Gigaom writer Mathew Ingram, debating the use of the word “hack” to describe digital activist Aaron Swartz’s activities in a story Ingram wrote, titled “What Would Happen If You Hacked Into a Library?” In it, Ingram said that Swartz was “accused of hacking into the Massachusetts Institute of Technology computer network and downloading almost 5 million academic documents.” But nowhere in the criminal complaint (pdf) do prosecutors use the word “hack.” Instead, they claim that on several occasions Swartz visited MIT, hooked up his laptop to the network, registered under a pseudonym, and harvested millions of articles.
I told Ingram that if I were writing the story I might have used “accessed without permission,” “without authorization,” “illegally accessed,” or “tapped into,” but not “hacked.” Ingram replied, “The guy used software and other exploits to repeatedly disguise his PC and get around network blocks–that’s not hacking?” He added, “In common usage, hack refers to any unauthorized attempt to use technology for purposes other than those for which it was meant.” That’s too broad a definition, I replied. “Use your laptop as a step stool to break in to a building, by that definition you hacked the building.”
This prompted Jacob Harris, a self-described “news hacker” and senior software architect at The New York Times, to ask, “What is the minimal level of complexity you want for something to be called a hack?”
It’s a good question with no simple answer. In the 1990s there was a movement afoot to use “crackers” to describe those who maliciously break in to computers while saving “hackers” for those with a passion for tearing apart hardware, software, and products to see how they work. Alas, prescriptive attempts at influencing language rarely succeed, and this fell by the wayside. PC Magazine defines hacker, in part, as “any programmer … with a strong technical background who is ‘hacking away’ at the bits and bytes.” Merriam-Webster claims a hacker is either ” an expert at programming and solving problems with a computer” or “a person who illegally gains access to and sometimes tampers with information in a computer system.”
Promoting their own interests, some on the side of law enforcement define it way too broadly as “someone who gains unauthorized access to a computer system,” so if you ever as a practical joke changed your friend’s screensaver image to a picture of penguins playing the piano, you could be facing jail time. On the other end of the spectrum, there is the Pollyannaish “a person skilled with the use of computers that uses his talents to gain knowledge.” If I had my druthers I’d retrofit the Merriam-Webster definition of hacker to read: “A person who uses a computer to illegally gain access to and sometimes tamper with information in a computer system.”
Ultimately, though, barring a widely accepted definition (I won’t hold my breath) what I want is greater precision and the end of hack as a catchall to describe anything that has to do with computer security. If a hacker deploys a buffer overflow attack to penetrate a network, say that. If she deploys social engineering and fools an administrator into passing over passwords, write it. If he defaces a website, that’s the terminology you should use.
Because you can hack software, hardware, a car, radio, website, and even chicken. Whether you’re a journalist, blogger, or commenter, you should move beyond glib terminology to words that are more accurate and descriptive. It’s our job.
Adam L. Penenberg is a journalism professor at NYU and a contributing writer to Fast Company. Follow him on Twitter: @penenberg.