Hackers are among us: shopping at the same grocery stores, sharing buses with us, even working in our offices. As you read this, your son or daughter may be experimenting with basic computer coding and tinkering with Arduino electronics. Just a hobby, you say naively? Wake up, Utah. When you least expect it, hackers can own you.
In a quiet, nondescript office suite in downtown Salt Lake City, a group of hackers have gathered to delight in the latest developments in Wi-Fi hacking. The clutch of code wizards each has his or her own moniker—special online handles—like Metacortex, Nemus, Lean, Grifter and Dr. Unicorn. The group looks as harmless as a bunch of college students at an off-campus study session. Nothing appears out of the ordinary—well, except for Dr. Unicorn, who silently listens to the evening’s hacking presentation wearing a rubber unicorn mask.
The first item of mischief under discussion is a Wi-Fi “pineapple,” a small device that’s used to mimic unsecured—and in some cases secured—wireless hotspots. When a person clicks on what they think is a Wi-Fi network they’ve used in the past, they’re actually joining the hacker’s network.
Testing out the devious pineapple, Metacortex (editor’s note: hacker handles, which involve a mix of letters, numbers and characters, have been translated into plain English in this story) shows how clicking on the dummy network allows the hapless victim’s computer to be mercilessly “Rick-rolled,” as the computer screen is taken over by a video of British pop singer Rick Astley singing “Never Gonna Give You Up.”
Another tool discussed by the hackers, still in the early stages of development, is a kind of Bluetooth “sniffer” that allows hackers to take over the audio inside of a moving vehicle.
“If there is like a Beemer or Mercedes tailgating you, you can associate with their car and say, ‘Get the fuck off my ass,’ through their speakers,” Metacortex says. The possibilities, which might be terrifying to some, are hilarious to the group gathered in the DC801 Salt Lake City hackerspace club.
While they may laugh maniacally, the reality is that this is not a conspiracy of evil scientists bent on digital destruction but just a social get-together of people who work in information security. They hack so that they can help, learning what new threats are out there and how to stop them before it’s too late.
To some extent, these hackers are simply tinkerers who understand their computers from code to circuit boards, the same way motorheads understand their cars from axles to engines. The club members revel in the creative problem-solving, and their zeal for securing data and networks has practically gone viral through Utah’s budding cybersecurity industry.
Cybersecurity companies are flocking to Utah to support the state’s budding tech industry and prominent data centers that have come to Utah, thanks in part to the state’s relatively inexpensive electricity. As Utah’s cybersecurity presence grows, it’s nourished by two unique areas: the academic world, where the University of Utah and Utah Valley University are known for their solid cybersecurity research and education, and the “hackerspaces,” informal clubs where hackers practice their art free from the constraints of classrooms and curriculums.
These creative tech addicts are working not just to improve private cybersecurity, but, in some cases, to even sharpen the country’s cyber-readiness. The next greatest threat to global security may not be a terrorist hijacking a plane, but a network of cyberterrorists hijacking the country’s sensitive infrastructure—shutting down power grids and military installations with a fusillade of code launched from the other side of the world.
The term “hacker” seems like a throwback to the ’80s and ’90s, when the Internet and home computing were new technologies. The Internet and personal computers took a sudden turn into a rebellious adolescence as a generation of hackers mastered the technology in leaps and bounds ahead of average users. Their seemingly magical prowess over the intricacies of computers and other electronics spawned the image of the recluse lurking in a dimly lit room, face awash in the green glow of a monitor, mashing keyboards and wreaking havoc.
Criminal hackers haven’t diminished in number, but they have become stealthier. For the average criminal or “black hat” hacker, penetrating a vulnerable system to find information is the goal. Many computers become infiltrated when people click on bad links and/or are not religious about updating their software. “Injection” attacks go beyond that; you could simply be looking at—not even clicking on—a post on your Facebook wall to have your computer compromised.
These hackers seek to control your computer to send spam e-mails to your contacts, pitching them on porn sites, pharmaceuticals and other illicit goods. While a few years ago, users would suddenly discover that everyone in their e-mail contacts list had been sent a message asking them to click on a link, most current hacking methods are much more subtle. Instead of bombing all your contacts with spam, your computer may be sending out only four or five spam e-mails a day.
But it goes further than embarrassing spam e-mails for Viagra and Russian girls. People now worry about hackers from countries like China or North Korea seeking to carpet-bomb the code that runs America’s digital defenses and infrastructure.
In February 2013, The New York Times broke a story about the possibility of a Chinese army unit leading high-level cyberattacks in the United States. The Times got the story the hard way, having discovered that the paper had been hacked after journalists there reported on China’s wealthy power elite. In April, hackers got their digital mitts on the Associated Press’ Twitter feed and tweeted to the wire service’s millions of followers that there had been explosions in the White House. In the few short minutes the fake tweet was left uncorrected, it became a trending topic and caused the Dow Jones to fall more than 100 points.
While state-sponsored cyberwarfare represents one of the biggest tectonic shifts in foreign policy since the terrorist attacks of Sept. 11, cybercriminals have also perfected a means of bleeding vulnerable systems for pure profit.
On the local front, in 2012, criminals were able to access the personal information of three-quarters of a million of Utah Medicaid clients, exposing them to identity theft. In the wake of the breach, the state reportedly spent $9 million to help those whose Social Security numbers were compromised, running a security assessment of state servers, upgrading existing security and creating the Office of Health Information & Data Security.
While the breach was a black eye for Utah, the state is becoming a hotspot for the cybersecurity industry. By fall 2013, the National Security Agency will have completed a $2 billion “spy center” in Bluffdale. In March 2013, cybersecurity company FireEye announced a major expansion to Utah that will bring 250 new jobs to the area.
University administrators, gearing up their own tech programs to adapt to growth in the field, say that Utah’s relatively inexpensive power and skilled workforce are what’s attracting major data centers like the NSA, as well as mega-techie companies like Omniture and Domo. As Utah’s mini Silicon Valley—far south in the Salt Lake Valley and through Utah County—grows in reputation, the Governor’s Office of Economic Development has recognized the need to keep it secure. The 2013 Governor’s Utah Economic Summit was the first this year to provide intensive training on cybersecurity needs for local companies.
In September 2012, Utah Valley University was awarded a $3 million cybersecurity grant from the U.S. Department of Labor. The university already has popular associate’s and bachelor’s degree programs in information security, but Keith Mulbery, chairman of UVU’s information systems & technology department, says the grant will now help provide post-baccalaureate degrees to help students land advanced management-level cybersecurity certifications.
“A lot of employers right now are desperate for cybersecurity professionals, both in the private sector and the public sector,” says Robert Jorgensen, a UVU senior faculty professional in residence who was brought on to develop the new courses.
The grant will also fund a new 18-credit certification to help people acquire a basic IT certification.
“It will help people who have lost jobs due to maybe the recession ... and get them the job skills ready for an entry-level position in these industries that have a lot of job potential,” Mulbery says.
Mutually Assured Cyber Destruction
With its clean, white-linoleum floors and bulletins on the walls, the Merrill Engineering Building at the University of Utah seems like a typical campus building. Yet the students are anything but typical. Here, you’ll hear students having hallway conversations about Bernoulli’s principle. Or you’ll see a student wearing goggles with wires trailing to a laptop, which is carried by another student walking down the hallway.
In Matthew Might’s office, framed photos of Star Trek’s Captain Kirk hang above his desk. Stacks of books line the wall—there’s a Linux manual next to Sun Tzu’s The Art of War. I sit down with Might at a conference table emblazoned with the logo of Starfleet Academy.
Might, a professor in the university’s School of Computing, exudes an easygoing manner, even when awkwardly deflecting questions about his youthful hacking.
“I’ll tell you one thing, at one point I was worried about my home phone line being tapped, so I built a box that would drain the power out of the phone line if it got lit up by a trace,” Might says. The only problem was that his box set off the security alarm in his parents’ house.
“My parents just thought it broke,” Might says with a laugh. “I don’t think they ever knew it was me.”
Might says the power to control machines has always been incredibly appealing to him. Now, he says, the research he’s doing at the U is helping not only Utah’s emerging cybersecurity industry, but also the national cyberwarfare defenses. While U.S. technology is advanced, he says, it’s not foolproof, especially when it comes to cyberdefense.
“Just because we’re the best doesn’t mean many others aren’t good,” Might says. “In fact, many countries are extremely good at offensive cyberwarfare, including China, Iran and Russia. And, honestly, if it came to all-out cyberwarfare, there’s not a lot we could do to defend ourselves right now.”
Might has a habit of dropping these fun facts about America’s meager cyberdefenses the way another person might casually talk about the poor defense of a basketball team.
“Most all of the nightmare scenarios are possible because every piece of equipment we’ve got is vulnerable,” he says.
How bad is it? Well, while most movie depictions of hacking are inaccurate when it comes to attackers coolly punching some keys and then gaining access to high-security systems, the hacks themselves are largely within the realm of possibility. Power grids could be taken down, satellites taken offline, military technology “Rick-rolled” to the point of being rendered useless and thereby leaving the country vulnerable.
“There’s been a recognition in the past few years, even by the military, that the situation has gotten out of hand, because even the military gets compromised on a daily basis now,” Might says.
That’s why Might is working to revamp cybersecurity for the U.S. military, thanks to two research grants from the Defense Advanced Research Projects Agency. His goal, he says, is to create a system that will reboot the cybersecurity paradigm.
Currently, he says, when software is developed, patches that users can download are created later to catch bugs or fix vulnerabilities. The problem is that the good guys don’t always find the vulnerabilities before malicious users do. And even when the good guys spot the problems first and release the patch to customers, this also points out to hackers exactly where the vulnerabilities lie. If the user doesn’t download the patch—and a lot of users, annoyed at the thought of interrupting work or play with yet another download, don’t—then they’re very exposed.
One solution Might is working on to replace the “patch & pray” model of cybersecurity is an automated computer scan to identify problem areas before software is released to the public.
“Every programmer makes mistakes; we’re human,” Might says. “That’s why it’s better to rely on machines to do the checking.”
Might says the program will identify common programmer errors through automated systems. If you’re worried that this cedes a little bit too much authority to the machines and puts humanity on the path to a future at war with Terminators or Cylons, Might’s program plan also has humans verifying the machine’s work with mathematical proofs that can be checked by hand.
Might hopes that such measures can help shore up the country’s cyberdefenses. He points out that countries like North Korea have “tremendous” cyberwarfare capabilities. One reason such countries have refrained from a major cyberattack against the United States might be that they know that such an attack would likely result in the United States responding with actual force.
But what if the attack could also cripple the military, thus removing the threat of the United States responding to a cyberattack with bombs and bullets?
“That’s what keeps me up at night,” Might says.
While the prospects of cyberwarfare sound terrifying, it is comforting to know that Utah research universities are working hard to shore up our digital defenses and train cybersecurity experts. But while you can get a degree in cybersecurity, members of the state’s thriving hacker community argue that the real art of hacking is something you just can’t get in a classroom.
Da Vinci Was a Hacker
Neil Wyler took the handle “Grifter” at the age of 8, when he began his love affair with hacking. At the time, computers and the Internet were new to everyone, even the military specialists and universities that were the first to embrace the new technologies. Now in his mid-30s, Wyler says the technology has changed into something so user-friendly that the average user doesn’t appreciate the magic of the technology.
“My son who’s 5 years old, he looks at the computer like it’s a toaster,” Wyler says. “As far as he’s concerned, it’s just another appliance that is in the house. It’s not this sexy, magical thing.”
Wyler says that’s an outlook he hopes to change, but he says it’s a common attitude among many technology users nowadays who are looking for one-click solutions and simply resort to the aid of genius bars and geek squads to fix their technology when it malfunctions.
An old-school hacker, Wyler went from using his skills for less-than-legal purposes as a teen to enrolling in the military and, now, doing consulting and working as an information-security engineer. Having hacked most of his life, Wyler says that much has changed since hacking’s early days in the ’80s and ’90s.
“Before, you’d have to hop over a fence of some company and go rooting through their Dumpster or pick the locks off their trucks and get the manuals and go running off into the night,” Wyler says. But now, he says, the digital sharing of our Interwebbed world has made hacking a much more accessible art, with online communities readily sharing and disseminating hacking skills and info to anyone interested.
“For people like us, we are in absolute heaven. We’ve been waiting for this kind of shit for so long, we’re losing our minds,” Wyler says. “It’s like the renaissance of nerd-dom.”
According to the folks of DC801, a hacker is someone who, once they know how something works, wants to see if they can make it do something different, run better, operate faster or more efficiently.
“There are probably as many hackers today as there have been throughout human civilization, because they haven’t always been recognized that way,” Wyler says. “Leonardo da Vinci was a hacker, even though he didn’t have a computer. Bootleggers were hackers, and that’s where NASCAR was born. They were always pushing to see ‘how can I get this car to go faster and faster and faster.’ That spirit has always been there; it just manifests itself in a different way depending on the generation.”
Hacking’s negative connotation is tied to pranks, identity theft and the less-than-honest means used to acquire specialized knowledge of computers and networks, the ways in which “black hat” (malicious) hackers made technological prowess a dark art. If the layperson treats his computer like a kitchen appliance, it’s no wonder that black-hat hackers have gained a nasty reputation. If someone took over your toaster and turned it against you, you’d be angry and terrified, too.
“The only thing that makes a hacker bad is a lack of integrity,” says Kevin Howard, aka “Lean,” one of the founders of the SLC hackerspace.
Howard, like most of the members, works in information security and uses the space for controlled “hacking.” The members attack “hostile servers” or set up virtual machines on which they’ll unleash the latest worm to see the damage it does. Dissecting attacks, spam, malware and different hacks gives members the upper hand in learning how to help the companies they work for defend against them. And there are plenty of problems out there.
DC801 member Metacortex, who asked that his real name be withheld, sees the “user-friendly” innovations in technology as having opened up plenty of vulnerabilities, with blogs and websites getting infected and spamming others. When spam lands in his e-mail, he’ll trace the e-mail back to find its source, and says it’s often the most well-meaning people who are spreading the nastiest stuff.
“I have seen so many church websites running blogs on Wordpress that are serving up malware or porn,” Metacortex says. “All it takes is one click to set up a website, but no one knows how to secure it.”
While the hackerspace provides the freedom to learn new skills in a community environment, Howard stresses that members involved in any illegal or “black hat” activity will be promptly kicked out. Still, he points out that spaces like DC801 are crucial for getting ahead in the cybersecurity biz. Computer degrees can be attained at universities, but higher-ed curriculums can’t keep up with all the latest threats.
“There’s so many avenues through which you can learn, but unless you’re actually getting your hands dirty and securing systems, you don’t have a lot of value” in the job market, Howard says. “If you can’t do the attacks, then you can’t defend them.”
Deven Fore, also known as “decaf,” got the itch to tinker at a young age, growing up in rural Ephraim, where he and his father took every machine apart to figure out how it worked. His latest project is community tinkering, having founded the Orem Transistor, a 5,000-square-foot space in Orem, across the freeway from UVU in a small business park. The community’s November 2012 move to the space was a big upgrade, as the hackerspace had previously occupied a small attic in Provo. Now, members pay a small monthly fee for creative space in the Orem Transistor.
Fore is sort of the godfather of the Utah hacker community. He formed a company to rent the space and organize it into a creative powerhouse of local hackers, whom he considers the true geniuses driving the space.
And the geniuses hold him in high regard. Taking this reporter on a tour of the Transistor on a recent Saturday, Fore was stopped by a fellow member who had a question about something and showed him a laptop screen with what appeared to be the Matrix, or perhaps a schematic for the engine of a spaceship or something equally incomprehensible to this tech-unsavvy reporter. The conversation itself was as undecipherable as listening to modems talk to each other. Whatever the message, the fellow hacker got it, and Fore continued on.
Not only did Fore get the Transistor up and running, but he also helped DC801 set up its space in Salt Lake City as a kind of an extension of the Orem space. The Orem space is not just focused on information security, as DC801 is, and offers more space for electronics and hardware experimentation. In the Orem space, the unspoken mantra is that if you can think it, you can hack it.
“People have this explorer’s attitude ingrained in them, and hackers are definitely not limited to computers and information security,” Fore says. “We have people building a refractory so they can melt metal, we’ve got guys interested in brewing so they’re building a microbrewery here, we’ve got 3-D printers … it’s definitely all aspects.”
The 3-D printers print small bits of hardware, toys and even the pieces needed to make more 3-D printers. And the gadgetry doesn’t stop there. Members have created flying helicopters and a computer-controlled CNC router saw. There is even a lounge where hackers have made their own arcade game, dubbed Keep the Change, which has old-school joystick controls and is loaded with dozens of old Nintendo-generation games.
It’s a spirit of unconstrained tinkering and invention that Fore is particularly proud of in the space. “This generation’s hacker is last generation’s do-it-yourselfer,” he says.
One hacker in the space, Justin Rossetti, aka “Asiago,” refers to himself as a “hardware hacker.” His workspace is illuminated by a Chinese lantern, which has an electronic light simulating the flicker of a candle, and his desk is cluttered with jars of herbal tinctures, including myrrh and licorice root. His biggest project at the moment is a “tiny home” he’s constructing in the rear of the hackerspace warehouse. It’s a project motivated mostly by curiosity—the same fuel that moves most of the hackers, supported by a learning space where goals aren’t based on job expectations or getting a grade to pass a class, but just by an itch to tinker.
“It’s important to me to have the ability to learn how I like to learn,” Rossetti says. For Rossetti, the purity of the hacker spirit fostered at the space is something that’s very American.
“I think it’s essential to the continued survival of our American culture—it’s who we are,” Rossetti says. “It’s important to have an interest in the world around you because if you don’t, then you’re never going to progress.”
Whether the classroom is an Orem warehouse full of eccentrics, a workshop in Salt Lake City or an advanced university laboratory, Utah’s hackers continue to innovate out of an innate curiosity and fascination with technology that may benefit the state’s tech business and, perhaps, even the entire country. At first glance, the likes of Grifter and Dr. Unicorn would seem unlikely assets to the nation’s cyberdefense, but for U professor Might, the hacker-hobbyists in Utah and elsewhere might just be our secret weapon.
“These groups get together just for the fun of it,” Might says. “But I think these people are some of our nation’s most valuable resources. These are the people we want helping us if there is ever real cyberwarfare.”