How To Write About a Hacker...

So I want to write a "hacker" character, or at the very least someone who is proficient in the world of technology, but here's the deal... I know nothing about technology. I'm just sort of making it up as I go along (and purposefully set my story a little bit into the future in order to give myself a little leeway), but I have no clue how to write about this stuff since I have no knowledge of how it works.
Any advice?

 

Be vague. "I thought you had a criminal record?" "Oh, yeah, psh. I fixed that." We only need to know what the character can do, not how they do it.

 

To pick up the language, trolling some tech forums would help. Especially if you read things like help forums and search for security fixes. ETA: It wouldn't helps specifically with hacking of course, but you'd "hear" some of the lingo and see the way techies relate to each other and to the general public.

 

LOL-- Good point. I didn't mean literal trolling in the tech sense. I meant it in the American slang sense of hanging out. We use it to mean hanging out, cruising through...As in, "Yeah, I can't get enough vanilla lattes so I've been trolling a lot of coffee shops." Trawling, although more accurate, isn't a word we Americans use unless we're on a fishing boat.

 

You don't need to know anything about technology; honestly every field of 'hacking' is a whole sphere of it's own with myriad intricacies. Even if you did get super in depth (you shouldn't; it's really dull) to anyone who isn't really specifically into this stuff isn't going to get it anyway. There are some things that you need to know though; both about his character to make him feel realistic, as well as about the concept of hacking stuff to make it feel real no matter how you actually depict it.

Firstly; the kind of people who are hackers. They are tinkerers and curious and excel at coming up with creative ways to break things. They do not like rules. They like to see what is possible, not what you're supposed to do. That is almost every hacker out there. There are a very very few hackers (on both sides of the law) who are actively trying to penetrate stuff and break things. Mostly they are people who are fiddling with stuff as a project and want to see how far they can push that. Think of the kind of guy who builds a mustang in his garage then spends five years perfectly tweaking the engine to see just how fast he can push it beyond what the specs say it should be capable of. That person is a hacker, whether you call him that or not. That's what hacking is. It's an approach to the world where you look at something and say "Yeah, but I bet it'd be faster if I just did..." or "Nah, I'll just build my own one...". Hackers are generally individualists and weirdos who are super into the stuff they hack but also bring that spirit to everything they touch in their lives.

Secondly; what actually is hacking? In a general sense it is literally just making stuff do what you want not what not what it's supposed to do. So how do you do that? Mostly you take the simplest way possible. People fantasize about hacking through the firewalls and defeating security but actually... That's kinda the opposite of what hacking is most of the time. You are mostly finding ways around security, not through it. Hackers don't use some super awesome program to batter through firewalls; they find out how to let the firewall let them through. That's a really important difference. Hacking isn't like ram raiding; it's a computer confidence trick; it's finding unsecured things to attack and finding ways that you can slip past the defended things defenses.

There was a long and ongoing attack on a financial institution in South Africa where all their complex and powerful security was just doing absolutely nothing. Somehow hackers were making big transfers and vanishing money. What happened? Well, a number of things happened. Firstly; they bribed someone who worked there to plug little USB keylogger sticks into computers (google; you can just buy them, no expertise necessary) and they harvested user names and passwords. Once they had an account that could make a transaction and one that could approve a transaction they had their bribed guy plug a little box into a network port somewhere out of the way. What was this box? It was commercially available product that had a cellular modem on one end and a network port on the other, so they could connect to the inside of the network without all the security, log in like they were inside the building and make their own transactions. This was a super unsophisticated attack. Like, you and me and your best buddy could do that. No complex anything, no computer skills, no nothing. All using off the shelf products that are damn near idiot proof, and patience, and that's it. Nothing else. And they got away with a few million before they were caught. The lesson from this story is that hacking (even criminal hacking) isn't some arcane skill. It's just the art of coming from a direction no-one expected you would try.

Almost every hacking related story of the past few years has been the result of poor security practices on the company's part, not l33t haxx0r skillz. Well protected systems are way easier to penetrate by compromising a person than a computer. But poor protected systems you can just steal all their shit and wreck the place up too, because there's nothing to stop you.

Oh also; actual computer hacking itself is really dull. Really dull. Finding security vulnerabilities in a piece of software is a really boring process. Mostly you can't just force a hole, you just keep looking until you find one or don't. It's the same deal for writing bits of code to exploit those weaknesses. It's dull. It's just writing code, which is even more dull (to the viewer) than writing prose. The movies like to make hacking look like adrenaline fueled action but it's definitely not. It's painstaking and slow. It takes dedication. And you can never ever just go hack something in sixty seconds because Halle Berry is under the desk. But that can actually play into your hands. The hacking is dull, you don't need to put it on screen. Just have him off doing his thing and everyone else rolling their eyes and asking why is this taking so damn long. Just play off the fact that the reality of hacking is super unglamerous, and so are the people. They are pretty much computer nerds. No, they aren't all fat and sweaty, but they are definitely really nerdy. You have to be to spend weeks of your life looking for some subtle flaw you can abuse in some clever way.

Hacker lingo isn't hard to pick up. Yes, there are some kinda specific hacker phrases but they've made their way out into the general computer world now that hackers have gone legit. They talk computer and they talk gamer and they add a bit of hacker too. But mostly it's just people talking in normalish ways with a few in-jokes and bits of slang. No big deal.

I'm going to link you to a couple of DefCon videos on the youtubes that I think will help you get into the mindset of these people. Just listen to how they talk. Notice they are mostly joking about stuff and goofing off as they talk about quite serious stuff. Notice too I'm not going to show you anything about computers themselves because that stuff doesn't matter. I'm just going to show you some hacker type guys giving talks about the stuff that interests them and how they figured out how to break it. Oh and also you may not sleep as well after you watch these.

[Deviant Ollam and Howard Payne talking about hacking elevators]

[Mike Robinson about hacking drones]

[Jason E Street and his talk entitled "Steal Everything, Kill People, Cause Total Financial Ruin" which is about physical security]

Oh and you'll notice most of these people are drunk (or at least drinking) as they deliver major conference talks. That's just how hackers roll

Forget trawling the internet; if you want to learn what hackers are like and the stuff they do watch talks from DefCon and HOPE and SchmooCon and BlackHat. You don't need to understand what they are saying on the technical side, just listen to how they talk, how they relate to the material. Even when they are talking about complex stuff they never act like it's a big deal. Mostly they aren't even talking about stuff that you could do anything really practical with, it's just super cool that they found this weird thing you could do. Now that is a hacker

So yeah I hope this helps Enjoy.

 

First of all, do not overdo it. A regular child cannot hack the pentagon like in many 1990s movies. Make sure that values in IP addresses only have numbers from 0 to 255 since they are stored as 8 bits. Look up how it is done for IPv4 and IPv6. IPv6 is the modern version currently used. For exchanging information with another location, they can use an encrypted tunnel.

You can read about asymetrical encryption since it affects how information can be written by one person and only opened by another holding the private key. This also allow signing information using prime numbers when the writing key is private but the reading key is public. Signing is how operating systems can take updates and know who made it using 2048-bit encryption.

Do not mix up assembly with machine code. Assembly is a text language that is compiled into more specific binary forms of machine code wrapped with meta data for describing the target system.

Only let the most advanced hackers invent their own zero day exploits. Most hackers are just good at finding outdated software with already exposed flaws. Attacks from a distance is almost impossible so let the victim open a website from a mail or accept a trojan software. A direct attack using a USB connection is however a sure way to attack since it has to trust the connection in some way. Either by uploading a file and explicitly giving it access rights or by pretending to be a keyboard and sending keystrokes via USB and type a virus from memory into a terminal.

Cracking passwords is easy for the weak ones but system admins use harder passwords that are easier to get using privilege escalation using some server application that was badly written.

Servers can use honey pots that are fake systems that nobody actually use which will trigger an alarm if someone tries to access it.

DDOS attacks are the simplest way to attack a website since it does not use any kind of exploit. It just opens so many connections from fake addresses that the server cannot keep track of the real users.

 

Right; that's exactly what I meant by the vast majority of hacking that we hear about is caused by lax security not by highly sophisticated hacking. Against someone on their game these kinds of attacks simply cannot work. Any kind of two factor authentication, any kind of strong password policy, any kind of red team security testing within the organisation and this kind of stuff would just fail to work. Hacking as a criminal enterprise (either for cash or for fun) works the same way as every other crime; picking off the low hanging fruit. That's not to say that it's truly impossible to penetrate a really secure network just via computerized means but in almost every case the easier approach would be to go after people and conduct some traditional espionage rather than going through highly monitored and secured wires. Bribing, threatening and coercing people (even intelligence agents and military personnel) is tried and tested and genuinely effective. What is the most famous security breach of our times? Snowden, right? And no-one hacked anything, Ed Snowden wasn't happy with what he was doing and just gave it away.

Like I said before; forget the technical details think about hacking as a theft or a con job. You can't just walk up to any given target and then work backwards to figure out how to compromise them. You cruise for targets and you take the one that is easily taken. You look for the house where the owner is away a lot and have a really nice TV; you definitely don't decide that a casino has loads of money so lets rob a casino. That's how to think about hacking. Even if you are a nation state with your own offensive hacking team most of what they are doing (according to some other leaks) is building a big list of vulnerabilities in commonly used software so when they need to hack someone they have a big directory of potential ways to do it and can find one that fits; they don't find the guy then find the vulnerability. And of course even if you are a nation state scale organisation with a huge budget; a better bet than look for a vulnerability is subverting someone who makes the software and having them slip a little bug into that so your hackers can just waltz in.

Of course we're talking about fiction so you can look at some of the real achievements of hacking the most impressive of which is definitely Stuxnet, a virus made to damage Iranian uranium centrifuges (try saying that three times fast). It infected loads of computers and eventually was carried into the target facility on a USB stick. And that's... Super impressive. But, according to popular knowledge, this was a joint project of Mossad and the US government with huge resources and that targeted that specific vector because that was a very specific security hole. The Iranians thought that because their centrifuge control stuff wasn't connected to the outside world it was safe and didn't institute proper policies. What the hell was some dude doing bringing a USB stick from home into a nuclear facility anyway? Stuxnet was a really sophisticated attack in how they targeted that vulnerability but even then they only did that specifically because they couldn't leave any proof. The way they attacked the centrifuges was impressively sophisticated, so was the delivery method, but it still was attacking an existing hole in security.

Edit to add -

Something to really remember by the way is that almost all computer security total fails when you have physical access to the device you are trying to compromise. All the high tech security you can name will do nothing if the attacker can get in the building and start pushing buttons. And in almost all cases the physical security of a location is way way easier to compromise than it's computer security from the outside. Just like the South African bank job I was talking about, if you can get a man inside and can just start plugging shit into their computers then that's game over. That's something to keep in mind. Your hacker doesn't need to be awesome leet haxxor if he is smart and knows how to slip into the building and get access that way.

 

What I would do is read books on the subject. Not hacking how to books. Books about people who are part of the hacking community. The main character of my recently completed manuscript is a hacker. I am not a computer wizard. Far from it. Some of books I read before I started writing:

1) Hackers: Heroes of the Computer Revolution by Steven Levy
2) Cyber War by Richard A. Clarke
3) Kingpin: How one hacker took over the billion-dollar cybercrime underground
4) Crack99: The Takedown of a $100 million Chinese software pirate by David Locke Hall
5) Ghost in the Wires by Kevin Mitnick (although I feel this was more about cracking than hacking)

My process was to immerse myself into the world I was researching and get a feel for the people in said world. I read with an eye on what makes these people tick. I wasn't looking for someone to base my character on. I wasn't looking for hacking skills or tricks of the trade. I strictly read so that I could start to see the world through their eyes in the hopes that I could create a fictional character that would credibly belong to that world. My main character is not based upon any of the people in the books I read, but I feel like I was able to create a character whose personality, motivations, strengths, frailties and quirks would fit in that world.

In any event, that was my process. Hope it helps.

 

Since we're talking about books I think the best place to start is with William Gibson's Sprawl books. Not because of the cool VR hacking stuff. But the hackers in that are kinda, well, they are surprisingly true to life. I suspect some of that is life imitating art but there's a wonderful phrase from Neuromancer describing why the hackers are mostly pale and out of shape; "...a certain relaxed contempt for the flesh..." which is kinda true about a lot of people who live more on the web than in the real world. Case is not a particularly laudable picture of a person (well not to most people; I like him and I think a lot of hackers do too) but he does speak to the darker side of hacker-nature; his nihilistic disinterest in other people and focus on himself even above the rest of his team, his soul drive in that book is getting back his hacker mojo and continuing to hack stuff, his short sighted hedonism and lack of professional ethics; his arrogant assumption that he's just the fucking best and it doesn't matter if he's sweating out some weird designer stimulant while going on a job where he might die if he screws up.

I also think that you can learn from how Gibson wrote what hacking looks like in that world. Gibson famously had never touched or even really knew a damn thing about computer; he wrote on a type writer and had no real interest in learning about what hacking really was. And he ended up writing something that was actually kinda true to life. In every Sprawl hack the hacking is mostly about planning. You need to get the right tools, the right access, the right timing even, you already know exactly what you're going to do before you even touch a computer. And that is true to life. The hard part is finding the way in. Once you've plotted it out the hacker is kinda just there to press the buttons. You know how the system will react, you know how to deal with that, and you kinda just walk in.

If you don't want to read a whole novel then I'd say you can just read (or listen to; there's a very good audio book version) to Burning Chrome, once described by my ex-girlfriend as the most depressing thing she'd ever heard. It's a really nice, short, concise story that puts all of this stuff together. Well worth a look.