I grew up as a hacker.
And by hacker, I mean somebody who can break into a computer.
And my goal today is to explain to you
why I teach other people how to hack.
So, imagine a world filled with intellectually capable people
who all share a common passion.
And in this world, the only way you communicate
is through a chat interface,
so you have no idea who the person is on the other end.
It could be a 13-year-old girl from Haiti,
it could be a 37-year-old law enforcement agent from Thailand.
It could be artificial intelligence, you just don’t know.
But it doesn’t even matter.
You see, your background:
your age, your sex, your class, your looks,
none of that has any bearing in this world that I’m describing.
The only thing that matters in this world
is your knowledge, your skills,
and your curiosity for understanding how the digital world works.
So the world that I’m describing,
is the Hacker Underground where I spent my teenage years.
So what drew me to that place, what drew me to this world?
Um, I’m sure at some point in your life,
you must have tried to guess someone’s password, right?
Right? Uh? Yes, right?
Do you remember that feeling? That…that rush?
The kind of euphoric sensation of
accomplishment and power when you succeeded? Right?
It’s the same kind of feeling that you would get,
uh, when you solve a complex puzzle
or when you beat someone in chess,
when you prove a mathematical theory.
It’s…you feel as if some of you outsmarted
a real or imaginary opponent, right?
So hackers got that same exact kind of rush.
When they defeat someone’s program
to make it do something it was not intended to do.
Or when they gain unauthorized access to someone’s system.
It’s really not that hard to relate.
Imagine this, imagine this. You’re,
um, you are in your online bank.
And you are about to transfer money to your friend.
When this kicks, instead of putting in the amount,
you put in the number zero.
Just to see what happens, just for case.
And nothing happens.
And you persist, you keep add it then you try to,
uh, to try something else,
and you try to put in letters instead of numbers.
And again, the website blocks it.
And you persevere,
you try again, you try putting in a negative number.
Just to see what will happen, and Lord, behold it! It goes through.
And what have you done?
Now instead of you transferring money from your account to your friend,
you’ve effectively taken money from your friend’s account to put it into yours.
Right? Without any notification.
Can you imagine what you would feel like
if you had just discovered this?
Right? I’m sure you will feel surprised.
I’m sure it feels slightly elated.
I’m sure you will feel like as if you outflanked an entire army of programmers,
whose only purpose it was to try to keep out people like yourself.
And I’m sure you will feel a bit uneasy that it was this easy
to defeat the security of the site to which you were trusting your money. Right?
Most people I know would get a huge kick
out of finding this type of vulnerability,
but they wouldn’t abuse it.
They’ll just enjoy the process of finding this bug
and then they would report it,
unfortunately that is becoming more and more accepted.
As it turns out, this particular bug that I’m describing to you was real,
was actually found by my friend.
Well, at some point he just called me up like:
“Hey Emil, this is hysterical, man, hey, look at your account.
No, no, no, look at that again. Isn’t that funny?”
So he’s doing this audit of us on internet security banks.
Yeah, it was really funny.
Ha ha ha. Anyway, so, um,
I’m sure somebody we can relate but during your teenage years,
you don’t really have much of a moral compass.
So but I can relate to that I hope.
Right? So I was sitting at one point in my room
and I was hacking the server
at an Icelandic Internet service provider.
And so a member of my family
picked up the phone with that,
“Wow, Emil, are you on the phone?”
which disconnected me from the Internet, this is from the time
when everybody had modems right.
But more over,
it disconnected me from the server that I was hacking,
and left that server completely unusable.
And in such a state of disarray that I couldn’t even get back into it.
And just remember sitting there, looking at my screen,
feeling utterly devastated over what had happened.
I had no idea what to do, I was just, I had this
cancerous feeling of guilt in my gut,
just I…I really had no idea what recourse I had.
And I remember spending the entire night
with my friends just discussing what to do.
And it was decided that the following morning,
I would go to this company and tell them what I had done.
And so in the morning, I go with a friend, we catch a bus
and, uh, we go to the place, we talked to the secretary.
Secretary phones to the system administrator,
and then we waited.
And we waited.
And it was the most agonizing wait that
a fifteen-year-old could ever ask for.
It was an experience that I will never forget.
I remember thinking that there were two ways this could play out,
the system administrator could be forgiving,
could scroll the simple like, “Hey, don’t hack my servers again, get out.”
Or he could be a lot more angry than that.
He could react and you could practically sue us,
he could just steer us,
he could label us as criminal,
steer us on the path of something very dark.
Just, pretty much will be over by then.
As it turned out,
the system administrator was an amateur hacker,
was delighted to see us,
was like, “Wow, that’s really cool,”
and like we showed him how to fix his servers and he’s like, “That’s really cool.”
And then instead of reacting with rage,
he called the shop a few days later
and offered us a part-time job at the company
which we kept for several years and, uh, yeah, it was fun.
Anyhow, um, as I
grew older, my moral compass developed, fortunately.
And I moved away from hacking.
And I studied mathematics at the university,
and, uh, went to the U.S. to do a PhD in computer science.
And when I came back,
I realized the state of security in Iceland
was pretty much the same as when I had left.
An utter mess.
And so, it was somehow as if Icelanders believed that
this geographic remoteness
that has sheltered us throughout millennia
was somehow an effective protection against the forces of the internet,
which couldn’t be more false.
So, I started thinking to myself:
“what can I do to improve the cyber security of my home country?”
And as I was searching for an answer to this question,
I realized there were lots of system administrators
who were ultimately responsible for a lot of the security,
who felt reasonably safe against cyberattacks.
And this belief was usually sustained by some sort of faith.
An anti-virus solution
or an elaborate firewall
or some security solution that they had just purchased for a lot of money.
Must be good, it was really expensive.
And I was just flabbergasted. I mean,
can you imagine somebody telling you like,
“Hey, my house is really secure, yes, yes,
I bought this really big steel door
and it’s reinforced with unobtainium.
Nobody can get inside.”
And when you drive past his home,
you see this really big steel door and the windows are all open.
That is how I felt when people said this to me.
It was something else, listen to this,
so, and then it really hit me that
the way I was thinking about security
was actually fundamentally different
from the way they were thinking about security.
You see, as a hacker,
I’m trained to ask: “How would I get in?
How would you defeat the defenses?
Are there protections in place?
All these protections, even enabled,
can I get around them?”
I’m trying to ask all these questions.
I mean, ask yourself, how would you break into your own home?
Have you ever, ever thought about that?
Right? How would you do it? Like, or you can ask a friend.
It turns out that if you ask this question periodically,
you ask people that you trust
and then you do something about it.
Probably you’re going to be having a safer home
than if you just blindly believe in some security solution,
that you could just buy security in a box.
So, what I decided to do, was that, I wanted to
somehow transfer this mindset that I had, this hacker mindset,
on to people, so that they could also see my perspective on things.
And what I decided to do was just to start teaching hacking.
That I would teach how software breaks.
How defenses get, uh, thwarted.
And how people bypass all these new protections that are coming about.
And how new protection has come in their place.
How this cat-and-mouse game is played out.
Because you see, security is actually really hard.
Because as a defender,
you need to anticipate every possible way,
somebody might try to break in.
But the hacker only needs to find one way in, right?
So what did I do?
Well, I did three things, I had three approaches to try to
uh, improve the state of affairs through teaching hacking.
The first one is that
I started teaching a university course at Reykjavik University,
where every year we have 20 to 30 graduates
who understand the very low level details of
what it is to hack, and how things break and how to break them.
They understand this cat-and-mouse game
that’s being played in the security industry.
And these are the people
that are gonna be in critical roles
at the Icelandic companies from time to come.
They’re gonna understand that like:
“Hey, uh, firewalls are not actually very effective anymore.
It’s not gonna be sufficient.” Right?
These are the people that are going to be in the key roles making decisions,
which now in this time of so many cyber attacks
we don’t even hear about all of them.
And in this time where we have industrial espionage raging
and becoming more and more prevalent,
These other people are going to make a difference.
The second thing that I did,
was that I co-founded a company
with some of my friends, great, the security experts.
That is called Cyndi’s and they specialized in, uh,
simulating sophisticated cyber attacks
against large international large Islamic corporations.
It’s a part of what we do, a part of our strategy is that
we try to take the people that work at these companies
and teach them the things that we do.
Teach them how we defeat their, uh, defeat their defenses.
So try to educate them with this hacker mindset that we have.
So that they too, can understand the context of security a lot better.
Clearly we’re filling some sort of need because
the biggest problem we’ve had at this company
is to manage project workload.
Now, the third thing that I did,
was that I started running hacking competitions.
Sure, maybe some of you heard of any of them,
been running out for three years.
So every year, I put like a server on the internet
and I asked people to hack it.
And the people who succeed,
we pick a few finalists and they come on stage
and in front of up to 500 people,
they are hacking each other,
live, it’s really fun actually.
There’s like a live scoreboard, there’s like a DJ
and there are commentators
and they do have a lay audience just looking at this really strange thing, right.
And, uh, and, uh,
it’s, it provides that get several opportunities.
There’s some side effects from doing it this way.
First of all, it’s like really educational.
And because you have this lay audience,
you get this opportunity to teach people a thing or two about cybersecurity.
Raising the awareness of
some of the latest things they should watch out for,
some of the things they can do to protect themselves.
And the second side effect of the way I’m doing things is that,
the participants, which are usually students,
they learn an incredible amount in a very short period of time.
You see, normally when I’m teaching
computer architecture or I’m teaching operating systems,
I have students that are like moaning, they’re just like,
“Uh, do we have to learn this?
Would this be on the exam?”
I know like, yeah, yeah.
But for this competition I have people coming up to me,
“Please, you can tell me everything you know about the computers.
I want to know everything, I want to learn it all.
Can you take me out to, you need teach me how to hack.”
Oh, that’s some Italian exchange students.
and so, it’s like incredible in a very short period of time,
how much they could absorb.
I pretty much just taught him everything I know.
And so, the third thing
comes from how I’m running this type of hacking competition,
is that, uh, is that the media really loves it.
I talked to the media liaison at Drake University, it’s like:
“Yeah, so I’m gonna have this hacking competition.”
She’s like, “Yeah, yeah, I contacted the media,
and it was like selling ice cream and dessert.”
They just flocked onto it like hyenas
and like everybody showed up.
I remember like, the first competition,
I had two people and I was like,
“Ow, yes, I’m gonna expect maybe 20 people to show up or something.
You guys are gonna be on stage, so you’re gonna be hacking each other.”
And then, when they came there, there’s like,
big cameras everywhere and like these newscasters
was like a lot of light around them and so forth.
And these two guys were just frozen on stage,
trying to do something, totally unprepared.
It was really funny.
Anyway, so it’s been really educational, really entertaining,
and uh, I think it really has worked out for the better.
But I know there is this lingering doubt in the back of your mind.
There’s this question, which is,
“Wait a second, aren’t you just arming people with digital weapons?”
Right? And to an extent, that’s true.
I am indeed teaching people skills that they could abuse,
but so are chemistry professors.
So is a police academy,
so is a martial arts teacher.
And just like these people,
I am putting trust in my students.
I’m gonna trust them they are not going to abuse their skills.
In fact, they have to sign a waiver that
they’re not gonna do it for anything unethical.
And I spent a lot of time with them,
trying to understand these ethical dilemmas that get created
through the power that is hacking.
Imagine for instance, if you find an exploit that
could make you walk into any computer on the planet,
what would you do?
Now what would you do, if somebody offered you $500,000 for it?
Million dollars, right?
These are real questions,
and this is really how the environment works in the underground.
So, I actually believe that I have swayed some people,
some people whose moral compass was not fully developed,
some people who are making choices
that they might later regret.
Some younger versions of myself,
I may have swayed them on the path
where they are becoming constructive members of the society,
and making choices that are improving the security of us all.
And because there was somebody who did that for me about many years ago.
And something that I will never forget.
And it’s something that I want to pay forward
and that is why I teach people how to hack.