Cracker Hackers on Stage are Like Circus Clowns

Stop me if you have heard this one before. I was at a conference on computer security and I attended a talk by some notorious hacker who implied he could hack anything easily. He produced evidence in the form of a live demonstration involving an old, known vulnerability and used a script kiddie tool that broke in. Push-button breach. The hacker leaned back with a smug look while the audience oohed, ahed, and generally marveled at his hacking prowess.

Watching (or executing) a breach in a sandbox environment can be entertaining. It is nifty to see a computer fall, and even niftier if that killing blow is delivered with elegance. However, for better or for worse, this kind of stage performance is only for entertainment purposes.

In the real world there are millions of approaches to hacking into a computer. Only a very few have any chance of succeeding against a real target, and you don’t really know which few might yield results until you start poking around. In a way, hacking into a computer is like an ant trying to find the sweets in a picnic basket. The ant will wander all over the place and never knows where, exactly, it is going until it gets there. That is what cracking into a real computer is like.

So, the next time you see one of these cracker hackers excitedly gesticulating, going on and on about how they know so much about one very specific attack method, I want you to think about circus clowns. Yeah, those clowns can entertain the kids. But, you know, they are just clowns.