One of the things I get asked the most about is questions about how to be a hacker and how to learn hacking skills. And I think there’s a few people I know who really epitomized what that’s all about, and we’ve had pretty deep journeys and in their lives and their careers about about computer hacking.
We talk a lot about the mindset of hackers, which is one of the things I’m super interested in and attracted to. I find to be very helpful way of thinking about things. But you know, when we’re talking about the technicalities of computer hacking, what that means, it really appeals to a certain kind of person and I think a lot of people just don’t know where to start. And so I wanted to share one of the folks that I find inspiring and who I’ve known for a long time. I think his life and his career sort of epitomizes what a lot of folks are thinking about when they’re asking about computer hacking.
And so his name’s Riley Eller and Riley’s sort of a famous in the hacker community because he used to run the most popular party for hackers called Caesar’s challenge. And we’d have this party once a year at DEF CON and only the league got in. Riley has done a great job over the years of figuring out how to get hackers partying, and get us all connecting to each other and making friends with each other.
I think that’s a really important and valuable thing for a community of folks who maybe having focused on social skills so much previously. And so Riley’s also known for being a member of the ghetto hackers, which was the first team of hackers to win the DEF CON Capture the Flag contest three years in a row.
Then they took it over and ran that contest for a few years and really up the game. This was the notorious, you know hacking contest, cause it was the first big hacking contest. It was the place where that got started. And now of course you have hacking contests all over the world, but capture the flag at Def CON is where it started.
The ghetto hackers were one of the first real teams to take that on and they advanced the game and really turned it into a spectator sport at DEF CON. And it’s, it’s gone on and evolved since then. We talk about that a bit in this conversation. We go deep into a little bit deep into talking about a wifi mesh networking at a company called CoCo Communications where Riley worked another one of our upcoming guests on the podcast, Jeremy Bruestle who was the founder of that company.
You can listen to that to learn a little more about CoCo, but a lot of those inventions and those technologies are just coming of age now. And so I think it’s actually pretty relevant and interesting because mesh networking is one of these things that keeps coming up again and again, and the problems are hard and interesting.
So that’s a cool conversation. And then later on, we talk about Caesar’s experience as a hacker growing up, how he got into it, what he’s learned, what he values about it as well as his ideas for how you can become a hacker. I am really excited to share Riley with you guys. He’s made a big impression on me and my life, so I hope you enjoy it.
Pablos: This has been one of the conversations I’ve had in my mind as being important for the podcast and what I want to do. I’ve known you for more than twenty years. We have similar progression or timelines in our lives of getting interested in computers, hacking, and ending up in the social dynamic of the hacker community in those days. There’s a lot to learn from that. What I want to do with you is talk about some of those experiences early on and how we got into it.
First, let’s talk a little bit about what you’ve been working on professionally because you spent a lot of time on the last company you were at. It was a company started by Jeremy, who was one of the founders, so it was started by hackers. I remember talking to him before he started the company about the ideas for trying to create mesh networks that were ad hoc mesh networks. That was, in those days, one of the hard problems with networking to solve. I’d seen lots of trial and error and lots of difficult problems in that. Jeremy was amazing because he was able to get further than anybody, as far as I could tell, technically. I was always interested in that company, and you and a bunch of other friends end up working there, so can you tell me a little bit about what the progression of that was like?
Riley: Originally, we were doing a Business 2.0 article. Jeremy was explaining on the whiteboard in the Ghetto Hacker workspace how that all worked and I was trying to repeat it back to him to see if I understood his ideas, because it was difficult to grasp with what I knew at the time. There’s a photo of him and I talking over that particular moment right before the company was taking off. It was a pivotal moment in my life.
Maybe the first thing to do is describe what the point of that was at that moment because this must have been about 2005, 2006 or something.
No. The company was started in 2002 and I joined in 2003. They had about a year to go around, raise funding, talk about it and get their hands around what the problem was that they were trying to solve. What happened was a whole bunch of families who are proud of the country in Seattle, people with some money to invest, saw the communication failure on 911 as a critical infrastructure defense problem that could be solved commercially. It should be available so people who are busy doing things, running toward emergencies and disasters, will know that they’re not going to get cut off from the lifeline and the lifeline for those people is always information. Having that access to information or failing to have that access to information was responsible for about 10% of the deaths that day.
It’s not solving all of the world’s problems they thought, but it was something that they could focus on, it was narrow. This was about a year after the dot-com crash, so they’d all been gotten used to investing in technology. They saw this problem and they decided to try to get somebody smart and they knew Mark Tucker, who was the CEO. Mark and Jeremy had worked together on a project before, so they brought Jeremy in and he took some initial ideas out of IEEE and what was available at the time and said, “We’re going to build the stack of these existing technologies.”
He went around and talked to people who were in the upper echelons of communications, telecommunications, first responder communications, and military comms. He found that there was huge resistance on cost because centralized networks are much cheaper to operate than networks where all the smarts have to be in every device. The more decentralized a network, the more expensive it is, period, because like a smartphone, the phone part of it is low power, tiny little chip. Most of what we call phone now is a lot of other stuff. Adding anything, even communication technology that is constantly running, trying to help other people on demand, all those things that the first responder would need if the central communications went down, each of them is a real challenge.
Jeremy kept pushing on invention after the invention and built a four-tier stack of pieces that would be needed. At the bottom layer, you need to be able to defend against denial of service attacks because that’s an easy way to knock down a network like this. It’s to send crappy messages, so we had to have link security and link identity but we needed to provide application communication concerns like police and firefighters have common missions. You may have police and firefighters on the same scene at the same time but they have distinct missions. You can’t get the communications crossed up. A firefighter can’t misunderstand that shoot comes from a police officer or firefighter. They need to know what their lingo is and their jargon is. They need to use their words their way and not have to double-check who’s talking.
We needed to have a separation of communications as well, even though we had to have a common trust model, being able to join a lot of groups of people who have different interests in missions. Journalists, possibly even those who may need to talk to each other or send pictures back and forth to their cameras and so forth. All of these problems turned out to be tractable but complicated. It’s building up to pieces one at a time and working out how we can make a network that doesn’t have a central registrar. In the end, we found that we couldn’t create trust without some centrality. We had to have some trusted arbitrators of identity, but once you had an identity service, then the rest of it could be done purely decentralized.
We saw in the 802.11p or 802.11r, whichever one is the automotive spec they ended up rebuilding almost the same technology stack. They came around and they’re like, “These vehicles are going too fast. We need them to be able to talk to each other. They don’t know each other. A Ford doesn’t know to trust a Toyota.” All these same problems came back out so the model proved to be correct and effective. The way we implemented it, and our desire to make the network scale to essentially infinite size, make it scale-free.
That ended up being too costly for the amount of network resources available at the time, especially if you think about high-speed devices like airplanes or cars relative to bicycles and humans. Having that slow stability is great, but having those high-speed movers can shuffle the topology of the network quickly if you do any automated algorithms or if you consider those to be all part of the same network. There are good reasons that the military divides the universe up into upper air tier, middle air tier, lower air tier, ground tier, sea tier, undersea tier and cyber tier. These are all different dimensions and each one of them has a completely distinct communication technology. That was an opportunity for improvement and we didn’t see that. A lot of our designs were homogeneous.
It’s a little over-engineered.
That took us a long time to recover from.
In those days, if we’re talking about 2002, 2003, 2004 or 2005, basically, we’re at a point in the world where the internet has completely taken over. TCP/IP 1, people, especially at that time, thought of it as this is a decentralized protocol, in a sense compared to centralized networks that came before us. The telephone network is a hub and spoke design where you have a switchboard in the middle and anytime you want to talk to anybody else, you go through the switchboard in the middle. TCP/IP, all you’ve got to do is find anybody else on the network and you can connect through them. We think of it as decentralized but in fact, for it to work the way you described, there’s a bunch of quasi centralized services like name service, issuing IP addresses and that stuff that has to be managed too.
You have to have an identity database. You have to log into all these services.
We have a whole bunch of different identity services but those are all essentially centralizing services.
Even the IP address assignment is a central function.
I remember we were first playing with Wi-Fi probably by ‘98, or something. It was for extreme nerds and nothing had Wi-Fi in it, so you had to plug a Wi-Fi card the size of an iPhone into your laptop to get on Wi-Fi. By 2001 and 2002, it’s getting normal. The first laptops with Wi-Fi were probably the iBook, Apple’s Titanium PowerBook, or something. It was one of those that had Wi-Fi build in.
We were using PalmPilot or Pocket PCs, which were a phone board and PC board jam together with a serial port and stacked with it with a screen. The HP iPAQ and the Compaq iPAQ were the things because it had Wi-Fi and that Wi-Fi in the old days had to have ad hoc mode. Lately, that’s not supported on most radios.
A lot of the companies wanted to put this communication technology into an employee problem rather than a job problem.
Tweet
They don’t even support ad hoc mode anymore. Ad hoc mode, I thought, were some descendant of it. It is basically what’s used when you do personal hotspot on your iPhone.
It’s a descendant and it has a parent and a child relationship even then.
The point being is all these networks that we use have that hierarchical relationship where, in Bluetooth, you pair to your other devices. There were occasional cases like airdrop as an example of an ad hoc thing where you could find devices on a network that you didn’t even know about before and talk to them for a little bit. I remember those days. As computer nerds, we were all fantasizing about how to build the next generation of the wireless network to be an ad hoc wireless, we call it a mesh network, meaning there was no centralized authority in the network.
What we imagined was you would be able to go anywhere, devices and all find the other devices around them. As long as one of those things was on the internet, everybody could route through them. It ended up being intractable because largely, the overhead of managing routing tables and those things. What I saw with the company that was called CoCo at the time, what Jeremy had come up with was a more practical way to solve that routing problem. Did it not end up being a big deal?
It did but what it ended up doing at the scales we wanted to achieve was creating a lot of ongoing or zombie connections. It wasn’t even the routing that was complicated. It was keeping all the devices leashed together. The big problem for multi-party or multi-security domain mesh networks is that we give them to the police and the firemen. We want to keep the comms separate. The big problem is to track a firefighter who has moved through and past the end of the police area. We have to hop that firefighter’s connections through those policemen and back to where the other firefighters are. That is such a core conceptual model that your workgroup stays together as long as you exist and you’re connected to the mesh. You have this constant application layer concept of group communication or a group connection.
When you have that, then it’s cool because you can have an IP subnet in your mind or your machine. You can represent a group of any nature that you’re a part of in the whole world with an IP range and use all your standard TCP/IP applications. The problem was to keep that real, then there needs to be a path for people in, for instance, that big group of firefighters that have one of their own orphaned out and at the end of the police network. They need to have a live connection in tracking where other firefighters are moving, so when messages come for them, there’s a path selected. It is a routing problem but it’s an online routing problem and it turns out that, even though nobody cares, except for your people and that was our goal. It was to make it lightweight for everyone else. Everyone still has to pass along updates about destination locations as you move.
It’s got this whole mobility problem and nowhere to send the mobility information so it can be permanently routed in a central place. Mobile IP doesn’t have this problem, because mobile IP does not allow two mobile devices to talk to each other ad hoc. It’s not mobile. It’s both of them. Each of them has a static IP somewhere and they proxy through that. Only that one device needs to know about their location updates and everyone else can forget it. In a truly purely ad hoc mesh, you can’t do that. There’s a connection overhead, a connection load.
Where did you guys land? I know that you build various iterations of this product to try and help emergency services and in those situations, what did you end up with?
We ended up with the first high res audio USB audio digitizer that was pluggable for firefighters or emergency response radios. We went down to Katrina as soon as Hurricane Katrina happened in the aftermath. We went down and we hooked up a lot of the radios to each other and created multi-discipline talk groups to help them out. That was one of our successful products, our tactical radio gateway.
Instead of all the police and firefighters having analog radios on channel thirteen, talking to each other, you could have them all on channel thirteen, but you’re using digital sampling of their audio when they’re talking, sending it digitally and separating out on the network. This goes to the police group and this goes to the firefighters’ group.
We could do that but we also have the power to then cross those groups up. Maybe by regions EMP 25 and these other guys are using a more legacy Motorola StarTAC or something network. They’re unrelated radio networks and we get them to give us one radio each plug it into the gateway and now those two top groups are merged. It was either a distributor like you’re saying or a mock server. We did that and we were able to at least to some degree, effectively negotiate the push-to-talk problems.
Push-to-talk networks that have an incredibly low timing sensitivity. You have to be as fast as possible. Because if I push my button and you push your button, we both talk and nobody hears. Everyone else hears both of us, but we don’t hear each other. We don’t know that there’s a problem. The farther apart those networks are, the harder it is to mediate an effective push-to-talk regimen, so we came up with some patents in that area as well.
We branched out all over the space of communication in hastily assembled or dynamic environments. We built a chat network so it was your Jabber chat client but it would connect to a localhost. There’s a local service that you were running that pretended to be a chat server and would transact all your messages out to multicast well and track which ones of them arrived and didn’t retransmit correctly. You could on a multicast plane have a bunch of people using this chat service, transacting files at extraordinary speeds.
That makes sense.
Because everyone’s getting a copy of the packet at once so you didn’t have to send ten copies to ten people. You had one copy to the network and if anyone needs a particular frame retransmitted, somebody else can do it while you’re still spewing. It was efficient and it worked effectively up to 70% packet loss and you get delays of one second in your chat.
That’s tolerable in chat. Is this stuff being used widely in emergency services scenarios now?
No. Emergency services are utterly owned by Motorola Public Safety. They own the regulators, schools and engineers. They own everything.
It sounds like a great business.
Three years after we got going and they heard of us, they bought Mesh Networks Inc., which made a much simpler product that wasn’t meant to solve the world’s hunger. Many Motorola devices have mesh network devices in them, which is interesting because the radio at least at one time, beaconed all the time, and beaconed a clear crystal simple sound on the unique frequency. You could easily build a, “Where’s the police officer near me,” direction pointing to yourself. It’s a convenient GPS overlay of, “Where’s the nearest police officer?” We pivoted into the military space and we did that. We took those same radio gateways and mesh network repeaters. There was a company that was making Pocket PCs in a scanner form factor with four bar codes. It was rugged. We took some of these rugged Pocket PCs and mesh network repeaters that look like little bricks and tactical radio gateway, which looks a little pelican case. We took those out for the Coast Guard and helped them to build a hastily assembled boarding team interdiction network.
What does that mean?
I didn’t get up close to a freight ship before but they’re the size of a skyscraper lying sideways in the water. They’re utterly huge. You think about a 40 or 50 story building covering that in communication seems a hard problem. When you think about a ship, it’s not clear necessarily. It wasn’t to me anyway what the problem would be. It turns out the ship is made out of a Faraday cage. It does not permit radio to pass any part anywhere at all ever. Coming up with a way for people with bulletproof floating vests, rifles, comm systems, flashlights, these Coast Guard are there to see if there’s smuggling. They’ve got their border mission.
Coming up with a way that guys can operate a mesh network became a real challenge. On the bricks, we had to come up with a light signal system. We had an ON button but no OFF button so you couldn’t turn them off later to screw up the network. They’re rugged. They break it in and it stops working and the crypto falls off. On the front, there were four lights: red, yellow, green and purple. It was that blue LED that was popular at the time.
Blue meant that the device was connected back to the radio gateway. You’re on the network. As long as blue was lit, you’re live and you’re okay. Red, yellow, and green was the link quality of the first hop back to the radio gateway. We would tell people to leave them off in the provisioning center, on the cutter, they would be off, pack them in their jackets, and take them across. They turn on the radio gateway, talk back to the cutter, turn on the first mesh node, and it’s likely to go green and blue. The green and the blue. They’d walk away and it would drop to yellow. We’d have them step back up until it got to green, set it down there and that’s as far as this device can go.
They leave breadcrumbs all the way.
BreadCrumb is a registered trademark of the Rajant Corporation, which makes a similar communication device so I’m not going to say that word. The Hansel and Gretel story is the way that went. The cool thing was, by making it real-time, live and visible, this utterly impossible concept of link quality that no Boatswain’s mate is going to ever be able to jump to lecture on. That usability in real-time changed the future of our product in an interesting way. It turns out that there are these spots where a guy would be taking one round to see. As an experiment, we did it on an icebreaker, the Polar Star.
We went around playing with them and playing with them, Grant Wallace moved a live one that was in a red state. The blues off. You’re not on the network. You can’t see what’s going on. You’re too far away. He’s like, “These don’t cover enough ground. We’re going to have to take 40 of them over.” They weigh a couple of pounds and that’s unrealistic. He moved it in front of an air vent and it turns out that the ventilation system is a perfect effing waveguide. He mounts it outside and it goes green and blue. We ended up filling the Polar Star with six Wi-Fi radios. It’s like a 30-story skyscraper lying on its side on the water and we’ve got six 2005 era Wi-Fi radios.
You could go down into the hold and live talk back and forth with Groton, Connecticut, over a SATCOM back on the cutter. They could take a picture, have it go round trip, be in Groton within a minute or so with several seconds anyway. They were slow radios back then and have an analyst tell you whether it was a problem or not. You wouldn’t have to do what they did before, which was go over, go down and below decks in pairs, take photos of everything that could be found and come back up every fifteen minutes to make sure nobody got shot. Anyone being shot is not an acceptable experience.
It’s a US problem.
That was my feeling. We’ve got to change this. We’ve got to do something different so giving them live round trips back to Connecticut made a huge difference.
To be clear, the reason they would have to do it that way before is because the analog radio, a Faraday cage means all the radio communications are going to get blocked if you’re below the deck or whatever.
Your cell phones don’t work on the inside of the big ship. Cable TV and satellite phones, none of that shit works when you’re inside of a big ship.
You guys develop that type of technology and other things around it and end up selling the company at some point.
We worked on rebranding as well. We pivoted out of the Federal space and went into construction first. We thought that construction was a natural thing. It turns out if you can rig a communication system for a skyscraper on its side in the water, you could also do that for one that’s being built. It was an easy pivot to stand that skyscraper back up and go into the construction industry.
Did it end up being a successful market for guys?
Not as much as we wanted.
Construction is hard to sell into because it’s conservative.
We got written into some IT plans like this as part of the IT budget for a bidding process. We made it all the way through the selection and integration process. I don’t mean to say that it was unsuccessful but there’s a weird intersection for those guys. There are some things that they buy every time they do a job. There are some things that they buy every time they hire an employee and they expect the employee to track that device like a cell phone. A lot of the companies wanted to put this communication technology into an employee problem rather than a job problem.
There were weird technical issues that made that go way slower than we wanted and potentially not have a lot of resales because the company would reuse the same system building after building. They buy enough for how many jobs they do at once, rather than enough for every job. Finally, we went to residential and started building residential Wi-Fi mesh networks, so home routers and extenders. Nokia was moving into the Nokia Wi-Fi space. Nokia makes most of the phone equipment that’s not Huawei or outside China. They’re the leader. They build the head and equipment and lay the fiber or somebody lays the fiber. They even built the CPE.
What’s that?
Your router, your fiber modem or terminal. They wanted to provide the carriers the capacity to deliver that gigabit fiber service all the way through even an extender to the far edge of the home. They acquired our company, Unium was the rename of CoCo. Unium like E Pluribus Unum. Unium, the element of connection. That’s where we wanted to take the brand eventually. We rebranded it and turned it around. Mike Chen from Linksys that we had met before had gone over to head up the digital home business unit there. He knew about us and came. He found our people and talked through them. Over about a six-month period, we worked our way to a partnership and that’s been going for a few years now.
I want to change gears a little bit. When we first met was probably at DEF CON sometime in the late ‘90s. In those days, DEF CON, which is now the world’s largest hacker convention, probably always was, but there were maybe 1,000 people there, maybe 2,000.
Maybe up to 1,500.
I was still at Alexis Park which is the size of a Motel 6 or something. It’s a small hotel off the strip in Vegas that gets invaded by 1,000 hackers or so every summer, every August maybe. It’s 106 degrees, you’ve got 1,000 pasty white computer nerds in black t-shirts with witty slogans about internet protocols, Linux or something, laptops the size of VCRs, some of them with dual VCR decks in them.
Can you explain VCR to me? I don’t think anyone reading this is going to know what you’re saying.
We’re definitely losing people. My daughter has no idea what a VCR is.
Hacking is like this bottomless pit of puzzles. It’s that bottomless pit of intrigue about the computer.
Tweet
Laptops that are the size of stoves.
They were huge. People who have probably heard stories or anyone interested in hacking have probably heard stories or read about DEF CON in those days. I remember at that point, we were at Alexis Park because we’d been kicked out of every hotel on the strip for being poorly behaved, essentially cutting the power to a wing of the hotel and arson.
Breaking the security system and throwing bottles off buildings.
There you go. The ATM is going haywire. Who knows why? All payphones being destroyed. It’s all those things.
People dying the fountains.
Hackers in those days were fringe. It hadn’t gone mainstream. These days, a hacker is anybody who plays video games. There’s nothing to it.
That’s not that big of a pride point. I still call myself a hacker because I’m still proud of it but there’s something definitely diluted about it.
That’s the progression. Hacker in those days was not something that you advertised. It was essentially considered a criminal. For most people, it was isolated, at least for me. I grew up in the ‘80s, in Alaska, and I lived in a small town where there was nobody around who was interested in computer hacking, except for me. I would get these floppy disks mailed to me with The Anarchist Cookbook, information about hacking phone systems, how to crack video games and Apple II. It’s that kind of stuff. I get the floppy disk mailed to me once every few months.
By whom?
There were others but the one I remember was called the Bootlegger. It was a magazine for hackers on a floppy disk. You could subscribe to it and get mailed out. That was probably in ‘81 or ‘82. It was bad. By ‘82, I got a modem. I was in Alaska in those days and long-distance calls were expensive.
Freaking was the law. The physics of the environment. If you don’t freak, you don’t play it.
You couldn’t afford to call.
Do you remember the first time you ever turned on a TCP/IP connection and you were like, “Russia, oh my God, it was free?”
TCP/IP, I didn’t get it.
It was like legal freaking but the internet was like a crime that you could buy. You could go out and buy this thing that could commit crimes for you by sending packets for free around the world. That’s the best feeling in the entire universe.
That’s well put. I got on mainframes in the early ‘80s.
How did you learn all this so young?
It’s because I had nothing else to do. It was cold outside. You were going to die if you left the house and I had a 300 baud modem. The thing was, the university had mainframes, which in those days, were VAX mainframes. VAX, to be clear, has the computational power of a Tamagotchi but it was a multi-user computer, and it could have 100 people connected at once and a lot more in the computer lab at the university.
The most boring LAN party possible.
It was the most boring LAN party but we were all so excited. The cool thing was because I was a kid with nothing else to do, I managed to finagle my way onto the system even though I’m a 13 or 11-year-old kid, whatever it was, and everybody else was a computer science professor. They didn’t know I was a kid, but they all had jobs and in school and stuff to do and I didn’t have anything. I could spend sixteen hours a day learning about the mainframe, but it was painful. I learned the hard way as I’ve told other people. I learned to code by reverse engineering 6502 assembly language. There was no one to teach me. There was no YouTube video. There was no how-to for dummies guide.
You didn’t get the Commodore 64: Programmer’s Reference Guide?
I had Apple II and I had the manuals that came with it, but that was not how to code.
There’s an assembly reference in that, isn’t there? There isn’t a Commodore.
There is a reference that’s generous. It shows you, “Here’s what jumps statements are in hexadecimal.” What does a jump statement do? I don’t know. Let’s delete them all and see what happens. It was bad. I had pin-free Dot Matrix printer so I could print out all the assembly for a program.
Was it like fanfold?
Yeah. You printed all that, it would be hundreds of pages and you would go through and look like how you would crack video games in those days. Find all the jump statements one bite at a time. I didn’t learn a lot too fast but I had made up for it by time and enthusiasm.
That’s what they called talent, time plus enthusiasm.
These days, that’s about as good as it gets. Once I got on the mainframe, I could finally talk to people who knew more than me and there was an email system on there where you could email the other people on the mainframe. There are a couple of hundreds of people you could talk to, so I would ask them dumb questions, “How does this work? What does that do?” Because the mainframe was limited, you could only get so much processing time, so much storage and memory, and I always wanted more.
I would write these programs, which we call Mail Bombs, and you would write a little program in DCL, which was the scripting language for the mainframe for VAX and you name it like Star Trek Game. You would email it to somebody and get them to run the Star Trek game. It would give them an innocuous error because they didn’t have a game. It would give them errors and I’d say, “I’ll go try and fix it,” but in the background, it would be locking them out of their account if they’ve given me all the resources and access to all their stuff. It’s a computer virus, but we didn’t have that nomenclature yet. We independently invented Mail Bombs.
I believe that’s called a Logic Bomb, not a virus because it doesn’t make more viruses
If you’re nitpicking, that’s true. I didn’t get to the automatically replicating part of it. The point being, that’s what, in a nutshell, my childhood was like. It was trying to learn as much as I could about computers and having nobody and almost no resources to lean on, and now it’s so much different. Kids can go on YouTube and watch how-to videos with animated cartoons explaining everything. The point being, by the time the internet came along because there’s a window of time where you got past mainframes into BBSs and things like OBS.
I’m one tech generation later, like four years later.
BBSs were more accessible communities of fringe wackos essentially who wanted to get into nerd stuff.
For me, you go over to the Disk Copy Party that happened once a month and steal everybody’s software with each other and copy everybody’s stuff. Somebody came into a place that I’ve had my first job and they had a duffel bag full of pirate floppy disks. No envelopes, nothing protecting them, it was jammed in there.
Floppies were oddly resilient.
It’s so true. It’s surprising compared to even a CD or a DVD. You get a little scratch in the plastic and it’s all ruined. Out of the backdrops CCGMS, the modem program for Commodore 64. I had no idea. I didn’t have a modem so I’m asking this guy what does he do and all this stuff. We end up becoming short-term friends. He was on the run and making his way toward Vancouver and had some stuff. He was from Portland and they had some stuff going on.
He was on the run with a duffel bag of floppies.
We stayed in Arlington for a little while and we were friends for a minute. I went to his house once and there were five discs left on the floor and he’s gone. Everything is gone. In that meantime, he taught me how to get Sprint to issue a calling card that didn’t bill. I thought, “This is acceptable. This is my solution.” This guy tells me one thing and for eighteen months, I don’t have to work to dial internationally. I’m not a freaker. I script kiddie the solution from a guy and that solved my problem. I got a 300 baud modem, 1,200 baud modem, and 2,400 baud modem as fast as I could upgrade. I got two and ran a little BBS of my own.
It’s like being part of a global underground.
Our German teacher was the head of Brain Damage Studio, which was a distribution group in the Pacific Northwest, pulling out of Frankfurt. He would be on the phone on one of his phone lines 24 hours a day pulling down from Frankfurt. I was like, “I’ll help.” He’s like, “Great. Here’s another Fairlight BBS. You go here and get this stuff and bring it in.” That was my introduction to it. I fell into it.
I had a sense that that existed out there but I was far removed that I couldn’t get to that thing. There was no place to do floppy copy parties. I remember one time, I met a guy on a mainframe, who also had Apple II. My parents drove me across town to a sketchy mobile home park, a trailer park. They dropped me off to hang out with some weird guy.
Mine did too. I did the same thing too.
I went to his house because he had dual floppies and I only have one, so it’s a lot better to copy. That was weird stuff. That seems amazing because you probably got far fast doing that.
I got to learn about password security and logging. Joe Grand was the one who remembered this guy’s name. There used to be a guy on the East Coast and it’s because I could call anywhere on this scheme at the time. There used to be a guy on the East Coast who would set up voicemail boxes because all the voicemail systems were brand new at the time, they all had stupid hardcoded backdoors. You could call into one, dial a few different codes to see which brand it was, get yourself administrator privilege, and set up a voicemail box on (77245) extension, which no one is ever going to dial in history because it’s a two-digit extension box. (77) is not allowed, so you’d make these absurd voicemail boxes, no one ever knows they’re happening. This guy would call in and he’s like, “Here we go. I’ve got numbers for six bulletin boards,” and read them fast. It was like the Micro Machine’s commercial guy. He read them so fast. He’s like, “Here are thirteen Mastercards all fresh in the last 24 hours. American Express, Visa.”
The Hacker ethos has always been anti-aesthetic. It’s not as good to look good as it is not to be cool.
Tweet
He’s reading the stuff up in the voicemail boxes.
He’s not even putting it on a digital packetized thing and leaving a modem tone or something. He reads it off. The capacity to do stuff was far away from the practice of how to do it. If a guy is reading you into a phone and you’re calling, in the end, the next voicemail box would be a phone number and a voicemail by extension. That one would never get used again and get deleted a couple of days later. Once you get on the train, you’ve got to stay on the train. It’s like a podcast that was hard to get.
When did you first end up going to DEF CON?
Shortly after all of these shenanigans, my age of majority was starting to approach and I was working a lot. I bought my first car when I was fourteen. I wanted to get going in life. With Operation Sun Devil and some of the other police anti-hacker moves in the late ‘80s and at the transition to the ‘90s, with that stuff going on, I decided to put away all of those childish things and go out in the world and do my thing. I got my first programming job before my eighteenth birthday and went fully professional. I helped the guy who built the Sonic Arris Assembly Line and all these little projects and cool little things I fell into working with Datalight, Roy Sherrill in particular. They lifted my career up.
I went in for a programming interview and they said, “The Program is Tic Tac Toe in C.” I was like, “Cool. Do you have a book on C? I’ve never seen that language before.” I sat there and for eight hours, I learned C and got a partly working Tic Tac Toe and they were like, “If that’s your first day in C, you are in.” That was mostly because I’d had Mr. McKay and Ainsworth in the Marysville high school system. They put a lot of effort into exposing kids early and effectively to programming. I learned logo when I was eleven. I would assume it would be now the normal programming course. I’m meeting more kids that haven’t taken a programming class and I’m a little surprised.
It’s finally been legitimized. When I was a kid, I remember everybody’s parents wanted them to grow up to be a doctor or a lawyer because those were legitimate career choices. Computer programmer sounded psychedelic. Now, it’s like, “You should be a computer programmer or doctor, definitely not a lawyer.” That’s the progression. It’s the revenge of the nerds. We ended up succeeding at making careers, businesses and a lot of money.
The explicit goals of the Ghetto Hackers were to improve our skills, our revenue and our careers.
Hacking was a thing when you’re a kid and you ended up getting jobs. I remember when I got out of high school, I got a zillion computer consulting jobs. Whenever somebody wanted to do something with a computer, somebody goes, “Call this guy because he knows computers.” I never knew what I was doing. It’s like the C thing, I’m like, “I’ll figure it out.” I figured it out because I wanted to prove that I could do it or I wouldn’t get another job. That’s was my whole early career, but I might still be doing that.
I am.
I don’t know if that’s a personality thing or the window in time. I didn’t go to college because I was busy. I could get these jobs to play with cool, new computers. Why would I pay somebody else to play with their old computer? That’s how it went and that worked out for me.
I lived for two years because a friend said, “You have to go to college and I’ll drive you.” I was like, “Did someone gave you a ride to college?” In two years, I almost finished it. I quit because it was too boring.
For similar reasons, I did get signed up for college as a way to get the student loan so I could buy a car. I skipped all my classes to go snowboarding and that wasn’t considered copacetic. I was going to drop out but I wanted another student loan. I signed up again and I decided to only take classes that sounded fun or interesting. I was looking through the course catalog and I found the dance classes. I had never taken any dance classes but I signed up for dance classes. I took tap dance, ballet dance, jazz dance, African-Haitian dance and every kind of dance class they had. It was fun. It paid off. I’m still there. That was a good life decision. It worked out great and then I dropped out.
You got the good stuff. First is dessert then screw the meal, let’s go dancing.
You got legit. Somewhere along the way, professionally, you ended up falling in with hackers again or somehow ended up with them.
I was working on a newsreader to convert Usenet to FidoNet. I mostly spent my time on FidoNet at the time and using it for binaries, for downloads of a certain kind. I was working on a QuickReader format translator to package back and forth and connect up the old FidoNet to the Usenet. It turns out it didn’t matter. One of the things that choked my reader was this message posted to Usenet and it was an invitation to DEF CON 4 and it was two months after DEF CON 4. I opened it and I looked at it and it was like, “Underground Hacker Convention.” I was like, “You are sending this out in public.” I got this weird ASMR thing. My hair stood up on my skin. I got all weird feeling, I was like, “Hackers are outside now. You can meet people in real life.” I was always taught like, “Don’t use it from home. Don’t admit it. Pretend to be an amateur spy.” When I saw that, it stuck in my head.
For month after month, I kept reopening this file and looking at it. I can’t even explain what it was like. It was something magical. I ended going to the website. I found the DEF CON 5 invitation. I made my plans. I went to the opening discussion and Mudge is on stage and I’m fanboying, squealing. Mudge points at me and he says, “That guy right there is one of the best hackers you’ll ever know.” I’m like, “Something is wrong.” The Hobbit is right next to me. Hobbit stands up and he’s like, “Thank you. I wrote Netcat.” I lost my mind. I went from fanboy to fangirl or fan kid. I was sitting in this room and there were 500 or 1,000 hackers together. You could see it in everyone’s eyes, every person there had something to tell you about. I started little conversations here and there. Do you know when they say, “I found my people?”
Yep.
I walked into the room and I found my people. I was adopted as a kid. I’ve always felt a little on the fringe.
How old were you when you were adopted?
Two months.
Did it felt different?
It felt different. My family all look alike and I look different. I go in there and I’m like, “Everyone here is pasty white. I’m the man or at least a boy.” It was like a clone army. It felt like being a Stormtrooper and we’re on the Death Star. I’m like, “I’m home.”
These days, it’s something that the hacker community gets much credit for being a place to feel included. For a certain class of person, that was the case.
It was a life-changing moment when I sat there and met these people.
The Anarchist Cookbook
Being a computer nerd in the ‘80s, for those who weren’t around for that, wasn’t cool.
It was maybe like what drug problems are. You’re alone at home, in the basement. No one is looking. No one will talk about it. No one wants to hear about it.
If you’re into drugs and you at least have a leather jacket, it might be cool. If you’re a computer nerd in the ‘80s, there’s nothing about being cool. It can be isolating.
You’re the first one to get kicked off the raft.
It’s like, “The raft doesn’t have room for you.” “I’m skinny.” “There’s no room for you.”
“Code a raft for yourself.”
That’s a great story. It’s probably equivalent to the story for every other single individual in that room at the time. It was a community made of nothing.
That Saturday night, there wasn’t a huge amount of well-known or well-publicized parties. It wasn’t like now where you go around and you get sixteen invites to go to a party on a Saturday night at DEF CON.
DEF CON now is 25,000 people.
It’s massive. Corporations throw parties at DEF CON now.
Microsoft and Facebook do.
All the little security firms do it. For me, when I was there, I didn’t know what to do on a Saturday night but I wanted to do something with the hackers. To be honest, I’ve told that story several times that way. My wife at the time went to the liquor store and got a couple of bottles, brought them back to the hotel room, and I stood at the hotel room door like a lady of the night. I’m standing there and pulling my jeans up a little shorter and seeing if I could attract hackers to come in and get free drinks.
I’m standing in the doorway and pulling people into the room. Everybody was happy to come in and say hi and meet each other and stuff. The social tools they had available to them lasted about 2 or 5 minutes. They’re standing on the wall waiting for somebody to have a party. It was about to be a magical thing. I’m looking at all these people and I’m thinking, “You all love each other. You all have all this stuff in common. You love the same stuff. Why aren’t you either making out if you’re inclined or talking and making out with your brains? Why aren’t you doing stuff together? I’ve put you in the room. Why aren’t you doing the thing?”
It was this breakthrough moment, I said, “I need $10,000. Let’s steal it from Western Union. Let’s get Western Union to give us fraud money.” They were like, “We can’t do that.” I was like, “Let’s decide whether we can do that once we make our plan.” All of a sudden, it turns into Ocean’s Twelve up in there. All of a sudden, everybody is a criminal. They’re like, “Let’s analyze this. Is there a backdoor? Do we have pictures of the place? Where’s the wire? What protocol do they use? Is there encryption? What about the terminals? Can we dig?” Immediately, everyone jumped in and started throwing their passion at it.
Of course, we were never going to do it and no one ever did. There’s no conspiracy to be active further. It’s a fun conversation. People in the hallway who were walking by and looking like they were ready for bed would hear the noise and turn and come back and join. The party went from 8 or 10 people by about midnight to 30 people crammed into a single, small hotel room. All was jamming and talking and yelling, “That doesn’t work.” All this crazy energy and I looked at it and I thought, “Something about what happened is the most important thing in my life and I need to figure it out. I need to be able to reproduce this. I need to bottle this crap.”
I came back the next year and I decided to brand the party as the challenge. I hadn’t worked out to put the puzzle on the invitations yet. It was an invitation to a party. I took them around and I set them in innocuous places. They were on a clear laminate with a fragile ink. If you rubbed your thumb over it, you’ll destroy the entire invitation. I set out 200 of them on tables and places where they were hard to see. I’m not sure which year this was. It was the second year I did the party.
This is about ‘95.
No, more like ‘98. I went back. Once the party got going, I said, “Let’s try this other challenge. Let’s try this other thing.” Wallflowers turned into extroverts. As soon as the state of their brain could lock on to something that was a challenge, something they couldn’t get their whole mind around quickly. For the kinds of friends we have, for the hacker mind, putting something in their brain that they’re okay with and that they want to think about that’s fun, that is complex enough that it gets their creativity chewing, it occupies their critical voice. This is my hypothesis from watching this party happen. As soon as they get this thing in their brain to work on, all of the self-criticism and internal doubt finds no exit. They can’t start talking in their brain because this problem is talking to them. They lose that sense of self-consciousness that can be toxic.
It’s interesting because if you think about what’s attractive to computer hackers, hacking is like this bottomless pit of puzzles. It’s that bottomless pit of intrigue where everything about the computer, it’s like, “That’s funny. It wasn’t supposed to do that. What happened?” You dig. That’s what debugging code is like. It’s puzzles. Security problems, in particular, like puzzles, it’s like, “You’re not supposed to be able to do that but I got it to do something it’s not supposed to do.” That’s mentally stimulating and interesting and a lot of it’s done in isolation. It’s done alone. That conversation isn’t happening with another person in the room. What’s interesting about those challenge parties is it bridged the gap to doing the thing that they like to do but doing it with other people.
Something that is still important to me is learning more about that, doing it better and finding ways to engage more in different people. Years ago, there was a battle of the sexes. Some horrifying men in the computer security community are taking some angst out on the women in the industry.
If you had to stereotype DEF CON attendees over the years, there’s a lot of poorly socialized males. Like anything else, you get better at it with practice. If you grew up by yourself in your bedroom with a computer, you’re missing out on some of the work it takes to get good at cooperating with other people and treating them well and those things. It doesn’t surprise me. It’s a community that welcomes people. There’s no screening process. You just show up.
All the behaviors that people would have that would signal to any normal person that’s like, “Stay away from that person. They’re creepy.” We don’t have a defense mechanism for those. You could be creepy and show up and we’re like, “You’re creepy.” I don’t know if you’re in a sorority or something. You wouldn’t get within 100 miles of a sorority before some football players were hired to get rid of you. There are those things. As inclusive as the community is for those reasons, it accepts people who are not specifically well balanced in other ways. I’m not saying everyone is that way.
I would further that though. I would say that some of the people, myself included, who are part of the community have done a poor job of accepting and criticizing the artwork. It seems a little tangential but a lot of the artwork in our community in the early years, in the ‘90s at least, came from metal bands and industrial music or anime. In the anime, especially, there’s maybe an overly stereotypical presentation of females and that was the aesthetic. That was what was happening. Everybody wore those t-shirts. That’s what it looked like to be around us at the time.
Capture the Flag has done more to escalate the defenders than anything else.
Tweet
Not enough people had absorbed that the artwork that they choose, the decorations that they choose are messages that reinforce or subvert stereotypes. By having a social norm of reinforcing certain stereotypes, especially the love of Japan, whatever that was going around in the late ‘80s and early ‘90s, Snow Crash and all those cultural iconic moments and the movie Akira. Letting that become the visual language we use to represent ourselves has the consequence of giving us a reduced conversation around, for instance, gender issues.
One of the things that have been tickling me in the back of the brain is how could we bring a discussion around personal aesthetic into the hacker community in a way that gives people a much more diverse self-presentation? A much more diverse self-presentation, one that they can talk to and one that other people can criticize effectively to say, “That thing that you’re wearing is like a pro-holocausts t-shirt. I don’t like that. There’s something wrong with that,” and opening that conversation. Now, people at DEF CON can wear some offensive stuff. People don’t think that’s part of the conversation. They don’t think that’s part of their environment. They don’t think that’s part of their responsibility. You think that other person is doing something wrong, maybe, or they don’t. The people who don’t know that they’re doing something wrong are having their stereotypes reinforced.
There’s a ton of stuff in there to pick apart.
You were talking about that on the other episode.
I’m always a little cautious to throw people under the bus from history or to cast judgment on the past. People are doing the best they could with the situation. We know more now. We can go piece together how we got here. We can see the things that were happening in this community that led to the problems that happened and you certainly want to learn from that. It’s interesting because you’ve identified a set of issues that have become a big deal. One of the things I loved about my social group, my friends being hackers, is the comparative irreverence that they have. These are people who don’t take the status quo for granted. They’re willing to argue about anything. They want to find a way to reason their way to their beliefs. They have no compunction about telling you when you’re full of crap. I remember times when you did that for me.
That’s why we’re friends.
I value that. I need that. I want to be able to take an idea, shoot a bunch of holes in it and see if there’s something left standing at the end of the day. That has influenced my process as an inventor. That’s what we do. I don’t find that in other communities the same way. People are worried about social hierarchy. They’re worried about their status. They’re worried about offending others. They’re worried about all these things and it keeps them from having these honest conversations.
Not to defend it but one of the things I saw in the hacker community in those days, the late ‘90s, is that it was accepting of whatever you brought. You could show up. You could wear a t-shirt with something offensive on it and everybody would be like, “Cool. Whatever.” It was accepting of marginally criminal behavior. It was accepting lots of anti-social behavior. It was accepting people who were gay. I saw that there are more than in other places I had been. You could be gay and that was no problem. Trans people, for sure, were more accepted there in general than in other places. This might be less true now. At DEF CON, maybe there’s a lot of that. It was accepting a wide variety. Drugs are more accepted, psychedelics and things like that, that wouldn’t be in other communities.
I’m not somebody who had any of those things that I needed acceptance of. I learned to be accepting of those things or at least slow to judge. I appreciate that. I remember that having a positive influence on me. I’m not trying to defend it. I certainly know, especially for women, this was a hostile environment in a lot of cases. This is not an accepting environment that was comfortable for women. I have a lot of female friends who were hackers that would come and they had put up with a lot to be there. They were brave. Some of them had to compromise themselves in ways to be there.
In my early experience with women, they were tough as nails and sharp.
Even the term in and of itself is derogatory in a sense. It’s like saying, “They have no other value other than to look pretty and be there with some guy.” It isn’t cool but that’s the context.
That’s what it seemed like at the time anyway. I only mean to say that looking forward. One of the things that would be a healthy endeavor would be to engage in some aesthetic discussion, which is new. The Hacker ethos has always been anti-aesthetic. It’s not as good to look good as it is not to be cool. That was how we tried to make the Capture the Flag game. It’s cool but we didn’t necessarily try to make it look good. We tried to give it a lot of experience, a lot of stuff. It was still gritty.
That’s the origin of the challenge party. How did you end up playing Capture the Flag? Maybe describe that.
Originally, Capture the Flag was a game run by Miles Connolly as far as I know, from the beginning. Miles would organize to have some people bring in servers and then everybody else could come in and they could play Capture the Flag. They could try to capture those servers by hacking them.
Each server had to have a file on it and that was the flag. You’d hack into it and get the file.
You’d write the file. You’d put your name in the file called flag.txt. The first year I went, I didn’t know about it or played it or anything. It was just talk. The second year, I went and saw that there was this Capture the Flag game. There were big banquet tables and different people at different tables had gone up and purchased some static IP addresses to participate in the network. There was a table that had a couple of spaces open in it and I sat down at that table and I opened up my laptop and introduced myself. I made the fateful decision to buy a round of drinks. After it, we’re blood brothers forever.
I bought a round of drinks. We got our drinks. We drank them. We set all the empty cups in the middle of the table. The next guy bought the round and it went around the table. This went on for two days. We barely left the table that year. We sat there and we were all working separately. We didn’t know what we were doing. We didn’t know each other. It turned out that two other people at the table lived here in Seattle. When I got on the plane back, one of them was on the airplane with me and I was like, “You’re my blood brother. We bought drinks for each other. We’re bound together forever. Where do you live?” He lived four blocks from me and that was Michael Eddington from Deja vu Security.
It’s is probably one of the few companies populated with actual hackers on this planet.
The whole team, they are brilliant people and many of whom I’ve worked with before. He set up a mail server and that was the thing and I started inviting everybody on the mailing list, which was mostly those three of us but then we started going to 2,600 every month in Seattle.
That was already going and you guys showed up.
We showed up and we started bringing whatever we had hacked last, whatever was on Packet Storm. Bring in an exploit, go in and talk about it, see who could carry on a reasonable conversation, and invite them over to the house. We grabbed the entire hacking community in Seattle and made them into Ghetto Hackers, one after the next and up to the next. I don’t remember how we got in touch with MD5. Maybe he was the third guy. I got them all together. It started on Tuesday nights at my house, building up our idea of how to be ready for a hacking contest was. The truth of it is Michael Eddington did all the work. He was like, “I’ve downloaded Packet Storm and made it into a searchable database and you can have access to it.” We were all like, “Sweet.” On the back of his research and his collecting Packet Storm, his mirror, we won the contest the second year playing.
You guys went and tried to do Capture the Flag as a team.
We had this idea that it would be a cool thing to do. We went and we won. We came home. We’re super jacked and super excited. We went and rented a workspace and started to try and make a real thing out of it.
At that time, this was probably the only hacking contest on Earth.
I’ve never been in touch with CCC so I don’t know what their history timeline is. I know that’s even bigger and older. We went back the third year to win the second time and it was a little harder because people were getting a little more serious. The excitement was starting to ramp up about the contest. We had to resort to fairly shady means to win that. We won that year again. The third year, we went and we coerced the team that was going to win into joining the Ghetto Hackers and merging our points. We won the third year in a row. It was shady. That irritated one of the other teams, rightfully so. That was some out of the box thinking.
This was a contest all about out of the box thinking. I don’t know which year it was, maybe before you went, there was a server room that had to be highly guarded because those are the machines you’re trying to hack into. They didn’t want to let anybody mess with them. I remember one year somebody brought a VAX mainframe to put in there. People bring all different kinds of computers. It had been gutted and there was a guy inside. In the middle of the night, he climbed out of the mainframe and locally routed all the machines because they were all there. It was easy and that’s how they won. There’s lots of shady stuff.
It’s a hacking contest. Our view was if you have a hacking contest, do whatever it takes to win. That was the zenith of the idea that we would do anything to win. Hearing the other team’s frustration triggered a guilt reaction. I was like, “This is probably crossing the line into unfun.” We got up. We got our awards at the end of the conference and our Black Badges. I asked Jeff if I could use his mic and talk for a minute and I announced that we were taking over Capture the Flag.
I remembered this. Did Jeff not know this?
Jeff didn’t know. Miles didn’t know. Nobody knew.
I was in the audience. I thought this is amazing. I didn’t realize that you hadn’t even got DT on board.
Nobody was on board. Nobody agreed. Nobody ever approved. To this to this day, we never got approval to do it.
Did you make this up on the fly?
I made it up on the fly at that moment.
What happened?
We went home and we got serious. We cranked and we cranked. I’m going to say this in different two different ways. Michael Eddington built the core router that was the actual network. He’s such a talented hacker. MD5 built the client operating system. A few people put in all this amazing work. I wrote the scoreboard software. My main contribution was arguing over threat models the whole time for the whole year. How are people going to cheat? In the second year, we double NAT everyone so that you couldn’t tell either what IP address you were coming from or to through the central router so that it would look like everything was homogeneous. The central router also reached out to your machine and tested whether it was working. You had to get defensive points and offensive points.
At this point, the Ghetto Hackers are running the contest. You guys changed the architecture of the competition.
Instead of being either an attacker or a defender, we made everyone be both. Everybody has to be red team and blue team. We got the idea of there being service uptime points. We got the idea of there being transient points that were capturable, they’re like tokens that you had to capture in flight.
You’re running services and you got to keep them going.
The funniest one was one of the teams realized that when the packets went to hops from the enemy team to the central router to theirs, the TTL was 254. When it came from the scoreboard, the TTL is 255. They blacklisted all TTL 254 traffic. They got a perfect service uptime for the entire contest. Nobody could even see them or scan them.
No one could figure out how they did it.
That was one of those like, “We screwed up TTL.”
I was doing this thing called Capture Capture the Flag. Me and the Shmoo Group had made this logging system that would try to log every packet from the entire competition. We thought, “This will be interesting, historical artifacts, to see the TCP dump from the entire Capture the Flag competition.” Now that it’s been decades, it probably would be interesting to go with those dumps. We still have them of like, “What kind of hacking were people doing because it should have been state of the art hacking on the network for that timeframe?”
You have to remember that at that time, the way that we won the first year, the second year, and the third year was deploying known exploits. A hacker, at that time, might be building their own exploits. It was a good network search person with some script kiddie capabilities. That was the thing that we also added to the contest. We did use live services that were state of the art at the time. You could use state of the art exploits in attacks. We also started building custom services so that these were new pieces of software so that people would have to adapt and improvise. Our view was that it was a little too much of tactical exploit deployment in the original contest and a little too little of creative problems. We tried to get creative problem solving, real-time scoring, a lot of these pieces that are pretty much standard in every hacker conference in the world.
In those days, the game went from Capture the Flag, which is all the thought that goes into it is in a tweet to a sophisticated game. You guys did a lot to turn it into a spectator sport.
We wanted to bring the audience in and give them a reason.
Before that, all you could see was a bunch of drunk guys on laptops. With what you guys did, it turned into something people could see in real-time play out, at least the leaderboards and things. You guys ran it for three years.
If you take the frustration as a thing to stop at, as a negative signal, then you’re going to fail.
Tweet
We tried one with one and we ran three and then we handed it over to Kenshoto.
That was a different gang of hackers who decided to run with it for a few years.
They took it in a direction much more seriously, new exploit authorship, simpler, smaller systems so you could do a better job as a player, simpler scoring. One of my concerns and a well-founded one is that it tends to be the case that one of the teams is going to run away with the contest. If somebody figures out either how to never get hacked like a TTL 254 team or how to hack everyone at every time tick and get all the tokens at such a pace. You’re attacking seven other teams. Hypothetically, you can get a whole weekend’s worth of scoring in about five hours.
My argument and one that has been unsuccessful but I would still stand up for is that we wanted to have the contest. We wanted it to remain relevant over the course of a three-day contest. The leaderboards that we came up with were a little hard to read and a little confusing. They were like deltas in a recent time. That didn’t give people a sense of who was winning or losing but it gave them a sense of who was pulling ahead and so forth. I wanted it to be a little more like NASCAR in the individual race sense as opposed to Formula One where the champion is well-known for weeks at a time.
There’s a hacking contest every weekend somewhere all over the world going on. Do you think it has relevance in computer security?
Yeah. Capture the Flag has done more to escalate the defenders than anything else. Maybe that’s a bold statement but I feel that when we started, the attacks were static because the defense was static. As the defense became more naked and simple, like with the Kenshoto version of the game where they shrunk it all down and made it a much less code, much less stuff to worry about, it’s was streamlined. The attacks, you could reasonably, in a day or so, build a custom exploit and send something in. You build zero days live.
At first, it escalated a lot of hackers from script kiddies to exploit authors. At the same time, we saw the rise of a net exploit. We see all of these advances in counter defensive technologies and all these crazy exploit techniques. When I was winning Capture the Flag with the Ghetto Hackers, when we were there, no person I had met had that flexibility and capacity. Now, every DEF CON speaker has it. It burst the exploit author bubble and blew them up fast but that created intense pressure on all the other teams that maybe they did or they didn’t have a great exploit author. It created much more pressure on the defenders. That’s why we see Naval Warfare College. Chris Eagle’s team, the Naval Postgraduate School. We see these teams from military, from other countries. There’s a Chinese hacker team that comes to DEF CON.
We see these guys coming and they bring new talent and they bring great exploitation capability but it’s not that much different than it has been in the past. However, the defensive capabilities, the power of these guys, these guys set up live DevOps shop at the table and they start deploying router configs. If something goes wrong, they got an alarm setup. These guys, in an hour, are setting up what used to take ten years of general dynamics. I thought it was there to measure and to separate hackers from moderate coders. I thought it was there to rank and organize people. That was my original concept of what it was doing as a mechanic, but it wasn’t. If done well, it gave the attackers a field to practice in. Once they seeded the field, it gave defenders a place to grow up. I don’t know if you remember Trustworthy Computing at Microsoft, the TwC initiative.
Yeah.
That was sensible, hardcore, smart people building security on chips and getting ready for a world of digital media. They were doing a great thing. They had nothing in that system that compares to what a DEF CON Capture the Flag team has now. The idea that one of the most vaunted security programs in the world, ten years later, is replaceable by sixteen-year-olds.
In my mind, that’s the difference between trying to be smart and architect for a hypothetical future versus having your feet on the ground and testing and steering your way into what works.
They say, “Steel sharpens steel.”
It’s a much different game. Big companies make that mistake all the time. It’s why they suck at innovation. They’re trying to guess what the market is going to want years in advance. You can’t guess. Nobody can guess. That’s what’s amazing about not only hacking but the software in general. It gives us a way to test everything and that’s working well.
You have to have it in-hand all day, every day and have an obsession to perfect it. You have to have both those pieces.
That’s the progression of Capture the Flag and, to some extent, DEF CON. I get a lot of questions from people about, “How do I become a hacker?” I probably have 7,000 variants of that question in my email from people who’ve asked me over the years and I don’t have time to reply to them. One of the things I’m hoping we can do with the podcast is give folks a sense of at least what our experience has been and what our observations have been and maybe help people feel like they know what track to get on.
A lot of that intrigue comes from kids who are interested in computers. It comes from kids or people in different stages of their life, maybe who are interested in computer security for different reasons. A lot of it is folks who are attracted to hacking with some of the same sentiments that we had where they’re slightly marginalized or loners or had more of a positive experience with their computer than they did with Boy Scouts. I don’t know what to tell people exactly. It would be good for us to try and figure out if there’s advice or where to start. A lot of times, the questions show that they don’t know where to start. It’s like, “What programming language should I start with? Where can I learn to hack?” Will you teach me?” “No, I won’t teach you. That’s not what you would want anyway.”
I understand the question that you’re asking. I found that there are a couple of pieces that are important. I’ve tried to answer this a lot over the years. I’ve searched for the right answer. There’s one way that I started and this is a sarcastic joke but it comes in the form of a Japanese Koan, a Zen Koan. The pupil says to the master, “How do I become a hacker?” The master says, “You don’t.” The pupil says to the master, “Fuck you.” In a way, the way that you become a hacker is by refusing to let someone stop you. There’s a clinging to the decision to do it that is utterly required.
The thing about anything that is purely noetic, purely idea space concept or an idea space mechanic is that you will feel frustrated until you don’t. If you take frustration as a thing to stop at, as a negative signal, then you’re going to fail. You’re going to fail once and never again. As I’ve seen many times, people who say they want to become hackers, get to the moment when they are angry, “It’s not working. It doesn’t work the way that it said it would. Screw this. This is too hard. I can’t do this.” Some word goes through their head and then they take the frustration as a reason to back away, reconsider themselves, and distance themselves from the identification with the hacker. It’s almost like oil and water. You have to be able to feel frustrated to know what frustration feels like to be able to call it frustration. Stand up and walk in a circle and sit back down and do it again. You have to be able to swim in frustration. Hackers are fish and frustration is water. It’s the only thing you get.
I certainly never was able to articulate it that way but when you described that, it is entirely my childhood and my early career. Looking back, there’s nothing about my experience with computers. It was different than that. I was constantly frustrated and I’ll stare at something, “Why isn’t it working? It doesn’t make any sense.” There was no easy way out. That accurately describes my experience. Having it described is like a fundamental architecture for success in that mindset. You’re right. These days, there’s a popular notion of grit. Grit is like the people who are like, “Stick it out. If you give up early, you’re robbing yourself of that.” It’s an interesting point. How do you foster that?
First, you have to identify as a person who’s not going to let things stop you. This is a case on the computer where there’s no injustice. In the machine itself, there is no injustice. There is never an unfair game. There is never an unfair set of rules. There’s never a software that doesn’t want to work for you because you don’t look, talk, sound, or smell right. You are the only thing that can screw up between you and your computer.
That means that everything between you and your computer is perfectible because you can change, grow, and learn and the computer can’t. It can’t participate in this. It can’t let you down and it can’t lift you up. It is just there. It is going to work and do the same thing every time. You have to first decide that you’re not going to let other people stop you from doing it and then you have to decide you’re not going to let yourself stop you from doing it.
Except that the computer is never smart enough to be a jerk and then decide that. When the frustration comes, that frustration is the heat that is melting your bad ideas and turning them into good ideas and they suck and it hurts to melt your brain and put it back together into pieces. It’s going to be painful. The thing to do is to build it up from the bottom. I know this is uncool in the way that people are taught now, but I highly recommend there’s a lot of programming games where you run little robots around and you set tiles down or something on the floor.
The robot moves through the room and tries to do automated assembly instructions if you’re making a factory or something. These programming games contain all of the critical concepts in computing. They have recursion, iteration, enumeration and all of the things that you need to be able to do to assemble a concept in your brain that’s going to turn into a useful program. I recommend people start with games that don’t have an explicit programming language that are teaching you sequential reasoning.
Commodore 64: Programmer’s Reference Guide
If you don’t have access to one of those, then what you can do and I did because I didn’t have access at the time. Carl Cluster was a great geometry teacher. He told me, “If you write down everything you know, then you can do anything that you’ve ever been shown or ever been taught. You can do it because you won’t forget it. The only thing that can go wrong is forgetting how to do stuff once you’ve been taught. If you write it down, and you write it down in carefully detailed instructions how to do a proof or how to do algebra. If you write down the actual ideas in a row, then your brain will remember the pieces, but it will assemble the pieces into a larger concept.” I highly recommend for a person who wants to be a programmer that they begin to take excruciatingly detailed notes in math class. That has a strong mapping to the process of computational reasoning and sequential logic. Doing things like this that get your brain around those core ideas is so much more important than learning a programming language.
First of all, the way I think about it is framed by this notion of computational thinking, which is what they call it in my daughter’s school. It’s not necessarily about learning to be a programmer, but it’s learning the way you and I did to understand the way that a computer does so that you can communicate with the computer. You have to communicate with it in a logical progression and that turns out to be a useful skill well beyond computers, programming and everything. They have a class for computational thinking every year from 6th grade to 12th grade, which I’m super excited about. She doesn’t know that it’s cool. She’s like, “I don’t know why I got to this computational thinking class.”
The school is trying to figure out the best way to do that and you have some ideas there that will be helpful. I learned how chips work from Rocky’s Boots, which was a game on Apple II in probably ‘81 or ‘82 where you are going around configuring logic gates. You have AND gates and OR gates. To win the game, you have to put them in order. I didn’t know I was learning. I thought I was playing a game. It turns out, now I know how computer chips work from that thing. There might be other games like that. I know a popular one that a buddy of mine made. Dan Shapiro made this game called Robot Turtles, which is a board game that you can play with a five-year-old.
I have a Kickstarter on that.
He launched on Kickstarter and it’s wildly successful. Get Robot Turtles because you can play it with 5 or 6-year-old kids and they learn how to think logically about making a plan and embodying it in a set of logical steps. I don’t know what’s after that. I know with my daughter, she played Swift Playgrounds, which is a game on iPad that Apple made for kids. Half of the screen looks like a video game. You have a character on a map that you’re giving directions to, but you tell it what to do by writing Swift, which is a programming language Apple has now. It’s a scripting language.
Each level is introducing a new programming concept. You learn what a four loop is at different levels. She was probably 8 or 9 or 10 when I started it out with her. I wouldn’t say she loved it, but she loved doing it as an activity with me. It tries to explain things so you don’t need somebody to do that. Having me go through it with her helped a bunch. She doesn’t even know it, but she does have some of those ideas in her head already because we did that stuff when she was a kid.
I was going to say one extra thing about the ideas I have about how to become a hacker. One of them is finding someone on the internet, in a college, in your church or wherever you go that’s trustworthy. Kids, talk to your parents first.
Not that we did, but yeah.
We didn’t but they dropped us off across town at a trailer park. Find someone trustworthy who is a professional programmer while you’re learning. Go to them not as soon as you feel frustrated. You have to learn to accept and to perform with frustration. When your frustration turns to anger or fear or sadness or something when the frustration wells up and creates secondary emotions, then pull back, take a shower, go for a run, go outside, or do something different. Talk to the person when you can. It doesn’t have to be live, “Help me. I’m doing this right now.”
Set aside time and send them an email, so they answer you the next day or something and be clear, “Here’s what I’m trying to figure out. Here’s the program as it sits now. Here’s the output. I’m supposed to make it look like this. What am I doing wrong? What’s the problem here?” There’s something about knowing that there’s someone who’s going to help you when you get stuck. That makes it a lot easier in my experience for younger people to accept frustration. Also, get yourself somebody somewhere. You’ve got to find some.
That’s Stack Overflow if nothing else.
Have a place you can go and ask the question. Don’t be quick about writing your question. Take a minute to introduce yourself and introduce what you’re doing. “I’m a sixth-grade student. I’m just learning Logo. My turtle doesn’t go left when I do this left instruction.” The person is like, “That’s because you spelled left wrong.” It may be simple stuff. Give people a sense of the story of what you’re going through and that will make one, you, accept your frustration better. Two, they want to help more. Three, it will focus their help and help generate some social relationships.
That’s another one where you’ve articulated well, but that is what happened with me. Lots of times, it didn’t have that person, but I did find that person. That’s what those folks on the mainframe work. That’s what folks in Usenet groups work. I miss email lists. In the ‘90s, you had an email list for every programming language, every topic and everything. There were a bunch of nerds who were there and you could ask them questions when you got stuck.
You didn’t want to waste their time by asking dumb questions, so you would try to work through it until you were too frustrated and then do it. That is equivalent. You and I probably have no experience with this, but I keep thinking the way you’re describing things sounds analogous to what people experience with in sports. The way you describe the computer as being completely objective and just. Sports are like that. You’re running on track against a clock.
Everything about it is fair. It’s up to you to run as fast as you can. It’s not judging you because you showed up with a screwy haircut or wearing the wrong sneakers or something. That’s your problem. Maybe that’s another area where people get to shape themselves because they’re working against objective metrics, and then they get that frustration. They’re like, “If I could do it a little faster,” and that kind of thing. They have that coach. Once it gets too extreme, they can fall back on the coach and get that insight and that helping hand.
Even if they’re saying, “I don’t think I can do this anymore.” They express the resignation they feel and the coach can be like, “That’s okay. You have to feel that way. You will make it. I promise. I’m going to help you a little more. We’ll push a little differently. Let’s fix this and make it better.” Sometimes, you need to know from the outside that, one, there’s a tribe for you, and two, that the tribe loves you and is going to stick with you. Your frustration does not make you a bad part of the tribe.
It’s interesting because it puts a fine point on folks with other interests who might not ever get that kind of experience. They might not get that experience of working through frustration of being able to develop themselves in an objective situation where they’re not being judged and isn’t just. That might be true if you were into performing arts or something like that or something more social if you’re interested in politics. I think of different things, but we were lucky to have that.
I’m starting a new company, so I have a lot of entrepreneurial things to do. I had to find a lawyer and get a lawyer. I don’t know how to tell which lawyer is better than any other lawyer, so I’m asking other entrepreneurs like, “Who have you used? Who was good and why?” I talk to lawyers and see if I like them and figure this out. I don’t know what I’m doing but I’ve got to get through that. I’m frustrated with it because I don’t even want a lawyer, but I got one.
You’ve got to go through that frustrating process, but I’m doing the same kinds of things that I did when I was trying to debug a program. I’m still using that computational thinking. I’m making a list of features that I need. I’m figuring out the logical progressions like, “I can’t interview lawyers until I get introductions and I can’t get an introduction, so I’ve got to figure out who’s had them before and people I know that I can email or talk to.”
All of that is a progression that I take for granted because I worked that way. Learning and developing that skill is the fundamental thing that kids should probably be doing or trying to do in any context and you could do it in any context. You’ve done a great job identifying the things to look for. There’s another one though, which I often associate with hackers. It’s a different mindset. What you’ve described so far could be applied to becoming a programmer, which is different than becoming a hacker.
There’s a certain amount of time you have to spend becoming a programmer. Hacking, to pick an exact definition for me, is causing systems to produce unintended effects. To do that, you have to be able to understand the systems and to understand the systems, you have to be a programmer. I consider the path toward being a hacker as being initially all about becoming a programmer who can write in a low-level language like C Counts, ASM, VHDL and anything like that.
Eventually, what you develop is a sense of the conceptual physics inside the computer like, “You can’t add numbers faster than X. You can’t multiply numbers faster than Y. You can’t divide numbers at all because it takes too long.” Don’t ever do that. If you can avoid it, just screw division. It’s not worth it. It’s better to multiply it until you find the answer. Getting an idea of how the memory works, prefetch queue, CPU instructions and those kinds of things, maybe you don’t need to be perfect at them and maybe you don’t need to be an ultra-guru at every one of these pieces.
You at least have to be able to say, “That looks like bedrock. I don’t think I can solve this problem. I need to look elsewhere.” There’s this problem that sometimes people get to, which is they don’t know what part of the problem is solvable and they don’t know which problems to work on, so they end up either trying to solve an unsolvable part and trying to work around reality. That’s where a lot of bad software comes from because people decide that if they do something more complicated, that will make reality easier. That comes from not being close enough to the machine in your sense of aesthetic and your sense of what’s fair, just and reasonable. The computer can’t do that fast.
In the machine itself, there is no injustice. There is never an unfair game. There is never an unfair set of rules.
Tweet
There’s a big path toward programming. The last piece of becoming a programmer in my mind and this is where it ties into the step up to hacker, is the scientific method. You have to be able to say, “I want to compare what this non-working software does in state A versus in state B. I want to make a random change and then change it back, compare the results and do it again.” You have to be able to do this guess and test thing. It’s almost like a guessing test effectively with the scientific method behind you is gaining eyes.
You can start to see through the parts of the problem that are changeable versus seeing the part of the problem that will not budge. When you start to see that, then you can start to say, “I don’t want to try to go through that bedrock because I’ve learned enough times that every time I try to go through or around the bedrock, I start making huge mistakes. It goes off in the weeds and it doesn’t ever accomplish anything.” Your brain turns and it’s like, “What if I attack this other part of the problem?”
That ability to think you’ve got a way in and a directed course to solve the problem you want to solve and realizing that you’re hitting up against a wall that’s not going to budge. Turning your attention to something different like, “What if I attack the password found or the user database?” That is where the famous lateral thinking part of hacking comes in. It’s not just throwing yourself at a wall every day dying on it. It’s throwing yourself against a wall once and going, “That wasn’t padded at all. That hurt a lot. Let’s not do that anymore,” and walking away from an idea.
You have to have that ability to, one, recognize the ideas to be able to use them, test them and see what they work. That’s the programming part. Using the scientific method to decide what’s real and what’s not to convince yourself that you’re seeing what you think you’re seeing, and then having enough experience to know when you’re going down a fruitless avenue. When you have all those pieces together, you naturally begin to develop a sense of a quick pivot. That’s where the hacker’s mind turns the magic on.
That’s a great description of a framework that I haven’t seen articulated well. Even I haven’t been systematic about trying to break down those pieces. Having done that, you could imagine, at least for the first one, which is computational thinking we talked about like, “What kinds of steps somebody might take to get there?”
Computational meta-thinking.
Also, the practical steps, like you described in your math class of learning to write down, what do I know? What do I understand? It then becomes part of your brain’s vocabulary. It might be possible to come up with ideas like that for these other aspects too, like lateral thinking. I certainly like the analogies of, find the bedrock, understand when you’re banging up against an immovable object and learning to steer faster. The only difference between me and most other people that think of me as being creative or whatever is that I’ll turn on a dime. If I get new data that affects my worldview, I can internalize that and have an entirely new worldview within 30 seconds. From then on, I’ll be using the new model. For other people, it could take months or years and that’s the difference.
It is core to all great hackers because of this transformation and they develop this capacity to evaluate when they’re running in the wrong direction. The willingness to say, “I’ve got to skill up in skilling up. I can’t make the skill up process take so long. I need to cut out all this crap of arguing with people and disagreeing. I need to become humble. I need to say, “Yes. If you say so, let’s go for it. Let me make that the new truth.” When you get that limberness and flexibility of approach, then you can back away. You can even identify other tangential mistakes you’ve made in life because of a misunderstanding that you had. You change your worldview, you get working and then you’re like, “I remember this one time. I would now have succeeded at that moment with this new idea in place.”
Your framework is super interesting because most people, and even myself included, have fixated and come at it from the other direction. “Hackers are irreverent. They don’t mind challenging the status quo. They almost do that by default.” Those might more be symptoms than causes, the way you describe it. This is interesting because it might get us closer to understanding how you make hackers. I often chicken out of that question and say, “Probably you know some and you don’t want to hang out with them because they don’t want to watch the Super Bowl with you.”
That’s interesting. I’m going to have to pick that apart. I bet there are things we could do to back out from that. The other question I get is like, “What do I do with my kid? He doesn’t make any friends. He just loves making mods in Minecraft.” I’m like, “Have him drop out of school and play Minecraft because that’s where he’s more productive than other kids his age.” Minecraft is the starter drug for coders. I meet eight-year-old kids out there who can probably go circles around me. They learn to code in Minecraft because they wanted to blow up their friends or whatever and that was a way to do it.
It’s absurd to me. I tried to get my daughter to load Minecraft and play it and I couldn’t even figure out how to load it. It’s complex. I’m like, “I don’t have time for this. I’ve got to load different versions of the JVM, and then I’ve got to get these mods.” I’m watching YouTube videos by kids in junior high telling me how to do it. You realize that’s their FreeBSD install. For us, years ago, trying to install an operating system was like pulling teeth. You learn so much about how a computer works just by trying to install your OS.
I’m a fairly technical Minecraft player. I’ve got a ten-player server. I’ve got a whole world.
I don’t play games so much, but I appreciate that. That was one of the amazing things to see in Minecraft. Maybe a good thing for you and I to do in some days is to figure out like, “For each of those things that need to be developed in that rubric you described, what are tools to do it for kids or college students, or professionals?”
Maybe build a Coursera program.
“What do you tell your kids? What do you tell the teachers at your kid’s school?” That could be a kingpin.
It’s something that has been near and dear for a long time. It stems up out of the parties where I’m trying to get younger new people who are wallflowers to enact with people who are a little older, a little more mature and far-right on the road. I’ve always been fascinated with the degree of skill deployed by some of our friends. I mentioned Mike Harrington a couple of times. He’s a great example of what happens when someone decides they’re going to be great and sticks to it. It’s difficult to sit next to him and feel smart.
Not because his personality makes him smart. He’s a nice guy. I like to hang out with him so other people think I’m probably smart too.
If you’re standing next to the person with a mohawk, you are suddenly cool. You don’t have to get a mohawk.
I’d be inclined to circle back and go deeper on all these topics but we probably should go forever. Do you have any ideas of questions for me?
I heard a rumor that you once sold a patent to Carl Zeiss. Is that true?
Not that I’m aware of. Maybe. I have a lot of patents, but I don’t track them. That would be cool. I don’t know. That’s funny. I never heard of that rumor.
That was an explanation. Now you know that the rumor mill is bigger than your opinion.
People spread that rumor far and wide because that sounds cool, but I’m not aware of it. I have probably 80 patents.
Like 80 filings with numbers or 80 different issues.
Yeah.
Are those families and descendants and all the crap, or do you mean the actual top-level idea?
Some of them are related and you might consider them to be in a family. They’re not near and dear to my heart the same way that some other inventors have that relationship. I had a lot of help on those. Almost all of them are things that I worked on with other inventors, with other people. It’s a community effort, but a few of them are things that I feel proud of that are close to me. It’s not clear to me that any of them have been sold to Carl Zeiss.
What did you try to invent that you failed at?
The first one that comes to mind is that we had tried to cure cancer at the Intellectual Ventures Lab. This came out of an invention session, which is our team sports invention concept. I might have described this before with another podcast. People misunderstand cancer in the first place. Cancer is a thing that your body does all the time. It should be a verb, not a noun. You’re cancering. Most of the time, your body kills that off and flashes it out and you’re fine. Occasionally, it gets out of hand and a whole bunch of cells grows fast, and you’ve got this cancer, which could be contextualized as a tumor.
A lot of times, that doesn’t kill you. It’s fine. You get away with it for a long time. In a lot of kinds of cancer, what will happen is some of those cells break off and circulate in your bloodstream. Those are called circulating tumor cells and they’ll float around your bloodstream and then they’ll latch on somewhere else and metastasize. A bunch of cancer will grow in a completely different place and that’s what will kill you. What we had heard was that on average, these circulating tumor cells circulate your bloodstream one million times before they latch on. We thought, “If you get a million shots on goal, why not just look for them?”
We came up with a bunch of inventions for ways to use fiber optics to jam lenses into your bloodstream and then we were going to use computers to take a photo of every cell in your bloodstream, which is trillions of cells. When I was working on this, it sounded preposterous because that’s a petabyte of photos or something, but we figured, “Why not try digital pictures? It’s cheaper and getting cheaper every year.” One of the ways that we cheated invention is to invent ten years out on Moore’s Law and say, “It would cost you $1 billion to take all those pictures now, but in ten years, probably an iPhone could do it.”
We got some blood and we set up a bunch of experiments to circulate the blood. We try to take pictures of blood cells. We got all that working and then the idea was like, “If we could spot those tumor cells, then we zap them with a laser like we always do.” We’re always wanting to use the laser when we’re inventing stuff because lasers are cool. Down that road, we probably spent about a year on it, and then we found out that circulating tumor cells often only go around one time. We’re like, “If it’s one time, we’ve got no chance.” What I love about that story is that we didn’t keep banging our heads on cancer. We found the bedrock like, “That’s not going to work.”
I worked on self-sterilizing elevator buttons after that because we had an idea for that that made sense. I was able to steer to wherever the next best idea was. I don’t know anything about cancer in the first place. I’m not a cancer expert. I’m not an elevator button expert for that matter, but in that context, it was using that same mindset. It’s moved from the thing that failed to the thing that had potential and that one does. That’s the one that comes to mind. I use that example sometimes because that story makes sense. There are things I wanted to invent that I didn’t get to work on and some, you could say, are failures. Some of them failed to get the time, money, resources, people and that kind of thing. There are other inventions that didn’t work.
People think I’m a crazy futuristic inventor, but I’m quite pragmatic. Most of my inventions are things to do with computers anyway. If I can figure out how to make a computer do something, usually, there’s not going to be a big question about whether it’s going to work or not. A lot of my work is applying computers to things that you normally wouldn’t like. That’s how we ended up at cancer because that’s not a chemistry solution to cancer the way we’ve been doing it. It’s a computational solution to cancer. That’s how I think about those things. I don’t even track them as failures in my mind because you go until you can’t go or it doesn’t make sense. You find the bedrock and then turn and go somewhere else. They’re intersections.
It’s not the destination.
I think of almost everything like a Google Map now. I got started and I put in my destination. There’s a big map, but there’s a blue line showing you how to get there. There are some gray lines showing you alternative routes to get there. You get stuck in traffic, that thing recalculates. You make a wrong turn, it recalculates. You’ve still got your destination in mind. Halfway along the way, you might get hungry and decide, “Screw it. I’m going to go there instead.”
I’m going to register for a career on Maps.Google.com. That’s how a career should be. That’s how it should look like.
I spent 1.5 years thinking about healthcare in that context. The day I get a diagnosis, “You’ve got cancer.” “Show me the blue line.” “You’re going to do this. You’re going to do that. You’re going to get chemo. You’re going to do rehab. You’re going to spend this much time here and end up at the destination.” “I should get to see that blue line.” No one gives you that. If you break your arm, there should be a blue line. “You’re going to go here. You’re going to get a cast. You’re going to do physical therapy. There’s the blue line.” “Why can’t I see that?” How we should be doing everything in the world is like a Google Map.
Daniel Suarez hit that well with Freedom (TM). It is great near-term sci-fi. You’ll want to read Daemon. That first is great about how powerful scripts and batch files can be. The second one is about encrypted mesh networks with HUD overlay blue lines. It’s my thing and your thing jammed together. Daniel Suarez is amazing.
I don’t read a lot of science fiction. The truth is I did read those books. That was a while ago and they have not stuck with me, so I couldn’t recount them the way you did. It’s helpful to have those mental visual models of how to think about complex things.
I love everything should be a blue line.
Why couldn’t you just say, “I want to be a computer security consultant, a programmer at Google, a database administrator, or nurse and see that blue line?” It’s like, “Here’s the main way to get there. Here’s the fastest way to get there. Here’s the cheapest way to get there. Here are some other alternatives that might be more fun. Here’s the way to get there that lets you live in Santa Cruz for a couple of years.” Let people choose from any given moment, “Here’s where you are and here’s where you’re going. Here’s the map of potential choices.”
Khan Academy and Coursera are helping people get there. They have a lot of those things. Khan Academy, in particular, is like, “If you’re going to know that, you’re going to know these things first. This is the secret.” You’re right. You’ve got your thumb on the pulse there.
What does Coursera do that’s like that?
They now have degrees and programs. It lets you pull your pieces together from different schools or different parts as you would do with a college registration. It lets you put together a degree. It’s like, “I’m trying to decide whether to get an MBA. I don’t know whether I need one. I didn’t want to go to college, to begin with. I definitely didn’t need it for my career.”
Everything between you and your computer is perfectible because you can change, grow, and learn, and the computer can’t.
Tweet
If you think you want to do that, I probably know some folks you should talk to about it.
I’ll take you up on that.
I often feel like I’m faking it and I need an MBA. I don’t know what an MBA is.
Everybody else can stop thinking I’m cheating.
There’s this notion, “Whatever business I have, you know you need some around,” and they don’t self-identify as MBAs though.
They do. They are Oxfords.
That is certainly true, but they don’t like to be called MBAs. I keep calling them MBAs. “These are our MBAs.” They’re like, “That’s not exactly. We’re the people. We’re Oxfords.” As far as I can tell, in every company I’ve been in, you do need them. You need one from Harvard and you need one from Stanford. The main reason is they each have an email list with all the other MBAs that they’re on. That’s what you need it for. You and I are on the email list, but we need a proxy in their basic career.
They need to have us with the email lists we’re on.
You and I are on the email list they’ll never touch. MBA might be a way to buy your way into those email lists and then you just do deals. I would never start a company without an MBA from Harvard and Stanford because that’s where the deals come from. All the things that you would learn as an MBA is a way you described the Tic Tac Toe in C job interview. It’s like, “I know all the stuff that an MBA knows and probably a lot more and I learned it in the context of doing projects, businesses, and everything. I just don’t know that I know it and I don’t know the jargon that they would use and those kinds of things.”
You have to get right with the jargon if you want to hack your way into a community.
I don’t know if that’d be a good waste of your time or not. I probably haven’t done any of the prerequisites necessary to get into an MBA. I don’t know if this changed for you. I always felt like, even today, there’s no job in the world that I’m qualified for. I don’t even have a resume, but if I did, it certainly wouldn’t map to any job opening. For the first maybe decade after high school or something, or maybe even more, it felt like a dirty little secret. It’s like, “If people find out I don’t have a degree, I’m probably out of the run,” or that kind of thing.
A computer consultant or something like that is what I would get referred to. I wouldn’t ever apply for a job I would get from word of mouth, introduced, referred, or something. For me, in early 2001 to 2003, or somewhere around there, in those days, I would go to DEF CON and the Shmoo Group would show off cool hacking tricks we came up with other hackers. It is the worst possible audience you can get that could hire you. They all think they’re smarter than you. They know everything. They’ve seen it all before.
The only reason they came to your talk is to tell you why you’re full of shit. One thing I learned from you about this was you described speaking at hacker conventions. You had come up with this clever trick, which was to figure out who everybody in the room thought was the smartest guy in the room, and then get him in the front row, and then make fun of him from the stage. That would establish enough credibility that everybody paid attention to you. I have co-opted that. That’s what I do. I’ve taken that so far. My audiences are the presidents of companies and the presidents of countries, and I don’t give a crap because I know I can take a roomful of hackers and put them in their place.
After that, it’s easy. My wildly successful public speaking career is a side project. I don’t know why I started doing it because I thought it was funny. I realized hackers were preaching to the choir. It’s a lost cause. I started taking all the fun things that hackers could do and going to other audiences that had never seen it. I ended up with this weird hacker magic show, stealing people’s passwords live on stage that blows everyone away, except for hackers. I’m like, “That’s a trick from the ‘90s.” I would be taking it to other audiences.
That may be popular as a speaker, but it was always easy. For one thing, I’m a magician because I have superpowers no one else in the room has so that made it easy. The bigger one was that after speaking to audiences of hackers, a CEO wasn’t about to get funny. Probably for my own amusement, it progressed over years. Now I’m on stage making fun of CEOs who are in the audience because they’re going to suck at innovation. Whatever it is they know about, they don’t know what I know about. It got easy.
From 2001 to 2003, I was the first guy to show up publicly and say, “I’m a hacker.” Other than Kevin Mitnick, who is a notorious hacker/criminal/script kiddie gone wild. In those days, it was unusual. Even everybody from DEF CON would say, “I’m a computer security expert.” They were trying to legitimize themselves in that way, but I didn’t have anything to lose because I wasn’t a criminal and I wasn’t trying to get a job in any conventional way. Being the hacker got me a lot. That’s how I got known, and then after that, within the next decade, it progressed gradually to being a mainstream thing. Now, no one gives a crap if you’re a hacker. That doesn’t get any attention.
“I’ve seen that before.”
Probably there’s some progression like that for you.
You feel less imposter syndrome because you’ve had success.
I did get past that many years ago because there was a flip where if I sat and went to college, they’ll be like, “You’re smart like Bill Gates and Steve Jobs. You need to go to college.” It’s like, “I like that.” I don’t have any of the imposter syndromes like that anymore. The truth is it’s not because I’m less of an imposter. I still don’t know what I’m doing most of the time, but I’m comfortable with it. I wouldn’t want to be doing something where I knew what I was doing.
“Just take me out and put my head off the floor and kill me. I don’t ever want to do something where frustration goes away.” That’s what I was getting at earlier. The frustration is the water. Hackers are fish. If you’re out of the water, you die. You have to find your way back to the hard stuff. If you go into management, you need to learn how to be frustrated with people and be nice to them. You need to learn how to be frustrated with people and get them to perform.
Not to just yell at them and inspire anger, fear, and those kinds of simple solutions, but to praise the person you’re frustrated with for how far they got without you, to see the pain that they went through and how difficult it was for them to embrace that. You have to be able to take that same idea of frustration with the machine and do it to a person. That’s the transition that a lot of fully well-formed hackers could make. If they wanted to deal with unjust and unfairness, that’s where the meta where the wheels fall off the trail.
I’ve inadvertently stumbled into those situations at times and found myself largely unprepared for them. “This is unjust. Why are you being irrational? I pulled all the memory locations.”
Applied Cryptography
“I said the right magic words. You’re supposed to do what I want.” That’s not how people work.
That’s another episode. Let’s wind this down. I’d be remiss not to ask you because I’m sure you have ideas and we probably have folks reading who would love that insight. What are the things people could do to learn more about the hacker mindset and getting comfortable with the technical side of computers, whether programming or otherwise? Are there books that you read that you learned? I learned a ton in the old days from reading things about what Alan Kay had said. I learned from different thinkers about computers and technology in those days. I’m wondering, what influences are on you? We don’t need the best sellers that are on the bookshelf at the airport.
The most important thing that I ever read was called the Rebel Asm Tutorial. It was for people who knew how to program BASIC and it would teach them how to program Assembly. BASIC was easy to get your head around and Assembly was foreign and alien. Having something there that could pass your knowledge for the 1st step to the 2nd step and do it piece-by-piece, it took me two nights to translate my BASIC knowledge to Asm knowledge. All of a sudden, I’m able to read all these programmers’ work.
That could have taken years back in the day.
I’d figure out a little from the reference manual. This tutorial was like, “Make sure you have your reference manual because I’m not typing this stuff.” It was a 100,000 binary with a GUI and stuff. It was this fantastic little tutorial. I have to give credit to the author of the Rebel Asm Tutorial because that has escalated the speed of my knowledge gain quickly. If it were someone who wanted to follow in the track, I would say get your programming down to Assembly language.
Even if you don’t stick there long, just having that comfort and that knowledge of what it takes to take a number and a different number and add them together, put it somewhere, and do these mechanistic computer actions. That’s critical for developing the sense of where the bedrock is. Applied Cryptography, Bruce Schneier’s book taught me a lot about how to think about security. I’ve heard people say that it’s not perfect, but it taught me so much about how to think about security, protocols, and information exchanges.
One of my favorite books ever was a book by Danny Hillis called The Pattern On The Stone. Danny is a famous inventor who made a company called Thinking Machines, which was the first massively parallel processing computers in the late ‘80s. This machine has 64,000 processors and a lot of that is what’s in supercomputers now, but also even just chips now. The Pattern On The Stone is a tiny book. It’s out of print and might be hard to get.
I loved it. I’ve given away all my copies. I bought dozens of copies of this book. Your mom could read it, understand everything from how chips work and what logic gates are, and how they’re constructed and put together into logical groupings to do different things. All the way up to massively parallel processing and everything in between. You can read it in a couple of hours. He’s a bright guy. I should figure out if I can get an eBook of that or something to get people. It’s incredible.
On Intelligence by the creator of the PalmPilot.
I don’t know that one.
I don’t remember his name. It’s great because it’s pamphlet-length. It’s probably 5,000 words, maybe 10,000. It’s like, “Here’s how intelligence happens.” It’s a little bit about artificial neural networks and how those work ground up. It’s a nice little primmer, a place to start. For people who aren’t necessarily going into the pure math, pure neural networks, pure hacking side but want to have that creative outlet and are going to do it in a digital universe, I love the book Reminiscences of a Stock Operator.
It’s a thin book in a big format. It’s old, maybe 100 or more years old. It’s the story of the development of a guy who made a lot of money on Wall Street. His story of development from six years old running numbers for the bookies in the neighborhood and developing his understanding of money all the way through being a major stock operator. In it are the lessons that for instance, the Bitcoin kids are all learning one by one as they get ripped off by people who learn these tricks.
It’s all the first round tricks that stock players knew 100 years ago or so. It’s thin, easy to read and super personal. You think of him as, “That guy lied to me.” Instead of thinking about it as an arbitrage opportunity. There’s not a lot of technical wording. It’s like, “This person lied. I made a bad bet, so I need to learn that I have to vet my sources.” There’s a weird amount of solid reality wisdom in the book, Reminiscences of a Stock Operator.
Anything else we didn’t cover that comes to mind?
Not at all.
Let’s wrap this up. Thanks. I appreciate it.
Important Links:
