Hacking (by my definition) is a lot about understanding how things work and how to make things operate in new, different or more efficient ways. Part of that understanding can come through taking things apart.
That leads to a question: Of all of the engineers that you know, how many took things apart when they were kids? Most that I know took apart radios, clocks, televisions, anything with a motor, etc.
If that doesn't show the hacker mindset, I don't know what does.
When they are good, an engineer and hacker are exactly the same thing. If differences exist between what a person does and either definition:
then the hacker has not yet reached his potential
or the engineer is having his potential limited by management.
The problem with the specific example given is not that a fundamental difference exists between hackers and engineers; but that anyone that has spent a great deal of time and effort perfecting something will be blind to certain faults. If you just spent a month making a system as secure as you are able, and then you are given a day to "think like a hacker" and try to find ways to circumvent your own security, you will fail to breach your own system because you have already fixed all the exploits you can think of. The solution is to get a fresh set of eyes performing security tests, someone without a vested interest in the success of the device.
"Because engineers and attackers are no different in terms of their ability to think analytically, are they having no problems in playing interchangeable roles?"
The way I would put it is simply that network security is a discipline that becomes increasingly important as more things are interconnected. But there's nothing new or different in this. Engineering has always had to deal with innovation. That's what it's all about. When I went to school, Ethernet was just being born and Internet Protocols did not exist yet. Now packet-switched networks and internetworking are a major discipline.
Cybersecurity is a relatively new field just like digital electronics and solid state electronics were new a few decades ago. With cybersecurity, the problem is not that engineers can't think that way. The problem is that it's a constant battle. Then again, what's new about that? Isn't this always the case? E.g., with faster and faster chips, aren't we similarly having to solve and re-solve problems of heat, of pulse rise times, of latency in interconnects? With cybersecurity, you're similarly having to re-solve problems, as new vulnerabilities emerge.
I totally agree with Bert and Frank on this. The term "hacker" was hijacked by the media some time ago and redefined as someone with malicious intent. But as far as I'm concerned, it's just a slang term for "hacking" code in the same way that "hacks" is sometimes used (mostly as an insult) to define journalists or marketers who'd do anything for a buck.
In fact, there's a large national meetup group called "hacks and hackers" that includes engineers and journalists who are looking to apply innovative technology to advance journalism. In that context, neither side draws offense at the term, and the group's intent is absolutely positive.
Well said Bert. I don't really understand all the fuss, regardless of which definition of "hacker" is meant. Engineers sometimes fly by the seat of their pants and "hack" quick and dirty solutions to problems, and certainly some engineers are criminals -- or could be if they wanted to be. Ironically, it wasn't that long ago that EE Times had an article about infamous engineer-criminals -- but those guys were violent types, not malicious intruders of networks.
I also like your point about how engineers have always had requirements to make their designs foolproof, temperature-proof, etc. Actually, "proof" is too strong a word -- "resistant" is more accurate. In any case, if your next design happens to include network connectivity, you simply add hacker-resistant to that list.
No, my point wasn't really about defining what an engineer is and what he is not.
I didn't mean to pigeon hole any of the engineers.
But I was simply responding to the original off-hand comments made by a Freescale executive about automotive security. How are engineers working at those companies (and I am talking about those who have not been necessarily hired as security experts) responding to the rising needs of "thinking like attackers"?
Because engineers and attackers are no different in terms of their ability to think analytically, are they having no problems in playing interchangeable roles?
Or, are some chip companies beginning to hire security experts to find security holes in a system to which they supply their chips?
Junko: "Does anyone here work for a corporate environment in which you are encouraged to let your hair down and think like 'attackers' in your engineering projects?"
Honestly, too much is being made of this. Too narrow of a definition, too much unsubstantiated differentiation of categories of people. Like Duane said, the definition of "hacker" used in this article is that of a criminal. Not the experimenter or the quick-fixer, as it was previously meant. Engineers can also be criminals, if it comes to that.
Part of good engineering design has always been to make the product as fool-proof, idiot-proof, temperature-stable, voltage variation tolerant, and any other kind of "proof," to make the product as robust as possible, operating in its intended environment, within cost constraints. Defense against criminal attacks has to be included along with all the other defense mechanisms. And of course new pathways for criminals, never mind just plain old bunglers, become possible, the more interconnected a product is.
Engineers have always been taught these things, even if the narrow focus on hacking into a system via its network connections is a relatively new twist. Look at all the security updates you get with Windows OSs. It's an ongoing problem. The more a product is designed for convenience, the more pathways are created that can be abused, the more new measures have to be devised to protect the system from intentional OR unintentional intrusion.
For example, remotely installed software updates in a digital control system are convenient, but create pathways for abuse. EXACTLY THE SAME WAY that the OBD-II system is convenient, and creates pathways for abuse.
Let's not put too much of a fine point on "what an engineer is" and "what an engineer is not."
Hmmm. We could consider the Manhattan Project was a big hackathon and, depending on your point of view, the scientists were either malicious hackers or the kind in the white hats. (Of course, that kind of hackathon is not welcome at DESIGN West.)
Duane: I also agree with your insight that the hacker mindset suffers inside large corporations. One of the things that amazed me about Steve Jobs' leadership at Apple was that he kept that alive as the company grew. I can't think of another innovator (or hacker in this context) who achieved that at another company of comparable size.
This begs the question: Who do you think is the greatest living hacker/innovator/inventor who is in a leadership role within any major company, worldwide?