Hacker Perspective: Virgil Griffith

Hi.  My name is Virgil Griffith.  I am 25 years old and live in Pasadena, California.  I study theoretical neuroscience at the California Institute of Technology and am in my second year of graduate school.  My day job and career is science, but I'm not here to talk about that.  I am here to talk about a creative, artistic enterprise called hacking - my experiences with it, what it is to me, and to share some observations about our little community that I never hear anyone talk about.

Some background about me. I was born and raised in Alabama; my family got its first computer when I was seven.  It had a 33 MHz processor, 120 MB hard drive, and a fancy 2400 baud modem.  Unlike many hackers I know, I didn't immediately fall in love with programming - I liked playing video games and especially finding counterintuitive abuses in the rules to give myself an edge.  I loved the ingenuity that goes into trying to think of the most perverse things you can do within the game that the designers would have never foreseen someone trying.  This slowly extended into writing scripts within games to perform common tasks more quickly.

Hacking has a certain mystique, but it was the search for the most advanced, insidious ways to get an edge on the online competition that brought me to the security mindset and soon I was noticing compromising blemishes in all sorts of social and technological systems.  I subscribed to 2600 Magazine and in every issue I understood two or three articles well enough to re-implement them or clean up any minor defects in their technique.

At 17 I attended my first hacker conference, H2K, in New York.  I understood almost none of the talks, but I made up for it by taking page after page of useless notes.  In my senior year of high school, I was inspired by an article in this very magazine entitled "CampusWide Wide Open" by Acidus, a sophomore at Georgia Tech.  It was about flaws in the Blackboard Transaction System, the card access system used at most college campuses nationwide.

The article made complete sense to me and I felt it could have deep ramifications.  Later that year, I graduated high school, enrolled at the University of Alabama, and met Acidus, a.k.a. Billy Hoffman, at a local hacker conference in Atlanta.  We started up a collaboration to fully flesh out and implement the ideas in his paper.  Seven months later in April 2003, I was excited to give a security talk together (my first), but hours before our talk we were served a temporary retraining order from Blackboard Inc., the maker of the campus card system.  This was followed by a civil lawsuit two days later stating that our investigating the flaws in their system was, in fact, illegal.

The suit didn't go so well.  I feel we were completely in the right, but legal courts do not favor who is right.  Oftentimes they don't even favor who is on the right side of the law.  They favor the prepared.  We were woefully unprepared, and we settled out of court under sealed terms.  Hopefully, you all can learn from this: Talk to a lawyer before you get too deep into your project.  Although, judging from the recent history of hacker cases, it's unlikely you'll go to jail for trying to do a good deed.  But unless your case is legally unassailable, the company will outspend you, successfully stop you, and your case will simply become yet another one of the many cases that fail to establish any useful precedent.

Anyway, at this point administrators at both of our universities were more than pissed at us for causing a ruckus.  Throughout my sophomore year, I was politely encouraged to leave.  So I did.  I dropped out of school and moved to Indiana without a job or studentship, and met Douglas Hofstadter, the author of Gödel, Escher, Bach: An Eternal Golden Braid, a profoundly sublime book I read in high school.

While there, I somehow convinced one of the professors at Indiana University School of Informatics to give me a job doing computer security research.  I did a cute data-mining project that cross-referenced birth and marriage records across the state of Texas to automatically discover Mother's Maiden Names (as far as I can tell, not even bank employees know why it's still used as a security question).  I called it "Messin' with Texas."

The ease and influence one had simply by merging databases and running some dead-simple analyses inspired me.  I started thinking up more projects in this vein which I began to call "data-mining as an offensive weapon."  The idea is simple:

  1. Take a known security vulnerability.
  2. Do it to the entire Internet.

For example, for some time everyone has known about Microsoft Word documents containing metadata about recent changes and who made them.  So I downloaded every Word document from .mil that Google knew about (ext:doc site:.mil inurl:aa, ext:doc site:.mil inurl:ab, ext:doc site:.mil inurl:ac, ...) and used known techniques to reveal recently deleted text - some of it quite naughty.  Now that was fun.

Around then, I read about an IP address deleting unflattering facts from congressmen's Wikipedia pages and upon manually tracing it back discovered it was in fact registered to the House of Representatives itself!  Shortly afterwards, it was discovered that two congressmen had actually hired staffers to police their pages.  The embarrassment these congressmen rightly deserved was simply delightful and I wondered how hard it would be to automate the entire process over all of Wikipedia.

I wrote a simple tool, WikiScanner, that took two databases: the database of all Wikipedia edits, and another database which listed the registered owner for a given IP address.  Users could then type in a company and see every anonymous edit that company had made from their offices.  It was a bountiful harvest of public relations disasters for disinformers across the globe.

After all of this, I honestly I have no idea why more people still don't use data-mining as an offensive weapon - merely picking off the lowest of the low hanging fruit is so easy, yet has huge impact.  An attack that works against 0.0001 percent of a very big number is a big number.

In 2007, after three years of science and online hijinks at Indiana University, I graduated and entered graduate school here in California.  Since then, I've worked on several projects such as extending WikiScanner to catch organizations hiding behind registered accounts (Poor Man's Check User), as well as forging a conduit between the Tor darknet and the World Wide Web (tor2web), bringing military-strength anonymous publishing to the Internet.  I look forward to future work to help make the Internet a better place.

What Hacking Means to Me

Labels of subcultures invariably come to mean different things to different people, and the word "hacker" is no exception.  It spans the gamut from the most incendiary - cyber-criminals - to the most banal - anyone who enjoys anything remotely technical solely for the sake of it with shades of Loki-like pranksters, dapper trenchcoat wearers, and intrepid open-source developers somewhere in between.  And, despite the minor confusion, it's all just fine.

I genuinely enjoy language, but really, everyone reading this magazine has much more exciting, interesting, and fulfilling things to do with their time than insisting a certain charming yet nebulous H-word should only be used to describe people in Group A and never to people in Group B.

For me personally, hacking is an art form.  Hacking is art upon the canvas of the living, breathing, sprawling, deeply interwoven technological and social systems that make up modern life.  Hacking is picking out the counterintuitive, unbalanced, seldom-explored parts of these systems, searching for ways they could play off each other, synergistically amplifying their power, spiraling out of normal control, and shifting the course of the whole complex to do something completely unexpected.

So, instead of prescribing a definition, the myriad self-described hackers I've met are typically:

My paramount goal is shaping the world for the better.  Creativity conjoined with technological know-how is the tool of choice.  For me, hacking is first a means to an end, and second a delightful open-ended game.

Sometimes people say they're into hacking just for fun, but they're just being modest.  There are many many other deeper, more elegant games people play for fun - take Go, StarCraft, or the stock market.  If all I wanted was an entertaining, complex, ever-changing, open-ended game that required substantial time investment, I'd play Magic: The Gathering and be done with it.  Hacking is the only game that permits even causal players to influence (sometimes even altering the course of) entities far bigger than them including corporations,industries, and governments.  It's the massively multi-player online RPG with a vibrant rich world and complex history that you play in real life.

Half Gems and the Quest for Pure Disruptive Beauty

This community - or at least the small slice of it I live in - has some strikingly unusual etiquette that the newcomers never get at first.  I've never heard anyone publicly talk about it, and I think it sheds light on what motivates hackers.

Within the community, the essence of hacking is the quest to craft the most perfect disruptive gem that changes everything for the better.  Of course, peoples' moral intuitions occasionally disagree, but by and large they see eye-to-eye.

At a given moment, a hacker knows of between five to 15 "half gems" - a minor unpublished vulnerability, a new twist on an old technique, an obscure but handy database, a little known surprising fact, a clever new trick.  Something that's mildly interesting on its own, but nothing to shout from the rooftops.

A truly original work of art almost inevitably requires finding two or three half gems that play off each other in just the right way.  On a day-to-day basis, hackers spend most of their time looking for the perfect mates for their half gems in hopes of creating that truly novel thing that blindsides the entire world with its originality and strength.

Hackers would rather share, but unfortunately they can't share their half gems with everyone.  Just like you, the powers that be recognize half gems too, will "fix the problem" or otherwise insulate themselves from it, and the half gem is gone.

Early career hackers sometimes forget to aspire to something truly novel and great.  And their desire for even small media attention prods them into prematurely publishing ideas on their blog that their friends have been tossing around.  If you blog-narc, people will stop sharing their half gems with you.  You stop benefiting from them, and they stop benefiting from you.  It's just worse for everyone all the way around.

This is what hacking and the hacker culture is to me.  I don't know how representative any of it is, but it's 100 percent honest so it has to be worth something.  If you've read this magazine long, you can't help but notice the "Hacker Perspective" articles are all quite different.  But the differences look big only because the comparison is made under a magnifying glass.  Backing out, we're all cut from the same idiosyncratic, variegated feeling cloth like everyone else.  We just happened to be born with a penchant for technology and coloring outside the lines.

I wish to thank StricK for being the greatest hacker mentor and friend a boy could ever have and without whom I would not be writing this today.  I also wish to thank Emmanuel Goldstein for being the spiritual leader of this whole shebang and raising an entire generation of disruptive technologists.

Disruptive Technologist Virgil Griffith has balls of fucking steel and is known for developing the WikiScanner software.