Hacker Perspective: Jack Beltane

Trust is a powerful thing, and it starts with nothing.  As children, we are taught not to talk to strangers, but we see our parents do it all the time.  Children see that, to adults, trust starts with a handshake.  What children don't understand is how much information is packed into a handshake: the firmness of the grip, how sweaty the palms are, if the smile on the lips is mirrored in the eyes.  As children, we don't fully understand how a simple handshake can help determine trust for our parents.

Computers do the same thing before they'll talk to each other, offering an introductory handshake and weighing the response.  But computers are binary and their users, like children, don't understand what the handshake does - or doesn't do.  Computers don't read subtle signs and cues in a handshake to help determine a level of trust.  Computers make a set series of snap judgments and return a 1 or 0.  Trust/not.  That's why it's so easy to fool a computer and spoof false trust with a handshake.  In humans, using the subtle cues in a handshake to spoof trust is an art reserved for the very best salespeople and scam artists who can bilk an unsuspecting rube of thousands or millions of dollars.

In an effort to combat human spoofing, we don't fully trust anyone, even with a handshake.  Trust has to be earned.  Trust has to be maintained.  Trust can never be rebuilt.  Machines trust far too easily in order to avoid bogging down users with passwords and credentials checks multiple times in a single session.  The problem is, most humans believe that the binary line of trust used by computers keeps them safe.  Humans forget that it's still up to us, not the machines, to interpret the subtle signs and cues in every handshake and, from there, go beyond the handshake and build a complete trust profile.

I've always looked sketchy: earrings, tattoos, mohawks, black nail polish.  Now I'm middle aged and I've dialed back the overt rebellion, but I've kept the earrings, and the tattoos aren't going anywhere.  At parent-teacher conferences, I still catch sidelong glances from soccer moms and salesman dads.  They figure they don't need a handshake to determine that my kids should stay away from their kids.  What my years of overt rebellion have taught me is simple: Perception is the first human filter, and it's up to us to change - or prove - the perception of another, starting with a handshake.

Most humans are polite and logical, which allows us to initiate a handshake and, from there, if the handshake returns a 1, go beyond it to establish if the perception was correct or may need to be adjusted: An assessment taking nanoseconds of subconscious processing that reaches the brain as a gut feeling.  Salespeople are well versed in the gut feeling.  Nobody trusts a salesperson - that perception is set in stone.  However, salespeople will tell you that perception is easy to overcome with a trustworthy handshake.  The last 30 years have taught me the same thing: words and actions speak louder than perception.

Computers do not benefit from first impressions and gut feelings.  First contact determines 1 or 0.  Trust/not.  They cannot go beyond the handshake.  Computers grant access and establish trust either one-way (the domain trusts the user logged in, for example) or two-way (the user's machine and the domain both establish trust with each other).  Human trust could be similarly distinguished, and access granted in response, but instances of one-way trust among humans are reserved most obviously for the shyster-rube relationship.  More subtle is how corporations view coders.

Most corporations handle employee relationships, especially with employees who have a proficiency for computers and coding, with a one-way trust, expecting their employees to trust them even as they do not truly trust their employees.  Most employees naively believe it's a two-way trust: they trust the employer and they believe their employer trusts them.  Employees assume that the interview and eventual hiring was handshake, perception, credential checks, and acceptance in one neat bundle, establishing a solid two-way trust.

The first "career" job I had for a faceless corporation didn't bother to go beyond the handshake when they learned of a script I'd written.  The script wasn't anything amazing, which is why it never occurred to me to clear it with my superiors.  At that point, I was suffering under the delusion of a two-way trust.  I wrote the script for the same reason most hacks are developed: to make life easier and processes more efficient.  I had to open, paginate, and number 400-plus separate Word files so they could be combined into a single, consecutively numbered file for two distinct volumes.  I'm leaving out a lot of details about why this massive inefficiency existed (it took me about 40 mind-numbing hours to do it their way), but I was inspired to let my machine do its job and open, paginate, and number the files for me.  It took the script about two minutes to accomplish what took me a week.  I wish I was exaggerating.

By way of thanks, I got written up and my next three reviews mentioned my infraction.  Big Company One had a whole department for scripting, it turned out, and they didn't trust anyone else to write code.  The Scripting Department was overworked, most likely underpaid, and even more likely had the scripts they developed overseen and changed by ignorant middle managers.  It was how Big Company One dealt with the issue of gray-hats - coders who had yet to prove if their intentions were black hat or white hat - as if locking all the tigers in a cage negated any possibility of danger.

To be clear, I've never been a black hat user.  The most malicious thing I've done with computers was back in high school, when I finished my computer assignment early and spent the rest of the class poking around in the settings and configuration files on my workstation.  When I left at the bell, all the machines in the lab had pink-on-yellow displays (this was the 8-bit era) and their keyboards set to Dvorak, rendering the hot keys for settings useless unless you knew the Dvorak keyboard layout.  I got called out of my next class to fix it, but I didn't get in any trouble and, to this day, I don't know if they asked for my help because they knew I'd done it or because they figured I could fix it.  If he'd had the lingo, my teacher would have viewed me as a gray-hat.  After that, I did what I could to prove he could trust me.

Because of the red tape, the Scripting Department at Big Company One was massively inefficient, and it didn't take long for my reputation to spread as the guy who could rewrite a script that didn't work, or help someone who needed a script immediately to meet a deadline that the Scripting Department wouldn't be able to beat.  That's when I realized the perception of my employers wasn't wrong; I was a gray-hat and, for all they knew, possibly a black hat.  I had to work off the books by word of mouth.  If someone sent me an email, I dutifully responded that they had to go through the Scripting Department, then walked over to their cube, swore them to secrecy, and asked how I could help.  Scripts were delivered on floppy disks - I knew the Company was watching.  They read our emails, sniffed our network traffic, and used our badges to triangulate where in the building we were, when we got there, and how long we stayed.  It's hard to do anything at work without your employer knowing or being able to find out.

To Big Company One, I was a hacker who'd been caught once, and the fact that I kept doing it put me on the wrong side of the rules.  I didn't have a chance to go beyond the handshake and prove the actual color of my intentions to them, but to myself and other employees, I saved jobs with scripts that made unrealistic deadlines realistic.  My peers saw and accepted that gray area, but corporations behave more like machines and to them the question was binary: 1 or 0.  Trust/not.  White/black.

The inherent distrust of Big Company One made me less trustworthy, not more compliant.  The way the company viewed me was directly responsible for shading my hat to gray, maybe even charcoal.  They created a perception and relied on a handshake that they refused to look beyond.  Ironically, their distrust motivated me to work under the counter.  It forced me to learn ways of communicating and passing data without leaving footprints behind, and it proved to me that I was working for the wrong people.  I didn't want to hide my skills, lie, and cover my tracks just to help fellow employees work more efficiently.  It didn't feel right.

My current job is not like most corporations, which is why I'm closing in on ten years with them.  It's big, but not faceless, and it assumed I was a white hat from my first day.  It trusted its own interview processes as a handshake to root out nefarious employees, and it used other employees who had proved themselves trustworthy to go beyond that handshake.  Perception - the earrings and tattoos - didn't even figure into it.

Not long after I'd been hired, my team lead asked about the computer languages I'd listed on my resume and wondered if I could look at a VBScript a previous employee had written.  It was used to run about 200 unique shell processes, one after the other, but it would crash randomly with no way of telling how many of the 200 processes had been completed, and whether or not they had completed successfully.  I had not been hired to perform any kind of scripting, and they just wanted me to add logging so they could see what was going on.  The task was also designed to go beyond the handshake.  It was being used to establish two-way, human trust.

After I was done, the script had been completely rewritten.  Logging was the least of the issues with it.  As I reported back on what I was doing - to avoid overstepping my bounds and being written up - the trust Big Company Two had for me increased.  Their encouragement and faith in my abilities also established my trust for them.  I proved that, beyond our handshake, I knew what I was doing, took all necessary precautions to avoid disasters, and was making life for the other employees easier and more efficient.

Big Company Two knew I was a hacker by definition - by the very tasks they asked me to code, which required me to force interaction between applications designed not to interact - but they used humans to take the time to establish trust and determine the color of my hat, instead of simply flipping a 1 or 0 based on my job description, then forcing me into a perception that fit their handshake.  Instead of a reprimand, I earned a healthy bonus in my paycheck and was encouraged to write more code.

Both companies were given the chance to use my actions to prove my motivations.  Big Company One chose not to look beyond the handshake, which led to an inevitable employment separation.  Thanks to the culture and attitude of Big Company Two, we instead established two-way trust, despite the processing machine running my scripts being given a special pass by the Network Security department, since a lot of what I'd written looked like a virus.  There was a lot of humanity behind that decision.

In the online era, it's the lack of perception and a real handshake to go beyond that allows shy introverts to make lasting virtual friendships - but it's the same thing that opens the door to catfishing and identity theft.  On the Internet more than anywhere, trust must be earned and maintained by humans.  Everyone is a stranger.  You don't know who is reading your information - your tweets, your blog posts, your Facebook - nor what they're doing with it.

Everyone is a gray-hat, not just hackers.  Even trusted sites can be spoofed or fall victim to a "man-in-the-middle" attack.  This is worth remembering in a culture where most humans have ceded determining trust to machines or corporations or political parties.  Human interpretation of words and actions has always been the only solid firewall against black hats.  Only what a person says and does can establish if they're black- or white hats, from salespeople to politicians to contractors to User72 in chatroom X.  It's why children are still taught not to trust strangers, and why adults have learned to neither trust nor distrust strangers.

Machines lack the depth of perception and experience that describes the human animal.  It's easy to flip a 0 to a 1, but actual trust is not turned on or off.  The thing we have to do, as humans interacting with other humans using machines, is add that layer of human-interactive trust to the machine's binary interaction, shading it with our perception and gut feelings and experience.  It's not impossible; it just requires more work, closer attention to detail, and the realization that information on the Internet, no matter how encrypted or protected, is public, because machine trust, even two-way, so often fails.

I left Big Company One for two main reasons:

  1. I figured the satellite office I worked at was about to be closed (it was, a year after I left)
  2. I didn't like the way working there made me feel, like it was us against them and everyone was doing what they could to save their necks or stab anyone ahead of them in the back.

I didn't feel trusted, I didn't trust the Company, and I didn't trust my peers because that was the climate and culture the Company had created with its innate distrust of everyone.

Big Company Two knows that I could write malicious code, but they're also sure I won't.  The power in trust is not that you can fool people and take advantage of them or commit crimes; the power is in not using the tools at your disposal to be a black hat.  White hats don't use tools to snoop.  They use them to find the black hats who are snooping on others.  They don't use tools to steal.  They use them to make systems safer and more efficient.  And while the color of a hat can be determined objectively, it is more often decided subjectively.  Your actions speak louder than job titles, certificates, or credentials, but one misstep and the trust is broken.

My career has shown me that white hats are motivated by trust and black hats are motivated by distrust.  I understand why average people - and even corporations - fear hackers, but the only way to overcome that fear is through enlightenment - through establishing human-interactive two-way trust with our actions.  Humans are not binary and it hurts us to try and experience the world as if we are machines, using only a virtual handshake to establish trust.

It was too late for me with Big Company One, even if they had taken the time to see exactly what I was doing.  Fear, after all, breeds distrust.  It was also too late for them with me: Distrust will never breed trust, just fear.  It's a vicious circle.

Jack Beltane hides in plain sight on the Internet at jackofbells.com.  He writes software documentation for a paycheck, novels for his soul, and articles like this for fun.
