I love libraries. I am not just a voracious reader, I am pretty much a compulsive reader. I have loved libraries ... well, I don't know how long. (I have no idea where my love of libraries, and reading, and information, came from. My parents, despite both being teachers, never read, themselves. They never took me to the public library. But I digress ...) My first experience of libraries was the school library, but eventually I discovered the public library, and I have patronized every library where I have lived ever since.
I hack my library.
I mean no harm. Hopefully I do no harm. Indeed, I have evidence that the systems people at the library consider me a resource, in that I identify bugs in their system (which is now complex and relies on a third-party Web interface as well as their back-end "catalogue" database and other parts) and generally can be counted on to provide sufficient, and sufficiently accurate, detail that a fix can be accomplished by the responsible party.
When I talk about hacking the system (and, at my level, some people would say I was more "gaming" the system) I mean it in the classical sense of getting the system to do what I want it to do, and perform functions which the system owners or builders have not had the time, inclination, or desire to have the system perform.
One of my regular hacks involves finding new items. There is a "hold" function in the system, as well as a list of items that you might want to keep track of "for later." The "for later" list doesn't seem to have a limit, but the "hold" list is restricted to 30 items. I tend to run with my "hold" list pretty full most of the time.
This morning my "hold" list was maxed out. And then I found a new item that I wanted to place a hold on. The system will also tell you how many copies of an item are ordered or available, and how many people had holds on it. This morning it had three holds. By this afternoon it had 14 holds. So, when I saw that two of my hold items had come in and were ready for pickup, I went to the library. I didn't need those items just yet, but I needed the space on the hold list.
When I told Gloria where I was going, and why, she smiled. "Hacking the system."
She was absolutely right.
Hacking doesn't have to be limited to a "technical" fix. I didn't have to break into the library system and give myself extra space beyond the prescribed limit. I just had to walk over, take a couple of items off the shelf, and check them out. It was a physical hack, but it worked.
As a systems analyst colleague once noted, "If you can improve efficiency by moving a filing cabinet to get access to another terminal, you don't buy a new terminal, you move the filing cabinet!"
As a security analyst colleague once responded, when I tasked him about suddenly starting to wear a tie after decades of pony tail and jeans, it made the C-suite people he was talking to trust him. Then he grinned. "It's a good hack."
So should everyone learn how to hack?
@rslade the big point you bring to light here is the key to any successful hacking endeavor.
If you know how a system works, you can find the flaws and use it to your advantage.
Just as valuable is: If you know what the expected behavior is, how does it handle the unexpected?
I once coached softball. I knew the rules and several times I used them to my advantage. We had several rules but one of them was in the first 3 innings you were limited to scoring 5 runs per inning. Once you got to the 4th inning it was unlimited runs. We also had this one: If you had gone over the one-hour mark you could stop the game if you thought it might get too dark if you started another inning; however once you started the 4th you had to finish it (unless thundering or it just became too dark).
So we were in the 3rd inning and down by 6 runs and it was approaching 53 minutes on the clock. We scored 3 runs and had the bases loaded with 2 outs. I knew we would get the 5 runs in eventually because the pitching was so bad they would probably walk the next 2 batters, but we ran the risk of going over the time limit if we got those other 2 runs. I was afraid the official would call the game after the 3rd inning if we got those 2 runs. So what did I do? I already had my slowest runner on 3rd base. I told the 3rd base coach, "The next pitch I want you to send the runner home, even if the catcher catches the ball. I NEED her to get out. I'll explain later." She did run and she did get out. We hustled off the field and hustled back on so we could start the next inning. We started the inning and came back and won. After the game, the girl who got out felt terrible. I called the team around her and gave her the game ball and explained the situation to the team. I explained how she actually gave us the chance to win by getting out and that it was I, the coach, who had told her to get out. She smiled as she got the game ball and her teammates congratulated her. Now did I hack the game or just understand how, when you combined the rules in your favor, you could have a chance to win the game?
@Caute_cautim Yes, everyone should learn to hack. Great article.
I think it is crucial for security folks to learn to hack. Here in my state we have a sharing of resources across agencies and one agency holds a CEH class and lets other agency personnel attend. In one class I attended you saw developers as well as "regular" IT folks mixed in with some security folks. When these people, not normally associated with security, saw how easy it was to hack and the array of free tools available, you could see the light bulbs go off in their heads. The developer said, "Oh. I get why I need to code securely now." The IT guy said, "I see why I don't just need to download whatever I want and install it."
You could tell they had a different view of security after the class. So yes, everyone should learn hacking.