Overcoming Insularity: A Critique of the “Try Harder” Mentality
The Things Hackers Need to Know Are Really Complex
When I started learning ethical hacking many years ago, the world that we were coming into was very different from the one that people entering the community encounter today. Hacking was esoteric knowledge held by intellectuals who existed on a different plane, who kept an insular community. We newbies were often told to sit back, listen, and try to absorb ideas that were far beyond our own understanding, studying in our free time to fill in the gaps.
Learning any sort of hacking involved overcoming an incredibly steep learning curve. At least in infosec, this meant that we would spend hours, frequently up late at night losing sleep, just to practice on random vulnerable VMs or to read through blog posts and articles. Often, we spent more time going down rabbit holes in an effort to grasp complex ideas than we would reading the actual article or putting a technique into action.
Back in the day, it wasn’t as simple, most of the time, as just searching online for information and finding nicely organized wikis, guides, and tools. Knowledge about hacking was confined to obscure journals, underground hacker zines, communities that engaged in illegal activity (e.g., urban explorers, shoplifters), subcultural publications such as 2600, and in-person community meetups. To run into a problem meant taking on a project, learning baseline knowledge, finding partial resources that might be accessible (which were often incomprehensibly complex, especially to a fledgling) and asking a lot of questions. If we were lucky, we ended up with a mentor, but most people were often left on their own. We grouped this under the slogan of “try harder” and shouted it from the rooftops.
I want to be clear that I gained a lot from this way of doing things. Rather than relying on what was a growing series of point and click tools, I forced myself to learn from base principles. As a result, I’m far more adaptable, and more confident in my ability to grasp a difficult concept quickly. I was forced to develop my own methodology under fire in stressful conditions, and that has been invaluable. At the same time, it came at the cost of literally hundreds of hours of learning before getting paid for this, a lot of sleepless nights, and sidelining many of my other interests to focus on this full time.
It is an experience that a lot of us have “lived” through. The process of going through this jump into the abyss, and having to figure out how to navigate the way down to Hades, is one that we talk about almost as a collective trauma. We talk about the long nights as a mark of honor and we approach the burnout as a symbol of dedication. Not only does that lead to unsustainable practices in our communities, but there are also profound social impacts that come along with creating cloistered intellectual environments like this.
Creating Security Consumers
Such extreme self-reliance has been beneficial for me (sleepless nights aside), but there are distinct and negative impacts from having to overcome the disadvantages of intellectual gatekeeping. These dynamics negatively impact not only hacking communities but also the broader social goals many of us work toward (that is, a freer but more secure world for everyone). These adverse effects occur on a variety of levels.
Firstly, the “try harder” mentality tends to assume a sort of equivalent learning terrain for all people. Sure, it’s fine to tell someone to spend many hours of unpaid time learning something difficult, something that requires a lot of tenacity, energy, and access to information. However, we need to realize that most of us do not inhabit a world which allows for that. For example, I spent a solid 3 years learning before ever trying to hack professionally on any level. I was an academic at the time, so I had both the time to study and access to resources. I still ended up exhausted. It's asinine to assume that someone working two jobs, raising kids, caretaking for ill or elderly relatives, or facing any sort of condition that may make traditional learning more difficult, could take on this sort of burden. Since many are excluded from our spaces simply due to circumstance, we lose a lot of creativity, originality, and perspective when we refuse to recognize this dynamic.
Secondly, we have created a space of extreme complexity that starts to approach a portrayal of ourselves as practitioners of dark and mysterious arts. Often the depiction of hackers is of a magician making esoteric incantations to a keyboard that cause machines to do weird and unexpected things. We see this in almost every portrayal of the hacker, clandestinely accessing some system using means only they understand. Never mind that everything we do is logical, technical, and able to be understood. The complexity of the initial knowledge, coupled with our tendencies to use obtuse jargon and the abovementioned social barriers, has created a space in which most people remain separated from understanding security and are reduced to consumers. This results in a space that is both difficult to enter and intimidating, especially for those with disadvantages or any level of social anxiety.
We have produced an environment that is not only hard to access but which also creates a whole consumer class out of this isolation. The result is a large number of people impacted by security directly and profoundly but who have little understanding of how to protect themselves. On a broad social level, that leaves us vulnerable to significant attacks, for example, worms that go out of control and shut down whole national healthcare systems, or people having credit cards stolen. The only defenses are often whatever someone picks up in the media or from the once-monthly security email their IT department sends out. We have made security into magic, which feels really good to us insiders. It makes us all feel clever, and it is VERY profitable. But ultimately, we have also created an environment in which the broader social goals of hacking communities (autonomy, collective power, the ability to control technical systems, fostering curiosity) can never be achieved because of this.
The Social Costs of Insularity
It’s not like this narrative is foreign to the hacking community. So much of the mythology of the hacking scene and open-source communities centers around the creation of closed source environments, with the focus being on Microsoft and Windows. Let us set aside judgements that we may have on Microsoft’s business practices in the mid to late 1990s and just focus on the impact.
Windows is easy to use, and that is its primary strength in the minds of most users. The whole system is structured to abstract away the more complex elements of computing, to allow a user to focus on using the machine while not necessarily understanding it. Remember, it was originally developed as a UI over DOS. The result of everyone having their bright new beige desktop come with a copy of the newest Windows was that computing ceased being the purview of a small number of relatively dedicated enthusiasts and instead became something most anyone could have access to.
This grand democratization of computing came with some significant costs, however. Due to the closed source nature of Windows, it was not possible for programmers to see and understand the system. This left much of Windows to be discovered in acts of archaeology by security researchers. Whole elements of the system were abstracted away and rendered inaccessible. So, just as we ended up with this massive expansion in access to computing, we also created computing in such a way that the actual operations of the system remained more or less mysterious. Not only does this lead to people doing things like replacing an entire laptop when a hard drive dies, but it has created a multitrillion-dollar ecosystem that relies on profits being derived to the degree that users are removed from their own systems.
We have seen similar dynamics emerge every time paradigm-shifting technologies develop and expand. Take printing, for example. Though it seems like a simple endeavor, it is actually an incredibly precise process of understanding your machines: knowing their quirks and limitations, and then developing layouts that work with that specific machine. The advent of printing brought with it profound social impacts. Not only did its introduction and expansion create a world in which literacy was normal, but as a result, it also greatly expanded the purview of social discourse and led to significant changes in the ways we live. Printing is directly credited with being a primary agitating factor for both the American and French revolutions.
The other effect, however, was to create a caste of printers, with their own apprenticeships and their own specialized knowledge. So, at the same time that we had this grand expansion of social discourse, it became limited by access to printing and printers. That particular dynamic is something we have seen change with photocopies and computerized printing. Even in that space, however, the actual operations of the printer itself are relatively abstract. (This is partially why home printers are essentially disposable at this point.)
One contributing factor to limiting access is the craft languages we develop to address complexity. Entire vocabularies filled with acronyms, specialized terms, and weird usages of otherwise relatively clear terminology (philosophers and hackers are notorious for this) are developed and used, but only by those who have access to this language. The combination of the removal of the user from technology and the development of cloistered environments creates spaces that are incredibly difficult to access. In this way, we mimic the structure of the university, where our ability to engage in a specialized discourse is related to our ability to access specific spaces and to learn specific craft languages. The university’s disciplinary structure is clearly designed to address this esotericism and the dedication necessary to push through it. That cloistering effect, and the tendency to present esoteric knowledge as magic, as attainable only by the chosen few, forms such a core of the university system that we end up with increasingly complex ceremonies and uniforms as we rise through the ranks. (The robes you wear when you get a PhD are definitely wizard robes.)
Overcoming this insularity requires the hacking community to genuinely understand the roots of this dynamic, and to do that, we must look at the relationship of technology to social uncertainty. It is easy for the new and complex to end up the bastion of some specialized group; it happens all the time. By creating an isolated community, we not only make our jobs more difficult (especially if one works blue team), but we end up reinforcing a disempowering dynamic of consumerist computing. Thankfully, we have examples of what it looks like to work against this sequestering dynamic. Some of these examples are a lot closer to home than one might think. In my next post, I’ll examine these more inclusive models and put forth steps we can take to move toward a more welcoming and egalitarian environment.
Credits
Prepared by: Thomas Pieragastini
LinkedIn: (https://www.linkedin.com/in/thomas-pieragastini-932974ba/)