When asked to name the world's largest hacking firm, most people would think along the lines of Rapid 7 or Check Point. But in truth, it is Deloitte and PwC who are the largest hacking firms. It's not because they have so many penetration testers. Instead, it is due to how many accountants and lawyers they employ.
And that is the underlying theme Bruce Schneier makes in his excellent new book A Hacker's Mind: How the Powerful Bend Society's Rules, and How to Bend them Back (W.W. Norton Publishing). His premise is that hacking is, in fact, a universal trait. While those in the information security field think of hacking in terms of zero days and Windows vulnerabilities, finding gaps in things is a normal human response.
Schneier writes that all systems will have ambiguities, inconsistencies, and oversights, and they will always be exploitable. Systems of rules, in particular, have to tread the fine line between being complete and being comprehensive within the many limits of human language and understanding. Combine that with the natural human need to push against constraints and test limits, and with the inevitability of vulnerabilities, and you get everything being hacked all the time.
This is a delightful and readable book where he discusses how hacking is pervasive across all systems. From hacking financial and legal systems, to political systems, cognitive systems, and more. Not only that, creating an unbreakable system, based on Gödel's incompleteness theorems, is fundamentally unattainable.
Created in the 1930s, German logician Kurt Gödel proved that all of mathematics is fundamentally incomplete. As Schneier shows so articulately, what that means for computer security is that all systems will have ambiguities, inconsistencies, and oversights. And they will forever be vulnerable and hackable. And for those that remember the claim of Larry Ellison of Oracle, about 20 years ago, that their systems were unbreakable, that will certainly bring back a humorous blast from the past.
In the context of the book, Schneier defines a hack as a technique that adheres to the rules of the system, but subverts its intent. But this isn't always a bad thing, as some hacks are also beneficial innovations. This, though, leads to the obvious question – who gets to define intent? Who decides whether a hack is beneficial or not, or whether the subverted system is better or not? This is a highly complex matter, especially in systems with multiple designers, or that have evolved over time. Hacks are beneficial to some and detrimental to others.
As Schneier notes, everything can be hacked, and blogs and books about these hacks abound. One popular example is Brian Kelly, AKA The Points Guy. He created a website to hack airline frequent flyer programs. This can be done via various methods, optimizing airline credit card offers, and more. And this is just one example of hundreds.
Another hack the book goes into detail about is the US tax code. And it's the tax code that the Big 4 firm auditors review deeply to find loopholes to save their client's money. There is a lot of money for tax attorneys and tax accountants to do these hacks. And Congress and regulators are unable to do anything to stop it. And when they try to, the ensuing laws and regulations, with their inevitable vulnerabilities, will also be hacked.
So what can be done to fix the nefarious hacks? There are not many solutions. In fact, artificial intelligence and machine learning will only make these hacks worse. Machine learning, ChatGPT, and other methods are able to find software vulnerabilities. It's still in its infancy, but the trajectory is increasing.
Schneier writes that we must find a way to use hacking for social progress. But doing that in practice is exceedingly difficult. And the fact that the book has over 200 pages of narratives about the hacks, and not a whole lot about solutions shows how challenging the problem is.
This enjoyable book is relevant to most people; they don't have to be security or technology savvy. In the Harvard Business Review, Sabina Nawaz writes that it's time to retire the saying, "Don't bring me problems; bring me solutions." But in deference to Ms. Nawaz, Bruce Schneier has laid out a lot of the problem. And while the solutions are not necessarily definitively here, the book is a wake-up call that a lot needs to be done.