Zines/phrack/68/7.txt

                              ==Phrack Inc.==

                Volume 0x0e, Issue 0x44, Phile #0x07 of 0x13

|=-----------------------------------------------------------------------=|
|=-------------------------=[ Happy Hacking ]=---------------------------=|
|=-----------------------------------------------------------------------=|
|=--------------------------=[ by Anonymous ]=---------------------------=|
|=-----------------------------------------------------------------------=|

                                  -------

1. Introduction

2. The Happiness Hypothesis

3. The consulting industry

4. Rebirth

5. Conclusions

6. References

                                  -------

--[ 1 - Introduction

I've been fascinated with happiness since my college days. Prior to 1998
psychology focused on fixing people who had problems in an attempt to make
them more "normal". However, recent trends in psychology have brought a
whole new field called positive psychology. Positive psychology, or the
science of Happiness, brings a wealth of research on how normal people can
achieve greater levels of happiness. As you delve into the subject you will
discover that most of the conclusions associated with the research into the
topic of happiness actually runs counter to the popular culture
understanding of what brings happiness.

In this article I'd like to expose some ideas that directly impact the
hacking scene and specifically as it relates to working in the security
industry. I'd also like to introduce the idea of hacking happiness.

If you could spend a percentage of your time learning about happiness, how
much happier do you think you could be? Hacking happiness means cutting the
path to happiness straight to what makes you happy by researching happiness
just like you would any security topic.

Since the article is focused on Happiness as it relates to hacking, there
are many subjects of positive psychology that we are not going to touch or
mention. However, if you are interested in reading more about the field,
Wikipedia has an excellent article on the subject:

  - http://en.wikipedia.org/wiki/Positive_psychology


--[ 2 - The Happiness Hypothesis

Most of the ideas introduced by this article are borrowed from "The
Happiness Hypothesis" by Jonathan Haidt, which I recommend if you'd like to
dig deeper into the subject.

The first thing about happiness that you should know that research has
proved is:

  - "People are very bad at predicting what will bring them happiness." -

To expose this idea let me provide an example. Researchers took a look at 2
different groups of people that had been through completely opposite
situations, the first group are lottery winners, and the second group are
people that became paraplegics through some type of accident. Both groups
were interviewed at 2 different times, once just after the event (winning
the lottery or becoming paraplegic), and once more again several years
later. The results of their interviews are quite astonishing.

The first group, the lottery winners, as you might expect, had very high
happiness levels when interviewed shortly after they had won the lottery.
The second group, those who were newly paralyzed had a very low level of
happiness, some were even so unhappy that they regretted not dying during
the accident. These findings are quite obvious and shouldn't be surprising
to you; however what is astonishing are the results of the second
interview.

Years later, the lottery winners were interviewed again, this time the
results were quite surprising. As it turns out, their happiness level had
dropped significantly to levels so low that most of the winners where more
unhappy now than before winning the lottery. In contrast, the happiness of
the group of paraplegics was very high, equal to or higher than before the
accident. So what really happened?

To explain this, let me describe the circumstances of the lottery winners.
Having won the lottery, they thought they had achieved everything they
wanted, since popular culture equates happiness with material wealth, and
so their short term happiness level grew quite high. After some time
though, they started to realize that the money wasn't bringing them the
happiness they once thought they would achieve when they would be rich.
Frustrated at the possibility that they would never be able to achieve full
happiness, their happiness level started dropping. To try to compensate for
their decreasing happiness level, they started spending money on material
things, but that was no longer a happiness source. Further exacerbating the
problem, this new wealth brought new problems (to quote Notorious B.I.G. -
"Mo money mo problems"). Now family, friends and colleagues were regarded
as a threat, thinking that all they wanted is to take advantage of their
new wealth. People around them started asking for loans and favors, which
led them to distant themselves from their families and friends. Again, in
order to compensate, they started trying to make new friends that had their
own wealth status. But breaking the bonds with old friends and family that
had been established for most of their lives and trying to establish new
ones, brought a feeling of loneliness that directly correlates to their
happiness levels significantly dropping.

On the other hand those who had become paraplegics relied heavily on their
families and friends to help them through the rough times, thus 
strengthening the bonds between them. And just like the lottery winners,
the new circumstances brought back old friends from the past. But unlike
with lottery winners who's friends came back looking to take advantage of
their new wealth, these old friends came back for the opposite; they sought
to help. Another factor associated with the increased happiness was the 
fact that the group that was paralyzed had to learn to cope with being 
paraplegics. Learning to cope with being paraplegics brought an immense
sense of achievement that made their happiness levels go up.  After a few
years their family relations were stronger than ever; friends were closer
and their sense of achievement from having overcome their limitations had
brought them an immense amount of happiness that, when compared to their 
happiness levels before the accident, was equal and most of the times 
higher.

If someone were to ask you whether you would choose to become paraplegic or
win the lottery, it is obvious that everyone would choose to win the
lottery; however this choice goes against research which has shown that by
becoming a paraplegic you would ultimately be happier.

Obviously I am not saying this is the path you need to choose (if you are
thinking of doing this, please stop!). I am merely trying to demonstrate
that the actual road to happiness may force you to look at things in a very
different and counter intuitive manner.


--[ 3 - The Security Industry

In recent years I've seen how many hackers join the information security
industry and many of them having the illusion that hacking as their day job
will bring them a great deal of happiness. After a couple of years they
discover they no longer enjoy hacking, that those feelings they used to
have in the old days are no longer there, and they decide to blame the
hacking scene, often condemning it as "being dead".

I'll try to explain this behavior from the science of happiness point of
view.

Let me start by looking at Journalism. The science of happiness has shown
that people are happy in a profession where:

  - "Doing good (high quality work) matches with doing well (achieving 
    wealth and professional advancement) in the field." -

Journalism is one of those careers where doing good (making the world
better by promoting democracy and free press) doesn't usually lead to
rising as a journalist. Julian Assange, the chief editor of Wikileaks, is
a pretty obvious example of this. By firmly believing in free press he has
brought upon himself a great deal of trouble. In contrast, being
manipulative and exaggerating news often leads to selling more news, which
in turn allows for the sales of more ads, which correlates to doing well.
But by doing so, journalists have to compromise their beliefs, which
ultimately makes their happiness levels go down. Those who decide not to
compromise feel angry at their profession when they see those who cheat and
compromise rise high. This feeling also leads to their happiness levels to
drop. Journalism is therefore one of those professions where its
practitioners tend to be the most unhappy.

Hacking on the other hand doesn't suffer from this issue. In the hacking
scene doing great work is often recognized and admired. Those hackers that
are able to write that exploit thought to be impossible, or find that
unbelievably complex vulnerability, are recognized and praised by the
community. Also, many hackers tend to develop great tools which are often
released as open source. The open source community shares a lot of
properties with the hacking community. It is not hard to see why people
enjoy developing open source projects so much. Most open source projects
are community organizations lead by meritocracy; where the best programmers
can quickly escalate the ranks by writing great code. Furthermore, the idea
of making the code and the underlying designs widely available gives
participants a feeling of fulfillment as they are not doing this for profit
but to contribute to a better world. These ideals have also been an
integral part of the hacking community where one of its mottos is,
"Knowledge should be free, information should be free". Being part of such
communities brings a wealth of happiness, and is the reason why these
communities flourished without the need for any economic incentives.

Recent years however have brought the security industry closer to the 
hacking industry. Many hacking scene members have become security industry
members once their responsibilities demanded more money (e.g. married with
kids and a mortgage). For them it seemed like the right fit and the perfect
job was to hack for a living.

However, the security industry does not have the same properties as the
hacking or open source communities. The security industry is much more like
the journalism industry.

The main difference between the hacking community and the security industry
is about the consumers of the security industry. While in the hacking
community the consumers are hackers themselves, in the security industry
the consumers are companies and other entities that don't have the same
behavior as hackers. The behavior of the security industry consumers is
similar to the behavior of the consumers of journalism. This is because
these companies are partially a subset of the consumers of journalism.
These consumers do not judge work as hackers do; instead they are more
ignorant and have a different set of criteria to judge work quality.

It is because of this, that once a hacker joins the security industry they
eventually discover that doing great work no longer means becoming a better
security professional. They quickly start discovering a whole new set of
rules to achieve what is considered to be the 'optimal', such as getting
various industry certifications (CISSP, etc), over-hyping their research
and its impact to generate press coverage, and often having to compromise
their ideals in order to protect their source of income (for example the 
"no more free bugs", "no more free techniques" movements).

Those deciding that they don't want to be a part of this quickly realize
that the ones who do are the ones that rise up. Most of them try to fix the
situation by calling these people out, which often makes the person being
called out likely criticized by the hacking community. But that is often 
not the case within the security industry were they still enjoy a great 
deal of success.

To illustrate further, it has become very prevalent to announce discoveries
and claim that by making the vulnerability details public catastrophic
consequences would ensue, as we'll see in the example below. Most of the
hacking community are quick to criticize this behavior, often ostracizing
the person making the claim, and in a few cases hacking them in an
attempt to publicly expose them. However, this practice only has an impact
within the hacking community. In the security industry an opposite effect
happens and the person in question achieves a higher status that allows
him to present in the top security industry conferences. This person is
also praised for choosing to responsibly disclose the vulnerability thus
obtaining an overall security status of guru.

To illustrate this let's look at a real world example. On July 28, 2009, 
during the Las Vegas based Black Hat Briefings industry conference, the
ZF05 ezine was released. The ezine featured a number of well respected
security researchers and how they were hacked. But one of these researchers
stood out, namely Dan Kaminsky. The reason why he stood out was that one
year before, a couple of months before Black Hat Briefings, Dan Kaminsky
decided to announce that he had a critical bug on how DNS servers
operated [0].

Moreover he announced that he had decided, for the benefit of Internet
security, to release the technical details only during his Black Hat
Briefings speech that year. The response to this decision was very
polarized. On one side there was the "vendor" and information security
industry that praised Dan for following responsible disclosure. On the
other hand, some of the more prominent security people, criticized this
approach [1].

Dan in turn positioned himself as a martyr, stating that everyone was going
against him, but he was willing to sacrifice himself in order to protect
the Internet.

When ZF05 was released, Dan Kaminsky's email spool and IRC logs were
published in it. The released data included a number of emails he exchanged
during the time he released the DNS bug. The emails showed exactly what
everyone in the hacking community already knew; that Dan Kaminsky was
anything but a martyr, and that everything was a large publicity stunt [2].

Even though the data were completely embarrassing and publicly exposed Dan
Kaminsky for what he really was, a master at handling the press, this had
no impact outside of the hacking community. That year, again, Dan Kaminsky
took a stand in the Black Hat Briefings conference to deliver a talk, and
was again praised. He was also later chosen to be the American
representative who holds the backups of the global DNS root keys [3].

This demonstrates that no matter how severe a security industry figure gets
owned by hackers literally (e.g. publishing their email spools and IRC 
logs) or figuratively (e.g. showing qualitative evidence that their
research is flawed, stolen, inaccurate or simply unoriginal), these
individuals continue to enjoy a great deal of respect from the security
industry. To quote Paris Hilton, "There's no such thing as bad press".

With time those that choose not to compromise either live an unhappy life
frustrated by these so called "hackers" that get their recognition from the
security industry while they themselves are seen as security consultants 
who just can't market themselves, or they simply choose to change their 
entire career, often burned out and proclaiming that hacking is dead.


--[ 4 - Rebirth

Since the idea behind this paper is not to expose anyone, or complain about
the security industry, we want to leave this aside and move on to what
exactly a hacker can do to hack happiness.

The rebirth section is then a logical reasoning exercise on the different
paths that are available to a hacker who is also part of the information 
security consulting community, as seen from the happiness maximization 
perspective.

The first path is to keep fighting. This path is quite popular; over the
years we have seen many hackers forming groups and follow this path (el8,
h0n0, Zero for 0wned, project m4yh3m, etc). But don't get too excited since
most of the teams that follow this path eventually disintegrate; I'll try
to explain the reasons why this happens. First, remember that humans are
very bad at predicting what would bring them happiness. With that in mind,
most of these groups form with the ideal of exerting a big change onto the
security community. The problem with this approach is that they really have
no control over the consumers of the industry, which is exactly where the
problem really is. As these groups try to exert a change they quickly
discover that even when their actions lead to undeniable proof of their
arguments and are completely convincing to other hackers, they don't seem
to affect regular people. Their initial victories and support from the
hacking community will bring them a new wave of happiness, but as time goes
frustration from not being able to have an impact beyond the hacker
community will then start to build up, which leads to their level of
happiness to drop, eventually disintegrating the group. You would be wise,
if you are thinking of taking this path not to take my word for it, but 
just look at the history of the groups that precede you, and then decide.

Your other path is simply to ignore all of this and just keep working on
the sidelines as a security consultant. As someone who was once part of the
security industry - being on the sidelines without compromising my ideals
while I saw others which had little skills rise - I can honestly tell you 
it will make you sick. For some people, professional success is a very
important part of their overall happiness. So if you choose to follow this
path first make sure that professional success is not a very important part
of your life. If that is the case, instead focus on other activities from
which you can derive happiness. One great choice is participating in open
source projects, or building one yourself. There are of course many other
alternatives like family, sports etc, all of which can bring you immense
happiness. On the other hand, if your personality is that of someone very
ambitious, following this path will make you very unhappy for obvious
reasons.

Finally there is one more path. Simply accepting this is how the security
industry works (these are the rules of the game), and playing the game. In
this scenario, as you begin to rise you will discover that in order to
move higher you are going to have to make some ethical compromises, and by
doing so to rise up in the information security industry. Unfortunately,
even though your professional success will bring some happiness with it,
you will start to feel as if you sold your "soul" to the devil. This
feeling will start bringing your happiness levels down, and the more you 
compromise the bigger impact this will have. At the same time, you will 
start hating your job for forcing you to compromise your ideals. This in 
effect will cause your professional success to no longer bring you any 
happiness. The combination of both hating your job and compromising your 
ideals will bring your happiness levels very low. Eventually you will
falsely reach the conclusion that you no longer like hacking, that hacking
is dead, and this is why you feel so unhappy.

Fortunately for you, the security industry is not the only option. Your
skills and intelligence will be valued in different industries. It is up to
you to decide what kind of career you would like to pursue. Many hackers 
choose to work as software engineers, which is a very good option since 
they already poses a great deal of knowledge in this area. But you are not 
restricted to the software engineering industry. In fact I've seen cases 
were hackers have chosen careers that have nothing to do with computing,
far away actually, such as music or art, and they are quite successful and 
happy.

This does not mean you are giving up on hacking; in fact it is quite the
opposite. Many people, including myself, do hacking as a hobby and choose
to participate in a different industry for our living income. If you choose
this path you will realize that as being part of this community will bring 
you a lot of happiness. Deep inside you already know this if you are 
reading this article. The real reason you started hacking in the first 
place was not because you were good at it, or because you liked computers;
it was because it made you happy and there is no reason why this has to
change.

For those of you that have been in the security industry for a while, which
are unhappy with the current situation and are blaming the hacking 
community for this, don't. Understand that it is not the hacking community 
which has problems but the security industry and that once you start 
hacking as a hobby again those feelings you once had will come back.


--[ 5 - Conclusions

I hope I brought some understanding to what makes people happier, what you
should look into any industry you seek to work in if you want to maximize
your happiness, and more importantly how the security industry behaves. 

Hopefully some of you will be able to make better decisions, and ultimately
the conclusion should be:

  - Hacking will never die, because ultimately we all want happiness, and
    hacking brings happiness. -

HAPPY HACKING!


--[ 6 - References

[0] http://dankaminsky.com/2008/07/09/an-astonishing-collaboration/
[1] https://lists.immunityinc.com/pipermail/dailydave/2008-July/005177.html
[2] http://attrition.org/misc/ee/zf05.txt
[3] http://www.root-dnssec.org/tcr/selection-2010/


--[ EOF