Hacking is attacking and breaking into computer systems illegally… isn’t it? The meaning of the term “hacking” has in fact changed substantially over time, morphing from describing essentially benign (or at worst mildly disruptive) activities into its modern attribution to largely criminal and illegal activities. What’s more, in its original usage, “hacking” doesn’t necessarily even need to involve computer systems at all.
In this blog post we look back at the origin of the term “hacking”, as well as how activities that might be described as hacking have existed throughout history, even prior to the advent of computer systems – and what if anything these can teach us today.
Almost everybody in 2024 is familiar with the modern meaning of “hacker” – an individual who is highly skilled technically – with computer systems especially – and willing and able to use that knowledge with criminal intent in order to breach the security of computer systems, especially those that operate across the internet. We’re familiar with the iconography of hackers as pale, young individuals typing furiously into the early hours of the morning, their hooded face lit only by the pale blue glow of their computer screen. This figure of the “security hacker” describes someone who utilizes their technical know-how of bugs or exploits to break into computer systems and access data which would otherwise be inaccessible to them.
However, “hacker” as a term predates the internet, was not originally restricted to activities involving computers, and did not signal any criminal intent. A “hacker” was simply an enthusiast of technology, with sufficient motivation to not simply use or operate the technology, but to understand its function in detail and apply a playful cleverness to subvert the technology to achieve a goal other than that which it was designed for. The defining characteristic of a hacker was not applied to any specific activity, but this approach that combined deep technological knowledge with lateral thinking, and an often playful or exciting activity. Quite aside from any criminal intent, the earliest hacks (as described by that word) were performed either just to test the hacker’s mastery of a technology for their own satisfaction, or else to demonstrate their technical aptitude and cleverness to others within their community.
The first modern community or communities of like-minded individuals that adopted these ideas as a community and subculture is generally accepted as being the so-called “hacker culture” that emerged in distributed academic environments (though particularly in North America) in the 1960s. Foremost among these is generally held to be the Massachusetts Institute of Technology (MIT) and in particular the members of its Tech Model Railroad Club (TMRC), as well as the MIT Artificial Intelligence Laboratory. Despite the fact that MIT at this time was already making use of computers, these self-described “hackers” were using lateral thinking not to attack computer systems but to perform pranks such as placing of a campus police cruiser on the roof of the university’s “Great Dome.”
The key factor in common was to analysis technologies available and what could be done with them, often to deliver a solution that baffled the casual observer as to how it could be performed. In this respect, “hacks” had more in common with traditions such as parlour magic and the crafting of so-called “impossible logic” problems such as the “ship in a bottle” – a practice that dates as far back as the creations of Giovanni Biondo at the end of the eighteenth century – or the even older Chinese puzzle balls of the fourteenth century.
A hacker in this broader sense is a person who is technically skilled and who uses their technical knowledge to achieve a goal or overcome an obstacle, by a non-standard and often unexpected and unanticipated means. There are therefore three elements to hacking:
The first is a deep technical knowledge and often the love of knowledge for its own sake. Not content with simply using an available technical system, a hacker is someone who digs deeper and determines how the technology works, often by breaking it down into smaller and smaller subcomponents and establishing the operation of each. A hacker is therefore a person who enjoys exploring the details of technologies, but also enjoys challenging and stretching their own capabilities. Notably this is quite different to a modern script kiddy, a denigrating term that is used to describe modern computer hackers who simply attack computer systems using tools created and published by others.
The second factor is that of edge cases and unexpected operation: that is, using a device or system or technology for a purpose other than was intended or in a way other than was anticipated by its creator. Within computing, this often involves exploiting so-called edge cases – actions that are possible within a system but at or beyond the expected boundaries of normal usage – in opposition to the expected “happy path” that users of a system are expected to follow.
There is an element in this second factor both of novelty and also of subversion, so that even where hacking is not criminal it can often be considered at least to be a prank.
The third element usually seen is elegance or cleverness in that the alternative usage cannot simply rely on brute force over cleverness so achieve its goals. Rather, a hack is considered more notable the greater the force multiplier that it applies, with the greatest perturbation or disturbance for the smallest input.
There may seem to be a large overlap between this broader sense of “hacking” and the concept of invention and innovation. Both can be seen as driving evolution of technology to some extent – the latter directly, and the former by forcing or suggesting improvements by demonstrating current problems.
There are three main differences between hacking and innovation. The first is that not all innovations or innovations are disruptive, even if they are revolutionary, but hacking is always disruptive in nature in that it seeks to upset the status quo in some way. For example, although often cited as one of the world’s most important inventions, the first cars in the late 19th century were not a disruptive innovation, because the earliest vehicles were expensive luxury items: they did not disrupt the existing market for horse-drawn vehicles.
The second difference is that innovations and inventions can often take a substantial amount of effort, resourcing, and investment to deliver. In the case of the automobile, it is a significant manufacturing undertaking. This contrasts with the hacking concept of elegance, where a goal can be achieved by subtle redirecting or undermining of existing practices.
And the final difference is that hacking doesn’t generally involve the introduce of new tooling at all, it relies on the subversion of existing systems in a somewhat parasitic manner. Hacking may involve combining existing technologies to undermine a solution in an unexpected way, based on an understanding of the technology and potential alternative applications, but it does not introduce new functionality itself in general. Hacking therefore involves a new process, rather than a new product or service. Through identifying and analysing existing systems for possible points of intervention, or alternative usages, a hacker can then perform a disruptive intervention.
Invention and hacking work instead in tandem: even as technology changes – from the wheel to the telescope, to the computer – hackers push the envelope and test the limits of what’s possible.
In the strictest modern sense, hackers clearly don’t predate modern digital electronic computers, which began to originate in their crudest forms as early as the 1930s. One of the earliest – and most commonly cited – examples of early hacking are the emergence of “phreakers” during the 1970s. This was a group who manipulated properties of the phone system communication protocols at the time in order to gain access to AT&T’s long-distance system and place free long-distance calls. John Draper famously discovered that a toy whistle given away boxes of “Cap’n Crunch” cereal delivered the perfect tone to replicate a special “administrative operator” line tone used to access restricted modes across the public phone network. All the elements that we outlined above are present here in that the technique is elegant and cheap (in using a free toy whistle), required a knowledge of the technology involved (the phone dial tone protocols) and exploited an edge case of an existing system.
An even earlier example of hacking involves two twins Joseph and Francois Blanc, who worked in the financial industry. At the time there was a system of semaphores used for long-distance communication within Europe, prior to the electronic telegram, a system based on a series of spaced semaphore towers – each tower or station operating a large contraption of wooden beams controlled by ropes and pulleys that could indicate different characters or meanings, similar to the system of naval signalling flags, and each relaying messages from one to another via line of sight.
The Francois brothers bribed a semaphore operator to transmit stock market messages for them across the (government operated) semaphore system, allowing them to gain a head start on changing financial prices. Since the brothers did not have the collusion of every single semaphore tower operator along the message path (only the originating tower) they needed to find a way to send a message but that could not be detected as such by tower operators. They struck upon the idea of having the operator send unlikely error signals followed immediately by “correction” signals that were effectively coded messages. This practice of hiding even the existence of a secret message is known as steganography and is still used to this day.
Mechanical and geared systems for processing and communication in particular date back potentially as far as 100BC. The earliest known instances include devices such as geared astrolabes, planetaria and orreries used for astronomical calculations and predictions, such as the controversial Antikythera mechanism, however little is known of the usage of these devices, let alone documented instances of their being subverted by hackers.
In the broader sense of a hacker culture that we described above, however – using a cleverness and understanding of systems to bypass convention and disrupt expected activities – examples exist throughout history. Technically these are extremely far removed from modern concepts of hacking, but culturally and ideologically they can often share much in common. Humans have been finding ways to exploit established systems throughout history, whether those systems are technological, administrative, or otherwise. Just as with software or operating system, human institutions have expected or intended usage patterns, as well as unconsidered edge cases that offer points of vulnerability and loopholes. A “civic hacker” may be willing to exploit them in their own self-interest.
An early example of this type of thinking applied outside of a computing context is the Roman corvus. The Roman Republic became engaged in a protracted war against Carthage. Carthage was a significant empire bordering the Mediterranean and with a power based backed by significant naval force and experience. The Romans in contrast had not fought a significant naval war previously but were used to conducting land-based warfare, and its main assets were the discipline and the courage of the Roman soldiers. Rather than attempt to replicate Carthaginian ship design, tactics, and training, the Romans instead came up with a simple solution that allowed them to subvert Carthaginian expectations for how naval warfare should be conducted and to simply fight a “land war” at sea instead. They fitted their boats with massive boarding bridges that allowed their infantry to board Carthaginian vessels and overcome the Carthaginians’ superior naval experience and skills: a simple and elegant solution requiring minimal change or effort but delivering a significant force multiplier and undermining expected practice and conventions.
Whilst we can’t protect you from hordes of rampaging Roman legionnaires, AppCheck can help you with providing assurance in your entire organisation’s security footprint, by detecting vulnerabilities and enabling organizations to remediate them before hackers are able to exploit them. AppCheck performs comprehensive checks for a massive range of web application and infrastructure vulnerabilities – including missing security patches, exposed network services and default or insecure authentication in place in infrastructure devices.
External vulnerability scanning secures the perimeter of your network from external threats, such as cyber criminals seeking to exploit or disrupt your internet facing infrastructure. Our state-of-the-art external vulnerability scanner can assist in strengthening and bolstering your external networks, which are most prone to attack due to their ease of access.
The AppCheck Vulnerability Analysis Engine provides detailed rationale behind each finding including a custom narrative to explain the detection methodology, verbose technical detail, and proof of concept evidence through safe exploitation.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
As always, if you require any more information on this topic or want to see what unexpected vulnerabilities AppCheck can pick up in your website and applications then please contact us: info@localhost
No software to download or install.
Contact us or call us 0113 887 8380
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network and cloud infrastructure. AppCheck are authorized by te Common Vulnerabilities and Exposures (CVE) Program aas a CVE Numbering Authority (CNA)