Wednesday, May 29, 2024
The Observer

Ex-hackers roundtable discusses 1990s hacking, security industry

Notre Dame faculty Walter Scheirer and Luis Felipe Murillo began teaching a course last spring called “The Archaeology of Hacking: Everything You Wanted to Know About Hacking but Were Afraid to Ask.” On Thursday, the two faculty members held a hacker roundtable where 1990s hacking and its evolution were discussed by three ex-hackers and a professor of anthropology.

The panel was mediated by Gabriella Coleman, a Harvard professor of anthropology focusing on hacking and computing. Panelists included Rocky Witt, a senior security engineer in the cryptocurrency industry; Mike Schiffman, lead of network security engineering at Google; and Stephen Watt, a software engineer at DomainTools. Witt, Schiffman and Watt were all former hackers.

Each panelist introduced themselves and told the story of how they became interested in hacking.

Witt said his family received their first computer in the mid-1990s. 

“I was very bored in school, very bored in my small town and I turned to mischief to keep myself entertained,” he said.

Witt's first attempt to gain unauthorized access into systems was copying login strings.

Schiffman said his first experience with a computer was with a Commodore VIC 20, which was owned by his father.

Schiffman's friend introduced him to the hacking world, where he used Internet Relay Chat (IRC) to “consume information.”

Watt received his first computer around 1991, when he was about eight years old. 

“I got online because I grew up in Florida — weather was too hot,” Watt said. “Shortly thereafter, I started dialing up some local bulletin boards with my modem. From there, I started getting into pirating software.”

When Coleman asked about the “multifaceted” social scene among hackers in the 1990s, Witt mentioned the widespread use of IRC in “looking for sources of information or people who can teach you something.”

“Back in the day, it was probably a lot more likely that [security vulnerabilities with ‘zero days’ left to protect] would actually leak. You’d have … a closed network of people sharing information between trusted friends and somebody might just publish it,” Watt said.

Watt said an interested hacker would usually have to ask highly specific questions rather than request general help in order to appear more advanced and receive specific codes.

Witt then mentioned the use of script kiddies — publicly accessible means to hack into computers — and the stigma attached to them at a conference he once attended.

The three main panelists — Rocky Witt, Mike Schiffman and Stephen Watt (from left to right) — spoke about their transition from hacking into the security industry.

Coleman then transitioned the conversation to the hacker pipeline into the security industry, which she described as “contentious in the underground.”

Watt said the current security industry “couldn’t be further away from how things were done in the past.” He specifically noted the overuse of puns and branding applied to information within security.

Schiffman said he “started working at companies and aggregating sort of both things [hacking and a job in industry] at the time … until I eventually started to just sort of transition out of the hacking scene entirely.”

As the last question, Coleman asked about the current state of security and the possibilities for hacking. 

Watt and Schiffman both noted how current hacking is less “innocent” than what it was years ago.

“There’s just a lot of money on both sides,” Witt said, pointing to a motive for current hackers.

When asked if the three hackers do anything differently with regard to their own security, Watt said he has nothing on the cloud. He also described social media as a “trade-off.”

Schiffman said he likes to minimize his footprint in his posts, specifically with regard to location, and Witt explained his lack of use of technology when he's not on the clock.

“I don’t really use computers outside of my job,” Witt said. 

All three agreed that they do not see a relationship between being an expert in security and excessive concern with personal data.