Hackathon Season is Upon Us

The use of the term hacker used to be derogatory, conjuring up images of someone cackling like a witch, hunched over a computer as they steal some poor unsuspecting fool’s bank details. This is changing, though, and the present use of the word is much broader and less critical.

A couple of weeks ago I wrote a post about Aaron Swartz, and many see him as “a hacker for good”. He was greatly revered and respected in the Internet world and considered a programming genius by many.

Today many Internet companies also offer prizes to hackers who can break their security systems so that the weaknesses can then be repaired, all done more or less in secrecy, obviously.

Here last week in Cambridge, Massachusetts, MIT held a Hackathon. The prize for the best “hack” was $1500, with plenty of runners-up prizes too. It is sponsored by Techfair, who organize a large business fair.

People from tech companies are invited to the hackathon to meet the ‘contestants’. It is in fact a job fair too, but, as the website says, don’t bring a CV; we just watch to see what you can do. There are tech talks and mini lectures, all above board, as you can see from the website here.

Inside a Hackathon

This 20-hour marathon is neither the only nor the biggest hackathon in the USA. In January the Foursquare hackathon took place in New York City. The website has a link to all of the submitted hacks, and they are possibly nothing like you imagine. They are websites that can tell you how long you might have to wait in a certain restaurant, tell you NASDAQ values or help you influence the choice of music played around you, to name just a few.

All this is organized with the help of Hacker League; as they say on the website, you can “trust Hacker League to handle hackathon planning and organization” because they “power Hackathons”.

The biggest is in Pennsylvania and is called PennApps (presumably after the University). Their January event attracted more than 450 students from 40 universities from all over the world, the prize being $4000 and a visit to Google HQ to demonstrate their work.

So the use of the word “hack” has clearly taken on a different meaning.

As many of you might know, my work at the Bassetti Foundation is all about responsible innovation. If we take case 1, writing code to steal bank details or destroy somebody’s reputation by getting into their email account, we might see this as irresponsible. But case 2, improving security, breeding entrepreneurs and innovation using the same skills and through the same actions by the same people, might be seen as much more responsible and is in fact promoted by organizations, businesses and universities.

It doesn’t look much like hacking to me though.

Kill the Password

This week I would like to draw readers’ attention to an article that appeared in Wired at the end of last year. Written by Mat Honan and entitled Kill the Password: Why a String of Characters Can’t Protect Us Anymore, it makes for really interesting and alarming reading.

The author starts by explaining that he lost all of his digital life last year when his accounts were hacked, an event that led him into investigating online security and how it is breached.

What he discovered is not for the faint-hearted. The linking together of different accounts using an email address as the username means that any seriously interested party with a little time on their hands and very little money can relatively easily get into a single account, and from there into the others.

His conclusion is that the culture of using passwords for security is outdated, a thing of the past, and that anyone who tells you otherwise is either deluded or trying to convince you of something that is not true.

Worst passwords of 2012

The availability of personal information is a problem because resetting your password is gated by personal questions. Mother’s maiden name, place of birth, etc. are easy things to find out about anybody through ancestry sites or other documents. Once you have somebody’s email address, you try to reset the password using the personal questions through the provider’s website. The answers might be on Facebook, or on their blog, or may simply be guessable, but they are out there.

Then there is the customer services rep that you speak to by phone. They are people and can be misled. The article contains a transcription of a conversation between a hacker and one of these people. As the user needs to be able to reset the password, they are offered a series of questions that get easier and easier to guess. Names of best friends can be found using Facebook or other social network publications; if not, try favourite food or others, but the example given is the name of one of the files in the account. Try Google, Amazon, Personal; one will be right.

So the problem is that the system needs to be flexible and easy enough to use, so we must be able to change our passwords easily, but this makes security impossible.

How can this problem be addressed? Here the trade-off is privacy. If the company knows you, through your search histories, places you have been, where you work and what you like to do, it might be better able to tell whether the person resetting the password is you, but you lose any privacy you think you might have.

Voice recognition can be tricked using recordings, and so can biometrics and fingerprints. Once a system relies on things that cannot be changed or reset, the problem is magnified. If I have a fingerprint lifted from a screen I can use it to get anywhere, and new fingers are hard to come by these days, so what do you use next?

The article poses these problems from the point of view of somebody who has been hacked, but the author also looks at who these hackers are and even meets a couple. It is big business in certain circles, particularly in the Russian-speaking world, where organized crime has a large stake and makes a lot of money through stealing identities and all that follows. In other circles they are just “kids” having some fun wreaking havoc.

There are a few simple strategies outlined in this (not short) article that are worth following, but none are foolproof, and that is a lesson we could all learn from. Just a word of warning: it contains some harsh language.

On a lighter note, happy new year to everyone, and my mum’s maiden name was Windsor (no relation to either Barbara or Elizabeth).