Cyber Culture: Why hackers are being asked to come and have a go, if they think they're smart enough

  • @rhodri

Security personnel tend not to challenge the public to sneak unnoticed into buildings they're guarding, preferring to give the impression that the entrances are impregnable and they themselves are invincible. But the "keep out or else" approach doesn't work online, where cyber attacks are rampant and the task of thwarting them is too colossal for stretched IT departments.

Instead, companies are encouraging us to discover weaknesses by hacking their websites: to have a go if we think we're clever enough. At a recent TED (Technology, Entertainment, Design) event in Hawaii, web-security expert Jeremiah Grossman gave a talk entitled "Hack Yourself First" which outlined this principle of ethical hacking; permitting people to hack systems provided that they disclose their findings.

Thinking of hacking as a benevolent practice runs contrary to everything we've ever been told, but there's a growing movement of crusading "white hat" hackers, partly encouraged by the huge sums that companies pay out in rewards for uncovering flaws. An annual white-hat conference, ShmooCon, took place in Washington DC a few days ago and was attended by 1,800 people whose interest in gaining access to restricted areas is totally benign – at least, that's what they say.

Google has a roll-call of people who've pointed out coding errors and helped make its products safer, grandly termed the "Security Hall Of Fame"; one of the latest additions is a 15-year-old boy from Norway, Cim Stordal. In an interview with CNET he revealed the time it took him to uncover flaws (four days for Facebook, five minutes for Apple) but the more surprising revelation was that he's only been doing this kind of thing for a year.

When you know that an inexperienced teenager can quickly find holes in the world's most popular websites, it's easy to see why hacking of the non-white-hat variety is so widespread. And why some companies are now having to place their trust in white-hat hackery.

Despite its bad-boy name, jailbreaking is legal, for now...

When spiffy new features appear on your smartphone during software upgrades, you can be sure that a handful of those ideas emerged from the jailbreak community. Jailbreaking – or rooting – is about getting under the bonnet of the phone, gaining access to features that the operating system (OS) wouldn't normally allow, and exploiting them with apps. Jailbroken iPhones, for example, could sync over Wifi and record video clips long before their squeaky-clean, Apple-approved cousins.

Unsurprisingly, jailbreaking isn't smiled upon by manufacturers; it wrests control of the device away from them, transporting it away from a safe, fluffy, cosseted world and into one full of possibility and (so we're told) danger. So it probably invalidates your warranty, and keeping it jailbroken when your phone's OS is upgraded can be tiresome – but it's not illegal, and hasn't been since a ruling by the US Copyright Office in 2010.

These rulings come up for renewal every couple of years, however, and so the issue of jailbreaking is once again being kicked around furiously. The Electronic Frontier Foundation (EFF) is campaigning for the exemption to be extended to tablets and video game consoles, arguing that it provides an essential platform for innovation, and allows the untapped potential of our devices to be explored and tinkered with.

The Apples and Googles of this world will be submitting incredibly detailed legal arguments as to why this isn't a good idea. It seems unfair to me that a niche activity borne out of curiosity and enthusiasm should ever be punishable by a fine or a jail sentence – but then again I'm not a multinational technology company, so what do I know?

Information wants to be free. So do oppressed citizens

Intrepid geekery may also have a big part to play as emerging legislation begins to affect the way we use the internet. Much has been written about Sopa (Stop Online Privacy Act) and Pipa (Protect Intellectual Property Act) that are currently being debated in the US, along with the global Anti-Counterfeiting Trade Agreement (Acta); all three seek to criminalise certain types of internet activity, but some vague definitions and lazy wording seem to jeopardise some legal activity, too.

Last week, Infoworld's Paul Venezia lamented the internet becoming "crippled by greed and ignorance". But, as the slogan goes, information wants to be free. And there'll be thousands upon thousands of tech-savvy netizens working hard to circumvent any measures that are put in place.

Anonymising services such as Tor are already used by whistleblowers and human rights workers, alternative domain name servers (DNS) can circumvent countrywide blocks, while proxy servers and virtual private networks can run rings around attempts to censor the web.

Venezia envisages a jailbroken internet, where all these circumvention measures are wrapped up into a package you can install to bypass the standard internet pathways, prolonging this digital game of cat and mouse. Many might deem it frivolous, wilful lawbreaking, but those whose voices are being silenced by oppressive regimes will relish the idea of a jailbroken internet.

QR codes: a boon for lazy shoppers – and mischievious sports fans

QR codes, those blocky, black and white symbols that appear on printed adverts and look like the results of blindfolded knitting, are becoming more widespread; one American survey recently noted a 400 per cent increase in their appearances in magazines over the past 12 months.

The idea is that snapping the QR code with your phone's camera will instantly take you to a website with further information about that product, service, album or film.

But aside from a single exploratory snap I made when first writing about QR codes for this newspaper a couple of years ago, I've never used them – and I'm not the only one.

It's supposedly a one-click "information solution", but in reality it's a drag: you have to launch the barcode reading app, wait for the cameras to focus, keep a steady hand, snap the picture, hope the image is clear, and then keep your fingers crossed that you've got an stable enough internet connection. You're probably better off memorising a URL – or, God forbid, writing it down. But QR codes do have their uses.

There are virtual supermarkets at stations in South Korea with pictures of goods each appended with a QR code; just snap the products you want and they're delivered to your home within hours.

But aside from it being a clumsy means to an end (one commentator described it as like putting roller skates on a horse) it's a system that's obviously ripe for mischief. Stick your own codes over existing ones and you can easily transport the unwitting snapper to a website of your choice.

This was beautifully demonstrated the other week at a football match in Turkey, where fans of Karsiyaka FC made a banner with a QR code on it. When the opposing fans of Goztepe FC took pictures they were immediately transported to a website informing them that they were "sons of bitches", providing not only a good laugh for Karsijaka fans, but also one of the best headlines I've seen for a while: "QR Ya? QR Ya?"