What Comes Next for the Art of Hacking?
by Matt
I've been reading 2600 for decades. I read it when there was paranoia about who was watching the subscription lists for it. I even used to pay cash at a local bookstore to buy my copies. Now it's both commonplace to read and discuss the magazine. Plus you can even subscribe online and get PDFs or EPUB versions to read (thank you, editors).
I've turned countless people on to reading the magazine, but there is virtually no one newer to the field I've spoken to who knows the origin of the name and why it's so closely connected to the hallmark payphone photos which has always acted as the magazine's calling card. I won't go into that here. As we say in chat speak: IYKYK.
Phone phreaking though I will talk about. It was one of the original "hacks" - manipulating phone systems to make free calls. As someone who spent a number of years working for a telecom manufacturer designing and configuring PBX systems, I always found the way voice switching and routing functions operate to be fascinating, and how easy it is to manipulate them. Analog tone-based control just like Close Encounters. Genius.
I also remember very early Windows systems, where you could effectively crash a system with a memory worm in about two lines of code using a random number generator, and Slackware 0.x kernels with their password files and X GUIs that had myriad ways to get around only basic security.
I've watched security postures mature over the years, and in turn, hackers got increasingly creative about their methods: packet-in-packet exfiltration, screen scraping, RATs, network snooping, peer-to-peer, and more. Then, as hacking became more of a business and increasingly industrialized, it was all about monetization. Gotta pay those bills and the salaries of the many people working in call center-like offices whose job it is to unlock ransomware impacted machines or convince people their computer needed a driver or a multiyear support contract to avoid a dreaded error code which amounts to nothing more than a standard Window hash.
The art of hacking in the past few years, while alive and well, has from my view morphed into something new. There are still purists who largely do what they do because they love it (think David Lightman from WarGames), but there are certainly people out there who now also use it as a source of income, and not always from malicious pursuits. As one example, the CEH accreditation has become well established as a prized, valuable asset for security analysts and leaders at even the largest companies.
As I think about the future of the space, setting groups who monetize predation tactics aside, I wonder what comes next for the people who just love the art of the hack now that we're seeing the widespread adoption and exploration of AI. AI models are deeply rooted in advanced mathematics. Read any paper on bias, training, or ablation tactics on models and it's virtually all graphs, tokens, and mathematical equations instead of scripts, code, and debugging. While traditional code-based hacking is still popular, it has become more complicated and less impactful on newer systems. While still crucial, especially for pen-testing and tabletop exercises, a whole new area of "hacking" (if we still would call it that) is emerging using natural language for engaging in mind games with generative models. Messing with an AI on a psychological level can be far more engaging and fruitful (depending upon your objective).
It also makes me consider what comes next.
Will traditional hackers take up inference or tuning corruption, corpus poisoning, and AI worms? Will new hackers focus only on those things, never knowing the origins of their craft? Will hacking as we know it dwindle in favor of simply becoming prompt engineers?
In my opinion, there should always be a need for understanding the basics.
I recall an experiment an MIT professor conducted in late 2023 where a class was divided into two groups of students. One group used an LLM to solve a coding issue and another group used Google search. There were two objectives: first, produce the correct answer quickly. Second, repeat the process without the help of online capabilities.
The LLM group won the first objective and failed miserably on the second. The Google search group finished last (but still solved the problem) on the first objective and were the only ones who could pass the second.
The moral: modern tools may be fast and accurate, but they also don't reinforce the basics and without that, people become too dependent on tools instead of their own knowledge.
It's because of this I hope that new people who enter the fray study the origins and find ways to use that to their advantage.
After all, AI red-teaming is a crucial step in testing AI security, so I don't believe hackers/hacking will ever go away. But I do wonder if the days of creating elaborate code traps and building points of entry to systems and networks are coming to a close.
I mean, why break into a data store if a large language model has all the contents of that store in its memory and you just need to coax it out?
Bottom line: I believe the people just getting into this should understand where we came from, no matter what the tech/tools flavor of the month happens to be, and traditionalists also need to embrace everything new.
The people who do both will be the future. And they're also the only ones who will understand what "2600" really means.