The term “hacker” is thrown around liberally nowadays. It’s a surefire traffic-boosting headline, and the media seizes any opportunity to publish a story with a hacker connection, often positioning the word as a synonym for “malicious attacker.”

Hip Hop Hooray

Hacker: ( noun hack·er\ˈha-kər\)

  1. one that hacks
  2. a person who is inexperienced or unskilled at a particular activity
  3. an expert at programming and solving problems with a computer
  4. a person who illegally gains access to and sometimes tampers with information in a computer system

(source: http://www.merriam-webster.com/dictionary

The term “hacker” is thrown around liberally nowadays. It’s a surefire traffic-boosting headline, and the media seizes any opportunity to publish a story with a hacker connection, often positioning the word as a synonym for “malicious attacker.” The infosec community, more comfortable with the term but divided on its meaning nonetheless, understands that hackers aren’t necessarily bad guys. Still, even within the community, “hacker” is often casually lobbed into the “criminal” camp as an easy way to differentiate threat actors from enterprise security practitioners, the latter defined as clearly and cleanly fitting into the “good guy” box. 

As the hype around cybersecurity has grown hotter over the past few years, and the word “hack” has evolved (e.g., Buzzfeed and its plethora of “how to hack your life/eating habits/household chores” stories), hackers have had an easier time landing jobs with enterprise security teams without having to couch their work in more corporate-friendly terminology. Yet, as highlighted by Lance James, the InfoSec World 2016 opening keynote speaker, a rift often exists between the “hackers” and the rest of the organization even when they’re members of the same team. One half of the issue can be attributed to the hacker community and its reluctance to integrate and/or coach others about the true meaning and goals of being a hacker; the other half is the skewed perception of the non-hacker community that hackers are naughty by nature and inherently weird or different.

Last year in an informal discussion with Jen Ellis, Vice President of Community and Public Affairs at Rapid7, InfoSec Insider learned how Ellis, along with industry colleagues, is on a mission to change the perception of hackers both within and external to the infosec community. Ellis feels strongly that “hacker” should fit into (an expanded) definition #3, above, rather than #4, or some other dubious and/or distorted version thereof. She shared her point of view during a recent chat.

What does “hacker” mean to you?

Ellis: To me, a “hacker” is someone interested in understanding the way things work, both in terms of the potential and the boundaries. The term is often applied to cybercriminals. To me, though, it’s relevant to all sorts of people, many of whom have no nefarious intent, but are instead driven by technical curiosity or perhaps a desire to understand the risk associated with certain technologies, and in some cases, to make those technologies safer.

How has the meaning of “hacker” changed in recent years?

Ellis: The term is increasingly used in mainstream media to refer to cybercriminals or attackers. The security community (a.k.a. the hacker community) has lost control of the word, and unfortunately it’s now weighed down with negative connotations.

At the same time, many hackers are evolving in themselves and are starting to take a more active role in trying to make the internet safer and build better education and awareness around security issues.

Does an inherent connotation of “hacker” perpetuate? If so, what is it, and why is it spot on or inaccurate?

Ellis: That depends on whom you ask. Unfortunately, for the majority of non-security people, the word “hacker” conveys someone shady with nefarious intent. Hackers are often portrayed with negative stereotypes, showing them as antisocial or socially inept, and stock photography of hackers will typically portray them sitting at a computer wearing a pulled up hoodie, a balaclava (who hacks without one?!), or an Anonymous mask.

For those in the security community, I think the word “hacker” generally has a very different connotation—one of curiosity and perhaps even playfulness (the latter was an observation made to me in Vegas [at Black Hat/DEF CON], and I’m not completely sold on this definition, but thought I would share anyway).

What can the infosec community do to further understanding of security and hackers?

Ellis: Many security professionals feel it is our responsibility to educate others as we understand the risks and the importance of security, which is complex for many non-security folks to grapple with. For those interested in spreading the word, I would say the best path forward is to try to relate to people who are not security-minded and try to make security simple, easy, and relatable. Use examples they care about (like John Oliver did with the Edward Snowden interview and “Dick Pics”) and give manageable, practical advice. For example, if you tell people to use two-factor authentication on everything, they probably won’t. If you tell them to use it on their primary email account which connects them to all of their accounts, services, and information aside from of work, two-factor suddenly becomes realistic and manageable.

The same applies when you are engaging your granny, your little nephew, executives in your business, or even policy makers in discussions about information security. It’s always about making security relevant to what that person cares about, is consumable, and is easily actionable. A life hack, if you will.