How Hackers Hack, and What We Can Learn From It

Hackers have a high tolerance for ambiguity. By the nature of their work, these engineers regularly need to navigate unfamiliar environments. But as it turns out, they don’t look at uncertainty as some unpleasantry that comes with the job. For many of them, uncertainty is what they enjoy the most.

At most workplaces, poorly defined tasks can be a major problem. If managers don’t explain the job well, they can’t expect the work to be done correctly. A bad job is everyone’s time wasted, so managers try to define tasks as best as they can.

Still, life has a habit of dropping surprises into our path. We all find ourselves facing unfamiliar challenges from time to time, and many of us are unequipped to handle them.

Hackers, on the other hand, not only accept ambiguity but thrive in them. One study asked hackers whether they’re comfortable with tasks that lack definition. The overwhelming majority, 70 percent of respondents, said they are indeed comfortable. Some went so far as to express their desire to work on complex problems and in complex environments.

But how do hackers prepare for handling this chaos?

Motivation goes beyond the color of the hat

Before we go on, we should note that in this post, a hacker is someone who solves unusual computer problems.

Some of the “hacking” in the news has very little to do with solving problems. Many exploits are carried out by amateurs, who did nothing but install capable software to cause damage. And some things that we’d call “hacking” won’t be in the news at all: when engineers investigate computer systems and repurpose them for new tasks they weren’t designed for.

When it comes to real security engineers, however, neither good intentions nor bad ones seem to truly motivate them to hack into systems. Granted, a “white hat” or ethical hacker might desire to be known for being smart, and a “black hat” fraudster might want to cause harm.

But studies suggest that for hackers, intellectual stimulation is a more important driver than fame or capital gains. It’s the so-called “enjoyment-based intrinsic motivation” they pursue. What matters is how creative they feel while working on the problem.

Thinking way outside the box

To push the limits of a computer system, you first need to gain deep knowledge about it. This is often hard for hackers, as administrators keep all documentation locked up. Security engineers, therefore, find themselves facing unknown systems.

The only way for them to learn more is the hard way: using creative thinking skills and imagining what the system can possibly be doing. Hackers might attack the problem from multiple directions:

1. Look for other systems that might be similar to this one. To build mental models, a good first step is to find an example that can give insight into the current system. Leveraging previous knowledge is a professional’s best tool.
2. Collaborate with others. No hacker works in a vacuum; there’s a dynamic community out there that includes journals, conferences, and forums. A great way to evaluate a strategy or decision is by debating with other experts.
3. Interact with the system in any way possible to build and improve their mental picture. Hackers want to find a “feedback machine” early on: change something in the inputs, and observe what happens afterward.
4. Visualize the architecture, and construct topological models. What components may be in there, how do they behave, and what are the relationships between them?
5. Look for anomalies. Anything that looks odd or out of place can give a hint about the system. All those warrant further investigation.

Whatever the hacker’s goal is, their first step is building their knowledge base. Knowing more about the system helps engineers deduce potential consequences, even before touching a computer.

As Albert Einstein said, “If I had an hour to solve a problem, I’d spend 55 minutes thinking about the problem and 5 minutes thinking about solutions.”

Find your flow

Some independent security engineers find bugs for free, even when companies would pay them handsomely for their work. We also see malicious hackers who have been repeatedly caught and punished, yet still, continue to work on exploits—as if they were addicted to it.

Much of a hacker’s productivity lies in their ability to enter the “tunnel,” the flow state when concentration becomes intense and focused. This is when working on the problem becomes its own enjoyment, and hackers are great at putting their head down and put in the hours. It all starts with shutting the door and getting to work.

When embarking on one of those poorly defined jobs, these programmers start with collecting information. Sometimes they find a project that’s too easy, and other times the challenge proves to be bigger than what they can solve alone. Whatever the problem they face is, they first form a deep understanding of it, and only then start offering solutions. Quite the opposite of what everyone else does.