Ýmir Vigfússon is an Icelandic hacker and a computer security expert.
The hacking community is one that values only knowledge, rather than social class, money, looks, background. They feel a thrill when they discover an exploit or serious bug after hours of searching, for example one of Ýmir’s friends was playing with his online banking app and discovered he could transfer negative amounts (effectively taking money from other people’s accounts). As a youngster, Ýmir was hacking into a server when his parents used the phone. This disconnected him, and left the server broken so that even Ýmir couldn’t get back in. He owned up to the system administrator and thankfully found the admin an amateur hacker, quite accepting and interested in Ýmir’s indiscretions.
There is an attitude that security can be bought in a big expensive box – that a single piece of equipment like a firewall or a server will protect people. Ýmir sees it differently – like a house with a massively secure front door but all the windows wide open. Hackers think about the system as a whole, asking “how would I break in”, and so can build a much more secure system by constantly challenging it. Defending against a cyberattack is difficult, since you need to set up a defense against every possible attack, while the attacker needs to find only a single vulnerability.
Ýmir wanted to transfer this mindset to others.
- He has set up a university course to teach students the techniques to hack, with 30 graduates per year.
- Formed a consulting firm to simulate cyber-attacks on big businesses, and lead them through the process to improve their security.
- Set up hacking competitions. He starts by asking people to hack a server on the internet, then selects finalists to hack each other on stage. This gets a lot of public excitement, and lets him reach out to ‘lay’ audiences & media with his methods.
Ethically, people could be concerned about Ýmir arming a wider audience to hack. But he has to put his faith in students to act ethically: as does a martial arts or chemistry teacher. Ethics is a part of his course, and he believes his methods have swayed young hackers into a more useful career than destructive hacking. He thinks of himself similarly to the sysadmin who encouraged him when he made a mistake as a delinquent hacker.
An important reminder that having a ‘dangerous’ skill does not necessarily make someone dangerous.