Hacker Conversations: Dan McInerney and Puzzle-Driven Hacking

Dan McInerney, currently lead AI threat researcher at Protect AI, came late to tech hacking. He was a 22-year-old psychology grad when he started. His journey, however, provides new insights into the creation and motivation of a hacker.

Most hackers define themselves as someone driven by curiosity to understand how an object – it could be anything – works. This involves disassembling the object, or less prosaically, breaking it. Some go one stage further, suggesting the hacker has an urge to reassemble the object differently – either to change or improve its original purpose.

Dan McInerney has a different view: a hacker is fundamentally a puzzle solver. The hacker sees a puzzle, or problem, and is intellectually driven to solve it. Solving the puzzle, rather than understanding or improving the object, is the drive and the goal – and technology is merely one field for the hacker to play in.

McInerney was a psychology grad. He’d had no specific training in technology, and his academic history was pushing him toward a career in business or marketing. But when he was 22 years old, he found a puzzle that he needed to solve: how to get more out of his iPod. This meant jailbreaking it.

“I didn’t know much about computers, nothing really,” he explained. “This was back in 2011, and it took me eight hours of jailbreaking to solve the puzzle. I have to say that succeeding was such a rush. I had one goal, and I was in this psychological state where I lost all track of time. I had three possibilities at every point; so, I just try all three possibilities, and one of them would work and I’d get three new possibilities. Which way do I go? This state was so intense that I’d never experienced anything like it.”

He likens it to being ‘in the flow’; a condition not unknown in sports, music – and computer security. It is also known as hyperfocus, where consciousness and concentration are entirely focused on a single subject. For McInerney, the process was so intense that it changed his life’s direction. We probed for details. He’s had other periods of being in the flow, like when he spent 12 months learning about computers and hacking, and when he spent two years grappling with AI.

“At such times I might stay awake for 48 hours; just a manic period of having to achieve the goal before going to sleep.” During such periods he is aware of an increase in serotonin, like a drug rush. 

“It’s like lock picking,” he continued. “Lock picking and hacking go hand in hand. When you’re picking a lock, it’s like you just bang your head against it for so long, and suddenly, it just explodes open, and you get this immediate surge of adrenaline.” For him ‘the flow’ is a combination of joy (the process) and adrenaline (the success).

From this description it is tempting to think he may be neurodiverse. McInerney is not sure. ASD is a wide-ranging condition that has no specific medical test – it is more usually diagnosed as a probability rather than a certainty. “I feel ‘flows’ are a little more general than just being applicable to ASD,” he said. “I think ASD and similar people on that grand spectrum do have tendencies toward hyperfocus; they tend to have a bit more obsession with singular topics. And I can see myself in that a little bit. I have never been diagnosed, but some of my friends have wondered about me because I do get that same hyperfocus. In the industry, absolutely, I think ASD is overrepresented, compared to the general population. I think part of that is also because it’s a solo activity; you can just do this in your room for 12 hours and have a great time. You don’t need a studio or a lab or anything like that…”

It was the experience of hacking the iPod that changed McInerney’s life. He realized that what he wanted was not a business or marketing future, but a career in computer security – largely for the huge intellectual buzz of tackling and solving complex techno problems. But he had no computer training or background.

“I remember having a heart-to-heart with my parents and saying, ‘Listen, thank you so much for everything you’ve done – I’m now going to throw it all away to embark on this other thing, that may not work out.’”

But they supported him. “They supported me for about a year with the small bills. I had to make sure that I could study full time; so, I studied basically 12 hours a day for about a year. I just locked myself in my room and did a couple of hours of online work to pay the rent.”

He recalls it as one of the most enjoyable times of his life. “After that little sabbatical… I don’t even know what to call it, it was like my personal Walden Pond… I just shut myself in, and got caught up for a year, just full time, 100% focus, no distractions whatsoever and long periods of the flow. After that year, I finally got a job that got me into the tech industry, and a couple of years after that, I got the actual pen test job that I was dreaming of.”

Most hackers start with a childhood fascination with computers, growing expertise, and an increasing desire to demonstrate that expertise through playing pranks on their friends. McInerney didn’t follow this route. He never played pranks, but he did have one school friend who enjoyed hacking games.

“One of my friends started hacking Diablo II, and he got very, very good at game hacking. He didn’t really want to play Diablo II, he just wanted to hack it – he wanted to get past the anti-cheat and build his own cheat. But as soon as he builds the cheat system, he’s really not that interested in using it. He’s just interested in breaking the original.”

This same friend demonstrated one of the few prank hacking examples he experienced. “It was in high school,” he explained. “He wrote a simple virus – it’s hard to even call it a virus. It was a program that just did some stuff that he said it didn’t do. He would go on chats, and he would say, ‘Hey, guys, I have this Gold hack. Come and download it.’”

But it wasn’t a Gold hack. When someone downloaded it, it took over the webcam. “And then it would tell that person to go inspect the serial number of the CD drive. As soon as they did that and put their face really close to the CD drive looking for numbers – boom – the ‘virus’ would eject the drive and the webcam would catch the surprise.”

McInerney notes that the ‘hacker’ could have done anything on or to that computer, but he didn’t. “He just enjoyed the pleasure of the prank, and solving the security puzzle of ‘how do I write a very simple virus and get people to download it?’ Social engineering,” he commented, “is total manipulation. And it’s a bit of a rush to get someone to do something that you want them to do.”

Of course, by the time he was able to play pranks, he had outgrown the pleasure of pranking friends – even though his newfound direction was bringing him into closer contact with other hackers.

“As soon as I started learning how to hack, I pretty much jumped into the hacker circles and all my friends became hackers. Pranking hacker friends scared me a little bit because I know the powers they have. So, I can’t say that I did a lot of pranks on my friends – mostly because I feared the repercussions.”

It is interesting to conjecture whether the late entry into hacking as a psychology graduate rather than a kid looking for kudos among friends has played any part in McInerney’s hacker makeup. He has never been tempted to use his growing skills for anything other than good. That boundary between ‘whitehat’ and ‘blackhat’ hacking is something we try to explore in this series. We asked him directly.

“I wonder this myself too,” he responded, “because I fall squarely in that whitehat hacking field, where I can get paid a lot of money and not have any risk of losing everything.”

He thinks there may be two primary motivations that tip hackers to the dark side. The first motivation is the risk factor. “I think blackhats tend to have a higher drive for adrenaline and rush than a lot of the whitehats. You’re taking a massive risk, and I’m sure you can feel the adrenaline rising when you’re committing a felony. I suspect that, psychologically, blackhats get more pleasure from the adrenaline rush.”

The second motivation is simply money, but with complex geographical wrappings. “It’s really fast money. If you do a campaign of locking computers and collecting ransoms – ransomware – it’s not hard. It’s surprisingly easy. But most of the people I know who do blackhat stuff tend not to live in America – they tend to live in countries where making money legitimately is much harder.”

As an example, he compares the US and Russia. You can make good money as a whitehat in the US, but not so much in Russia. It is easier for a Russian hacker to make money as a blackhat than as a whitehat. “In the US, the risk/reward balance for blackhat hacking doesn’t make sense. In other countries, it makes perfect sense.”

One concept he rejects as a factor between blackhat and whitehat hacking is the ‘moral compass’; the idea that a whitehat gets to claim that being whitehat is because of a superior moral standpoint. “If you’re a whitehat, it feels good to say, ‘I’m a moral person, and that’s why I don’t do this other stuff.’ But do you really get to morally grandstand?” he asked.

“Given the exact same incentives that a Russian hacker has, and that person’s inability to make the same amount of money as you (plus the likely lack of consequences provided you only hack outside of Russia), I guarantee these people who are saying, ‘Oh, I’m just a morally superior person to the blackhats’, would probably make the same decision as the blackhats. Everybody likes to think they are moral. Even murderers will say, ‘Listen; I’m a good guy, it was just one little mistake.’ So, I don’t want to indulge people who claim, ‘Oh, I do it this way because of the greatness I can bring into the world, and I don’t want to do harm.’ I think that’s a backward rationalization [justification after the fact rather than argument in favor of the fact].”

Dan McInerney’s path to becoming a hacker is subtly different to many other hacker stories. He started as a 22-year-old psychology graduate rather than a computer-obsessed 9-year-old kid. His motivation is also subtly different. It is not the common curiosity-driven need to disassemble in order to reassemble differently or better – it is simply an intellectual drive to solve puzzles, possibly fed by the psychological satisfaction found in the process of hyperfocus. Of course, solving a puzzle could require ‘disassembly and reassembly’, but it is the puzzle solution rather than the solution process that drives him.
