Thinking Way Outside the Box

To push the limits of a computer system, you first need to gain deep knowledge about it. This is often hard for hackers, as administrators keep all documentation locked up. Security engineers therefore find themselves facing unknown systems.

The only way for them to learn more is the hard way: using creative thinking skills and imagining what the system can possibly be doing. Hackers might attack the problem from multiple directions:

  1. Look for other systems that might be similar to this one. To build mental models, a good first step is to find an example that can give insight about the current system. Leveraging previous knowledge is a professional’s best tool.
  2. Collaborate with others. No hacker works in a vacuum; there’s a dynamic community out there that includes journals, conferences and forums. A great way to evaluate a strategy or decision is through debating with other experts.
  3. Interact with the system in any way possible to build and improve their mental picture. Hackers want to find a “feedback machine” early on: change something in the inputs, and observe what happens afterwards.
  4. Visualize the architecture, and construct topological models. What components may be in there, how do they behave, and what are the relationships between them?
  5. Look for anomalies. Anything that looks odd or out of place can give a hint about the system. All those warrant further investigation.

Whatever the hacker’s goal is, their first step is building their knowledge base. Knowing more about the system helps engineers deduce potential consequences, even before touching a computer.

As Albert Einstein said, “If I had an hour to solve a problem, I’d spend 55 minutes thinking about the problem and 5 minutes thinking about solutions.”