# A Hacker's Mind

![rw-book-cover](https://m.media-amazon.com/images/I/91NOXugtFgL._SY160.jpg)

## Metadata

- Author: [[Bruce Schneier]]
- Full Title: A Hacker's Mind
- Category: #books
- Cite: [[@schneierHackerMindHow2023]]

## Highlights

- That hack wasn’t new. It even has a name: foldering. In separate incidents, it was used by General Petraeus, Paul Manafort, and the 9/11 terrorists. They all realized that they could evade communications surveillance if they shared an email account with their co-conspirators and wrote messages to each other, keeping them as email drafts and never sending them. ([Location 457](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=457))
- There are exceptions, of course. In the 1980s, a group of MIT and Harvard academics invented an innovative card-counting hack. Casinos know how to detect card counters; they look for people who (1) consistently win and (2) change their betting patterns in a way that implies strategic knowledge. The MIT group divided the different card-counting tasks among different players to better avoid detection. The counters sat at the tables and never changed their betting patterns. The large-money bettors also never changed their betting patterns and were steered to “hot tables” by compatriots who received signals from the counters. The group made an estimated $10 million before they gave up the business. Indeed a great hack. ([Location 608](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=608))
- Swimming, 1988. Both America’s David Berkoff and Japan’s Daichi Suzuki hacked the backstroke, swimming most of the length of the pool underwater and clocking amazingly fast times. This technique was soon adopted by other top-flight swimmers, until the International Swimming Federation stepped in and limited the distance a backstroke swimmer could remain submerged. ([Location 665](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=665))
- The goal of businessmen—and, of course, business enterprises—is to maximize profits. The goal of the public is to (more or less) maximize product quantity, quality, variety, and innovation, and minimize prices. ([Location 1442](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=1442))
  - Tags: [[favorite]]
- The wealthy enjoy several advantages that make them better at discovering and exploiting hacks. The first is that they don’t actually have to be superior hackers themselves. The wealthy have more resources to hire the expertise required to succeed at hacking: finding vulnerabilities, creating exploits, executing hacks. Additionally, because money is so important in politics, the wealthy are better normalizers of hacks. That is, they can use their power to ensure that their hacks become legally permissible. ([Location 1588](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=1588))
- Hacking is parasitical, mostly performed by the rich and powerful, and it comes at the expense of everyone else. ([Location 1615](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=1615))
- The Pacific Investment Management Company, based in Newport Beach, California, runs a hedge fund registered in the Cayman Islands to avoid paying US taxes. But by investing in a Delaware corporation and tying it to the parent California corporation, the hedge fund was able to borrow money commercially to buy securities, then borrow $13.1 million from the government relief program, and finally use that loan to pay back the original and more expensive securities loan. Instant profit, perfectly legal, at the expense of everyone in the US. Sociopathic, perhaps, yet I admire the creativity. ([Location 1652](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=1652))
- A more modern hack of fasting rules is the practice among some wealthy Saudi families of treating Ramadan as a month-long party, staying up most of the night and sleeping through most of the day. ([Location 1666](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=1666))
- A more sinister version of this hack occurs all too often on Native lands. Tribal courts cannot try non-Native individuals who commit crimes on Native lands; only federal authorities can do so, and in disturbing numbers of cases they do not. This means non-Native Americans have free rein to assault Native women on tribal lands and suffer virtually no repercussions. It has been reported that a full 80% of Native American women who are sexually assaulted are victimized by non-Native American men. ([Location 1687](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=1687))
- Work-to-rule is a labor tactic that is short of going on strike. It’s malicious compliance, and basically means following the rules exactly, which—of course—quickly brings things to a standstill. Some of it is obvious: taking all allowed breaks, stopping work exactly at quitting time. A nurse might refuse to answer the telephone, because that’s not part of a nurse’s job description. ([Location 1725](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=1725))
- More recently, Uber drivers in Nairobi created a hack to cut the company out of its share of the ride fee. Passengers hail drivers through the Uber app, which also sets the ride charge. At pickup, the driver and passenger agree to “go karura,” which means that the passenger cancels the ride and pays the driver the entire amount in cash. ([Location 1741](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=1741))
- Georgetown law professor Julie Cohen wrote that “power interprets regulation as damage and routes around it.” By this she meant that the powerful have the wherewithal to circumvent rules. ([Location 1805](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=1805))
- In Montana, payday loan providers moved to Indian reservations to avoid state and federal regulation. ([Location 1878](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=1878))
- The hack here isn’t that companies register their ships in Panama or incorporate in Delaware. The hack lies in those jurisdictions’ deliberate exploitation of the rules governing jurisdiction in order to make their own more attractive. By pitting itself against other states, Delaware subverts the intent of federal interstate commerce rules and state tax authorities. Similarly, flags of convenience subvert the intent of the UN Convention on the Law of the Sea. ([Location 1953](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=1953))
- Placing non-germane riders on these must-pass pieces of legislation enables lawmakers to avoid the scrutiny or backlash that would accompany a vote for a politically difficult provision, credibly claiming that they were merely voting for the measure as a whole. This now-common hack subverts the way legislation is supposed to work: a discrete proposal is made for a new law, and then that proposal is voted on. ([Location 2237](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=2237))
- This sort of hack exploits the fact that the president can’t veto individual line items in a bill. ([Location 2248](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=2248))
- The filibuster is only possible in the US because of a vulnerability in the rules that was an accidental side effect of another legislative rule change. Back in 1805, Vice President Aaron Burr declared that the US Senate should not have too many procedural rules. One of the rules dropped on his recommendation—in 1806, after he left office—was the “motion to previous question,” which ended debate on legislation. It took until 1837 for someone to notice and exploit the vulnerability. This was patched in 1917 with the cloture rule ending debate, which meant that a filibuster required nonstop talking to sustain. The current three-fifths majority—or sixty senators—requirement was only added in 1975, and the talking requirement was eliminated. It’s a hack on top of a patch on top of a hack, and it can only be changed by another hack. The filibuster subverts the legislative system. A legislative body is supposed to preserve the minority’s right to be heard, while still respecting majority rule. However, the modern filibuster flips that on its head, because now the minority party can use the filibuster to halt the legislative process for any bill without a sixty-vote majority, which actually prevents meaningful consideration or debate of an issue. It’s also bad for the rights of minorities in society, not just the minority party in the Senate. Historically, the filibuster was most often used to block legislation advancing racial equality. In the US, this is now normal. The Senate has such relaxed rules that a senator doesn’t have to actually speak for days or months to filibuster; he or she can simply state a theoretical intention to do so in order to delay a vote. ([Location 2309](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=2309))
- What I am developing is a sophisticated notion of hacking. It’s not that hacks are necessarily evil. It’s not even that they’re undesirable and need to be defended against. It’s that we need to recognize that hacks subvert underlying systems, and decide whether that subversion is harmful or beneficial. ([Location 2346](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=2346))
  - Tags: [[favorite]]
- Here’s an example. In 2020, President Trump wanted to appoint retired Army Brig. Gen. Anthony Tata to the position of under secretary of defense for policy, which requires US Senate confirmation. When it became clear that the Senate would never confirm him, Trump withdrew his nomination and instead designated him as the official “performing the duties of” the deputy under secretary of defense for policy. He also repeatedly used the term “acting” to circumvent Senate confirmation. These are hacks of the 1998 Vacancies Reform Act. But are they a flagrant disregard of reasonable Senate oversight duties or a reasonable response to the overly broad requirement that the Senate confirm 1,200 different executive positions? It depends on your opinion on how government should work. ([Location 2397](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=2397))
- The 1964 Louisiana literacy test is an example that can be easily found online. One question—yes, this is real—“Write every other word in this first line and print every third word in same line, [original type smaller, and the first line ended at comma] but capitalize the fifth word that you write.” ([Location 2428](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=2428))
- The basic problem is conflict of interest: the legislators who are in charge of drawing the districts are the ones who benefit from their demographics. The solution, obvious to anyone who studies the issue, is compartmentalization. Districts should be drawn by independent commissions whose members have no stake in their outcome. Michigan, for example, approved a ballot initiative mandating exactly this in 2018. That the state’s Republicans were still fighting this commission in 2020 illustrates the power of the gerrymandering hack. Beyond ([Location 2492](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=2492))
- One fix is ranked-choice voting, in which voters rank their choices for an office, the lowest-scoring candidate is eliminated, and votes for those bested candidates are redistributed in sequential “runoffs” until one achieves a majority. A ranked-choice system prevents third-party spoilers (a would-be spoiler’s votes are just reallocated to a different candidate, most likely one from whom they were intended to siphon support), and helps to ensure that the candidate most acceptable to a true majority of the electorate wins the election. ([Location 2560](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=2560))
- For example, disinformation is a hack that subverts our system of freedom of speech and freedom of the press. This isn’t a new notion. Goebbels, Hitler’s propaganda minister, once said: “This will always remain one of the best jokes of democracy, that it gave its deadly enemies the means by which it was destroyed.” Disinformation is also a hack that subverts many of the cognitive systems we will talk about: attention, persuasion, trust, authority, tribalism, and sometimes fear. ([Location 2663](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=2663))
- Drip pricing is another example. It’s common in the airline and hotel industries, since price is regularly the first attribute people look at when choosing a travel service. The trick is to display a low price initially, then pile on fees and hope that the buyer isn’t paying close attention. ([Location 2789](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=2789))
- banner ad from a company called Chatmost has what looks like a speck of dust on a touchscreen, tricking users into clicking on the ad as they try to swipe away the dirty spot. ([Location 2811](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=2811))
- Over twenty years ago, I wrote “Only amateurs attack machines; professionals target people.” ([Location 2824](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=2824))
  - Tags: [[favorite]]
- Terrorism directly hacks these cognitive shortcuts. As an actual risk, it’s minor. The 9/11 attacks killed about 3,000 people, and about 300 more have died from terrorist attacks in the US in the two decades since then. On the other hand, 38,000 people die every year in car accidents; that’s about 750,000 deaths in the same span of time. Over a million people died in the US from COVID-19. But terrorism is designed to override any logic. It’s horrifying, vivid, spectacular, random, and malicious: the very things that cause us to exaggerate risk and overreact. Fear takes hold, and we make security trade-offs we might have never considered before. These are society’s anxieties and instincts collectively being hacked. Politicians hack fear as well. If you can argue ([Location 2898](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=2898))
- As Bill Clinton said, “When people are insecure, they’d rather have somebody who is strong and wrong than someone who’s weak and right.” ([Location 2907](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=2907))
- Data analytics and automation are only getting smarter at hacking people’s sense of group identity to achieve some goal. And tribalism is so powerful and divisive that hacking it—especially with digital speed and precision—can have disastrous social effects, whether that’s the goal of a computer-assisted social hacker (like the Russians) or a side effect of an AI that neither knows nor cares about the costs of its actions (like social media recommendation engines). ([Location 2929](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=2929))
- All of these systems are vulnerable to hacking; in fact, current research indicates that all machine-learning systems can be undetectably compromised. And those hacks will have increasingly large societal effects. ([Location 3345](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=3345))
- Unless AI programmers specify that the system must not change its behavior when being tested, an AI might come up with the same cheat. The programmers will be satisfied. The accountants will be ecstatic. And no one is likely to catch on. ([Location 3462](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=3462))
- At its core, hacking is a balancing act. On the one hand, it’s an engine of innovation. On the other, it subverts systems, reinforces existing inequitable power structures, and can be damaging to society. ([Location 3694](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=3694))
- Sociobiologist Edward O. Wilson once described the fundamental problem with humanity as being that “we have Paleolithic emotions, medieval institutions, and godlike technology.” ([Location 3732](https://readwise.io/to_kindle?action=open&asin=B0B3FY5R3M&location=3732))
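The ranked-choice highlight (Location 2560) describes an instant-runoff count in one sentence. The Python below is an added illustration, not text or code from the book: it tabulates a small set of constructed ballots under a plain plurality count and under the runoff procedure the highlight describes, so the spoiler reallocation it mentions can be seen round by round. Candidate names A, B, C and the ballots are made up.

```python
from collections import Counter

# Constructed ballots (not from the book). Each ballot lists candidates
# from most to least preferred. C draws voters who would otherwise
# prefer B, which makes C a classic "spoiler" under plurality rules.
BALLOTS = [
    ["A", "C", "B"], ["A", "C", "B"], ["A", "C", "B"], ["A", "C", "B"],
    ["B", "C", "A"], ["B", "C", "A"], ["B", "C", "A"],
    ["C", "B", "A"], ["C", "B", "A"],
]


def plurality_winner(ballots):
    """Whoever has the most first choices wins, majority or not."""
    return Counter(b[0] for b in ballots).most_common(1)[0][0]


def ranked_choice_winner(ballots):
    """Instant runoff as the highlight describes it: count first choices;
    if nobody holds a majority, eliminate the lowest-scoring candidate and
    move each of that candidate's ballots to the voter's next surviving
    choice; repeat. Returns (winner, per-round tallies)."""
    remaining = {c for b in ballots for c in b}
    rounds = []
    while remaining:
        counts = Counter()
        for ballot in ballots:
            # Each ballot counts once, for its highest-ranked survivor.
            for choice in ballot:
                if choice in remaining:
                    counts[choice] += 1
                    break
        if not counts:  # every ballot exhausted; no winner can be found
            return None, rounds
        rounds.append(dict(counts))
        # Exhausted ballots leave the denominator, as in most IRV rules.
        total = sum(counts.values())
        leader, top = counts.most_common(1)[0]
        if top * 2 > total:
            return leader, rounds
        # Candidates with zero surviving first choices are lowest too;
        # ties at the bottom are broken alphabetically for determinism.
        lowest = min(sorted(remaining), key=lambda c: counts.get(c, 0))
        remaining.remove(lowest)
    return None, rounds


if __name__ == "__main__":
    print("plurality:", plurality_winner(BALLOTS))
    print("ranked choice:", ranked_choice_winner(BALLOTS))
```

Under plurality A wins with 4 of 9 first choices; under the runoff C is eliminated in round one and both C ballots return to B, who then holds 5 of 9.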