Hacker and TUW university assistant Marco Squarcina on hacking.
How do you become a hacker – does it have to do with education at university?
Marco Squarcina: Hacking is more like a personal thing. You don’t become a hacker because of what is required in your study plan. It may sound a bit nerdy, but it’s less flashy than it looks from the outside: it requires a lot of commitment, especially at the beginning, and you must enjoy digging into low level details of IT systems. There is some special kind of dedication required, but it soon becomes very addictive!
Anyway, now it’s way easier to approach the field than it was years ago, even if the level has increased a lot. When I started in 2009, it was a struggle to understand the most advanced techniques. Typically, your tutorial was a single text file with examples that were not even reproducible. Figuring out how to make them work was up to you. And without friends or a community ready to help, it was a bit of a nightmare. Nowadays there’s plenty of documentation on exploitation techniques, including high-quality videos on YouTube!
Is hacking political and is there a hacker ethic? Can you give an insight into the history of hacking?
Let’s be clear, for me hacking is just hacking: understanding, breaking and fixing stuff. What has driven my motivation is mainly curiosity. Clearly it doesn’t always work like this in our society, where offensive security capabilities are seen as a powerful tool. It follows that there are multiple reasons why an individual may approach the offensive IT security field: could be career opportunities at a national security agency, easy money from selling vulnerabilities, activism (or hacktivism), visibility, and so on.
Concerning the roots of hacking: they go back to, I think, 1981. The Chaos Computer Club was one of the very first hacking organizations in the world. They organized the first hacking convention in 1984 in Hamburg, called Chaos Communication Congress. [And still they do.] It is an amazing massive hacking convention, you can really have fun meeting people sharing a similar mindset who are exploring all aspects of hacking, not just IT security! Probably the largest convention in the world nowadays is DEF CON, which started in ’93 in Las Vegas, Nevada. They’re also hosting a hacking competition (called CTF, stands for Capture the Flag) that is considered to be “olympiads of cybersecurity”.
Going back to the connections between hacking and politics: There was one hacking group that started in 1984 in Texas which was called “The Cult of the Dead Cow” (cDc). It’s probably one of the first underground groups that hit the press and coordinated activism campaigns. The interesting part is that members of that group started getting connections with the US-government: In 1998 Peiter Zatko, who goes under the nickname Mudge, was testifying together with other cDc members in front of a US-senate-committee about serious vulnerabilities of the internet which the US were not considering at that time.
And then in 2010, Zatko was hired by DARPA, which is the research and development agency of the United States Department of Defense responsible for the development of emerging technologies. After that he was hired by Google, and after Google he became the head of security of Twitter. I think this story provides an interesting insight into the evolution of what we now consider “hacking”, basically not purely an underground activity for nerds, but a high impact activity in our modern society.
In Russia's war against Ukraine, there is always talk of cyberattacks. What is a cyberwar and how do hackers organize themselves in it?
I’m not an expert in this field since I’m mostly focused on technical aspects of IT security. That said, I don’t think we have seen the full extent of cyberwar so far – knowing how much broken software is currently in use. And I believe that threat actors have yet to show their full cyber offensive capabilities. I don’t have numbers to cite, but for me the level of cyber-warfare we are seeing so far is mainly limited to cyber-espionage and disinformation campaigns to influence the public opinion. There’s a lot of room for speculation on these topics anyway. Unlike traditional warfare activities, cyber-attacks are difficult to attribute to specific groups or states. So precisely characterizing what’s really happening is extremely problematic.
Since you asked about the current war against Ukraine and how “hackers” organize themselves: leaving aside state-sponsored activities, in the last two months we’ve seen a number of Telegram groups created to coordinate cyber-attacks against Russia. I met non-IT experts who joined these groups and downloaded random software that is supposedly required to launch cyber-attacks against Russian infrastructures. It’s important for people to understand that these activities are illegal and extremely risky: there’s a good chance that the only outcome will be installing malware on personal devices and negatively affecting local Internet providers more than anything else.
Do you have an idea in what direction cyberwars might develop?
Marco Squarcina: I don’t, but I can tell you that literally everything is vulnerable. You just need to have enough motivation, enough resources. To give an example: there is one program that we use every day to do all our critical activities online. That is the browser, we use the browser, like Chrome or Firefox, for literally everything. Browsers are constantly under scrutiny since they are so central in our digital life. Still, vulnerabilities are routinely discovered in this software. The issue is obviously amplified when applications are not under the spotlight. If state-sponsored actors start a proper cyberwar conflict, then we will be in trouble. I don’t think we are ready – but, to be honest, I don’t know how to be ready for that kind of conflict at the moment.
Do you think that states are fostering hacking activities – some more than others?
Marco Squarcina: Absolutely, but it depends how they do it. When you teach IT security to young students you don’t do that to create the next generation of cyber offenders. As I explained before, a “hacking” background is also useful to develop better defenses and protect critical infrastructures. I see these initiatives absolutely positively and it’s necessary for states to invest in such educational activities.
What is Austria's stance on cyber security?
Marco Squarcina: Austria understood the pivotal role of IT security education early on compared to other countries in Europe. As an example, the Austrian Cyber Security Challenge (ACSC) (https://verbotengut.at/) is a project to foster cyber security education to young talents and then participate in the European cyber security challenge (https://ecsc.eu/), an initiative of the ENISA, the European Cyber Security Agency (https://www.enisa.europa.eu/). Austria was one of the first countries that decided to participate in this competition. This year, the European championship of cyber security will take place in Vienna. TU Wien is a co-organizer of the event and we are proud to do our part in increasing the IT security awareness in Europe!
Marco Squarcina is a university assistant (postdoc) at TU Wien, which he joined at the end of 2018 after receiving his PhD in Computer Science at Ca’ Foscari University of Venice. His research interests mainly focus on web security, and his results are regularly published in top-tier security venues. As a long-standing participant in international hacking competitions, he collaborates with the European Union Agency for Cybersecurity (ENISA) to provide advanced training for young talents. Marco is currently teaching several security-related courses at TU Wien. He is also among the coordinators of the local academic hacking team (https://w0y.at/).
On his Twitter account Marco Squarcina shares news on cybersecurity, among other topics.
Interview: Edith Wildmann