
Cybersecurity Expert Answers Hacking History Questions

Cybersecurity architect and adjunct professor at NC State University Jeff Crume joins WIRED to answer the internet's burning questions about the history of hacking. What was the first computer virus? Who is the most influential hacker in history? How did hacking work before the internet? Have hackers ever taken down a government website? Do VPNs really offer the anonymity we think they do? What is a firewall and how does it work? Answers to these questions and many more await on Hacking History Support. Director: Jackie Phillips Director of Photography: Grant Bell Editor: Alex Mechanik Expert: Jeff Crume Line Producer: Jamie Rasmussen Associate Producer: Paul Gulyas Production Manager: Peter Brunette Production Coordinator: Rhyan Lark Casting Producer: Nick Sawyer Camera Operator: Shay Eberle-Gunst Sound Mixer: Paul Cornett Set Designer: Liliana Starck Post Production Supervisor: Christian Olguin Post Production Coordinator: Stella Shortino Supervising Editor: Erica DeLeo Additional Editor: Samantha DiVito Assistant Editor: Fynn Lithgow

Released on 05/16/2025

Transcript

Hopefully we'll stay outta jail on this [laughing]

ladies and gentlemen, start your lawyers.

I'm Jeff Crume, I'm a cybersecurity architect,

and Adjunct Professor at NC State University.

Let's answer some questions from the internet.

This is History of Hacking Support.

[upbeat music]

@MattScary34 asks,

who do you think is the most influential hacker

in cyber history?

Some of the really great hackers

are ones you've never heard of because they, in fact,

were so good they didn't get caught.

Certainly one of the big names,

he was certainly the most influential

and infamous back in the day is Kevin Mitnick.

Kevin Mitnick was particularly known

for his social engineering where he would basically try

to con people, rely on their desire to trust each other,

and get information out of people

by pretending to be someone else.

He served five years in prison.

He was arrested for abusing the phone system.

Back in those days, you had to pay for long distance calls.

He was able to break into the phone system

and make calls for free.

@RaymondGauche1 asks, where does the term hack come from?

The term really traces its evolution from the '60s

where at MIT there was a Model Train Club

and they used the term hack or hacker to refer

to someone who was able to use the technology

in an unconventional way, in a creative way.

Then about the '70s, '80s, it kind of took a change

and most people began to associate hacking

with unauthorized access.

In the security community,

we actually refer to at least three different types,

and we refer to them by their hat color, believe it or not,

no, they're not actually wearing hats necessarily,

but we refer to black hats as the ones

who are breaking into systems in order to do damage,

in order to steal things, operating without permission.

The white hat hackers, those are more like

that original terminology that we referred to

with the group from MIT,

who were basically hobbyists trying to find out,

where are the limits of the technology?

This sort of thing.

They report those vulnerabilities

and they're trying to do something for the overall good.

Now, you've got something in between a gray hat hacker

where they claim to be doing some good,

but maybe they don't, they cross a few lines here and there.

James_K_Polk, how did computer hackers do their hacking

back in the '60s and '70s?

It was all about physical access,

because computers, there was no internet.

All the computers that existed were pretty much

in very known places.

A company had a data center, it was on raised floor,

it had to be cooled with air conditioning.

The entry and access to those systems

was controlled via badge reader.

There were cameras, so it was basically security

was guards, guns and gates back in those days.

If you didn't have access physically to the system,

you couldn't do much damage.

Then it started moving to where attackers

were starting to use the phone system.

Hackers that were hacking on the phone system

were known as Phreakers, phone hackers.

They would do different things to try to figure out

how they could get into the phone system

and control it remotely, maybe from a payphone.

There were not a lot of computer systems

for them to break into yet.

And then we start moving into the '70s,

now we didn't really have an internet

that everyone had access to,

but more and more systems were being made available

over the public phone network,

so they had modems,

and you could call into a system and then get access.

If you knew the password, you could log in

and then maybe take control of the system that way.

So, that's what happened really more in the '70s.

In the '80s, especially as we move into the '90s,

then we had the internet,

and that's when really hacking changed very dramatically

because everyone had access to everyone

everywhere in the world.

It was a great thing for pretty much everyone,

including the attackers.

@Charliescurious asks,

have hackers ever taken down a government website?

One of the first that I remember was back in about 1996

when the Central Intelligence Agency

had their main website hacked,

and at least for a short period of time it said,

Welcome to the Central Stupidity Agency.

Not a lot of damage done there,

more just a reputational damage.

It was basically electronic graffiti.

So, what could people do to prevent their websites,

for instance, from being hacked?

One of the first things is make sure

that you change all of the default user IDs and passwords.

We call that hardening.

That's one form of hardening.

Another is turn off all the unnecessary services.

Every single thing that's turned on on a system

is potentially another way a bad guy

can use to get into your system.

Also, keep your software up to date,

because all the time vendors are fixing bugs

in their software and many of those bugs are security bugs,

and the bad guys will know about what those bugs are

and they'll take advantage of them.

Needs to be at minimum multifactor authentication.

Don't rely on voice recognition by the way,

we have deep fake technology from AI

that potentially could fake that stuff out.

Wedietz asks, Question for cybersecurity mavens,

since Signal is open-source,

doesn't that mean that some intelligent adversary

could determine its encryption algorithm

and come up with a way to decrypt Signal communications?

Well, yes, in general,

but first of all, don't add people to your group chat

if you don't know who they are.

There's a notion in cryptography

that's known as Kerckhoffs' Principle,

and it says that nothing should be secret

about a crypto system except the keys.

In other words, knowing how an algorithm works

should not give you any insight into how to break it.

A good crypto algorithm will stand the test of time.

Everyone can know how it works,

and yet they still can't break it.

The only way to break an encrypted message

is to guess what the key is that's been the case.

So, if the key's the secret to the system,

then one thing you want to be able to do

is generate those keys and keep them secret.

You want a random key

and then you wanna store it somewhere safe.

The more randomness you can get,

the better your key will be,

and then you don't have to remember that,

you'll use some other form of multifactor authentication

or things like that in order to get access to the key,

but the key itself will be saved on your system

and if it's really sensitive,

you'll store it in a special place in hardware

where if someone tries to access that without permission,

it'll actually blank the key

and just wipe it out completely.

Then that crypto device becomes effectively

just a paperweight at that point.

DeadBirdRugby says,

I've seen some older generation folks on LinkedIn

as cybersecurity analysts in the '90s.

Yeah, he's probably talking about me.

From what I remember,

the internet was like the Wild West in the '90s.

A lot of focus was just on putting up a firewall,

putting up some sort of technology

that gave us an initial block, an initial front door

to separate our internal network

from the external Wild West.

But firewalls weren't nearly enough.

They weren't enough then and they're not enough now,

but that was what a lot of the view was,

and we talk about the Wild West.

Well, there was a Wild West then on the internet

because everything was kind of unknown and unmonitored.

We still have that today to a great extent,

but then there's another layer deep below the surface

that most people never see.

Where you exist, for the most part,

if you're typical of most people,

is you're on the surface web.

That's maybe 5% of the content that's on the worldwide web

and it's stuff that you can get to

from your favorite search engine.

It's been indexed, in other words,

so you can go to the search engine and find it.

The other 95% is kind of think of an iceberg.

This is the stuff below the surface.

You know the iceberg is deeper below the water level,

so think about the iceberg, the other 95% that's below,

that's the deep web.

It's not necessarily nefarious stuff,

it's just not stuff that everyone needs to get to.

It's business records, it's things like that.

Only authorized users would be able to go in

and authenticate and be able to see that stuff.

But there's a subset that's in an area we call the dark web,

and it's dark because it's not indexed.

You have to know where it is,

so you're not likely to just stumble into it.

In fact, you've gotta use special tools to get there,

and for what it's worth, I don't recommend that you go there

because it's a rough neighborhood.

Your system could be taken over, could be hacked,

could have malware on it after you visited

some of these illicit sites.

Now, is everything on the dark web terrible?

No.

Some group of the people that are on the dark web

are people who are whistleblowers,

people who are political dissidents,

people who live in areas of the world

where they can't speak freely,

and maybe it's even journalists who need to be able

to get a message out and be able to do it with anonymity,

but with anonymity comes also the possibility

of illegal and illicit activities.

It's dark because the lights are off.

It's not dark because of what the content is there,

but certainly some of the content is of a dark nature.

A user on Reddit asked, what was the Stuxnet virus

and why was it so successful?

Well, Stuxnet was some malware,

I'll just use that general term to refer to it,

designed specifically to target nuclear centrifuges in Iran.

It was unleashed on those systems.

Those systems didn't have general internet access,

so the idea was that it would be brought in

to the system physically, implanted on those systems,

and then it would cause the centrifuges to speed up

and slow down and speed up and slow down,

which caused them to not be functional.

The idea of course, was to disrupt Iran's ability

to enrich uranium.

So, who was looking out for doing that?

Well, there's a lot of attribution

and it's one of those situations.

One of my favorite quotes is,

Those who know aren't talking and those who don't,

well, you can't shut them up.

I'm gonna keep talking.

So, now you know which one of those categories I'm in.

I don't have any firsthand information,

but it's been widely attributed in the public space

that the US and Israel were involved

in this particular attack

as a way to try to subvert Iran's nuclear ambitions.

It was pretty successful for a good period of time

until it turns out that the virus spread

to some other systems.

Those other systems then were discovered

with an antivirus tool.

Then from there, the whole game started to unravel.

@mock5turtle says,

yay, my data has been compromised

due to the OPM data breach.

Not sure that's a reason for celebration.

My fingerprints and everything.

Where will it all turn up next?

How exciting.

That's a case where data is turned over to someone else

and you have to trust that they're gonna do the right thing,

and maybe they do the right thing 99% of the time,

but it's that other 1% where they didn't,

and then that's where an attack occurs.

So, what can you do about this?

Well, first of all, don't give your data to places

where you don't have to,

and most people give their data up very freely

for very little in exchange.

So, make sure that you're understanding the bargain.

Understand that your data

is worth something to those companies

that's why they want to keep it,

and make sure that what you're getting back

in exchange for it is really a fair bargain.

Also, you can do some things like credit monitoring,

like credit freeze, credit lock, things like that.

So, that way if someone tries to open a line of credit

in your name, tries to get a credit card,

tries to get a home loan, whatever like that,

they try to do that in your name using information

that they got from one of these data breaches,

well, they won't be able to.

That's something that you can do at least in the US,

and there are probably similar things

you can do in other countries as well.

@SCMagazine asks, a question for cybersecurity pros,

would you ban TikTok from your organization

over security and privacy concerns raised

about its ownership being based in China?

First of all, my general approach to bans

is I don't think they work,

not in the way that people hope that they will.

When you ban something, you drive its behavior below ground,

and once you drive it underground,

then it's hard to monitor.

Now, am I concerned about ownership?

I'm concerned about ownership of all of these

because just because a company is in China

or even if they're in the US,

doesn't necessarily make me think

that there's gonna be no violations of privacy

or no manipulation of information.

We've already seen that every country on Earth

is really good and has people who will find ways

to be good at manipulating people through misinformation

and fake news, and we know

that privacy violations occur everywhere,

and we also know that privacy violations

can occur even unintentionally.

So, there are concerns, certainly if a government

is able to say,

we are gonna make you turn over those records to us,

and now there's not independence from that service

and the government and that's a big concern,

but that happens in a lot of cases.

Iheartdaikaiju asks,

what are some ways elections are vulnerable

from a security standpoint,

and what can be done to shore up these platforms?

Almost every case I will choose

the more high tech alternative to the lower tech alternative

except when it comes to voting.

In that case, the reason I like paper ballots

is because with a paper ballot,

if the counting machine messes up,

well, we just go back and take the paper ballots

and run 'em through another one.

If we have only electronic votes to begin with,

we can't go run them all back through.

We can't line up all the people that voted on that day

and say, please go back, get in line again

and vote exactly the way you did before.

Doesn't work like that.

We could have a power outage at a voting station,

well, again, that doesn't affect paper ballots.

It might affect the counting,

and if we want to use machines to do counting of those,

I think that's not so unreasonable.

But there are a lot of things

that technology helps us with.

This is one where a lower tech solution is probably better.

Chronoport asks,

why did the ILOVEYOU virus overwrite other files?

If you are a virus,

you're trying to spread yourself as much as you can.

The more types of files that you can overwrite,

the more things you can infect,

and the more other systems you can infect,

and the harder it is to get the system disinfected.

If you're the designer of a virus, you want it to spread

as virally as possible, so infect as much stuff

as you possibly can.

@_Alafolixx_ asks, who stopped WannaCry?

WannaCry was one of the most famous examples of malware,

did a lot of damage.

The guy that's given credit for stopping it

is named Marcus Hutchins.

He did it in May of 2017.

He was doing some analysis of the malware

and found that it actually made a call out

to a particular website to a particular domain name.

It was really long and complex and gorpy looking,

nothing that you would ever guess

unless you were just decompiling the code.

And he realized that as long as it didn't find

the presence of that, it would continue to spread.

So, what he did then was go register that domain name

so that then whenever the malware went out to go ping

that site to see if it exists, it would in fact exist,

and therefore the malware would stop replicating.

So, he basically found what was a kill switch

that was built into the code,

but that didn't necessarily stop and eradicate.

The malware was still on a lot of people's systems

and may still be out there in some cases,

but at least it was a way to turn a kill switch

and make it stop so that it didn't hurt other people

for at least a good period of time.

@theboss_almighty asks,

how exactly can hackers shut down a pipeline?

I'm assuming this is a reference

to the Colonial Pipeline ransomware case

that was very infamous

because in fact there was a pipeline that transported oil

across the Southeastern portions of the US.

Well, it turns out that the attacker, the actual malware,

the ransomware did not actually shut down the pipeline.

The operators of Colonial Pipeline decided they needed

to shut it down in order to prevent further damage

'cause they weren't quite really sure what was going on.

They knew that they had experienced a case,

they were being demanded a $5 million ransom

in order to restore the systems and they,

in an abundance of caution,

just felt like it was better to shut things down

until they could figure out what happened.

They eventually did turn things back on

and of course we got back an operational.

Interesting sideline with that story

is they actually paid the $5 million ransom,

but here was the unhappy part of that ending.

The attackers gave them a tool that would decrypt the data

that had been encrypted, so they paid the ransom,

they got the tool, but the tool was so inefficient

and so slow that it would never have recovered

the data in time to do anyone any good.

So, they ended up having

to rely on their own backups, incomplete

as they might have been,

and so they paid the $5 million ransom,

didn't get their data

and it was kind of a worst of both worlds situation.

However, in the end, there was one more twist,

and that was that the FBI

actually recovered half of that ransom.

Don't expect that to happen in your case.

@nobleinfantree asks,

what is a firewall and how does it work?

Well, firewall was a building mechanism

that was fire retardant materials

that would at least slow the spread of fire

from one unit to the next.

Now, when you apply that concept into network security,

it's a place, a zone, a separation

where we're going to keep one level

of trusted network away from another.

Maybe an untrusted internet,

we'll keep that separate from a trusted internal network,

and the firewall will basically be the gatekeeper.

So, we'll have a security policy in it

and it will look for certain types of traffic and say,

that kind of stuff can come in,

this other kind of stuff we're gonna block

because we don't use that kind of traffic,

we don't need traffic coming from that area of the internet,

or we don't need users of that sort,

they're not part of our organization.

So, we put a gating factor, basically a guard between areas

of networks where we have different zones of trust.

Ai_pitchside asks, I'm curious to know

how people balance online security

with the need for convenience.

Do VPNs really offer the anonymity we think they do?

The original purpose of VPNs was really just as a way

to transport sensitive information over a public network.

So, if I wanted to send a secret message to you

that only you could see

and that someone else who saw the traffic going

across the internet would not be able to read,

I would encrypt the message and then send it to you,

so that way we have an encrypted connection

between the two of us.

Now, the VPNs that most people use today,

not only can do that, but they also will hide the IP address

that you're coming from,

and that's where you start to get

some of these anonymity features.

The idea is that your ISP,

whoever it is that's providing your internet connection

and getting you as the on-ramp onto the highway,

that is the internet,

they know what your IP address is,

and they can see everything that comes and goes

into your home network or into your computer itself,

unless you use a VPN, which then all they can do

is see where the packets are coming from

and where they're going,

but they can't see the contents of it.

So, that gives you a certain level of anonymity.

However, if you use a VPN, then what it will do is also hide

where your originating IP address is,

because what will happen

is no matter where you wanna send a packet,

if you've got the VPN turned on,

it's gonna go to the VPN access point first.

Then from there it will get routed

to where it's supposed to go.

So, the ISP then at that point only sees,

here you are sending all your traffic

to this one VPN entry point, this VPN access point,

and then stuff comes back from there.

They won't be able to see the contents,

they won't be able to see where it goes after that point.

Now, that gives you some anonymity and some privacy.

However, don't be fooled.

What you've done is shifted your trust from your ISP,

which maybe wasn't so trustworthy

in terms of guarding your privacy to the VPN provider,

because the VPN provider now gets to see

where all your traffic is going,

and you don't really have a way to verify

the way they're operating.

So, some VPNs will be very rock solid

and will preserve your privacy, others will not.

So, just by using a VPN,

you may just be making it easier

by concentrating all your data to one place,

and if that place gets attacked

or if that place is a bad actor,

then you've given them all your information.

So, be careful.

A VPN's not a panacea, it can help.

@Hot-Geologist6330 asks, why are phishing emails

and telephone scams still profitable

despite increased awareness?

Simple answer is people, if you've ever met them,

well, they can be exploited.

We have this tendency as humans to trust other people.

Even if you're very jaded,

you see someone walking toward a building,

their arms are full of stuff and it's raining

and you're at the door,

so maybe you hold the door open for 'em.

But if that person was planning to do that

as a way to get into the building,

well, then they basically just socially engineered you

into letting them come into the building

and tailgate without using their badge.

Social engineering is what lies at the heart

of these types of attacks of phishing emails,

telephone scams and things like that.

Our tendency to trust and in one context,

that's a beautiful thing

because we wouldn't want everyone to be so jaded

that we never trusted another person ever again,

but we can't be trusting of everything either,

because then everything falls.

The attackers are always gonna try to find that crack

that they can exploit and they keep changing their tactics.

They keep changing different ways of doing this.

Phishers originally used mostly just email,

now they've moved into other areas as well.

In addition to email, they could do an SMS message to you.

We call that instead of phishing, we call that smishing.

They could do phishing via voicemail, we call that vishing.

There's even a new one called quishing

where they use QR code.

Thisisapseudo asks, are password managers safe?

If you're asking a security person, is it safe?

The answer is no.

I don't even have to know what the question was.

The answer is, it's not safe.

Nothing is ever fully safe, nothing's ever fully secure.

Now, is it safe enough?

It depends on which password manager you use,

and how you use it, and where you put the password manager,

and how you get access to the password manager itself.

Most of these password managers will require you

to set a strong password that you type in once

and then that unlocks all the other passwords

that it keeps in its storage.

If you have a trivial password on your password manager,

you have an unsafe system.

So, you need to have at least one really good password

and again, maybe use multifactor authentication

so that it doesn't rely just on a password to get in.

Lemme tell you what's better than a password.

If you're trying to make sure

that no one steals your password,

don't have one in the first place,

and you say, what does that mean,

I don't get to choose that?

Well, actually you are more and more getting to choose

a newer technology called Passkeys.

There's an organization called FIDO, Fast Identity Online,

that came out with this standard,

and Passkeys, sounds like the same kind of thing.

Password, passkey, it's actually very different.

Passkeys use cryptographic techniques.

You don't have to remember what the password is,

you don't have to choose what the password is,

you unlock your device. The passkey is a cryptographic key

that's kept on your device and may or may not be synced

with other devices that you have.

It's relatively phishing resistant,

if not almost impossible to phish

because it uses a challenge response system,

and all of this stuff happens under the covers.

And the good news is password managers

support both passwords, the good ones, and Passkeys,

so you don't have to choose.

Curious-Brain2781 asks,

how likely is it to catch a virus nowadays,

assuming a standard up-to-date antivirus?

It's actually still very possible.

We continue to see that certain types

of malware proliferate.

Thankfully we've gotten a little better at this,

but the problem is the game constantly keeps changing.

So, then we had to, as an industry come out with things

that were not just looking for literal signature.

That is a string of bits that were in there

in the particular malware itself

and that was the identifier,

now we're looking for things like behaviors,

and if we're looking for those behaviors,

maybe we're able to block these things more often.

A lot of these viruses and malware

will exploit different vulnerabilities in software.

So, that's why as patching

and updating of software levels

has become more and more automated,

we've been able to deal with a better defense

than we had back in the day when these things

were first coming out.

Reboot your system every so often

because some viruses and malware

are not able to survive across a reboot,

so you'd like to get rid of those and clean things that way,

but in general, use tools that can disinfect your system.

That will help a lot.

Tyrone_Biggums asks,

what hack has caused the most damage?

Depends on how you measure damage.

Would it be financial damage?

Would it be in terms of the number of systems

that were affected?

Would it be in terms of the number of lives

that were impacted?

Would it be in terms of the number of lives that were lost?

There's a lot of different ways to look at this.

There was one case where a ransomware instance happened

at a hospital and it caused the hospital systems

to not be available

and they started redirecting emergency traffic

to other hospitals.

One person died during transport to a more distant hospital.

So, there's a case where indirectly ransomware cost

a person their life.

@sector00007 says, what is the CIA triad?

Well, CIA, if you talk to a cybersecurity person,

probably doesn't mean Central Intelligence Agency,

although it could.

We think of this as one of the classical security teachings,

and that is really lies at the fundamentals

of everything we do in cybersecurity.

Everything in cybersecurity is about these three,

confidentiality, integrity and availability.

So, CIA, Confidentiality, Integrity and Availability.

That's really everything we do in Cybersecurity

is about doing those three things.

@Gunblaze1969 asks,

what was the name of the first computer virus?

Well, if you use the term virus

in the larger sense of malware,

I'm actually gonna shift this question

to refer to the first real example

that the world came to know,

and that was the Morris Worm back in 1988,

and that was where an MIT student came up

with a way of planting a piece of software

on a lot of different systems across the internet

and it spread automatically.

That's what a worm does, it self replicates,

and it did this and got to 10% of the internet

before it finally got shut down.

So, that was really the first one

that made the world wake up

to the fact that this stuff

could actually have software that could do harm.

@Peterbirckhead asks,

how is it I never heard about phone phreaking?

It's an old attack.

In the early days when there really were not

a lot of computers to break into, there was a phone system

and it was worldwide,

and phone phreakers were the ones

who tried to manipulate the phone system,

and it was discovered

that you could actually control the phone system,

maybe even reconfigure the switch that's involved.

You could get free long distance phone calls.

There's a lot of different things you could do,

and you could do this

because the phone systems used a specific tone

in order to put them into a management control mode.

That mode was triggered by a tone at 2,600 Hertz.

So, if you could whistle 2,600 Hertz

or get a tone generator and hold it up to a phone,

you could then take over the phone

and maybe even penetrate into the system from that.

It turned out that Cap'n Crunch, the cereal,

came out with a toy prize,

a whistle inside, and guess what?

That whistle blew 2,600 Hertz.

Now, Cap'n Crunch, I'm sure had no idea

that that's what was gonna happen when they did that,

they were just making a toy for kids.

But the phone phreaker community learned

about that pretty quickly and they got all over that

and bought up a lot of Cap'n Crunch boxes,

and now they were able to go into pay phones

and get free phone calls.

But you don't hear about it much now

because nobody really pays for long distance phone calls.

Berowulf asks,

what movie has the most realistic concept of hacking?

Sorry, movie industry.

I'm not sure any of 'em have gotten it

really all that right.

How it works in the real world

is not necessarily all that exciting to watch.

It's often hours and hours of just mind numbing activity

of running different programs in the background

until finally you trip onto something.

It's not something that makes for a great spectator sport.

So, that's why you see the movies take liberties with this

in order to make it a lot more interesting.

I don't know if hackers ever actually say I'm in,

but in every movie they certainly do.

Okay, those are all the questions.

Thanks for watching History of Hacking Support.

[upbeat music]
