The Good Hacker: Q&A with Lillian Ablon

Jan 16, 2015

DEF CON's “black badge,” awarded for winning a social engineering competition

Photo by Diane Baldwin/RAND Corporation

Lillian Ablon conducts technical and policy analysis research at RAND on topics spanning cybersecurity, computer network operations, emerging technologies, competitive intelligence and the human element in intelligence gathering, and digital exhaust.

You're a mathematician with expertise in cyber topics. What keeps you up at night?

Many things: especially corporate and nation-state espionage, and the lack of focus on secure coding and user account security. I think about privacy concerns: not only having the right to be forgotten, but also the ability to be forgotten. There's the Internet of Things, which opens doors to personal networks. And the great weakness: the human element.

What's the one thing that would put a dent in cybercrime?

Reducing confidence within black markets. Everyone is confident that the products work, that people are who they say they are, and that there's little risk of getting caught. To disrupt, maybe combine coordinated takedowns with blasting a ton of bad data, bad products, and false users into these markets to start to diminish confidence.

You were the first female winner of DEF CON 21's Social Engineer Capture the Flag (SECTF) Competition. What does it mean to be DEF CON's “Deadliest Social Engineer”?

Lillian Ablon was the first female to earn a coveted “black badge,” awarded for winning the DEF CON 21 Social Engineer Capture the Flag (SECTF) Competition at the DEF CON cybersecurity conference.

Photo by Diane Baldwin/RAND Corporation

DEF CON is one of the largest and longest-running hacker conventions in the world. It features technical talks and contests, one of which is on social engineering. The challenge was to get 45 specific pieces of information about a Fortune Top 10 company. I dug for open source information online, and then conducted a live social engineering phone attack on employees with the audience watching. I gained key insights into the company and could have successfully installed malware on its computers. The prizes included a lockpick set (adding to the one I already have), all kinds of gadgets, and—best of all—a coveted “black badge.” I scored 200 points more than my closest competitor, and I was the first woman to win.

Which leads to your science, tech, engineering, and math (STEM) work with young women and girls. Can you tell us more about what you do and why it's important?

It's one of my passions. I loved math as a kid—I was 5 or 6 when I decided my favorite number was 959—and still love it. My husband and I throw an annual Pi Day party! So I want to do all I can to encourage more women to get excited and stay excited about numbers, math, and technology. It was such an honor to speak at inspiring conferences like CyberGirlz and Expanding Your Horizons. I'm mentoring a few of the young women I met, and it's incredibly satisfying. One reason few females are involved is lack of confidence, so I like to talk about “power posing”—Harvard's Amy Cuddy gave a well-known TED talk on this, but others also research the topic. Posing like Wonder Woman for just two minutes can reduce the stress hormone cortisol, increase your testosterone, and basically trick you into feeling powerful. Before I give any speech, you'd better believe I power pose!

Is “hacker” a dirty word?

No! “Hacker” is an inspirational word. A hacker thinks outside the box, challenges the status quo, tries to improve things by figuring out how they work—often by breaking a thing or two. There are good hackers and malicious hackers. I consider myself a good hacker.

Your first career was working with code breaking, network exploitation, and vulnerability analysis. Was that as riveting as it sounds?

(Long pause) It was absolutely awesome. Let's leave it at that.