Two kids are playing after pre-school. One parent sees another parent who she knew years ago in college. They ask each other what they do now.
“She said, ‘Well, tomorrow I have to break into a bank,’” said Jeremy N. Smith, a Missoula non-fiction writer.
In his new book, “Breaking and Entering: The Extraordinary Story of a Hacker Called ‘Alien,’” he shares the story of Sherri Davidoff, an MIT hacker turned cybersecurity CEO.
It ranges from her time at the Massachusetts Institute of Technology, where she participated in physical hacking exploits as well as computer work, to early days testing the physical security of bank branches, through to the founding of LMG Security, her Missoula-based company with clients around the world, which she runs while raising a family.
Davidoff offers an eye-catching description for the company, now 10 years old with 25 employees:
“We break into companies and write reports about it,” she said. If a company is hacked, LMG will “come in, get them cleaned up. We handle the investigation.” They also provide cybersecurity testing and training and digital forensics.
Smith has written for The Atlantic, and his prior book, “Epic Measures: One Doctor. Seven Billion Patients,” tracked a global health care project.
He thinks of his new book as the story of “the birth of the information insecurity age” and an update to outdated views of who hackers are.
“It’s Matthew Broderick in ‘WarGames,’ or it’s Angelina Jolie in ‘Hackers.’ We’re so far behind in our sense of who hackers are and how hacking really works. That was such an exciting opportunity for me to tell that story,” he said.
“Alien” was Davidoff’s hacker handle in real life. Initially, she wanted to stay anonymous, and so she’s referred to by “Alien” throughout the book. (Missoula, meanwhile, doubles as “Parkmont.”)
Last year, she began to come to terms with “outing” herself, since “my story is unique enough that I can’t be anonymous, so there was an acceptance of that.” In a New York Times review of the book, the writer noted that her work is taught at universities and anyone truly inclined to find out who she is could do so.
MIT has a tradition of hacking that involves not just computer science, but breaking into and exploring physical spaces, Smith said.
“They treated the whole campus, and in some ways the whole city, like their playground,” Smith said. “That meant sometimes sneaking past guards, sometimes picking locks, to get to otherwise inaccessible and hidden places.”
In an example from the book, she and members of a group called the Coffeehouse Club climb the elevator shaft in a building, which Smith describes in detail.
These sorts of adventures proved useful after graduation, when she got a job as an information security consultant. She said there was “a lot of gender-based discrimination in the field.” Instead of the technical work that she’d studied, she was assigned physical tests of security.
These tests, conducted for bank branches, corporate headquarters, office buildings and more, involved costumes, fake ID cards, stake-outs and “social engineering,” i.e., tricking people.
“Let’s say, I would go into a bank branch, and my job is to see if a person could get into the bank branch and get into the vault, and get into the file-storage rooms,” she said. “I would find that the vast majority of the time I was successful. I would come in with some kind of ruse.”
She would pretend to be an auditor and talk her way into a vault or a back office.
“It was really all about gaining their trust and getting proof,” she said.
She notes that they didn’t do anything like breaking a window or causing property damage.
“We have to be a little more creative and find ways to break into places without actually breaking the places,” she said.
Her career in information technology didn’t “take off until I started working for myself,” she said. “In order to break that glass ceiling, I sort of had to strike out on my own.”
The book includes dramatic anecdotes that extend beyond straight-up computer work. In one case, a major hospital system was infected with a virus. She works her way through the building, realizing that all the medical equipment is now wired to life-and-death devices.
In another story, which touches on the work-life balance, she gave birth while working on a deadline for a security test.
“She had a great birth plan, and whenever you make a birth plan, god laughs, right?” Smith said. It results in an “all-nighter” debugging while nursing.
She founded LMG in Missoula as a start-up and built it from the ground up when it was a “brand-new, emerging industry,” she said. There weren’t any degrees in cybersecurity yet and she had to do all the training herself.
Its growth coincided with emerging threats — for instance, there’s an anecdote in the book about their first ransomware call.
“You have to be willing to step up and tackle new challenges and be creative and also work really hard, and I think LMG really emphasizes that,” she said, adding that the book conveys that well.
Data breaches and data privacy are in the news more frequently than when she started out, and yet she sees some misunderstandings.
“Historically, the biggest misunderstanding is people don't understand how vulnerable they are and how much we're tracked online, and how much data is actually being captured, [and] the fact that our data security and privacy laws only protect a sliver of your information,” she said.
As an example, she pointed to the Equifax breach. She said many articles focused on the millions of Social Security numbers that were compromised.
“To me, in security, that’s not a big deal because your Social Security number was probably stolen 10 years ago, you know, if not longer,” she said.
She’s concerned about the ways companies can connect in-store purchases to online profiles.
“And so that means that they have things like your shopping history, and your web-surfing history,” she said. “They connect those. So my question is, was my web-surfing history exposed to the world? Can people figure out what diseases I have or whether I’m getting a divorce?”
“These are things that are not covered and they’re not protected by laws right now, and yet we still have this expectation of privacy but we don’t have the actual privacy,” she said.
She said there is some hope, and that legislators could protect consumer privacy.
“I think what’s hopeless right now is trying to put the cat back in the bag. Your data is stolen, your data will continue to be stolen, it’ll continue to be used by companies. That’s unlikely to change anytime soon, the fact that your data is out there. What we can change is how companies use it,” she said.
She suggested auditing and regulating the use of the data.
“We should just assume our data is out there, and start auditing and start regulating what it’s being used for: Can your insurance company buy a certain type of data and use it to set your premiums? Can your employer buy a certain type of data to use it to make decisions about your job? And make sure the laws include the full scope of sensitive information, things that are sensitive to you, to me, to everyday people, not just your Social Security number,” she said.