Come, gather around the warm glow of your screen, it’s time for a story. A long time ago, in an age where long distance calls were **really** expensive, a blind, 7 year old boy with perfect pitch named Joe Egressia noticed something odd. When he whistled the fourth E above middle C, it stopped a phone call. He didn’t know why, but it was weird and there really wasn’t much else to do at the time, so he and his friends wondered if there was anything else that would work. Then a friend of his, Jon Draper, learned that a plastic whistle included in boxes of Captain Crunch cereal produced a perfect 2600hz tone, and this *same* tone essentially tricked the phone system into letting them make a free long distance call. Other tones were found, and the telephone companies got really, REALLY annoyed, and phone phreaking, as it was known, became a thing.

That’s hacking. The phone company never expected that their tone control could be used from a residential handset by a kid using a captain crunch whistle, so it was a vulnerability that lead to incremental discoveries. “If I do this, then I can do that, and eventually I get to make free phone calls.”

Computer systems follow the same pattern. For instance, a form on a website is linked to a database. Normally it works fine, but the system *also* passes the data you enter through a component that has a vulnerability – if you put a very specific text string in one of the fields, it interprets it as a command to send a password reset. By figuring out how to use that command to send a password reset to a *new* email address, all of a sudden you can get access to any account you want by sending their password reset to your email address. In that way, you’ve used an existing tool for an unintended purpose – that’s a hack.