02:14 PM

When Hackers Meet Girlfriends: Readers Judge Our Theory

My modest proposal to deter law-breaking hackers by helping them get girlfriends sparked condemnation, support, and even marriage advice.

Do hackers have an image problem? As far as many self-professed hackers are concerned, the hacking underground is doing just fine, thank you very much. Now move along.

Discussions about hacking (taking things apart and putting them back together again) and cracking (breaking into systems or software, typically for illegal purposes) can be challenging. Many non-hackers see cracking as synonymous with hacking. Many self-professed hackers shout down outside analysis of their activities or motives. Then, of course, there are those limelight-stealing amateur upstarts--in the eyes of many hackers--known as hacktivists who have the temerity to crack poorly secured databases, claim the hacker mantle, and then brag about it.

Judging by the quantity and range of responses to my recent column, "One Secret That Stops Hackers: Girlfriends," many hacking supporters have strong feelings about research showing that many young crackers simply "age out" once they get a girlfriend or other life responsibilities. "Someone who does not understand," tweeted more than one reader. But others supported the findings: "The story is completely true, tho. Happened to me and many of my friends. Exactly as late teens, and then we got girlfriends," read one post to Slashdot.

[ Cyber-vandals created an Android app store that stocks nothing but malware. Read about it at Android Attackers Launch Fake App Market. ]

Anecdotal insights and opinions about hackers--never mind the relationship proclivities of the hacking-inclined--abound. So here are some thoughts in response to the comments on my column asking how we might better help young hacking aficionados steer clear of jail:

1. What do serial hackers look like? Why do people hack? Are they young or old? How many hackers break the law? Are there more hackers than bank robbers? Is the majority of online crime today perpetrated by international identity theft syndicates? If an information security expert illegally accesses an online server but no one ever finds out, did it really happen?

Discussing computer crime can quickly verge on the existential, which just goes to show how little we know about it. While the FBI tracks bank-robbery statistics, it doesn't do the same for online crime. Accordingly, part of the usefulness of the research cited in my column from online psychology expert Grainne Kirwan, who lectures at Ireland's Dun Laoghaire Institute of Art, Design and Technology, is that she's taken the time to speak with numerous hackers, thus providing some answers to the preceding questions. Furthermore, what she found is that most--not all--hackers are young, and that many stop hacking when they get jobs and more life responsibilities. But she also spoke to older hackers who have kept it up.

2. Real hackers don't get caught. On that note, might the best hackers simply never get caught? "Real hackers go undetected. I'm 29. I'm a hacker. I have a job. I have a relationship. I have children. I just stand up for what's right, not just what makes money," said "KoE" in a comment to my column.

But how likely is it that all "real hackers" don't get detected? Isn't it also possible, in part, that law enforcement agencies know about a great many more indiscretions than they publicly acknowledge or pursue, and that--given finite resources--they simply focus on the more egregious cases of law breaking?

3. High-tech crime: Too much jail time? Should we as a society go easier on high-tech criminals who do get caught, especially if they evince a social conscience? To help answer that question, consider that admitted LulzSec participant Ryan Cleary, now 20, faces 25 years in prison in the United States if he's extradited--on top of any jail time he might serve in the United Kingdom. That's thanks to LulzSec's 50-day spree that mixed hacking websites from Sony to the U.S. Senate, before the group's leader, Sabu--by then an FBI informant--called it quits and launched a collaboration with Anonymous called AntiSec. Given the list of Cleary's crimes, does the potential jail time seem appropriate?

4. Businesses: Be accountable for data security. If part of the function of jail time is to warn other people away from certain types of crimes, then the stiff sentences associated with high-tech crime might stand. All potential rehabilitation aside, "the problem with the 'aging out' theory is that there is always a steady supply of younger hackers who take the helm--and build on the work of their predecessors," commented "Cryptodd" on my column.

That speaks to a bigger issue: if your databases are getting owned by a 16-year old, then your business isn't trying hard enough to protect its data. Better security practices, in other words, would make the youthful high-tech offender situation largely academic. In Cryptodd's words, "If data is encrypted and protected well, hacker satisfaction decreases to zero."

5. Getting hackers girlfriends would be expensive. Want to fix the hacking problem? Then get hackers girlfriends, I joked in my column. "This guy has come up with the solution to stop hackers. The FBI can start a matchmaking division to stop cybercrime," tweeted ex-hacker Kevin Mitnick.

While the concept sounds absurd, it's apparently been tried before, and it worked. As one reader emailed, linking to an Atlantic article: "The basic premise--have relationships with women to neuter dangerous men--has been tried, apparently with success. The year is 1972, after the Olympic massacre of Israelis by the Palestinian Black September terrorists. The PLO brass needed--if only for PR reasons--to shut down this group. The solution? Recruit the most beautiful daughters of Palestine, offer the terrorists a job, apartment, a wife to get them to retire." The catch, aside from finding interested female participants, is that the strategy was apparently quite expensive.

6. Revenge of the girlfriend theory. Government-promoted hacker resettlement program or dating service aside, numerous responses to my column--not least via an amusing marriage and dating sub-discussion on Slashdot--highlighted the fact that many young adults do quit hacking simply because they got a girlfriend. "In my case, she didn't do anything specific to stop my hacking, beyond existing. We have only a finite amount of time," said one Slashdot poster.

7. Hack this: Ethical encouragement. To the overriding question posed in my column--"How might young hackers who break the law be encouraged not to do so?"--the award for best response goes not to a hacker, but from someone who lives with one. "AutumnL78" says the answer isn't "throwing girls at them," but rather encouraging them to use their skills for better purposes.

"The key issue is not discouraging, but encouraging in a positive and educated way. Instead of trying to stop kids from hacking, we need to be focusing on what can be done to encourage them to become ethical hackers," she wrote.

"How do I know this??? Eight years ago I married the guy who got busted for hacking the schools' dial-up system from home in middle school, who would take leave to go to hacker cons, and owned a small library of 2600 magazines," she said. "I encouraged this hacker to change rates in the Navy so that he could use his interest in hacking and all the skills he had for good. I supported his desire to get not one, but two master's in Internet security. I have gone to many hacker cons just to learn and understand what my husband is passionate about."

The best solution? To help keep more young rule-breaking hackers from doing jail time, let's encourage them to put their skills to ethical use. Anyone want to argue with that?

Distributed denial-of-service attacks can do serious damage. Get ready before you're hit. Also in the new, all-digital Save Your Assets issue of Dark Reading: Next-gen attackers aren't out to steal your money, and your old style of defense isn't going to stop them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Moderator
7/31/2012 | 11:25:35 PM
re: When Hackers Meet Girlfriends: Readers Judge Our Theory
Maybe we were wrong about the Gǣaging outGǥ aspect. Heather Kelly reports from DefCon on the GǣDef Con KidsGǥ programs where 11 year olds are taught hacking skills, including by the DoD. The intent is to steer them towards white hat careers later onGǪ It seems the girlfriends will be the hackersGǪ Will we Gǣthrow boys at themGǥ? Kidding aside, these Def Con darlings, girls and boys, may make the current hacker crop squirm. Again, weGd better tighten protection over data and keep our technologies sharp.

CISOs' No. 1 Concern in 2018: The Talent Gap
Dawn Kawamoto, Associate Editor, Dark Reading,  1/10/2018
'Back to Basics' Might Be Your Best Security Weapon
Lee Waskevich, Vice President, Security Solutions at ePlus Technology,  1/10/2018
How to Attract More Women Into Cybersecurity - Now
Dawn Kawamoto, Associate Editor, Dark Reading,  1/12/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.