Do hackers have an image problem? As far as many self-professed hackers are concerned, the hacking underground is doing just fine, thank you very much. Now move along.
Discussions about hacking (taking things apart and putting them back together again) and cracking (breaking into systems or software, typically for illegal purposes) can be challenging. Many non-hackers see cracking as synonymous with hacking. Many self-professed hackers shout down outside analysis of their activities or motives. Then, of course, there are those limelight-stealing amateur upstarts--in the eyes of many hackers--known as hacktivists who have the temerity to crack poorly secured databases, claim the hacker mantle, and then brag about it.
Judging by the quantity and range of responses to my recent column, "One Secret That Stops Hackers: Girlfriends," many hacking supporters have strong feelings about research showing that many young crackers simply "age out" once they get a girlfriend or other life responsibilities. "Someone who does not understand," tweeted more than one reader. But others supported the findings: "The story is completely true, tho. Happened to me and many of my friends. Exactly as late teens, and then we got girlfriends," read one post to Slashdot.
[ Cyber-vandals created an Android app store that stocks nothing but malware. Read about it at Android Attackers Launch Fake App Market. ]
Anecdotal insights and opinions about hackers--never mind the relationship proclivities of the hacking-inclined--abound. So here are some thoughts in response to the comments on my column asking how we might better help young hacking aficionados steer clear of jail:
1. What do serial hackers look like? Why do people hack? Are they young or old? How many hackers break the law? Are there more hackers than bank robbers? Is the majority of online crime today perpetrated by international identity theft syndicates? If an information security expert illegally accesses an online server but no one ever finds out, did it really happen?
Discussing computer crime can quickly verge on the existential, which just goes to show how little we know about it. While the FBI tracks bank-robbery statistics, it doesn't do the same for online crime. Accordingly, part of the usefulness of the research cited in my column from online psychology expert Grainne Kirwan, who lectures at Ireland's Dun Laoghaire Institute of Art, Design and Technology, is that she's taken the time to speak with numerous hackers, thus providing some answers to the preceding questions. Furthermore, what she found is that most--not all--hackers are young, and that many stop hacking when they get jobs and more life responsibilities. But she also spoke to older hackers who have kept it up.
2. Real hackers don't get caught. On that note, might the best hackers simply never get caught? "Real hackers go undetected. I'm 29. I'm a hacker. I have a job. I have a relationship. I have children. I just stand up for what's right, not just what makes money," said "KoE" in a comment to my column.
But how likely is it that all "real hackers" don't get detected? Isn't it also possible, in part, that law enforcement agencies know about a great many more indiscretions than they publicly acknowledge or pursue, and that--given finite resources--they simply focus on the more egregious cases of law breaking?
3. High-tech crime: Too much jail time? Should we as a society go easier on high-tech criminals who do get caught, especially if they evince a social conscience? To help answer that question, consider that admitted LulzSec participant Ryan Cleary, now 20, faces 25 years in prison in the United States if he's extradited--on top of any jail time he might serve in the United Kingdom. That's thanks to LulzSec's 50-day spree that mixed hacking websites from Sony to the U.S. Senate, before the group's leader, Sabu--by then an FBI informant--called it quits and launched a collaboration with Anonymous called AntiSec. Given the list of Cleary's crimes, does the potential jail time seem appropriate?
4. Businesses: Be accountable for data security. If part of the function of jail time is to warn other people away from certain types of crimes, then the stiff sentences associated with high-tech crime might stand. All potential rehabilitation aside, "the problem with the 'aging out' theory is that there is always a steady supply of younger hackers who take the helm--and build on the work of their predecessors," commented "Cryptodd" on my column.
That speaks to a bigger issue: if your databases are getting owned by a 16-year old, then your business isn't trying hard enough to protect its data. Better security practices, in other words, would make the youthful high-tech offender situation largely academic. In Cryptodd's words, "If data is encrypted and protected well, hacker satisfaction decreases to zero."
5. Getting hackers girlfriends would be expensive. Want to fix the hacking problem? Then get hackers girlfriends, I joked in my column. "This guy has come up with the solution to stop hackers. The FBI can start a matchmaking division to stop cybercrime," tweeted ex-hacker Kevin Mitnick.
While the concept sounds absurd, it's apparently been tried before, and it worked. As one reader emailed, linking to an Atlantic article: "The basic premise--have relationships with women to neuter dangerous men--has been tried, apparently with success. The year is 1972, after the Olympic massacre of Israelis by the Palestinian Black September terrorists. The PLO brass needed--if only for PR reasons--to shut down this group. The solution? Recruit the most beautiful daughters of Palestine, offer the terrorists a job, apartment, a wife to get them to retire." The catch, aside from finding interested female participants, is that the strategy was apparently quite expensive.
6. Revenge of the girlfriend theory. Government-promoted hacker resettlement program or dating service aside, numerous responses to my column--not least via an amusing marriage and dating sub-discussion on Slashdot--highlighted the fact that many young adults do quit hacking simply because they got a girlfriend. "In my case, she didn't do anything specific to stop my hacking, beyond existing. We have only a finite amount of time," said one Slashdot poster.
7. Hack this: Ethical encouragement. To the overriding question posed in my column--"How might young hackers who break the law be encouraged not to do so?"--the award for best response goes not to a hacker, but from someone who lives with one. "AutumnL78" says the answer isn't "throwing girls at them," but rather encouraging them to use their skills for better purposes.
"The key issue is not discouraging, but encouraging in a positive and educated way. Instead of trying to stop kids from hacking, we need to be focusing on what can be done to encourage them to become ethical hackers," she wrote.
"How do I know this??? Eight years ago I married the guy who got busted for hacking the schools' dial-up system from home in middle school, who would take leave to go to hacker cons, and owned a small library of 2600 magazines," she said. "I encouraged this hacker to change rates in the Navy so that he could use his interest in hacking and all the skills he had for good. I supported his desire to get not one, but two master's in Internet security. I have gone to many hacker cons just to learn and understand what my husband is passionate about."
The best solution? To help keep more young rule-breaking hackers from doing jail time, let's encourage them to put their skills to ethical use. Anyone want to argue with that?
Distributed denial-of-service attacks can do serious damage. Get ready before you're hit. Also in the new, all-digital Save Your Assets issue of Dark Reading: Next-gen attackers aren't out to steal your money, and your old style of defense isn't going to stop them. (Free registration required.)