On the last day of June of this year, a tech website called Redmond Pie posted two articles in quick succession that, on their face, had nothing to do with each other. The first, with the headline “Root Nexus 7 on Android 4.1 Jelly Bean, Unlock Bootloader, And Flash ClockworkMod Recovery,” was a tutorial on how to modify the software—mainly in order to gain control of the operating system—in Google’s brand-new tablet computer, the Nexus 7, a device so fresh that it hadn’t yet shipped to consumers.
The second headline was slightly more decipherable to the casual reader: “New OS X Tibet Malware Puts in an Appearance, Sends User’s Personal Information to a Remote Server.” That story, which referred to the discovery of a so-called “Trojan horse” computer virus on certain machines in Tibet, pointed out that Apple computers were no longer as impervious to malicious viruses and worms as they had been in the past and that this attack, which targeted Tibetan activists against the Chinese regime, was not random but political. When the Tibetan activists downloaded the infected file, it would secretly connect their computers to a server in China that could monitor their activities and capture the contents of their machines. (The Redmond Pie writer speculated that the reason Apple computers were targeted in this attack was that they were the preferred brand of the Dalai Lama.)
In fact, the Nexus 7 story and the Tibetan Trojan horse story were both about the same thing: hacking and hackers, although the hacking done by the Nexus 7 hackers—who contribute to an online website called Rootzwiki—was very different from that done by the crew homing in on the Tibetan activists. Hacking and hackers have become such inclusive, generic terms that their meaning, now, must almost always be derived from the context. Still, in the last few years, after the British phone-hacking scandal, after Anonymous and LulzSec, after Stuxnet, in which Americans and Israelis used a computer virus to break centrifuges and delay the Iranian nuclear project, after any number of identity thefts, that context has tended to accent the destructive side of hacking.
In February, when Facebook CEO Mark Zuckerberg observed in his letter to potential shareholders before taking the company public that Facebook embraced a philosophy called “The Hacker Way,” he was not being provocative but, rather, trying to tip the balance in the other direction. (He was also drawing on the words of the veteran technology reporter Steven Levy, whose 1984 book Hackers: Heroes of the Computer Revolution was the first serious attempt to understand the subculture that gave us Steve Jobs, Steve Wozniak, and Bill Gates.) According to Zuckerberg:
In reality, hacking just means building something quickly or testing the boundaries of what can be done. Like most things, it can be used for good or bad, but the vast majority of hackers I’ve met tend to be idealistic people who want to have a positive impact on the world…. Hackers believe that something can always be better, and that nothing is ever complete. They just have to go fix it—often in the face of people who say it’s impossible or are content with the status quo.
Though it might seem neutral, the word “fix” turns out to be open to interpretation. Was the new Google Nexus 7 tablet broken before it was boxed up and shipped? Not to Google or to the vast majority of people who ordered it, but yes to those who saw its specifications and noticed, for instance, that it had a relatively small amount of built-in memory, and wanted to enable the machine to accept an external storage device that could greatly expand its memory. Similarly, there was nothing wrong with the original iPhone—it worked just fine. But for users hoping to load software that was not authored or vetted by Apple, and those who didn’t want to be restricted to a particular service provider (AT&T), and those who liked to tinker and considered it their right as owners to do so, the various “jailbreaks”—or ways of circumventing such restrictions—provided by hackers have addressed and, in Zuckerberg’s term, “fixed” these issues.1
Apple, on the other hand, did not see it this way and argued to the United States Copyright Office that modifying an iPhone’s operating system constituted copyright infringement and thus was illegal. In a ruling in 2010, the Copyright Office disagreed, stating that there was “no basis for copyright law to assist Apple in protecting its restrictive business model.” Copyright laws vary country to country, though, and already this year three people in Japan have been arrested under that country’s recently updated Unfair Competition Prevention Act for modifying—i.e., hacking—Nintendo game consoles. As for the Nexus 7 hackers, they need not worry: Google’s Android software is “open source,” meaning that it is released to the public, which is free to fiddle with it, to an extent.
The salient point of Mark Zuckerberg’s paean to hackers, and the reason he took the opportunity to inform potential shareholders, is that hacking can, and often does, improve products. It exposes vulnerabilities, supplies innovations, and demonstrates both what is possible and what consumers want. Still, as Zuckerberg also intimated, hacking has a dark side, one that has eclipsed its playful, sporty, creative side, especially in the popular imagination, and with good reason. Hacking has become the preferred tool for a certain kind of thief, one who lifts money from electronic bank accounts and sells personal information, particularly as it relates to credit cards and passwords, in a thriving international Internet underground. Hacking has also become a method used for extortion, public humiliation, business disruption, intellectual property theft, espionage, and, possibly, war.
Two recent busts by the FBI are illustrative of the common ways that hacking, in essence, has been hacked by the bad guys. The first, Operation Ghost Click, in November of last year, resulted in the arrest of six Estonian nationals who had infected more than four million computers in one hundred countries with a virus that allowed them to generate $14 million in illicit Internet advertising fees. The virus was transmitted disguised as software needed to view online videos. Once installed, it would surreptitiously redirect the infected computer’s Web browser to sites controlled by the hackers. As unintended collateral damage, once the FBI shut down the hackers’ servers, tens of thousands of computers that hadn’t been “disinfected” by their unsuspecting owners were no longer able to access the Internet.
The second FBI sting took place in June. Called Operation Card Shop, it netted twenty-four people in eight countries on four continents who were stealing and selling credit card data through a private, invitation-only, Internet “carding” forum secretly set up and run by the FBI. Users could buy and sell stolen credit card numbers and other personal information, and exchange tips for stealing and using that information. The FBI estimated that these arrests saved 400,000 potential victims a potential $205 million. (The FBI was feeding the stolen information back to the banks, so the losses were, apparently, avoided.)
The profiles of the eleven Americans arrested in Operation Card Shop could be read as a coda to DarkMarket, Misha Glenny’s disturbing portrait of the criminal hackers—more accurately called crackers—involved in an earlier carding scheme that, like Operation Card Shop, centered around an Internet forum where personal data was offered for sale and trade. Like the subjects of Glenny’s book, the Operation Card Shop hackers were young—none was older than twenty-five—and male. For example, Michael Hogue, a twenty-one-year-old from Tucson, Arizona, sold “malware” that let its user infect—through a variety of methods, including booby-trapped links, e-mails, and programs—and then remotely control the operations of the “captured” computer. It could turn on a Web camera and spy on the user, and it could record every keystroke made by the unsuspecting victim, which was a handy feature for stealing passwords and accessing bank accounts.
And then there was nineteen-year-old Christian Cangeopol from Lawrenceville, Georgia. He engaged in a practice called “instoring”—buying expensive electronic equipment in an actual store (hence, “instoring”) with credit cards stolen online and reselling it for cash. If these young men seem like small fry in the criminal underground, it may be because of the way the FBI caught them: by tossing out a net and seeing who swam into it. More typically, as Glenny points out, major Internet crime is the work of syndicates, many of which operate out of the former Soviet Union, if they operate “out” of anywhere.
Around the same time that the FBI announced Operation Card Shop, the security companies McAfee and Guardian Analytics issued a white paper documenting a sophisticated hacking scheme that targeted high-net-worth bank accounts of both businesses and individuals. The hackers were able to acquire the targets’ passwords and banking information, which they then used to transfer funds to their own accounts. Dubbed Operation High Roller, the thefts began in Italy, moved through Europe, jumped to Latin America and from there to the United States like a wave cheer progressing around a stadium.
Remarkably, all of this was remotely orchestrated by sixty high-capacity computers in Russia. Once it was set up, the hack ran itself. “With no human participation required, each attack moves quickly and scales neatly,” the white paper team wrote. “This operation combines an insider level of understanding of banking transaction systems with both custom and off the shelf malicious code and appears to be worthy of the term ‘organized crime.’” The authors estimated that at least a dozen criminal syndicates were behind the thefts, and that taken together they accounted for about $78 million in losses. They also supposed that if the entire operation had succeeded, the losses could have been “as high as €2 billion.”
Two billion euros—$2.5 billion in US dollars—is a lot of money, and $78 million is not inconsiderable. By making those sums public, McAfee and Guardian Analytics, like the FBI with its estimate of $205 million that could have been lost through Operation Card Shop had the shop been run by criminals, aim to give the public a feel for the magnitude of the threat posed by cyber criminals. Yet the numbers supplied by McAfee, Guardian Analytics, and the FBI are speculative, based on what might have happened, but did not.
Similarly, when the software company Norton, which creates antivirus programs, issued its 2011 Cybercrime Report, a survey of Internet-based crime around the world, it estimated that consumers were losing around $114 billion annually. The press picked this up and turned it into an equivalence: in monetary terms, cybercrime now rivaled the global drug trade. Here was a shocking new fact of life in the Internet age that, no doubt, caused countless numbers of people to strengthen their computer passwords and download antivirus software. But this may have been the point, since antivirus software manufacturers and Internet security firms have a stake in this game. While cyberthefts were escalating, corporate spending on cybersecurity was, too. By one estimate it has increased 10 percent a year since 2006 to over $80 billion annually.
1 Certain proprietary applications that Google distributes with Android, such as Gmail, are not open to manipulation.