On the last day of June of this year, a tech website called Redmond Pie posted two articles in quick succession that, on their face, had nothing to do with each other. The first, with the headline “Root Nexus 7 on Android 4.1 Jelly Bean, Unlock Bootloader, And Flash ClockworkMod Recovery,” was a tutorial on how to modify the software—mainly in order to gain control of the operating system—in Google’s brand-new tablet computer, the Nexus 7, a device so fresh that it hadn’t yet shipped to consumers.
The second headline was slightly more decipherable to the casual reader: “New OS X Tibet Malware Puts in an Appearance, Sends User’s Personal Information to a Remote Server.” That story, which referred to the discovery of a so-called “Trojan horse” computer virus on certain machines in Tibet, pointed out that Apple computers were no longer as impervious to malicious viruses and worms as they had been in the past and that this attack, which targeted Tibetan activists against the Chinese regime, was not random but political. When the Tibetan activists downloaded the infected file, it would secretly connect their computers to a server in China that could monitor their activities and capture the contents of their machines. (The Redmond Pie writer speculated that the reason Apple computers were targeted in this attack was that they were the preferred brand of the Dalai Lama.)
In fact, the Nexus 7 story and the Tibetan Trojan horse story were both about the same thing: hacking and hackers, although the hacking done by the Nexus 7 hackers—who contribute to an online website called Rootzwiki—was very different from that done by the crew homing in on the Tibetan activists. Hacking and hackers have become such inclusive, generic terms that their meaning, now, must almost always be derived from the context. Still, in the last few years, after the British phone-hacking scandal, after Anonymous and LulzSec, after Stuxnet, in which Americans and Israelis used a computer virus to break centrifuges and delay the Iranian nuclear project, after any number of identity thefts, that context has tended to accent the destructive side of hacking.
In February, when Facebook CEO Mark Zuckerberg observed in his letter to potential shareholders before taking the company public that Facebook embraced a philosophy called “The Hacker Way,” he was not being provocative but, rather, trying to tip the balance in the other direction. (He was also drawing on the words of the veteran technology reporter Steven Levy, whose 1984 book Hackers: Heroes of the Computer Revolution was the first serious attempt to understand the subculture that gave us Steve Jobs, Steve Wozniak, and Bill Gates.) According to Zuckerberg:
In reality, hacking just means building something quickly or testing the boundaries of what can be done. Like most things, it can be used for good or bad, but the vast majority of hackers I’ve met tend to be idealistic people who want to have a positive impact on the world…. Hackers believe that something can always be better, and that nothing is ever complete. They just have to go fix it—often in the face of people who say it’s impossible or are content with the status quo.
Though it might seem neutral, the word “fix” turns out to be open to interpretation. Was the new Google Nexus 7 tablet broken before it was boxed up and shipped? Not to Google or to the vast majority of people who ordered it, but yes to those who saw its specifications and noticed, for instance, that it had a relatively small amount of built-in memory, and wanted to enable the machine to accept an external storage device that could greatly expand its memory. Similarly, there was nothing wrong with the original iPhone—it worked just fine. But for users hoping to load software that was not authored or vetted by Apple, and those who didn’t want to be restricted to a particular service provider (AT&T), and those who liked to tinker and considered it their right as owners to do so, the various “jailbreaks”—or ways of circumventing such restrictions—provided by hackers have addressed and, in Zuckerberg’s term, “fixed” these issues.1
Apple, on the other hand, did not see it this way and argued to the United States Copyright Office that modifying an iPhone’s operating system constituted copyright infringement and thus was illegal. In a ruling in 2010, the Copyright Office disagreed, stating that there was “no basis for copyright law to assist Apple in protecting its restrictive business model.” Copyright laws vary country to country, though, and already this year three people in Japan have been arrested under that country’s recently updated Unfair Competition Prevention Act for modifying—i.e., hacking—Nintendo game consoles. As for the Nexus 7 hackers, they need not worry: Google’s Android software is “open source,” meaning that it is released to the public, which is free to fiddle with it, to an extent.
The salient point of Mark Zuckerberg’s paean to hackers, and the reason he took the opportunity to inform potential shareholders, is that hacking can, and often does, improve products. It exposes vulnerabilities, supplies innovations, and demonstrates both what is possible and what consumers want. Still, as Zuckerberg also intimated, hacking has a dark side, one that has eclipsed its playful, sporty, creative side, especially in the popular imagination, and with good reason. Hacking has become the preferred tool for a certain kind of thief, one who lifts money from electronic bank accounts and sells personal information, particularly as it relates to credit cards and passwords, in a thriving international Internet underground. Hacking has also become a method used for extortion, public humiliation, business disruption, intellectual property theft, espionage, and, possibly, war.
Two recent busts by the FBI are illustrative of the common ways that hacking, in essence, has been hacked by the bad guys. The first, Operation Ghost Click, in November of last year, resulted in the arrest of six Estonian nationals who had infected more than four million computers in one hundred countries with a virus that allowed them to generate $14 million in illicit Internet advertising fees. The virus was transmitted disguised as software needed to view online videos. Once installed, it would surreptitiously redirect the infected computer’s Web browser to sites controlled by the hackers. As unintended collateral damage, once the FBI shut down the hackers’ servers, tens of thousands of computers that hadn’t been “disinfected” by their unsuspecting owners were no longer able to access the Internet.
The second FBI sting took place in June. Called Operation Card Shop, it netted twenty-four people in eight countries on four continents who were stealing and selling credit card data through a private, invitation-only, Internet “carding” forum secretly set up and run by the FBI. Users could buy and sell stolen credit card numbers and other personal information, and exchange tips for stealing and using that information. The FBI estimated that these arrests saved 400,000 potential victims a potential $205 million. (The FBI was feeding the stolen information back to the banks, so the losses were, apparently, avoided.)
The profiles of the eleven Americans arrested in Operation Card Shop could be read as a coda to DarkMarket, Misha Glenny’s disturbing portrait of the criminal hackers—more accurately called crackers—involved in an earlier carding scheme that, like Operation Card Shop, centered around an Internet forum where personal data was offered for sale and trade. Like the subjects of Glenny’s book, the Operation Card Shop hackers were young—none was older than twenty-five—and male. For example, Michael Hogue, a twenty-one-year-old from Tucson, Arizona, sold “malware” that let its user infect—through a variety of methods, including booby-trapped links, e-mails, and programs—and then remotely control the operations of the “captured” computer. It could turn on a Web camera and spy on the user, and it could record every keystroke made by the unsuspecting victim, which was a handy feature for stealing passwords and accessing bank accounts.
And then there was nineteen-year-old Christian Cangeopol from Lawrenceville, Georgia. He engaged in a practice called “instoring”—buying expensive electronic equipment in an actual store (hence, “instoring”) with credit cards stolen online and reselling it for cash. If these young men seem like small fry in the criminal underground, it may be because of the way the FBI caught them: by tossing out a net and seeing who swam into it. More typically, as Glenny points out, major Internet crime is the work of syndicates, many of which operate out of the former Soviet Union, if they operate “out” of anywhere.
Around the same time that the FBI announced Operation Card Shop, the security companies McAfee and Guardian Analytics issued a white paper documenting a sophisticated hacking scheme that targeted high-net-worth bank accounts of both businesses and individuals. The hackers were able to acquire the targets’ passwords and banking information, which they then used to transfer funds to their own accounts. Dubbed Operation High Roller, the thefts began in Italy, moved through Europe, jumped to Latin America and from there to the United States like a wave cheer progressing around a stadium.
Remarkably, all of this was remotely orchestrated by sixty high-capacity computers in Russia. Once it was set up, the hack ran itself. “With no human participation required, each attack moves quickly and scales neatly,” the white paper team wrote. “This operation combines an insider level of understanding of banking transaction systems with both custom and off the shelf malicious code and appears to be worthy of the term ‘organized crime.’” The authors estimated that at least a dozen criminal syndicates were behind the thefts, and that taken together they accounted for about $78 million in losses. They also supposed that if the entire operation had succeeded, the losses could have been “as high as €2 billion.”
Two billion euros—$2.5 billion in US dollars—is a lot of money, and $78 million is not inconsiderable. By making those sums public, McAfee and Guardian Analytics, like the FBI with its estimate of $205 million that could have been lost through Operation Card Shop had the shop been run by criminals, aim to give the public a feel for the magnitude of the threat posed by cyber criminals. Yet the numbers supplied by McAfee, Guardian Analytics, and the FBI are speculative, based on what might have happened, but did not.
Similarly, when the software company Norton, which creates antivirus programs, issued its 2011 Cybercrime Report, a survey of Internet-based crime around the world, it estimated that consumers were losing around $114 billion annually. The press picked this up and turned it into an equivalence: in monetary terms, cybercrime now rivaled the global drug trade. Here was a shocking new fact of life in the Internet age that, no doubt, caused countless numbers of people to strengthen their computer passwords and download antivirus software. But this may have been the point, since antivirus software manufacturers and Internet security firms have a stake in this game. While cyberthefts were escalating, corporate spending on cybersecurity was, too. By one estimate it has increased 10 percent a year since 2006 to over $80 billion annually.
Another explanation for the high cost of cybercrime may be that it isn’t true. The Norton report numbers, for example, come from a survey of 12,704 adults and 4,553 children and 2,379 teachers between February and March 2011. Extrapolating from their responses, Norton not only came up with the $114 billion number, it also claimed that 431 million people were victims of Internet-related crime that year. But according to Dinei Florencio and Cormac Herley, researchers at Microsoft, to come up with these numbers Norton relied on the kind of statistical analysis used in exit polling, in which the sample is multiplied to get the whole, a method that does not translate because voter preferences and monetary losses can’t be calculated the same way. “Suppose we asked 5,000 people to report their cybercrime losses, which we will then extrapolate over a population of 200 million,” Florencio and Herley wrote in The New York Times last spring. “Every dollar claimed gets multiplied by 40,000. A single individual who falsely claims $25,000 in losses adds a spurious $1 billion to the estimate. And since no one can claim negative losses, the error can’t be canceled.”
Still, if upward estimates skew the numbers, so do absent estimates. It is now well documented that corporations and other institutions are reluctant to admit losses or acknowledge security breaches out of fear of alienating customers, seeing stock prices plummet, or encouraging lawsuits from those affected. After hackers broke into the computer system of the Wyndham Hotel chain three times in the past four years, making off with hundreds of thousands of credit card numbers, the company chose not to acknowledge the thefts to shareholders in its annual report. It was the same for Amazon, which failed to report a large-scale theft of customer data from its Zappos and 6pm clothing divisions, an oversight challenged by the Securities and Exchange Commission, which would like companies to be more forthcoming with such information. (The SEC can do no more than express such hopes. It has no statutory power here.)
Despite corporate reluctance, and possibly because of it, the courts have been engaged anyway. After a Russian syndicate stole around 6.5 million passwords from the social media site LinkedIn this past spring, one of the victims initiated a class action suit claiming not only that LinkedIn did not properly guard personal information, but that it purposefully withheld notice of the attack from those whose data was compromised. The passwords could be used to access users’ private information, including phone numbers, addresses, and professional history, and could often be used as well to access other online accounts such as e-mail or bank accounts, since many people use a single password for most of what they do online. Meanwhile, the Federal Trade Commission has brought a lawsuit again Wyndham World Wide, alleging that the company failed to protect its guests and asking the US District Court “to order Wyndham to stop deceiving customers about its information security practices and to order Wyndham to refund lost money to [them].”
As common as it has become for companies to keep cyberattacks under wraps, it is also the case that attacks are now so numerous and sly that businesses and other organizations are often unaware that their systems have been compromised. According to a study by the Internet technology company Juniper Networks, as reported in a publication called Homeland Security News Wire, “in the last year 90 percent of businesses had suffered at least one security breach.” And when Richard Bejtlich, the chief security officer at the American computer security company Mandiant, made inquiries, he and his colleagues found that 94 percent of his firm’s clients did not realize that their companies had been breached—in this case, apparently, by Chinese hackers looking for trade secrets and other information that might give them a business advantage. “In many cases, the skills of the adversaries are so substantial that they just leap right over the fence, and you don’t ever hear an alarm go off,’’ the FBI’s Shawn Henry told The Wall Street Journal.
Richard Bejtlich and his firm are what are known in the hacking world as “white hats” or “ethical hackers.” They use the tools of hacking to penetrate computer systems, find holes in their security, and, ideally, patch them. The good guys in the white hats are so keen not to be confused with the bad guys in the black hats that there is now a course of study offered by the International Council of E-Commerce Consultants to certify their ethical bona fides. This may be, in part, because a lot of the white hats used to be black hats. They have followed the lead of Kevin Mitnick, the man who, a generation ago, was the world’s most notorious black hat hacker, the bane of the FBI, who served five years in prison for breaking into telecom companies, government agencies (including, possibly, the National Security Agency), and academic institutions. Mitnick now runs his own white hat computer security firm and is paid good money to do what he used to do for kicks and the promise of an orange jumpsuit.
The breathless beginning of Mitnick’s latest memoir, Ghost in the Wires, has him breaking into a corporate computer network Mission Impossible–style. To do so he sneaks into the corporation’s offices using a fake ID, then has an assistant climb through a ceiling to let him into the offices of the network administrator, whose computer he then hacks into. He takes his time before letting readers know that his adrenalin-pumping hijinks are all on the up and up. Still, such assurances may not do much to dispel the public perception that all hackers are cut from the same cloth.
One reason it is hard to distinguish between, say, the hackers from Anonymous and the hackers from the Chinese military, and both of these from a nineteen-year-old in Georgia, is that hackers like it that way. Eager to follow the hikers’ dictum to “leave no trace,” they operate from behind proxy servers—intermediary computers between the hackers and their targets—that hide their own computers’ unique identifiers, making it nearly impossible to pinpoint where in the world they are. They also adopt online personalities that, typically, are more wishful than real, and they use monikers that are meant to deceive. (One of the more active members of the hacker group Anonymous who called herself Kayla and claimed she was a teenaged American girl was actually a British man in his twenties who had served four years in the army.) As Parmy Olson points out in her exhaustive and darkly entertaining chronicle We Are Anonymous, “individual personalities could emerge, but people still had no real-world identities.”
In his own research, Misha Glenny found it “impossible to establish fully what was really going on between the players, and with whom they were ultimately working.” This was not just a problem for outsiders like him. Even the “Anons” of Anonymous had little idea with whom they were working, according to Olson. Trust was contingent, and fleeting. When the hacker who went by the name Sabu started sharing personal information, revealing his actual name and hometown, a colleague of his in the Anonymous group, who went by the name Topiary, began to distrust him. It was inverted logic, but it turned out to be spot on. When the FBI announced in March that it had caught Sabu, it also revealed that he had been an FBI informant for the previous eight months, selling out his crew.
As Parmy Olson tells the story, Sabu, whose real name was Hector Monsegur and real address was a sixth-floor apartment in the Jacob Riis public housing project on New York City’s Lower East Side, embraced his new double role, going so far as to identify himself to a police officer as a federal agent, a claim that eventually got him more jail time.
While feeding information to the FBI, Monsegur continued to consort with other Anons, plotting raids that enabled federal agents to gather evidence that would ultimately implicate his “friends.” Under the watchful eye of the FBI, Anonymous was free to carry out its hacks, most notoriously a raid on the “global intelligence” company Strategic Forecasting—or Stratfor—according to Olson, “an Austin-based intelligence service that made money selling a newsletter to clients who included the Department of Homeland Security.” As the FBI looked on, the Anonymous hackers lifted 60,000 credit cards and passwords, which they then used to make nearly $1 million in donations to the Red Cross, Save the Children, and other charities. They also took over five million Stratfor e-mails, which they “donated” to WikiLeaks.
Among other things, the Stratfor e-mails revealed statements by Stratfor employees that the government was spying on US citizens and corporations were spying on union representatives and other activists. They also seemed to indicate that the United States was preparing a secret indictment against WikiLeaks founder Julian Assange.And so, the question arises: Which hackers were wearing the white hats here and which were wearing the black?
The various actions of Anonymous and its offshoots have included shutting down Sony websites twice (once to avenge Sony’s lawsuit against the young hacker who had “jailbroken” its PlayStation gaming console and once for supporting the Stop Online Piracy Act then before Congress),2 briefly shutting down the Web operations of both MasterCard and PayPal after those companies blocked donations to WikiLeaks and Julian Assange,3 and also shutting down the Scientology website in an effort to “expel it from the internet.” If there is a guiding principle to these actions, it is that “information deserves to be free.” It’s not so much freedom of information that’s involved as the freeing of information from organizations that control it.
To try to ascribe a more coherent political philosophy to a bunch of individuals who steadfastly reject coherence by their alliance with an organization that doesn’t exist, since it cannot be joined and doesn’t have members, not only would be folly, it would miss the current of nihilism that runs through Anonymous, whose primary allegiance, at least early on, was to the “lulz”—that is, to fun and games and laughs, no matter at whose expense. (This is where the name of one of the main Anonymous offshoots, LulzSec—derived from the Internet acronym LOL, Laugh Out Loud—comes from.) Why call each other “fags” and “niggers”? Why coerce people into performing sexual acts in front of a webcam by threatening to reveal information about them or to “find their true identities, send them threats on Facebook, or find their family members and harass them, too”? Why—because they think it’s funny to shock and humiliate.
Still, some of the same people who did these things also “liberated” the Stratfor e-mails, just as they hacked into the accounts of a venal government contractor, HBGary, and exposed, among other things, that this firm and several others had approached Bank of America with plans to attack and discredit WikiLeaks. (According to an online report by Forbes, they proposed using “forged documents, pressuring donors, and even blackmailing [a] WikiLeaks supporter.”) It was an Anonymous member, too, who wrote the program that allowed Tunisians to go online without government surveillance—a small bit of code that inadvertently catalyzed the Arab Spring.
Yet it was also in the spirit of the lulz that, around the same time, Anonymous stole the personal data of innocent people hoping to audition for the Fox TV show The X Factor, and took over the website of the Public Broadcasting System because it did not like the company’s documentary on Assange. (So much for the free flow of information.) In that attack, the hackers also inserted a made-up news story on the official PBS news site that claimed the dead rap star Tupac Shakur was actually alive and living in New Zealand, and changed the company’s home page to a cartoon image of a fat man eating a huge hamburger with the caption “LOL HI I EAT CHILDRENS.”
If this seems coarse and childish it may be because so many of the members of Anonymous turned out to be not much older than children themselves. Jake Davis—Topiary—was eighteen at the time of his arrest; T-flow, who wrote the program for the Tunisians, was sixteen. At twenty-eight, Hector Monsegur was almost a generation older. When his participation came to light, he was quickly identified in the press as the group’s leader, an allegation that was probably about as true as it was false. Though Anonymous purposefully operates without structure or hierarchy and claims to be steered solely by the dictates of the “hive mind,” it should be noted that real hives—the ones that give us honey—actually work under the direction of an enlightened monarch, the queen bee. Leadership in Anonymous is more fluid than that, with one (or more) Anons suggesting an action and others joining in or not, but when Monsegur was involved, he did seem to be the one steering the others in a more political direction.
The advantage of having no actual leader, no formal structure, and no preordained agenda is that when the FBI and other law enforcement agencies around the world arrested Monsegur and twenty-four other Anons, taking them offline, Anonymous did not go with them. Instead, it continues to operate, sometimes under its own name, sometimes under the names LulzSecReborn, MalSec, and SpexSec, among others. The names are fungible, just as Anonymous is fungible: anyone, anywhere, is free to work behind its mask. As an unnamed member of LulzSecReborn purportedly told an unnamed interviewer in an exchange that was released on the Romanian website Softpedia, LulzSecReborn “continues where the old LulzSec stopped, to hack military and government sites and release their databases full of sensitive information to the public.” They and their compatriots have been able to make good on the promise: “We are Anonymous. We are Legion. We do not forget. We do not forgive. Expect us.”
Reading about Anonymous, LulzSec, AntiSec, MalSec, DarkMarket, Operation Card Shop, Operation High Roller, the Chinese hackers who recently broke into the Indian navy’s data center, the Islamic Anons who recently stole and published the personal identity card information of Israeli citizens, the Indian hackers who (also recently) defaced two official Pakistani government websites to commemorate the deaths of their countrymen in the 2011 Mumbai bombings, the new release by WikiLeaks, from the raid by Anonymous on Stratfor, of millions of documents from Syria, and on and on, brings to mind the Stuxnet virus. Stuxnet’s genesis—from top-secret idea to top-secret joint creation by Israeli and American programmers to top-secret deployment in an Iranian nuclear enrichment plant to its very public escape onto computers throughout the world—has been precisely unraveled by David Sanger, both in his reporting for The New York Times and in his masterful new book Confront and Conceal. Stuxnet is a weapon in an undeclared war being fought so surreptitiously that for a long time its targets, according to Sanger, had no idea what, if anything, had hit them. Now that it is not secret, and its architecture and coding are available for all to see, Stuxnet has the potential to take hacking to a new level.
If, in its early forms, hacking was about messing with hardware and then messing with the software that controlled the hardware—the kind of hacking that takes place, essentially, in a closed universe—when it moved to the Internet it became an artifact of all of our lives or, at least, the parts of our lives that happen online—our work, our personal correspondence, our banking and shopping, and more. Whatever may be the real number of people affected by cybercrime, we are all vulnerable, no matter how many special characters and numbers and silly phrases we add to our passwords. But it is not just as individuals that we are at risk. Last year alone there were around two hundred attempted or successful attacks on the basic infrastructure that undergirds society, including water treatment plants, the electric grid, oil and gas refineries, power plants, and transportation systems.
Yet even this pales in light of the exponentially destructive power of Stuxnet and whatever other viruses it generates and inspires.4 As the German security expert Ralph Langner, who first cracked the Stuxnet code, wrote in The New York Times, the real threat of Stuxnet is that it will morph into a cheap weapon available to organized crime, rogue nations, terrorists, hacker kids with time on their hands, and anyone who wants to “fix” the world. “Any US power plant, including nuclear, is much easier to cyberattack than the heavily guarded facilities in Iran,” Langner wrote. “An attacker who is not interested in engaging in a long-term campaign with sophisticated disguise (which rogue player would be?) needs to invest only a tiny fraction of effort compared to Stuxnet.”
Despite knowing this, and despite warnings from General Keith Alexander, who heads the United States Cyber Command, that it is “only a matter of time” before a cyberattack causes physical damage to critical, life-sustaining systems, the Senate, in August, under pressure from the US Chamber of Commerce and other business interests, killed a cybersecurity bill intended to shore up infrastructure defenses (much of it operated by corporations who didn’t want to report attacks, pay for improvements, or surrender any autonomy to the government).
And so we continue, come what may, down the Hacker’s Way.
September 27, 2012
Pride and Prejudice
Cards of Identity
Certain proprietary applications that Google distributes with Android, such as Gmail, are not open to manipulation. ↩
It should be noted that the young hacker on whose behalf this attack occurred, George Hotz, disavowed it. In an interview with New Yorker reporter David Kushner (May 7, 2012) he said: “I’m the complete opposite of Anonymous. I’m George Hotz. Everything I do is aboveboard, everything I do is legit.” ↩
Upon which the group tweeted: “Freedom of expression is priceless. For everything else there’s MasterCard,” echoing MasterCard’s own iconic ad campaign. ↩
The Moscow-based security company Kaspersky Lab has identified three other viruses that have been deployed in the Middle East that it believes to be “state-sponsored.” ↩