Authors: Mary Aiken
Talented and lawless, beyond society, the criminal hacker's story could be taken from the pirate playbook, like a mash-up of
Bluebeard
and
Revenge of the Nerds
with a dash of teenage narcissism à la Holden Caulfield thrown in. And while Edward Snowden isn't truly one of them, his sharing of confidential NSA files raises the same questions that are raised by the persistence of hacking in our culture.
Is it heroic or criminal?
Are hackers courageousâor just angry?
According to technology writer Debra Littlejohn Shinder, typical
criminal hackers share a set of personality traits:
â¢
They have a tolerance for risk.
â¢
They tend to have a “control freak” nature and enjoy manipulating or outsmarting others.
â¢
They have advanced tech skills (to varying degrees) but at the very least can manipulate code.
â¢
They have a certain disregard for the law or rationalizations about why particular laws are invalid or should not apply to them.
The media and popular entertainment often use the term
hacking
in a derogatory way. A more accurate view of hacking is not always negative. While there are still hackers, or “black hats,” who violate cyber-security due to pure maliciousness or for personal gain, like stealing credit card numbers (or “carding”) or cooking up a new virus, there has been a rise in “white hats” or “ethical hackers,” who use their skills for good, ethical, and legal purposes. They are often employed by large organizations to test their computer security systems. This is called
penetration testing
. If these hackers find vulnerabilities, they will disclose it to their client.
Falling somewhere in between are the “gray hats.” They don't work for their own personal gain but may do unethical things or commit
crimes, which they tend to justify as for a good cause. For instance, they might test the security of a cyber system, looking for vulnerability, and let the operator know about it.
Suppose, say, that you woke up in the morning and heard a knock at your bedroom door. You opened it and found an ethical burglar standing there, wanting to tell you that he had broken into your house, bypassed your alarm system, entered your bedroom the night before, and left a note by your bedside. Your house has a serious security flaw. What would you say to this intruder? “Thanks”? That's what gray-hat hackers do, and they don't always get thanked for it.
At the start of the Steed Symposium, after introductions were made, a short film was aired. It was set in the futureâ2024âand told the story of a woman who had been given a brain implant, a chip that regulated and controlled her. She had committed a murder, in fact. But she had no motive. She had been directed to kill a man by the chip implanted in her brain.
The audience perked upâhey, maybe this was going to be a good night after all.
The moderator turned to Ralph Echemendia, the cyber-security samurai, and asked how he first got into hacking.
“I was a thirteen-year-old boy growing up in South America, and my friends and I were getting into porn,” he said. “
And it never downloaded fast enough!
That's how I got into hacking.”
The audience loved thatâand burst into laughter and applause. Ralph continued talking about his early yearsâhow he hacked ham radios, hacked old bulletin board systems, and did phone phreaking, or finding ways to mess with the telephone company, usually to get phone service for free. His interest in technology eventually led to jobs in the computer industry. For the past fourteen years, he has conducted security audits and penetration tests, and has consulted for numerous organizations around the world, including the United Nations, Oracle, and various hospitals and financial institutions.
As I listened to Ralph talk, his passion for his work shone throughâand began to shatter my narrow assumptions about hackers and hacker culture. It became increasingly apparent that intellectually, in terms of our view of all things cyber, we were aligned. He didn't talk about tech
as much as he talked about people's lives, about culture and society. And the ways that technology could be used to improve life on earth, not distort it.
The moderator turned to me next. “What's the explanation for why people hack?” she asked.
“If you are talking about humanistic psychology, it could be for an emotion such as love or revenge,” I replied. “But if we are talking behaviorism, then it's all about reward or profit. But my favorite explanation for why people hack is the Freudian, or psychoanalytic, school of thought.”
The moderator looked puzzled. Ralph looked intrigued.
“Psychoanalytic? What's that?” she asked.
“It explains hacking as a psychosexual urge to penetrate.”
“Respect!” Ralph cried out, and fist-bumped me. Our friendship was born.
This is a line I've used beforeâprimarily to wake up an audience of near-comatose cyber-security professionals. It is meant to be a joke aimed at the behavioral sciences, where there are typically several conflicting explanations for one phenomenon, which can be so irritating to the dyed-in-the-wool hard-science community. Recently, though, I was unmercifully trolled on Reddit by technophiles who felt offended by this joke.
I read through the stream of abusive comments, and to be honest, I was pretty impressed by the level of psychoanalytic knowledge expounded, everything from my “father complex” to my alleged desire toâhow can I put it delicately?
âbe intimate with
a hacker. When some commenters actively defended me, I resisted the urge to jump into the conversation and thank them. All in all I was not outraged or shocked or hurt. I saw this trolling behavior for what it wasâsimply interesting feedback, data, and lots of it.
As my good friend John Suler says, “Let your critics be your gurus. You can treat them as an opportunity. Ask yourself why you're ruminating on a comment. Why does it bother you? What insecurities are being activated in you?”
In other words, nobody can make you feel anything. You are responsible for how you interpret, react, and feel. It's good advice to keep
in mind when dealing with barbs and nasty comments online. If you are hanging out in cyberspace, you will surely find them.
Back in the real world, later that week, Ralph and I had dinner. We talked for hours. We discussed everything from the cyberpsychological nuances of socially engineered attacks to how easily your mobile can be compromised to send mischievous texts. And we discovered we shared a passion: kids with tech skills and how to nurture their talent. Like another colleague of mine, FBI Special Agent in Charge Robert Clark, a superdedicated and charismatic man who is very concerned about keeping young teens out of trouble in cyberspace and the real world, Ralph and I have both seen the statistics showing that younger and younger kids are becoming involved in hackingâand crime online.
Surely the generation being raised will have unimaginably fine tech intelligence. We've spent decades rewarding individuals with a high IQ, and more recently EQ (emotional quotient). But what about a new metric, TQâtechnology quotientâto identify, assess, acknowledge, and reward individuals with the superlative tech skill sets that many kids intuitively display? Is a metric for intelligence designed almost fifty years before the first computer and one hundred years before the ubiquity of the Internet still fit for the purpose?
We need to find ways to reach out to tech-talented individuals, especially young people, nurture them, and teach them to think about others as peopleânot computers or machines. The tech-talented have such a lot to offer. And just like the pirates of yore, sailors who could turn a frigate on a sixpence and navigate expertly by the starsâand with the right environment and nurturing, could have made great naval commandersâthe skills of high-TQ individuals could be harnessed to make enormous contributions to the quality of all our lives, or cyber-lives.
As Ralph spoke, I was beginning to see that hackers have their own distinct perspective and moral code. And while I certainly don't endorse anything that involves breaking the law, I do respect raw talent and genius. And if hacker culture can produce a guy like Ralph, there must be good things happening there.
At the end of dinner, Ralph said, “Mary, the way you understand behavior online, you have mad hacking skills.”
What did he mean?
“But, Ralph, I'm not a hacker.”
“Oh, but you areâyou just don't know it.”
After the arrest of Ross Ulbricht and the shutting down of Silk Road in 2013, it wasn't too long before a new site, Silk Road 2.0, sprang up to fill the void. There were lots of copycat sites on the Darknet selling contraband by thenâsites like Evolution, Agora, Sheep, BlackMarket Reloaded, AlphaBay, and Nucleusâoften referred to as
crypto-markets
by law enforcement.
Many of these have come and gone already, but the offerings continue to expand.
The black market has proven amazingly resilient. And the sellers grow more sophisticated each year.
As an article from
Wired UK
attests:
The first thing that strikes you on signing up to Silk Road 2.0 is the choice. There were almost 900 vendors to choose from, selling more drugs than I'd thought possible. Heroin, opium, cocaine, acid, prescription drugs are all readily available. Technically speaking, Silk Road 2.0 is an anonymous market for anything (with some exceptions, such as child pornography), which means there are also sections for alcohol, art, counterfeit, even books. Listings included a complete boxset of
The Sopranos;
a hundred-dollar Marine Depot Aquarium Supplies voucher, and fake UK birth certificates. Each with a product description, photograph and price.
But most people are here for the drugsâ¦.As I browsed through the marijuana offers, I found 3,000 different options advertised by over 200 different vendors.
According to some accounts,
the number of products available on Darknets had more than doubled in less than two years after the 2013 arrest of Ulbricht, to fifty thousand.
Why?
I suspect the swashbuckling stories in the media about Silk Road
may have encouraged curiosity about the Darknet and its offerings. The profusion of how-to guides that help newbies and first-timers figure out how to get to Darknets is also a factor. According to INTERPOL, as of August 2014 there were at least thirty-nine such markets, and the majority use English, although there are sites in French, Polish, and Russian too. An investigation in 2013 estimated that one-quarter of the illegal substances sold in the U.K. were obtained from them. We can't know for certain, but the percentage of drug buyers using Darknets in the United States could be as high, or higher. A study done in 2015 analyzing the size of Darknet markets found that they do a brisk business. In just four years, since the development of the original Silk Road, the total sales volume is generally stable, around $300,000 to $500,000 a day. Even more remarkable,
anonymous marketplaces have proven to be resilient to takedowns and scams, because demand plays a dominant role.
What does that tell me? If we believe that figureâthat as much as one-quarter of the illegal drugs in the U.K. and U.S. are obtained through Darknetsâthen it means one-quarter of those drug buyers have taken the step to download the suitable protocols like Tor and have learned how to use them.
And it means that one-quarter of these drug buyers have arranged for shipping of illicit goods to their residences or post-office boxes. The United Nations Office on Drugs and Crime (UNODC) review of global drug seizure data shows that cannabis seizures obtained through the postal service rose 300 percent in the decade from 2000 to 2011.
It means that one-quarter of these buyers are likely exchanging cryptocurrencyâor using some form of anonymous and untraceable method of payment.
In 2015 the UNODC confirmed that there had been no major change in the regions where illicit crop cultivation and drug manufacture take place:
â¦but the illicit drug markets and the routes along which drugs are smuggled continue to be in a state of flux. The “dark net,” the anonymous online marketplace used for the illegal sale of a wide range of products, including drugs, is a prime example of the constantly
changing situation, and it has profound implications for both law enforcement and drug trafficking.
We know from reliable field reports and investigative journalism that
teens in particular have flocked online to buy drugs in recent years. It is perceived as being safer than entering a bad neighborhood. They may be looking for a quick way to score pot, ecstasy, or some other party drug. They may be using these drugs themselvesâor selling them for a profit to friends. Or, like the pirates of old, they may be simply looking for some excitement and adventure.
Now let's consider what we know about this age group. We know that impaired judgment can be common in teenagers, and when they gather in groups, due to the effects of the risky-shift phenomenon, they are even more likely to be judgment-impaired. Their judgment is further compromised in cyberspace due to the effects of online disinhibition.
Now let's put these factors together with the act of buying drugs, now made as easy and prevalent as pirating music, and ask a new set of questions: Would a teenager be more likely to try a new drug when anonymously browsing the thousands of offerings on a black market site, simply due to the vast selectionâso temptingly described and photographedâthan he would to buy the same drug on the street?
Probably.
Would a young person be more likely to buy more drugs, due to the effects of online disinhibition?
Probably.
Remember the Triple A Engine of the Internet from
chapter 2
? The three ingredientsâaffordability, accessibility, and anonymityâare known to successfully drive people to sites that facilitate sexual communication online. But I believe this construct also explains the success of the black market drug sites. In other words, if you offer something illicit and forbidden, but with the features of the Triple A Engine, buyers will appear in droves.