A caveat to this entire post: I’m not an expert in computer or network security. That said, I do earn a living doing software development. Light stuff, to be sure. Mostly games. Lighthearted stuff. Not a lot of heavy work, in terms of security. No bank databases involved, you know?
In 1966, the US had one of those golden moments—one of those moments that shed glory on the “American experience”, seem to gilt-wrap it into a fine bundle, like a Rockwell painting or a Capra film.
A 32 year old Harvard Law graduate named Ralph Nader had written a book titled Unsafe at Any Speed. In it, he “charged [Chevrolet’s ] Corvair with sloppy—and therefore presumably unsafe—engineering in its rear suspension system.” He accused General Motors, one of America’s biggest corporations at the time,* of playing Monopoly with people’s lives.
In retaliation, GM hired a private investigator to dig up dirt on Nader. The PI told his agents to “check Nader’s life and current activities, to determine what makes him tick, such as his real interest in safety, his supporters if any, his politics, his marital status, his friends, his women, boys, etc., drinking, dope, jobs, in fact all facets of his life.”*
But GM’s timing was more than just late (the book had been out for nearly a year already); it was unlucky. Nader was preparing to testify before a Senate subcommittee on vehicle safety, and the chair of that subcommittee, Senator Abraham Ribicoff, became aware of the legion of snooping investigators trailing after Nader. With righteous fury, Ribicoff called General Motors President James M. Roche on the floor before the subcommittee and demanded Roche make a public apology for his company’s actions. Ribicoff forced Roche to admit to all of GM’s sins and to promise that it would “not be [their] policy in the future to undertake investigation of those who speak or write critically of our products.”
It wasn’t just a David and Goliath story. More like David, Goliath, and David’s big brother. The “Big Brother”. But unlike Orwell’s government, this American one, at this time and place in her history, was acting like you’d want an older sibling to act. She was protecting the little guy. And, in this situation, the little guy was protecting us.
This “protection” sideline for our government hasn’t gone away—in fact, it feels as critical today as it ever was. We expect protection from predatory lenders, from mislabeled bond ratings, from reckless petroleum companies, from HMO’s and insurance providers, from genetically modified foods, from terrorists, from lead toys made in China.
Somewhere in the corner of this now-crowded room is another threat we expect to be protected from, one that our government has aggressively sought to protect us from for over 25 years now. But for the majority of those 25 years, our policies and our enforcement of those policies in combating this threat have been a complete and utter failure. Not because of a lack of zeal, but rather because we’ve forgotten the lesson of Ralph Nader and GM, circa 1966.
That threat is the menace of the “computer hacker”.
The Computer Fraud and Abuse Act (CFAA), enacted in 1984, was originally worded to specifically defend communications and government networks from hackers and “phreakers” (those who manipulated telephone networks, usually with the intent of making free calls… we were still in the days of the BBS, and I imagine a number of phreakers were trying to find ways to freely access boards in other states), but was expanded in the 1990s to protect “any computer connected to the internet”,* which, given today’s widespread interconnectivity, cuts a staggering swath. One of the very few limitations on the use of this blunt law enforcement instrument is a requirement that $5000 in damage must be wreaked by the intruder… but “victims” have a long history of inflating their damages and easily surpassing that value. (This often includes—and this is certainly egregious—correcting the hole that the hacker came through. It’s equivalent to leaving a door of your house open, and then prosecuting a trespasser for the cost of having to get off the couch and shut the door.)
Put frankly, protecting “any computer” is an impossible task for the FBI or any other law enforcement body. And it does not address the two most significant fronts in the anti-hacking war. One is preparedness: correcting holes in our collective security. And the second is a threat from international hackers, outside of the FBI’s (and the CFAA’s) jurisdiction. The fact is that the CFAA and many of our other anti-hacking enforcement tactics are not only not helping us defeat unethical hacking: they’re hurting us.
*
The image of the “computer hacker” has been getting more and more tawdry as its glamor has worn off. Many now seem to immediately associate the word with identity theft and stolen credit card numbers, purse-snatching actions made by low-level cyber thugs. But those who still attribute an element of the super-human to hackers (thanks, Matrix) can entertain more dire doomsday scenarios: bank accounts emptying, telephone systems crashing, or planes falling from the sky.
Those notions (and others even more fantastic) are the ones that have fueled hacker paranoia. It’s that paranoia that led to our extremely aggressive prosecution of “bad” hackers, and our equally backwards, retrogressive approach to cyber security and law enforcement.
For the moment, let’s set aside any stigma, grandiosity, or caricatures that have been so long associated with the word “hacker”. Much of “hacker” mentality is curiosity. Most people, you give them a piece of machinery, and instruct them to insert tab A into slot B: they will. And if they get the expected reaction, they’re happy. A “hacker”, though, might look at the instructions and wonder, “But what happens if I put tab A into slot B backwards?”
A juvenile question, but emblematic: it’s curiosity mixed with a bit of snarky cleverness. That’s why so much software and hardware hacking is about getting things to work in ways they weren’t designed to. If you’ve ever used a bic lighter to pop the cap on a beer, or looked the wrong way through a telescope, you’ve done a simple hack. You did things wrong on purpose because it gave you a tool you didn’t have before, or something interesting happened.
What happens when you put tab A in backwards is a valid question for those who are genuinely curious, but the fact is, almost no one but hackers are curious enough to bother doing it.
So: hacking is not magic. “Cyberpunk” movies, comics, and books have elevated it into an epic religiosity, full of mysteries. But it’s not magic, in the same way that “magic” is not magic. If you don’t understand how a magic trick works, how the playing card you chose suddenly wound up in your back pocket, you’re astounded. If the magician explained it to you, you’d be a lot less impressed. That’s why magicians don’t explain.
Most hackers, on the other hand, are happy to explain lots of things. Many are altruistic. They share with each other constantly, they make software tools and then just give them away. When a magician makes an apparatus for a trick, he usually hoards his secret or monetizes it by selling to other magicians. Some hackers may be smug, but in general, they will explain things to you.
Unfortunately, unless you and said hacker work in the same field of study, you probably won’t understand the explanation. When it comes to that most notorious subset of what we call “hacking”– exploiting security gaps (sometimes called “cracking”)– I know I don’t. There’s an education gap. For me to learn (or for that matter, most judges and federal prosecutors) I’d have to devote time to learning basics in cryptography, server administration, routers… I’m so ignorant, in fact, I’m not sure what I’m ignorant of. Unfortunately, most of us are just not qualified to understand that sort of “hacking” deeply.
But its practitioners are not superhuman, and very few of them are monsters.
*
Toss out those mystical, Hollywood images of what a hacker is, and instead look at some real hackers in the news media this past couple of weeks. Last week, you’ve got the piece on Julian Assange in the New Yorker. Assange is a journalist-hacker-activist-cryptographer-cryptanalyst, and if you read up on his activities, you’ll find that collection of skills makes a sort of sense… He has, in fact, created a life (or had one created for him) in which they’re all necessary and complementary. His biggest recent achievement is the release of footage of a US military helicopter attack.
That attack, in 2007, resulted in the death of two Reuters news staffers, as well as at least fifteen other people (and quite probably more). Reuters, one of our largest news agencies, was unable to get the military to release the footage. But two years later, Assange and the activists he works with came into possession of a digitally encrypted video of the attacks. After three months, Assange and his team cracked the video’s encryption, and then leaked the video via their website, WikiLeaks, a site that they go to great lengths to try to make unblockable, uninterruptable, and unshutdownable. The video appears to shows a tragic failure on the part of the military: unarmed men, including the staffers, being killed.
The upshot is that what Reuters could not do, Assange and a small group of hacker activists did.
But how “threatening” was the helicopter attack video leak? It’s bad press for the US military, and it’s “criminal” to expose sensitive military documents… but we’ve sustained years of being told that information is too sensitive for public release. Which is more unethical: releasing the video or suppressing it?
Because Assange is a “hacker”, he scares the beejesus out of people. He’s in the news again this week, accused of holding diplomatic cables stolen from a US embassy. Many have claimed that, if he is in possession of those leaked cables, his future actions could threaten US security.
But the leaked cables, even if Assange has them, were not hacked. The theory is that he might have been given them by an unhappy military officer. How is this different than the situation existing between a typical journalist and a source?
For a different look at the ethics of this situation, consider the experience of Assange himself at age 20. As a young man, he hacked into a telecom company, saw that an administrator was signed on, and said hello: “It’s been nice playing with your system. We didn’t do any damage and we even improved a few things. Please don’t call the Australian Federal Police.” Just a few years later, Assange was in court, pleading guilty to twenty-five charges of computer related crime. He was fortunate, though. The judge decided that there was no evidence that Assange had any intentions beyond “inquisitiveness” and the pleasure of gaining access. (Fact: the telecom company claimed a hundred thousand dollars in damage, which I doubt highly, and the judge discounted. More likely, Assange’s incursion pointed out existing problems that the company was then obliged to fix.)
If the real threat of Assange is not that he’s a journalist with confidential sources, but rather that he has an anarchist’s view towards freedom of information and has fought to gain the technical acumen and financial resources to do what he likes, I suggest that the experience of that prosecution was part of the crucible that made him.
*
The other big hackers in the news this week are the tragically named Goatse Security (if you have to ask about the name, save yourself and don’t).
They were big news yesterday, as they’d disclosed evidence of insecure servers at AT&T that exposed the email addresses of iPad users. To quote Gawker: “The specific information exposed in the breach included subscribers’ email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T’s network… and is used to identify the SIM cards that associate a mobile device with a particular subscriber. AT&T closed the security hole in recent days, but the victims have been unaware, until now.” (italics mine).
Given that the “victims” include “a GMail user who appears to be Rahm Emanuel and staffers in the Senate, House of Representatives, Department of Justice, NASA, Department of Homeland Security, FAA, FCC, and National Institute of Health, among others,” I would say that the fact that AT&T was not forthcoming about the breach is somewhat irresponsible. It suggests that they would never have admitted the security hole at all, were they not outed by Goatse and Gawker.
Further muddying the situation is a dispute between Goatse and AT&T. Goatse says it notified AT&T before leaking the story to Gawker; AT&T says Goatse never did them that courtesy, that they found out from a customer on Monday. But if you boil it down, AT&T’s contention amounts to: these Goatse people knew we had a problem… and then told the public there was a problem.
The issue of import then, if one follows AT&T, seems to be that AT&T was embarrassed. Not that there was a security hole. Pay no attention to the man behind the curtain; the emperor was fully clothed and iron-clad the entire time.
You can see AT&T’s concern. It’s embarrassing for a large company to get publicly called out on security issues, and it can be expensive in terms of PR, if not the actual cost of fixing the leaks. And, if regular people (including teenagers and twenty year olds) can point out a problem in a government’s or corporation’s security, it undermines the public’s faith in the notion of those reliable, infallible, gigantic entities.
Unless you engage the Lex Luthor effect.
We have an ugly history of gross over-punishments for hackers, supposedly in the name of “deterrence”. But it has also served as a handy way to whitewash the security lapses made by large institutions. To wit: “These hackers aren’t regular people. Regular people don’t get gross over-punishment—this is fair punishment, because hackers are (perhaps magical?) super-criminals. There was nothing wrong with our security. Not when you’re dealing with normal people. But super-criminals are another story. It’s not us. It’s them.”
For an example of the Lex Luthor effect, take one of America’s most famous “hackers”. The US Justice Department called him “a computer terrorist”. The FBI called him “the most wanted computer criminal in the country”. Law enforcement officials told a judge that he was able to “start a nuclear war by whistling into a pay phone”. He was jailed twice. The US Attorney said his capture sent “a message to anyone else who believes that the new technological frontier can be abused for criminal purposes. We will track you down… and put you in prison.” When he was released in the year 2000, he was not allowed to use phones or computers for three years. As if he could somehow rain destruction down with just a rotary phone.
The man I’m referring to is Kevin Mitnick. He’s often identified as a hacker, even though he himself admits that his bag wasn’t software hacking, but just tricking people into giving him the passwords and codes he needed (aka social engineering, aka lying).
If we can trust the wikipedia entry on Mr. Mitnick, the “computer terrorist”, we can trust too the posted description of both his confirmed and alleged crimes. A quick run-down (skipping the ones that have to do with evading arrest): 1) Got free rides on the LA bus system. 2) Hacked into a computer just to “look at” source code. 3) Hacked into some other systems—doesn’t say anything about damaging them. 4) Stole a couple computer manuals. 5) Read some people’s emails. 6) Wiretapped the DMV. 7) Made free phone calls.
Even assuming that some of these actions were preludes to other crimes (possibly ones with financial motives)… What happened to “computer terrorist”? What happened to “nuclear war by whistle”? Where is this boogie man?
*
It’s the case that a number of these “master criminals”, these hackers who’ve been threatened with or have served jail time, they don’t seem to conform to typical portrait of hardened criminals.
Take a look at a “top five” “black hat” (read “unethical” or “criminal”) hackers.* (I believe this list is entirely laughable, but it serves my purpose here.) 1) Jonathan James: A sixteen year old who “stole” NASA software. The software didn’t go anywhere, he just downloaded a copy. Didn’t sell it, didn’t share it. 2) Adrian Lamo (tragic last name, and the man who outed the leaker of the embassy cables mentioned in conunction with Assange earlier): hacked into company intranets, then called them to tell them they had security holes. No clear damage done. 3) Mitnick: enough said. 4) Kevin Poulsen: Hacked an LA radio station call-in contest. Is now a senior editor at Wired and helped MySpace catch sex offenders. 5) Robert Tappan Morris: son of former NSA scientist; accidentally made the first internet worm when he was 23. (His honest accident cost him three years probation and $10,000. He also has the distinction of being the first person indicted under the Computer Fraud and Abuse Act.)
…One’s tempted to ask what the joke is. Someone must be pulling our legs. These five people are our most famous “black hat” hackers? Throw in the Care Bears and My Little Pony and you’ll round the group right out.
The fact is, the FBI (the chief investigator, the “posse”, if you will, in most of the cases just listed) isn’t likely to catch the people out there who really do represent “cyberthreats”. They’re more likely to catch none of them. Big-time “black hats” aren’t in the FBI’s jurisdiction. They’re in the employ of the Chinese government, at work doing corporate and military espionage; they’re in Eastern Europe pulling down badly guarded databases filled with credit card numbers.
The FBI’s not going to catch them. Quite likely, no one is.
*
Accept that no one’s going to catch the real “black hats”. Then what do we do? The only thing we can do is make ourselves less vulnerable. Imagine computer and network security by just thinking about workplace/building security. People can come in open doors and windows—we must make sure they’re locked. People can unlock those doors with keys—we shouldn’t leave keys out to be copied. People can imitate workplace uniforms—so we must check IDs, even if a person is dressed like an employee.
And as a community, we should watch each other’s backs. If a window is open, spread the word. If anyone sees a hole in the dike, they have a civic duty to let the rest of us know. And that’s what the computer security and “hacker” communities usually do. They’ve shown us security flaws in Google’s Chrome browser, Youtube’s video player, and other important tools and websites. Much of the time, the “hackers” quietly inform the creators of the problem. Occasionally, they inform the public, too, causing embarrassment to the creators (though most of the time, this sort of information never leaves the hacker news community). But unless we’re to consider every member of the public bound by non-disclosure agreements to companies they don’t work for, it’s our prerogative to speak our minds as we like. If I have a valid criticism of a company’s work (even if I have the basest motives: perhaps I absolutely hate the company, and act out of pure malice and a desire to humiliate them), speaking it aloud should be no worse a crime than being the theatre critic who destroys a new musical with a thumb’s down. Telling a company first is a courtesy; telling the public first can be reckless and uncouth… but it should not be a crime.
This is the first half of our breakdown in law enforcement, and the problem with the way we approach cybersecurity and “hackers”.
Return to this morning’s (now yesterday morning’s) reports on the AT&T/iPad leak. Within 24 hours, news reports expanded to mention that “the FBI is investigating”.
The FBI’s involvement is not shocking. A number of important people’s email addresses were exposed. One might expect the FBI to contact AT&T, find out how it happened, and set our government at ease that such a situation will be avoided in the future. And perhaps they are doing that.
But that is not the FBI activity that is being reported. The FBI has told the Wall Street Journal that it is investigating “possible computer intrusions”. Gawker has been issued a preservation notice pending an investigation that likely targets the Goatse hackers.
This represents a failure. Because it’s not Goatse’s responsibility to safeguard AT&T user data, or to play nicely with it. They played hard, stomping all over a publicly exposed AT&T server, and sent then sent a copy of the data that leaked out to a news outlet. They fulfilled the intent of their lurid namesake motto, “exposing gaping holes”. Despite the inelegance, it can’t be denied that the community at large has been safeguarded. We are better prepared and—even if AT&T’s claims are true, that they would have found and fixed the problem without Goatse’s interference—the publicity of the hole means that the next programmer working with a database filled with email addresses will think twice before taking a lazy shortcut.
But our thanks to Goatse is the threat of prosecution.
*
Our approaches to cybersecurity law are blind. There are almost no distinction between ethical and unethical hacking—there’s simply a blanket notion of illegality: it’s illegal to access a computer without authorization. The question of intent is an afterthought left to prosecutors and judges. Good guys, bad guys, and oddballs who call themselves Goatse all fall under the same net.
But this inability to separate the good guys from the bad (or odd) is an error that’s also crucial to the second half of our enforcement breakdown: the threat from international hackers.
International hacking is subject to the same illegalities regarding the safety of “any computer” on the internet, but is made largely toothless by the fact that we cannot prosecute overseas offenders. On top of that difficulty is the fact that overseas computers and computer networks are given the same respect as national airspaces. To wit: it’s considered an act of war to breach another country’s “cyberspace”.
Take the case of Shawn Carpenter in the mid 2000s. Carpenter was a former Navy computer specialist working at Sandia National Laboratory under employment by Lockheed. At that time, government and private institutions were suffering a rash of cyber-intrusions that came to be known as Titan Rain. The hackers behind Titan Rain managed to breach a number of high-security networks, from “the Redstone Arsenal military base to NASA to the World Bank”. They stole software used in our attack helicopters, and information on missile defense.
Carpenter began investigating the intrusions, feeding his information to the FBI as an informant codenamed “Spider-man”. He gathered evidence that seemed to indicate that Titan Rain was a massive operation (involving as many as 90 hackers) financed and organized by the Chinese government.
Be clear on this point: Carpenter was working with the FBI. But in doing so, he was counterhacking the Titan Rain hackers. That involved breaching foreign cyberspace and defeating the security on computers both domestic and foreign. (Very often these were computers that Titan Rain had themselves breached first—Carpenter was following their trail.)
Carpenter then was, de facto, guilty of two sins. Violating “any computer”, and threatening national security by invading foreign cyberspace. After many months of cooperation and appreciation, the FBI suddenly turned on him.
The FBI has never explicated the reason behind their change in demeanor. Perhaps when they realized they could have no control over the perpetrators, they turned to the “criminal” within their jurisdiction. Perhaps a full-blown Titan Rain investigation would reveal too much about the security holes in the systems maintained by the military and defense contractors. An embarrassment.
But whatever their motives, the upshot was that Carpenter was stripped of his top secret security clearance, was fired by his employer, and subjected to investigation by the FBI, the law enforcement agency that only too recently had called him “Spider-man”, and told him that, “You’re very important to us.”
Not important enough, however, to publicly confront the Chinese government. In addition to good guys and bad guys, comes this third heading: bad guys we conveniently (or impotently) ignore. These are the real black hats. And they’ll never go away. The only defense is a good offense.
*
Now remember the treatment we gave Ralph Nader in 1966. That Capra moment. And consider that all three of these recent hacker “cases” (Assange, Goatse, and Carpenter) are indicative of our attitude towards hacker whistleblowers. Our knee-jerk reaction, our instinct, is to investigate them. If we’re going to indulge in investigations of hackers to determine whether or not they’re “ethical”, we should likewise examine whether the investigations themselves (and the cost in terms of money and manpower, not to mention the stresses they put their subjects through) are ethical. In 1966, the Senate put a stop to investigating the good guy. The FBI and the rest of us should remember it.
UPDATE, 6/16/10: “One of the ‘Goatse Security’ hackers has been arrested on drug charges after the execution of a search warrant at his Arkansas apartment by agents of the Federal Bureau of Investigation.” The warrant was not related to drug possession, it was issued in relation to the AT&T security breach. The hacker is 24 years old. Goatse says their hacker (who may not be the one arrested) spent just over an hour getting the emails off AT&T’s servers, while AT&T’s chief privacy officer has said that “The hacker deliberately went to great efforts with a random program to extract the information.” Italics mine. Lex Luthor, QED.
Tell truth, I bought two original pieces of art recently. The first one though, only cost me six bucks. That’s right, only six!
RSS Feed