Famous for Fifteen Minutes: A History of Hacking Culture

It is often said that generals always prepare to fight the last war. A risk that is anticipated and planned for can usually be averted. It is the unplanned-for risks that overwhelm us. The appearance of professional Internet criminals was predicted in fiction long before the Internet became a mass medium. During the early years of the Web, we spent a great deal of time and energy looking for ways to defeat the professional thief. The mischief maker, the prankster, and the juvenile delinquent were overlooked.

Then a group of hackers cracked the Web site of the CIA.

The attack did not result in the loss of classified information, did not disrupt the work of the agency, and did not threaten the critical infrastructure. Nevertheless, the damage to the agency’s reputation was considerable. In the 1960s and 1970s, a standard move for the plotters of a military coup was to take over the national television and radio stations. A group of teenage vandals had managed the cyberspace equivalent.

As the overlooked risk became the concern, the anticipated risk was forgotten. Companies building Web sites learned to think of Internet security in terms of protecting their brand from embarrassment. Users learned that they could use the Internet without concern for their own security because government regulations make financial institutions such as credit card companies responsible for risk.

Meanwhile, the Internet became an increasingly important part of the economy. When asked why he robbed banks, Willie Sutton replied, “That’s where the money is.” Today the Internet is where the money is—lots of it—and the Willie Suttons of the Internet have been busy finding out ways to direct some of that money into their own pockets.

Organized crime rings operating out of Eastern Europe, Russia, Nigeria, and Boca Raton, Florida, are using the Internet to steal hundreds of millions of dollars per year. Their methods include confidence tricks, consumer fraud, and extortion.

By the time the professional cybercriminal finally appeared on the scene, security experts had learned to avoid suggesting money as the motive for an attack. As far as the press, the public, and most customers were concerned, Internet security was almost entirely a problem of juvenile delinquency, and anyone who suggested otherwise was engaged in scare-mongering.

The only Internet security problem that could be acknowledged was teenage hackers whose amazing technical skills were matched by a complete lack of social skills. According to the carefully constructed media image, these hackers scoffed at the notion of monetary gain, being interested only in bragging rights. Their attacks were launched to gain an ephemeral fame, or as Andy Warhol might have put it, to be famous for 15 mouse clicks.

The term hacker is a somewhat controversial one in the industry, and some people still try to insist on the original definition, which is a prankster looking for some harmless fun. The term hacker was coined at MIT, where “hacks” have been a part of university culture since long before the first electronic computer arrived on campus.4 Shortly before I arrived at MIT, a police cruiser appeared on top of the great dome above the main MIT entrance. On the centennial of the Wright brothers’ first flight at Kittyhawk, a model of their biplane appeared in the same place. The opening of Star Wars Episode One was greeted by turning the dome into the head of the droid R2D2.

The hacker culture played a major part in the early development of the computer. Many of the most important developments in computer science began as “hacks,” including Space War, the first computer game, and Internet e-mail.

During the 1980s, the term hacker began to be appropriated by another type of person whose idea of fun frequently involved actual malice. The MIT hacker culture acknowledged rules set by the university proctors and a set of self-imposed rules called the hacker ethic. The new hacker culture was an expression of teenage angst, angrily rejecting all forms of limitation and respecting the hacker ethic only when it suited them to do so. The MIT hacker culture was concerned with creating what might now be called street theatre or performance art. It was this tradition that led to the World Wide Web Consortium (W3C) finding a natural home at MIT, because the Web is simply a work of performance art on an unusually extended scale. The new hacker culture was interested in expression of power, at first power over the machines but inevitably becoming power over their users.

In The Hacker Crackdown, Bruce Sterling traces this new hacker culture to the phone phreak culture that surfaced on the West coast of the U.S. in the mid 1970s. The phone phreaks played pranks on the telephone system and occasionally managed to find ways to make a free phone call. Born of the era of flower power, protest, and the summer of love, the phone phreak culture has much more in common with the MIT culture than either had with the new hacker culture. In those days Ma Ball was the telephone company and fairly regarded as a part of the “system”–fair game for anything the phone phreaks might throw at it.

The hackers of the 1990s took their name from MIT, their language from the West coast phone phreaks, and their moral code from schoolyard bullies. Some were precocious in their technical skills, but few unusually so. The computer world has always been dominated by those who learned their craft at 12 and became masters before they left school. The fact that an idea is new does not mean that it must be difficult.

Many computing problems require little more than patience and eidetic memory and are thus a good match for the juvenile mind. We have all met 12-year-olds capable of prodigious feats of memory such as reciting the batting averages of every member of the Boston Red Sox or the results of every match ever played by Neasden United. Why should it be such a surprise that there are 12-year-olds who can recite a list of technological trivia?

As the Internet grew, it became a place where victims of schoolyard bullying could quickly aspire to become bullies themselves in an environment where their victims had no opportunity to retaliate. Hacking was quite easy when all you needed to do was to surf to a Web site, download some tools, and fire them up. Becoming known as an expert in this type of hacking did not require skill or expertise, only malice and good public relations work.

Social engineering is a type of confidence trick used to persuade the target to ignore his better judgment. Many of the newstyle hackers were first-class social engineers, able to wheedle out pieces of information simply by pretending to be someone else. It should be no surprise, therefore, that so many journalists reported without question the claims made by these selfdescribed con artists. Balanced reporting of hacker attacks had to wait until several years later when journalists became aware of the victim’s side of the story.

The Internet was designed by a small circle of academics largely for their own personal use. Security, such as it was, followed what we would now call a perimeter model. To get access to the Internet, you had to first be granted access to one of the few computers connected to it, each of which cost as much as a house. Anyone caught misbehaving was liable to be banned from using the machines. Users of the primordial Internet were accountable for their behavior through peer pressure and responsibilities to their coresearchers. As a last resort, an issue could be referred to the university proctors.

As the Internet expanded beyond a small core of elite universities, accountability began to break down. The network had expanded to the point where a problem could no longer be traced to a source, and even if the individual responsible for an issue could be identified, addressing the matter would take much more than a telephone call to the department head.

Between 1993 and 1996, several factors converged to transform the Internet from a purely academic resource into a global mass medium. The most visible of these factors was the World Wide Web, which for the first time made the Internet accessible to users who were not prepared to navigate arcane and obscure user interfaces. Equally important, however, was the second factor: the transition from being a U.S. government–funded research project with a prohibition on commercial use to an open infrastructure where commercial use was encouraged.

A third factor was the commercial failure of interactive TV, a scheme whose rather too obvious premise was that turning the television screen into a 12-foot wide electronic billboard in the center of the living room and adding a buy-now button on the remote control would make a fortune for cable operators, particularly if it replaced the shopping mall. When the would-be hyperconsumers showed a complete lack of interest in this scheme, its backers suddenly found the need to find an alternative technology in which to funnel the vast sums earmarked for investment in interactive TV. Thus was the great dot-com boom begun.

The effect of these changes was that the Internet lost the accountability mechanisms that had limited malicious acts when it was a purely academic resource at the same time that the Web was becoming increasingly prominent in the mainstream media.

Web commerce was still in its infancy, there were few targets for the money-minded hacker, and, in any case, it was clear to almost everyone involved in the emerging Web that it would be much easier to make an honest fortune than a dishonest one.

Security specialists tend to worry most about the issues they are paid to worry about. In this period, the companies paying people to worry about Internet security tended to be companies involved in selling through the Internet, transferring money, and so on. Companies whose Web sites did not involve money often overlooked the fact that they had staked an even more valuable asset: their brand and reputation.

Defacing Web sites became something of a hacker sport, particularly when the hackers realized that a successful attack against a high-profile target could result in national publicity.

The defenses constructed by security specialists were like a shark barrier constructed by a town that finds nobody is visiting the beach because of the wasps. A hundred thousand script kiddies with no real skills using ready-made attack tools were causing so much mayhem that the activities of any professional criminals were lost in the noise. With attention focused on the wasps, the shark problem was forgotten.

It is often claimed that Internet security is an oxymoron, a contradiction in terms. In fact, the record shows that the industry has been effective at controlling security risks when it has put its mind to doing so. The problem has been that we have often been unsuccessful at persuading the industry to take risks seriously until after the criminal activity has become widespread.

No Professor Moriarty

Fictional cybercriminals are sophisticated types. They steal large sums of money from international banks that, in the Hollywood versions at least, appear to spend more on spiffy graphics than reliable security systems.

Cybercrime is a term that I dislike. The future has no prefix; telephone becomes phone, e-mail has only a tenuous grip on its hyphen, and will in time become simply “mail.” More importantly, a word that bears the cyber prefix sounds like science fiction, not everyday life, which was, of course, William Gibson’s intention when he coined the term to give his science fiction novels a sense of the future.

The term cybercrime has become a liability. It encourages an image of an elite criminal adversary with the cunning of Sherlock Holmes’ nemesis Dr. Moriarty or James Bond’s Ernst Stablo Blofeld. James Bond has to single-handedly defeat a fresh megalomaniac bent on world domination in every film. This leads us to forget the fact that Ian Fleming, the creator of Bond, was a real-life spy and spymaster in a real war against Adolf Hitler, a real megalomaniac who had attempted to realize his goal of world domination by brute force rather than cunning.

Real Internet criminals usually prefer to avoid the sophisticated state-of-the-art security systems that protect the internal systems of the major banks. They attack the system at its weakest point, where security is almost entirely outside the control of the bank: the customers.

The methods of the professional criminal are chosen for effectiveness rather than subtlety. The methods may be clothed in numerous disguises, but in the end, the schemes they use are ages old, dating back long before the invention of the Internet, in the case of the 419 advance fee fraud, to the Middle Ages. Like a mountebank’s shell game, the schemes appear complex if you spend your time watching the movements of the cups but simple if you know that the ball was never under the cups at all.

Sophisticated schemes usually require inside knowledge and are thus self-defeating because the number of suspects is comparatively small. Schemes that lack sophistication might stand less chance of success, but that does not matter to the Internet criminal who can program a computer to perform a million attacks for him simultaneously.

It is generally agreed that almost all spam is dishonest and a significant proportion is outright fraudulent. Peddling quack penis potions might only find a gullible customer one time in ten thousand, but that does not matter to the criminal if he can send a million spam advertisements and net a hundred new customers at negligible cost.

Real crime has always disappointed in its ordinariness in comparison to fiction. Sir Arthur Conan Doyle, the creator of Sherlock Holmes, frequently tried to explain this difference by beginning a story with the detective complaining that too few criminals provided a sufficient challenge for his deductive powers.

One big difference between the fictional and the real criminal is that it is usually detrimental to the plot if fictional criminals are caught as the result of an obvious mistake. Professor Moriarty would never make the mistake of traveling under his real name if he knew he was a wanted man, yet several of the 9/11 hijackers did exactly that.6 Professor Moriarty must plan every criminal scheme with meticulous accuracy, leaving only one detail overlooked. Real criminals are usually lazy to begin with and often make careless mistakes under pressure.

Real detectives tend to rely on luck at least as much as the painstaking logical deductions of Holmes. But luck is usually directly proportional to the amount of effort put into following up leads. The criminal only needs to make one mistake to be caught. In 1999, a plot to blow up Los Angeles International airport was foiled by a chance inspection by a suspicious customs agent.7 That this particular inspection led to the discovery of the plot was largely luck, but the inspection itself was the result of the customs and border patrols being put on high alert because an attack had been anticipated.

We need to make ourselves some luck.

The Internet Vandals Have Grown Up

One possible reason for the sudden rise in Internet crime is that the juvenile delinquents who made up the bulk of the new-style 1990s hackers have simply grown up and need to work for a living. The majority of crime in almost every country is committed by young males between 15 and 25 years of age. As juvenile delinquents grow up, most start working for a living and find that honest employment is more profitable than petty crime. Some take the opposite path and become professional criminals. This group tends to increase the number of crimes each commits to support their family and themselves.

There are no ideal policy options for dealing with juvenile crime. Judges and lawmakers know that prisons act as universities of crime. A juvenile delinquent who is sent to jail is more likely to return as a trained professional criminal than a reformed character. A juvenile delinquent who does not receive a custodial sentence is likely to reoffend anyway. Considerable effort and ingenuity has been expended in the search for finding a noncustodial punishment that serves as an effective deterrent to juvenile crime with little success.

As a result, courts have been unwilling to punish Internet crimes committed by juveniles with significant sentences. Even the recidivist computer criminal Kevin Mitnick received a sentence of less than four years for his second adult conviction in a decade-long crime spree that cost his victims millions of dollars.

Law enforcement usually follows the lead of the courts in detecting and prosecuting crime. Crimes that result in longer sentences tend to be given the highest priority. The widespread belief that Internet crime was almost exclusively online juvenile delinquency coupled with the difficulty of policing a crime with potentially global reach has led to Internet crime being assigned a low priority by law enforcement in almost every country.

Many of the juvenile delinquents behind the Web site defacements during the dot-com 1990s came of age after the bubble had burst. Economic prospects were gloomy, and the demand for computer skills in particular was a buyer’s market with few buyers. Dreams of making millions through stock options evaporated and, for many, getting a job at all became a dream.

Emerging, Failed, and Kleptocratic States

Internet crime is frequently associated with states that are currently in the process of transformation from dictatorship to what in time may become either an open society or a different form of dictatorship. In the parts of the ex-USSR known as theGlobal Balkans,  this transformation is almost complete, and communist dictatorship has been replaced by autocratic dictatorship.

Most of Eastern Europe has joined the European Union, and it is most likely that this will allow them to follow Spain and Greece in building enduring democratic institutions. In Russia and Western Africa, the outcome hangs in the balance. Internet crime can be lucrative for some, but it’s rarely so for the average foot soldier. A programmer in Russia offers to sell custom written viruses for between $50 and $100 apiece. Another offers to rent the use of a botnet for $25 an hour. Supply and demand drive income down to less than half the U.S. minimum wage. But what would be a pittance for a knowledge worker in an industrial economy is a living wage in many parts of the world.

In Peter Pan, the fairy Tinker Bell will die unless children believe in fairies. The rule of law can work in much the same way. When law enforcement is perceived to be weak, deterrence fails and crime rises.

In the Internet age, crime has become global. Policing international crime is inevitably more difficult than policing domestic crime. Local law enforcement often finds it difficult to understand why crime against foreigners should be made a law enforcement priority. This is a particular problem in kleptocratic states where the police and government are often in the pay of the criminals if not the actual perpetrators of the criminal schemes.

The drugs trade provides a dramatic demonstration of the consequences of failing to police transnational crime. The huge profits generated from the drugs trade can easily surpass the legitimate economy of a developing state. Inevitably, drug money finds its way into the political system. The drug cartels only need to corrupt a small number of officials to dramatically reduce the effectiveness of law enforcement. A vicious cycle is established as the violence and murder that accompanies the drugs trade drives away foreign investment and causes domestic capital to take flight. The legitimate economy shrinks further, leaving the country even more dependent on the drugs trade.8

The risk that Internet crime will create a similar cycle in the host states is high. Internet crime is a visible form of crime with the potential to cause major damage to the reputation of a host state.

Growth

In June 2004, Gartner issued a report that estimated bank losses due to phishing fraud were $2.4 billion over the previous year. In September of the same year, the privacy advocacy group TRUSTE estimated that phishing scams had cost U.S. banks $500 million.

At first sight, these reports appear to differ wildly in their assessment of the situation, but another report by the Anti-Phishing Working Group explains the difference. During the period covered by the reports, phishing attacks had been increasing at a rate of 50 percent per month.

The last time I saw a phenomenon grow as quickly as phishing was in 1992 when the World Wide Web grew from a core of 100 developers to millions of users in less than 12 months. When a phenomenon is growing that quickly, attempts to measure the absolute size of the problem are futile. It is more useful to ask what the limits to growth are and when they will be reached.

In the case of the Web, the number of users could not become larger than the number of users of the Internet, and the number of Internet users cannot become greater than the population of the planet. As the number of Web users grew, the number of Internet users who had not used the Web shrank, and the rate of growth slowed to the rate at which the Internet was growing. The result in each case is an S-shaped curve.

If nothing is done to control phishing fraud, we should expect the growth curve to look something like this figure.

The unchecked growth of Internet crime is neither inevitable nor acceptable. If we are successful in providing effective security measures, the growth of phishing crime can be checked, and the Internet crime epidemic will crest and then decline.

Turning the Tide

If we are to win the fight to secure the Internet, we need to change our approach. We must understand security as a process of risk management rather than a binary state that we can either succeed or fail in achieving. We will never stop every scheme of every criminal, but it makes a big difference if the success rate for the criminal is 95 percent, 9.5 percent or 0.95 percent.

Even the best fire service cannot guarantee that your home will not burn to the ground. But this does not mean that a fire service is not a worthwhile investment.

From a commercial perspective, all transactions carry some degree of risk. What matters to the businesses is whether the risk is quantifiable and insurable at an acceptable cost.

As is the custom of our age, demands that the government address Internet crime are becoming more frequent. As is also our custom, these demands are countered by calls for self-regulation and voluntary compliance. Such ideological terms of debate are unhelpful; we need to know what action to take before deciding who should act.

Crime is a government issue. Without law and order, there is no government. Government must be part of the solution, but this does not mean that it is acceptable for businesses to leave the problem to government alone.

Policing crime is an expensive business. Police, courts, and prisons are all charges on the public purse that must be met by taxpayers. Internet crime is particularly expensive to investigate and prosecute; effective investigations require scarce and expensive expertise. It is more than reasonable for governments to object when insecure technologies result in costs to the public purse.

In the nineteenth century, the risk of fire was brought under control by organizing fire companies to put out fires and fire regulations that stopped fires from spreading. Fire regulations exist to protect the community interest and not just the individual from himself. My neighbors can be careless with matches and burn their own houses down if they please, but the fire regulations reduce the risk that I will be harmed by their negligence.

Government action may be necessary to align responsibility with the ability to act in a limited number of cases. It may be that the only way to protect the community interest is that ISPs are required to take certain security measures that benefit the community as a whole rather than providing a direct benefit to themselves. But before deciding that the government policy should either encourage or require any party to implement security measures, we must decide what security measures are needed and whether it is likely that they will be deployed of their own accord.

To combat Internet crime in all its forms, we must find the right arguments and the right strategy as well as the right technology. We can change the Internet infrastructure if we can make a case that is accepted by parties who can provide the necessary resources. We cannot simply develop a technology and demand its acceptance. Nor should we expect governments to subsidize a highly profitable and fast-growing industry with

handouts or tax breaks for deploying security measures.

To unlock the necessary financial and technical resources in the private sector, we must make a business case for applying them. This means focusing on crimes where the cost/benefit of security controls is clearest: crimes where profit is the motive.

Focusing on professional Internet crime does not mean ignoring other serious Internet crimes such as terrorists, pedophiles, or the growing problem of harassment. The common denominator in all Internet crimes is the perception that the Internet is an accountability-free environment beyond the reach of law. As we build out accountability infrastructure to prevent professional Internet crimes, we are also acting against these other types of criminal behavior.

The dotCrime Manifesto was published by Addison Wesley Professional. Dr. Phillip Hallam-Baker has been at the center of the development of the World Wide Web, electronic commerce, and Internet security for more than a decade. A member of the CERN team that created the original Web specifications, his list of design credits includes substantial contributions to the design of HTTP, the core protocol of the World Wide Web.Dr. Hallam-Baker was also responsible for setting up the first-ever political Web site on the World Wide Web and worked with the Clinton-Gore ’92 Internet campaign.