Hackers are usually seen as nasty individuals wreaking havoc on computer systems worldwide. But are they? David Crookes finds out
For the last five years or so, a “mysterious figure” known as The Jester (his leetspeak handle being th3j35t3r) has been a claiming responsibility for a series of high-profile online take downs covering dozens upon dozens of websites. His work has become so infamous that he has his own Wikipedia entry and yet, while he has revealed himself to be a former soldier who served in Afghanistan, his identify remains unknown.
To reveal himself beyond the anonymity the world of social media affords would almost certainly put him in grave danger. That’s because The Jester is waging a war of his own; rallying against websites belonging to jihadist propagandists.
“I realised something needed to be done about online radicalisation and ‘grooming’ of wannabe jihadis,” he told CNNMoney. Disrupting them is his answer, it would seem.
In the course of his campaign, which has also seen him hit targets as diverse as Wikileaks, the site of Iranian President Mahmoud Ahmadinejad and the Westboro Baptist Church in the name of American patriotism, The Jester has become an online celebrity. He has his own website, jesterscourt.cc, and lots of supporters too. A fair few of them visit the ‘Jestergear’ section of his site to snap up water bottles, thermos flasks, t-shirts, watches and iPhone cases, most of which bear various slogans (“make #waswas not #ISIS”, says one).
The Jester likes to post links to his press highlights over the years, from the articles in Time magazine (where he has been named one of the 30 most influential people on the internet), to the cover of Homeland Security Today, to a reference on the Larry King Show. Donations are, of course, welcome, allowing him to continue his work... It is clear he is a hero to many.
He is also not alone. Vigilante hackers exist across the world. Men and women, young and old. They are housewives and unemployed. They are working as solicitors and businessmen. They live in big cities and the smallest of hamlets in the largest of houses and the tiniest of flats. Some of them go after people who attempt to scam using spam emails that seek to trick others out of their money or personal details. Some of them, like laywer Shannen Rossmiller, seek to trap
those who have been radicalised. Brad Willman in Columbia distributed a Trojan horse program to more than 1,000 people in a bid to uncover child-porn activities. Around 70 people were jailed as a result.
Laws Unto Themselves
One thing is for sure, these ‘Hacktivists’ cannot be ignored. They are challenging not only the people they target but everyone of us, making us rethink our view of hackers. It is easy to think of them as people who disrupt the harmony of the internet, causing inconvenience and engaging in criminal acts, but the distinction between good and evil is very much blurred here. Some of these groups and individuals are performing what many believe are good deeds.
The most well-known of all of the hacking groups is Anonymous, whose members and supporters are often pictured wearing ‘V’ masks, an iconic disguise first made famous by the insurgent character V from the Alan Moore/David Lloyd graphic novel V For Vendetta and the subsequent movie adaptation. Rather than being out on the streets protesting, though, Anonymous members tend to sit behind their computers tapping away at their keyboards, seeking to wreak havoc amongst those the group has decided to turn its ire against.
Its now-iconic choice of disguise could, and most likely does,sell countless sloganed t-shirts, but those who are part of it seem to revel in the power that they are able to wield, rather than any revenue they generate – perhaps buoyed by the knowledge that any applause they receive enables the group to carry on its work for a while longer.
Earlier this month, Glenn Canning who lives in Halifax, the capital of the province of Nova Scotia, Canada, praised Anonymous for threatening to publicly identify boys allegedly involved in the cyberbullying that led to the death of his daughter, Rehtaeh Parsons. Had it not been for Anonymous, he argues, the boys would never had been brought to justice. “I have no question about that at all,” he told The Canadian Press agency, following Anonymous’ success in prompting the police in Halifax to reopen their investigation, and eventually lay charges.
Certainly, in the face of injustice, people will invariably seek their own solutions and hackers like Anonymous, in cases such as these, are being seen as a force for good. This is being reinforced by many respectable websites, which list the various great things that are being done in the name of hacking.
In a lot of cases it is difficult to argue against the evidence. Its campaign against white supremacist radio show host Hal Turner in December 2006 helped to establish the model it would follow, and was widely applauded. However a subsequent series of denial of service attacks attack on the Church of Scientology’s website (named ‘Project Chanology’, presumably as a nod to the group’s spiritual home, infamous bulletin board 4Chan) split opinion on the group’s moral grounding in some quarters.
One of the most successful campaigns by Anonymous was the targeting of websites carrying indecent images of children. Acting under the banner ‘Operation DarkNet’, in 2011 Anonymous turned its attentions to tech-savvy people using Tor’s encrypted network to hide their identities and locations, and enabling them operate outside of the reach of the police due to regional borders or the lack of understanding of the technology and its scope. Anonymous, unrestricted by such matters of law or lack of knowledge, successfully brought many sites down – not only doing something that authorities ought to have already been doing, but reinforcing its strong stance against explicit underage materials being posted online. The action also underlined Anonymous’ support for civil rights (the group also claims to be for free speech and democracy).
The group has more recently followed this up with a campaign called Operation Death Eaters, which is began in February 2015. Described as “an international day of protest against child abusers, and those who support child abuse on internet pornography rings through networks such as *** and ***” (the asterisks have been added by ourselves so as not to inadvertently highlight any networks used for such activity), it again showed the potential of hacking as a force for good, albeit one acting outside of the safeguards that the law provides those who are accused.
Indeed, to some Anonymous has become an unofficial internet police and army rolled into one. It has attacked ISIS’ social media accounts, claiming it was an act that destroyed “months of recruiting work”. The message is sent out was strong: “ISIS: We will hunt you, Take down your sites, accounts, emails, and expose you. From now on, no safe place for you online… You will be treated like a virus, and we are the cure… We own the internet… We are Anonymous; we are Legion; we do not forgive, and we do not forget. Expect us.”
Moral Or Immoral?
This kind of hacking could be termed ‘ethical’ even though it is, technically, still very much illegal. There are a good many who would rally against it, however. They include Colin McLean, a lecturer in Ethical Hacking at the University of Abertay in Dundee, who discusses the issue in an interview on these pages. For people such as himself, such issues should be dealt with solely by the police or some other legal authority.
The problems come when people feel that hacking groups can replace official bodies. “Why go through the courts? Why go through the system?” Mr Canning told a journalist. “Why be revictimised again when you can write something and get hold of some people online who can really do a hell of a lot more to bring you a sense of justice than the police and the courts can?” Certainly, it is easy to argue the case, since the very definition of vigilantism – which is what this kind of thing is – describes a civilian or organisation that undertakes law enforcement of actions in the pursuit of self-perceived justice that is without legal authority.
This tendency to vigilantism raises many moral questions. As Wayne MacKay, a law professor and cyberbullying expert at Dalhousie University, puts it: “Even if they’re filling a hole in our justice system does that justify breaking the law?”
While the good is easy to see, what harm can it cause? Alongside the abstract moral conundrum of whether it’s ;’right’, there’s a danger that the likes of Anonymous and The Jester could be damaging work being carried out officially. In some cases, government agencies and the police are already aware of the sites and people being targeted. By pulling sites and social media accounts and by publicly naming folk, the chances of building a careful legal case that would hold water in court is harmed. Hacking could ruin much hard work and it could also taint evidence or gather it in such a way that it proves inadmissible.
Jennifer L. Hesterman, a retired US Air Force Colonel and professor of counterterrorism studies at American Military University, also points out that “hacking jihadist sites may cause them to move underground, which leads to more work for intelligence collectors.” Terrorists’ use of the internet, she adds, “often yields valuable data about their location, communication patterns, etc.”
Aside from the effect on law enforcement, she also draws attention to another argument against the potential for hacking to be an unchallengeable force for good: “open source analysts, theologians, social scientists, psychologists, and professors all visit extremist sites to glean information on shifting ideology, social trends, and subtle changes in behaviour.”
Yet there is still the feeling that some hackers are acting in a positive way. If it wasn’t for Barnaby Jack, for instance, ATMs would be far more vulnerable than they are. When he was 32, he attended the Black Hat computer security conference and he showed that he was able to hack a cash machine in real time – a problem that was quickly resolved before millions of pounds of cash ended up in the hands of thieves. He also showed how smart medical devices were insecure and easily hacked.
By installing malware and exploiting vulnerabilities, Jack highlighted many dangers. Every time he was able to demonstrate this, it gave the potential ‘victims’ of his processes a change to close the loopholes and make their systems more secure. Jack even showed it was possible to assassinate someone by hacking their pacemaker, something that had been seen on the TV drama series Homeland; that brought awareness that the fiction could be come very real, and the vulnerability has since been removed.
It is such a shame, then, that – just before Jack was going to give a presentation on hacking heart implants in 2013 – he died, his life ended by an accidental drug overdose. His death was met by many online tributes praising his good work: “He was a much better person than he was a hacker, and that is saying something,” said one Tweeted condolence. Dan Kaminsky, the American computer security specialist and the chief scientist of White Ops, a firm that specialises in detecting malware activity via JavaScript, wrote: “Nobody caused such hilarious trouble like @barnaby_jack.”
A Lesson In Hackstory
Kaminsky himself is also worthy of accolades, given that he discovered a major internet security hole in 2008 that could – had he not brought it to the attention of Microsoft, Cisco and other major firms – have undermined the Domain Name System. Such a breach would have allowed any bad hacker to redirect people looking for a legitimate website to one that was fake. Kaminsky proved once again that hacking can be a force for good.
Indeed, it’s worth noting that the meaning of the word ‘hacking’ has been skewed many times over the years. It originated within the model railway club at MIT, Boston, originally describing someone who applied ingenuity to create a clever result. As the years rolled by, it came to mean someone who was committing an illegal act, a definition which those still part of the model railway club today roundly detest. They would prefer the expression “computer vandals”.
Times are changing, though, and hacking isn’t necessarily seen to be entirely illegal. People talk of ‘lifehacks’ which, as lifehack.org points out, consists of pointers on productivity and getting things done: “tips for life”, if you will. There are also attempts to reclaim the word. The Urban Dictionary points fingers and says: “Hacking and hackers are commonly mistaken to be the bad guys most of the time. Crackers are the ones who screw things over as far as creating virus, cracks, spyware, and destroying data.”
Even so, care really does need to be taken by the good hackers, as Gary McKinnon realised after he infiltrated US government computers in search of little green men. McKinnon has long said his motivation was entirely innocent and that he believed he was doing a good thing in trying to unearth the ‘truth’ about aliens, but he was arrested twice – 2002 and 2005 – and the US authorities tried to extradite him to face charges of causing $800,000 worth of damage to military computer systems. That’s a crime that could have seen him jailed for 60 years but, fortunately for him, Home Secretary Theresa May withdrew her extradition order in 2012.
Black Or White?
Some who hack for ‘good’ have had positive results, and received much praise. Charlie Miller embarrassed Apple with a display of security flaws, highlighting vulnerabilities in the iPhone and a bug in the MacBook Air. They were then fixed. Johnny Long preyed on Google to find holes, and that helped the search engine giant safeguard the personal information stored on its databases.
These are the white hat hackers; people who want to do good and frustrate the black hat hackers, who epitomise what people think all hackers are – someone who is destructive and hellbent on making life a misery for other people.
As if to underline the positives, dozens of hackers gather for an annual event called Hack for Change in Austin, Texas. This year 179 turned up, 35% of which were women. It’s an event that’s helping to redefine the term hacking, as developers and designers take a proactive approach to affecting social change with apps that aim to make a difference to people’s lives. So whether people are taking over the Twitter account of the Ku Klux Klan, uncovering abuse, discovering security flaws that really ought to be fixed, or creating projects that change the way people live, there is an argument that hacking can be welcome.
“Hacking is a very important skill set in our society, because these are the experts in how the systems work and how the systems fail, says Robert Steele, CEO of Open Source Solution. “The people who use that expertise for bad are bad people. People who use that expertise for good are good people.”
Mad As A Black Hatter?
Imagine attending a conference where people discuss security flaws and internet attacks. That’s the Black Hat security conference in Las Vegas, which took place between August 1st and 6th this year.
While the term Black Hat tends to have negative connotations, this conference is very much a force for good, with more than 10,000 security professionals, government workers and researchers gathering to find out just how they can better prepare against attack from criminal organisations.
Among the talks this year have been deep discussions about hacking chemical production facilities and taking nuclear power plants offline. Delegates have also looked at how criminals and bad hackers may seek to remotely control connected cars.
The event included four days of intense training for security practitioners and there was also a survey. The results showed that 35% of respondents had to deal with security vulnerabilities introduced by their own application development team and 33% from the purchase of off-the-shelf applications or systems.
The report said: “Many Black Hat attendees feel that key threats are being overlooked. Twenty-six percent of respondents say that phishing and social engineering do not get enough attention in the media and at industry events. Accidental data leaks by end users and new vulnerabilities introduced by off-the-shelf software are also areas that are do not receive adequate attention, respondents said.”
Good hackers will continue to exploit these systems in order to find the vulnerabilities that can then be plugged so that criminals do not get there first and wreak havoc. But with warnings at Black Hat that “the growing online threat also is putting continuous pressure on security staffs and departments, even in the largest and most security-savvy organisation” it would seen there is a lot more “good hacking” that needs to be done in order to make networks and computer usage that bit safer.
Breaking Windows
Hackers both good and bad are already trying to break into Windows 10 to see if they can exploit any holes. The only hope is that the good get to plug the gaps before the bad discover them. According to noises coming out of the Black Hat conference in Las Vegas earlier this month, “Windows 10 goes some way toward defeating client-originating Pass-the-Hash attacks” (a hacking technique that allows an attacker to authenticate to a remote server/service). The new operating system allows hashes and other secrets to be hidden even from the kernel. Has it tightened web security, though?
A press release from the recent Black Hat conference (tinyurl.com/pwr5qn7) showed that people have already spent a lot of time with EdgeHTML, Microsoft’s new web rendering engine, in search of weaknesses and were ready to present their findings to a wider audience, something the conference says is “essential for greater understanding so that hackers can be stopped.”