Hackers turned gatekeepers: Digital vigilantes with a moral code

Legions of tenacious computer savants are fighting to get at our personal data. But, argues Stephen Foley, these cybermen and women are actually helping to make the web a safer place
Click to follow
The Independent Tech

As a self-respecting citizen of the digital world, you doubtless pay plenty of attention to security.

You will have chosen a fiendishly clever password for your email. You are diligent in logging out of financial websites after you have dealt with your affairs. You have probably even upgraded the privacy settings on your Facebook profile, to keep every Tom and Dick and Harry from prying.

That's quaint. But against you is ranged a much more sophisticated army. Legions of tenacious computer savants are trying, at every passing minute, to fight their way to your personal data, through tunnels carved out of code. Through the websites you trust. Through the devices you use, so many more of them these days connected to the internet and therefore – potentially – to them, the hackers.

The worst security breaches just get bigger and scarier. Thousands of people's credit card details held by the retailer TK Maxx: hacked. Even the mighty Google, storing Gmail accounts used by human rights activists in China: hacked.

And there is also an increasing stream of low-level hacks, exposing numerous dangerous holes in even the most apparently trustworthy software and devices, from Citigroup's mobile banking app for the iPhone to the iPhone operating system itself. These sound like bad news.

But here is a curiosity. Most of the time, these holes become public not because a company fesses up after some important data has been stolen, but because the hacker reveals the hole without stealing anything. So you are under attack – but don't worry. Most hackers are trying to do you a favour.

The war for our data rages beyond our ken (or certainly beyond mine). I couldn't tell you what an "exit node" is, let alone put a "sniffer" on one. But there is a good place to start: Las Vegas. For 18 years, hackers have been congregating in the city around this time of the summer for an event called DefCon. First they came in their hundreds, fearing arrest; now they come in their thousands, to marvel at the professors of their dark arts. The latest was at the start of this month. Digital cameras were hacked. Two dozen phones from the crowd were lured to connect to a completely bogus phone network constructed out of $1,500-worth of ham radio equipment. A cash machine was installed with software so that it would spew money to anyone with the code. The face that DefCon presents to the uninitiated could not be more intimidating. Bring a "clean" computer, it urges, or else assume that you are going to be sharing the contents of your hard drive with thousands of strangers. As for journalists who might show up: "If you are a major network and plan on doing a two-minute piece showing all the people with blue hair, you probably shouldn't bother."

Most terrifying of all, a computer programmer friend gleefully pointed me to a YouTube video showing an undercover NBC reporter, with a camera hidden in her handbag, being drummed out of the event three years ago. But with a clean laptop in my carry case, and my heart in my throat, it was off to DefCon 18.

The sensation you get is of having been dropped into the middle of a computer game. Immediately it is obvious: there is no line between gaming and hacking. It is all about beating the competition, cracking the code, moving to the next level. It is about showing off. At DefCon the central challenge is Capture the Flag, a pure tap-tap-tap keyboard-based contest to see which team can break into a secure computer system. There was also a "social engineering" game which had attracted the interest of the FBI, in which hackers used a combination of internet searching, fake websites and old-fashioned phone calls to extract information from corporate employees.

It turns out that some dupes are extraordinarily willing to give up sensitive information about the IT infrastructure of multinational companies. And there are scores of less serious games. Every DefCon attendee gets an electronic badge with a USB port and an LCD screen, and is invited to hack into it – and into each other's.

For the dedicated hacker, life is lived as a computer game – except that they are not in a World of Warcraft, they are in the world of servers and data centres and telephone networks where your private information lives and travels. "Hacking is a skill set," says Jeff Moss, aka The Dark Tangent, the improbably youthful 40-year-old who created DefCon and now runs it alongside a more formal (and expensive) IT security conference called Black Hat.

"You might be a criminal hacker, a political hacker, a polite hacker, a humanitarian hacker, but most people don't want to destroy something, they want to make it better. They want to be able to say, 'I understand a little bit more about the way the world works than you do.'"

It is a tradition that has existed for as long as mechanical invention. And it is no coincidence that one of the attractions at DefCon is a lock-picking competition, where volunteer Houdinis must physically unchain themselves in front of an audience. It comes from the same human – or perhaps male – impulse to tinker that gives us the radio ham and souped-up cars. On my count, the ratio of men to women at the event was about 20 to one. The average age must be mid-twenties.

The term "hacking" can be traced back to the antics of the model railway club at the MIT university in Boston. Resident geniuses made rough-and-ready improvements to the signals and switches of their enormous train set, and then branched out into writing simple but groundbreaking programs on the university's first IBM.

The club still exists, and is upset at the direction the term "hacker" has taken in the popular imagination. At the club, "We use the term 'hacker' only in its original meaning, someone who applies ingenuity to create a clever result," it declares. "Here, where the words 'hack' and 'hacker' originated and have been used proudly since the late 1950s, we resent the misapplication of the word to mean the committing of illegal acts. People who do those things are better described by expressions such as 'thieves', 'password crackers' or 'computer vandals'. They are certainly not true hackers, as they do not understand the hacker ethic." Matt Lewis – aka BarKode – says the authorities appear to have learnt the difference. "I got busted after DefCon 4. Days later the Feds showed up at the windows of my house and pulled my mother naked out of the shower. It was a misunderstanding, but when I first came here I flew under an assumed name.

"Things changed later, when the Feds started showing up at DefCon with their badges on the outside. You will always have good hackers and bad hackers, but from the late Nineties they started to see us not as bad guys but as people they could work with." Now the Feds are at DefCon recruiting. Hackers are needed on both sides of the war for your personal data. People muttering dark claims about associations with the security services are also here, looking for volunteers. And perhaps a half of the almost 10,000 attendees work in IT security already. They are here to learn the tricks they must defend against.

Of course there are good hackers and bad hackers. There are even names for them. The "white hats" are purely and simply playing. They try to stay within the law, and are exposing security flaws for the public good. "Black hats" are out to seed mayhem and hack for their own benefit. Inevitably there are "grey hats" too.

The perennial debate is what constitutes responsible disclosure. Should a hacker who discovers a security flaw tell the company, or tell the world? A company might be more inclined to take legal action against the hacker than actually to address the problem. Publishing the flaw for all to see has the advantage of winning you plaudits from your peers, but it invites the black hats to take advantage before the company readies its fix.

Big corporations hate all this public embarrassment – which might be reason enough to celebrate it. Earlier this year, when hackers obtained the email addresses of thousands of AT&T customers who use the Apple iPad over its network, including the New York mayor, Michael Bloomberg, and the White House chief of staff, Rahm Emanuel, the telecoms company said that the perpetrators had "maliciously exploited a function designed to make your iPad log-in process faster," and added that it had called in the FBI. Escher Auernheimer of the group Goatse, which did the hack, took umbrage: "Get real. You fucked up, we helped you that figure out [sic] and informed the public. You should thank us."

But questions do multiply when money is involved. Now that hackers are rebranding themselves as security consultants, and selling their services to corporations, they are often advising on how to fix the very hacks they have perpetrated. There is an echo of the protection racket: "Pay up, or we'll wreck the store." Increasingly, there are shady organisations willing to pay for information from hackers. Computer whizzes who might not have the stomach for burglary themselves might sell the skeleton key, ask no questions, and still get to sleep at night.

So this is a world where moral ambiguity abounds. The reassuring consequence is that its players are constantly debating morality. Most recently, the actions of Wikileaks, which published tens of thousands of leaked military reports and other secret documents from the war in Afghanistan, has sparked ferocious debate among the thinkers of hackerdom (for which, read "all of hackerdom"). Most of the founders of Wikileaks come from the hacker community, so there was already more than enough bitching and rivalry. Some are put off by Wikileaks' overtly liberal agenda. Others fear it won't turn out well for the community.

Jake Appelbaum, Wikileaks' senior editor in the US, wraps his legs into a yoga position on the floor of the hotel lobby as he discusses these big issues with me. Earlier, The Dark Tangent had wondered aloud if the furore over the Afghanistan leaks might prompt a new crackdown on hacking in the US; he would have winced to hear Appelbaum tell me that "all governments exist on a continuum of tyranny". Then again, the Wikileaks volunteer had just been detained for hours when he flew back into the US, and had had his phones confiscated for the FBI investigation into the leaks.

At DefCon, he was giving a talk on how the Chinese government manages to block off the parts of the world wide web that it deems seditious – and how hackers inside and outside China are working to foil its efforts. His "day job" is the Tor Project, which hitches together a chain of computers belonging to volunteers around the world in order to obscure the internet addresses of people searching the web at the start of the chain. His aim is to free the people of China and Burma.

I say that Wikileaks, owned by the carefully named Sunshine Press, seems a polar opposite of the Tor Project, which is all about keeping one's identity in the shadows. Perhaps the Afghan informants whose names appear in Wikileaks reports will want to debate the irony.

Appelbaum marries the two by declaring that "anonymity is a progressive value" (and adding that the US military should never have written down its informants' names). Moss, meanwhile, talks of "a balance" between privacy and openness – as you would expect from someone recently co-opted as a homeland security adviser to the Obama administration.

He quotes veteran hacker Chris Coggans (aka Erik Bloodaxe), who once took against the old hacker cry "information wants to be free". Not my information, it doesn't, he says.

So these are the hackers, playing both sides in the war for your data and pushing forward what we know about what can be done with technology. These are the people who will – eventually, inevitably – tear down the Great Firewall of China. Among their number are those who would unleash terrible viruses for their own amusement, or purloin your financial details for their personal gain, or hand over your supposedly seditious communication to an authoritarian government.

But why would there be more wrong 'uns in the hacker community than in the broader population? On the evidence of DefCon, the opposite is true. About the worst characteristic you could ascribe to the speakers here is vanity. A round of applause at a demonstration at DefCon is about the best accolade a hacker could get. Besides, who really wants to go to jail?

"We are risk analysts, in the end," says one veteran of the event, an affirmed white hat, whose hacker name is Dead Addict. He has attended since the very first DefCon in 1993, though he has shorn off his long hair and eschewed the black trenchcoat that used to be his trademark, better to reflect his new status as a security expert in the smartphone industry. "Sure, you could find an employer really quickly as a black hat, but then you find you are working for the mafia – and what exactly is the risk analysis on that?"

My reassurance is qualified by one worry. Can hacking keep its allure if it doesn't stay underground? Is the Electronic Frontier Found-ation, which defends hackers, really doing us all a favour by rebranding them as "security and encryption researchers"? What can be worse than a piece in a mainstream newspaper saying how wonderful they all are?

So, long may the FBI raids and the corporate lawsuits continue, and long may hacking keep its allure. Without this volunteer army, probing, testing and pushing the boundaries of the technology we rely on, we would all be the poorer – and less secure.