Aaron Crayford was a high school hacker who attacked the Pentagon’s computers, got caught by the FBI, and wasn’t allowed to touch a computer for a decade. His digital exile ended a few years ago, and now he makes a chat app called Mighty. Last week he offered some advice on TechCrunch to the new generation of hackers, those high-profile no-goodniks of Anonymous and LulzSec. His message: don’t hack ’em, join ’em. In his words:
“What Lulzsec and Anonymous don’t realize is these companies aren’t their enemies…there is a much more difficult system to hack…becoming the guy at the head of the board. So when you’re the 40-something-year-old CEO who hears that some kid, some guy in his garage, is tearing your product apart and doing amazing things with it that is hitting your top line revenue…go find that guy, pay him and let’s see what he can do…That’s a real hack worth touting and it ends with you sleeping in a king-sized bed in a mansion on the hill and few can claim it’s been done before.”
I guess that’s also advice for the brass at Sony (and the CIA and PBS and the CPC). But you get the idea: change the system from within and get rich doing it. It’s not the most original idea—hackers have been switching sides and trading black hats for white for years. It’s got a certain poetry to it and is a genuine win-win; for companies, who better to employ than the geeks who would otherwise destroy them? And for the hackers, well, at some point most will take a paycheque over lulz.
But there’s more to it than that. In the case of LulzSec, their tweets and taunts describe something of a manifesto. To summarize, they hack for two reasons: (1) Lulz (duh). And (2) to teach us a lesson about entrusting private companies with our information. LulzSec sez:
“Do you feel safe with your Facebook accounts, your Google Mail accounts, your Skype accounts? What makes you think a hacker isn’t silently sitting inside all of these right now, sniping out individual people, or perhaps selling them off? You are a peon to these people.”
As “grey hat” hackers, LulzSec, I have argued, provide a public service. They infiltrate systems for fun, not profit, and then they brag about it. Sometimes they publicly dump the data they’ve scraped, just to prove that they have it. In doing so, they hope to humiliate companies into fixing vulnerabilities, and to teach the public a lesson about protecting personal data. The first part is working. The second part isn’t.
After years of breathless, fear-mongering news coverage about the scourge of hackers, the public still doesn’t give a whit about Internet security. No one is really afraid of getting hacked, because so few have paid a tangible price for it. Yes, hacks happen all the time. They’ve happened to me—I had a few thousand dollars mysteriously disappear from my bank account. Did I destroy my bank cards, leave all my social networks and line my hat with tinfoil? No, I called my bank and they reimbursed the cash in 24 hours.
It’s true that no computer system is 100% secure, but neither is any bank. The credit card industry, the insurance industry—both suffer billions of dollars of fraud every year. But all of the above make enough profit to absorb these losses easily, and the public continues to use their services. So goes Internet security. The lesson hackers keep trying to teach the public will never be learned.
So what will the real outcome of this new wave of hacking be for the public? An erosion of their digital rights. We can expect more government surveillance of the Internet and harsher penalties for “cyber-crimes.”