When I was 13, I wrote a piece of malicious software and put it on my mother’s computer. It took the Geek Squad guy three days to fix it.
My mother, as it happened, had decided it’d be a good idea to send me to sleep-away camp in Maine. She said it’d be a good experience for me to learn to make friends in a new social setting (which, God forbid she ever reads this, she was completely right about). I didn’t really care for the idea, and after losing a few shouting matches, went up to my room and started figuring out how to program so I could put malware on her computer. Within a couple of days, it was complete.
It’s design was dastardly. Virtually all operating systems have some designated set of programs that start running when your computer starts up. Your computer’s WiFi, for instance, needs to turn on as soon as you turn on your machine, so you don’t have to keep manually connecting to the Internet. The program that lets you navigate your files starts up to let you view your Desktop. Your computer’s clock ticks so it won’t show the wrong time. All I did was add a script to this set of programs that shutdown my mother’s computer. The result? Every time my mother started up her computer, my program shut it right back down, rendering it unusable. No wonder it took the Geek Squad guy three days: he couldn’t even start the damn thing up.
Hearing this story, it might be tempting to think that I was a lesser version of one of those tech prodigies we seem to hear so much about: Zuckerberg hacking the Harvard Facebook directory to get pictures for FaceMash; Jonathan James breaking into the US Ministry of Defense servers at 15 to intercept covert government messages. But the reality is that hacking has very little to do with brilliance, and a great deal to do with an obsessive willingness to spend massive quantities of time to subvert figures of authority without physical confrontation. Computer hacking isn’t so much about epiphanies in front of streaming lines of green text, but about endless research and a meticulous hand capable of examining functionality with a fine-toothed comb.
When I started writing the malware for my mother’s computer, I didn’t even know how to program. I had spent a lot of my time learning how computer viruses worked because mine was chock full of them after I got LimeWire. I was desperate enough to fix my computer that I had spent hours bopping around the Internet to learn how they operated. Then, when my mother decided to send me away, I Googled until I got the answers I wanted (“program shutdown computer,” “program run on startup windows,” etc.). I was able to pull this off not because I had intimate knowledge of computers but because I was fueled by an intense, obsessive desire—particularly an eerily methodical form of anger, burning on a low flame. I think this obsessive desire plays a role in the stories of most successful hackers. Kevin Mitnick, at one time the most wanted hacker in the world, described hacking as an “addiction.”
The process of hacking is actually quite a bit like breaking into a house. You could search for a hidden key, pick the lock, or convince someone inside the house to let you in—all of which might work (though searching for a hidden key requires turning over a bunch of rocks undetected, picking a lock demands technical knowhow and special tools, convincing someone to let you in necessitates unthinkable degrees of smoothness), but all of which seem rather elaborate considering you could just walk around the house to see if someone left a low-level window open. Most hacking is precisely that: persistently looking for low-hanging fruit. As the hacker Count Zero put it an interview with PBS, a hacker is someone who “if they saw something closed and it was doing something, they just wanted to open it… it’s just a general loose sort of mentality based on… technology.” If you can imagine the sort of person who’d check every door in a hallway to see if one’s unlocked, you’ve got a pretty good grip on what a successful hacker looks like.
I’m not drawing this analogy for kicks. Before I could hack computers I opened my sister’s safe by ear and picked the lock on her diary with a paperclip (I’m not proud of that one). I didn’t take anything from the safe and I read very little of the diary—that’s what most people seem to miss about hacking. Often the desire to hack has very little to do with the desire to gain access to what you’re hacking, and everything to do with the power trip of overcoming a system that you’re not supposed to be able to get into. An “anonymous” teen who hacked the US Ministry of Defense (almost certainly Jonathan James) described hacking to PBS as, “power at your fingertips. You can control all these computers from the government, from the military, from large corporations. And if you know what you’re doing, you can travel through the Internet at your will, with no restrictions. That’s power; it’s a power trip.” What did he do once he got in to the US Ministry of Defense? He wasn’t downloading their information, because “usually it’s pointless, bureaucratic stuff you don’t need to know…” He read their code. For fun.
In high school, a friend and I gained administrative access to a number of school computers by following an online guide, enabling us to install whatever we pleased on them. We then setup a system through which we could use the Mac speech synthesizer remotely. “Hello there,” we would have the computer tell an unsuspecting user, poorly muffling adolescent guffaws from across the room. “I see you decided to wear blue today, you silly silly boy.” Sometimes we’d take a screenshot of the Desktop of the computers in the library and make it the background, then adjust the computer settings to hide all the icons and taskbar so people would keep clicking the background thinking everything was frozen. Later, while I was at boarding school, I found a hole in the school email server and wrote a script that enabled me to send school-wide emails from whomever I pleased, but never pulled the trigger.
These things do not require tremendous genius, or even really great technical knowhow. Misha Glenny, a British journalist who covers cyber security, once gave a TED talk in which he discussed how a “carder” (someone who buys or sells stolen credit card information) named RedBrigader made hundreds of thousand of dollars a year without understanding the technology he was using. A large class of hackers act in precisely this way. They spend a great deal of time Googling and installing, but never find security holes themselves. Software like Cain and Abel enables users to monitor entire networks without knowing how they work. I ended up discovering my mother’s email password using this piece of software —though I, like so many hackers, never used the information. The password was even being sent on the network unencrypted—talk about low-hanging fruit.
In fact these sorts of easy pickings are everywhere. Cain and Abel’s webpage says “the program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort.” Jonathan James reported spending much of his early hacking days telling website administrators about security holes on their systems, only to get into the security systems using the same holes weeks later. If you look at the Brown Political Review online magazine archives, you’ll notice under the “Latest issues” section something that says, “[downloads query=”category=1 format=”1].” This is Brown Political Review’s server trying to query the database archives to pull up back issues, but inadvertently handing intimate knowledge of how the database works to every user. Hacking can seem mystifying, but maybe that’s just because most people don’t know what an open first story window looks like.
In fact, a lot of the most damaging hacking attacks have very little to do with sophistication and a lot to do with tapping into people that are willing to put in enormous amounts of legwork. Jonathan James distinguished himself from these criminals, saying there are “people that go into corporate web sites, government web sites, and change it.” In fact, he was worried about going to prison because he was going to be surrounded by people that “lack morals.”
So if not monetary gain, what are Jonathan James and other hackers after? What was I after? I think an opportunity to subvert authority. While the rest of the world may see hacking as malicious breaking-and-entering, hackers see it as playful prodding at the stupidity and false assumptions of a tech ignorant society. Last year Anonymous released information about 13,000 accounts, including Amazon, Wal-Mart, and Hulu. Why? “For the Lulz,” they said.
There is a sharp distinction between online thieves and hackers. The people who spend their time poking and prodding for security holes are often distinct from the people who take advantage of those holes. Understanding how to stop cyber crime, then, isn’t so much about stopping hackers, but about creating a culture where hackers don’t feel so powerless that they resort to malicious use of their skills. Figuring out how to take down a computer system and feel powerful aren’t inherently conducive to a criminal lifestyle; it just happens to be the case that, the way cyber culture is, criminal activity is the best way to fulfill these desires.
DASH ELHAUGE B’17 is not a hacker handle, so shhhh.