Hacking, Hackers, and Hacktivism
April 22
Spend five minutes with anyone who studies “hackers” and you will quickly learn that the term is used to define a wide array of discrete subcultures, from homebrew computer programmers all the way through to military-industrial network vulnerability experts. If there is one unifying characteristic amongst all of these cultures (and there may not be), it is most likely the acknowledgement between these groups that the limitations imposed by code as a mode of regulating behavior can, and should, be subverted. Today we look to hackers, who they are, what they do, and what rules and norms govern those who do not recognize code as a governing influence.
Readings
- Defining hackers, hacking, and hacktivism
- Molly Sauter, Activist DDOS Campaigns: When Similes and Metaphors Fail (video, watch from 1:56 to 21:44)
- Sauter uses the term "DDoS" throughout. This is an abbreviation for "distributed denial of service," a specific form of attack on a web server described in more detail here.
- Benjamen Walker, Doing it for the LULZ (from Too Much Information) (11:00 to 22:45 only, language at times is NSFW. Too Much Information drifts between fiction and non-fiction, but this excerpt is non-fiction.)
- Law and law enforcement
- United States Department of Justice, Prosecuting Computer Crimes (read pages 1-11: Introduction to the Computer Fraud and Abuse Act and Key Definitions)
- Case studies
Optional Readings
- Intelligence Squared Debate: "The Cyberwar Threat Has Been Grossly Exaggerated" (an Oxford-style debate with Marc Rotenberg, Bruce Schneier, Mike McConnell, and Jonathan Zittrain; watch the video of the debate)
Videos Watched in Class
Links
CAPTCHAs: http://en.wikipedia.org/wiki/CAPTCHA
Boston Globe paywall: http://www.poynter.org/latest-news/mediawire/242132/boston-globe-drops-paywall-adds-meter-instead/
Examples of Robots.txt: http://www.robotstxt.org/orig.html
Adblock Plus: https://adblockplus.org/
Heartbleed: http://heartbleed.com
More on Heartbleed: http://en.wikipedia.org/wiki/Heartbleed
XKCD explainer of Heartbleed: http://xkcd.com/1354/
OpenSSL: http://en.wikipedia.org/wiki/OpenSSL
Bruce on Heartbleed: https://www.schneier.com/blog/archives/2014/04/heartbleed.html
How Netflix Reverse Engineered Hollywood: http://www.theatlantic.com/technology/archive/2014/01/how-netflix-reverse-engineered-hollywood/282679/
Zombie network: http://en.wikipedia.org/wiki/Zombie_(computer_science)
LOIC: http://en.wikipedia.org/wiki/Low_Orbit_Ion_Cannon
Molly's Book: http://www.amazon.com/The-Coming-Swarm-Hacktivism-Disobedience/dp/1623564565
Evgeny Morozov defending DDOS as civil disobedience: http://www.slate.com/articles/technology/technology/2010/12/in_defense_of_ddos.html
Troll Face: http://knowyourmeme.com/memes/trollface-coolface-problem
CALEA: http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act
CFAA: http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
Text of CFAA: http://www.law.cornell.edu/uscode/text/18/1030
Teen hacks into Worcester airport: http://www.cnn.com/TECH/computing/9803/18/juvenile.hacker/
Article discussing War Games impact on CFAA: http://moritzlaw.osu.edu/students/groups/is/files/2012/02/Kapitanyan.FE_.Final_.Weber_.pdf
Weev, whose conviction was just tossed out: http://arstechnica.com/tech-policy/2014/04/appeals-court-reverses-hackertroll-weev-conviction-and-sentence/
ICCID: http://en.wikipedia.org/wiki/ICCID#ICCID
Heartbleed test: https://filippo.io/Heartbleed/
Google bug bounties: http://www.google.com/about/appsecurity/reward-program/
$115k for an Apple bug: http://www.forbes.com/sites/firewall/2010/03/25/the-bounty-for-an-apple-bug-115000/
Fire Sale Hacker message on Live Free or Die Hard: https://www.youtube.com/watch?v=AyGhT3YTP7A
Story about the mom who created fake MySpace profile: http://www.dailymail.co.uk/news/article-1089908/Mother-faces-jail-300-000-fine-setting-fake-MySpace-profile-bully-girl-later-killed-herself.html
US federal sentencing guidelines: http://en.wikipedia.org/wiki/United_States_Federal_Sentencing_Guidelines
MBTA vs Anderson: http://en.wikipedia.org/wiki/Massachusetts_Bay_Transportation_Authority_v._Anderson
Aaron Swartz: http://en.wikipedia.org/wiki/Aaron_Swartz
MAC address: http://en.wikipedia.org/wiki/MAC_address
Secret Service's National Computer Forensics Institute: https://www.ncfi.usss.gov/ncfi/
Felon Voting: http://felonvoting.procon.org/view.resource.php?resourceID=000286
RECAP the law: https://www.recapthelaw.org
Class Discussion
- In July 2012, someone successfully hacked my iPhone and installed spy software on it. Any and all movements on my iPhone were being stored/tracked unbeknownst to me, including app activity (Chase Bank, emails, etc) for one month. I found out about it when I had taken my iPhone in a shop to get checked out - the screen would glitch at times and would randomly lose about 1% per minute. (I learned this was when my GPS data was being tracked up to the minute). Among other things, the next step was to file a police report of this incident for my personal safety, as I’ll never be certain which data of mine was compromised. At the time I went to local police, either they didn’t care enough or they just didn’t have proper protocol to handle it.
- I understand this is a minuscule crime, in comparison to the huge cyber-crimes in the class readings. However, it led me to research how equipped local police are for such smaller incidents. The result: They're not. (yet). I’m certain similar, smaller crimes will only increase over time and will be dealt with by the local police. While crime is increasingly moving online, state and local police are having a hard time keeping up. If the case is significant enough, the police have to hire specialized cyber-security companies to conduct digital investigations. The techniques the police will need to be equipped with are going to have to be more “IT specialist” and less “Law and Order” over the next few years. It seems hackers will be one step ahead, at a local level, until the police shift their skill set to more IT training. Marissa1989 02:41, 21 April 2014 (EDT)
- I'm very glad you mentioned this because I completely agree. On a smaller level such as the local police, I agree that they do not have the resources or the structure in place yet to deal with hacking of cell phones and breaches of personal information. While large national crimes are handled properly, there should also be an active protocol for situations such as this, which happen very often. The lack of a targeted action by law enforcement against these small time criminals facilitates identity theft and unless there is a strong development in the law enforcement IT department, chances are these crimes will only increase with time. Lpereira 09:16, 22 April 2014 (EDT)
- Several readings this week caused me to think about the perceived value, real and potential, of personal data. Targeted hacking of trade secrets, governments, publications like the New York Times and other large-scale operations are rooted in fairly straightforward incentives. So too are hacktivists and hackers that are "doing it for the lulz"- outcomes that are far more about provoking a response or creating change. Targeted hacks of individuals for personal data not only are much more difficult to prevent, identify and pursue on the part of law enforcement- they also happen on a scale that is not seen to have a significant enough impact economically, societally or organizationally to receive the attention truly deserved. Given the frequency of such instances, and the yearly increase in information and services processed solely online, the public service and private sector incentive to have structures in place to respond to such attacks surely must reach a tipping point soon? akk22 14:26, 22 April 2014 (EDT)
Cyber warfare will take on a greater importance in conventional warfare and Government hackers will be crucial to this. It only makes sense as weapons, communications and systems become more sophisticated. Hackers may be used to break into countries' systems to steal data and cause widespread disruption or break into the phones of country leaders and their key staff. This is evidenced in the Ukraine crisis by relentless hacking attacks on Russian websites by Ukrainian hackers and vice versa. http://www.bloomberg.com/news/2014-03-05/russia-ukraine-standoff-going-online-as-hackers-attack.html Marissa1989 01:06, 22 April 2014 (EDT)
Andy, thanks for your article on the Aaron Swartz prosecution. As you put it, "CFAA is shockingly broad when it is laid out" -- but that's not the only issue with it. It's just another case of private industry co-opting the criminal justice system to enforce things that ought to be largely handled by the civil system (which strikes me as lousy public policy). As you noted in your quote from the CFAA itself, "access in violation of an agreement or contractual obligation, such as an acceptable use policy or terms of service agreement..." In other words, the CFAA makes it a crime to violate the AUP or TOS with your ISP. Outside of copyrights and information technology stuff, how common is it for the US government to get involved in criminalizing the violations of contracts between private parties? Jradoff 09:46, 22 April 2014 (EDT)
In the article "Hacking tool threatens Healthcare.gov site" a DDoS is the least of warranted concerns. A DoS attack is grave in nature and is rather simple to perform. Many attempts have been made to develop systems that could either launch a DoS attack or be immune to one, but to assume that the nefarious minds out there in the arena aren’t constantly working on new and novel methods to exploit systems is naïve and foolish. The rash and explosion of virus and malware activity in the recent decades testifies to the fact that there is no dearth of people working to venture into, exploit and topple your systems. The use of preconfigured or automated tools that are easy to operate in order to pursue their disruptive activities against systems in a network are identifiable. DoS attacks are nothing but an onslaught or assault against your system that will affect in that system not being able to accomplish its intended job. The direction of the argument within the article fails to look at the programming and structure of the website itself that may allow for significant data leakage. VACYBER 13:05, 22 April 2014 (EDT)
I have to say this is one of the topics I was most looking forward to this semester, particularly with the growing number of hacktivist groups and hackers. I was quite intrigued by the recent events around the Heartbleed bug, which they are calling one of the greatest security threats in the online era (http://en.wikipedia.org/wiki/Heartbleed). As I have noticed in many of your posts already, I believe the growing consensus is that hacking is here to stay and will likely become more predominant in our national security moving forward. As more and more functions of our society move online (think traffic grids, manufacturing processes, defense systems), the urgency to protect against hacking threats grows each year.
What will then intrigue me to hear is what is being done to slow down hackers, particularly those who may pose a greater security risk than say, taking over a Facebook page. I believe part of the issue is that the NSA needs to be able to attract and retain elite computer hackers who can help in this regard, yet have been unable to do so. The best computer minds would rather take a payday from Google than work for the government at a more modest wage.
Can't wait to hear this lecture and see what there is to be said about slowing hackers in the future.
Drogowski 13:13, 22 April 2014 (EDT)
Grrr... The site logged me out while I wrote my last message and then proceeded to delete it :(
Anyway, I think this week's readings raise a lot of questions about the "morality" of internet behavior and online hacktivism. Interestingly, there seems to be an influx of individuals who wouldn't necessarily be apt to breaking and entering in the physical world, but who are doing just that via their computers. I wonder in these cases whether it is the ease, the relative security, or that it feels less invasive/illegal that draws people to hacking rather than more physically invasive means.
It also seems that there is a great degree of ambiguity to the laws which govern how one is expected to comport themselves online. This is made especially clear in Sarah Laskow's article, in which she points out that "The CFAA isn’t a law that journalists are taught to look out for." This presents us with a scary reality, that individuals like you and I, as well as professionals such as reporters, might be subject to laws which we might not realize exist or understand and could easily be breaking, just by doing what we think is simple research. While I understand the necessity of regulation, it can also be a catch-22.
Castille 15:14, 22 April 2014 (EDT)
As it is clear from readings and Aaron's case, the security of information is the crucial question of nowadays. Data contained in computer, data contained in mobile phone is so essential and important that they ruin lives once they are disclosed. When it comes to criminalization of hackerism or non-authorized access or "with exceeding authorization" is a right direction from point of security. But, still I think that this is more technological issue rather than legislative. Aysel Ibayeva (Aysel 15:21, 22 April 2014 (EDT))
First of all, I'm surprised that the Intelligence Squared debate wasn't in the required readings, as I found it to be the most interesting "reading" this week.
On a different note, Phreaks, Hackers, and Trolls got me thinking about how the line between the hacker community and the general public is getting more and more blurred... I would argue that many of the actors on the internet who would have clearly been assigned to the hacker community just 10 years ago, such as trolls, producers of internet memes, etc., are now no longer clearly a part of that community which created them. At the same time, the lines between these individual actors are becoming more pronounced. I was fairly active in the hacker community in the 2000s, and most people in the community would be at once geeks, trolls, security experts, meme designers and political activists, all bound by similar values. Today, it feels as if this community is almost gone, divided instead into those who use internet for the lolz alone, those who merged with the general internet public, and those who are becoming almost too serious about the agenda and activities. If there is something that remains close in the general feeling, it's the Open Source community, but it too is very different from what it was. --Seifip 15:39, 22 April 2014 (EDT)
Gabriella Coleman’s account clearly shows the relationship status between phone phreaks, hackers, and trolls. Starting with the discovery of the 2600 hertz tone that could “stop the phone”, phreaking developed a huge following with printed magazines, newspapers, and even a magazine named after the 2600 hertz tone itself. The growth of technology caused the Internet and computers to become more available along with new ways to tinker with it. Due to pop culture growth with movies such as War Games, the challenges imposed by code hacking became the new pastime. Trolls, having similarities with hackers (and possibly even being hackers) are different in their lust for the “lulz”. They specialize in audacious, shocking, and flagrant humor. Occasionally, the worst cases acquire a “disease” called CTS where the trolling becomes such a habit that they no longer restrict it to strangers but look for “lulz” by victimizing their own friends and family.
DDoS attacks are an effective tool that is tricky to guard against. In simple terms, because of the users' ability to rapidly intensify the attack by aggregating more users to assist with the attack, the assault becomes overwhelming.
Operation Payback was a series of DDoS attacks by the group “Anonymous”. They were champions of peer-to-peer sites. Attacking music sites, copyright advocates, governments, law firms, censorship sites, and basically any group that held views against free circulation of data on the Internet, Anonymous received lots of criticism and even some DDoS attacks to their own site. Even Pirate Party UK and United States Pirate Party spoke out against their actions calling for a more democratic “legal” way to handle their problems. Even though the affected sites were down for a little while, there was not enough significant damage to the attacked parties to produce permanent damage. The down time can best be compared to people boycotting an unpopular store.
The Computer Fraud And Abuse Act seems to be very vague, especially in the way it was applied in the Scripps “Hackers” and Andrew "weev" cases. It is implied that normal regular Internet surfing could have the potential to land someone in jail. Emmanuelsurillo 15:41, 22 April 2014 (EDT)
I was recently watching a car review show on YouTube and found out that nowadays hackers are so sophisticated that they can even break into one's vehicle. Generally speaking, I do not think that hackers do recognize codes as governing forces of the internet as they can manipulate a lot of them as they wish. More e-commerce sites and even some social networking platforms are increasingly doing their best in order to fight with these groups as a way of controlling their audiences. (cheikhmbacke 15:42, 22 April 2014 (EDT))