Hacking, Hackers, and Hacktivism: Difference between revisions

April 22

Spend five minutes with anyone who studies “hackers” and you will quickly learn that the term is used to define a wide array of discrete subcultures, from homebrew computer programmers all the way through to military-industrial network vulnerability experts. If there is one unifying characteristic amongst all of these cultures (and there may not be), it is most likely the acknowledgement between these groups that the limitations imposed by code as a mode of regulating behavior can, and should, be subverted. Today we look to hackers, who they are, what they do, and what rules and norms govern those who do not recognize code as a governing influence.

Readings

Defining hackers, hacking, and hacktivism

• Gabriella Coleman, Phreaks, Hackers, and Trolls: The Politics of Transgression and Spectacle (from The Social Media Reader)

• Molly Sauter, Activist DDOS Campaigns: When Similes and Metaphors Fail (video, watch from to 1:56 to 21:44)

• Sauter uses the term "DDoS" throughout. This is an abbreviation for "distributed denial of service," a specific form of attack to a web server described in more detail here.

• Benjamen Walker, Doing it for the LULZ (from Too Much Information) (11:00 to 22:45 only, language at times is NSFW. Too Much Information drifts between fiction and non-fiction, but this excerpt is non-fiction.)

Law and law enforcement

• United States Department of Justice, Prosecuting Computer Crimes (read pages 1-11: Introduction to the Computer Fraud and Abuse Act and Key Definitions)

• Sarah Laskow, Reporting, Or Illegal Hacking

Case studies

• Wikipedia, Operation Payback

• Wikipedia, Project Chanology

• Andy Sellars, The Impact of "Aaron's Law" on Aaron Swartz's Case

• David Kravets, Appeals Court Reverses Hacker/Troll "Weev" Conviction and Sentence

• Jeff Ward-Bailey, Hacking Tool Threatens Healthcare.gov Site

Optional Readings

• Intelligence Squared Debate: "The Cyberwar Threat Has Been Grossly Exaggerated" (an Oxford-style debate with Marc Rotenberg, Bruce Schneier, Mike McConnell, and Jonathan Zittrain; watch the video of the debate)

• Andrea Matwyshyn, Hacking Speech: Informational Speech and the First Amendment

• Nicole Perlroth, Hackers in China Attacked The Times for Last 4 Months (New York Times)

• TorrentFreak, Pirate Parties Use Influence to Halt Anonymous’ Operation Payback

• Christopher Soghoian, The Growing Trade in Software Security Exploits

Videos Watched in Class

Links

Class Discussion

In July 2012, someone successfully hacked my iphone and installed spy software on it. Any and all movements on my iPhone were being stored/tracked unbeknownst to me, including app activity (Chase Bank, emails, etc) for one month. I found out about it when I had taken my iPhone in a shop to get checked out - the screen would glitch at times and would randomly lose about 1% per minute. (I learned this was when my GPS data was being tracked up to minute). Among other things, the next step was to file a police report of this incident for my personal safety, as I’ll never be certain which data of mine was compromised. At the time I went to local police, either they didn’t care enough or they just didn’t have proper protocol to handle it.

I understand this is a miniscule crime, in comparison to the huge cyber-crimes in the class readings. However, it lead me to research how equipped local police are for such smaller incidences. The result: They're not. (yet). I’m certain similar, smaller crimes will only increase over time and will be dealt with by the local police. While crime is increasingly moving online, state and local police are having a hard time keeping up. If the case is significant enough, the police have to hire specialized cyber-security companies to conduct digital investigations. The techniques the police will need to be equipped with are going to have to be more “IT specialist” and less “Law and Order” over the next few years. It seems hackers will be one step ahead, at a local level, until the police shift their skill set to more IT training. Marissa1989 02:41, 21 April 2014 (EDT)

I'm very glad you mentioned this because I completely agree. On a smaller level such as the local police, I agree that they do not have the resources or the structure in place yet to deal with hacking of cell phones and breaches of personal information. While large national crimes are handled properly, there should also be an active protocol for situations such as this, which happen very often. The lack of a targeted action by law enforcement against these small time criminals facilitate identity theft and unless there is a strong development in the law enforcement IT department, chances are these crimes will only increase with time. Lpereira 09:16, 22 April 2014 (EDT)

Several readings this week caused me to think about the perceived value, real and potential, of personal data. Targeted hacking of trade secrets, governments, publications like the New York Times and other large-scale operations are rooted in fairly straightforward incentives. So too are hacktivists and hackers that are "doing it for the lulz"- outcomes that are for more about provoking a response or creating change. Targeted hacks of individuals for personal data not only are much more difficult to prevent, identify and pursue on the part of law enforcement- they also happen on a scale that is not seen to have a significant enough impact economically, societally or organizationally to receive the attention truly deserved. Given the frequency of such instances, and the yearly increase in information and services processed solely online, the public service and private sector incentive to have structures in place to respond to such attacks surely must reach a tipping point soon? akk22 14:26, 22 April 2014 (EDT)-----

Cyber warfare will take on a greater importance in conventional warfare and Government hackers will be crucial to this. It only makes sense as weapons, communications and systems become more sophisticated. Hackers may be used to break into countries systems to steal data and cause widespread disruption or break into the phones of country leaders and their key staff. This is evidenced in the Ukraine crisis by relentless hacking attacks on Russian websites by Ukraninan hackers and visa-versa. http://www.bloomberg.com/news/2014-03-05/russia-ukraine-standoff-going-online-as-hackers-attack.html Marissa1989 01:06, 22 April 2014 (EDT)

Andy, thanks for your article on the Aaron Schwartz prosecution. As you put it, "CFAA is shockingly broad when it is laid out" -- but that's not the only issue with it. It's just another case of private industry co-opting the criminal justice system to enforce things that ought to be largely handled by the civil system (which strikes me as lousy public policy). As you noted in your quote from the CFAA itself, "access in violation of an agreement or contractual obligation, such as an acceptable use policy or terms of service agreement..." In other words, the CFAA makes it a crime to violate the AUP or TOS with your ISP. Outside of copyrights and information technology stuff, how common is it for the US government to get involved in criminalizing the violations of contracts between private parties? Jradoff 09:46, 22 April 2014 (EDT)

In the article "Hacking tool threatens Healthcare.gov site" a DDoS is the least of warranted concerns. A DoS attack is grave in nature and is rather simple to perform. Many attempts have been made to develop systems that could either launch a DoS attack or be immune to one, but to assume that the nefarious minds out there in the arena aren’t constantly working on new and novel methods to exploit systems is naïve and foolish. The rash and explosion of virus and malware activity in the recent decades testifies to the fact that there is no dearth of people working to venture into, exploit and topple your systems. The use of pre configured or automated tools that are easy to operate in order to pursue their disruptive activities against systems in a network are identifiable. . DoS attacks are nothing but an onslaught or assault against your system that will affect in that system not being able to accomplish its intended job. The direction of the argument within the article fails to look at the programming and structure of the website itself that may allow for significant data leakage. VACYBER 13:05, 22 April 2014 (EDT)

I have to say this is one of the topics I was most looking forward to this semester, particularly with the growing number of hacktivist groups and hackers. I was quite intrigued by the recent events around the Heartbleed bug, which they are calling one of the greatest security threats in the online era (http://en.wikipedia.org/wiki/Heartbleed). As I have noticed in many of your posts already, I believe the growing consensus is that hacking is here to stay and will likely become more predominate in our national security moving forward. As more and more functions of our society move online (think traffic grids, manufacturing processes, defense systems), the urgency to protect against hacking threats grows each year.

What will then intrigue me to hear is what is being done to slow down hackers, particularly those who may pose a greater security risk than say, taking over a facebook page. I believe part of the issue is that the NSA needs to be able to attract and retain elite computer hackers who can help in this regard, yet have been unable to do so. The best computer minds would rather take a payday from Google than work for the government at a more modest wage.

Can't wait to hear this lecture and see what there is to be said about slowing hackers in the future.

Drogowski 13:13, 22 April 2014 (EDT)

Grrr... The site logged me out while I wrote my last message and then proceeded to delete it :(

Any ways, I think this weeks' readings raise a lot of questions about the "morality" of internet behavior and online hacktivism. Interestingly, there seems to be an influx of individuals who wouldn't necessarily be apt to breaking and entering in the physical world, but who are doing just that via their computers. I wonder in these cases whether it is the ease, the relative security, or that it feels less invasive/illegal that draws people to hacking rather than more physically invasive means.

It also seems that there is a great degree of ambiguity to the laws which govern how one is expected to comport themselves online. This is made especially clear in Sarah Laskow's article, in which she points out that "The CFAA isn’t a law that journalists are taught to look out for." This presents us with a scary reality, that individuals like you and I, as well as professionals such as reporters, might be subject to laws which we might not realize exist or understand and could easily be breaking, just by doing what we think is simple research. While I understand the necessity of regulation, it can also be a catch-22.

Castille 15:14, 22 April 2014 (EDT)

As it is clear from readings and Aaron's case, the security of information is the crucial question of nowadays. Data contained in computer, data contained in mobile phone is so essential and important that they ruin lifes once they are disclosed. When it comes to criminalization of hackerisim or non-authorized access or "with exceeding authorizatiob" is a right direction from point of security. But, still I think that this is more technological issue rather than legislative. Aysel Ibayeva (Aysel 15:21, 22 April 2014 (EDT))