Security Central: Whatever Happened to the Hacker Ethos?
I was four years old the first time I watched someone hack into a computer. The dreamiest kid in high school dialed into the school’s computer system to change Jennifer Mack’s Biology 2 grade from an F to a C, and gave an entire generation a new face to put to the proverbial Big Romantic Gesture.
David Lightman in WarGames was my first exposure to “hacker culture.” Matthew Broderick managed to take a heap of beige plastic and a rotary phone and turn it into a Quixotic move akin to slaying a 20th century cyber-dragon. Then he took that same sensibility and saved us all from global thermonuclear war with the Soviets, which was slightly less of a big deal to me at four years old than Matthew Broderick’s romance with Ally Sheedy.
I wasn’t at all involved in the hacker subculture as a kid, but I’d still encountered Loyd Blankenship’s The Conscience of a Hacker before the cult classic movie Hackers was released in 1995 when I was 16. It was the modern day Holden Caulfield narrative, calling out to me in what was perhaps the best decade EVER to foster teenage angst.
This is our world now … the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn’t run by profiteering gluttons, and you call us criminals. We explore … and you call us criminals. We seek after knowledge … and you call us criminals. We exist without skin color, without nationality, without religious bias … and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it’s for our own good, yet we’re the criminals.
Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
Hell, yeah! Computer hackers became the living embodiment of the hackneyed “misunderstood youth” in the 1990s, and the hacker-as-savior archetype was reinforced by one Hollywood cutie after another: Edward Furlong in Terminator 2. Jeff Goldblum in Independence Day. Even Ron Livingston in Office Space. Keep your buff jocks, your feather-haired preppies, and your rebels clad in moto jackets and sulks. Give me a pasty-skinned, 130-pound cyber-warrior in glasses any day.
I’ve steadfastly and passionately built a career in technology because I always saw it as the last field filled with dreamers, democratic ideals and rebels with causes. Ours is the field of giants like Turing, Wozniak, Cerf, Jobs, Gates, and Zuckerberg — a legion of larger-than-life characters who literally sat down at a computer screen and built the world we’re raising our kids in.
I guess everyone’s heroes have to die at some point.
As we move from one of the most dismal cybersecurity years on record into an uncertain future where it seems everyone on the internet is out to make a buck off of someone else’s misfortune, I have to ask: What would Neo think of us now? Would David Lightman take one look at 2018 and crawl back to the W.O.P.R., happy to wage war on the Russians (and, of course, high school biology) rather than on his fellow American business owners?
“We’ve introduced the hacker-preneur. The capitalistic hacker,” said Dan Schiappa, SVP and GM of products at security solution provider Sophos, when talking to Channel Futures last week about the company’s new deep-learning enabled malware blocker Intercept X.
Our talk with the Sophos team came hot on the heels of our look back to 2017’s biggest hacks and what they might mean for the channel. There are a few key lessons we can take away from last year’s security debacles (clickbait works and Russia is behind everything), but the most important lesson is also probably its most depressing: Today’s most notorious hackers aren’t villains because they’re smarter or more curious or more open-minded than the rest of us. They’re villains because they’re greedy and have learned how to work the system.
“If something works, [the hacker community is] just going to keep rolling with it. They’re not going to pivot until they’re forced to pivot,” said Schiappa.
2017 provided ample evidence to the truth of that assertion. From Bad Rabbit to NotPetya to WannaCry, last year’s most calamitous hacks had more commonalities than differentiators, so much so that the cyberthreat landscape started to appear formulaic even to the untrained eye.
While the traditional hacker ethos I grew up watching on the silver screen is all about creative genius exercised in dark corners of society in flagrant rebellion against the capitalistic values of “the man,” today’s cyber-attackers seem to be about as noble and unique as the proverbial used-car salesman. To borrow from another nerd trope, it’s as though the “upside down” of Stranger Things has come full-throttle into cybersecurity, complete with its own dark little channel.
“It started with ransomware. Now we’ve seen these [malware-as-services] start to get built out,” said Schiappa. “They provide the hacker with all the tools and technologies for them to go perpetrate these ransomware attacks.”
These malware-as-a-service providers have turned cyberwarfare into a pre-packaged cloud service, with ‘dark channel’ CSPs packaging everything a bad actor needs to wage cyberwar in one neat little offering.
These “malware in a box” offerings don’t require a high degree of technical know-how, with graphical user interfaces and single-line command line scripts easily cobbled together to form an attack. The perpetrator is essentially executing the malware author’s code, which the original programmer has packaged in a product offering, or even subscription service. The provider’s business model is depressingly similar to that of legitimate software and services companies. Cybercriminals pay a monthly fee and the malware author keeps the product up-to-date with fresh exploits, just like software firms issue remote upgrades and patches to their customers.
“In recent years, exploit-kit authors have moved to cloud-based kits, mirroring the trend in the legitimate software industry — in essence, a criminal version of software as a service,” according to Trustwave’s Global Security Report. “Today, most of the major kits use a rental-based business model, wherein customers pay for an account on a server under the kit author’s control and manage their illicit ‘campaigns’ through an administrative interface.”
I ask you this: Could you picture Dade Murphy, David Lightman, or Mr. ‘Neo’ Anderson buying their hacks from a retailer? Nothing could be more anathema to the traditional, romantic hacker ethos. If the actual attacker isn’t the real brains behind the operation, then that leaves creativity and technological advances up to this surreal ‘dark channel.’
“In order for them to continue to build that subscription revenue, they’re going to have to be effective in the tools they provide to the hacker community,” said Schiappa. “What we’re seeing is a tremendous amount of innovation in this space. As a vendor, we have to out-innovate the bad guys.”
So the ‘everyday hacker’ archetype moves from the dingy basement to the glittering boardroom and trades in ratty vintage video game t-shirts for a suit and tie. In leaving the hacker-as-dissident trope behind, the cybercriminal world has evolved into a business just as mature and sophisticated as many of the channel shops we feature on the MSP 501. That’s equal parts scary and sad.
Our boy genius David Lightman has grown up, started a CSP, and is coming for us all.