Hire the hackers! - Misha Glenny
[Music] Now this is a very, uh, unted like thing to do, but let's kick off the afternoon with a message from a mystery sponsor.
Dear Fox News, it has come to our unfortunate attention that both the name and nature of Anonymous has been ravaged. We are everyone and we are no one. We are Anonymous. We are legion. We do not forgive. We do not forget. We are the face of chaos.
Anonymous, ladies and gentlemen, a sophisticated group of politically motivated hackers who have emerged in 2011, and they're pretty scary. You never know when they're going to attack next, who or what the consequences will be. But interestingly, they have a sense of humor. These guys hacked into Fox News's Twitter account to announce President Obama’s assassination. Now, you can imagine the panic that would have generated in the newsroom at Fox. What do we do now, put on a black armband or crack open the champagne?
And of course, who could escape the irony of a member of Rupert Murdoch's News Corp being a victim of hacking for a change? Sometimes, sometimes you know you turn on the news and you say, is there anyone left to hack? Sony PlayStation Network? Done. The government of Turkey? Tick. Britain’s Serious Organized Crime Agency? A breeze. The CIA? Falling off a log. In fact, a friend of mine from the security industry told me the other day that there are two types of companies in the world: those that know they've been hacked and those that don't. I mean, three companies providing cyber security services to the FBI have been hacked. I mean, is nothing sacred anymore for heaven's sake?
Anyway, this mysterious group, Anonymous, and they would say this themselves, they are providing a service by demonstrating how useless companies are at protecting our data. But there is also a very serious aspect to Anonymous. They are ideologically driven. They claim that they are battling a dastardly conspiracy. They say that governments are trying to take over the internet and control it, and that they, Anonymous, are the authentic voice of resistance. Be it against Middle Eastern dictatorships, global media corporations, or intelligence agencies, or whoever it is, and their politics are not entirely unattractive.
Okay, they're a little in koat, and there's a strong whiff of sort of half-baked anarchism about them. But one thing is true: we are at the beginning of a mighty struggle for control of the internet. The web links everything, and very soon it will mediate most human activity because the internet has fashioned a new and complicated environment for an old age dilemma that pits the demands of security with the desire for freedom.
Now this is a very complicated struggle, and unfortunately for mortals like, uh, you and me, we probably can't, uh, understand it very well. Nonetheless, in an unexpected attack of hubris a couple of years ago, I decided I would try and do that, and, uh, I sought, I sort of get it. These were the various things that I was looking at as I was trying to understand it. But in order to try and explain the whole thing, I would need another 18 minutes or so to do it, so you're just going to have to take it on trust from me on this occasion and let me assure you that all of these issues are involved in cyber security and control of the internet one way or the other, but in a configuration that, uh, even Stephen Hawking would probably have difficulty trying to get, uh, trying to get his head around.
So, there you are, and as you see in the middle there is our old friend the hacker. The hacker is absolutely central to many of the political, social and economic issues affecting the net, and so I thought to myself, well, these are the guys who I want to talk to. And what do you know? Nobody else does talk to the hackers; they're completely anonymous, as it were. So despite the fact that we are beginning to pour billions, hundreds of billions of dollars into cyber security for the most extraordinary technical solutions, no one wants to talk to these guys: the hackers who are doing everything. Instead, we prefer these really dazzling technological solutions which cost a huge amount of money, so nothing is going into the hackers.
Well, I say nothing, but actually there is one teeny weeny little research unit in Turin, Italy, called the Hackers Profiling Project, and they are doing some fantastic research into the characteristics, abilities, and socialization of hackers. But because they're a UN operation, maybe that's why governments and corporations aren't that interested in them. And because it's a UN operation, of course, it lacks funding. But I think they're doing very important work because where we have a surfeit of technology in the cyber security industry, we have a definite lack of, call me old-fashioned, human intelligence.
Now so far I've mentioned the hackers Anonymous, who are a politically motivated hacking group. Of course, the criminal justice system treats them as common or garden criminals. But interestingly, Anonymous does not make use of its hacked information for financial gain. But what about the real cyber criminals? Well, real organized crime on the internet goes back about 10 years when a group of gifted Ukrainian hackers developed a website which led to the industrialization of cybercrime: welcome to the now forgotten realm of Carter Planet.
This is how they were advertising themselves a decade ago on the net. Now Carter Planet was very interesting; cyber criminals would go there to buy and sell stolen credit card details, to exchange information about new malware that was out there. And remember, this is a time when we're seeing for the first time so-called off-the-shelf malware—this is sort of ready-for-use out-of-the-box stuff which you can deploy even if you're not a terribly sophisticated hacker. And so Carter Planet became a sort of supermarket for cyber criminals, and its creators were incredibly smart and entrepreneurial because they were faced with one enormous challenge as cyber criminals.
And that challenge is: how do you do business? How do you trust somebody on the web who you want to do business with when you know that they're a criminal? I mean, it's axiomatic that they're dodgy, and they're going to want to try and rip you off. So the family, as the inner core of Carter Planet was known, came up with this brilliant idea called the escrow system. They appointed an officer who would mediate between the vendor and the purchaser. The vendor, say, of stolen credit card details, the purchaser wanted to get hold of them.
The purchaser would send the administrative officer some dollars digitally, and the vendor would sell the stolen credit card details. The officer would then verify if the credit card, uh, the stolen credit cards worked, and if they did, he then passed on the money to the vendor and the stolen credit card details to the purchaser. And it was this which completely revolutionized cybercrime on the web, and, uh, after that it just went wild; we had a champagne decade for people we know as carters.
Now I spoke to one of these carters who we'll call Red Brigade, although that was not even his proper nickname, but I promised I wouldn't reveal who he was. He explained to me how in 2003 and 2004 he would go on sprees in New York, taking out $10,000 from an ATM here, $30,000 from an ATM there, using cloned credit cards. He was making, on average a week, $150,000, tax-free of course, and, uh, he said that he had so much money stashed in his Upper East Side apartment at one point that he just didn't know what to do with it and actually fell into a depression. But that's a slightly different story which I won't go into now.
Now the interesting thing about Red Brigade is that he wasn't an advanced hacker. He sort of understood the technology and he realized that security was very important if you were going to be a carder, but he didn't spend his days and nights bent over a computer eating pizza, drinking coke, and that sort of thing. He was out there on the town, having a fab time, enjoying the high life. And this is because hackers are only one element in a cyber criminal enterprise, and often they're the most vulnerable element of all.
And I want to explain this to you by introducing you to six characters who I met while I was, uh, doing this research. Dimitri Golob, aka Script, born in Odessa, Ukraine, in 1982. Now he developed his social and moral compass in the Black Sea port during the 1990s. This was a sink-or-swim environment where involvement in criminal or corrupt activities was entirely necessary if you wanted to survive as an accomplished computer user. What Dimitri did was to transfer the gangster capitalism of his hometown onto the world wide web, and he did a great job in it. You have to understand that from his ninth birthday, the only environment that he knew was gangsterism; he knew no other way of making a living and making money.
Then we have Renuka Subramaniam, aka Jilzy, founder of Dark Market, born in Colombo, Sri Lanka. As an eight-year-old, he and his parents fled the Sri Lankan capital because Singhalese mobs were roaming the city looking for Tamils like Renuka to murder. At 11, he was interrogated by the Sri Lankan military, accused of being a terrorist, and his parents sent him on his own to Britain as a refugee seeking political asylum. At 13, with only a little English and being bullied at school, he escaped into a world of computers where he showed great technical ability, but he was soon being seduced by people, uh, on the internet. He was convicted of mortgage and credit card fraud and he will be released from Wormwood Scrubs jail in London in 2012.
Matrix 001, Matrix, who was an administrator of Dark Market. Born in Southern Germany to a stable and well-respected middle-class family, his obsession with gaming as a teenager led him to hacking and he was soon controlling huge servers around the world where he stored his games that he had cracked and pirated. His slide into criminality was incremental, and when he finally woke up to his situation and understood the implications, he was already in too deep.
Max Vision, aka Iceman, mastermind of Carter's Market, born in Meridian, Idaho. Max Vision was one of the best penetration testers working out of Santa Clara, California in the late 90s for private companies and voluntarily for the FBI. Now in the late 1990s, he discovered a vulnerability on all US government networks and he went in and patched it up because this included nuclear research facilities, sparing the American government a huge security embarrassment. But also because he was an investor at hacker, he left a tiny digital wormhole through which he alone could crawl, but this was spotted by an eagle-eyed investigator, and he was convicted. At his open prison, he came under the influence of financial fraudsters, and those financial fraudsters persuaded him to work for them on his release. And this man, with a planetary-sized brain, is now serving a 13-year sentence in California.
Adewale Taiwo, aka Freddie Bibi, master bank account cracker from Abuja, Nigeria. He set up his presently entitled news group, bank frauds at dot co dot uk, before arriving in Britain in 2005 to take a master's in chemical engineering at Manchester University. He impressed in the private sector, developing chemical applications for the oil industry while simultaneously running a worldwide bank and credit card fraud operation that was worth millions until his arrest in 2008.
And then finally, Chateauvian, aka Chao, one of the most remarkable hackers ever from Ankara in Turkey. He combines the tremendous skills of a geek with the suave social engineering skills of the master, uh, criminal. One of the smartest people, uh, I've ever met. He also had the most effective Virtual Private Network security arrangement the police have ever encountered amongst global cyber criminals.
Now the important thing about all of these people is they share certain characteristics. Despite the fact that they come from very different environments, they are all people who learnt their hacking skills in their early to mid-teens. They are all people who demonstrate advanced ability in maths and the sciences. Remember, when they developed those hacking skills, their moral compass had not yet developed, and most of them, with the exception of Script and Chao, well, they did not demonstrate any real social skills in the outside world, only on the web.
And the other thing is, is the high incidence of hackers like these who have characteristics which are consistent with Asperger's syndrome. Now I discussed this with Professor Simon Baron-Cohen, who's the professor of developmental psychopathology at Cambridge, and he has done path-breaking work on autism and confirmed also for the authorities here that Gary McKinnon, who was wanted by the United States for hacking into the Pentagon, suffers from Asperger's and the secondary condition of depression. Baron-Cohen explained that certain disabilities can manifest themselves in the hacking and computing world as tremendous skills and that we should not be throwing in jail people who have such disabilities and skills because they have lost their way socially or been duped.
Now I think we're missing a trick here because I don't think people like Max Vision should be in jail. And let me be blunt about this. In China, in Russia, and in loads of other countries that are developing cyber offensive capabilities, this is exactly what they are doing. They are recruiting hackers, both before and after they become involved in criminal and industrial espionage activities, and mobilizing them on behalf of the state.
We need to engage and find ways of offering guidance to these young people because they are a remarkable breed. And if we rely, as we do at the moment, solely on the criminal justice system and the threat of punitive sentences, we will be nurturing a monster we cannot tame. Thank you very much for listening.
So, um, so your idea we're spreading is hiring hackers. How would someone get over the kind of fear that the hacker they hire might preserve that little teensy wormhole? I think to an extent you have to understand that it's axiomatic among hackers that they do that. They are, you know, they're just relentless and obsessive about what they do. But all of the people whom I've spoken to who've fallen foul of the law, they have all said, please, please give us a chance to work in the legitimate industry. We just never knew how to get there. What we were doing, we want to work with you.
Okay, well, that makes sense. Thanks a lot.