SOCL491: Cybercrime

Hacking

maxigas @ Lancaster, 2018-04-23

Hacking

Today

  • Primary sources
  • Histories
  • Theories
  • News representations

Hacker scenes

  • Internally diverse
    • Free software development, DIY hardware making, hams (radio amateurs), etc.
  • Gravitate around infosec
    • Example: kinky geek BDSM
  • Geographically and historically variable
    • Phreakers to hackers, North and South, etc.

The case of infosec culture

Information security scenes are great for studying the social construction of risk and value because they bring together people from very different backgrounds, motivations and social positions around a common problem: the risk constructed around information security.

Why is cybercrime rampant?

  • Computers and networks are widespread, yet nobody knows what exactly they are for! (Kirkpatrick 2004)
  • Information technology became part of everyday life without stabilisation and closure. (Pinch and Bijker 1984)
  • General purpose information processing is a versatile technology widely available. (Doctorow 2011)

→ Hacking as an engineering culture was key to these developments.

Essay question

In what ways is hacking cybercrime? (In your answer, make sure you characterise both the range of practices called “hacking” and how you understand cybercrime.)

Group work I.

Hackers write

Read, analyse and discuss the primary sources:

  • How do the actors relate to each other?
    • Hackers: infosec researchers
    • State: law enforcement
    • Capital: vendor companies
  • What are their concerns about risk?
  • Why is something considered valuable?

Draw a diagram of actors, risk and value!

Handouts

History

Blue Box built by Steve Wozniak and Steve Jobs

Phone phreaking

Phreakers explore phone networks, notably the Bell Telephone Corporation:

  • Nationally regulated monopoly.
  • “The largest machine on the planet.”
  • Publicly exposed in-band control channel.

→ Vulnerabilities are only shared underground! Masters of Deception (Phiber Optik) vs. Legion of Doom (Erik Bloodaxe)

Philes and hacker magazines

  • Originally spread on Bulletin Board Systems (dial-up connections to dial-in home computers):
    • 1971: TAP (Technological American Party).
    • 1984: 2600: The Hacker Quarterly.
    • 1985: Phrack Magazine.
    • 2013: POC||GTFO.

→ Self-organised knowledge production of security vulnerabilities and engineering culture to nourish a scene!

2600 mag cover, US

Hacktic mag cover, Netherlands

POC||GTFO mag cover

Cryptowars I: OpenPGP, 1991 to 1996

Public access to strong encryption (Levy 2001):

  • Cold war: strict export regulations on “ammunition”, including crypto.
  • 1991: Phil Zimmermann publishes Pretty Good Privacy (PGP) as free software.
    • PGP makes strong crypto available to the general public → controversial.
    • Three-year court case about Zimmermann violating export regulations.
  • In the meantime, strong cryptography becomes necessary for e-commerce.
    • Internet access becomes a commodity available on the consumer market in US.
    • Netscape publishes US and International versions of its web browser (~Firefox).
  • 1996: Law changes, software is not ammunition any more (Bill Clinton).

Infosec becomes a public concern!

GnuPG, popular OpenPGP software

The L0pht

L0pht congressional testimony (1998)

L0pht Heavy Industries (est. 1992; Fisher 2018):

  • Hacker collective / hacker think tank
  • First proto-hackerspace in the USA (Boston)
  • Advocates: Responsible Disclosure (public sharing)

Infosec as national security (Greenwalt and Pratt 1998)!

cDc launches Hacktivismo

“Global Domination Through Media Saturation”:

  • Cult of the Dead Cow (est. 1984, Texas) hacker group
  • 1995: War on Scientology
    • Anonymous declares the same in 2008, aka Project Chanology (Coleman 2014)
  • 1999: Hacktivismo initiative (Dead Cow 2001)
    • 2001: Hacktivismo Declaration

→ “Digital vigilantism” as a genre of hacking!

cDc deface image

Hacktivismo Declaration (2001)

Case study: DeCSS

Censorship case of DVD copy protection removal program (descrambler). Two hacker groups involved: Masters of Reverse Engineering & Drink or Die. Raids and court cases 1999-2004.

  • US courts: distributing the source code is illegal!
  • Hackers argue that code is speech, so:
    • → first amendment protection;
    • ASCII art, haiku, T-shirt, tie, video, prime number versions of the code, showing that programming should be protected as speech and expression of personal opinion.
  • Since every program is represented as a binary number on disk:
    • a prime number that uncompresses to DeCSS was found,
    • first “illegal prime number” in the world!

DeCSS ASCII art (Hannum, Carmody, and Bowley 2002)

DeCSS tie (Touretzky 2008)

Illegal prime number, DeCSS program (Touretzky 2008; Carmody 2002; Carmody 2001; Caldwell and G. L. Honaker 2000)

Negotiable Knuth check

Non-negotiable Knuth check

Facebook bug bounty program interface

Bug bounty programmes (2010s)

Industry alternative to black markets:

  • Major vendors pay for vulnerabilities in their products.
  • Disclosure timeline negotiated with hackers.
  • Hackers given credit in the public advisory.
  • Bug Bounty intermediaries, consultancies and platforms.

Responsible Disclosure embraced by the industry (Friis-Jensen 2014).

Summary

Many options for security vulnerabilities today:

  • Fun: Use it to cause havoc.
  • Profit: Sell it to the highest bidder (on a black market).
  • Patriotism: Give it to the government.
  • Hacktivism: Exploit it for political causes.
  • Reputation: Full disclosure – to build reputation.
  • Science: Full disclosure – for intellectual curiosity.
  • Ethics: Responsible disclosure – coordinated with vendor.
  • Skip: Do nothing.

Risk and value of security vulnerabilities is a highly contingent social construct!

Legitimation

Historical trajectory of security vulnerabilities

  1. Underground hobby (1950s to 1980s)
  2. Criminal offence (1980s-2000s)
  3. Lucrative business (2000s)

→ Stratification: All layers present today!

Legitimation of hacking

“Heroes yet criminals” (Denker 2014):

  • Criminalisation questioned the legitimacy of hacking, disrupted the underground.
  • Hackers’ response was historically and geographically specific.
  • Often they choose legitimacy as “a consumer protection group”.

Examples: the Chaos Computer Club (Germany), L0pht Heavy Industries (USA).

Full disclosure

“The best lock is where everybody knows how it works but only the one with the key can open it.”

The practice of making the details of security vulnerabilities public – is a damned good idea. Public scrutiny is the only reliable way to improve security, while secrecy only makes us less secure. (Schneier 2007)

We don’t believe in security by obscurity, and as far as we know, full disclosure is the only way to ensure that everyone, not just the insiders, have access to the information we need. (Rose 2010)

Disclosure options

  • No disclosure: very proprietary companies, nation states and black hat hackers.
  • “Responsible disclosure”: “enlightened” vendors, free software projects.
    • Researcher contacts the vendor.
    • Coordinated timeline: they agree on how much time is needed to address the issue.
    • Coordinated release: vendor releases advisory and patch together.
    • Researcher given credit in the advisory.
  • Full disclosure: security researchers, hackers, academics.
  • Burn it!: hacktivists, vigilantes, patriots.

Social construction of risk and value

Theories of risk

Risk society

According to British sociologist Anthony Giddens, a risk society is “a society increasingly preoccupied with the future (and also with safety), which generates the notion of risk,” (Giddens and Pierson 1998, 209) whilst the German sociologist Ulrich Beck defines it as “a systematic way of dealing with hazards and insecurities induced and introduced by modernisation itself” (Beck 1992, 21).

  • Conceived as a response to ecological crisis, originally Chernobyl (Beck 1986).
  • In dialogue with the reflexive modernity stream in sociology (Giddens, Beck, Lash).
  • Hackers constructed infosec industry to address their own concerns about modernisation (Kulla 2003).

Theories of worth

Overview

  • Marx: economic base determining ideological superstructures (Marx 1859)
  • Gramsci: cultural hegemony is key to domination (Gramsci 1971)
  • Bourdieu: from economic capital to social and cultural capital (Bourdieu 1986)
  • Boltanski, Stark, Thévenot: orders/economies of worth (Boltanski and Thévenot 2006; Stark et al. 2006)

Base and superstructure (Marx)

The totality of these relations of production constitutes the economic structure of society, the real foundation, on which arises a legal and political superstructure and to which correspond definite forms of social consciousness. The mode of production of material life conditions the general process of social, political and intellectual life. It is not the consciousness of men that determines their existence, but their social existence that determines their consciousness. (Marx 1859, Preface)

Cultural hegemony (Gramsci)

  • Cultural hegemony
  • Organic intellectuals
  • The war of positions

→ The superstructure is also a relevant field of social struggle and conflict.

Forms of capital (Bourdieu)

Forms of capital:

  1. Economic capital: resources such as money, assets, property.
  2. Social capital: human relationships of mutual acquaintance and recognition.
  3. Cultural capital: education, knowledge, skills, also objectified in artworks, etc.

The different types of capital can be derived from economic capital, but only at the cost of more or less great effort of transformation, which is needed to produce the type of power effective in the field in question. … The convertibility of the different types of capital is the basis of the strategies aimed at ensuring the reproduction of capital (and the position occupied in social space). (Bourdieu 1986)

Orders of worth (Boltanski, Stark, Thévenot)

  • Different cultural logics operating at the same time!
  • Studied in the context of economic sociology.
  • Stark’s case is transition-era Hungary: mixed economy (1990s).
  • Moral, economic, civic orders mixed in situations.

Main reference: Stark et al. (2006).

Group work II.

Hackers in the news

Read, analyse and discuss the news:

  • Which actors appear in which configurations?
  • What risk and value is distributed between actors?
  • How is hacking constructed/deconstructed as a cybercrime?

Use social theories to understand the social construction of worth and value in relation to cybercrime!

Heartbleed bug logo

Heartbleed Handouts

XKCD webcomics:

Guardian Heartbleed bug coverage:

Infosec ecosystem handouts

Hacking today

Zuckerberg congressional testimony

Hackers’ concerns go mainstream:

  • Facebook as a national security risk.
  • Security vulnerabilities as a threat to democracy.
  • GDPR in the EU as a mitigation strategy.

→ Today, hacking is part of state and capital’s toolboxes too!

Questions?

maxigas@anargeek.net

https://slides.metatron.ai/cybercrime/

https://relay70.metatron.ai/

Bibliography

Beck, Ulrich. 1992. Risk Society: Towards a New Modernity. New Delhi: Sage.

Boltanski, Luc, and Laurent Thévenot. 2006. On Justification: The Economies of Worth. Princeton: Princeton University Press.

Bourdieu, Pierre. 1986. “The Forms of Capital.” In Handbook of Theory and Research for the Sociology of Education, edited by John Richardson, 241–258. First edition. New York: Greenwood. https://www.marxists.org/reference/subject/philosophy/works/fr/bourdieu-forms-capital.htm.

Caldwell, Chris, and Jr. G. L. Honaker. 2000. “Prime Curios!: 48565…29443 (1401-Digits).” Web page. http://primes.utm.edu/curios/page.php?number_id=953.

Carmody, Phil. 2001. “The World’s First Illegal Prime Number?” Web page. http://fatphil.org/maths/illegal1.html.

———. 2002. “An Executable Prime Number?” Web page. http://fatphil.org/maths/illegal.html.

Coleman, Gabriella. 2014. Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous. London; New York: Verso. http://monoskop.org/File:Coleman_Gabriela_Hacker_Hoaxer_Whistleblower_Spy_The_Story_of_Anonymous.epub.

Dead Cow, Cult of the. 2001. “Hacktivismo Declaration: International Bookburning in Progress.” Press release. http://www.cultdeadcow.com/cDc_files/declaration.html.

Denker, Kai. 2014. “Heroes yet Criminals of the German Computer Revolution.” In Hacking Europe: From Computer Cultures to Demoscenes, edited by Gerard Alberts and Ruth Oldenziel, 167–188. First edition. History of Computing. London; Heidelberg; New York; Dordrecht: Springer-Verlag.

Doctorow, Cory. 2011. “The Coming War on General Computation.” Talk at 29C3, The 29th Chaos Communication Congress. http://events.ccc.de/congress/2011/Fahrplan/events/4848.en.html.

Fisher, Dennis. 2018. “‘We Got to Be Cool About This’: An Oral History of the L0pht.” Transcripts published online. https://duo.com/decipher/an-oral-history-of-the-l0pht.

Friis-Jensen, Esben. 2014. “The History of Bug Bounty Programs.” Blog entry on Cobalt company website. https://blog.cobalt.io/the-history-of-bug-bounty-programs-50def4dcaab3.

Giddens, Anthony, and Christopher Pierson. 1998. Conversations with Anthony Giddens: Making Sense of Modernity. Boston: Stanford University Press.

Gramsci, Antonio. 1971. Selections from the Prison Notebooks. New York: International Publishers.

Greenwalt, Bill, and Alex Pratt. 1998. “Hearings Announced on Computer Security Failures in Government.” Press release of the US Senate. http://web.archive.org/web/20110927215809/http://hsgac.senate.gov/l0pht.htm.

Hannum, Charles M., Phil Carmody, and Alex Bowley. 2002. “DVDlogo.c.” C source code on website. http://www.cs.cmu.edu/~dst/DeCSS/Gallery/bowley-efdtt-dvdlogo.html.

Kirkpatrick, Graeme. 2004. Critical Technology: A Social Theory of Personal Computing. Hants; Burlington, VT: Ashgate.

Kulla, Daniel. 2003. Der Phrasenprüfer: Szenen Aus Dem Leben von Wau Holland, Mitbegründer Des Chaos-Computer-Clubs [the Voltage Tester - Scenes from the Life of Wau Holland, Co-Founder of the Chaos Computer Clubs]. Werner Pieper & The Grüne Kraft.

Levy, Steven. 2001. Crypto: How the Code Rebels Beat the Government-Saving Privacy in the Digital Age. London: Penguin.

Marx, Karl. 1859. A Contribution to the Critique of Political Economy. First. Moscow: Progress Publishers. https://people.well.com/conf/inkwell.vue/topics/190/St-Jude-Memorial-and-Virtual-Wak-page01.html.

Pinch, Trevor J., and Wiebe E. Bijker. 1984. “The Social Construction of Facts and Artefacts: Or How the Sociology of Science and the Sociology of Technology Might Benefit Each Other.” Social Studies of Science 14 (August): 399–441. http://libgen.io/scimag/get.php?doi=10.1177%2F030631284014003004.

Rose, Leonard. 2010. “Full-Disclosure.” Mailing list manifesto. https://lists.grok.org.uk/mailman/listinfo/full-disclosure.

Schneier, Bruce. 2007. “Damned Good Idea.” Blog post. https://www.schneier.com/essay-146.html.

Stark, David, Daniel Beunza, Monique Girard, and János Lukács. 2006. The Sense of Dissonance: Accounts of Worth in Economic Life. Princeton: Princeton University Press.

Touretzky, David S. 2008. “Gallery of CSS Descramblers.” Web site. http://www.cs.cmu.edu/~dst/DeCSS/Gallery/index.html.