Through the security looking glass

Does anyone else find this passage about teenybopper hackers bizarre?

Even worse, most aren’t going to great lengths to disguise their real-life identities, which could lead to them being arrested or taken advantage of by more experienced hackers looking for victims, he said.

"Most have absolutely no idea of what getting they’re into, they’re swapping stolen credit card data using their real names and photos, they’re committing real crimes and leaving huge paper trails back to their real identities," said Boyd, who also goes by the name "Paperghost" in conducting his underground research.

As sad as it might be, I actually do want these kids caught and taught, even if the lesson is a tough one. To lament about how easy it is to catch them is very strange to me. If someone is going to warn these kids about how easy it is to catch them, it is only going to turn them into better hackers, not models of society.

I do agree on the broader point that all the talk about "cheat codes" in video games makes a lot of this stuff seem okay, and it is a short slippery slope to credit card numbers and the like.

4 comments for “Through the security looking glass

  1. February 5, 2008 at 10:26 am

    For what its worth, I noticed that too – to be fair to the interviewer, we were talking on a bad line with lots of background noise thrown into the mix. So for the sake of clarity…

    I talked at length about how its easier to catch them and also how more experienced hackers lurk on these forums, often using them for their own ends. The sentence as a whole makes sense as presented but *only* with one key omission:

    Remove “being arrested” and it makes a lot more sense. And it’s true – a lot of these kids who are borderline (or just hanging out on these sites with no real intention of doing anything illegal) end up getting into real trouble thanks to pressure from older people also hanging out on the same sites. However you look at it, that kind of scenario IS a shame. Up to that point there was always a chance they weren’t going to do something stupid.

    After that point of course, all bets are off.

  2. February 5, 2008 at 10:53 am

    Also, with regards to the suggestion you made that “If someone is going to warn these kids about how easy it is to catch them, it is only going to turn them into better hackers, not models of society.”

    I have to disagree. These bottom feeders that I’m continually mopping up aren’t really even hackers at this stage, even accounting for some of the fake applications they make. They’re play acting, almost (though carrying out illegal activity all the same). They’re cutting and pasting tutorials from other sources without understanding them, copying lists of CC details from some Warez site without gathering them themselves, rehashing serials and so on.

    They don’t think law enforcement will get them – and by and large, they’re right as they’re either too young to be prosecuted OR they live somewhere where the local police can’t do anything about it anyway. In fact, they never even considered it, hence their real name, address, city, shoe size etc all over the place. Most are so arrogant, they really don’t care whether someone happens to be onto them or not, they don’t intend to start covering their tracks (as can be seen from the numerous chats with these kids that I’ve posted to my site, as well as the many that haven’t seen the light of day).

    So by the time I show up, its almost impossible for them to go “underground” or retaliate anyway because their entire online (and offline) existence just got posted to the web, and its made known to them that this takes place while their sites are taken down. There’s basically nowhere left for them to go.

    They’re also OBSESSED with clinging to their username (especially as part of it normally contains a part of their real name).

    One kid who I removed from Youtube started a forum campaign to get his name back (he failed miserably, of course). When he couldn’t, he literally “retired” (his words) rather than, oh, simply place a “1″ at the end of his name or whatever. No idea why they’re so hung up over this, but it works to our advantage. In fact, some of them put more effort into their (totally fake) hacking videos / applications that they advertise on Youtube than their actual forums and hacking skills. It’s pretty bizarre.

    At any rate, even accounting for the possibility that some *might* try and start hiding a little better, there’s only so much a 12 or 13 year old kid can do to try and cover their tracks. And they majority will still be out there, as they are right now, posting up CC hacks with their photgraphs all over them.

    Going “covert” and hoping secretive mails to law enforcement will cause black helicopters to bumrush their house at 4AM is a lost cause – I know from experience that the Feds are snowed under with major cybercrime, and local police will generally send you a “mail deleted without being read” return receipt.

    At that point, you’re not left with much of an alternative – it’s name and shame to drive them out of their bad habits, or just let them get on with it.

    I had an email from a kid last week from some forum I’ve never even heard of, saying he was sorry for all sorts of things, and he wasn’t going to “hack” anymore and would I like some intel on his old forum buddies – all because of him hearing about my “name em / shame em” approach.

    I’m not gonna complain about that kind of result!

  3. February 5, 2008 at 12:35 pm

    @paperghost:
    frankly, if i’m reading pete’s intent accurately here, the bizarre part is that you prefaced the description with “even worse”…

    being easy to track down doesn’t seem worse to me, it seems better… for one it makes it easier for you and people like you to do what you do… does it also make it easier for really bad guys to victimize them? perhaps, but life has consequences, no matter what age one happens to be… hopefully being as traceable as they are also limits their value to those really bad guys…

    as for the social dynamics you attribute to those scenarios, it’s actually not that different from how things went with the vx scene back in the day and i’m sure one could even find offline analogs as well… yes it’s a shame that kids get into this sort of thing, but there will always be those who are drawn into circles of counter-cultural influence, whether in the cyber-realm or in back alleys… it’s really quite an old story…

    your name and shame campaign is actually probably quite appropriate under the circumstances – i think you’ll find that even though they’re trading in materials with financial value, social rewards make up a significant portion of their motivation (why else would they be so possessive about their nyms)… and that said, once again, the ease with which you can do that seems like it should be considered a good thing…

  4. February 5, 2008 at 1:05 pm

    “frankly, if i’m reading pete’s intent accurately here, the bizarre part is that you prefaced the description with “even worse”…”

    Ah right, I thought Pete meant it made no sense when used like it sounded like I meant it was “even worse” IF they got “arrested”.

    ….of course, them getting arrested IS a good thing if they’ve done something illegal. Like I said, that section is problematic as long as the “being arrested” part is left in – though of course, you can remove the “even worse” and leave ALL of it in instead.

    However, I prefer to keep “even worse” and ditch the “being arrested” – because aside from older hackers making these kids their fall guys (which I *do* think sucks), as the writeup briefly touches on, I’ve seen some of these kids trying to take down illegal porn sites. Aside from the obvious risks of having that material on their PC in the first place, there’s also the worry that it might not take very long for some of the individuals responsible for the UA content to track them down, either.

    People who produce that stuff know security researchers will try and shut them down; comes with the territory. However, I couldn’t really predict their reaction when faced with some inexperienced 13 year old wannabe page defacer leaving their nick all over the place.

    I could imagine a worst case scenario where they start hassling the kid in really freaky ways, or (going one step further) getting on the forums themselves, pretending to be one of them, going as far as a supposed “meet and greet”?

    Who knows. Maybe far fetched, but its not impossible. So yeah, for reasons such as those I *do* think its a shame that they claim to be so awesome at hacking while simultaneously acting so stupidly with regards their PII.

    Not because WE can catch them; but because of who else might be out there waiting to pounce. I have seen what looked like potential child groomers on some of these sites before now – and annoying one of them to any great degree because you whacked their websites? Not a great thing to think about.

    As I mentioned earlier, the conversation was on a bad line, and in places I think I’ve been paraphrased slightly. It happens, and of course sometimes it throws up oddities. Did I say that odd sentence word for word? Is it paraphrased? Was it simply an attempt to make two points in one go and not quite coming off either on the part of interviewer or interviewee? No idea. But as it reads, I agree it seems an odd phrase…which makes me think something went wrong with that particular line somewhere.

Comments are closed.