December 18, 2020

Ghost hackers

Screenshot from 2020-12-17 23-55-51.pngYears ago, a by-then-retired former teenaged hacker listened to my account of what mid-1990s hackers were saying, and sighed at how little things had changed since his 1980s heyday. "It's still that thing of doing it day after day," he said, or more or less, meaning tedious daily hours doggedly poking around sites, trying logins, keeping meticulous records, and matching a user name collected one year with a password spotted the next. Grueling, painstaking work for which you could get arrested. Which he eventually was, leading to said retirement.

Today's young hackers, brought up on video games, are used to such lengthy keyboard stints to grind out points. Does that make them better suited for the kind of work my former hacker, brought up on pinball machines, described? Not necessarily.

In a paper presented this week at the 2020 Workshop on Economics of Information Security, by Cambridge postdoc Ben Collier, he and co-authors Richard Clayton, Alice Hutchings, and Daniel R. Thomas lay out the lives of the vast majority of today's hackers. Attracted by the idea of being part of a "cool cybercrime", they find themselves doing low-level tech support, customer service, and 24/7 server maintenance for well-worn exploits, all while under the threat of disruption from intermediaries, law enforcement, and bugs left by incompetent software coders while impatient, distrustful customers fume at them. Worse, this kind of work doesn't attract the admiration of other hackers and these workers don't get to make creative leaps. It's just routine, boring office work, nothing like the hacker ethic they embraced or the hacker culture's self-image, which hasn't changed in any real sense since the 1990s, when it was described to me with evangelical fervor as thrilling.

The disappointment "fundamentally changes the experience of being in this world," Collier said. Isn't that always the way when your hobby becomes your day job?

These guys are little different from the "ghost workers", Mary L. Gray and Siddharth Suri profile in their 2019 book. However, this group don't expect these conditions, unlike the millions of invisible fixers and maintainers for companies like Uber, Amazon, and every other company that boasts of its special "AI" sauce. In the legitimate economy, these workers occupy the low-status bottom of the hierarchy and have little prospect of attaining the respect and perks of the engineers, research scientists, and top-level management who get all the visibility. The illegitimate economy is no different.

The authors got their idea from a leap of logic that seems obvious in retrospect: the gradual transition from the exploits of lone bedroom hackers to organized cybercrime-as-a- service. What was high-impact, low-volume crime is now high-volume crime, which requires a large, built infrastructure. "True scaling up needs lots of invisible supportive labor to enable true scale." Think the electrical or water grid in a large city.

Based on their forays onto cybercrime forums and numerous interviews, the authors find that neither the public at large nor the hackers themselves have adapted their mental models. "The heart of the subculture is still based on this idea of the mythic, lone, high-skilled hacker," Collier said. "It looks nothing like this invisible maintenance work." Or, of course, like this week's discovery that nation-state hackers have penetrated numerous US federal agencies.

In other words, the work these hackers are doing is exactly the same as life as a sysadmin for a legitimate business - with the same "deep, deep boredom" but with the added difficulty of how to spend their earnings. One of their many interviewees was able to monetize his efforts unusually well. "He ran out of stuff to buy himself and his friends, and finally quit because he was piling up Amazon gift cards in shoeboxes under his bed and it stressed him out." At one point, he even cut up thousands of dollars' worth of the cards "just for something to do". Closed to him: using the money to buy a house or education and improve his life.

WEIS began in 2002 as a unique effort to apply familiar concepts of economics - incentives, externalities, asymmetric information, and moral hazard - to information security, understanding that despite the growing threats no organizations has infinite resources. Over the years, economists have increasingly taken an interest. The result is a cross-the-streams event where a study like this one may be followed by a math-heavy analysis of the relationship between pricing and security-related business strategies, each offering possibilities for new approaches.

Collier concluded that arresting, charging, and convicting these guys is counter-productive because, "It's important not to block their escape routes. They often get in because the main routes in society are blocked." He added, "The systems of value and capital and social status that exist in the world are not working for loads of people, or they don't have access so they make their own alternatives." Cracking down and conducting mass arrests also blocks those routes back into mainstream society.

Would today's teens choose the hacking life if they really understood what the job was going to be like? As someone commented, at the next big arrest perhaps the press release should stress the number of hours the miscreants worked, the sub-McDonalds hourly pay they eventually earned, and the permanent anomie induced by their disappointment, disillusionment, and alienation.

Illustrations: Ben Collier, presenting "Cybercrime is (often) boring: maintaining the infrastructure of cybercrime economies" at WEIS 2020.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.