Tuesday, March 12, 2024

Digital Havoc: A Reading List About Hacking



It’s 1983. The original Mario Bros. video game is released. Michael Jackson’s Thriller reaches the top of the Billboard album chart. And in the hit film WarGames, a teenage Matthew Broderick breaches the cyberdefenses of a military supercomputer from his bedroom, sparking a global emergency. Back then, outside of the home computing subculture, the term “hacking” would have been unfamiliar to the general public. In fact, the hacking technique Broderick’s character employs onscreen became known as “wardialing” in honor of the movie. We’ve come a long way since then, but I suspect that most of us still have little more than a cursory knowledge of how the internet works, or have any idea as to the nature of hacking beyond that gleaned from WarGames and its countless cinematic descendants. 

We are certainly aware, though, that each passing year an ever-growing digital octopus encroaches more and more into every area of our lives, the majority of us networked to one another for most of our waking hours. Despite endless warnings highlighting the dangers of the digital world, there is a growing acceptance that, in return for the speed and convenience of the internet, we must relinquish a little of our privacy. It’s a trade-off, trusting that the institutions we most rely on—banks, insurance companies, government agencies—will keep our personal details safe.

Seldom, however, are we without a major hacking story. In January 2023, the UK’s postal service was hit by a ransomware attack; after Royal Mail refused to pay $80 million to regain access to its computer system, it suffered huge financial losses. That same year, Oakland, California, declared a state of emergency after a similar cyberassault in which a decade’s worth of sensitive data was stolen. Other attacks hit even closer to home. Witness the 2014 iCloud hack that spilled dozens of celebrities’ private photos across the internet, or the 2015 attack on Ashley Madison, a website enabling extramarital affairs, exposing the personal details of thousands of subscribers.

Perhaps more terrifying still is the prospect of international, state-sponsored hacking: countries mobilizing armies of digital soldiers to infiltrate online platforms. Such organized incursions work to promote one nation’s interest in multiple ways, from targeting sites viewed as critical of the country in question to directly attacking a nation’s infrastructure—its banks, hospitals, television stations, or nuclear plants. For a real-world example, we only have to look at the ongoing conflict in Ukraine, where Russian cyberattacks have knocked out vital telecommunications networks. 

The features collected below are as illuminating as they are concerning, and as intriguing as they are startling. More than anything, though, they remind us that behind all hacking incidents are human stories. Both hackers and their victims are real people—even if, to those behind the keyboard, 1s and 0s have abstracted that connection beyond any feelings of regret.

The Hacker (Maddy Crowell, Columbia Journalism Review, April 2023)

I grew up in the 1980s, when the specter of nuclear war meant the periodic blare of warning siren tests. On those occasions a dark fear gripped my heart, a sense that dangerous and unseen forces would have the final, fatal say on my life. War, as we know all too clearly, continues apace in the physical world, but increasingly it feels as though the largest battles are being fought in the digital arena. Nowadays, a different ongoing global conflict seems to infect every corner of society: a war for our minds. That may sound a tad histrionic; politicians have always been in the business of swaying opinion, and propaganda has always been part of geopolitics. But deepfakes, chatbots, and cyberattacks on newspapers have changed the game considerably, leading to a digital arms race in deception and the ability to spot it.

For every cause, though, a champion. Runa Sandvik is a child of the internet era. She encountered her first computer in 2002, at the age of 15, and instantly became fascinated by the possibilities of hacking, a passion that later blossomed into genuine concern for users’ privacy online; now, she works to protect high-risk civil groups such as journalists and human rights lawyers. Her cybersecurity bona fides only make apprehension over state-sponsored hacking all the more alarming. Yet, aside from the fascinating technological insights this article provides, Crowell makes Sandvik herself intriguing: an unconventional woman who seems to have, perhaps unwillingly, taken on the mantle of defender of human digital rights, and done so with tireless dedication.

When I asked Sandvik what would be required to make yourself entirely safe from cyber threats, she replied: you wouldn’t be online at all, and you would have to live in the forest. I often found her prudence perplexing. I wondered if there were things she was hiding from me—an awareness of risks that only someone with her expertise could appreciate. Or if, in her affable bluntness, she simply wanted to convey that most of us are blind to the surveillance dystopia in which we live.

The Mirai Confessions: Three Young Hackers Who Built a Web-Killing Monster Finally Tell Their Story (Andy Greenberg, Wired, November 2023)

It’s become a cinematic cliché: the nerdy teen in his parents’ basement, surrounded by screens and equipment, casually hacking into big corporations for his own amusement. Until, that is, the authorities come, not knocking, but smashing down the door. Cue the whiz-kid bad boy’s transformation into hero, helping the very authorities he once fought against to safeguard the world, or at least America. Yet that’s pretty much what happened to Josiah White and his two friends after they created and unleashed Mirai, a virus so deadly that it became a top priority for the FBI.

It’s easy to understand why teenagers might be drawn to the murky world of hacking; there’s little more seductive than a realm where your power becomes greatly magnified, and the romance of an individual challenging big corporations only sweetens the prospect. Hackers are the modern-day dashing highway bandit, albeit without the rearing horse and two smoking muskets—a rogue we can’t help but secretly admire. Greenberg does a fantastic job of bringing all the characters in this lengthy tale to life. It’s that depth that makes the story an ultimately redemptive one.

For two months, he had been waiting for the raid. He was now keeping a nocturnal schedule, working at his computer with Paras and Dalton until 3 or 4 in the morning before sleeping until 8 am and then heading into his father’s computer repair shop. But that night, having finally gone to bed after 4 am, he still lay awake, his mind racing with anxiety.

As the banging started and his older brother hurried upstairs from their shared basement-level bedroom, Josiah went into the storage room and quickly switched off his computers. All three of the Mirai creators had been careful to do their hacking on remote servers and to connect to them only from ephemeral virtual machines that ran on their own PCs. So he figured that switching the computers off would erase any lingering data in memory. Then, before turning off his phone, he sent a message to Paras using the encrypted messaging app Signal: “911.”

Leave No Trace: How a Teenage Hacker Lost Himself Online (Huib Modderkolk, The Guardian, October 2021)

Shout out to all the parents out there who worry about what their children might be getting up to online. Teenagers can be enormously secretive, resentful of unwanted intrusion into their personal business. Nowadays, unfortunately, it’s as easy for an adolescent to get into trouble staying at home as being out late. The best we parents can do is instill in our children all the wisdom and advice that we wish we had received at their age, stay connected, and hope for the best.

Fair warning: this is a tale with no happy ending. It’s the story of a young man finding online the confidence and social network he had been unable to discover in real life, and becoming seduced by the power and possibilities of illegal hacking, with a tragic conclusion. Edwin Robb’s not blameless, of course, but you still can’t help but feel a little bit sorry for him. 

Edwin was trawling the internet and scanning networks to see who might be using software with a known hole. In this case, it was HP Data Protector. He searched sites manually using Google, entering “Data Protector” as the search term alongside a specific web or IP address. In early December 2011, Edwin struck gold. He found a university in Norway, NTNU, that was using the software and hadn’t yet installed the update containing the patch. Edwin grabbed his exploit, executed it, and he was inside. Looking around the university’s network, he discovered he had six computer servers at his command. On a roll, Edwin next gained control of a “supercomputer” at the University of Tromsø. He nosed around for a while and then installed a “backdoor”. Now he could access the university’s computer server remotely whenever he wanted to.

Edwin pulled off his stunt without a hitch and earned himself hacker cred with his new friends. Dwaan responded to Edwin’s feat with enthused fist pumps and exclamations of “Loooooooolll” and “OMG!”. This only whetted Edwin’s appetite. He went in search of new targets in other countries. His next victim was the University of Twente in the Netherlands, then a website in Iceland, and after that a university in Japan. He was unstoppable. As long as he took care to connect to a VPN server in Russia first, he left no tracks to follow.

Life of a White-Hat Hacker (Zoe Schiffer, Vox, August 2019)

The white hat/black hat binary used to distill hacking’s morality evokes fantasy roleplaying and metaphysical lore—fitting counterparts given the overarching nerd/geek subculture from which hacking emerged. A white-hat hacker, for those who aren’t familiar with the term, is one who uses their computer skills for “good.” Such people are often hired by companies to test their security systems, exposing vulnerabilities before a less scrupulous operator discovers them. There are also the altruists, home-based hackers who spend their weekends searching for vulnerabilities in software and hardware used in people’s homes. 

It should be reassuring that such people exist, given the amount of smart technology most of us invite into our lives, especially taking into account the observation you’ll find in this excellent piece: it’s often cheaper for companies to pay a fine rather than develop the necessary security for their products. White-hat hacking, it turns out, is bound by its own strict moral code, and the individuals who follow this code make for fascinating subjects.

Most of Dardaman’s contracts run between one and two weeks. Oftentimes, a company won’t tell their security team Dardaman is there, allowing him to move around their networks quietly, observing how things work and finding his way deeper into the system. But the cat-and-mouse game only lasts a few days.

“The goal is by the end of the week that I’m extremely loud,” he added, noting that his final move is typically to gain domain access to the company’s servers to set off alarms on the security team. “If they don’t catch me by the end of the week, they should reassess their security tools.”

Inside the Global Hack-for-Hire Industry (Franz Wild, Ed Siddons, Simon Lock, Jonathan Calvert, and George Arbuthnott, The Bureau of Investigative Journalism, November 2022)

I never cease to be impressed by investigative reporting, especially when presented with narrative skill, as is the case here. The amount of time, dedication, and often personal risk necessary to bring such stories to life is admirable; so too is the ability to tell a story with empathy, sympathy, and suspense. This article is a little different from others on this list, and possibly more frightening. Rather than targeting big corporations, the hackers in India’s underground are routinely paid to access personal email accounts, whether by a wife spying on her husband’s financial affairs or a blackmail victim searching for a way out of their predicament.

What is particularly startling, however, is the apparent complete lack of morality in such hackers. They make no judgments. If a client is willing to pay handsomely, someone can be found who will do their bidding. Isn’t that a fear we all have—the thought of all your private online activity, emails, photos, even movements being completely exposed? This article is one of those rabbit-hole pieces, leading you down ever-darkening corridors into a murky world of diamond dealers, dodgy politicians, and unethical private investigators. It will leave you scrambling to reset all of your passwords.

Before approaching his victims, he researches their personal life looking for details about families, relationships, upbringing, children, wealth and holiday destinations. He does this using automated software to scour the internet for scraps of information about the victim and monitors his targets’ WhatsApp account to establish the time of day they are usually online.

“We have surveillance on you for a week, for two weeks, for three weeks or maybe for a month,” he said. This helps him to be more convincing when posing as an acquaintance of the victim.

Inside a Hacking Competition to Take Down a Water-Treatment Plant (Kaveh Waddell, The Atlantic, October 2016)

I spent countless hours of my childhood writing programs on my dear old ZX Spectrum home computer with its whopping 48 KB of memory. I like to think that I could still knock out a line or two of code if need be (assuming Basic and Logo are acceptable), but I admit to feeling totally lost when it comes to the activities you’ll find chronicled here. This is a competition for college-aged kids, and reading about them jumping from screen to screen, excitedly searching for breaches in the system, fills me with a mixture of admiration and bewilderment, like watching trained acrobats backflip across a stage.

These young hackers may have been playing a game, but in doing so they were rehearsing for real-life encounters. Governments are more aware than ever of the threat of cyberattacks on a country’s infrastructure. If the pretend water plant in this article had been real, a successful hack could have brought about serious consequences. Let’s hope that the talented students who are the subjects of this piece continue to develop their skills in the right direction.

For the next two and a half hours, the water-treatment plant remained under siege from several different groups of hackers, who were attacking each other even as they delved deeper and deeper into the plant’s controls, causing absolute mayhem. At 2:45, a pair of revolving sirens threw blue beams around the room: The system that maintained the plant’s water levels had been disabled, and one of its tanks began to fill at an alarming rate.

“The float’s been submerged!” a technician called out from near the tanks. The float was supposed to cut off water flow the moment it became immersed.

“Is it still filling?” asked another, hunched over a laptop perched on his knees.

“Yes!”

“That’s bad.”

The workers powered down the plant again in order to drain the tank to a safe level.


Chris Wheatley is a writer and journalist based in Oxford, UK. He has too many guitars, too many records, and not enough cats.

Editor: Peter Rubin
Copy Editor: Cheri Lucas Rowlands



from Longreads https://ift.tt/pHMuEwA
