The Cyber Effect
Page 33
The moderator turned to Ralph Echemendia, the cyber-security samurai, and asked how he first got into hacking.
“I was a thirteen-year-old boy growing up in South America, and my friends and I were getting into porn,” he said. “And it never downloaded fast enough! That’s how I got into hacking.”
The audience loved that—and burst into laughter and applause. Ralph continued talking about his early years—how he hacked ham radios, hacked old bulletin board systems, and did phone phreaking, or finding ways to mess with the telephone company, usually to get phone service for free. His interest in technology eventually led to jobs in the computer industry. For the past fourteen years, he has conducted security audits and penetration tests, and has consulted for numerous organizations around the world, including the United Nations, Oracle, and various hospitals and financial institutions.
As I listened to Ralph talk, his passion for his work shone through—and began to shatter my narrow assumptions about hackers and hacker culture. It became increasingly apparent that intellectually, in terms of our view of all things cyber, we were aligned. He didn’t talk about tech as much as he talked about people’s lives, about culture and society. And the ways that technology could be used to improve life on earth, not distort it.
The moderator turned to me next. “What’s the explanation for why people hack?” she asked.
“If you are talking about humanistic psychology, it could be for an emotion such as love or revenge,” I replied. “But if we are talking behaviorism, then it’s all about reward or profit. But my favorite explanation for why people hack is the Freudian, or psychoanalytic, school of thought.”
The moderator looked puzzled. Ralph looked intrigued.
“Psychoanalytic? What’s that?” she asked.
“It explains hacking as a psychosexual urge to penetrate.”
“Respect!” Ralph cried out, and fist-bumped me. Our friendship was born.
This is a line I’ve used before—primarily to wake up an audience of near-comatose cyber-security professionals. It is meant to be a joke aimed at the behavioral sciences, where there are typically several conflicting explanations for one phenomenon, which can be so irritating to the dyed-in-the-wool hard-science community. Recently, though, I was unmercifully trolled on Reddit by technophiles who felt offended by this joke.
I read through the stream of abusive comments, and to be honest, I was pretty impressed by the level of psychoanalytic knowledge expounded, everything from my “father complex” to my alleged desire to—how can I put it delicately?—be intimate with a hacker. When some commenters actively defended me, I resisted the urge to jump into the conversation and thank them. All in all I was not outraged or shocked or hurt. I saw this trolling behavior for what it was—simply interesting feedback, data, and lots of it.
As my good friend John Suler says, “Let your critics be your gurus. You can treat them as an opportunity. Ask yourself why you’re ruminating on a comment. Why does it bother you? What insecurities are being activated in you?”
In other words, nobody can make you feel anything. You are responsible for how you interpret, react, and feel. It’s good advice to keep in mind when dealing with barbs and nasty comments online. If you are hanging out in cyberspace, you will surely find them.
Back in the real world, later that week, Ralph and I had dinner. We talked for hours. We discussed everything from the cyberpsychological nuances of socially engineered attacks to how easily your mobile can be compromised to send mischievous texts. And we discovered we shared a passion: kids with tech skills and how to nurture their talent. Like another colleague of mine, FBI Special Agent in Charge Robert Clark, a superdedicated and charismatic man who is very concerned about keeping young teens out of trouble in cyberspace and the real world, Ralph and I have both seen the statistics showing that younger and younger kids are becoming involved in hacking—and crime online.
Surely the generation being raised will have unimaginably fine tech intelligence. We’ve spent decades rewarding individuals with a high IQ, and more recently EQ (emotional quotient). But what about a new metric, TQ—technology quotient—to identify, assess, acknowledge, and reward individuals with the superlative tech skill sets that many kids intuitively display? Is a metric for intelligence designed almost fifty years before the first computer and one hundred years before the ubiquity of the Internet still fit for the purpose?
We need to find ways to reach out to tech-talented individuals, especially young people, nurture them, and teach them to think about others as people—not computers or machines. The tech-talented have such a lot to offer. And just like the pirates of yore, sailors who could turn a frigate on a sixpence and navigate expertly by the stars—and with the right environment and nurturing, could have made great naval commanders—the skills of high-TQ individuals could be harnessed to make enormous contributions to the quality of all our lives, or cyber-lives.
As Ralph spoke, I was beginning to see that hackers have their own distinct perspective and moral code. And while I certainly don’t endorse anything that involves breaking the law, I do respect raw talent and genius. And if hacker culture can produce a guy like Ralph, there must be good things happening there.
At the end of dinner, Ralph said, “Mary, the way you understand behavior online, you have mad hacking skills.”
What did he mean?
“But, Ralph, I’m not a hacker.”
“Oh, but you are—you just don’t know it.”
Crypto-Markets
After the arrest of Ross Ulbricht and the shutting down of Silk Road in 2013, it wasn’t too long before a new site, Silk Road 2.0, sprang up to fill the void. There were lots of copycat sites on the Darknet selling contraband by then—sites like Evolution, Agora, Sheep, BlackMarket Reloaded, AlphaBay, and Nucleus—often referred to as crypto-markets by law enforcement.
Many of these have come and gone already, but the offerings continue to expand. The black market has proven amazingly resilient. And the sellers grow more sophisticated each year.
As an article from Wired UK attests:
The first thing that strikes you on signing up to Silk Road 2.0 is the choice. There were almost 900 vendors to choose from, selling more drugs than I’d thought possible. Heroin, opium, cocaine, acid, prescription drugs are all readily available. Technically speaking, Silk Road 2.0 is an anonymous market for anything (with some exceptions, such as child pornography), which means there are also sections for alcohol, art, counterfeit, even books. Listings included a complete boxset of The Sopranos; a hundred-dollar Marine Depot Aquarium Supplies voucher, and fake UK birth certificates. Each with a product description, photograph and price.
But most people are here for the drugs….As I browsed through the marijuana offers, I found 3,000 different options advertised by over 200 different vendors.
According to some accounts, the number of products available on Darknets had more than doubled in less than two years after the 2013 arrest of Ulbricht, to fifty thousand.
Why?
I suspect the swashbuckling stories in the media about Silk Road may have encouraged curiosity about the Darknet and its offerings. The profusion of how-to guides that help newbies and first-timers figure out how to get to Darknets is also a factor. According to INTERPOL, as of August 2014 there were at least thirty-nine such markets, and the majority use English, although there are sites in French, Polish, and Russian too. An investigation in 2013 estimated that one-quarter of the illegal substances sold in the U.K. were obtained from them. We can’t know for certain, but the percentage of drug buyers using Darknets in the United States could be as high, or higher. A study done in 2015 analyzing the size of Darknet markets found that they do a brisk business. In just four years, since the development of the original Silk Road, the total sales volume is generally stable, around $300,000 to $500,000 a day. Even more remarkable, anonymous marketplaces have proven to be resilient to takedowns and scams, because demand plays a dominant role.
<
br /> What does that tell me? If we believe that figure—that as much as one-quarter of the illegal drugs in the U.K. and U.S. are obtained through Darknets—then it means one-quarter of those drug buyers have taken the step to download the suitable protocols like Tor and have learned how to use them.
And it means that one-quarter of these drug buyers have arranged for shipping of illicit goods to their residences or post-office boxes. The United Nations Office on Drugs and Crime (UNODC) review of global drug seizure data shows that cannabis seizures obtained through the postal service rose 300 percent in the decade from 2000 to 2011.
It means that one-quarter of these buyers are likely exchanging cryptocurrency—or using some form of anonymous and untraceable method of payment.
In 2015 the UNODC confirmed that there had been no major change in the regions where illicit crop cultivation and drug manufacture take place:
…but the illicit drug markets and the routes along which drugs are smuggled continue to be in a state of flux. The “dark net,” the anonymous online marketplace used for the illegal sale of a wide range of products, including drugs, is a prime example of the constantly changing situation, and it has profound implications for both law enforcement and drug trafficking.
We know from reliable field reports and investigative journalism that teens in particular have flocked online to buy drugs in recent years. It is perceived as being safer than entering a bad neighborhood. They may be looking for a quick way to score pot, ecstasy, or some other party drug. They may be using these drugs themselves—or selling them for a profit to friends. Or, like the pirates of old, they may be simply looking for some excitement and adventure.
Now let’s consider what we know about this age group. We know that impaired judgment can be common in teenagers, and when they gather in groups, due to the effects of the risky-shift phenomenon, they are even more likely to be judgment-impaired. Their judgment is further compromised in cyberspace due to the effects of online disinhibition.
Now let’s put these factors together with the act of buying drugs, now made as easy and prevalent as pirating music, and ask a new set of questions: Would a teenager be more likely to try a new drug when anonymously browsing the thousands of offerings on a black market site, simply due to the vast selection—so temptingly described and photographed—than he would to buy the same drug on the street?
Probably.
Would a young person be more likely to buy more drugs, due to the effects of online disinhibition?
Probably.
Remember the Triple A Engine of the Internet from chapter 2? The three ingredients—affordability, accessibility, and anonymity—are known to successfully drive people to sites that facilitate sexual communication online. But I believe this construct also explains the success of the black market drug sites. In other words, if you offer something illicit and forbidden, but with the features of the Triple A Engine, buyers will appear in droves.
Okay, then, does this mean that an individual risks a higher chance of becoming involved with drugs due to all the aspects of the digital marketplace?
In my opinion, yes.
There were roughly 187,100 drug-related deaths worldwide in 2013, according to the UNODC, and some 27 million people worldwide had problems with drug use. Obviously, this is the biggest downside to easy illegal drug sales.
As tragic as those numbers are, there is another potential downside to the prevalence of drugs online that could have even greater ramifications. Buying drugs online, particularly in Darknets, requires an individual to enter a “neighborhood” where bad things can happen. There’s actually a well-known criminology construct to explain it.
Cyber-RAT
A famous Canadian criminologist, Kim Rossmo, found that great white sharks and serial killers have common behavioral traits, in terms of how they hunt their prey. They both are focused killers, have a strategy, prefer their victims to be young and alone, and like to attack when light is low.
It would be interesting to consider the hunting patterns of cybercriminals in a place that’s also dark, and where there are plenty of young victims, surfing all alone.
A number of interesting things can happen when a young individual enters a new society and culture, such as the ones that exist on the Darknet. To begin with, consider how the good manners and responsiveness of vendors may send distorted social cues. Like what?
This is a safe place.
This is a place where people are looking after you.
This is a place where they really care about your business—and getting that five-star good-vendor rating.
And this is a place where you could make cool new friends.
In an age when most young people spend so much of their time online, where they make and maintain their social contacts, wouldn’t they wind up making some new acquaintances on Darknets?
In my own work investigating the evolution and behavior of the cybercriminal, I have been influenced by the pioneering work of David Canter, an investigative and environmental psychologist in the U.K. whose great book Mapping Murder is a fascinating read. Canter’s main areas of work are real-world offender profiling and geographical profiling. These theories can be used to demonstrate how environment can impact criminal behavior, and have helped me consider the impact of the cyber environment on crime.
As Canter states: “Criminals reveal who they are and where they live not just from how they commit their crimes, but also from the locations they choose.” In my work, I consider how the cyber location reveals the criminal.
We actually know a lot about pathways into a life of real-world crime due to the abundance of academic work in this area. And I do mean abundance. In the field of criminology, there are biological theories, labeling theories, geographical theories, trait theories, learning theories, psychoanalytic theories, addiction theories, and arousal theories. But if you wanted to know how, specifically, a young person goes from curiosity about the Darknets to cybercrime, or being part of organized cybercrime, we are still putting those pieces together.
As an advisor to Europol, I am currently one of the principal investigators on a new research initiative that will look at how young people get drawn into cybercrime—and specifically what the pathway is from cyber juvenile delinquency to lone cybercrime to organized cybercrime. One of the established criminology theories that we will be experimenting with—and trying to apply to cyberspace—is routine activity theory, or RAT.
Many theories focus on the individual characteristics of criminal offenders, but RAT, which was first introduced by sociologists Lawrence Cohen and Marcus Felson in 1979, examines the environments where crimes occur. The theory maintains that when motivated offenders and suitable targets meet in the absence of capable guardians, crime is likely to happen (motivated offender + suitable target + absence of capable guardians = more crime).
What’s helpful about RAT is that the absence of any of these three conditions can be enough to prevent a crime from happening.
The theory is based on human nature—and the patterns of everyday life that all of us fall into. As one criminological handbook puts it: “Individuals have different routines of life—traveling to and from work, going to school or attending religious functions, shopping, recreating, communicating via various electronic technologies, etc.—and these variations determine the likelihood of when and where a crime will be committed and who or what is the victim.”
Criminals have patterns too—places where they live, work, and play. We know, for instance, that if you enter a real-world neighborhood where more criminals live, you are more likely to be a victim of crime. Now, what if that neighborhood is not policed in any effective way? Crime goes up. Your chances of being a victim go up too.
Now let’s consider this in terms of RAT—or what we might as well call cyber-RAT.
The criminal neighborhoods online—on the Deep Web. How many motivated offenders are there?
Hundreds of thousands.
Suitable targets?
Even more.
How about capable guardians?
You know the answer already.
In the real world, young people have friends, older siblings, parents, neighbors, shopkeepers, teachers, and police who will say, “Don’t stand on the table!” or “Don’t run with scissors!” or “Don’t walk near that ledge!” or “Don’t go to that neighborhood!”
But in cyberspace, authority is minimal and there is a perception that nobody is in charge.
Because nobody is.
Now let’s consider this new bad cyberspace neighborhood, the sites on the Darknet. Imagine a boy who grows up in poverty, and in a real-world bad neighborhood that is populated by gangs. Very likely, that boy will grow up with lots of insights into criminal behavior—and have honed instincts or antennae about criminals. He’ll have “street smarts.” And because of this, he’ll have a pretty good understanding of gang culture and know the protocols and the rules. (Because there will always be rules.)
One of the rules of a gang is that once you are a member, you are a member for life. A boy who grows up in a gang neighborhood will know this, almost instinctively, due to the experiences and environment of his childhood.
Now let’s think about a boy raised in a suburb of Tallinn, Estonia. He may be socially isolated, spending a lot of time online in the safety of his bedroom. He has superb tech skills but no street smarts. He knows nothing about gang life and gang culture. He will have no experience, no wisdom. And yet it will be as easy for him to wander into Darknets as any boy. The boy in suburban Estonia can virtually transport himself within minutes into a high-crime neighborhood, where his tech skills will be viewed as a commodity. And there he could be groomed, coerced, or tapped to join a community that is really a cybercrime gang.
Once he falls into this cybergang, can he get out?
There are hundreds of stories of kids such as I’ve described, and we know this because of the number of mules, or money launderers, that are used by cybercriminals. Sometimes they answer an online ad—or post on a university bulletin board—that offers an opportunity to “stay at home and earn money.” The job is described as a financial manager, an overseas representative, or a payment processor for a new online business. No experience needed. Even some well-known businesses have had their brands hijacked and misused in this way. The job entails receiving money from customers, deducting a commission, and then wiring the balance overseas, usually to a bank in Russia or Eastern Europe. The offer often seems almost too good to be true.