Hackers Not Afraid of Being Caught

An anonymous reader wrote in to point us to an interview with Honeynet Founder Lance Spitzner where he says "Years ago it was hackers who were doing it for the bragging rights, now it's the criminals. The motivation has changed, hacking is now profitable and there's so much money to be made with very little risk to the actual hackers."

I smell a business opportunity.

[dada21]

Of course hacking is profitable -- the laws of supply and demand cover this as any service or product. The laws making hacking illegal only add more gold to the pot. For acts considered criminal, the value to the service provider will still meet what the market dictates. In this case, the chance of getting caught is low, so hacking might not be as profitable as selling pot, but it also depends on the demand. If hackers are making money, that means there is a demand for their service. If only a few hackers are willing to take the risk, a high demand and low supply of service providers means a high cost/profit. That's the nature of the free market.

Yet I don't think this profit will necessarily last forever -- even if laws change to make it easier to catch a hacker and even if the penalties are raised. The Internet is global, not local. With more third party countries gaining Internet access and more people willing to invest the time to learn to hack, I believe hackers will find their jobs outsourced as quickly as call centers and web developers have. So what?

The State will write laws to defend against hacking, but the reality is that the free market will provide better defense. There are laws against breaking and entering, but do they work? No, locks do. In situations where locks don't work, alarms work. In situations where alarms aren't enough, a Colt 45 used once usually fixes that situation. The law has almost no effect on crime other than raising the profit for those willing to take the risk. Hackers make a profit only means that anti-hackers have a new business opportunity -- and if you're good with security, you should make a windfall NOW before the law interferes with YOUR ability to secure your clients. Regulations against hacking might harm you more than they harm the "criminals."

Take advantage of this business opportunity today -- on either side of the "battle."

Re:I smell a business opportunity.

[s20451]

The market provides for both sides, the law provides for no one.

Anyone who thinks anarchocapitalism is a good idea should move to Somalia. The governmental vacuum is basically filled by loosely organized and bad-tempered gangs of mercenaries, although cell phone service is apparently cheap and plentiful. I would prefer the law, thanks.

Re:I smell a business opportunity.

[Archangel+Michael]

"I would prefer the law"

Somalia has laws. What they don't have is ORDER. Laws do not create order. Enforcement of laws does.

Re:I smell a business opportunity.

[99BottlesOfBeerInMyF]

First of all the novelty of an alarm system is notification of the police, who job it is to *gasp* uphold the law.

This is untrue. The chances of the police responding in time to do anything is very slim. The main purpose is to alert the owner and other people nearby, thus increasing the risk of this particular robbery or crime. It is the job of the police to investigate crimes, but they have neither the manpower or the will to prevent crime.

There are plenty of processionals that can or profession demands the ability to pick locks, bypass alarm systems and assault a building in a manner that would make a gun have very little effect.

Relative to the general populace or to the criminal populace, this just isn't true. Locks are easy to pick, alarm systems can be bypassed, but very few criminals take the time to do either when there are easier targets.

Perhaps the knowledge that maybe losing a chunk of your life to jail may put some second thoughts into these people.

Threat of punishment is a motivational factor, but surprisingly, not a very significant one. Studies have shown people in general believe they can get away with crimes without being caught. The main motivation for not committing them is actually a moral one. People do not feel justified in robbery. One of the strongest correlations with robbery and violent crime worldwide is wealth disparity. In places where some people are very poor and others are very rich, despite the rich not necessarily working harder or being smarter than the poor, the rates of these crimes is higher. It is easy to justify robbery when you were born into debt while others were born into extreme wealth. And that is exactly what people do.

Re:I smell a business opportunity.

[xappax]

OK, I hate government just as much as you, but on this matter it seems like you don't really know what you're talking about.

You claim that tighter laws and enforcement against computer criminals will encourage computer crime by driving down the supply of willing "workers". While this may jive with your anarcho-capitalist theory, it just ain't true.

The entire point of the article was that hacking is prevalent because there isn't serious enforcement of the law. The author points out that criminals use insecure methods of communication, not even bothering to conceal themselves, because they're confident that the law won't touch them. If the governments in eastern europe cracked down on internet crime, and actively investigated and arrested computer criminals, many of the current participants would be scared out of the game, no longer confident that they're above the law. There is a threshold of risk beyond which very few people are willing to go, even for a huge reward, and this is even more true of a job that requires in-depth training and is inaccessible to the vast majority of people.

There are plenty of good reasons to oppose cyber-crime crackdowns, and I for one do, but the argument you're making in this case is naive to both the technical and economic realities of international computer crime.

Re:I smell a business opportunity.

[mapkinase]

I wholeheartedly agree with the last paragraph. Further, we need to stop glamorizing hackers, the same way movie industry stopped glamorizing the mob (think Godfather -> Goodfellas transition). The main reason it has not been done yet is the hacker world is almost completely non-violent one. When hackers are associates of the multi-area mafia, they are at the same service level as lawyers, drivers, gray-business owners (pimps, dealers, bookmakers), small-business owners of the meeting places (restaurants, motels), etc... which are not particularly glamorized, but also not vilified enough as hitmen and high-level mob managers are.

Besides this, there are other important differences between breeching brick-and-mortar and breeching digital.

1. One-target-per-act - many-targets-per-act (hence "going after easy targets" emphasized)
2. Localized - internationalized (hence "hard to catch" factor)

Those two factors make huge difference.

Re:I smell a business opportunity.

[technococcus]

Hey, just FYI:

Alarm systems notify the police. The police come to the house. This process will almost certainly take far longer than the process of Break-and-Enter, Rape-and-Pillage, Then Haul Ass that the criminals in any given breaking and entering situation will be using. If you don't believe me, check the home invasion response times on the FBI's website. Nearly all calls (real live actual person calls, not automated alarm triggers!) take 5+ minutes, and a shocking amount have longer response times.

Also, just so you're aware of this next time you rely on the police to protect you/your rights:

It has been upheld three times (to my knowledge, there may have been more, more recent cases that uphold this as well) that a police department and its officers and employees are not responsible for providing for the personal protection or safety of any private citizen's health, life, welfare, or property and that none of these have any obligation to place themselves at any risk to protect any of those. A friend of mine who was a SWAT member on the Indianapolis PD for 20+ years (and spent the last 2 as an entry leader) has mentioned that doing a response to a home invasion call by the book according to many agencies and departments involves showing up and then checking your watch. You sit in the car for 5 minutes. THEN, you go see what's going on. The departments don't want their officers going in where there might still be criminals. So, yeah, the police probably won't be anything like as helpful to you in the defense of your life and property (and the lives and property of your loved ones) as a firearm that you have some skill with. A gun rarely has "very little effect" unless you're storing it improperly for defense (i.e., not near you/on you, not loaded, locked; most of your hunting weapons which stay locked in the safe wouldn't help, but the pistol you carry on a daily basis and the 12-gauge you keep loaded behind the bed would) or are completely unskilled in its use or unwilling to use it as intended (i.e., to fire upon in an attempt to incapacitate an intruder/threat).

Again, this has been a public service announcement for the instruction of all people interested in their own welfare.

Give them new authority

[suso]

Hackers can think whatever they want. The real problem right now is that the governments of the countries they live in don't care and don't do anything about it. Perhaps that's understandable since many of those countries have enough non-tech issues to deal with already. But I think that if that's the case, they just shouldn't be allowed on the internet yet. There really needs to be a bar for entry. I can't tell you how many applications we get for people using stolen credit card numbers and coming from IPs in Africa, Indonesia, etc. Fortunately, we check applications by hand and weed those out. But many hosting companies probably just accept them and create accounts, opening their systems to escalated privlige attacks.

I'm surprised we haven't started seeing vigilantes tracking down hackers and spammers. When governments can't handle things, the mob takes over.

Oh for crap's sake..

[Rob+T+Firefly]

Being a hacker is not a punishable offense. If criminals are using so-called "hacker" skills in criminal pursuits, they're still criminals. Call them criminals.

I'd expect the OMG SCARY word "hacker" to be misused like this in Hollywood films and mainstream news, but not on Slashdot of all places.

Re:Oh for crap's sake..

[B11]

[blockquote] Being a hacker is not a punishable offense. [/blockquote] Not yet anyways. But being a tinkerer and an "outside-the-box" thinker, non-comformist, etc is certainly NOT something being encouraged today, vis-a-vis things like the DMCA, the Patriot Act, etc, etc. Kinda sad actually.

Words change

[Moraelin]

Welcome to the real world: words change meanings continuously. "Thing" once meant a council meeting (waay back in the norse times), now it mean, well, "thing". "Gay" once meant cheerful/happy, then it meant "homosexual", and now it's in the middle of becoming just "uncool". Etc.

That's how we ended up with so many languages. As a species we have a sort of a "Babel tower" mechanism built in. Get two communities isolated for long enough, and even starting from the same language you end up with two new languages or dialects. Each of the two changed words independently, and eventually you end up with the whole language of each not even resembling the language of the other. (Don't believe me? English and Greek both evolved from the same Indo-European roots.)

People hear some cool new word, or a new way to use an existing word, or some wisecrack and latch to it. And if it gets enough followers, there you go, you have a new word or a new meaning for a word.

Some cool kid uses, say, "twink" in a MMO once for someone buffed or equipped beyond the means of a normal player that level. Some people hear it, like it, and start using it too. Repeat a few iterations, and next thing you know it becomes the new primary meaning of that word in relation to MMOs.

And so it was with "hacker" too. Except this time it was also boosted by a whole generation of clueless journalists, who promptly bombarded everyone with their new meaning. Everyone has had it hammered into their heads that "hacker" doesn't mean the old-style "guy who really likes computers and doing amazingly hard/low-level stuff", but, yes, basically "high tech criminal".

As early as the end of the 90's I've had the surprise to hear even computer engineers using it that way. Yes, literally. I was for example at some training back then and the guy teaching goes, "anyone knows what a 'hacker' is?" Me: "Someone who really loves computers and programming?" Him: "Nope, a criminal breaking into other people's computers." Go figure.

So, way I figure it, we might as well let go. That battle is lost, and we don't even have the means to fight it. For every time you tell someone "no, no, no, 'hacker' was never supposed to mean 'criminal'", they'll promptly have a dozen TV show hosts, pseudo-tech journos, etc, hammering the opposite right back into them. That word is lost. By now it's not just "mis-used", it simply _is_ the new meaning of the word.

Give up, move on, find another one.