Stanford Researcher Finds Little To Love In Would-Be Hacker Marketplace

An anonymous reader writes: What if there were an Uber for hackers? Well, there is. It's called Hacker's List, and it made the front page of the New York Times this year. Anyone can post or bid on an 'ethical' hacking project. According to new Stanford research, however, the site is a wreck. 'Most requests are unsophisticated and unlawful, very few deals are actually struck, and most completed projects appear to be criminal.' And it gets worse. 'Many users on Hacker's List are trivially identifiable,' with an email address or Facebook account. The research dataset includes thousands of individuals soliciting federal crimes.

In other news

[CaptSlaq]

Grass is green, sky is blue, water is wet. More at 11.

Re:In other news

[thedonger]

Grass is green, sky is blue, water is wet. More at 11.

I CAN'T WAIT UNTIL 11! TELL ME OTHER OBVIOUS THINGS NOW!

Re:In other news

[Penguinisto]

Yeah... thinking the same thing. Without some sort of participation or backing from established researchers and vendors, this was pretty much a non-starter.

Re:In other news

[thedonger]

Grass is green, sky is blue, water is wet. More at 11.

Now that I think about it, none of those are true in the literal sense. And you probably mean "More at 23" unless you want the wrath of the non-Americans.

Re:In other news

I've never seen the news on at 11.

Re:In other news

Nobody gives a crap what the whiny bitch Euro's think of how we keep time.

Least of all that annoying Greek guy.

Re:In other news

[timholman]

Grass is green, sky is blue, water is wet. More at 11.

I CAN'T WAIT UNTIL 11! TELL ME OTHER OBVIOUS THINGS NOW!

Your dog loves you. But that cute girl down the street? She just wants to be friends.

Re:In other news

[mjm1231]

Grass is green, sky is blue, water is wet. More at 11.

Now that I think about it, none of those are true in the literal sense.

That sentence is only true if words literally don't ever mean anything. Which may be literally true, but is useless. I'm going to go on pretending that they do.

Re:In other news

[funwithBSD]

What about her dog? How does it she feel about me?

Re:In other news

[nyet]

"It is a fair summary of constitutional history that the landmarks of our liberties have often been forged in cases involving not very nice people." - Supreme Court Justice Felix Frankfurter

Re:In other news

[ShanghaiBill]

Grass is green, sky is blue, water is wet. More at 11.

Not in California. Although the sky here is blue and cloudless, the grass is brown and there is no water.

Re:In other news

Kinda sounds like the Dark World from Zelda: A Link to the Past.

Re:In other news

Her dog is in to you. But that cute girl down the street? She won't let you have sex with her dog.

Re:In other news

[ceoyoyo]

It's true in that those universal statements aren't universally true. Grass isn't green in the winter here, it's brown. The sky is blue outside my window currently, but yesterday it was gray. There's an awful lot of water around here that isn't wet during the winter.

Re:In other news

Grass is green, sky is blue, water is wet. More at 11.

I CAN'T WAIT UNTIL 11! TELL ME OTHER OBVIOUS THINGS NOW!

Your dog loves you. But that cute girl down the street? She just wants to be friends.

Actually you make her skin crawl and she'd rather avoid you like the plague but it's not polite to say so.

Re:In other news

[tehcyder]

Her dog is in to you. But that cute girl down the street? She won't let you have sex with her dog.

Yet another example of FEMINISTS interfering with my freedom of expression. My grandfather fought in the war to protect our freedom, and now we let SJWs take it away, piece BY piece in the name of POLITICAL CORRECTNESS!.

Literally Hitler. THANKS Obama.

Re:In other news

[tehcyder]

It's true in that those universal statements aren't universally true. Grass isn't green in the winter here, it's brown. The sky is blue outside my window currently, but yesterday it was gray. There's an awful lot of water around here that isn't wet during the winter.

And don't forget it's all a hologram inside a computer anyway, so let's all just kill ourselves and escape the Matrix.

Re:In other news

I was part of an ethical hacker community, funny thing is that almost none of us charged for our hacks. But some did.

The problem with most Ethical Hacker sites is that they are marketing to a negative audience. As soon as you put the word Hacker in your search you are no longer looking to do something legal or Ethical.

The trick is limit your audience. When people want ethical hacking they rarely use the word hacker. There ere exceptions, like game hacking for instance, people just go there to hack simple games. The community i was part of was just this game hacking we did not break into servers or hack things like game serials. (Though many o us knew how we kept it strictly to "legal" hacks, we did get a few requests for that anyway.) For white collar hacks the search term you will be looking for is pen-testing (short for penetration testing) or vulnerability assessment.

If you want more than that well your getting into illegal stuff, and here the water gets murky. How do you trust a hacker with no ethical code of conduct? How does the hacker trust you? Most of these hackers want "protections" to ensure they are not being targeted.
To make things worse common things like "hack my wife's FaceBook account password for me" are to specific for a hacker to guarantee success. When a hacker first breaks in they have little idea of what they will be able to accomplish at first, so if you want to hack something specific on Facebook, or Google you need to find someone who has already done it. So when someone asks for something like that how the hacker has to accept your request without admitting they already have done this, because you know, you might be the "feds". Or it might be the other way around.

Now for the harsh social aspect of hackers, they are the ultimate tools. Your looking at people who were raised on 4chan. So, to become a hacker you must be forged in fire. And not just any fire, the kind of flame that will drive some to suicide, the kind of fire that can drive some to school shootings. They don't tell you how to hack, they will tell you where to look if you are lucky and often to get that you will need to read between the lines. Hackers don't train other hackers, there is no magical book to tell you how to hack. You must become a hacker on your own.

So to sum this up, hackers are not what the outside thinks they are. It's a harsh place, where distrust is rampant, the social conditions are horrid, and everything you do can end you up in jail. Becoming a respected hacker is not some thing for the faint of heart. There is a reason that the legal side of hacking has taken their own set of keywords.

Re:In other news

[thedonger]

Grass isn't green -- it just absorbs red and blue light. And the sky refracts white light, letting through blue. And even so, "red," "green," and "blue," and "wet" are human created constructs. In an absolute sense, there's no difference between water and air and dirt; they're all made up of the same stuff. Holy shit, that means we can turn lead into gold! I'll be back -- gotta alchemize my fortune.

Re:In other news

[ceoyoyo]

We have a "human construct" called "green" that most of the human construct "us" pretty much agree upon. The human construct "grass" sometimes meets this criteria, and sometimes doesn't. If you truly believe that, in an absolute sense, there's no difference between water, air and dirt, I can suggest some experiments you might wish to conduct that are likely to convince you of the folly of that statement. You're right, they are made up of the same stuff, but arrangement of that stuff is rather important.

PS - you do realize we can actually turn lead into gold, right?

LOL

[ellehooq]

You would think a website offering hacking services would protect the identity of it's users. What a scam.

Uber for X

Ugh. "Uber for X" sort of made sense for startups selling services where people drive out and perform small tasks for you. This is not that.

Re:Uber for X

[shadowrat]

Ugh. "Uber for X" sort of made sense for startups selling services where people drive out and perform small tasks for you. This is not that.

well you're going to love my startup. Oober lets you crowdsource a person to call for your Uber for you. Oober's like Uber for Uber!

Re:Uber for X

[Barny]

Are you providing an API? If so, I could make a startup that caters specifically to people on the go! It will Uber Oober, to contact Uber, so you don't have to!

Called Youber, it is a person-centric service for modern professionals who just don't have time to Uber for Uber.

Hmmm ...

[gstoddart]

Shady stuff on the intertubes? I'm shocked I tell 'ya.

There's really only one question: is the owner aware that his site is being used for illegal stuff, or has be willfully made sure he isn't aware.

Because TFA sure as hell makes it sound like it's pretty blatantly being used for illegal stuff ... and then it's just a matter to which the owner is consciously facilitating this.

So, which is it ... clueless that your site is being used to break the law? Or intentionally not noticing that your site is being used to break the law?

Hacker's List "is intended for legal and ethical use." And, according to the owner, "[n]o one is going to complete an illegal project through my website."

How about "i need hack account facebook of my girlfriend," completed for $90 in January? Or "need access to a g mail account," finished for $350 in February? Or "I need [a database hacked] because I need it for doxing," done for $350 last month?

That does not sound like a site which is in any way policing itself to be a legal operation.

Not even a little.

Re:Hmmm ...

[pr0fessor]

I'm trying to think of some kind of legal hacking that I would want a pseudo anonymous third party to do for me. When it comes to legal hacking I can't think of much that a private individual would need and an enterprises would do so internally or hire a reputable security company before they would use a pseudo anonymous individual.

Re:Hmmm ...

[gstoddart]

Well, and then extend the metaphor to real world things and it gets even harder to understand.

Need access to your neighbor's house? Someone else's car? A safe?

Yes, you would totally go find a pseudo-anonymous entity to help you get into those things, because that's how those things are normally done. No, wait, it completely isn't.

But suddenly hacking into Facebook, or GMail, or a database (so you can use it for doxxing) .. and someone can claim to have a legal business facilitating these transactions? I think not.

Sounds quite sketchy to me, especially when the site owner is adamant that people won't be using his site for anything illegal. I'm with you, I can't think of any situation in which this makes sense.

What next, the pseudo-anonymous physical intimidation service? Mooks List?

Unauthorized computer access is a criminal act. Period.

Re:Hmmm ...

Driving over the speed limit is a criminal act. Period. Crossing the street off the walkpath is a criminal act. Period. There are ethical ambiguities all up in this piece.

Re:Hmmm ...

[gstoddart]

Driving over the speed limit is a criminal act. Period. Crossing the street off the walkpath is a criminal act.

OK, but honestly, nobody is giving you a damned website to act as a marketplace for someone to speed or jaywalk for you.

Which means the site pretty much has one function: to facilitate people doing illegal things on your behalf in exchange for money. As soon as you start facilitating connections between people to break the law, it becomes something else.

If the owner didn't police this, then I'm going to say "ethical ambiguity" is a crock of shit.

How many of these transactions are provably legal? Because reading the examples in TFA, they're pretty much blatantly illegal.

Re:Hmmm ...

[pr0fessor]

You could probably consider some security auditing and penetration testing to be legal hacking given it takes place on your private network and is looking for existing exploits to patch. I doubt there is enough call for that on a private level and corporations aren't going to farm that out on a site like this and from TFA it isn't what is being bid on.

Re:Hmmm ...

[tehcyder]

There's really only one question: is the owner aware that his site is being used for illegal stuff, or has be willfully made sure he isn't aware.

As a guess, he thinks he's being clever, like a lot of people who end up in prison for psychopathically profiting from breaking the law.

Re:Hmmm ...

[tehcyder]

Driving over the speed limit is a criminal act. Period. Crossing the street off the walkpath is a criminal act. Period. There are ethical ambiguities all up in this piece.

Where is the fucking ethical ambiguity in being caught for speeding? If you are genuinely rushing your pregnant wife to hospital, deal with the consequences - big deal you have to pay a fine.

And jaywalking is, as far as I know, a uniquely American piece of absurdity, but just because there are some ridiculous crimes on the statute books does not mean that all crimes on the statue books are ridiculous.

Who does this? A. Millennials!

[jtara]

Who openly posts solicitations to commit a Federal crime, while positively identifying themselves through social media?

The same people that Liberty Mutual doesn't want going around driving three-quarters of a car, that's who!

What will those clueless Millennials do next?

Re:Who does this? A. Millennials!

Probably decide which home you should end up in.

Re:Who does this? A. Millennials!

Elect the next president.

Re:Who does this? A. Millennials!

[TheCarp]

Well for starters, the people on Hacker's List apparently. If you really wanted to know who they are, you can, in fact, easily go ask them.

Re:Who does this? A. Millennials!

[jtara]

Oh, lord! Guess they'll be snap-chatting my feeding tube to their friends, too!

Re:Who does this? A. Millennials!

Bullshit. Attrition has a long documented list of easily identifiable numbnuts soliciting federal crimes going back decades. People would include names, addresses, phone numbers, the lot. "Going postal" was one of my favourite sections.

"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." - Albert Einstein

See? People were dumb in his days too.

Re:Who does this? A. Millennials!

Millenials live and breathe being online. They can't go a few minutes without being connected to their smartphones. Who do you think is less knowledgeable about information technology and thus is more likely to do dumb stuff like solicit hacking services online: millenials or the other generations of people that have a hard time understanding the difference between a browser and the internet?

Re:Who does this? A. Millennials!

Topkek, look! He shat himself again. Check out this vine of him crying lel.

Re:Who does this? A. Millennials!

The crooked one we saw on 60 Minutes.

FBI Honeypot?

What makes anyone think this might not be an FBI honeypot, or at least monitored in detail by the FBI and NSA.

Re:FBI Honeypot?

[GameboyRMH]

If anyone thinks the FBI and NSA aren't monitoring in detail, they're a total moron. The FBI is known to monitor things much less criminal and obvious than this, and the NSA is watching by default even if they didn't mean to in the first place.

Re:FBI Honeypot?

No the FBI is too busy creating fake terrorist and the NSA is sucking up so much useless data it's making us less secure than focusing on actual problems.

Re:FBI Honeypot?

Exactly what I thought too.

"The FBI thanks you for habituating the Hacker's List. Your business means the world to us!"

"federal" crimes?

[xxxJonBoyxxx]

Is a (US) "federal" crime any worse than other crimes? For example, murder is generally a state crime.

Suggestion: use "felony" instead...

Re:"federal" crimes?

Federal means it crosses a state line. Most internet crimes are federal offences because the communications leave your state. This is an automatic penalty raiser.

Re:"federal" crimes?

many federal hacking crimes are misdemeanors, so no. Most hacking crimes are federal. The proceedings are more serious but the punishments are not. It isn't saying worse, it is specifying federal.

Re:"federal" crimes?

[gstoddart]

Well, the fairly obvious answer is that if it's a federal crime, then federal resources will be the ones going after you and won't need to care about state jurisdiction.

For a felony you would not necessarily get the feds turning their resources to you.

So, in terms of which agencies will be coming after you, and with what resources ... pointing out that you'd be violating federal law says you get a whole different class of people coming after you.

Federal crimes may not be worse, but the magnitude of who is investigating it and how much resources they have is an entirely different animal.

I'd say it's very relevant. Because it's the big boys who will be investigating and prosecuting, not local/state agencies.

Re:"federal" crimes?

[Infiniti2000]

In the U.S. a federal crime is worse because you end up going to a federal pound-you-in-the-ass prison.

Re:"federal" crimes?

[jtara]

Internets cross state lines, and so there is Federal jurisdiction. Only the state in which the crime is committed (which can be ambiguous here) would have an interest, and state law in this case would typically be less specific.

You're implying that the author meant to make the crime seem more serious by their use of "Federal". I don't make that assumption. They just accurately stated the likely jurisdiction and who would likely investigate and prosecute.

Re:"federal" crimes?

[funwithBSD]

Ask Dzhokhar Tsarnaev,

he would not be facing death row if it was a state crime.

Re:"federal" crimes?

Ask Dzhokhar Tsarnaev,

he would not be facing death row if it was a state crime.

Very true, but I could tell from the moment he was caught after all the chaos that transpired that, he was going to get the "Timothy McVeigh" plan.
McVeigh got the death penalty before 9-11 happened, The only way Dzokhar was not going to get the death penalty was if he was under 17 or if he had intelligence about ANY terrorist operations or other operatives, he would have just been sent to Guantanamo and waterboarded till he spilled the beans, then we probably would have just never heard about him again.

Dont get me wrong, Dzokhar deserves to die, no question! The US should have 0 tolerance for terrorism.

It amazes me hearing on the news how the victims of the bombing that lost loved ones (who were children) and are missing limbs were going to have a chance to talk in front of him in court about all the pain and suffering he caused.. I don't know if I could do that, I am pretty sure I would have nothing to actually "Say" but would be more for the idea of.. wanting 5 minutes alone in a locked room.. to "Make my point" as in ripping one of his arms out of it's socket and beating him with it within inches of his life.. but that is just me.. not much of a talker, more of a doer on those situations. I value life and I care about people ,but.. that little curly headed fuck is wasting oxygen that the rest of the human race really is more deserving of.

Re:"federal" crimes?

he would not be facing death row if it was a state crime.

Depends on the state.

Re:"federal" crimes?

[ceoyoyo]

If you drop the (US), then quite often. In Canada the maximum punishment for a provincial crime is two years less a day. Anything more serious than that is federal.

Re: "federal" crimes?

Pretty sure Boston marathon is still held in Boston which is still in Massachusetts...

Re:"federal" crimes?

I could tell... he was going to get the "Timothy McVeigh" plan.
McVeigh got the death penalty before 9-11 happened,

Not to split hairs, but McVeigh killed 168 people.

The only way Dzokhar was not going to get the death penalty was if ....

It amazes me hearing on the news how the victims of the bombing that lost loved ones (who were children) ...

Yes, all of the victims were at one time or other, children. But technically only one child was killed, Martin Richard, who was 8. The other two fatalities from the bombings (not subsequently) were over 18.

Its all very upsetting.

It gets worse...

[countSudoku()]

Wait 'till he sees craigslist! Yikes!

how could this possibly go wrong

/obvious

Prices are way too low

Any serious hacker wouldn't even get out of bed for these prices.

"Hacker"...

[antiperimetaparalogo]

'Most requests are [...] unlawful [...]' And it gets worse. 'Many users on Hacker's List are trivially identifiable,' [...] The research dataset includes thousands of individuals soliciting federal crimes.

"worse"? You mean "better"!

deres haxx0rs in ur listz

The entire "haxx0r community" is morally bankrupt, which of course breeds nothing but more bankrupcy.

But since both the white hats and the black hats are eating well there's no pressure to improve.

the real underground

is laughing at this

Re:the real underground

is laughing at this

Agreed, It amazes me how some can be so skilled at foiling security systems, social engineering, SQL injection, Buffer overflowing authentication systems and lots of esoteric programming skills and yet tend to go up on some social media site and all but admit fault to it all just for ego gratification. I sometimes wonder if that is not some coy disinformation ruse. Interestingly though if it is not, the people doing it would be so much easier to catch than someone like Dread Pirate Roberts for instance, and the Feds played a number on him to find out who he was.

  If the millennial "hackers" are bragging on social media, then my assumption about the plummeting IQ of todays youth was worse than I thought. It reminds me of the "hipsters" in the 1990s that were all "gung ho" about legalization of pot, but who happened to smoke pot and always had an amount on them and happened to make a habit of wearing shirts with big pot leafs on them and having crazy 4:20 related bumper stickers all over their cars, and then they whine and complain how "the man" mistreats them and violates their 4th amendment rights when they get pulled over by a cop and searched , randomly... It is not like they didn't just hand probable cause to the cop on a platinum platter.. Ridiculous! In both cases I am reminded of the immortal words of John Wayne about how life is hard, but it's even harder if you're stupid.

Re:the real underground

I don't think that's probably cause. I think that's freedom of speech. Kind of like sticking a select finger out at a cop while driving is freedom of speech... I think.

Hilarious~

This kind of thing happened when MTV had the segment "you hear it first" trying to sell any number of bands 3rd or 4th albums as "debuts". Just because you didn't know about it until today, doesn't mean it didn't exist yet.

FBI ghosts

"The research dataset includes thousands of individuals soliciting federal crimes."

I guess the ghost SW project the FBI put out for programming is finished!

not hackers.

[evilrip]

Can we stop calling common criminals for hackers? Some of us are starting to get really offended, to the point we wonder how anyone of you ever made it out of grade school. Maybe the word you were looking for was "cracker"? rtfm.

Re: not hackers.

Just puhhleease stop the "maker" movement from calling themselves hackers.

Re:not hackers.

[Patent+Lover]

Sorry grandpa, but the term crackers has had nothing to do with computers for at least 30 years. Like it or not but "hackers" has taken its place. Now, what ever happened to script kiddies?

Re: not hackers.

[tehcyder]

Just puhhleease stop the "maker" movement

FTFY.

Re:not hackers.

[evilrip]

"Script kiddies" really only fit a subset of malicious "hackers", if you must. These "skiddies", as we call them, typically abuse tools written by hackers or amateurs for one purpose or another. These people are mostly without programming talent. The fact is that most experienced hackers know what power they wield, understand how much work goes into the r&d stage(playing around, etc.). While i personally never agreed with calling them crackers(a great disservice to many great software crackers out there, something that is an art onto itself), that is in fact what was decided years before the media and all manner of ignorant people decided to use the term exclusively for criminal depictions. The fact is you mostly mean to say "criminals", not hackers. Hackers are how the internet got here in first place; how it broke out of the labs and broke ground in the population at large. That OS, Linux/android, that most likely drives one or more cell phones in your home was once the laughing stock of the commercial world, written off as amateur crap from amateur hackers. Today it dominates the market with only one real competitor in the cell market, and different one in the server market. In case you have an iPhone maybe you should check out the origins of it's Darwin core and FreeBSD origins. By hackers for hackers has become by hackers for everyone and the world owe many brilliant minds an enormous gratitude for sharing all their wonderful code and ideas for FREE. Today corporations and persons both profit enormously from this. In simplified terms "hacker" just means you're playful and curious about things, some of those things might be a worry to some, often ignorant minds, and a delight to others. Tho ignorance is bliss, it can also be incredibly dangerous, yours should not be everyone else' problem. This whole thing started with model train set enthusiasts, so go figure :)

Re:not hackers.

[evilrip]

Sorry grandpa, but the term crackers has had nothing to do with computers for at least 30 years. Like it or not but "hackers" has taken its place. Now, what ever happened to script kiddies?

30 years ago I was still many years away from having cognitive memory, and as I don't even have a kid, I don't see how I can be grandpa. you look kind of ignorant tho. :)

this sounds like

[l0n3s0m3phr34k]

an FBI honeypot trap. Yes, come to the site, ask for people to do illegal things...send them some $, have the FBI show up at your door.