The Underground Myth (Published in Phrack)
Volume 0x0c, Issue 0x41, Phile #0x0d of 0x0f:
|=-----------------------=[ The Underground Myth ]=----------------------=|
|=---------------------------=[ By Anonymous ]=--------------------------=|
This is a statement on the fate of the modern underground. There will be none of the nostalgia, melodrama, black hat rhetoric or white hat over-analysis that normally accompanies such writing.
Since the early sixties there has been just one continuous hacking scene. From phreaking to hacking, people came and went, explosions of activity, various geographical shifts of influence. But although the scene seemed to constantly redefine itself in the ebb and flow of technology, it always had a direct lineage to the past, with similar traditions, culture and spirit.
In the past few years this connection has been completely severed.
And so there’s very little point in writing about what the underground used to be; leave that to the historians. Very little point writing about what should be done to make everything good again; leave that to the dreamers and idealists. Instead I’m going to lay down some cold hard facts about the way things are now, and more importantly, how they came to be this way.
This is the story of how the underground died.
The Security Industry
Then in the U.S. music scene there was big changes made
Due to circumstances beyond our control... such as payola
The rock n roll scene died after two years of solid rock
- The Animals, circa 1964
There is little doubt that the explosion of the security industry has directly coincided with the decline of the hacking scene. The hackers of the eighties and nineties became the security professionals of the new millennium, and the community suffered for it.
The fact is that hackers, mostly on an individual basis, decided to use their passion as a source of income. Whether this is good, bad, or just pragmatic is completely irrelevant. Nearly all the hackers that could get jobs did. For the individuals that decision has been made (for better or worse), and in general there’s nothing that will change this.
This was a hacker exodus. What really mattered was not the loss of any individuals, but the cumulative effect this had on the underground. The more hackers that left the underground for a corporate life, the fewer that came in. And those who stayed became entrenched, increasingly disconnected.
Collaboration in this new age of career hackers has all but ceased to exist. Individuals are now obsessed with credit. For their career, for their standing in the community, it must be absolutely clear who this research, this vulnerability, or even this opinion belongs to.
There is no trust in this corporate community; an underground issue greatly amplified by corporate motivations. A single person can go months or even years without telling anyone exactly what he is working on, and what’s more, will be genuinely worried about someone “publishing” their results before him. There is no respect for the information he holds, no belief that information should be free, no belief that research should be open. All that matters is credit; all that matters is fame and money, their career.
This is purely the fault of the security industry, which has exploited and cultivated this culture, designed it for their needs. The truly sad thing is that the corporate security world hasn’t realized that they are sitting on a gold mine, and as a result the mine is likely to collapse; and likely to take their industry down with it.
The security industry uses information as its sole commodity, information about insecurity. Who has the information, and who doesn’t, is what makes this economy work. What’s more, the economy has been founded on the continued output of a finite group of hackers. For the most part, founded on those hackers that came out of the underground scene at their technical prime.
But these hackers are not going to continue their production indefinitely. They will lose their technical edge, move on to other industries, perhaps climb the ladder up to management, and then retire. The question is, then what? Then it will be up to the new wave of young security professionals, whose motivation is as much financial as it is passion for the technology and the thrill of the hacking game.
To imagine that these new wave office workers, university trained and disinterested, can match the creative output of a genuine hacker is laughable. The industry will stagnate under these conditions. The rapid technical advancement we have seen will end, no more breakthroughs: no more new security products or services. Just the same old techniques being rehashed again and again until the rock has been bled dry.
I am trying to show you the symbiotic nature of the security industry and the hacking scene. Industry needs insecurity to survive, there is no doubt about this. A secure and stable Internet is not profitable for long. Hackers provided instability, change, chaos. So the industry became a parasite on the hacking scene, devouring the talent pool without giving anything back, not thinking of what will happen when there are no more hackers to consume.
For this reason, the security industry, much like the hacker underground, is doomed, perhaps even destined for failure. But for now, all that matters is that we have a thriving industry and...
A hacker underground proclaimed to be dead.
Black Hat, Two Faces
It would be easy to lay the blame squarely on the shoulders of the security industry. A lot of people have. Unfortunately, it’s not that simple. Perhaps the underground could have survived without the lure of a six figure job, but one thing should be made clear. The self-proclaimed black hat movement does nothing to help.
Various black hat groups have claimed to be the voice of the underground, but the black hat scene was only ever a pale imitation of the actual underground. The underground wasn’t at all interested in public self-aggrandizement, but this is all the black hats ever did. All that their various rants and escapades accomplished was to show how desperate they actually were for fame and recognition.
But what’s worse, while they often talk a big game, they very rarely have the pedigree to back it up. This is mostly because these self-proclaimed black hats are really just as self-serving as the white hats they pretend to detest. With few exceptions, those black hats that aren’t already working in the security industry are those that don’t have the skills to cut it.
The entire anti-security theme was simply embarrassing. This was just the black hat movement admitting that they couldn’t step up and represent in an increasingly technical world. Where once hacking skill commanded respect, now the black hats were promoting misinformation in order to make what few hacks they managed to pull off easier. They couldn’t step up to a challenge, they couldn’t outsmart the white hats they so detest.
This ineptitude and misguided fervor of the black hat scene had a massive negative impact on the hacking underground. The true voice of the underground was lost behind the noise and drama, until the voice became a whisper.
And then eventually fell silent.
The very nature of technology, a dynamic and intractable force, had a lot to say in the demise of the hacking world. In many cases, if a black hat had been active 5 or 10 years earlier they would have been technically competent and may well have contributed significantly. This is because with the utmost respect, and despite all the nostalgia, hackers of the past had it easy.
In the early years, the problems hackers faced were largely related to the availability of information. Isolated groups of people had their tricks and techniques, and sharing this information was problematic. This is in direct contrast with the situation today, where there is an excess of information but a void of quality.
As a result of many differing factors, the world is becoming aware of the threats posed by lax security. When there is money at risk, steps will be taken to protect those assets. We see now an increasing move towards technical security mechanisms being employed as part of a defense in depth strategy, and as a result, to be a hacker today requires immense technical ability in a broad range of disciplines. It takes years of individual study to reach this level.
But unfortunately, fewer and fewer people are willing, or indeed capable of following this path, of pursuing that ever-unattainable goal of technical perfection. Instead, the current trend is to pursue the lowest common denominator, to do the least amount of work to gain the most fame, respect or money.
There has also been an increasingly narrow range in what is published. In part this is because of the lack of accessibility of certain systems (through obscurity or price), but this is also increasingly dictated by fashion. In a desire to fit in with the community, to be accepted into conferences, to be seen doing the right things in the right places with the right people, researchers are all too happy to slot into this pattern of predictable and narrow progress.
And even then, the standards of what makes acceptable research, or for what makes a vulnerability interesting, drop with every year. The gap between offensive research and defensive implementations continues to grow, to the point where public vulnerability research has become a parody of what it once was, a type of inside joke.
There is no creativity, no sense of arcana anymore.
From Operation Sundevil to cyber terrorism. The criminalization of computer hacking and, by association, computer hackers had a devastating impact on the underground. Hacking was criminalized in two ways, both of near equal importance: by legislation of computer crimes, and by the new trend of genuine criminals using hacking as a method for fraud.
There should be a clear separation between these two things. The fact that the underground collectively became criminals under the law for what they had been doing for, in some cases, decades. And the fact that in public perception, even among professionals that should know better, there was very little distinction between a genuine hacker and those criminals using hacking purely as a method for profit.
Indeed, little of what organized crime and terrorist/activist groups are doing could justifiably be labeled hacking. It is simply convenient to make this simplification, in media and in industry. The security industry knows the difference, but they have no economic interest in there being any clarity on this point. Any sort of hacking, anything they can sensationalize enough to scare their profit margin up suits them perfectly.
For the underground, these issues largely affected individuals, not the broader structure of things. Each person had to make a personal decision on whether it was worth 1) being seen as a criminal under the law and 2) being seen as a criminal in public perception. Why should the hacker face this when such an easy, safe, respectable alternative is available in the security industry?
Even the term black hat has been twisted into something more closely aligned to organized crime. For all their faults, black hats were not (in theory) motivated by this type of money.
It comes down to an aging hacking population deciding, on an individual basis, to settle down with their families, their material possessions, their careers. No one can argue that there is anything wrong with this. It is just a fact that these hackers left the scene behind.
Leaving a void too large to be filled.
The forgotten aspect of this whole story is, without doubt, the importance of new talent entering the world of hacking. Historically, hacking has belonged to the young. With every passing year, the average age of hackers collectively increases. Some would claim this is a sign of a maturing discipline. For surely, what could youth possibly contribute in this technological landscape? They call them kids, dismiss them as irrelevant.
Despite all of the issues facing the underground, if hackers had managed to get this one aspect right, if they had recognized the importance of those who would come after them, if they had given them something to aspire to be, if they had directly or indirectly taught them the accumulated wisdom that so often separates a hacker from the crowd; then perhaps there still would be a hacker underground.
Nearly all of the situations surrounding the disestablishment of the underground were circumstantial, there was nobody to blame, and nothing that could be done. But one point for which this was not true was the underground’s obligations to young hackers. An entire generation of talented hackers have lost the opportunity to become a part of something bigger than themselves by participating in a functioning hacking community, simply because hackers were too self-absorbed to notice.
The decline of the underground scene happened relatively quickly, and also relatively quietly. The hacker who left the underground behind for his new life was unlikely to justify or explain his choices. In fact it was more likely he would deny being changed at all. It’s likely he’d even continue to have contact with his fellow ex-hackers, in some imitation of the underground scene. This only helped to obscure what was actually happening.
Today’s youth, for the most part, have no true understanding of hackers or hacking. They have no knowledge of the history, no knowledge that a history even exists. Their hacker is the media’s hacker, the cyber terrorist, the Russian mafia. This is unfortunate, but the real trouble begins for those few that somehow become interested enough to look a bit deeper.
The average person requires some form of role model, something to aspire to, to imitate and to an extent, to idolize. At this time, the only visible efforts were the white hat researchers, the black hat horde or various other technically inept self-proclaimed ‘experts’. There is so little inspiring research, and even less inspiring hacking, that anyone new to the world of hacking is almost invariably left with a skewed impression of things.
Indeed, for a lot of the young people that managed to acquire the necessary technical base, hacking was seen as simply an interesting career path. There is no passion in these people, no motivation to extend and create. A competent professional, valued employee.
But no longer a hacker.