Thursday, 14 January 2010
The Underground Myth
The Security Industry
Then in the U.S. music scene there was big changes made
Due to circumstances beyond our control... such as payola
The rock n roll scene died after two years of solid rock
- The Animals, circa 1964
There is little doubt that the explosion of the security industry has
directly coincided with the decline of the hacking scene. The hackers
of the eighties and nineties became the security professionals of the
new millennium, and the community suffered for it.
The fact is that hackers, mostly on an individual basis, decided to
use their passion as a source of income. Whether this is good, bad,
or just pragmatic is completely irrelevant. Nearly all the hackers that
could get jobs did. For the individuals that decision has been made (for
better or worse), and in general there's nothing that will change this.
This was a hacker exodus. What really mattered was not the loss of any
individuals, but the cumulative effect this had on the underground. The
more hackers that left the underground for a corporate life, the fewer
that came in. And those who stayed became entrenched, increasingly
Collaboration in this new age of career hackers has all but ceased to
exist. Individuals are now obsessed with credit. For their career, for
their standing in the community, it must be absolutely clear who this
research, this vulnerability, or even this opinion belongs to.
There is no trust in this corporate community; an underground issue
greatly amplified by corporate motivations. A single person can go months
or even years without telling anyone exactly what he is working on, and
what's more, will be genuinely worried about someone "publishing" their
results before him. There is no respect for the information he holds,
no belief that information should be free, no belief that research should
be open. All that matters is credit; all that matters is fame and money.
This is purely the fault of the security industry, who has exploited
and cultivated this culture, designed it for their needs. The truly sad
thing is that the corporate security world hasn't realized that they are
sitting on a gold mine, and as a result the mine is likely to collapse;
and likely to take their industry down with it.
The security industry uses information as its sole commodity, information
about insecurity. Who has the information, and who doesn't is what
makes this economy work. What's more, the economy has been founded on
the continued output of a finite group of hackers. For the most part,
founded on those hackers that came out of the underground scene at their
But these hackers are not going to continue their production
indefinitely. They will lose their technical edge, move on to other
industries, perhaps climb the ladder up to management, and then
retire. The question is, then what? Then it will be up to the new wave
of young security professionals, whose motivation is as much financial
as it is passion for the technology and the thrill of the hacking game.
To imagine that these new wave office workers, university trained and
disinterested, can match the creative output of a genuine hacker is
laughable. The industry will stagnate under these conditions. The rapid
technical advancement we have seen will end, no more breakthroughs:
no more new security products or services. Just the same old techniques
being rehashed again and again until the rock has been bled dry.
I am trying to show you the symbiotic nature of the security industry
and the hacking scene. Industry needs insecurity to survive, there is
no doubt about this. A secure and stable Internet is not profitable for
long. Hackers provided instability, change, chaos. So the industry became
a parasite on the hacking scene, devouring the talent pool without giving
anything back, not thinking of what will happen when there are no more
hackers to consume.
For this reason, the security industry, much like the hacker underground,
is doomed, perhaps even destined for failure. But for now, all that
matters is that we have a thriving industry and...
A hacker underground proclaimed to be dead.
Black Hat, Two Faces
It would be easy to lay the blame squarely on the shoulders of the
security industry. A lot of people have. Unfortunately, it's not that
simple. Perhaps the underground could have survived without the lure of
a six figure job, but one thing should be made clear. The self-proclaimed
black hat movement does nothing to help.
Various black hat groups have claimed to be the voice of the underground,
but the black hat scene was only ever a pale imitation of the actual
underground. The underground wasn't at all interested in public
self-aggrandizement, but this is all the black hats ever did. All that
their various rants and escapades accomplished was to show how desperate
they actually were for fame and recognition.
But what's worse, while they often talk a big game, they very rarely have
the pedigree to back it up. This is mostly because these self-proclaimed
black hats are really just as self-serving as the white hats they pretend
to detest. With few exceptions, those black hats that aren't already
working in the security industry are those that don't have the skills
to cut it.
The entire anti-security theme was simply embarrassing. This was just the
black hat movement admitting that they couldn't step up and represent
in an increasingly technical world. Where once hacking skill commanded
respect, now the black hats were promoting misinformation in order to
make what few hacks they managed to pull off easier. They couldn't step
up to a challenge, they couldn't outsmart the white hats they so detest.
This ineptitude and misguided fervor of the black hat scene had a
massive negative impact on the hacking underground. The true voice of
the underground was lost behind the noise and drama, until the voice
became a whisper.
And then eventually fell silent.
The very nature of technology, a dynamic and intractable force, had a lot
to say in the demise of the hacking world. In many cases, if a black hat
had been active 5 or 10 years earlier they would have been technically
competent and may well have contributed significantly. This is because
with the utmost respect, and despite all the nostalgia, hackers of the
past had it easy.
In the early years, the problems hackers faced were largely related to the
availability of information. Isolated groups of people had their tricks
and techniques, and sharing this information was problematic. This is
in direct contrast with the situation today, where there is an excess
of information but a void of quality.
As a result of many differing factors, the world is becoming aware of the
threats posed by lax security. When there is money at risk, steps will
be taken to protect those assets. We see now an increasing move towards
technical security mechanisms being employed as part of a defense in
depth strategy, and as a result, to be a hacker today requires immense
technical ability in a broad range of disciplines. It takes years of
individual study to reach this level.
But unfortunately, fewer and fewer people are willing, or indeed capable
of following this path, of pursuing that ever-unattainable goal of
technical perfection. Instead, the current trend is to pursue the lowest
common denominator, to do the least amount of work to gain the most fame,
respect or money.
There has also been an increasingly narrow range in what is published. In
part this is because of the lack of accessibility of certain systems
(through obscurity or price), but this is also increasingly dictated by
fashion. In a desire to fit in with the community, to be accepted in
to conferences, to be seen doing the right things in the right places
with the right people, researchers are all too happy to slot in to this
pattern of predictable and narrow progress.
And even then, the standards of what makes acceptable research, or for
what makes a vulnerability interesting, drops with every year. The gap
between offensive research and defensive implementations continues to
grow, to the point where public vulnerability research has become a
parody of what it once was, a type of inside joke.
There is no creativity, no sense of arcana anymore.
From Operation Sundevil to cyber terrorism. The criminalization of
computer hacking and, by association, computer hackers had a devastating
impact on the underground. Hacking was criminalized in two ways, both
of near equal importance: by legislation of computer crimes, and by the
new trend of genuine criminals using hacking as a method for fraud.
There should be a clear separation between these two things. The fact
that the underground collectively became criminals under the law for
what they had been doing for, in some cases, decades. And the fact that
in public perception, even among professionals that should know better,
there was very little distinction between a genuine hacker and those
criminals using hacking purely as a method for profit.
Indeed, little of what organized crime and terrorist/activist groups
are doing could justifiably be labeled hacking. It is simply convenient
to make this simplification, in media and in industry. The security
industry knows the difference, but they have no economic interest in
there being any clarity on this point. Any sort of hacking, anything
they can sensationalize enough to scare their profit margin up suits
For the underground, these issues largely affected individuals, not the
broader structure of things. Each person had to make a personal decision
on whether it was worth 1) being seen as a criminal under the law and
2) being seen as a criminal in public perception. Why should the hacker
face this when such an easy, safe, respectable alternative is available
in the security industry?
Even the term black hat has been twisted into something more closely
aligned to organized crime. For all their faults, black hats were not
(in theory) motivated by this type of money.
It comes down to an aging hacking population deciding, on an individual
basis, to settle down with their families, their material possessions,
their careers. No one can argue that there is anything wrong with this. It
is just a fact that these hackers left the scene behind.
Leaving a void too large to be filled.
The forgotten aspect of this whole story is, without doubt, the importance
of new talent entering the world of hacking. Historically, hacking has
belonged to the young. With every passing year, the average age of hackers
collectively increases. Some would claim this is a sign of a maturing
discipline. For surely, what could youth possibly contribute in this
technological landscape? They call them kids, dismiss them as irrelevant.
Despite all of the issues facing the underground, if hackers had managed
to get this one aspect right, if they had recognized the importance
of those who would come after them, if they had given them something
to aspire to be, if they had directly or indirectly taught them the
accumulated wisdom that so often separates a hacker from the crowd;
then perhaps there still would be a hacker underground.
Nearly all of the situations surrounding the disestablishment of the
underground were circumstantial, there was nobody to blame, and nothing
that could be done. But one point for which this was not true was the
underground's obligations to young hackers. An entire generation of
talented hackers have lost the opportunity to become a part of something
bigger than themselves by participating in a functioning hacking
community, simply because hackers were too self-absorbed to notice.
The decline of the underground scene happened relatively quickly, and
also relatively quietly. The hacker who left the underground behind
for his new life was unlikely to justify or explain his choices. In
fact it was more likely he would deny being changed at all. It's likely
he'd even continue to have contact with his fellow ex-hackers, in some
imitation of the underground scene. This only helped to obscure what
was actually happening.
Today's youth, for the most part, have no true understanding of hackers
or hacking. They have no knowledge of the history, no knowledge that
a history even exists. Their hacker is the media's hacker, the cyber
terrorist, the Russian mafia. This is unfortunate, but the real trouble
begins for those few that somehow become interested enough to look a
The average person requires some form of role model, something to aspire
to, to imitate and to an extent, to idolize. At this time, the only
visible efforts were the white hat researchers, the black hat horde or
various other technically inept self-proclaimed 'experts'. There is so
little inspiring research, and even less inspiring hacking, that anyone
new to the world of hacking is almost invariably left with a skewed
impression of things.
Indeed, for a lot of the young people that managed to acquire the
necessary technical base, hacking was seen as simply an interesting career
path. There is no passion in these people, no motivation to extend and
create. A competent professional, valued employee.
But no longer a hacker.
The Forward Link
The hacker underground has been systematically dismantled, a victim of
circumstance. There was no reason for this, no conspiracy, no winner. A
conquered people, but with no conqueror, no enemy to fight. No chance
of rebellion. Conquered by circumstance, if not fate.
At first this would seem to be a bleak message. What is the point of
even trying anymore? Why practice a dead art? But the truth is that the
art is not dead, just the circle that brought the artists together. The
hacker underground is broken, but the hackers are not.
Casualties have been high; but there still exists a scattered,
marginalized, and misrepresented people who are the hackers. Hackers,
not black hat nor white, not professionals, not amateurs (surely none
of this matters), are still out there in this world today, still with
all the potential to be something great.
The question is not then how to artificially group these people into a
new underground movement. The question is not how to mourn the passing of
the golden days, how to keep the memories alive. There are no questions
of this sort, no problems that can be solved or corrected by individual
All that remains is to relax, to do what you enjoy doing; to hack purely
for the enjoyment of doing so. The rest will come naturally, a new
scene, with its own traditions, culture and history. A new underground,
organically formed over time, just like the first, out of the hacker's
natural inclination to share and explore.
It will take time, and there will be difficulties. Some will not be able
to let go of the past, and some will fail for not remembering it. But
in the end, after everything has been said and done, the equilibrium
will be restored.
A new world, at the frontier of cyberspace, belonging to the hackers