Category: Security

Review: A Hacker’s Mind

A Hacker’s Mind: How the Powerful Bend Society’s Rules, and How to Bend them Back
by Bruce Schneier
Norton
ISBN: 978-0-393-86666-7

One of the lessons of the Trump presidency has been how much of the US government runs on norms that have developed organically over the republic’s 247-year history. Trump felt no compunction about breaking those norms. In computer security parlance, he hacked the system by breaking those norms in ways few foresaw or thought possible.

This is the kind of global systemic hacking Bruce Scheneir explores in his latest book, A Hacker’s Mind. Where most books on this topic limit their focus to hacking computers, Schneier opts to start with computer hacking, use it to illustrate the hacker’s habit of mind, and then find that mindset in much larger and more consequential systemic abuses. In his array of hacks by the rich and powerful, Trump is a distinctly minor player.

First, however, Schneier introduces computer hacking from the 1980s onward. In this case, “hacking” is defined in the old way: active subversion of a system to make it do things its designers never intended. In the 1980s, “hacker” was a term of respect applied to you by others admiring your cleverness. It was only in the 1990s that common usage equated hacking with committing crimes with a computer. In his 1984 book Hackers, Steven Levy showed this culture in action at MIT. It’s safe to say that without hacks we wouldn’t have the Internet.

The hacker’s habit of mind can be applied to far more than just technology. It can – and is today being used to – subvert laws, social norms, financial systems, politics, and democracy itself. This is Schneier’s main point. You can draw a straight line from technological cleverness to Silicon Valley’s “disrupt” to the aphorism coined by Georgetown law professor Julie Cohen, whom Schneier quotes: “Power interprets regulation as damage, and routes around it”.

In the first parts of the book he discusses the impact of system vulnerabilities, the kinds of responses one can make, and the basic types of response. In a compact amount of space, he covers patching, hardening, and simplifying systems, evaluating threat models as they change, and limiting the damage the hack can cause. Or, the hack may be normalized, becoming part of our everyday landscape.

Then he gets serious. In the bulk of the book, he explores applications: hacking financial, legal, political, cognitive, and AI systems. Specialized AI – Schneier wisely avoids the entirely speculative hype and fear around artificial general intelligence – is both exceptionally vulnerable to hacks and an exceptional vector for them. Anthropomorphic robots especially can be designed to hack our emotional responses.

“The rich are better at hacking,” he observes. They have greater resources, more powerful allies, and better access. If the good side of hacking is innovation, the bad side is societal damage, increasing unfairness and inequality, and the subversion of the systems we used to trust. Schneier believes all of this will get worse because today’s winners have so much ability to hack what’s left. Hacking, he says, is an existential threat. Nonetheless, he has hope: we *can* build resilient governance structures. We must hack hacking.

Review: Tracers in the Dark

Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency
By Andy Greenberg
Doubleday
ISBN: 978-0-385-548/09-0

At the 1997 Computers, Freedom, and Privacy conference, the computer scientist Timothy C. May, a co-founder of the influential Cypherpunks mailing l|ist, presented the paper Untraceable Digital Cash, Information Markets, and BlackNet. In it, he suggested that the combination of the Internet, anonymous digital cash, and the possibility that anyone could be a “mint” (in the money sense) created the conditions for BlackNet, a market in stolen secrets, assassinations, and other illegal goods and services. In trying to stop it, he said, regulators and governments would invoke the “Four Horsemen of the Infocalypse”: nuclear terrorists, child pornographers, money launderers, and drug dealers.

Like all futurists, May was building on existing trends. Digital cash already existed in an early form, and governments were already invoking the Four Horsemen in opposing widespread access to strong encryption (they still are, in debates about the UK’s Online Safety bill. Still, his paper also imagined Wikileaks.

Almost certainly the unknown creator of bitcoin, Satoshi Nakomoto, knew the cypherpunks list. In any event, at the beginning, bitcoin appeared to be – and the community surrounding it sometimes billed it as – sufficiently anonymous and untraceable to enable May’s BlackNet. Tl;dr: not for long.

In the highly readable Tracers in the Dark, veteran Wired journalist Andy Greenberg tells the story of step-by-step technical advances that enabled law enforcement, tax authorities, and others to identify and arrest the owners and users of sites dealing in illegal goods like Silk Road, AlphaBay, and Welcome to Video, and take the sites down.

The essential problem for criminals seeking secrecy is, of course, that the public blockchain indelibly records every transaction for all to see for all time. Not only that, but the bigger the pile of data gets the more useful information it yields to analysis. Following the money works.

Greenberg’s series of detective stories begins and ends with Sarah Meiklejohn, now a professor in cryptography and security at University College London. As a graduate student circa 2012, she began studying how bitcoin was being used, and developed clustering techniques that ultimately made it possible to understand what was happening inside the network and identify individual users and owners. Following in her footsteps are an array of interested detectives: the fledgling company Chainalysis, Internal Revenue Service, the Drug Enforcement Agency, and international police. She herself declined a well-paid offer to join them; she sees her role as that of an impartial researcher issuing a public advisory.

At every step the investigators had help from the criminals themselves, who over and over again were remarkably sloppy about their own security. Ross Ulbricht, was identified as the administrator of Silk Road because he’d once posted his real email address to a coding forum. Alexandre Cazes, the owner of AlphaBay, was successfully arrested because he kept helpfully posting details of his many female conquests to an online forum, helping the agents following him build a detailed understanding of his whereabouts.

Each takedown has been followed by efforts to improve blockchain privacy. But even so, investigators have years’ worth of leads they can still follow up. And by then, as Danish entrepreneur Michael Gronager says toward the end of the book, referring to the then new, more resistant technologies Monero and Zcash, “Any of these systems, anything that’s developed, you always see a couple of years alter, someone finds something.” Nothing’s perfect.