The odd joy of hacking
It’s amazing how some people get their jollies — such as by hacking into and damaging an open-source project’s Web site. As my colleague Edward Correia wrote about in EclipseSource this week, someone jumped onto the redesigned Eclipse Plugin Central site a few weeks ago, causing a service disruption and attempting to infect the site with a virus.
As Edward writes, “To what purpose?” Certainly if someone has that much creativity and talent, there are many of productive uses for those skills… if they choose to apply their skills that way. But it’s easier to destroy than to create.
Last week, I wrote an entry, “Poor sports,” where I suggested that it’s too bad that hackers aren’t publicly identified and humiliated; all we hear is that “the site was hacked.” We never know who did it or why. Of course, some people might thrive on that type of publicity.
Edward’s article got a few comments. Here’s one that stood out:
There are many type of people (“animals”), some of them would just be ethical and good by nature and some of them are evil, no matter what you plea, no matter what you teach them, no matter if you give them 10 commandments, they will stay evil! For them, strict punishments “may work.” Yes, you used the right words “The Real Sickos”.
And there are some who can be inspired and stopped from going into wrong path. For these, teaching and preaching is a good start to control the evil.
I think Media in general and IT media in special must start a campaign of not publicizing big security breaches and hacks, and instead preach the importance of Computing Ethics, at very personal level. Try to create an EVIL image of those who steal or destroys someone’s hard work.
I guess you used very proper language in your post and I think you have the right platform to talk about this issue.
What do you think? Is it good that we in the media publicize these sorts of hacks — even if we can’t identify the culprit? Or does the “publicity” that we give attacks of this sort merely serve to reward/encourage more malicious behavior?
I think this type of hacking/cracking called “defacing” is the electronic and virtual equivalent of a cheap graffiti job we in Norway call “tagging”. There’s no artistic creativity or incentive behind it; the whole purpose is to get your name “out there” and get “street cred”.
In Norway, anti tagging campaigns have mostly worked against its purpose, spraying lots of more fuel on the fire and making the whole rather innocent (nobody gets physically injured, after all) business into a “war”. Other strategies, like just not talking about it and painting it over as soon as possible, have worked much better. The “taggers” don’t get the publicity they want and their tag isn’t on a wall long enough for anyone to notice, so they don’t get any street cred from it either.
Taking the same strategy online to fight defacers would work just as good in my opinion. If a site is recovered from defacing before anyone can notice that it has been defaced and then nobody talks about it afterwards, what do the defacers get out of it?
Since Roman times, the pertinent question to ask is “cui bono?”
Who benefits most from publicity when an incident is reported? Yes, the miscreants no doubt get a charge out of seeing their work make headlines. But it’s only an increment over what they get out of seeing the defaced website, or watching the botnet numbers climb.
We, on the other hand, learn a lot. New attacks are highlighted for administrators, the general public’s consciousness is raised, tolerance for cracking diminished. Journalism is a duty, and while we shouldn’t publish howtos for script kiddies, we serve our readers poorly if we hide what’s happening.
Securing the Internet is as impossible as securing the US borders. But moving slowly toward something less dangerous is certainly worthwhile. Trouble is, that effort is not without a cost in money and convenience, and the public won’t pay it unless they’re aware of the scope of the problem.