In a recent article, the New York Times has cast a spotlight on a new website called Hacker’s List, possibly a reference to the popular classified advertising site Craigslist. The website allows its clients to “Find professional hackers for hire.” Despite the use of the word “professional,” the types of jobs clients desire seem to be limited to relatively mundane, if illegal, activities. ZDNet gives several examples of job offers that were posted on the site, including the following:
$10-$350: Need some info and messages from a Facebook account. Other jobs to come if successful
$300-$600: I need a hacker to change my final grade, it should be done in a week.
$200-$300: Hack into a company email account. Copy all emails in that account. Give copies of the emails employer. Send spam emails confessing to lying and defamation of character to everyone in the email list.
The NYT describes the business of hacking as an “increasingly personal enterprise.” Indeed, in recent years, activities once considered to be within the exclusive purview of the technically inclined have become increasingly available to anyone willing to pay the right amount of money. In 2012, the Wall Street Journal ran an article showing that botnets could be rented for $2 an hour or purchased outright for $700. Botnets can be used to conduct denial of service attacks against websites and computer networks. They can also be used to send out e-mail spam. The article also detailed the price of services strikingly similar to the ones being requested on Hacker’s List: At the time, if someone wanted to spy on an ex, they could purchase a Trojan to snoop on their ex’s text messages. The cost? $350.
More recently, the same hacker group that took the gaming networks of Microsoft and Sony offline reportedly began offering a service called “Lizard Stresser,” essentially selling the service of performing a denial of service attack as opposed to the botnet itself. According to Brian Krebs, the botnet ran at least in part on hacked routers. For a mere $6 a month (less than the cost of a Netflix subscription in the US), Lizard Stresser offers to take down a website for 100 seconds.
I am not a lawyer, but it’s hard to imagine how a site that allows offers for shady activities such as breaking into websites and Facebook accounts can be legal. Meanwhile, the website’s operator makes its money by being paid a portion of each completed assignment. This sounds a lot like the way Silk Road was allegedly used to sell drugs; according to government lawyer Howard, Ross Ulbricht took a part of every deal that took place in Silk Road like a traditional drug boss.
If Hacker’s List remains operational, there will likely be at least two effects. First, there will probably be an increase in illegal activity resulting from the provision of services to those who would not otherwise be able to conduct attacks. A jealous partner such as the woman who wanted a hacker to break into her boyfriend’s Gmail and Facebook accounts would be less likely to perform the attacks by herself if services such as Hacker’s List didn’t exist; if she already had the ability to do it herself, she probably wouldn’t be trying to hire someone to do the deed for her. This means users will have to be more vigilant about their privacy and security. Potential victims cannot assume they are safe from romantic partners, business rivals, and any other individuals who could benefit from a hacking attack simply because such individuals are not technically inclined.
Second, the site is likely to contribute to the negative connotation often associated with the term “hacker.” Although “hacker” can refer to someone who circumvents computer security, even this activity is not necessarily illegal. White hats are routinely hired by organizations to test the security of their computers. To do so, they use the same tactics as black hats, the type of hacker the public is more likely to think of when the term is used.
There is also another category of hackers whose activities may not involve the circumvention of computer security at all. RFC 1392, an old document from 1993, clearly distinguishes between the terms “cracker” and “hacker.” It describes a cracker as “an individual who attempts to access computer systems without authorization.” In contrast, a “hacker” is defined as “a person who delights in having an intimate understanding of the internal workings of a system.” Despite the obvious difference between having an affinity for tinkering with systems and breaking into them, RFC 1392 acknowledges that the term hacker “is often misused in a pejorative context.” The existence of sites such as Hacker’s List may contribute to the incorrect perception that all hackers, including white hats and hackers who don’t break into computers, are involved in shady or illegal activity.
One possible silver lining from all this is an increase in public awareness of the privacy and security problems that plague our society. Although the proliferation of hacking (and other cybercrime) services may create a more dangerous environment, such services also have the potential to decrease public apathy and increase public vigilance. A world in which the general public is informed and vigilant is a world in which it is far more difficult to conduct such attacks.