Dear Big Companies: Getting Hacked is Good For You

Janus Rose
New York, US

The terms "hack" and "hacker" have been dirty words for as long as anyone can remember. Whether it's Julian Assange or charming '80s movies about disenfranchised teenagers with a penchant for anarchy, these terms never fail to evoke that Snidely Whiplash, tie-a-girl-to-the-railroad-tracks vision of cybervillainy that we love to fantasize about. Fogged by fashionable buzzwords and media spin, people tend to forget that the discussion about hacks, and the very idea of hacking, should have less to do with e-vigilantism and more to do with what's actually at stake when folks get lazy about covering their blind spots — our data's security.


So let's talk about security and how this "woe is us" attitude coming from those victimized by hack-attacks isn't going to cut it for much longer. And to begin, let's once again talk about the increasingly sad story of Sony, who, even after a massive and embarrassing pwnage of their PlayStation Network servers, has fallen victim to yet another online attack.

Last Thursday the hacker group Lulz Security broke into Sonypictures.com and came out with a treasure trove of over 1,000,000 user accounts, passwords and other sensitive data. Then on Monday, just hours before Sony's press conference at E3, the collective busted in again, this time leaking Sony's network developer source code. But on both occasions (plus the 14 others documented here), the crux of the problem wasn't the exposure of personal info — it was the pathetically inadequate online security that somehow passes as the status quo for Sony and countless others.

Just for a second, let's not think about hacks as the misdeeds of anarchist computer geniuses. Let's look at them as vaccinations, helpful viruses that aid in combating bad security practices.

Sony's most recent troubles will undoubtedly serve to vilify hackers even more. But before the pitchforks come out, let's take a look at the details of this breach: Sonypictures.com was cracked — not through a sophisticated hack-attack — but through exploitation of a well-documented and long-ago remedied computer vulnerability, a method known as a SQL injection. In 2011, getting hacked through a SQL injection is basically the computer security equivalent of contracting smallpox; you're only going to get so much sympathy before people start thinking that maybe you should have gotten your booster shots.


What's worse, just like with the PlayStation Network breach, all of this data was unencrypted and stored as plain text. That is to say, a major company that collects customer information en masse is not only forgoing its inoculations, but leaving its vital organs bereft of the ribcage that constitutes the most fundamental form of data security.
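The two failings the preceding paragraphs name, a query built by string concatenation and passwords kept in plain text, are easy to see side by side in code. This is an added example, not code from the article or from any of the sites it discusses; it uses a constructed in-memory SQLite table, a made-up probe string, and hypothetical helper names, and contrasts the injectable lookup with a parameterised one plus salted password hashing.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for a site's user table (assumption: a real site would use a server DB).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def hash_password(password, salt):
    # Salted, iterated PBKDF2-HMAC-SHA256 instead of the plain-text storage the article describes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def add_user(db, name, password):
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (name, salt, hash_password(password, salt)))

def lookup_injectable(db, name):
    # Vulnerable: the caller's input is spliced into the SQL text, so a quote in the
    # input rewrites the query itself instead of being compared as data.
    rows = db.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]

def lookup_safe(db, name):
    # Hardened: the driver binds the value as a parameter; the query's structure is fixed
    # and the input can only ever be a string that is compared against the name column.
    rows = db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]

def verify_password(db, name, password):
    # Parameterised lookup plus constant-time comparison against the stored hash.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))

def demo():
    db = make_db()
    add_user(db, "alice", "correct horse")
    add_user(db, "bob", "battery staple")
    probe = "' OR '1'='1"  # constructed input: closes the quote and appends a tautology
    return {
        "injectable": sorted(lookup_injectable(db, probe)),  # every row leaks
        "safe": lookup_safe(db, probe),                       # treated as a literal name: no match
        "good_login": verify_password(db, "alice", "correct horse"),
        "bad_login": verify_password(db, "alice", "battery staple"),
    }
```

Even if the hardened lookup were somehow bypassed, what an attacker would read out of this table is a per-user salt and a slow hash, not the reusable passwords the article says were exposed.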

Behind all the lulz and anti-corporate rhetoric, it's not so much about the hackers "winning" in this instance; they're just doing what they do — exploiting the same vectors of vulnerability as their biotic analogues. And if the result is an improved attitude toward online security, is that really such a bad thing?

And yet, even in light of the increasing volume and frequency of online attacks, the conversation for many companies and less tech-savvy media outlets seems to always drift away from "what are we doing wrong?" to "let's catch those darn pesky hackers." It's unfortunate, because if there's one thing that differentiates cyber security from the regular kind (and it doesn't take a computer security expert to know this), it's that the former should always take priority over the latter.

Government response to the issue, however, remains intensely focused — some would say hell-bent — on hunting down digital intruders. The United States has become particularly bullish about pursuing cybercriminals, to the point where it has created waves of mistrust within the hacker collectives themselves.


FBI infiltrations of hacker spots on forums and IRC channels have become so prevalent that Eric Corley, publisher of the Hacker Quarterly, estimates that 1 in 4 'hackers' operating on the net are either federal agents or ex-hackers molded into informants through threats and intimidation. And let's not forget President Obama's not-so-subtle remark that foreign cyberattacks could be considered acts of war. LulzSec responded to that, of course, by hacking the FBI.

But as the US's failed War on Drugs has proven, aggressive crackdowns like this are rarely effective deterrents. Despite it all, the perps, who are proving to be increasingly resourceful and fearless, remain the object of scrutiny rather than the inadequate security measures and laws that govern the issue at hand.

Hacker extraordinaire & internet troll legend Weev, who exposed security flaws in Apple's iPad

Witness the famous iPad Hack of 2010: When Apple and AT&T discovered that the details of the iPad's 180,000 early adopters had been compromised — after the hackers handed their data over to Gawker — there was no applause, even though the group involved, Goatse Security, had disclosed the vulnerability only after it had been fixed, as a public service to AT&T's unsuspecting customers. Yet the hacker, not the hack, was immediately the star of the show, and the implications of the intrusion — a hugely popular consumer product with gaping security holes — were lost in the ensuing media buzz.

Pundits downplayed it as just a harmless little prank, nothing worth worrying about. Mayor Bloomberg himself — a victim of the hack — shrugged it off, saying that data breaches are unavoidable. "We live in a world where information is available all over the place and there's going to be security breaches every day, all over the world," he said. "That's what happens when you have information." Not a particularly positive or reassuring stance from an elected official.


Not long afterwards, Andrew Auernheimer aka Weev, the hacker responsible, was visited by FBI agents. They detained him, seized his computers, and charged him with numerous felony counts. Through his benign trespassing, it looked as if Weev might go down as the first security expert arrested for making a company look bad.

Weev was certainly an easy target: a "celebrity hacktivist" known in 4chan circles for his naughty trolling lulz, drug use, and vaguely anti-Semitic posturing, he's long had something coming as far as the authorities are concerned. (See our interview with him here.) Personalities aside, these 'grey hats' — hackers of the Anonymous sort who evince some consideration for the public good while doing possibly illegal things — tend to be much more widely supported than their malicious counterparts.

But no matter the flavor of digital outlaw, the 'cops & robbers' response is the only one that makes sense to law enforcement that is, for the most part, still firmly entrenched in meat-space.

When someone snatches a purse or robs a bank IRL, our first reaction is to find and reprimand the bad guy. But having your back door unlocked and files rummaged by digital intruders has far wider and much more immediate consequences, and merely changing the locks is rarely, if ever, sufficient. This heedless pursuit of the culprits in lieu of upgrading our digital immune systems demonstrates a fundamental misunderstanding of how cyber security works — that is, there are always more hackers.


Black & Berg, a cybersecurity firm, offered a reward for hacking their homepage. But hacker collective LulzSec is only doing it "for the lulz."

It boils down to this: What companies need to have — especially the ones we trust with personal data — is regulatory oversight of their online security. The solution is not giving more powers to the private sector, because if we can assume anything from looking at all the effort and money these companies spend on things like post-hack PR and lobbying for draconian copyright laws at the consumer's expense, it's that security of this data is just not that high on their priority lists next to public image and protection of profits.

The burning question, of course, is: why shouldn't it be? The FDIC regulates banks to protect the integrity of deposits. Is our data somehow less valuable?

There will always be vulnerabilities in software, so long as it's written by humans. But maybe the trick is not tough talk about hacker crackdowns, but encouragement of hacking to improve security.

Google, if you'll remember, not long ago challenged hackers to find security holes in its Chrome web browser, promising to pony up cold hard cash in return for their discovery. And it delivered.

The notoriously pock-marked, late-to-the-party Internet Explorer? Not so much. Even when Google's staff was handing out zero-day Windows exploits, nothing short of a haughty sneer could be heard from Microsoft's direction.

So there are two schools of thought here: Hacks as old-school crime scenes, and hacks as opportunities for proactive security measures that will give us all a needed wake-up call. There needn't be an awards ceremony for those that operate within the darker-grey areas of the law, but perhaps being kept on our toes in the security game might not fry our circuits either.
