18:40
TEDGlobal 2011

Misha Glenny: Hire the hackers!

Filmed:

Despite multibillion-dollar investments in cybersecurity, one of its root problems has been largely ignored: who are the people who write malicious code? Underworld investigator Misha Glenny profiles several convicted coders from around the world and reaches a startling conclusion.

- Underworld investigator
Journalist Misha Glenny leaves no stone unturned (and no failed state unexamined) in his excavation of criminal globalization. Full bio

Now this is a very un-TED-like thing to do,
00:15
but let's kick off the afternoon
00:18
with a message
00:21
from a mystery sponsor.
00:23
Anonymous: Dear Fox News,
00:26
it has come to our unfortunate attention
00:28
that both the name and nature of Anonymous
00:31
has been ravaged.
00:33
We are everyone. We are no one.
00:35
We are anonymous. We are legion.
00:38
We do not forgive. We do not forget.
00:41
We are but the base of chaos.
00:44
Misha Glenny: Anonymous, ladies and gentlemen --
00:49
a sophisticated group
00:52
of politically motivated hackers
00:54
who have emerged in 2011.
00:56
And they're pretty scary.
00:59
You never know when they're going to attack next,
01:01
who or what the consequences will be.
01:04
But interestingly,
01:07
they have a sense of humor.
01:09
These guys hacked into Fox News' Twitter account
01:12
to announce President Obama's assassination.
01:16
Now you can imagine the panic that would have generated
01:20
in the newsroom at Fox.
01:23
"What do we do now?
01:25
Put on a black armband, or crack open the champagne?"
01:27
(Laughter)
01:30
And of course, who could escape the irony
01:32
of a member of Rupert Murdoch's News Corp.
01:36
being a victim of hacking for a change.
01:39
(Laughter)
01:42
(Applause)
01:44
Sometimes you turn on the news
01:48
and you say, "Is there anyone left to hack?"
01:51
Sony Playstation Network -- done,
01:53
the government of Turkey -- tick,
01:56
Britain's Serious Organized Crime Agency -- a breeze,
01:58
the CIA -- falling off a log.
02:01
In fact, a friend of mine from the security industry
02:03
told me the other day
02:05
that there are two types of companies in the world:
02:07
those that know they've been hacked, and those that don't.
02:10
I mean three companies
02:13
providing cybersecurity services to the FBI
02:16
have been hacked.
02:20
Is nothing sacred anymore, for heaven's sake?
02:22
Anyway, this mysterious group Anonymous --
02:25
and they would say this themselves --
02:27
they are providing a service
02:29
by demonstrating how useless companies are
02:31
at protecting our data.
02:35
But there is also a very serious aspect to Anonymous --
02:38
they are ideologically driven.
02:41
They claim that they are battling
02:44
a dastardly conspiracy.
02:46
They say that governments are trying
02:49
to take over the Internet and control it,
02:51
and that they, Anonymous,
02:54
are the authentic voice of resistance --
02:56
be it against Middle Eastern dictatorships,
02:59
against global media corporations,
03:01
or against intelligence agencies,
03:04
or whoever it is.
03:06
And their politics are not entirely unattractive.
03:08
Okay, they're a little inchoate.
03:12
There's a strong whiff
03:15
of half-baked anarchism about them.
03:17
But one thing is true:
03:20
we are at the beginning
03:22
of a mighty struggle
03:24
for control of the Internet.
03:26
The Web links everything,
03:29
and very soon
03:31
it will mediate most human activity.
03:33
Because the Internet has fashioned
03:35
a new and complicated environment
03:37
for an old-age dilemma
03:39
that pits the demands of security
03:42
with the desire for freedom.
03:45
Now this is a very complicated struggle.
03:48
And unfortunately, for mortals like you and me,
03:52
we probably can't understand it very well.
03:55
Nonetheless,
03:58
in an unexpected attack of hubris
04:00
a couple of years ago,
04:02
I decided I would try and do that.
04:04
And I sort of get it.
04:07
These were the various things that I was looking at
04:11
as I was trying to understand it.
04:13
But in order to try and explain the whole thing,
04:15
I would need another 18 minutes or so to do it,
04:18
so you're just going to have to take it on trust from me on this occasion,
04:21
and let me assure you that all of these issues
04:26
are involved in cybersecurity and control of the Internet
04:28
one way or the other,
04:31
but in a configuration
04:33
that even Stephen Hawking would probably have difficulty
04:35
trying to get his head around.
04:38
So there you are.
04:41
And as you see, in the middle,
04:43
there is our old friend, the hacker.
04:45
The hacker is absolutely central
04:47
to many of the political, social
04:50
and economic issues affecting the Net.
04:52
And so I thought to myself,
04:55
"Well, these are the guys who I want to talk to."
04:58
And what do you know,
05:01
nobody else does talk to the hackers.
05:04
They're completely anonymous, as it were.
05:06
So despite the fact
05:09
that we are beginning to pour billions,
05:11
hundreds of billions of dollars,
05:14
into cybersecurity --
05:16
for the most extraordinary technical solutions --
05:19
no one wants to talk
05:23
to these guys, the hackers,
05:25
who are doing everything.
05:27
Instead, we prefer these really dazzling technological solutions,
05:30
which cost a huge amount of money.
05:35
And so nothing is going into the hackers.
05:38
Well, I say nothing,
05:41
but actually there is one teeny weeny little research unit
05:43
in Turin, Italy
05:47
called the Hackers Profiling Project.
05:49
And they are doing some fantastic research
05:52
into the characteristics,
05:55
into the abilities
05:57
and the socialization of hackers.
05:59
But because they're a U.N. operation,
06:01
maybe that's why governments and corporations
06:03
are not that interested in them.
06:05
Because it's a U.N. operation,
06:07
of course, it lacks funding.
06:09
But I think they're doing very important work.
06:12
Because where we have a surplus of technology
06:15
in the cybersecurity industry,
06:19
we have a definite lack of --
06:22
call me old-fashioned --
06:25
human intelligence.
06:27
Now, so far I've mentioned
06:29
the hackers Anonymous
06:31
who are a politically motivated hacking group.
06:33
Of course, the criminal justice system
06:36
treats them as common old garden criminals.
06:38
But interestingly,
06:40
Anonymous does not make use of its hacked information
06:42
for financial gain.
06:44
But what about the real cybercriminals?
06:46
Well real organized crime on the Internet
06:50
goes back about 10 years
06:53
when a group of gifted Ukrainian hackers
06:55
developed a website,
07:00
which led to the industrialization
07:02
of cybercrime.
07:04
Welcome to the now forgotten realm of CarderPlanet.
07:07
This is how they were advertising themselves
07:13
a decade ago on the Net.
07:15
Now CarderPlanet was very interesting.
07:18
Cybercriminals would go there
07:20
to buy and sell stolen credit card details,
07:22
to exchange information
07:25
about new malware that was out there.
07:27
And remember, this is a time
07:30
when we're seeing for the first time
07:32
so-called off-the-shelf malware.
07:34
This is ready for use, out-of-the-box stuff,
07:36
which you can deploy
07:39
even if you're not a terribly sophisticated hacker.
07:41
And so CarderPlanet became a sort of supermarket
07:45
for cybercriminals.
07:48
And its creators
07:50
were incredibly smart and entrepreneurial,
07:52
because they were faced
07:54
with one enormous challenge as cybercriminals.
07:56
And that challenge is:
07:59
How do you do business,
08:01
how do you trust
08:03
somebody on the Web who you want to do business with
08:05
when you know that they're a criminal?
08:07
(Laughter)
08:10
It's axiomatic that they're dodgy,
08:12
and they're going to want to try and rip you off.
08:14
So the family, as the inner core of CarderPlanet was known,
08:17
came up with this brilliant idea
08:20
called the escrow system.
08:22
They appointed an officer
08:24
who would mediate between the vendor and the purchaser.
08:27
The vendor, say, had stolen credit card details;
08:30
the purchaser wanted to get a hold of them.
08:33
The purchaser would send the administrative officer
08:36
some dollars digitally,
08:39
and the vendor would sell the stolen credit card details.
08:41
And the officer would then verify
08:44
if the stolen credit card worked.
08:47
And if they did,
08:50
he then passed on the money to the vendor
08:52
and the stolen credit card details to the purchaser.
08:54
And it was this
08:57
which completely revolutionized cybercrime on the Web.
08:59
And after that, it just went wild.
09:04
We had a champagne decade
09:06
for people who we know as Carders.
09:08
Now I spoke to one of these Carders
09:11
who we'll call RedBrigade --
09:13
although that wasn't even his proper nickname --
09:15
but I promised I wouldn't reveal who he was.
09:17
And he explained to me how in 2003 and 2004
09:19
he would go on sprees in New York,
09:22
taking out $10,000 from an ATM here,
09:25
$30,000 from an ATM there,
09:28
using cloned credit cards.
09:31
He was making, on average a week,
09:34
$150,000 --
09:37
tax free of course.
09:40
And he said
09:42
that he had so much money
09:45
stashed in his upper-East side apartment at one point
09:47
that he just didn't know what to do with it
09:49
and actually fell into a depression.
09:51
But that's a slightly different story,
09:53
which I won't go into now.
09:55
Now the interesting thing about RedBrigade
09:57
is that he wasn't an advanced hacker.
10:00
He sort of understood the technology,
10:02
and he realized that security was very important
10:04
if you were going to be a Carder,
10:07
but he didn't spend his days and nights
10:10
bent over a computer, eating pizza,
10:12
drinking coke and that sort of thing.
10:14
He was out there on the town
10:16
having a fab time enjoying the high life.
10:18
And this is because
10:20
hackers are only one element
10:22
in a cybercriminal enterprise.
10:25
And often they're the most vulnerable element of all.
10:28
And I want to explain this to you
10:34
by introducing you to six characters
10:36
who I met
10:38
while I was doing this research.
10:40
Dimitry Golubov, aka SCRIPT --
10:43
born in Odessa, Ukraine in 1982.
10:46
Now he developed his social and moral compass
10:49
on the Black Sea port during the 1990s.
10:52
This was a sink-or-swim environment
10:55
where involvement in criminal or corrupt activities
10:58
was entirely necessary
11:02
if you wanted to survive.
11:04
As an accomplished computer user,
11:06
what Dimitry did
11:08
was to transfer the gangster capitalism of his hometown
11:10
onto the Worldwide Web.
11:14
And he did a great job in it.
11:16
You have to understand though
11:18
that from his ninth birthday,
11:20
the only environment he knew
11:22
was gangsterism.
11:24
He knew no other way of making a living
11:26
and making money.
11:28
Then we have Renukanth Subramaniam,
11:30
aka JiLsi --
11:32
founder of DarkMarket,
11:34
born in Colombo, Sri Lanka.
11:36
As an eight year-old,
11:38
he and his parents fled the Sri Lankan capital
11:40
because Singhalese mobs were roaming the city,
11:42
looking for Tamils like Renu to murder.
11:45
At 11, he was interrogated by the Sri Lankan military,
11:48
accused of being a terrorist,
11:50
and his parents sent him on his own to Britain
11:52
as a refugee seeking political asylum.
11:56
At 13,
11:59
with only little English and being bullied at school,
12:01
he escaped into a world of computers
12:04
where he showed great technical ability,
12:07
but he was soon being seduced
12:09
by people on the Internet.
12:12
He was convicted of mortgage and credit card fraud,
12:14
and he will be released from Wormwood Scrubs jail in London
12:17
in 2012.
12:20
Matrix001,
12:22
who was an administrator at DarkMarket.
12:26
Born in Southern Germany
12:29
to a stable and well-respected middle class family,
12:31
his obsession with gaming as a teenager
12:33
led him to hacking.
12:36
And he was soon controlling huge servers around the world
12:38
where he stored his games
12:42
that he had cracked and pirated.
12:44
His slide into criminality
12:46
was incremental.
12:48
And when he finally woke up to his situation
12:50
and understood the implications,
12:53
he was already in too deep.
12:55
Max Vision, aka ICEMAN --
12:58
mastermind of cardersMarket.
13:00
Born in Meridian, Idaho.
13:02
Max Vision was one of the best penetration testers
13:04
working out of Santa Clara, California
13:08
in the late 90s for private companies
13:11
and voluntarily for the FBI.
13:13
Now in the late 1990s,
13:16
he discovered a vulnerability
13:18
on all U.S. government networks,
13:20
and he went in and patched it up --
13:23
because this included nuclear research facilities --
13:25
sparing the American government
13:29
a huge security embarrassment.
13:31
But also, because he was an inveterate hacker,
13:33
he left a tiny digital wormhole
13:36
through which he alone could crawl.
13:38
But this was spotted by an eagle-eye investigator,
13:40
and he was convicted.
13:43
At his open prison,
13:45
he came under the influence of financial fraudsters,
13:47
and those financial fraudsters
13:49
persuaded him to work for them
13:51
on his release.
13:53
And this man with a planetary-sized brain
13:55
is now serving a 13-year sentence
13:58
in California.
14:00
Adewale Taiwo, aka FeddyBB --
14:02
master bank account cracker
14:05
from Abuja in Nigeria.
14:07
He set up his prosaically entitled newsgroup,
14:10
bankfrauds@yahoo.co.uk
14:13
before arriving in Britain
14:18
in 2005
14:20
to take a Masters in chemical engineering
14:22
at Manchester University.
14:24
He impressed in the private sector,
14:26
developing chemical applications for the oil industry
14:29
while simultaneously running
14:32
a worldwide bank and credit card fraud operation that was worth millions
14:34
until his arrest in 2008.
14:37
And then finally, Cagatay Evyapan,
14:41
aka Cha0 --
14:43
one of the most remarkable hackers ever,
14:45
from Ankara in Turkey.
14:47
He combined the tremendous skills of a geek
14:49
with the suave social engineering skills
14:52
of the master criminal.
14:56
One of the smartest people I've ever met.
14:59
He also had the most effective
15:02
virtual private network security arrangement
15:04
the police have ever encountered
15:06
amongst global cybercriminals.
15:08
Now the important thing
15:10
about all of these people
15:12
is they share certain characteristics
15:14
despite the fact that they come from very different environments.
15:16
They are all people who learned their hacking skills
15:20
in their early to mid-teens.
15:23
They are all people
15:26
who demonstrate advanced ability
15:28
in maths and the sciences.
15:30
Remember that, when they developed those hacking skills,
15:33
their moral compass had not yet developed.
15:35
And most of them, with the exception of SCRIPT and Cha0,
15:39
they did not demonstrate
15:42
any real social skills in the outside world --
15:46
only on the Web.
15:49
And the other thing is
15:51
the high incidence of hackers like these
15:53
who have characteristics which are consistent
15:55
with Asperger's syndrome.
15:58
Now I discussed this
16:01
with Professor Simon Baron-Cohen
16:03
who's the professor of developmental psychopathology at Cambridge.
16:05
And he has done path-breaking work on autism
16:09
and confirmed, also for the authorities here,
16:13
that Gary McKinnon --
16:15
who is wanted by the United States
16:17
for hacking into the Pentagon --
16:19
suffers from Asperger's
16:21
and a secondary condition
16:23
of depression.
16:25
And Baron-Cohen explained
16:27
that certain disabilities
16:29
can manifest themselves in the hacking and computing world
16:31
as tremendous skills,
16:34
and that we should not be throwing in jail
16:36
people who have such disabilities and skills
16:38
because they have lost their way socially
16:41
or been duped.
16:44
Now I think we're missing a trick here,
16:46
because I don't think people like Max Vision should be in jail.
16:49
And let me be blunt about this.
16:52
In China, in Russia and in loads of other countries
16:54
that are developing cyber-offensive capabilities,
16:57
this is exactly what they are doing.
17:00
They are recruiting hackers
17:02
both before and after they become involved
17:04
in criminal and industrial espionage activities --
17:07
are mobilizing them
17:10
on behalf of the state.
17:12
We need to engage
17:14
and find ways of offering guidance
17:16
to these young people,
17:18
because they are a remarkable breed.
17:20
And if we rely, as we do at the moment,
17:22
solely on the criminal justice system
17:24
and the threat of punitive sentences,
17:27
we will be nurturing a monster we cannot tame.
17:30
Thank you very much for listening.
17:33
(Applause)
17:35
Chris Anderson: So your idea worth spreading
17:48
is hire hackers.
17:50
How would someone get over that kind of fear
17:52
that the hacker they hire
17:56
might preserve that little teensy wormhole?
17:58
MG: I think to an extent,
18:00
you have to understand
18:02
that it's axiomatic among hackers that they do that.
18:04
They're just relentless and obsessive
18:07
about what they do.
18:10
But all of the people who I've spoken to
18:12
who have fallen foul of the law,
18:14
they have all said, "Please, please give us a chance
18:16
to work in the legitimate industry.
18:19
We just never knew how to get there, what we were doing.
18:22
We want to work with you."
18:25
Chris Anderson: Okay, well that makes sense. Thanks a lot Misha.
18:27
(Applause)
18:30

▲Back to top

About the Speaker:

Misha Glenny - Underworld investigator
Journalist Misha Glenny leaves no stone unturned (and no failed state unexamined) in his excavation of criminal globalization.

Why you should listen

In minute detail, Misha Glenny's 2008 book McMafia illuminates the byzantine outlines of global organized crime. Whether it's pot smugglers in British Columbia, oil/weapons/people traffickers in Eastern Europe, Japanese yakuza or Nigerian scammers, to research this magisterial work Glenny penetrated the convoluted, globalized and franchised modern underworld -- often at considerable personal risk.

The book that resulted is an exhaustive look at an unseen industry that Glenny believes may account for 15% of the world's GDP.

Legal society ignores this world at its peril, but Glenny suggests that conventional law enforcement might not be able to combat a problem whose roots lie in global instability.

While covering the Central Europe beat for the Guardian and the BBC, Glenny wrote several acclaimed books on the fall of Yugoslavia and the rise of the Balkan nations. He's researching a new book on cybercrime, of which he says: "The key to cybercrime is what we call social engineering. Or to use the technical term for it, there's one born every minute."

Watch TED's exclusive video Q&A with Glenny: "Behind the Scenes of McMafia" >>

More profile about the speaker
Misha Glenny | Speaker | TED.com