I’ve been thinking lately about Matt Honan, who wrote almost a year ago in Wired about his experiences with a hacker named Phobia who hacked Honan’s Apple account, and soon after used his access to the account to wipe out Honan’s electronic memories–everything Honan had acquired and stored on his Apple devices. Honan later was contacted by Phobia, and in the course of their correspondance Honan asked why Phobia had done him such grievous harm:
I asked Phobia why he did this to me. His answer wasn’t satisfying. He says he likes to publicize security exploits, so companies will fix them. He says it’s the same reason he told me how it was done. He claims his partner in the attack was the person who wiped my MacBook. Phobia expressed remorse for this, and says he would have stopped it had he known.
“yea i really am a nice guy idk why i do some of the things i do,” he told me via AIM. “idk my goal is to get it out there to other people so eventually every1 can over come hackers”
The ethos expressed in those few words is close to monstrous. Here’s what it boils down to:
1) If I hack you, it’s your fault for being unprotected. (As Clint Eastwood said in “Unforgiven” after being taken to task for shooting an unarmed man, “He shoulda armed himself.”) Therefore…
2) I have the right to hack anybody who’s vulnerable to hacking. And that’s a good thing, because…
3) I serve a higher purpose when my hacking wrecks the lives of people who are too careless or innocent to protect themselves. As Phobia wrote to Honan, “my goal is to get it out there to other people so eventually every1 can over come hackers”.
Phobia is confused, to say the least. You can’t simultaneously not know why you do the things you do, and purport to have a goal that represents the justification for doing what you do. Beyond that, there’s an obvious hypocrisy in Phobia’s comments. If you claim to be concerned for the welfare of others—for example, to care about whether they can protect themselves from some kind of harm—you don’t start your relationship with those others by launching a brutal surprise attack. In a civil (read: moral) society, you don’t attack strangers on the street (or anywhere else) on the pretense that it’s a lesson to the vulnerable to make themselves less vulnerable.
Indeed, civil societies reserve special scorn and punishment for those who attack the most vulnerable. As one obvious example, pedophiles are not commended for “teaching” little kids to protect themselves from sexual predators. Responsibility in a civil society lies with the perpetrator, not the victim, not God.
Of course it’s important for all of us to take steps to avoid being victimized in all sorts of ways, but that’s not the point. My being weak or defenseless does not make my attacker noble or justified, whether or not the attack is successful. The moral measure of a person in a civil society is how well he or she treats vulnerable people, not how successfully he or she takes advantage of their vulnerability. (I won’t pretend that there aren’t plenty of people out there who have achieved fame and fortune in modern society by taking advantage of the vulnerable; I’m saying that such people don’t get to claim the moral high ground, which is what’s happening when a hacker says he does what he does to make the world safe from hackers.)
In this sense, hackers like Phobia are not vanguards of a new cyber-civilization, as Phobia seems to fancy himself. They are the precise moral equivalent of a street thug ambushing an old woman, or a man throwing acid in his ex-lover’s face (a recently popular activity in some parts of the world, and one that is also intended to teach the victim a lesson). They are representative of the worst tendencies in humanity, not the best, and it’s discouraging that some very bright young people (Phobia is 19) have convinced themselves that victimizing the vulnerable is representative of high ethics.
I doubt that Phobia thinks of himself as religious, but his justifications are eerily similar to the tenets of any number of fundamentalist religions. Many fundamentalists will tell you that if you’re attacked—by a terrorist, a cyclone, an angry dog, a fellow fundamentalist, or anything else—it’s God’s will (which is another way of saying “it’s your fault”). If the fundamentalist hears from God (or the little voice inside his head that purports to be God) that you should be attacked, the attack will begin as soon as is practically feasible. After you’re righteously punished, you will be more likely to heed God’s will; if not, God’s will is still satisfied, it being the will of God that the faithful seek relentlessly to destroy unbelievers. No fundamentalist ever seems to think that it’s God’s will to be kind to everybody. Nor does any hacker. Once you’ve established a higher purpose that supercedes the mere interests of any individual, kindness has nothing to do with it.
Civil societies rely on due process and rule of law, which were developed painstakingly over centuries precisely to protect individuals and societies from arbitrary attacks by the self-empowered, be they bandits or kings. Before due process and rule of law, life was (as Hobbes put it) nasty, brutish, and short, which is a pretty good description of a typical cyberattack (although of course modern attacks are recently tending to the ongoing and persistent, as opposed to the episodic).
Do hackers really want to return society to the law of the jungle? Do they really want every man and woman to decide for themselves what “right” means, in utterly exclusive and non-negotiable terms, and to act without further ado to destroy those who stray from the path of righteousness? Do they really want to add to the world’s sum total of pain and anguish, of which neither will ever be in short supply, with or without the help of hackers?
We live in an era in which authorities of all sorts have been revealed to be both unethical and incompetent, and it’s not surprising that many in this era have anointed themselves as moral authorities with the right to mete out drastic punishment as they see fit. But that doesn’t make it right.
If you’re a hacker, and you disagree with this argument, write and tell me why.
Category: IT risk Tags: