It took about five minutes to cripple Visa.com. By the time Dutch police arrested the 16-year-old boy they say was responsible Thursday, the damage had been done. Of course, the boy wasn't alone. He was aided by a volunteer army of thousands. The scary thing: They were using tools anyone can get.
If the WikiLeaks dump, and the subsequent cyberattacks, have made anything clear, it's this: 2010 belongs to hackers.
Hacking, the practice of getting your hands on computer tools, systems and documents – especially when it's unauthorized – is nothing new: from MIT students in the 1950s to "phreakers" who manipulated telecom systems around the globe.
But their impact has suddenly skyrocketed. Over the past decade, the digital medium in which hackers operate has become the single most important driver of cultural, commercial and geopolitical change in the world. And online, the limbs of everything from credit card companies to national security agencies lie far more unguarded than their real-world counterparts.
From easily obtainable cyberwarfare tools to being glorified in Stieg Larsson novels to jailbroken iPhones, hacker culture is also cycling from the underground to the mainstream.
"Hackers used to break into networks and pull classified data, but back in the day this information was kept amongst the community," says Michael Calce, who, under the pseudonym Mafiaboy, became one of the most famous computer criminals in the world a decade ago when he managed to temporarily bring down the websites of several major companies, including Yahoo and CNN.
"Now that information is on a global pedestal. WikiLeaks is just an example, there's going to be a lot more of this to come."
MATTERS OF STATE
The most significant breach of a U.S. military computer network ever, according to deputy secretary of defence William J. Lynn III, took place in 2008.
"It began when an infected flash drive was inserted into a U.S. military laptop at a base in the Middle East," Mr. Lynn wrote in a recent issue of Foreign Affairs magazine. "The flash drive's malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the U.S. Central Command."
For the first time, a senior government official had confirmed what most security experts already strongly suspected – the U.S. was under constant cyberattack from foreign enemies, and some of those attacks had succeeded in prying information from some of Washington's most sensitive computer networks.
In recent years, Western nations have switched much of their security policy focus to computer networks, cognizant of the fact that a growing number of malicious actors, from petty criminals to state-sponsored "patriotic hackers," are constantly probing government networks for weaknesses. U.S. President Barack Obama created a new White House office to deal with cybersecurity. Earlier this year, a group of 15 nations, including the U.S., China and Russia, agreed in principle to work on limiting cyberattacks.
In 2007, Estonia's critical infrastructure, including the computers of banks and broadcasters, came under attack. In that case, the culprits included pro-Russian "patriotic hackers," as well as vast networks of maliciously co-opted computers around the globe, whose users had no idea they were aiding an act of war.
The overlap of state agencies, multinational companies and borderless hackers has become a defining theme of 2010. Canadian BlackBerry-maker Research In Motion saw many of its overseas markets at risk this year, after governments in India, Saudi Arabia and the United Arab Emirates threatened to ban BlackBerrys unless they were given more access to information passing through the devices. Google was the victim of state-sponsored hacking in China – something the WikiLeaks cables helped shed light on. Indeed, the growing popularity of cloud computing – hosting data and using software on third-party servers that are accessible from anywhere in the world – has only increased the potential reward for anyone capable of breaking into the servers of companies such as Google or Amazon.
The realization that the world's critical infrastructure is moving online – and often in a far less secure version than in the physical world – has already changed the way information warriors operate. This summer, a malicious piece of code called Stuxnet surfaced on the Web. But unlike previous iterations of viruses and worms, Stuxnet was designed with one target in mind: large-scale industrial processes. And in many ways, it succeeded – the Iranian government recently acknowledged Stuxnet had played a role in damaging its nuclear program.
But despite concerted efforts by nations to beef up digital security, it's unclear just how effective those efforts have been. In the wake of the 2008 incident, the military temporarily banned the use of flash drives, and put more emphasis on software and hardware to detect unauthorized users.
But Bradley Manning, the soldier suspected of providing WikiLeaks with its trove of classified data by burning it onto a recordable CD from a military computer, doesn't appear to have been deterred by the military's policies.
The Pentagon probably doesn't lump the Manning incident in with foreign cyberattacks, but it probably qualifies as the most embarrassing data breach in the U.S. military's history. It also functions as a microcosm of a larger transformation in the world of hacktivism, one that has the potential to one day make cyberattacks one of the most effective geopolitical tools.
Just as Mr. Manning's information only made waves when it was transmitted and retransmitted by thousands of Internet users around the globe, hacking itself is morphing from a solitary exercise practised by the technically proficient into something more social – a multiplayer game with real-world impact.
HACKING GOES SOCIAL
On Wednesday, a group of hacktivists operating under the moniker Operation Payback launched a massive cyberattack against Visa's website. The offensive – known as a Distributed Denial of Service attack – basically involves directing so much Internet traffic to the targeted website that it crashes under the pressure. It is the Internet equivalent of getting thousands of people to call a company's customer service phone line at the same time. Although its impact is often temporary and minimal, DDoS is one of the simplest forms of cyberwarfare, and is notoriously difficult to defend against. In most cases it simply requires the enlistment of many computers – the software to perform the attack is readily available all over the Web.
"If you know what you're looking for, it's almost like walking into a 7-Eleven now," says Mark Jeftovic, President of EasyDNS, a Toronto-based Internet domain name service provider.
Operation Payback – part of a network called Anonymous that has previously targeted groups such as the Church of Scientology – has close ties to an Internet forum called 4Chan. The massive online community is often criticized for being a hotbed of racism, misogyny and otherwise juvenile content. However, its members often act in cohesion, and can make life miserable for whatever entity incurs their wrath.
This week, they decided to go after the companies that severed ties with WikiLeaks following the cablegate release. First they launched a DDoS attack against the website of Switzerland Post Finance, the Swiss bank that froze WikiLeaks founder Julian Assange's account. They also targeted MasterCard, which had stopped processing donations to WikiLeaks, as well as Visa and PayPal. One after the other, the sites slowed down or became temporarily inaccessible under the onslaught of traffic.
In terms of actual damage, the attacks were largely trivial. Indeed, Operation Payback probably gained more through publicity than any technical assault on their targets' websites. Still, DDoS attacks are taken seriously enough that they often result in criminal charges, such as in the case of Canadian hacker Mr. Calce.
But the most significant aspect of the Operation Payback attack was the means by which its directors managed to corral the thousands of computers necessary to make it work. On its Twitter feed, Operation Payback directed followers to download a program that would effectively let the hackers take control of a part of the followers' computers, and use them to launch attacks. Suddenly, the offensive became an exercise in social media, leveraging a base of like-minded computer users to wage digital war against multinational corporations. Anyone who liked the idea of going to battle on the Web for a cause they believed in could enlist with just a couple of clicks. And perhaps most frighteningly for the targets of the attacks, thousands of people were motivated enough to sign up.
"For most of us, the Internet is just a means to an end," says Alexandra Samuel, director of the Social and Interactive Media Centre at Emily Carr University of Art and Design. "But for a certain community of people, the Internet is an end in and of itself. On an issue like [WikiLeaks] they're not identifying with the U.S. or the U.K. or Sweden – they're citizens of the Internet."
In a short statement about the pro-WikiLeaks attacks, website spokesman Kristinn Hrafnsson said: "We neither condemn nor applaud these attacks. We believe they are a reflection of public opinion on the actions of the targets."
Hacking, like several other areas of computing, can be very loosely classified as white hat or black hat – the former is a term that describes hackers who work on fixing weak code or otherwise work toward some greater good; the latter describes those who break into systems with malicious intent. The rise of groups such as Anonymous, and their DDoS attacks against companies they deem unethical, has split the hacker community, and created a third, "grey hat," category.
"Some of the counterattacks [against perceived anti-WikiLeaks entities such as Amazon], some of that youthful righteous indignation I can understand," says Jack Daniel, a veteran information security expert and regular fixture at DefCon, North America's largest hackers' convention. "But if the battle is about free speech, we have to accept that free speech is sometimes stuff we don't agree with.
"Either buy more from Amazon or start buying less, but don't try to shut them down. That just solidifies the anti-hacker mentality."
PUNK ROCK ROOTS
Julian Assange had a deep voice for a teenager, which was helpful, because he was about to pose as a government employee in order to steal a password.
It was 1987, more than two decades before facilitating the biggest classified information leak in history, and the then-16-year-old was sitting in his bedroom in Emerald, a tiny town just outside Melbourne, Australia. He was trying to break into a mainframe computer in Sydney. To do so, he would have to call a client who had an account on the mainframe and convince him he was a government employee in need of the client's password. To simulate a busy government office, Mr. Assange tape-recorded himself reading Shakespeare at a volume just low enough to simulate background chatter, with his dot-matrix printer running and the click-clack sound of his fingers randomly hitting keyboard keys. When he called the client, he played the tape over the phone. The gamble worked – the client fell for it and handed over his password. Shortly afterward, Mr. Assange was logged into the mainframe in Sydney, scrolling through confidential e-mails. He had proven his worth to Australia's underground digital community. He was a hacker.
Mr. Assange's exploits were detailed in a 1997 book he co-authored called Underground: Tales of Hacking, Madness and Obsession on the Electronic Frontier. The book chronicles some of the most notorious hacking incidents of the 1980s and 90s – back when Mr. Assange went by the nickname Mendax, from the poet Horace's "splendide mendax," or "nobly untruthful." In his introduction to the book, Mr. Assange quotes Oscar Wilde: "Man is least himself when he talks in his own person. Give him a mask, and he will tell you the truth."
The book paints a picture of a teenager who escaped to the digital world for many of the same reasons that still draw in new hackers today: a chance to become someone more powerful, able with a few keystrokes to access confidential information that would be kept under lock and key in the real world. But perhaps most of all, the allure of hacking for Mr. Assange and countless others is the ability to effect change without becoming part of any government or corporate group. According to one story in Underground, Mr. Assange manages to break into the network of Canadian telecom firm Nortel, spending hours jumping from one of the company's computers to the next. His technical skills earn him respect within the hacking community, and some of his closest friends exist only as aliases on a computer screen.
In the late 80s, it was very easy for Mr. Assange's exploits to go unnoticed. But today's generation of hackers, hacktivists and hangers-on, armed with easy-to-use tools and access to myriad government and corporate targets, are operating far less quietly. It is almost impossible to measure the financial and geopolitical ramifications should attacks such as Operation Payback continue to grow in popularity. Already, some security experts are bracing for disruptions to the lucrative holiday shopping season, as tens of thousands of people download the program that allows their computers to be used in DDoS attacks. A freelance cyberarmy of the dismayed and disgruntled is only just starting to flex its muscles.
Some clues as to where the hacktivist movement is headed might be found in the movement's early days. Then, as now, the subculture was dominated by young, bright minds with fanatically held principles about issues such as transparency and a near-nihilistic skepticism of authority figures.
In one passage in Underground, Mr. Assange is dismayed to find out that some fellow hackers in the U.S. had gone to work for the military. It seems to him a violation of some unspoken code – a code he would continue to follow with the founding of WikiLeaks and the decision to release the biggest cache of classified documents in history.
"Hackers, he thought, should be anarchists, not hawks."