Skip to main content

Songs on the Security of Networks
a blog by Michał "rysiek" Woźniak

How (not) to talk about hackers in media

Polish version of this entry has originally been published by Oko Press.

Excessive use by the media of words “hacker”, “hacking”, “hack”, and the like, whenever a story concerns information security, online break-ins, leaks, and cyberattacks is problematic:

  1. Makes it hard to inform the public accurately about causes of a given event, and thus makes it all but impossible to have an informed debate about it.
  2. Demonizes a creative community of tinkerers, artists, IT researchers, and information security experts.

Uninformed public debate

The first problem is laid bare by the recent compromise of a private e-mail account belonging to Michał Dworczyk, Polish PM’s top aide.

Headlines like “Hacker attack against Dworczyk” or “Government hacked” put Mr Dworczyk and the government in a position of innocent victims, who got “attacked” by some assumed but unknown (and thus, terrifying) “hackers”, who then seem to be the ones responsible.

How would the public debate change if instead the titles were “Sensitive data leaked from an official’s insecure private account” or “Private e-mail accounts used for official government business”? Perhaps the focus would move to Mr Dworczyk’s outright reckless negligence (he did not even have 2-factor authentication enabled). Perhaps we would be talking about why government officials conduct official business using private e-mail accounts – are they trying to hide anything?

These are not hypothetical: after the leak became public Polish government immediately blamed “Russian hackers”

The problem is bigger than that, though. Every time an Internet-connected device turns out not to be made secure by the manufacturer (from light bulbs, through cars, all the way to sex toys), media write about “hacking” and “hackers”, instead of focusing on the suppliers of the faulty, insecure product. In effect, energy and ink are wasted on debating “how to protect from hackers”.

On the one hand, this doesn’t help with solving the actual issues at hand (government officials not using secure government infrastructure, politicians not using most basic security settings, hardware manufacturers selling insecure products).

On the other: laws are written and enacted (like the Computer Fraud and Abuse Act in the USA) which treat tech-savvy, talented and curious individuals as dangerous criminals and terrorists. This leads to security researchers who responsibly inform companies about security issues they find being charged with “hacking crimes”.

Hacker community

A large part of these talented, tech-savvy people would call themselves “hackers”, though not all hackers are necessarily tech-savvy. Hacker is a curious person, someone who thinks out of the box, likes to transgress and to share knowledge: "*information wants to be free".

Haker needs not be an IT professional. MacGyver or Leonardo da Vinci are great examples of hackers; so is Polish artist Julian Antonisz. They espouse creative problem solving and the drive to share and help others.

Polish hacker community (like communities in other places) revolves around hackerspaces. Most of them are official, registered organizations (foundations or associations, usually) with members, boards, and a registered address. Polish hackers took part in public debates, pressed thousands of medical visors and sent them (for free) to medical professionals fighting the pandemic, organized hundreds of hours of cybersecurity trainings for anyone interested. They also became subjects of a sociology paper.

Globally, hackers are just as active: they take part in public consultations, 3d-print missing parts for medical ventilators, or help Arab Spring protesters deal with Internet blocks.

It’s difficult to say when the hacker movement had started – no doubt Ada Lovelace is a member, after all – but MIT’s Tech Model Railroad Club is often mentioned as an important place and time (late 1940’s and early 1950’s) for the birth of the modern hacker culture. Yes, the first modern hackers were model rail hobbyists. At that time in communist Poland we called such people “tinkerers”.

As soon as personal computers and the Internet started becoming popular, so did hacker culture (while also becoming somewhat fuzzy). First hackerspaces emerged: spaces where hackers could dive into their hobbies and share knowledge. Places to sit with a laptop and focus, get WiFi, power, and coffee. Sometimes there’s a server room. Often – a wood- or metalworking workshop, 3d printers, electronic workshop, laser cutter. Bigger ones (like the Warsaw Hackerspace) have heavier equipment, like lathes.

Hackerspaces are an informal, global network of locations where members of the community, lost in an unfamiliar city, can get access to power and the Internet, and find friendly faces. Gradually some hackerspaces started associating into bigger hacker organizations, like the Chaos Computer Club in Germany. Related movements also sprang up: the free software movement, the free culture movement.

Eventually, Fablabs and Makerspaces became a thing. These focus more on the practical, creative side of the hacker movement.

Borders here are blurry, many Fab Labs and Makerspaces do not self-identify as part of the hacker movement. In general: Makerspaces focus less on the hacker ethic, and more on making things. They also tend to be less interested in electronics and programming. Fablabs in turn are makerspaces that are less focused on building a community, and more on creating a fabrication labortory available commercially to anyone who’s interested (and willing to pay).

Hacker ethic

There is no single, globally recognized definition of the hacker ethic – but there are certain common elements that pop up on almost any relevant list:

  • knowledge empowers, access to it should not be stifled (“information wants to be free”);
  • authority is always suspect, so is centralization (of knowledge, power, control, etc.);
  • the quality of a hacker is not judged based on skin color, gender, age, etc., but based on knowledge and skill;
  • practice is more important than theory.

Hackers are often keenly aware of the difference between something being illegal, and something being unethical. Illegal and unethical actions are way less interesting than illegal but ethical actions.

Hence hackers’ support for journalists and NGOs.

Hence tools like the Tor Project, SecureDrop, Signal, or Aleph, broadly used by journalistic organizations around the world, but started and developed by members of the hacker community.

And hence actions of groups like Telecomix, ranging from helping Tunisians and Egyptians circumvent Internet blockages, to swiping server logs proving that companies from the USA were helping the Syrian government censor the Internet and spy on Syrian citizens.

Why did Telecomix decide to publish these server logs? Because Syrian government’s actions, and actions of the co-operating Americans, were utterly unethical, and technology was used by them in ways that are not acceptable to hackers: blocking access to knowledge and stifling opposition. Hacker ethics in action.

Hackers and burglars

As with any ethical question, making value-judgments about such actions is not a black-and-white affair. The line between a hacker and a cybercriminal is fuzzy, and roughly defined by that not-entirely-clear hacker ethic. But that still does not make it okay to outright equate all hackers to cybercriminals.

A good synonym for the verb “hack” (in the hacker culture context) is “tinker”. Usually that means something completely innocent, like fixing one’s bicycle or installing new shelves in the garage. And while “tinkering” with somebody else’s door lock does sound quite shady, we still won’t say: “someone tinkered into my apartment and stole my TV set.”

There are hacker-burglars, just like there are tinkerer-burglars. And yet if a tinkerer breaks-in somewhere, we’d call them a burglar. When a tinkerer steals something from someone, we’d call them a thief.

It would be absurd to claim some large robbery was perpetrated by a “gang of tinkerers” just because tools were used in the process.

We would not call “tinkerers” a group of kids who break into teachers’ launge by breaking the lock with a screwdriver.

And finally, we would also not speak of “tinkerers” while refering to a criminal group financed, equipped, and trained by a nation state, which guides the groups’ efforts.

And yet, somehow, we are not bothered by headlines like: “300 Lithuanian sites hacked by Russian hackers” or quotes along the lines of: “13-year-old boy hacked into school computer system to get answers to his homework.”

There is an important difference between an organized crime group (whether it is active on-line or off-line is a separate matter), and a state espionage unit. The Chinese thirteen year old has nothing in common with Russian cyber-spies, and these in turn don’t have much in common with a criminal gang demanding ransom on-line. Calling all of them “hackers” is neither informative, nor helpful.

Reality bytes

Outside of computer slang, the verb “hack” means “to chop, to cut roughly”. At some point at MIT the word started to be used as a noun meaning “a practical joke”, “a prank”, especially when referring to pranks which required inventiveness and dedication. In hacker culture it gained one additional meaning: “perhaps not very elegant, but efective and ingenious solution to a problem.”

The “problem” could be wrong voltage of the current in the model railway tracks, or Internet being blocked in Tunisia, or… no public access to a library of scientific papers. And since information wants to be free", somebody should fix that.

That, however, can easily be interpreted as a “cyberattack” – thanks to the aforementioned laws written in order to “defend from hackers”. That led to persecution of a hacker, activist, co-founder of Reddit, the creator of SecureDrop and co-creator of the RSS format, Aaron Swartz. After his death, JSTOR decided to make their library a bit more open to the public.

Had the hacker movement not been demonized so much, perhaps law enforcement agencies would treat that case differently, and Aaron would still be alive.

Frequently Asked Questions

How should people who break into individual and corporate systems with malicious intent be called?

Crackers” or “cybercriminals”, if we’re talking about criminal break-ins. “Vandals” (perhaps with an adjective, like “digital”, “internet”, etc.), if we’re talking about breaking in and defacing a website – especially if it did not require high technical skill (like in the case of the notorious admin1 password on Polish Prime Minister’s website during ACTA). “(Cyber)spies” if we’re talking about attacks perpetrated, financed, or otherwise connected to nation state governments.

When in doubt, one can always call them “attackers”, “malicious actors”, etc.

Technical note: often there even was no actual break-in! For example, in case of “young hackers” who allegedly “broke into” servers of a Polish provider of cloud services for schools, the perpetrators “overloaded the servers, temporarily making it difficult to continue on-line classes.” It’s not that different from a group of people staging a sit-in in front of the school entrance – hardly a break-in!

When to actually call someone a hacker

In the similar situations as we would be inclined to call them a “tinkerer” if a given event was not related to computers. This is really a very good model.

[Tinkerers] broke into the glass-case with school announcements and posted unsavory messages” – doesn’t sound all that well. Even if these vandals do call themselves “tinkerers”. So, also not: “[Hackers] broke into a website and defaced it.”

[Tinkerers] manufactured 50.000 anti-covid face shields and sent them to hospitals and other medical institutions” – that works. So, also: “hackers manufactured…

[Tinkerers] broke into a minister’s apartment” makes utterly no sense. And so does “hackers broke into minister’s e-mail account”: you want “unknown perpetrators”, “attackers suspected to be working with foreign intelligence services”, etc.

What are hackathons?

Hackathons are events where technically-skilled people try to solve certain problems or achieve some goal in a strictly limited time. Hackathons can be charity-focused (like Random Hacks of Kindness or Polish SocHack a few years ago), or focused on creating technological startups (like the Startup Weekend).

What is hacking, really?

Hacking is simply tinkering, although it does suggest that computers are being used (usually, but not always). No, really. You can check for yourself at your local hackerspace.

Isn’t the fight for this word already lost? Wouldn’t it be easier to just find a new word for this community?

We tried – “hacktivist” and “digital activist” did not come from nowhere. But they immediately started being co-opted to mean “cybercriminal”, for example here:

“Activists or hacktivists are threat actors motivated by some political, economic, or social cause, from highlighting human rights abuse to internet copyright infringement and from alerting an organization for its vulnerabilities to declaring online war with people or groups whose ideologies they do not agree with”

There are examples of words that have been reclaimed by their communities. The LGBTQ+ movement successfully reclaimed several words that used to be slurs used against homosexual people (nobody in mainstream media would today use the f-word!). Similarly, the Black community in the USA successfully reclaimed the n-word.

Finally, and perhaps most importantly: why should we give up on this word without a fight at all? This is how we call ourselves, this is how this community refers to itself, are we not worthy of a completely basic measure of respect? Why should we just silently accept being lumped with criminals and spies, only because some people find it easier to type “hacker” than trying to figure out what actually happened in a particular case?