This piece has been written for and originally published in Polish by OKO.press.
When attributing, please attribute to: "Michał 'rysiek' Woźniak, Fundacja Ośrodek Kontroli Obywatelskiej „OKO”", and include a link to the original piece on OKO.press website.
Excessive use by the media of the words “hacker”, “hacking”, “hack”, and
the like, whenever a story concerns information security, online
break-ins, leaks, and cyberattacks, is problematic:
- It makes it hard to inform the public accurately about the causes of a
given event, and thus makes it all but impossible to have an informed
debate about it.
- It demonizes a creative community of tinkerers, artists, IT
researchers, and information security experts.
The first problem is laid bare by the recent
compromise of a private e-mail account belonging to Michał Dworczyk,
Polish PM’s top aide.
Headlines like “Hacker attack against Dworczyk” or
“Government hacked” put Mr Dworczyk and the government in a
position of innocent victims, who got “attacked” by some assumed but
unknown (and thus, terrifying) “hackers”, who then seem to be the ones
responsible.
How would the public debate change if instead the titles were
“Sensitive data leaked from an official’s insecure private
account” or “Private e-mail accounts used for official
government business”? Perhaps the focus would move to Mr Dworczyk’s
outright reckless negligence (he did not even have 2-factor
authentication enabled). Perhaps we would be talking about why
government officials conduct official business using private e-mail
accounts – are they trying to hide anything?
These are not hypothetical: after the leak became public, the Polish
government immediately
blamed “Russian hackers”…
The problem is bigger than that, though. Every time an
Internet-connected device turns out not to be made secure by the
manufacturer (from light
bulbs, through cars,
all the way to sex
toys), media write about “hacking” and “hackers”, instead of
focusing on the suppliers of the faulty, insecure product. In effect,
energy and ink are wasted on debating “how to protect from hackers”.
On the one hand, this doesn’t help with solving the actual issues at
hand (government officials not using secure government infrastructure,
politicians not using most basic security settings, hardware
manufacturers selling insecure products).
On the other: laws are written and enacted (like the Computer
Fraud and Abuse Act in the USA) which treat tech-savvy, talented and
curious individuals as dangerous criminals and terrorists. This leads to
security researchers who responsibly inform companies about security
issues they find being
charged with “hacking crimes”.
A large part of these talented, tech-savvy people would call
themselves “hackers”, though not all hackers are necessarily tech-savvy.
A hacker is a curious person, someone who thinks out of the box, likes to
transgress and to share knowledge: “information
wants to be free”.
A hacker need not be an IT professional. MacGyver or Leonardo da
Vinci are great examples of hackers; so is Polish artist Julian
Antonisz. They espouse creative problem solving and the drive to
share and help others.
The Polish hacker community (like communities in other places) revolves around
hackerspaces. Most of them are official, registered organizations
(foundations or associations, usually) with members, boards, and a
registered address. Polish hackers took part in public
debates, pressed
thousands of medical visors and sent them (for free) to medical
professionals fighting the pandemic, organized
hundreds of hours of cybersecurity trainings for anyone interested.
They also became subjects of a
sociology paper.
Globally, hackers are just as active: they take part in public
consultations, 3d-print
missing parts for medical ventilators, or help
Arab Spring protesters deal with Internet blocks.
It’s difficult to say when the hacker movement started – no doubt
Ada Lovelace is
a member, after all – but MIT’s Tech Model
Railroad Club is often mentioned as an important place and time
(late 1940s and early 1950s) for the birth of the modern hacker
culture. Yes, the first modern hackers were model rail hobbyists. At
that time in communist Poland we called such people
“tinkerers”.
As soon as personal computers and the Internet started becoming
popular, so did hacker culture (while also becoming somewhat fuzzy).
First hackerspaces emerged: spaces where hackers could dive into their
hobbies and share knowledge. Places to sit with a laptop and focus, get
WiFi, power, and coffee. Sometimes there’s a server room. Often – a
wood- or metalworking workshop, 3d printers, electronic workshop, laser
cutter. Bigger ones (like the Warsaw
Hackerspace) have heavier equipment, like lathes.
Hackerspaces are an informal, global
network of locations where members of the community, lost in an
unfamiliar city, can get access to power and the Internet, and find
friendly faces. Gradually some hackerspaces started associating into
bigger hacker organizations, like the Chaos Computer
Club in Germany. Related movements also sprang up: the free software
movement, the free culture movement.
Eventually, Fablabs and Makerspaces
became a thing. These focus more on the practical, creative side of the
hacker movement.
Borders here are blurry: many Fab Labs and Makerspaces do not
self-identify as part of the hacker movement. In general: Makerspaces
focus less on the hacker ethic, and
more on making things. They also tend to be less interested in
electronics and programming. Fablabs in turn are makerspaces that are
less focused on building a community, and more on creating a fabrication
laboratory available commercially to anyone who’s interested (and willing
to pay).
Hacker ethic
There is no single, globally recognized definition of the hacker
ethic – but there are certain common elements that pop up on almost any
relevant list:
- knowledge empowers, access to it should not be stifled
(“information wants to be free”);
- authority is always suspect, so is centralization (of knowledge,
power, control, etc.);
- the quality of a hacker is not judged based on skin color, gender,
age, etc., but based on knowledge and skill;
- practice is more important than theory.
Hackers are often keenly aware of the difference between something
being illegal, and something being unethical. Illegal and unethical
actions are way less interesting than illegal but ethical actions.
Hence hackers’ support for journalists and NGOs.
Hence tools like the Tor
Project, SecureDrop, Signal, or Aleph, broadly used by
journalistic organizations around the world, but started and developed
by members of the hacker community.
And hence actions of groups like Telecomix, ranging
from helping Tunisians and Egyptians circumvent Internet blockages, to
swiping
server logs proving that companies from the USA were helping the Syrian
government censor the Internet and spy on Syrian citizens.
Why did Telecomix decide to publish these server logs? Because the Syrian
government’s actions, and actions of the co-operating Americans, were
utterly unethical, and technology was used by them in ways that are not
acceptable to hackers: blocking access to knowledge and stifling
opposition. Hacker ethics in action.
Hackers and burglars
As with any ethical question, making value-judgments about such
actions is not a black-and-white affair. The line between a hacker and a
cybercriminal is fuzzy, and roughly defined by that not-entirely-clear
hacker ethic. But that still does not make it okay to outright equate
all hackers to cybercriminals.
A good synonym for the verb “hack” (in the hacker culture
context) is “tinker”. Usually that means something completely
innocent, like fixing one’s bicycle or installing new shelves in the
garage. And while “tinkering” with somebody else’s door lock does sound
quite shady, we still won’t say: “someone tinkered into my apartment
and stole my TV set.”
There are hacker-burglars, just like there are tinkerer-burglars. And
yet if a tinkerer breaks in somewhere, we’d call them a
burglar. When a tinkerer steals something from someone, we’d
call them a thief.
It would be absurd to claim some large robbery was perpetrated by a
“gang of tinkerers” just because tools were used in the process.
We would not call “tinkerers” a group of kids who break into
the teachers’ lounge by breaking the lock with a screwdriver.
And finally, we would also not speak of “tinkerers” while referring to
a
criminal group financed, equipped, and trained by a nation state,
which guides the group’s efforts.
And yet, somehow, we are not bothered by headlines like: “300
Lithuanian sites hacked by Russian hackers” or quotes along the
lines of: “13-year-old
boy hacked into school computer system to get answers to his
homework.”
There is an important difference between an organized crime group
(whether it is active on-line or off-line is a separate matter), and a
state espionage unit. The Chinese thirteen year old has nothing in
common with Russian cyber-spies, and these in turn don’t have much in
common with a criminal gang demanding ransom on-line. Calling all of
them “hackers” is neither informative, nor helpful.
Reality bytes
Outside of computer slang, the verb “hack” means “to chop,
to cut roughly”. At some point at MIT the word started to be used as a
noun meaning “a practical joke”, “a prank”, especially when referring to
pranks which required
inventiveness and dedication. In hacker culture it gained one
additional meaning: “perhaps not very elegant, but effective and
ingenious solution to a problem.”
The “problem” could be wrong voltage of the current in the model
railway tracks, or Internet being blocked in Tunisia, or… no public
access to a library of
scientific papers. And since “information wants to be free”, somebody
should fix that.
That, however, can easily be interpreted as a “cyberattack” – thanks
to the aforementioned laws written in order to “defend from
hackers”. That led to
the persecution of a hacker, activist, co-founder of Reddit, the creator
of SecureDrop and co-creator of the RSS format, Aaron Swartz. After his
death, JSTOR decided
to make their library a bit more open to the public.
Had the hacker movement not been demonized so much, perhaps law
enforcement agencies would treat that case differently, and Aaron would
still be alive.
Frequently Asked Questions
How should people who break into individual and corporate systems with malicious intent be called?
“Crackers” or “cybercriminals”, if we’re talking
about criminal break-ins. “Vandals” (perhaps with an adjective,
like “digital”, “internet”, etc.), if we’re talking
about breaking in and defacing a website – especially if it did not
require high technical skill (like in the case of the notorious
admin1
password on Polish Prime Minister’s website during
ACTA). “(Cyber)spies” if we’re talking about attacks
perpetrated, financed, or otherwise connected to nation state
governments.
When in doubt, one can always call them “attackers”,
“malicious actors”, etc.
Technical note: often there was not even an actual break-in! For example,
in the case of “young
hackers” who allegedly “broke into” servers of a Polish provider of
cloud services for schools, the perpetrators “overloaded the
servers, temporarily making it difficult to continue on-line
classes.” It’s not that different from a group of people staging a
sit-in in front of the school entrance – hardly a break-in!
When to actually call someone a hacker
In the same situations in which we would be inclined to call them a
“tinkerer” if a given event were not related to computers. This is really
a very good model.
“[Tinkerers] broke into the glass-case with school announcements
and posted unsavory messages” – doesn’t sound all that good. Even
if these vandals do call themselves “tinkerers”. So, also not:
“[Hackers] broke into a website and defaced it.”
“[Tinkerers] manufactured 50.000 anti-covid face shields and sent
them to hospitals and other medical institutions” – that works. So,
also: “hackers manufactured…”
“[Tinkerers] broke into a minister’s apartment” makes
utterly no sense. And so does “hackers broke into minister’s e-mail
account”: you want “unknown perpetrators”, “attackers
suspected to be working with foreign intelligence services”,
etc.
What are hackathons?
Hackathons are events where technically-skilled people try to solve
certain problems or achieve some goal in a strictly limited time.
Hackathons can be charity-focused (like Random
Hacks of Kindness or Polish SocHack
a few years ago), or focused on creating technological startups (like
the Startup
Weekend).
What is hacking, really?
Hacking is simply tinkering, although it does suggest that computers
are being used (usually, but not always). No, really. You can check for
yourself at your local
hackerspace.
We tried – “hacktivist” and “digital activist” did
not come from nowhere. But they immediately started being co-opted to
mean “cybercriminal”, for example here:
“Activists or hacktivists are threat actors motivated by some
political, economic, or social cause, from highlighting human rights
abuse to internet copyright infringement and from alerting an
organization for its vulnerabilities to declaring online war with people
or groups whose ideologies they do not agree with”
There are examples of words that have been reclaimed by their
communities. The LGBTQ+ movement successfully reclaimed several words
that used to be slurs used against homosexual people (nobody in
mainstream media would today use the f-word!). Similarly, the Black
community in the USA successfully
reclaimed the n-word.
Finally, and perhaps most importantly: why should we give up on this
word without a fight at all? This is what we call ourselves, this is how
this community refers to itself. Are we not worthy of a completely basic
measure of respect? Why should we just silently accept being lumped with
criminals and spies, only because some people find it easier to type
“hacker” than trying to figure out what actually happened in a
particular case?