One must beware of overgeneralization and hyperbole, which characterize a great deal of discourse on the digital age.
My Master’s in Cyber Security is an interdisciplinary affair, with a handful of modules outside of my traditional School of Computing & Communications (SCC). One of these was the Department of Sociology’s Cybercrime module—SOCL491—which has taken up my last week of studies. The clearest sign that I have moved outside of my SCC comfort zone and into some form of real academia is the requirement to do actual pre-course reading. Each of the five days of lectures has come with a list of texts, ranging in both form and quantity from Mondays handful of articles, CYBERWAR episode and film to Thursday’s four articles, an entire journal and a book. In this series of posts, I will critically discuss each day’s readings.
To begin with: Monday. The day was divided into the topics of
introduction and social theory under Dr Moore, followed by
hacking with the mononymic Maxigas.
Cybercrime (Ch. 1), Principles of Cybercrime
Considering the theme of this first day is
Introduction, there is a degree of being taught to suck eggs. The first chapter of Prof. Jonathan Clough’s book commences with the story of Estonian Sergei Tsurikov, sentenced in 2014 to eleven years in a US prison for his role in the 2008 RBS WorldPay hack. Clough believes that this case
illustrates many of the features and challenges of modern cybercrimes.
Through the lens of routine activity theory, which states that the three factors necessary for the commission of a crime are motivation, opportunity and lack of a capable guardian to defend against it, Clough addresses the
key features of digital technology that facilitate crime and hamper law enforcement: scale; accessibility; anonymity; portability and transferability; global reach; and an absence of capable guardians. Clough briefly touches on the idea of Prof. Lawrence Lessig’s four modalities of constraint—the law, architecture, social norms and the market—in the discussion of guardianship, and clarifies that the area of interest in the subsequent chapters will be primarily legal.
Clough covers the historic nomenclature for his topic, outlining earlier (as well as less emotive and more descriptive) terms such as
computer-related crime and
crime by computer, strange intermediary mis-steps like
and the currently vogue terms of
high technology crime
net-crime. Clough defends his decision to favour
cybercrime as a result of its UN and Council of Europe adoption, before delineating Prof. David Wall’s concepts of
computer-supported crimes, pointing out that the division has been adopted in multiple legal systems, including the UK and the US.
Next up is the thorny issue of
cyberterrorism. Pointing out that there is
no accepted norm in international law for what constitutes terrorism, Clough nonetheless distinguished between technology-enabled terrorism—think Daesh’s online dissemination of execution videos—and
cyberterrorism in the narrower sense of . Clough concludes by acknowledging that
the use of computer network tools to harm or shut down critical national infrastructure
to date, cyberterrorism…is in the realm of speculation.
He then returns to a discussion of the
the scale of the problem, addressing difficulties in the acquiring of accurate figures on cybercrime, before moving on to the online/offline dichotomy.
Rarely, if ever, would it be the case that conduct which may be prosecuted offline should not be criminal online. Conversely, where conduct is not criminalised in the offline environment, the question is whether technology has had such an impact on the nature of the conduct or its prevalence that it necessitates criminalisation.
Most intriguing, to my mind, is the section on
virtual crimes, where Clough relates the story of Mr Bungle, made famous by Julian Dibbell’s article A Rape in Cyberspace. However, as Clough has admitted, his focus is primarily on criminal law, and this topic is subsequently given an overview that limits discussion of many of the more fascinating ontological aspects of this
true cybercrime. Finally, Clough summarises the Council of Europe’s 2001 Convention of Cybercrime and outlines the structure of the book that is to follow, but not for me.
Virtual Criminality: Old Wine in New Bottles?
Prof. Peter Grabosky’s paper makes the suggestion
that , whilst allowing that
virtual criminality is basically the same as the terrestrial crime with which we are familiar
some of the manifestations are new, but that the only real difference between
cyber crime is one of medium. The motives for crime remain the same, be they
…greed, lust, power, revenge, adventure, and the desire to taste
Much like Clough, Grabosky’s most interesting avenue of thought remains similarly underdeveloped. Regarding
interpersonal relations in cyberspace, and despite the article pre-dating it by a couple years, Grabosky proffers a salient point regarding much-maligned online communities such as 4chan (see Tuesday’s readings for more), stating that
[t]he illusion of anonymity seems to have elicited more candour over the internet than one would expect in face-to-face communications, but asking
…whether the role play that occurs in some chatrooms constitutes something completely different from good theatre…. He admits that
…some of this role play is extremely aggressive, or otherwise antisocial, but asks if it is really
…any more so than a performance of Hamlet?
Grabosky goes on to address the issue of
cyber-paeds (again, see Tuesday), asking if the fears are really new.
Cyberspace, he states,
serves the same function as the busstop, the schoolyard or the disco. At this mention of
the disco, I realise that 2001 really was quite a long time ago. He also offers that
…one may divide conventional criminals into two classes: the competent and the incompetent.
He then addresses the
new challenges for the state posed by this new wine, no matter how old the bottle may be.
[T]he capacity of public police is now acknowledged to be limited, with their role now
…often limited to that of legitimizing insurance claims and providing a few kind words (and perhaps some crime prevention advice) to the victim. Grabosky makes a compelling case that
[i]ndividuals are…largely on their own as far as crime prevention is concerned…so those who can afford it acquire sophisticated alarm systems and live in Grabosky’s point is that
[t]he necessity of self-reliance in crime control is no less in cyberspace than in one’s physical neighbourhood.
Grabosky goes on to address some of the
paradoxes of the digital age, such as cryptography’s dual role as both the bane of law enforcement and as a
…fundamental pillar of electronic commerce. Additionally,
[t]he annals of law enforcement are expanding with examples of police officers posing as 13-year-old girls who arrange online assignations with those who were once described as Following this, he addresses the threats to privacy as they existed even in his pre-September 11th world and
dirty old men.
the transnational dimension as it pertains to the difficulty of establishing jurisdiction. For example,
…Germany makes it a crime to disseminate neo-Nazi propaganda [whilst] the right to do so is protected by the Constitution of the United States of America.
Finally, Grabosky covers the ease by which third parties can be implicated within cybercrimes before conclusing that
[t]he policing of terrestrial space is now very much a pluralistic endeavour [and] [s]o too is the policing of cyberspace. However,
[i]n cyberspace today, as on terrestrial space two millenia ago, the first line of defence will be self-defence.
Cybercrime (Ch. 2), The Handbook of Measurement Issues in Criminology and Criminal Justice
Prof. Thomas Holt begins by reiterating the various definitions of cybercrime that Clough has covered previously. The unique focus of Holt’s work, however, is on the issues relating to the accurate measuring of cybercrime, which were only touched upon by Clough.
[T]here are few if any reporting categories for cybercrime in the existing national-level data sources for crimes made known to the police in many countries, such as the FBI’s Uniform Crime Reporting (UCR) and National Incident-Based Reporting System (NIBRS).
At present, the only forms of cybercrime that can be readily derived from NIBRS data are (1) sexual offences against children and (2) various forms of fraud.
There are multiple obstacles to data-gathering. Victims are unlikely, in many cases, to know that they even are victims. In the event that they find out, they may be unwilling to report it to the authorities out of fear of personal or professional humiliation, or they may just now know how to go about it. Equally, there may be a perception of
chalking it up to experience and that reporting the incident to the authorities would be unlikely to result in much action.
Holt announces that
…some researchers have begun to use data developed from online environments such as Web forums, bulletin board systems (BBS), and archival Web sites. The benefits of this approach seem to me manyfold, such as allowing unprecedented access to populations of, as Grabosky would put it,
competent criminals, unlike the previously-caught (and thus presumably
incompetent) that criminology has generally had to rely on in the past. There are, however, ethical issues with the use of such data, with Holt questioning whether the requirement to sign up for certain forums serves to declare their contents private.
The Zero Day Market (S01E09), CYBERWAR
This episode of CYBERWAR is quintessential Vice—heavy on dramatism, but not entirely without substance. Host Ben Makuch might do silly things like describing zero-day vulnerabilities as
figurative torpedoes, but there is nonetheless an interesting investigation into the world of zero-days. The centerpiece is a sequence in which Charlie Miller hacks a car as Makuch drives (and which seemed strangely familiar—Miller was brought in to do the same thing in an episode of Vice’s earlier Phreaked Out).
There are also interesting sections on the development of the first bug bounty programs and the anticlimax of the CanSecWest Pwn2Own finale, including what Makuch (who as we know works for Vice and is thus cool™) derides as a
super-tame hacker rap party. To be fair, it does look quite shit. Some much-needed perspective is added by Emerson Tan, who states that
if you were a criminal, you wouldn’t bother buying 0days. He explains that
they’re very, very expensive, it costs a huge amount of money to test them to make them reliable [and] if you’re a criminal, you just want the thing that works, and for the lowest cost for the maximum return. Demonstrating an exploit marketplace (and critiquing their web design), Tan reinforces the attack surface provided by the
millions and millions and millions and millions of people who fail to patch their software.
Makuch proceeds to get kicked out of a gated community on his way to an interview and stonewalled by a US government representative as to the nature of the zero-days held by the government. Finally, he interviews Chris Soghoian, who makes some interesting points around the militarisation of the police in the US via the trickle-down of military equipment from the armed forces, through the federal agencies and into the hands of state and local law enforcement. Soghoian fears that the same shall be true of the cyberweapons in the government’s possession, and that
when you give those tools to people who are going to be operating them without much training, and without much oversight, we’re gonna see abuses. We’re gonna see police officers spying on their ex-spouses, or their next-door neighbour who’s pissing them off. That, at least, is an angle I don’t think I’ve seen before.
DEFCON: The Documentary
The lecturer only specified a 30-minute portion of the film as the reading, but I’ve never been one for half-measures (hence why I am currently half-way through the first season of CYBERWAR). The film covers the 20th instalment of DEF CON, the largest annual hacker convention in the world. Format-wise it’s nothing special, following in the vein of Sadofsky’s other work, such as BBS: The Documentary, but it was perfectly entertaining. If anything, it’s made me even more upset that I’m not going along with the rest of LUHack to this year’s event.
An Interview with Hacker
Phineas Fisher as a Puppet
In an extended version of a scene from the Cyber Mercenaries episode (S01E03) of CYBERWAR, Ben Makuch interviews
Phineas Fisher about their attack on Hacking Team, with the condition that Fisher is to be represented by a frog puppet. Fisher’s own account of the hack in Hack Back!: A DIY Guide will likely be of far more interest to anyone with a degree of technical understanding, but the sight of Makuch attempting the usual Vice dramatics opposite a knock-off Kermit is well worth seeing regardless. Fisher explains that they can see similarities between themselves and Hacking Team’s employees, but that they differ primarily due to different upbringings and that they diverge specifically at the issue of whether they believe the police to be a force for good, as Hacking Team (presumably) do, or evil, as Fisher does.