Sunday, September 13, 2009

Albert Gonzales: Two-Faced Hacker

An adage says there is no honor among thieves. U. S. Secret Service agents who employed a self-taught 28-year-old computer genius named Albert Gonzales to inform them of the activities of other hackers may now wish they'd never heard of him. Not only was Gonzales tipping off hackers that they were targets of federal investigations, Gonzales went on to break all records, not once but twice, for the largest amount of stolen credit-card and debit-card data: some 130 million numbers he amassed with the help of unnamed foreign cohorts, many in the former Soviet Union countries. Placed under arrest in 2008, Gonzales at first pled innocent, but as charges mounted up, first in New York, then in Massachusetts and New Jersey, and as he finally faced federal charges, on August 28 he decided to plead guilty. He will be behind bars at least until middle age, by which time his hacking skills will be hopelessly out of date. But will there still be hackers in 2034? My guess is: almost certainly.

I could dwell on the details of Gonzales's high lifestyle in his native town of Miami, but it is like the high-living stories of most other thieves: spend it while you got it, because you don't know when you'll ever have it again. You wonder if the Secret Service folks paying him for information ever noticed the BMW and the Rolex, but maybe he'd quit dealing with them by the time he was rolling in dough from more profitable employment.

This raises an ethical question that everyone who deals with computer security has to face: when does trying to think like a hacker in order to outwit other hackers cross the line into the gray area when you become a hacker yourself?

The term "hacker" means different things in different contexts. Back in the Middle Ages of electronics, I used to take apart old stereos and radios and put them back together in screwy ways. This was what many people would now term a type of hacking, which in its most general sense means using technology for a purpose that its designers did not originally plan on. But (except for the occasional prank) my purposes in hacking were innocent. Gonzales clearly intended to make a lot of money illegally by collecting tons of computer-record identities and selling them to the highest bidder. In this way he stayed in the background and got the advantages of wholesale crime without having to mess with the retail variety. And clearly he did it for the money, or for what the money could buy.

Now that computer hacking is an ongoing, large-scale criminal activity, the air of playful innocence that used to characterize its aficionados has largely dissipated. Perhaps justly, most organizations and government agencies assume that anyone hacking into their system is doing it to steal, or worse—there are always terrorists, and we have written occasionally about the danger of cyberwars waged by militant hackers.

For those interested in fighting crime, it will always be necessary to learn how the criminals do it in order to fight back. And in the case of hackers, agencies without enough homegrown talent will often look for a turncoat, but the possibility of double-agenthood—exactly what Gonzales did—is always present in such cases.

One of the best ways to keep good hackers from going bad is a thing that is becoming hard to find these days—or at least, I wouldn't know where to start looking for it, unless you could try the U. S. armed forces. What I'm talking about is a deep level of commitment to the good of a nation or organization that becomes the core of one's professional life. But it requires a stable lifetime of commitment on the part of the organization to achieve that, a stability that is increasingly hard to find these days.

One night, years ago, back in Massachusetts, I attended a talk given by a fellow who for years had been a supervisor in the New England Power Pool. This was the organization that coordinated operations of the Northeastern power plants and utilities to make sure everybody's power was reliable, stable, and there when they needed it. Power failures in the dead of winter in New England can be life-threatening, and as I listened to this guy talk, I realized that he was dedication incarnate. He wasn't blustery or table-pounding or anything—but he gave the impression of solid, firm, intelligent commitment to the high calling of keeping New Englanders' lights on, no matter what.

This was back in the days before utility deregulation, when power companies were quasi-governmental entities with more or less guaranteed profits. Perhaps it is just the nostalgic faulty memory of an aging engineer remembering a scene from his younger days, but it does seem to me that the stability engendered by the regulatory environment back then allowed the development of people who could really dedicate their lives to a good cause professionally, without worrying about layoffs and changing careers four or five times in their lifetimes. And, yes, it also allowed for incompetents to featherbed (goof off) for years in companies that didn't care about such things. Was the good worth the bad? I don't know, but I tend to think so.

The computer industry seems never to have been stable enough to produce a cadre of dedicated people whose entire careers could be given over to enforcing computer security for one firm. I'm sure there are such people, but in the nature of the business they've changed jobs several times, especially if they're good, and being dedicated to the good of an industry is a different thing from dedication to a stable group of people in one organization. But my metaphorical hat is off to those guardians of our credit card numbers, whoever they are and whoever they have worked for, who are constantly on the lookout for the activities of people like Albert Gonzales. May their numbers increase—securely.

Sources: Lately the Associated Press, with reasons that are not hard to imagine, has taken to putting sternly-worded copyright notices at the end of their articles, almost no matter where they appear. While they have every right to do so (and since this is a blog on engineering ethics I will attempt to honor their intentions), avoiding any piece of news that happens to appear under an Associated Press byline may get rather dicey at times. At any rate, this blog used material posted on August 18 at at, and background from other sources.

No comments:

Post a Comment