Skip Navigation
BlackBerry Blog

Why Don’t We Just Eliminate All the Hackers?

FEATURE / 12.04.18 / Pete Herzog

Answers to most every hacker question…

Is it the Company’s Fault They Were Breached?

In some ways. We could have a philosophical argument about fault and victims, or we can just agree that it’s happening and as long as it is, the victim needs to do something to protect themselves.

The world sucks sometimes, and breaches are part of that suck. So, while the criminal hacker is always at fault for attacking, the victim is never at fault for being a victim. But there’s an exception: when property, including money, data, identifying info, etc. of the company’s customers and employees gets stolen, then those people are the actual victims, and the company is now sharing part of the guilt for not safeguarding that property.

It’s at least like a drunk driving accident, where the driver is both guilty for dangerously poor judgment and is a victim at the same time. Unless another car is involved, in which case more charges are levied on the driver for the other crimes committed due to that poor judgment, and the other car’s occupants are the true victims.

Unfortunately, too often customer data loss from a breach is at most a breach of contract to properly protect client or employee property, but in reality should it also include some form of criminal collusion or maybe aiding and abetting with the criminal? And you know why it’s not?

Mainly because it would chill innovation and modernization, which both have at the least some major economic repercussions. And if it was criminal, then many companies wouldn’t report it to avoid incriminating themselves, which is worse for the real victims, customers and employees because they may never know they’ve been robbed and can’t take steps to counter further problems or even demand remuneration from the company.

So, it seems the current reality is yes, the company is at fault, but if they follow the proper fessing-up to their mistakes, they can avoid penalties and taking blame, which is the whole point of finding out who is at fault.

Only Foreigners Attack Us, Right? So it’s a Foreign Policy Issue?

A foreign policy issue? Criminal hackers want many things - from money to fulfilled egos - it isn’t a nation-specific issue. The traditional understanding is that criminal hackers look for opportunities - whether it’s a vulnerability in an application to gain direct entry, or a popular topic that may trick you to clicking on a link - criminal hackers will use that opportunity to strike.

Many cybersecurity companies and government agencies have given advice over the years on how to protect yourself online that I will condense here into a single sentence on how to assure yourself complete protection: don’t have a bank account, register for anything online or offline, use social media, vote or use any government benefits of any kind, be in the military, use your personal identity number for anything, have any kind of electronic medical implant, drive a car newer than the 1980s with ABS and fuel injection, store any kind of data whether pictures or addresses on an electronic device that is networked in any way, or not walk into a “Smart City”. Additionally, you’d be wise to also not try to put footsy pajamas on a wild raccoon even if it has little pictures of raccoons on it. That won’t help you against hackers but it’s just sound advice from my experience and I don’t want you to suffer it too.

Shouldn’t I Just Secure My Devices and Computers?

Yes. Yes, you should. But it won’t help. You are you, that thing you reluctantly see in the mirror, and you are all the social, economic, and familial versions of you that exist electronically as data, money, resources, effort, and relationships all over the place. So, locking down all your devices is just a first step.

And mainly, you should do it so that your devices can’t be used as a stepping stone to attack other machines and other people, especially loved ones. So, do it for the same reason you vaccinate, to not be part of the problem. But remember, criminal hackers don’t need to hack you to get your money or data.

Do Honeynets Make me a Threat and Therefore a Target to Hackers?

No, honeynets (or honeypots to some) are awesome! It’s likely as close to being a lion toying with its prey as you’ll ever get without the costume and judgmental stares from your neighbors. They trap criminal hackers and bots and waste their time so their techniques can be studied and help us build better defenses. Except, unless you are a security researcher who understands what’s going on in there, you won’t be able to build better defenses from the information and you won’t stop criminal hackers from hacking your other devices or computers.

However, it is advised you don’t leave taunting messages in your honeynet or publicly trash talk criminal hackers with dares and threats, as that might actually make you a target to random Internet users who find you and your hubris more worthy of attack than the criminal hackers do who aren’t going to waste their time. But go ahead and try it, maybe I’m wrong. It’s not like it’s ever been studied or anything.

Hackers Never Targeted Me Until I Started Downloading Music Illegally - Coincidence or not?

No. And maybe yes. Anything you do online can draw attention to you. Especially anything you download to your computer or any websites you visit to find things you want to download which can be compromised, and thereby get you compromised. And it doesn’t even have to be the downloading of something potentially illegal. It can be literally anything. This goes back to the whole anything not protected could eventually be a stepping stone for another attack.

What's a Cheap Way to Keep Hackers from Getting Me?

Don’t use any online services, or offline services that have any online component. Chances are more likely you’ll be a victim of another place that has your money or data getting hacked than you specifically or directly.

Also, if you’re afraid of phishing, malware, or ransomware, use your computer’s built-in tools to prevent any new installs or write to any system or program directories. Sometimes you can do it by not being root or administrator as a user, but it may not be enough. But you asked for cheap, not impenetrable.

They Cause So Much Damage, Why Don't We Just Eliminate All the Criminal Hackers?

How?

Hacking back? Better Cyber Police? Military Force Against Them?

Who exactly would we eliminate?

I'm Just Asking Hypothetically…

One thing most cybersecurity experts agree on is that attribution online is hard. Really, really hard. Which means something, because those people don’t agree on a whole lot. So, the biggest problem is knowing who to eliminate, and we probably couldn’t eliminate every criminal hacker if we wanted to because we can’t really find them. Or maybe we just accept a very high level of collateral damage?

The bigger issue is that criminal hackers, while a menace, don’t even come close to the amount of theft caused by drugs, corruption, and all types of fraud. So maybe we eliminate that first. It’s got to be easier because at least we can see who’s doing it.

But really, for all the criminal hackers out there, there’s a lot more online traffic that looks like it’s nefarious but isn’t. It’s research, marketing, curious kids using hacking to learn how to navigate online, and even misconfigured systems making mistakes.

So, while we don’t need criminal hackers in our ecosystem, we do need hackers who know how things work and how to keep things running. Who do you think built a lot of this stuff anyways? Who do you think is helping build the cybersecurity defenses we use? Without hackers, it would all be a lot worse.

How Much Worse Could it Be?

Well, for starters, you wouldn’t be reading this.

Pete Herzog

About Pete Herzog

Guest Research Contributor at BlackBerry

Pete Herzog knows how to solve very complex security problems. He's the co-founder of the non-profit research organization, the Institute for Security and Open Methodologies (ISECOM). He co-created the OSSTMM, the international standard in security testing and analysis, and Hacker High School, a free cybersecurity curriculum for teens. He's an active security researcher, investigator, and threat analyst, specializing in artificial intelligence (AI), threat analysis, security awareness, and electronic investigation.