I read about the Twitter hackers being arrested and charged in parallel with a great story by Adam Greenberg in Wired about Marcus Hutchins, the young geek who was credited with partly stopping the devastating WannaCry malware in 2017.
The brilliant and tireless Hutchins was a hero to many, but in the tell-all interview in Wired that is not how he sees himself at all.
Instead, Hutchins is consumed by regret and guilt. Regret because he slid into a world of crime that at first seemed cool but quickly became repugnant and dangerous. Guilt because many in the infosec industry who unconditionally supported him weren't aware that Hutchins' past included writing info-stealing banking malware.
Hutchins, now 25, was arrested and went to court for what he did. He continues to feel like a fraud with his peers for not coming clean on his dodgy past right from the start.
Moreover, and this needs to be stressed to kids by parents and schools, hacker life as in Hutchins' candid interview is not glamorous. There might be a few short-lived highs like when a criminal caper goes right, but otherwise it's lack of sleep, bad food like microwaved frozen pizzas, and loneliness and worrying that you will be caught while you hack hidden away from the world.
Because hackers get caught even though their activities might seem safe for them initially, as they're abstracted by their computers and networks from the hurt they cause. No wonder that it takes a shock to the system for kids to understand what they've done.
Take the Florida teenager in the Twitter hack: he started off with Minecraft cheats, and graduated to SIM swapping. This is when you steal phone numbers by porting them to a new Subscriber Identity Module card which allows a hacker to bypass two-factor authentication for password resets for email and service accounts. That way, the teenager involved in the Twitter hack managed to steal almost US$1 million ($1.5m) in Bitcoin crypto currency.
The money was spent on bling like jewel-encrusted sneakers and an expensive BMW. It's not like the hacker kids are subtle so as to avoid attention, but even then it doesn't look like the teenager got into trouble.
Here's the important thing though, that everyone from parents, schools and the invulnerable hackers themselves need to be aware of: digital crime has hit epidemic proportions and enormous monetary losses (we're talking billions of dollars a year) and there are strong incentives to find those who hack and hurt innocent people.
Cops who were initially flummoxed by new technology are getting better at tracing hackers.
Reading the indictment against one of the Twitter hackers, the criminal investigator from the US Internal Revenue Service clearly knew how to spot the basic mistakes they made and follow the digital trail left behind.
Those Bitcoin tumblers and mixers that criminals and scammers use to hide where their ransoms and stolen funds go to? There's a growing industry of companies that write software to trace obfuscated transactions recorded on the shared, immutable Blockchain database.
Kids shouldn't go "lolz, stupid cops won't find me" because eventually they will. If not directly, then by some crime web board operator that folds as law enforcement puts the squeeze on, and shops the script kiddies who registered to buy some remote access tool (RAT) for a few tenners to hack people with.
In the US especially, the penalties for hacking are simply enormous. If convicted, the Twitter hackers face decades in prison, quarter-million-dollar fines and restitution demands. It's also very hard to defend yourself against hacking charges as there is rarely evidence or witnesses in the accused's favour.
Another thing that can't be emphasised enough is that becoming a criminal hacker means you'll be exploited. Hutchins was run by the mysterious Vinny who pushed the young Briton further into digital crime. Wily Vinny's better than Hutchins and the Twitter hackers at hiding and hasn't yet been caught. Vinny will have other young, willing hackers groomed, doing all the work for him/her and taking all the risk, while s/he reaps the benefits.
Putting bright yet impressionable kids into a pipeline to prison like this seems really stupid as it's destructive for everyone involved.
To stop that process probably needs a broad long-term strategy, like the Dutch and UK police Hack_Right effort started two years ago with parental and school input.
Such a strategy would seek to explain how rubbish life as a black hat hacker is and that there's no gain or future in being one. It's the other side, being a white hat hacker, that's cool and matters.
The happy moments in the Hutchins interview were all about when he worked as a white hat hacker, doing good things and earning not just the respect of his peers, but good money as well.
In fact, that he had turned the corner was his saving grace and kept Hutchins out of prison. If that's not the right tale to tell the hacker kids trying to be cool online, I don't know what is.
