Wednesday, September 14, 2016

Welcome to the Dark Net

[ed. See also: Someone is learning how to take down the internet.]

His name is not Opsec, but I will call him that to guard his privacy. In webspace he is known as a grand master of the dark art of hacking. He is one of a small elite—maybe a hundred, maybe fewer—all of whom are secretive and obsessed with security. They do not talk about their work with their families. They generally do not talk to the press. Nonetheless, through friends of friends, Opsec agreed to speak and to introduce me to his perspectives. In “meatspace,” as he and others like him call the real world, Opsec lives in a metropolitan area in a little wooden house by a railroad track. He is in his mid-30s, physically imposing, and not a geek. He hangs out in a local bar, where the regulars know vaguely that he works with computers.

He is a fast talker when he’s onto a subject. His mind seems to race most of the time. Currently he is designing an autonomous system for detecting network attacks and taking action in response. The system is based on machine learning and artificial intelligence. In a typical burst of words, he said, “But the automation itself might be hacked. Is the A.I. being gamed? Are you teaching the computer, or is it learning on its own? If it’s learning on its own, it can be gamed. If you are teaching it, then how clean is your data set? Are you pulling it off a network that has already been compromised? Because if I’m an attacker and I’m coming in against an A.I.-defended system, if I can get into the baseline and insert attacker traffic into the learning phase, then the computer begins to think that those things are normal and accepted. I’m teaching a robot that ‘It’s O.K.! I’m not really an attacker, even though I’m carrying an AK-47 and firing on the troops.’ And what happens when a machine becomes so smart it decides to betray you and switch sides?”
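The poisoning scenario Opsec describes, as an added illustration that is not part of the article: a detector that learns "normal" from a traffic window the attacker has already seeded will raise its threshold until the attacker's own transfers look ordinary. The script below is constructed sample data and hypothetical helper functions, not the Company's system. It contrasts a mean-plus-standard-deviation baseline, which a few large seeded samples inflate, with a median-plus-MAD baseline, which stays put unless most of the training window is bad, and adds the sanity check a defender would run on the training set itself: a large gap between the two estimates is a sign the baseline was learned from compromised traffic.

```python
"""Added example (not from the article): a learned traffic baseline skewed by
attacker samples in its training window, and a robust alternative.
All numbers below are constructed sample data for one host."""
import statistics

# Constructed clean baseline: outbound MB per 5-minute window.
CLEAN_BASELINE = [10, 12, 11, 9, 13, 10, 12, 11, 10, 12,
                  11, 9, 13, 10, 12, 11, 10, 12, 11, 9]

# Constructed attacker-seeded windows: if these land in the learning phase,
# the detector is taught that large outbound transfers are normal.
POISON_SAMPLES = [200, 220, 210, 230]


def naive_threshold(baseline, k=3.0):
    """Mean + k*stdev. A handful of large samples drags both terms upward."""
    mu = statistics.mean(baseline)
    sigma = statistics.pstdev(baseline)
    return mu + k * sigma


def robust_threshold(baseline, k=3.0):
    """Median + k*MAD. Roughly half the window must be bad before the
    estimate moves much, so a few poisoned samples cannot hide a spike."""
    med = statistics.median(baseline)
    mad = statistics.median(abs(x - med) for x in baseline)
    return med + k * 1.4826 * mad  # 1.4826 rescales MAD to a stdev for normal data


def is_anomalous(value, threshold):
    return value > threshold


def baseline_looks_contaminated(baseline, ratio=2.0):
    """Sanity check on the training set: if the mean-based threshold is far
    above the median-based one, the window contains outliers that should be
    reviewed before it is trusted as 'normal'."""
    return naive_threshold(baseline) > ratio * robust_threshold(baseline)


def compare(observation):
    """Verdicts for one new observation under clean and poisoned baselines."""
    clean = CLEAN_BASELINE
    poisoned = CLEAN_BASELINE + POISON_SAMPLES
    return {
        "naive_clean": is_anomalous(observation, naive_threshold(clean)),
        "naive_poisoned": is_anomalous(observation, naive_threshold(poisoned)),
        "robust_poisoned": is_anomalous(observation, robust_threshold(poisoned)),
        "poison_detected": baseline_looks_contaminated(poisoned),
    }


if __name__ == "__main__":
    # A 150 MB window is flagged by the clean baseline and by the robust one,
    # but slips past the naive detector once its baseline has been poisoned.
    print(compare(150))
```

The point is not the particular estimator but the check: any detector that learns from live traffic needs its training window validated against something the attacker could not have influenced (an earlier clean capture, a known-good host set, or a robust estimate like the one above) before it is allowed to decide what counts as normal.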

Opsec lives in a hall of mirrors. He understands that webspace and meatspace, though connected, remain largely distinct. Given sufficient motivation and time, Opsec can break into almost any secure network without setting off alarms. Breaking in used to thrill him, because once inside he could roam as he liked, but success comes too easily now: with such an attack, he has to find only a single way in. By contrast, defense presents the challenge of out-thinking every aggressor. This appeals to him, and he works now on the defending side. Usually this means protecting company networks from criminal attacks, or reacting to attacks after damage has been done. Opsec does not do the routine stuff. He is the man for the serious cases. He has seen some big ones. But even he was taken aback when, late last year, he stumbled upon a hack—a sliver of alien software on American shores—which suggested that preparations were being made for a cyber-attack of unprecedented scale.

I will call his client the Company. It is an Internet behemoth. It streams entertainment online and makes direct regular connections to more than 70 million personal computers worldwide. The Company does not charge for the connections but rather for the services it provides. It is very profitable. And it is under frequent attack from many parts of the world. Most of the attacks are drive-by shootings—spray-and-prays that succumb harmlessly to the defenses that Opsec has helped design. But some are carefully aimed and have threatened the Company’s existence.

He first intervened six years ago, after a data center had been hacked (as Opsec puts it) in a fucking major way. The intruders had gone after key systems, including the central payment processor and the C.E.O.’s computer, and had stolen credit-card and financial data as well as the Company’s proprietary source code—the secret formula upon which the business is built. Opsec worked for nearly six months to clean up the mess. By backtracking he discovered that the hackers were a group associated with the Chinese army. They operated out of a specific building near Shanghai, which he was able to locate, and specialized in targeting entertainment companies. Eventually he was able to identify some of the individuals involved, and even to obtain pictures of them. Nominally, that was the end of it. Opsec told me that because a government was involved, and legal recourse in China was unrealistic, no further action was taken.

What do you do when there is no law? Counter-hacking is a temptation, but can be dangerous. The Russian mob, for instance, has a poor sense of humor, and Colombian drug cartels are not much fun, either. Also, among independent hackers there is no small number of psychopaths. Over the years the Company has endured death threats, rape threats, and bomb scares. It gets personal. In a world without privacy, home addresses as well as the names of spouses and children are easily found. As the Democratic National Committee recently discovered, it is better not to get hacked in the first place.

After the original breach by the Chinese, Opsec had urged the Company’s management to establish a vigorous information-security program, which it did by building three NASA-like control rooms scattered in data centers around the world. Collectively, they are staffed around the clock. The sole purpose is to catch intruders, and to catch them as quickly as possible. The average industry delay in detecting a malicious hack is 188 days. For the Company, Opsec was hoping to reduce the delay to minutes or even seconds. But late last year, when the operations manager called him at home and urgently requested his presence at the Company’s high-tech campus, about 20 miles away, he knew that those defenses had failed. Almost as disturbing, the alarm had been raised not by the security team but by an ordinary technician, a system administrator doing the drudgery of a routine review.

by William Langewiesche, Vanity Fair | Read more:
Image: Matthieu Bourel