The week of August 10, 2014

What the media gets wrong about hackers

By Gregg Housh

“They call themselves Anonymous. They are hackers on steroids, treating the Web like a real-life video game. Sacking websites, invading MySpace accounts, disrupting innocent people’s lives—and if you fight back, watch out. Phil Shuman tracks down the hacker games in this Fox 11 investigation.”

This now-infamous news segment from 2007 (as you may have guessed from the MySpace reference) wasn’t the first time that I realized most news media couldn’t be trusted to report about hacking, but it was one of the funniest. Here was a very serious anchor on a respectable news outlet blathering on about exploding yellow vans and gay porn, even trying to explain “lulz” to his viewers. It wasn’t hard-hitting reporting—it was comedy gold.

It also foreshadowed what would soon become a common practice in the modern media: a complete misrepresentation of who hackers are, and what makes them hackers in the first place.

Part of the blame for the media’s hacker-coverage ineptitude certainly comes from the complex nature of computer security. Another part comes from overzealous reporters jumping on dubious stories they have no business reporting. But much of the blame falls on hacker culture itself.

Hackers are, as a rule, braggards. And their reputations usually mean a great deal to them. It’s normal for them to oversell their skills and escapades. When journalists catch wind of the larger-than-life stories they trump up online, you can’t really blame them for jumping at the tales.

Of course, news organizations often make things worse with over-the-top shots of computer monitors, superhuman typing speeds, and ridiculous graphical interfaces. They build up these grandiose ideas of what hacking looks like in their heads, and then when confronted with the boring reality, they are forced to sex it up for the camera.

Good social engineers—hackers who trick people into turning over their personal information through, say, phone calls or email—are even less likely to be honest with reporters. It’s hard for people like that to stop playing games with people’s heads. And credulous reporters looking to make a name for themselves are the easiest target for trolling you could hope for. The end result? The public is told that all hackers are criminal masterminds, cybergods and boogeymen that can swoop in and take control of anyone’s digital life.

That narrative obscures the true nature of most hacks, and of hackers themselves.

The majority of “hacks” that you might hear about on the nightly news or in mainstream publications are simple automated attacks. You download a program someone else built, set the target, and click a few buttons. Sometimes you don’t even set a target, you just release it into the wilderness of the Internet and hope it hits something. It takes no skill whatsoever.

My hours spent fighting against firewalls and various system protections are too boring to report.

People who use tools like this to hack are often derisively called “script kiddies,” or “skiddies,” by the hacking community. They’re not building things. They’re not finding vulnerabilities. They’re not even learning how to trick people into handing over information they shouldn’t. They’re just kids running someone else’s scripts.

The most egregious “hacks” that the media picks up on are DDoS, or distributed denial-of-service, attacks. A DDoS attack is not a hack, in the true sense of the word. A DDoS attack does not involve breaking into someone else’s computer in any way. It doesn’t expose user data, doesn’t destroy files. A DDoS attack is very simply throwing so many requests for a response at a server that it does not have the processing power to spare on actual user requests. It’s like a hundred crazy couponers blocking every lane in the grocery store: It’s obnoxious but not damaging anything. So every time I see some talking head blathering on about DDoS as a hack, I want to throw things at the screen.

The frustrating thing—for journalists, at least—is that the reality of hacking is fairly boring, with rare moments of pure drama. It’s hours and hours of banging your head against a wall, tweaking lines of code, and staring at screens with black backgrounds and white text. It’s research and cold-calling people at all hours of the evening trying to trick somebody into slipping out their passwords. It’s weeks spent building your rainbow tables (a tool used to convert hashed password tables into usable data—real hacker stuff) and digging through databases. It’s caffeine and party-hard GIFs and no sleep for three days running.

No matter how I try to describe those moments I had to journalists, the vast majority of them don’t get it, or simply glaze over and stop paying attention. My hours spent fighting against firewalls and various system protections are too boring to report.

The media wants flashy sensationalism, so they dress it all up as something more than it is—boring, complicated, and sometimes completely made up.


Gregg Housh is an activist, writer, technical consultant for television and movies, and Web developer based in Boston. He is heavily associated with the Anonymous movement and hacktivism.