A Sociology of Hackers
Tim JORDAN <email@example.com>
Paul TAYLOR <firstname.lastname@example.org>
The rapid growth of a world-wide computer network and its increasing use for the construction both of online communities and for reconstructing existing societies, means that unauthorized computer intrusion, or hacking, has wide significance. The 1996 report of a computer raid on Citibank that netted around $10 million indicates the potential seriousness of computer intrusion. Other, perhaps more whimsical, examples are the attacks on the CIA World Wide Web site, in which its title was changed from Central Intelligence Agency to Central Stupidity Agency, or the attack on the British Labor Party's web-site, in which titles like "Road to the Manifesto" were changed to "Road to Nowhere." These hacks indicate the vulnerability of increasingly important computer networks and the anarchistic, or perhaps destructive, world-view of computer intruders. (Miller, Gow and Norton-Taylor)
It is correct to talk of a world-view because computer intrusions come not from random, obsessed individuals but from a community that offers networks and support, such as the long running magazines Phrack and 2600. At present the only outlines of this community have come through biographically based journalistic accounts of either specific events, such as the pursuit and capture of Kevin Mitnick (Shimomura, 1996, Littman, 1996, Goodell, 1996), or of the role such intrusions play in the development of computer networks. (Sterling, 1992) The disparate attitudes to hackers shown in the recent collection, High Noon on the Electronic Frontier, eloquently demonstrate the lack of a coherent perspective on hacking. (Ludlow) In short, there has been no detailed sociological investigation of this community. To do this an introduction is needed to the nature of computer-mediated communication and of the act of computer intrusion, the hack. Following this the hacking community will be explored in three sections: first, a profile of the number of hackers and hacks; second, an outline of its culture through the discussion of six different aspects of the hacking community; and third, an exploration of the community's construction of a boundary, albeit fluid, between itself, the computer underground, and its other, the computer security industry. Finally, a conclusion that draws all material together will be offered.
In the early 1970s technologies that allowed people to use decentered, distributed networks of computers to communicate with each other were developed. Late in the 1970s a means by which the different networks of computers could be, in turn, connected to each other was developed, the Internet, and a worldwide network of computers became a reality. (Hafner and Lyons, 1996, Quarterman, 1990) In the early 1990s a new means of organizing and accessing information contained on computer networks was developed that utilized multi-media "point and click" methods, the World Wide Web. This new method made accessing computer networks far more intuitive and underpinned their entry into wider social consciousness and mass use. (3W, 1994, 32, Shields, 1996b, Jones, 1995b) The size of this global community of computer communicators is difficult to measure but in January 1998 there were at least 40 million and at most 100 million users. (Jordan, forthcoming 1998a, Rickard, 1995, Quarterman, 1993, 42-43) Computer communication has also become key to many industries, not just through the Internet but also through communications networks such as those that underpin automated teller services. The financial industry is the clearest example of this, as John Perry Barlow says "cyberspace is where your money is."
The example of the Citibank hack is a useful place to begin relating computer intrusion to computer networks, as it both demonstrates the significance of hacking, because of the amount of money involved, and the fact of a community that supports hacking. In the Citibank hack, the expertise to gain unauthorized control of computerized deposits was developed by a group of Russian hackers who, demonstrating one of the popular self-representations of hackers, were uninterested in taking financial advantage. The hacker ethic to these intruders was one of exploration and not robbery. But, drunk and depressed, one of the hackers sold the secrets for $100 and two bottles of vodka, allowing organized criminals to gain the expertise to steal $10 million. (Gow and Norton-Taylor)
Here the difference between hacking and criminality lies in the communally held ethic that glorified being able to hack Citibank but stigmatized using that knowledge to steal. To gain an initial understanding of what unites hackers into a community, the act of the hack appears a good place to begin. Defining the hack will provide a starting point from which a detailed account can be developed, this account will then allow us to understand the community that values the hack. The following definition of the hack should be understood as the hypothesis or beginning point and not as a pre-judgement of the nature of hacking. All analyses must begin with some initial understanding or assumption about the nature of the object being studied; this analysis begins with the hack.
To gain unauthorized access to a computer, via another computer and communications links, a password can be guessed, randomly generated or stolen (either by physically acquiring it or by electronically capturing it). For example, in the Prestel hack, which resulted in the Duke of Edinburgh's mailbox becoming vulnerable, the hacker simply guessed an all too obvious password (222222 1234). (Schifreen, interview) Alternatively, some computers and software programs have known flaws that can be exploited. One of the most complex of these is, for example, "IP spoofing" in which a computer connected to the Internet can be tricked about the identity of another computer during the process of receiving data from that computer. It was this technique that was used to break into Tsutomu Shimomura's computer and which initiated the process during which one of the most famous hackers of all, Kevin Mitnick, was tracked down and caught in a blaze of publicity. (Shimomura, 91 and passim) Perhaps most important of all is the ability to "social engineer," to gain access to computers not by technical wizardry but by social wizardry. This can be as simple as talking people into giving out their passwords by impersonating someone, or it can be stealing garbage in the hope of gaining illicit information (trashing), or it can be looking over someone's shoulder as they use their password and memorizing it (shoulder surfing). However, what makes an intrusion a hack or an intruder a hacker is not the fact of gaining illegitimate access to computers by any of these means but a set of principles about the nature of such intrusions.
Turkle identifies three principles that define a good hack: simplicity,
the act has to be simple but impressive; mastery, however simple
it is the act must derive from a sophisticated technical expertise;
and, illicit, the act must be against some legal, institutional
or even just perceived rules. (Turkle, 1984, 232) The idea of
a hack can therefore be applied to other acts than computer intrusion
and here there are links to other interpretations of hacking.
Dutch hacker Ralph used the example of stealing free telephone
time to explain the hack.
it depends on how you do it, the thing is that you've got your guys that think up these things, they consider the technological elements of a phone-booth, and the they think, "Hey wait a minute, if I do this, this could work," so as an experiment, they cut the wire and it works, now they're hackers. Okay, so it's been published, so Joe Bloggs reads this and says, "hey, great, I have to phone my folks up in Australia," so he goes out, cuts the wire, makes phone calls. He's a stupid ignoramus, yeah? (Ralph, Dutch hacker, interview)
A second example would be the Citibank hack mentioned above, whose
technical possibility was developed by a group of hackers, who
then passed the information for virtually no personal gain to
computer literate criminals who, in turn, utilized this knowledge
to perform the robbery. The criminals did not perpetrate a hack
and would not be considered part of the hacking community, though
their crime depended on hacking. In his Hacker Handbook, Hugo
Cornwall goes so far as to describe hacking as:
a recreational and educational sport. . . . Every hacker I have ever come across has been quite clear about where the fun lies: it is in developing an understanding of a system and finally producing the skills and tools to defeat it. In the vast majority of cases, the process of "getting in" is much more satisfying than what is discovered in the protected computer files. (Cornwall, 1985, vii)
A hack is an event that has an original moment and though it can be copied, it loses its status as a hack the more it is copied and the more closely it is copied. Further, the good hack is the object-in-itself that hackers seek, not the result of the hack. This is important as it explains why hackers could create the expertise to steal vast sums of money but not use it. It also explains the often noted claim that hackers usually do not alter or damage the systems they intrude upon, unless that intrusion is necessary to perform the hack. For example, if a good hack is the ability to alter the destination of a phone call then it is this ability that constitutes the hack. But for a hacker to prove they have the ability to perform this hack they must alter the destination of a phone call. An example of this occurred when a hacker called Fry Guy ensured that anybody who called the Palm Beach County Probation Department in Florida actually spoke to a phone-sex worker called "Tina" in New York State. The essential beauty of this hack was not its nature as a practical joke but the technical ability to create the joke, as can be seen in details such as that no extra charges were incurred by callers despite the fact that many were unintentionally making a long distance rather than local call. (Sterling, 1992, 98-99)
The key to understanding computer intrusion in a world increasingly reliant on computer-mediated communication is understanding a community whose aim is the hack. It is this community that makes complex computer intrusion possible and a never ending threat, through its limitless search for a good hack. It is this community that stands forever, intentionally poised both at the forefront of computer communications and on the wrong side of what hackers see as dominant social and cultural norms.
Analyzing any intentionally illicit community poses difficulties
for the researcher. (Jupp) The global and anonymous nature of
computer-mediated communication exacerbates such problems because
any attempt to generate a research population from the computer
underground will necessarily be self-selecting and it will be
difficult to check the credentials of each subject. The methodological
difficulties involved in examining a self-styled "outlaw"
community that exist in cyberspace are exemplified by the interview
conducted with the American hacker whose probation conditions
forbade use of a computer, excluding him from e-mail interview,
and whose interview was then conducted by the hacker illicitly
gaining free use of a phone, allowing an interview to be taped
by the UK based researcher. Another example is offered by the
already mentioned Prestel hack, which was conducted as part of
a loosely-knit North London based group on which the arrests that
followed the hack had a predictable effect. The Prestel hacker
There used to be a hacking community in the UK, the hackers I used to deal with 8 or 9 years ago were all based in North London where I used to live and there were 12 of us around the table at the local Chinese restaurant of a Friday night. . . . within about 20 minutes of me and my colleague Steve Gold being arrested: end of hacking community. An awful lot of phone calls went around, a lot of discs got buried in the garden, and a lot of people became ex-hackers and there's really no-one who'll talk now. (Schifreen, interview)
Demographic data is particularly difficult to collect from an underground community. However, some statistics are available. Following presentation of these, an in-depth exploration of the hacking community on the basis of qualitative research will be presented. Professional security consultants, whose interests are best served by a large underground, have placed the number of hackers as high as 50,000 or 35,000. (Sterling, 1992, 77, Gilboa, 98) However, after his extensive investigation of the US police force's crackdown on the computer underground in the early 1990s, Sterling estimated there were 5,000 active hackers with only around 100 in the elite who would be "skilled enough to penetrate sophisticated systems and truly to worry corporate security and law enforcement." (Sterling, 1992, 77 & 76-77) For the same time period, Clough and Mungo estimated there were 2,000 of "the really dedicated, experienced, probably obsessed computer freaks" and possibly 10,000 others aspiring to this status. (Clough and Mungo, 218) Though no more than an indication, the best, indeed only, estimates for the size of the hacking community or computer underground are given by these figures.
Another means of measuring the size of the computer underground is by its effects. Though this cannot hope to indicate the actual number of hackers, as one hacker can be responsible for extensive illicit adventures (Stoll, 1989), measuring the extent of hacking allows one indication of the underground's level of activity. Four surveys are available that generate evidence from the "hacked" rather than hackers: the 1990 UK Audit Commission's survey, the 1991 UK National Computing Center Survey, the 1993 survey conducted as part of this research project, and the 1996 WarRoom Research information systems security survey. Results from all four sources will be presented, focusing on the amount and type of hacking.
The 1990 UK Audit Commission surveyed 1500 academic, commercial and public service organizations in the United Kingdom. This survey found 5% of academic, 14% of commercial and 11.5% of public service organizations had suffered computer intrusion and that organizations estimated each instance of hacking as costing £31,500 (1990 prices). (Audit Commission) The UK National Computing Center (NCC) survey of security breaches in the United Kingdom received responses from 883 commercial and public service organizations and examined security and fraud issues in general. This survey explored the category of "logical breaches," which are breaches, failures or intrusions to computer systems that cause some disruption to the information held on those systems. The NCC survey found that 40% of distribution, transport and utility organizations, 34% of information technology organizations, 32% of financial and business services, 29% of local governments and 28% of manufacturing organizations suffered breaches. Importantly, only 8% of logical breaches came from hacking and only 14% of breaches came from intruders outside the organizations, as opposed to 61% from inside. However, though only 8% of breaches were from hackers, 25% of breaches that had serious impact came from hackers, suggesting a hacking breach had greater impact than other types of breaches. (NCC)
A survey was conducted as part of this research project, hereafter referred to as the Taylor survey, and received 200 respondents from the following backgrounds: academic (39.5%), commercial (41%), public service organizations (2.5%), other (14%) and some combination of the above (3%). Responses were from cyberspace. Across all respondents, 64.5% had experienced a hack, 18.5% a virus only and 17% no detected illicit activity. There was no significant difference in the amount of hacking between commercial and academic respondents. A total of 28.5% of respondents had suffered a malicious hack, though only 6% reported the severity of the incident as very serious, while 36% reported it as not very serious, 28.5% as not serious at all, 12.5% as variable severity and 17% as not applicable. In terms of the number of incidents, 19.5% reported 10 or more, 50.5% 1 to 5 and 13% 6 to 10. Finally, 64% reported that the greatest threat to the security of their systems came from insiders, 25.5% that the same threat came from insiders and outsiders and 7.5% that the greatest threat came from outsiders with 3% replying don't know. (Taylor)
The Taylor survey reported a significantly higher level of hacking than the Audit Commission or NCC report. The 1996 WarRoom survey supports these higher levels of hacking. This survey is based on 236 responses from commercial USA firms (Fortune 1,000 companies) of which 58% reported attempts by outsiders to gain computer access in the 12 months prior to July 1996, 29.8% did not know and 12.2% reported no such attempts. The types of intrusions can be categorized as 38.3% malicious, 46.5% unidentifiable as malicious or benign and 15.1% benign. Costs per incident were estimated at over $50,000 US by 84% of respondents, with 41% estimating loss per incident at the extraordinary figure of $500,000. If the figures of $50,000 per incident and 58% of companies suffering an incident per year are accurate, and great caution must be shown particularly in relation to estimates of cost, then the cost of hacking to Fortune 1,000 companies would amount to $29 million a year. (WarRoom)
The level of hacking activity reported in these surveys varies greatly between the Audit Commission and National Computing Center surveys on the one hand and the Taylor and WarRoom surveys on the other. A number of possibilities explain this. The first two, lower levels of hacking come from surveys of specifically UK organizations, while the Taylor survey was over half from the USA and a third UK and the WarRoom survey was solely USA. This might suggest a higher level of hacking into USA organizations, though this, of course, says nothing about the national source of a hack. Second, the WarRoom and Taylor surveys stressed the confidentiality of respondents. This is a key issue as organizations show a consistently high level of caution in relation to reporting hacking intrusions. For example, the WarRoom survey found that 37% of organizations would only report computer intrusion if required by law, that 22% would report only if "everyone else did," that 30% would only report if they could do so anonymously and only 7% would report anytime intrusion was detected. (WarRoom) From this perspective both the Audit Commission and NCC surveys might have underreported hacking because they did not place sufficient emphasis on the confidentiality of responses. Third, the Taylor and WarRoom surveys were conducted later than the Audit Commission and NCC surveys and may reflect rising levels of hacking. This is hard to judge, but 73% of respondents in the Taylor survey expected rising levels of security breaches in the future. Fourth, the Audit Commission and NCC surveys have much larger sample populations and so might be expected to provide more accurate figures. Unfortunately, there is no way of deciding which of these factors explain the differences in reported levels of hacking.
In terms of the seriousness of breaches, the NCC, Taylor and WarRoom surveys all report a higher level of either malicious hacking or inadvertent damage caused by hackers than many in the hacking community claim occurs. While it is possible that hacks that cause damage are mainly perpetrated by those simply using expertise developed within the hacking community, as in the Citibank hack, the level of such hacking reported in the Taylor and WarRoom reports makes this unlikely.
The available statistics suggest the computer underground may not be very large, particularly in the number of elite hackers, but it is having a significant effect on a range of organizations. To fully grasp the nature of this effect requires turning to the qualitative fieldwork conducted in this project.
To find "hacker culture" you have to take a very wide view of the cyberspace terrain and watch the interactions among physically diversified people who have in common a mania for machines and software. What you will find will be a gossamer framework of culture. (Marotta, interview)
Hackers are often understood as solitary individuals who are more comfortable relating to machines than to other humans. This is a mistake for two reasons. First, though hackers may hack in solitude this no more undermines the claim that they are part of a community, than would the claim that because most writers write in solitude there can be no such thing as a literary community. Second, contrary to their popular mythology, hackers often hack in groups, both in the sense of physically being in the same room while hacking and of hacking separately but being in a group that physically meets, that frequents bulletin boards, online places to talk, and that exchanges e-mail. It is a rare story of a hacker's education that does not include being trained by more experienced hackers or drawing on the collective wisdom of the hacking community through online information. It would be a mistake to assume that because hackers communicate via computers that they communicate only with computers; rather computers mediate communication between humans just as telephones do. (Sterling, 1992, Quittner and Slatalla)
The "imagined community" that hackers inhabit can be outlined through the following elements: technology, secrecy, anonymity, boundary fluidity, male dominance and motivations. Community is here understood as the collective identity that members of a social group construct or, in a related way, as the "collective imagination" of a social group. Both a collective identity and imagination allow individuals to recognize in each other membership in the same community. The computer underground, or at least the hacking part of it, can in this way be understood as a community that offers certain forms of identity through which membership and social norms are negotiated. Even though some of these forms are articulated as being externally imposed, the nature of Internet technology for example, the way these forms are understood allows individuals to recognize in each other a common commitment to an ethic, community or way of life. (Jordan, 1995, Diani, 1992, Anderson)
Most obviously, the hacking community is characterized by an easy,
if not all-consuming, relationship with technology; in particular,
with computer and communications technology.
What we are confronted with is a generation that has lived with computers virtually from the cradle, and therefore have no trace of fear, not even a trace of reverence. . . . When I started my career in computing . . . you had one shot at a run a day. It was sacrosanct. It no longer is to those kids. You go in, have a bash at a keyboard. They're convinced by experience that nothing much can go wrong. (Professor Herschberg, Computer Science, Delft University, interview)
It is not just that technology forms the material basis of the hacking community, after all, computer intrusion would make no sense without the changes in information technology of the last 30 years, but that hackers share a certain appreciation of or attitude to technology. It is the assumption that technology can be turned to new and unexpected uses that define hackers' attitudes to technology. The notion of the hack expresses this in the belief that acts that are simple, masterful and illicit can be performed with or on technology. This attitude need not then be confined to computer mediated communication. Dutch hacker Dell claimed to have explored the subterranean tunnels and elevator shafts of Amsterdam, including government fallout shelters (Dell, interview), while Utrecht hacker Ralph argued hacking "pertains to any field of technology. Like, if you haven't got a kettle to boil water with and you use your coffee machine to boil water with, then that in my mind is a hack, because you are using technology in a way that it's not supposed to be used." (Ralph, interview) It is, then, the belief that technology can be bent to new, unanticipated purposes that underpin hackers' collective imagination.
Hackers demonstrate an ambivalent relationship to secrecy. Here
the nature of a hack demands both secrecy, because it is illicit,
and publicity, as otherwise no one will recognize the simplicity
and mastery involved. Hacker Mofo expresses this ambivalence when
discussing the inadvertent publicity given to a particular security
hole in the Unix computer language by Robert Morris' failed hack,
the infamous Internet worm.
I think you might be interested to know that I and many others have used the Unix sendmail bug to access many systems throughout the world (without damaging data in any way) until that stupendous asshole, Robert Morris, royally phucked everything up for us. I've known about the printf() sendmail bug ever since I got access to the source code. Only a dummy would publicize something as good as that by doing something completely phucking stoopid like what Morris did. His idiocy cost hackers/phreakers more than anyone can imagine. (Mofo, hacker, interview)
The ambiguity of Mofo's statement is that most hackers had, and would, find out about the sendmail bug not from an examination of Unix source code (the commands that make up Unix) but from other hackers. Sharing information is key in the development of hackers, though it makes keeping illicit acts hidden from law enforcement difficult.
Gaining recognition is also important to hackers. A member of the Zoetermeer hacking group noted "Hacking can be rewarding in itself, because it can give you a real kick sometimes. But it can give you a lot more satisfaction and recognition if you share your experiences with others. . . . Without this group I would never have spent so much time behind the terminals digging into the operating system." (Zoetermeer, hackers, interview) A good hack is a bigger thrill when shared and can contribute to a hacker gaining status and access to more communal expertise. For example, access to certain bulletin boards is only passed onto those proven worthy.
The tension is between the need to keep illicit acts away from the eyes of police and other authority figures but in front of the eyes of peers, those who are considered superior hackers, or even the general public. No hack exemplifies this more than a World Wide Web hack, such as the already mentioned Labor Party and CIA hacks, where the object is to alter an internationally accessible form of public communication but at the same time keep the identity of the perpetrator secret. In the case of the Labor Party hack, the hacker managed to be quoted on the front page of UK national newspapers but also to keep his/her identity secret. There is also the fact that though many hackers are not bothered about material gain, they tend to take trophies in the form of copied documents or pieces of software. Trophy gathering is paradoxical because a trophy is one of the few solid bases for prosecuting hackers when they are caught, because it proves both to the hacking community and to law enforcement that the hacker "was there." The ambivalence toward secrecy is also the source of the often noted fact that hackers are odd criminals, seeking publicity. As Gail Thackeray, one-time police nemesis of hackers, noted "What other group of criminals . . . publishes newsletters and holds conventions?" (Thackeray, cited in Sterling, 1992, 181)
The third component of the hacking community is anonymity. As
with technology, what is distinctive is not so much the fact of
online anonymity, as this is a widely remarked on aspect of computer-mediated
communication (Baym, 1995, 139-141; Dery, 1993, 561), but the
particular understanding of anonymity that hackers take up. There
is also a close relation to the concept of secrecy with a similar
tension between proclaiming and concealing an identity. Netta
Gilboa notes one complex version of this interplay of named and
hidden identity on the online chat channel for hackers that is
part of Internet Relay Chat (IRC):
hackers can log into the #hack channel using software . . . that allows them to come in from several sites and be on IRC as many separate connections, appearing to be different people. One of these identities might then message you privately as a friend while another is being cruel to you in public. (Gilboa, 102-103)
Gilboa experienced the construction of a number of public identities all intended to mask the "real" identity of a hacker. A second example of this interplay of anonymity and publicity is the names or "handles" hackers give themselves and their groups. These are some of the handles encountered in this research: Hack-Tic (group), Zoetermeer (group), Altenkirch (German), Eric Bloodaxe, Faustus, Maelstrom, Mercury, Mofo. Sterling notes a long list of group names -- such as Kaos Inc., Knights of Shadow, Master Hackers, MAD!, Legion of Doom, Farmers of Doom, the Phirm, Inner Circle I and Inner Circle II -- and that "contemplating this list is an impressive, almost humbling business. As a cultural artefact, the thing approaches poetry." (Sterling, 1992, 75) Hackers use names designed to identify themselves while simultaneously keeping their offline identity secret, to sign their hacks (sometimes even leaving messages for the hacked computer's usual users), to meet online and to bolster their self-image as masters of the hack: simple, masterful, illicit.
The fourth quality of the hacking community is fluidity of boundaries
and the speed at which membership changes. Hacking shares the
characteristics ascribed to many social movements of being an
informal network rather than a formally constituted organization
and, as such, its boundaries are highly permeable. (Jordan, 1995,
Diani) There are no formal ceremonies to pass or ruling bodies
to satisfy to become a hacker. The informal and networked nature
of the hacking community, combined with its illicit and sometimes
obsessional nature and with the fact that it seems to be an activity
particularly associated with young males (cf. section below),
means that a high turnover of hackers occurs. (Clough and Mungo,
18) Hackers may form groups within the overall loose structure
of the hacking community and these may aspire to be more formally
organized; however the pressures of law enforcement mean that
any successful hacking group is likely to attract sustained attention
at some point.
People come and go pretty often and if you lay off for a few months and then come back, almost everyone is new. There are always those who have been around for years . . . I would consider the hacking community a very informal one. It is pretty much anarchy as far as rule-making goes. . . . The community was structured only within the framework of different hacking "groups." Legion of Doom would be one example of this. A group creates its own rules and usually doesn't have a leader. . . . The groups I've been in have voted on accepting new members, kicking people out, etc. (Eric Bloodaxe, hacker, member of Legion of Doom, interview).
Gilboa claims that the future of hacking will be a split between lifelong hackers, often unable to quit because of police records and suspicion, and 90% of hackers who will move on "when they get a job they care about or a girlfriend who sucks up their time." (Gilboa, 111) A more prosaic, but equally potent, reason why the hacking community's membership is fluid is given by hacker Mike: "If you stop, if you don't do it for one week then things change, the network always changes. It changes very quickly and you have to keep up and you have to learn all the tricks by heart, the default passwords, the bugs you need" (Mike, hacker, interview). The sheer speed at which computer communications technology changes requires a powerful commitment from hackers.
The fifth component of hacking culture is male dominance and an associated misogyny. The research for this project failed to uncover any significant evidence of female hackers. The literature on hackers fails to uncover all but a tiny number of female hackers (Taylor, 92) and Gilboa states, "I have met more than a thousand male hackers in person but less than a dozen of them women." (Gilboa, 106) This imbalance is disproportionate even in the field of computer mediated communication, for example in 1991 one-third of bachelor degrees in computer science in the USA were received by women, 27% of masters and 13% of Ph.D.s. (Spertus, i) The proportion of, at the very most, 1:10 hackers being women is closer to the proportion of men to women users of the Internet in the early 1990s when the ratio appears to have been 1:9 or 1:8. (GVU)
A number of factors are used to explain the paucity of women in the computer sciences in general: childhood socialization, where boys are taught to relate to technology more easily than girls; education in computers occurs in a masculine environment; and a gender bias toward men in the language used in computer science. (Spertus, Turkle, Taylor, 91-103) Given these factors, producing a general bias toward males in relation to computers, the drive toward the good hack exacerbates this as it involves a macho, competitive attitude. Keller goes as far as to describe the machismo of hackers as "aberrant behavior." (Keller, 58) Hackers accordingly construct a more intensely masculine version of the already existing male bias in the computer sciences.
Even when hackers are closely associated with women, they may
see men and women as having innate aptitudes that make hacking
a naturally male pursuit.
When Adam delved and Eve spun . . . who was then the gentleman? Well, we see that Adam delves into the workings of computers and networks, and meanwhile Eve spins, what? Programs? Again, my wife programs and she has the skills of a hacker. She has had to crack security in order to do her job. But she does it as her job, not for the abstract thrill of discovering the unknown. Eve spins. Females who compute would rather spend their time building a good system, than breaking into someone else's system. (Mercury, USA hacker, interview)
Whether Mercury's understanding of differences between men and women is accurate or not, the fact that he, and many other hackers, take such attitudes means that the hacking community will almost certainly feel hostile to women. Added to these assumptions of, at best, separate spheres of male and female expertise in computing is the fact that anonymity often fuels sexual harassment. "The fact that many networks allow a user to hide his real name . . . seems to cause many males to drop all semblance of civilization. Sexual harassment by e-mail is not uncommon" (Freiss, German hacker, interview). Gilboa, a woman, recounts an almost epic tale of harassment that included hackers using her online magazine as a "tutorial" example of how to charge phone calls to someone else and taking over her magazine entirely and launching a fake version; being called a prostitute, child molester and drug dealer; having her phone calls listened to as well as having her phone re-routed or made to sound constantly engaged; and having her e-mail read. Gilboa's experience led her to pathologize hackers, suggesting that work must be done to explore the characteristics of hackers she identified -- such as lack of fathers or parental figures, severe depression and admittance to mental institutions -- before she settled for a basic understanding of hackers as bullies. (Gilboa, 112) While not conclusive, the present study suggests that one answer to Gilboa's puzzlement at her treatment lies not only in the individual psyches of hackers but in the collective identity hackers share and construct that is in part misogynist.
Finally, hackers often discuss their motivations for hacking. They are aware of, and often glory in, the fact that the life of a dedicated hacker seems alien to those outside the hacking community. Some of this sense of oddity may diminish as online life becomes familiar to more people, but even if it does, the obsessive nature of much hacking, the "disinterested" nature of the hack (where it is the hack itself that is the object, not what can be gained from it) and the dominance of online over offline life for hackers will almost certainly make them seem and feel alien to a wider public.
The result of this is that hackers discuss among themselves their own motivations. These are sometimes couched as self-justifications, sometimes as explanations and sometimes as agonized struggles with personal obsessions and failures. However, whatever the content of such discussions, it is the fact of an ongoing discourse around the motivation to hack that builds the hacking community. These discussions are one more way that hackers can recognize in each other a common identity that provides a collective basis for their community. Within this general framework, a number of recurring elements to discuss can be identified, but it must be stressed that it is not so much the content of these as the fact of their ongoing discussion that is important. Hackers' obsession with their own motivations must be understood as a component of the construction of their collective identity.
A number of motivational themes that are often intermingled have emerged from fieldwork. First, hackers often confess to an addiction to computers and/or to computer networks, a feeling that they are compelled to hack. Second, curiosity as to what can be found on the worldwide network is also a frequent topic of discussion; here the more secure or exotic the target of a hack is, the more an unending search for more secure and more exotic targets is reinforced. Third, hackers often claim their offline life is boring compared to the thrill of illicit searches in online life. Fourth, the ability to gain power over computer systems, such as NASA, Citibank or the CIA Web site, is an attraction; hackers often comment on their powerless offline life, as students and unemployed or employed workers, and contrast this with the control they may have in online life over the computer systems of major military or corporate institutions. Fifth, as one would expect, community peer recognition from other hackers or friends is a reward and goal for many hackers, signifying acceptance into the community and offering places in a hierarchy of more advanced hackers. Finally, hackers often discuss the service to future computer users or to society they are offering because they identify security loopholes in computer networks (this motivation will be discussed at length in the next section).
Hackers articulate their collective identity, and so construct
a sense of community, from discussing this array of different
interpretations of their motivations. The clearest way of seeing
hackers simultaneously develop their collective identity and explore
their personal motivations is to offer a number of examples.
I just do it because it makes me feel good, as in better than anything else that I've ever experienced . . . the adrenaline rush I get when I'm trying to evade authority, the thrill I get from having written a program that does something that was supposed to be impossible to do, and the ability to have social relations with other hackers are all very addictive. . . . For a long time, I was extremely shy around others, and I am able to let my thoughts run free when I am alone with my computer and a modem hooked up to it. I consider myself addicted to hacking. . . . I will have no moral or ethical qualms about system hacking until accounts are available to the general public for free. . . . Peer recognition was very important, when you were recognized you had access to more. (Maelstrom, hacker, interview)
Maelstrom explores almost the whole range of motivations including curiosity, the thrill of the illicit, boredom, peer recognition and the need for free or cheap access. By developing his own interpretation out of the themes of motivation, he can simultaneously define his own drives and develop a sense of community. It is this double movement in which individual motivations express the nature of a community, that makes the discussions of motivations important for hackers.
I did hacking because for me it was a way to learn more about the system, curiosity and not anything else. . . . I was pretty good at that time, I got high grades and didn't have to do anything about it, so I was bored if I didn't do anything. . . . I mean why do people do crosswords? It's the same thing with hackers. (J. C. Van Winkel, hacker, interview)
If people were given legitimate access to the systems they wanted to learn about, and were given the ability to send mail and communicate with each other interactively, much of the hacking would subside. Having a legal Internet account is what has saved me. (Eric Bloodaxe, hacker, interview)
Van Winkel and Bloodaxe do not develop as complex a view as Maelstrom,
but each offers a couple of elements that are recognizably the
same as Maelstrom's. Van Winkel focuses on a combination of curiosity
and boredom, while Bloodaxe takes up the social implications of
restricting access. Finally, the account offered by perhaps the
most notorious of all hackers, Kevin Mitnick, of his motivations
provides another common articulation of reasons for hacking.
You get a better understanding of cyberspace, the computer systems, the operating systems, how the computer systems interact with one another, that basically was my motivation behind my hacking activity in the past. It was just from the gain of knowledge and the thrill of adventure, nothing that was well and truly sinister as trying to get any type of monetary gain or anything (Mitnick, hacker, interview)
These six factors all function largely between hackers, allowing them a common language and a number of resources through which they can recognize each other as hackers and through which newcomers can become hackers. These are structures that are largely internal to the hacking community, not because they do not affect or include non-hackers, but because their significance is largely for other hackers. Technology, secrecy, anonymity, boundary fluidity, male dominance and motivations all gain significance from their part in creating the hacking community; they are the communal structures inside the boundaries of this outlaw community. This raises the issue of how an external boundary is constructed and maintained. How do hackers recognize a distinction between inside and outside? How do hackers adjust, reinvent and maintain such a distinction? This is the subject of the third and final section of this definition of the hacker community.
If the six elements explored in the previous paragraph were taken
as a definition of the hacking community, then this analysis of
hackers' culture would suggest that hackers are a self-constituted
community: able to maintain and reproduce themselves in splendid
isolation. Any such conclusion would be incorrect. The hacking
community has, for example, an often spectacular relationship
to the media (though this is one largely driven by the internal
structures of anonymity and secrecy). Undoubtedly, the most important
relationship to another community or group, the one that most
defines the hacking community, is the intimate and antagonistic
bond to the computer security industry (CSI). This relationship
is constitutive of the hacking community in a way that no other
is; put another way, there is no other social group whose existence
is necessary to the existence of the hacking community. This does
not mean the computer underground and the computer security industry
have a comfortable or easy relationship, far from it. Here are
a sample of views of hackers from members of CSI.
Hackers are like kids putting a 10 pence piece on a railway line to see if the train can bend it, not realizing that they risk derailing the whole train. (Mike Jones, security awareness division, Department of Trade and Industry, UK, interview)
Naturally, hackers often voice a similar appreciation of members
of CSI. For example, while admitting psychotic tendencies in the
hacking community, hacker Mofo notes:
my experience has shown me that the actions of "those in charge" of computer systems and networks have similar "power trips" which need to be fulfilled. Whether this psychotic need is developed or entrenched before one's association with computers is irrelevant. (Mofo, hacker, interview)
However, the boundary between these two communities is not as clear as such attitudes might suggest. This can be seen in relation to, first, the membership of the communities and, second, the actions members take.
Hackers often suggest that their dream is that their skills would be used by CSI to explore security faults, thereby giving hackers jobs and legitimacy to pursue the hack. The example of a leading member of one of the most famous hacker groups, the Legion of Doom, Eric Bloodaxe aka Chris Goggans, is instructive. Having become a leading member of the hacking community, Goggans and some other hackers set up a computer security firm, Comsec, and he later moved to become senior network security engineer for WheelGroup, a network security company. (Quittner and Slatalla, 145-147 & 160-162) On the CSI side, there have been fierce debates prompted by the occasional suggestion that hackers might be useful because they identify security problems. For example, IBM employs a group of hackers who can be hired to attack computer systems.(Lohr, 1997) These debates are striking because CSI is the community most concerned with stopping hackers. There is, then, little room for CSI to admit that hackers may be useful because this would undermine their efforts to end hacking; if hackers usefully identify security failures, then perhaps they should be encouraged and not prosecuted. The mere fact that such debates have occurred demonstrates the fluidity in the membership of the two communities; if hackers are useful for finding security lapses, are they members of CSI or of the hacking community? (Spafford, Denning) In the IBM case, an attempt at differentiating the hired hackers from criminal or illegitimate hackers is made by hiring only hackers without criminal records; given that hacking is by definition illicit, this is a practice akin to turning those criminals who have not been caught into police.(Lohr, 1997)
Both sides also try to assure themselves of radical differences
because they undertake similar actions. For example, Bernie Cosell
was a USA commercial computer systems manager and one of the most
vehement anti-hackers encountered in this study, yet he admitted
that he hacked
once or twice over the years. I recall one incident where I was working over the weekend and the master source hierarchy was left read-protected, and I really needed to look at it to finish what I was doing, and this on a system where I was not a privileged user, so I "broke into" the system enough to give myself enough privileges to be able to override the file protections and get done what I needed . . . at which point I put it all back and told the systems administrator about the security hole. (Cosell, USA systems manager, interview)
More famous, but making the same point, is the catalogue of hacks Clifford Stoll had to perpetrate in his pursuit of a hacker; these included borrowing other people's computers without permission and monitoring other peoples' electronic communications without permission. (Stoll, Thomas) Such examples mean that differences between the two communities cannot be expressed simply through differences in what they do but through the meaning of actions. This can be seen in Cosell's action to take advantage of a security loophole but then make sure the loophole is closed so that nobody else, not even someone in a similarly dire situation as he felt himself to be in, can make use of the bug. The meaning of such actions is delineated chiefly through ethical debates about the nature of hacking and these can be most clearly seen in the analogies that are drawn between cyberspace and non-virtual or real space.
One difficulty for many CSI professionals is simply explaining the nature of computer crime; the realm of cyberspace and the Internet is different from the world everyone lives in whose rules can be taken for granted. They solve this difficulty by drawing analogies between computer intrusion and a range of easily understood everyday crimes, the most obvious of which are robbery, burglary or breaking and entering of some sort, though rape is also a common analogy. These analogies draw on the easily understood notion that a computer is something, like a bank, car or house, that can be "got into." "I have been in more systems than one can imagine, ranging from military installations, financial installations to soda companies." (Eric Bloodaxe, hacker and CSI, interview) Using this analogy makes it easy to understand the danger of hackers; people who break into banks, schools or houses usually do so to steal or perhaps to commit vandalism. The ethical differences between hackers and the CSI are clearly drawn.
The problem for these analogies is that hackers seem like strange
burglars because so often nothing seems to be lost when they have
broken in. How often does a burglar leave behind an exact copy
of the video recorder they have stolen? But this is a more accurate
description of theft in cyberspace than theft as it is generally
experienced. Further, hacker culture leads them to publicize their
break-ins, sometimes even stressing the utility of their break-ins
for identifying system weaknesses. What bank robbers ring up a
bank to complain of lax security and point out means of strengthening
security? The simple analogy to theft breaks down very quickly
when it is examined and must be complicated to begin to make sense
of what hackers do.
There is a great difference between trespassing on my property and breaking into my computer. A better analogy might be finding a trespasser in your high-rise office building at 3 a.m. and learning that his backpack contained some tools, some wire, a timer and a couple of detonation caps. He could claim that he wasn't planting a bomb, but how can you be sure? (Cosell, USA systems manager, interview)
Cosell's analogy continues to draw on real world or physically
based images of buildings being entered but also tries to come
closer to the reality of how hackers operate. However, the ethical
component of the analogy has been weakened because the damage
that hackers do has become implied; where is the bomb? It is striking
that Cosell does not claim there will definitely be a bomb, only
that it is possible. If all possible illegal actions were prohibited,
then many things would become illegal, such as driving, because
it is possible to speed. The analogy of breaking and entering
becomes strong on implied dangers but weak on the certainty of
danger. The first casualty of a more accurate analogy is, then,
the clear ethical content offered by the equation of hacking with
vandalism or burglary. The second casualty of accurate analogies,
as has been noted in passing, is the notion of theft altogether.
John Perry Barlow notes:
when we think of theft in the physical world, we are thinking of an act in which I might achieve possession of an object only by removing it from you. If I steal your horse, you can't ride. With information, I can copy you software or data and leave the copy in your possession entirely unaltered. (Barlow, interview)
The analogies of CSI professionals change when they attempt to
be accurate. "My analogy is walking into an office building,
asking a secretary which way it is to the records room and making
some Xerox copies of them. Far different than breaking and entering
someone's home." (Cohen, interview) Clearly there is some
ethical content here, some notion of theft of information, but
it is ethically far muddier than the analogy burglary offers.
Questions would have to be asked about whose information this
is and whether there is any legitimate reason for making this
information public. At this point, the analogy breaks down because
the ethical content can be reversed to one that supports hackers
as "whistle-blowers" of abuses that everyone should
The concept of privacy is something that is very important to a hacker. This is so because hackers know how fragile privacy is in today's world. . . . In 1984 hackers were instrumental in showing the world how TRW kept credit files on millions of Americans. Most people had not even heard of a credit file until this happened. . . . More recently, hackers found that MCIs "Friends and Family" program allowed anybody to call an 800 number and find out the numbers of everyone in a customer's "calling circle." As a bonus, you could also find out how these numbers were related to the customer. . . . In both the TRW and MCI cases, hackers were ironically accused of being the ones to invade privacy. What they really did was help to educate the American consumer. (Goldstein)
The key analogy of CSI that distinguishes its members' views from
hackers', has now lost the implied ethical content of robbery.
Goldstein makes the case for it being the correct principled action
to broadcast some hidden information. CSI's analogy is left only
with an opposition on principle to trespass. As just noted, this
principled position is open to question on the basis of whatever
information is being obtained; if there is some greater social
good to be served by broadcasting the information, then perhaps
hackers are no longer robbers and burglars, but socially responsible
I know only too well how simple it is to view and alter consumer credit, to transfer funds, to monitor telephone conversations etc. . . . I can monitor data on any network in existence, I can obtain root privileges on any Sun Microsystems Unix. If I, a 22 year-old, non-degreed, self-taught individual can do these things, what can professionally taught, profit motivated individuals do? There is no privacy. . . . People need to know the truth about the vulnerabilities of the computers they have entrusted their lives to. (Eric Bloodaxe, hacker and CSI, interview)
CSI professionals draw another distinguishing, ethical position
from the analogy to breaking and entering in reply to claims like
Goldstein's and Bloodaxe's. Some argue that showing a system is
insecure is not in itself justification for going around trying
all systems to see if they are insecure.
If a policeman walks down the street testing doors to see if they are locked, that's within his "charter" -- both ethically and legally. If one is open, he is within the same "charter" to investigate. . . . If I come home and find the policeman in my house, I can pretty well assume he's doing me a favor because he's found my door unlocked. However, if a self-appointed "neighborhood watch" monitor decides to walk down the street checking doorknobs, he's probably overstepped his "charter." If he finds my door unlocked and enters the house, he's trespassing. (Johnson, system manager, interview)
While restating the analogy to physical trespass, Johnson does not deal with the central ethical point made by Goldstein and Bloodaxe; those in charge of our social systems, like the police, cannot necessarily be trusted. The difference between Goldstein and Johnson is not as clear cut as that between thief and policeman and seems to have become one between two different political or ethical assessments of the nature of society. In the face of such complexities, CSI analogies sometimes abandon breaking and entering altogether; "it is no more a valid justification to attack systems because they are vulnerable than it is valid to beat up babies because they can't defend themselves." (Cohen, interview) Here many people's instinctive reaction would be to side with the babies, but a moment's thought reveals that in substance, Cohen's analogy is no different from Johnson's -- a computer system is not human and if information in it is needed by wider society, perhaps it should be attacked -- and so his use of babies simplifies but does not establish the ethical differences between the two communities.
The twists and turns of these sorts of analogies show that CSI
professionals use them not so much to clearly define hacking and
its problems, but to establish clear ethical differences between
themselves and hackers. The analogies of baby-bashing, rape and
robbery all appeal emotively to try and establish hacking as wrong.
The key point is that while these analogies work in an ethical
and community building sense, they do not work in clearly grasping
the nature of hacking because analogies between real and virtual
space cannot be made as simply as CSI professionals often assume.
Physical (and biological) analogies are often misleading as the appeal to an understanding from an area in which different laws hold. . . . Many users (and even "experts") think of a password as a "key," despite the fact that you can easily guess the password, while it is difficult to do the equivalent for a key. (Brunnstein, Computer Science, Hamburg University, interview)
The key process of boundary formation between the hacking and
CSI communities occurs in the creation of physical analogies by
CSI professionals to establish ethical differences between the
communities and their reinterpretation by hackers. However, this
does not exclude hackers from making their own analogies.
Computer security is like a chess game, and all these people that say breaking into my computer systems is like breaking into my house: bull-shit, because securing your house is a very simple thing, you just put locks on the doors and bars on the windows and then only brute force can get into your house, like smashing a window. But a computer has a hundred thousand intricate ways to get in, and it's a chess game with the people that secure a computer (Gongrijp, Dutch hacker, interview).
Gongrijp engages in the formation of boundaries through ethical analogy by comparing computer intrusion to chess in exactly the same way as CSI professionals do. Of course, it is an odd game of chess that results in the winner receiving thousands of people's credit records or access to their letters. Gongrijp's elision of the fact that a game of chess has no result but a winner and a loser at a game of chess whereas hacking often results in access to privileged information, means that the analogy to chess is inaccurate and presents hacking as a harmless, intellectual pursuit. It is on the basis of such analogies and discussions that the famed "hacker ethic" is often invoked by hackers. Rather than hackers learning the tenets of the hacker ethic, as seminally defined by Steven Levy, they negotiate a common understanding of the meaning of hacking, which the hacker ethic provides a ready articulation of.
The main process at work here is, however, the drawing on analogies to physical space by CSI professionals to establish a clear ethical basis for their attitude to hackers and criticism of these analogies by hackers to establish their own ethical basis in opposition to CSI. In these processes can be seen the construction by both sides of boundaries between communities that are based on different ethical interpretations of computer intrusion, in a situation where other boundaries, such as typical actions or membership, are highly fluid.
The nature of the hacking community needs to explored in order to grasp the social basis that produces hacking as a facet of computer networks. The demise of hacking has been announced several times. Several years after his analysis of the great hacking crackdown of 1990, Sterling remarked that hacking was on the downturn as young people were more interested in talking to each other on Internet Relay Chat. (Sterling, 1994) However, the figures given previously and the rise of the World Wide Web hack, offering as it does both spectacular publicity and anonymity, point to the endemic nature of hackers now that worldwide computer networks are an inescapable reality. Hackers show that living in a networked world means living in a risky world.
The community found by this research articulates itself in two key directions. First there are a number of components that are the subject of ongoing discussion and negotiation by hackers. In defining and redefining their attitudes to technology, secrecy, anonymity, membership change, male dominance and personal motivations, hackers create their imagined community. That their imagined community is also virtual simply adds a layer of complexity to their collective identity. Second, hackers define the boundaries of their community primarily in relation to the Computer Security Industry. These boundaries stress an ethical interpretation of hacking because it can be difficult to distinguish clearly the activities or membership of the two communities. Such ethics emerge most clearly through the analogies that are used by members of each community to explain hacking. In particular, the way the analogy of breaking and entering is articulated and re-articulated creates different ethical interpretations.
Hackers are often pathologized as obsessed, isolated young men. The alien nature of online life allows people to believe hackers more easily communicate with machines than humans. The fear of the power of computers over our own lives and of hackers over computers compounds this terror. The very anonymity that makes their community difficult to study, equally makes hackers an easy target for such pathologizing. Our research shows that hacking cannot be clearly grasped unless such fears are put aside to try and understand the community of hackers, the digital underground. From within this community, hackers begin to lose their pathological features in favor of collective principles, allegiances and identities.
The interviews listed in the bibliography were conducted by Paul Taylor from 1989-1992. This period coincided with the passage of the Computer Misuse Act 1990 in the UK, limiting the willingness of UK hackers to discuss their actions. To overcome these specific problems and the generally noted methodological problems in dealing with "outlaw" communities, the use of e-mail interviews was necessary. This led to interesting methodological conclusions because the use of e-mail facilitated growing trust between hackers and researcher that often led to face-to-face interviews. Instead of either type of interaction being superior, the use of both methods together built trust. This method may now be far more difficult to use as many people are less willing to spend significant amounts of time on e-mail. For example, John Perry Barlow was happy to conduct e-mail correspondence of some length for this study in the early 1990s, but when contacted for an interview concerning a study of online politics (Jordan, forthcoming 1998b) he declined to discuss issues via e-mail, pointing out that he received 150-200 e-mails a day, leading to his being interviewed in the back of a taxi and at the Heathrow bar.
Thanks to Sally Wyatt, Alan White and Ian Taylor for comments on this piece.