Using ANT to understand dark side of computing - Computer underground impact on eSecurity in the dual use context

Mario Silic
University of St Gallen, Institute of Information Management
Mueller-Friedberg-Str. 8, 9000 St. Gallen, Switzerland
Email: mario.silic@unisg.ch

January 2015
Working paper

Abstract: From its roots in the Yippies' 1960s counterculture movement to today’s new hackers, the definition of the computer underground (CU), the dark side of computing, has seen various adaptations to the phenomena of the new digital era. Using Actor Network Theory (ANT) we analyze the computer underground and provide a complete anatomy of the modern hacker organization. We explore the computer underground as hacker subcultures, and discuss group formation and translation from an ANT perspective. With supporting interviews and observations we will present detailed analyses of the computer underground ecosystem. The discussion reveals interesting insights about the ‘black box’ of file sharing, and the ideologies of those involved. Scarcity and quality are strong motivators for engaging in underground file sharing communities, with access to high quality music files and scarce music files being a reward for actively participating. The quality of content is maintained through strict rules for converting and uploading new music. Because underground communities are quite sophisticated, it is argued that it is possible to learn from them and use this knowledge in the development of future online music systems and communities.

Keywords: Ethnography, Actor Network Theory, Hacker subculture, computer underground, information security

1 Introduction

There is no unique definition of the computer underground (CU), but all illegally conducted activities performed by one or more individuals can be seen as CU. Historically, the computer underground can be divided into two parts: 60s and 90s hackers.
Levy (1984) defines 60s hackers as a group that strove to create and loved having control over their computers, and 90s hackers as a group that strives to destroy and tamper and loves the power computers give them over people. The computer underground is part of information security, and as such a deep and thorough understanding of it is needed. To further explain the mechanics at work in the CU, this paper uses Actor Network Theory (ANT) as proposed by Callon and Latour (Callon and Latour 1981; Callon 1986; Latour 1993a). ANT’s concepts of group formation and translation will provide insights into the CU world. In this context, there is an important dual-use challenge (Silic, 2013; Silic & Back, 2013, 2014a, 2014b, 2015). In this paper we argue that the computer underground and all its negative events and actions are the result of a missing understanding of the relationships between the different subgroups of the computer underground (White hat, Black hat, Grey hat, Blue hat, Neophyte, Script kiddie, Hacktivist, Elite hacker).

This paper is structured as follows. First, the literature on information security and on hacker subculture as part of the computer underground is reviewed. We argue that there is a lack of detailed understanding of the computer underground and of the motivations for engaging in illegal activities. After we present the research methodology, group formation and translation are discussed, highlighting concepts from actor-network theory. Finally, the discussion and conclusion provide helpful insights on the computer underground and its associated ideologies.

2 Literature Review

2.1 Information security

In the literature, information security has received different definitions. A more holistic view of information security focuses on processes and people while integrating technology (Baskerville 1993; Straub and Welke 1998; Dhillon and Torkzadeh 2006; Da Veiga and Eloff 2007). To define information security we follow the definition of Zafar et al. (2009), which says that information security is all about “…understanding the potential threats of an organization and assessing the risks associated with those threats with continuous assessment of technology, policies and procedures, and personnel to assure proper governance of information security issues”.

Past research on information security viewed security from different angles: technical (Denning 1992; Dymond and Jenkin 1999; Bass 2000; Wong et al. 2000; Li and Guo 2007; Yang and Huang 2007) and socio-behavioral (Sipponen et al. 2008; Dhillon and Backhouse 2001; Ratnasingham 1998). The technical direction in IS research mainly focuses on the technology itself and on how solutions can benefit information security concerns, prevention and tasks. The socio-behavioral direction, on the other hand, deals with understanding the employee and management behaviors that impact IS. According to Latour and Law, IS occurrences should be seen from a socio-technical angle with human and non-human actors.

2.2 Computer underground and Hacker sub-culture

According to Thomas (1993), the computer underground is “a broad and somewhat invisible community comprising people who systematically interact electronically … in order to engage in a variety of shared activities”. These people are generally referred to as hackers or modern-day “Robin Hoods” (Rogers, 2001) who live and act in a virtual world described by Halbert (1997): “an invisible community with a complex and interconnected lifestyle, an inchoate anti-authoritarian political consciousness, and dependent on norms of reciprocity, sophisticated socialization, rituals, networks of information sharing, and an explicit value system”.
Moreover, the emergence of computer technology has created dramatic changes in social communication, economic transactions, and information processing and sharing, while simultaneously introducing new forms of surveillance, social control, and intrusions on privacy (Marx, 1988a: 208-211; Marx and Reichman, 1985). Finally, if the computer underground represents a “highly complex mosaic of interest, motives, and skills and it possesses a language and a set of values, information-processing techniques, and norms that shape its cultural identity” (Thomas 1993), then computer underground subcultures are an even more complex phenomenon when it comes to researching and understanding the underlying mechanics. In this research paper, we treat the computer underground as a community where hackers have different subcultures, and we follow Halbert’s (1997) description of the invisible community with complex interconnections and relationships.

2.3 Actor Network Theory

ANT is an interdisciplinary approach to the social sciences and technology studies. This research framework was developed by studies in Science, Technology and Society (STS) for tracing heterogeneous networks of actors and their interactions involved in the production of science and technology (Latour 1987; Callon et al. 1996). In the literature, actor-network theory is mainly used to study technology design as a micro issue (Walsham, 1997). While many other approaches to research in technological areas treat the social and the technical in entirely different ways, actor-network theory (ANT) proposes instead a socio-technical account in which neither social nor technical positions are privileged (Tatnall and Gilding 1999). An information systems researcher using an actor-network approach in an investigation like this would concentrate on issues of network formation, investigating the human and non-human actors and the alliances and networks they build up (Tatnall and Gilding 1999; Tatnall 2000).
ANT proposes different elements: Actors (macro and micro), which represent a human or non-human entity able to make its presence individually felt (Law 1987) by the other actors; Networks, which are the unfolding of interactions between actors that produce certain configurations; Translation, where a macro-actor (Callon and Latour (1981) introduced the concept of a macro-actor) plays the leader role and tries to have all micro-actors aligned in an alliance; Inscription, which explains how to protect one’s interests; Alignment and Irreversibility; and Black Boxes, which define the point at which a technology reaches its end point and becomes omnipresent. ANT shows us how “to map out the set of elements (the network) that influence, shape, or determine an action. But each of these elements is in turn part of another actor-network and so forth” (Monteiro, 2000, p. 76). For our research paper ANT is particularly interesting as it enables us to show the process in which actors are guided by their own interests, which, once incorporated into the computer underground ecosystem through the translation and inscription processes, become an integral part of it.

3 Research Methodology

As computer underground communities are part of the internet, a technology that is today well suited to the ethnographic approach (Hine 2000, 2005; Beaulieu 2004), we use observations as the primary data collection method. Interviews were conducted second, to confirm the observational insights and further complete our initial data.

3.1 Ethnography

Internet Relay Chat (IRC) is a protocol for live interactive text messaging or chat. The community is built with a forum approach where members can post their answers and engage in discussions. As is general practice in this underground community, members do not reveal their full names when registering, but rather choose fake names or nicknames to identify themselves. Hence, it is not possible to have access to the real persons, but only to virtual members.
Our research was conducted in three phases. Observations of the IRC community, representing our field work (the main concept of ethnography), were held for thirty-five consecutive days. We used the first phase (ten days) to get familiar with the community and record some background information. It also permitted us to identify different participants, their information security knowledge, the processes established in the community, and the participation rules and procedures. Based on the learnings from phase 1, we were able to proceed with the next phase (phase 2, twenty days), used to document the language used among community participants and their motivations to progress in the community hierarchy, and to understand the underlying mechanics of the community ecosystem. Phase three (five days) allowed us to review insights from the previous phases and get confirmation of the initial ‘field’ conclusions.

As the scope of this research is not illegal behavior or illegal activities performed by community participants, there was no need to take into consideration any possible ethical issues. Moreover, Hackersforums.net is an open community easily accessible to any new member who registers through an online form. Therefore, we conducted covert observations in which we registered as a community member without actively participating in discussions, so as not to create any possible bias. Also, we did not collect any participants’ posts to the community forums; we only documented the different challenges and motivations needed to complete our understanding of the ecosystem. Finally, ethnography has been used especially in research where the emphasis is on studies of the Internet and virtual communities (Star 1995).

3.2 Interviews

To conduct interviews we contacted ten Defcon participants.
Defcon [1] is the world's longest running and largest underground hacking convention, where participants come from different areas: computer security professionals, journalists, lawyers, federal government employees, security researchers, and hackers. Our interviewees were information security professionals (40%), hackers (50%) and journalists (10%). Interviews were between 30 and 58 minutes long (on average 42 minutes), with a total of 58 pages of transcribed text. Once the data were collected we used the NVivo software program (version 10) to code the interviews. The hacker interviews were useful to understand their view of the computer underground ecosystem. Information security professionals provided useful insights on the organizational security perspective and the way the computer underground impacts organizations. The journalist interview was useful to get a bigger picture of different angles of the computer underground, such as financial risks for the modern economy.

[1] http://en.wikipedia.org/wiki/DEF_CON

3.3 ANT framework

In this research paper we will focus on issues of network formation, investigating the human and non-human actors and the network they create (Tatnall and Gilding 1999; Tatnall 2000). To analyze the computer underground, we propose the following framework, which is a generic representation of the computer underground ecosystem. The framework is displayed and described in Table 1.

Concept: Actor
Description: Any element which bends space around itself, makes other elements dependent upon itself and translates their will into a language of its own. Actors, all of which have interests, try to convince other actors so as to create an alignment of the other actors' interests with their own interests. When this persuasive process becomes effective, it results in the creation of an actor-network (Callon and Latour, 1981). Below, we define the major actors [2] of the computer underground network.
    (1) White hat (breaks security for non-malicious reasons)
    (2) Black hat (hacker who "violates computer security for little reason beyond maliciousness or for personal gain" (Moore, 2005))
    (3) Grey hat (combination of a Black Hat and a White Hat hacker)
    (4) Elite hacker (a social status among hackers; elite is used to describe the most skilled)
    (5) Script kiddie (non-expert who breaks into computer systems by using pre-packaged automated tools written by others)
    (6) Neophyte (new to hacking or phreaking, with almost no knowledge or experience of the workings of technology and hacking)
    (7) Blue hat (someone outside computer security consulting firms who is used to bug test a system prior to its launch)
    (8) Hacktivist (hacker who utilizes technology to announce a social, ideological, religious, or political message)
    (9) Nation state (intelligence agencies and cyberwarfare operatives of nation states)
    (10) Organized criminal gangs (criminal activity carried on for profit)
    (11) Bots (automated software tools, some freeware, available for the use of any type of hacker)

Concept: Actor Network
Description: A heterogeneous network of aligned interests.

Concept: Interest
Description: What an actant wants to achieve with an action.

Concept: Enrollment
Description: The moment that another actor accepts the interests defined by the actor (Callon, 1986). The actor seeks to influence another actor to act in a particular manner.

Concept: Translation
Description: The creation of an actor-network.

Table 1: Actor network framework for computer underground

[2] en.wikipedia.org/wiki/Hacker_(computer_security)

4 Computer underground Actor-Network

ANT enabled us to see the computer underground as a heterogeneous network embodying human as well as non-human actors (or actants) (Latour, 1987). Moreover, it also forces us to ‘follow the actors’ (Latour, 1987) by identifying the links between the different actors that form the network.
In the following section we will explore the computer underground by using ANT concepts to understand the motivations for participating in underground communities, and the inter-relationships between different actors. In order to preserve anonymity we will mask identity by using INT followed by the corresponding interview number (e.g. INT02 for interview number 2). Also, observations were used as the main data source, to which we will refer in the next sections.

4.1 Network associations

For Callon and Latour (1981) a black box can be defined as a term that “contains that which no longer needs to be considered, those things whose contents have become a matter of indifference”. Along the same lines, the computer underground, from an ANT perspective, can be seen as a black box. To start the analysis we first identified the different actants of the network in order to create associations between each of the actants. For Ritzer, actants are part of networked associations, “which in turn define them, name them, and provide them with substance, action, intention, and subjectivity” (Ritzer, 2005). This means that actants will use networks to express their nature. Ritzer also notes that “Actors are combinations of symbolically invested “things,” “identities,” relations, and inscriptions, networks capable of nesting within other diverse networks” (Ritzer, 2005). We have identified different network associations between actants. One example of such an association is between hackers who will never access or modify private data without the permission of its owners, where trust is the main characteristic of the link between group members.
Generally, the computer underground, according to Czarniawska and Hernes (2005), can be seen as a “super actor that seems to be much larger than any individuals that constitute it, and yet it is an association – a network – of these individuals, equipped with a ‘voice’”.

4.2 Translation

For Callon (1986) translation leads to the process where actors agree that the network is worth building, worth participating in, and worth defending. Callon also proposes that translation involves all the strategies through which an actor identifies other actors and arranges them in relation to each other (Callon et al., 1983). Callon (1986b) also outlined the process of translation as four ‘moments’:
1) problematisation, which can be defined as something that is indispensable, and where one or more key actors will try to define the exact nature of the problem as well as the roles of other actors that could fit with the proposed solution;
2) interessement, which can be defined as the way allies are locked in place. It corresponds to processes that try to provide the identity and role defined in the problematisation moment;
3) enrolment, which is the definition and coordination of the roles, where the end result is the establishment of a stable network of alliances; and
4) mobilisation, which refers to the representativeness of the spokesman and arrives when the proposed solution gains wider acceptance (McMaster, Vidgen et al. 1997). In this process some actors will appear as spokespersons for other actors.

4.3 Actors in the computer underground

In the case of the computer underground the actor network research identified some of the important actors: hackers. Further observations and interviews revealed other actors that are part of the network: White hat, Black hat, Grey hat, Elite hacker, Script kiddie, Neophyte, Blue hat, Hacktivist, Nation state and Bots. All actors are described in Table 1.
From this point, we explored and followed the actors, both human and non-human, looking for different negotiations, interactions, alliances and network formations. We identified obvious human-to-human interactions but also non-obvious human-to-non-human ones, like hackers trying to understand how software programs (bots) work and how they can adapt them to their needs. For Latour (1986), the issue with power is related to the fact that once you have power nothing really happens and you are powerless, while when you exert power others will act and perform the action. In sum, power can be explained by the relationship between two or more actants in which the way one behaves is affected by the way the other behaves.

To map the computer underground actor-network it was mandatory to explore the relationships between different actors. This mapping process revealed a number of controversies surrounding the different relationships in the computer underground that contribute to those controversies. As there are different hacking groups, to be able to access them and to have a successful group formation, computer underground participants must follow some predefined rules and unwritten procedures. If members want to climb the computer underground hierarchy they have to prove themselves through different actions. They have to gain status and reputation by giving things away. An example of this attitude is that a member needs to write some open source code and provide it for free to other members in order to build his reputation. At this point, the member goes through an Obligatory Passage Point where he is enrolled in the network but needs to continue showing his technical skills. Members need to become active members of the computer underground community.

References

Baskerville, R. (1993). “Information Systems Security Design Methods: Implications for Information Systems Development,” ACM Computing Surveys (25), pp. 375-414.
Bass, T. (2000). “Intrusion Detection Systems and Multisensor Data Fusion,” Communications of the ACM (43)2, pp. 99-105.
Beaulieu, A. (2004). Mediating ethnography: Objectivity and the making of ethnographies of the internet. Social Epistemology, 18(2-3), 139-163. Available: http://www.virtual- nowledgestudio.nl/staff/anne-beaulieu/documents/mediatingethnography.pdf [accessed Feb. 2007].
Callon, M. (1986b). “Some Elements of a Sociology of Translation: Domestication of the Scallops and the Fishermen of St Brieuc Bay”. Power, Action & Belief. A New Sociology of Knowledge? Law, J. London, Routledge & Kegan Paul: 196-229.
Callon, M. 1986. "Some Elements of a Sociology of Translation: Domestication of the Scallops and Fishermen of St. Brieuc Bay," in Power, Action and Belief: A New Sociology of Knowledge?, J. Law (ed.). London: Routledge, pp. 196-233.
Callon, M. and Latour, R. (1981) Unscrewing the big Leviathan: How actors macrostructure reality and how sociologists help them to do so. In: Knorr-Cetina, K. and Cicorel A.V. (eds.), Advances in social theory and methodology. Towards an integration of micro- and macro-sociologies. Boston: Routledge & Kegan Paul, 277-303.
Callon, M., and Latour, B. 1981. "Unscrewing the Big Leviathan: How Do Actors Macrostructure Reality," in Advances in Social Theory and Methodology: Toward an Integration of Micro and Macro Sociologies., K. Knorr and A. Cicourel (eds.). London: Routledge.
Callon, M., Law, J., and Rip, A., editors, 1996, Mapping the Dynamics of Science and Technology: Sociology of Science in the Real World (London: Macmillan).
Da Veiga, A. and J. H. P. Eloff. (2007). “An Information Security Governance Framework,” Information Systems Management (24) pp. 361-372.
Denning, P.J.: Passwords. American Scientist 80, 117–120 (1992)
Dhillon, G. and G. Torkzadeh. (2006). “Value-Focused Assessment of Information System Security in Organizations,” Information Systems Journal (16), pp. 293-314.
Dhillon, G. and J. Backhouse. (2001). “Current Directions in IS Security Research: Towards Socio-organizational Perspectives,” Information Systems Journal (11)2, pp. 127-153.
Dymond, P., Jenkin, M.: WWW distribution of private information with watermarking. In: The 32nd Annual Hawaii International Conference on Systems Sciences (HICSS-32), Maui, HI, USA (1999)
Halbert, D. (1997). Discourses of danger and the computer hacker. Information Society, 13 (4), 361–374.
Hine, C. 2005. "Virtual Methods and the Sociology of Cyber-Social-Scientific Knowledge," in Virtual Methods: Issues in Social Research on the Internet, C. Hine (ed.). Oxford: Berg.
Latour, B. 1993a. "Ethnography of a "High Tech" Case," in Technological Choices: Transformation in Material Cultures since the Neolithic, P. Lemonnier (ed.). London: Routledge: Taylor & Francis Group.
Latour, B., 1987, Science In Action (Cambridge: Harvard University Press).
Latour, B.: Science in action: how to follow scientists and engineers through society. Harvard University Press, Cambridge (1987)
Latour, B.: Technology is society made durable. In: Law, J. (ed.) A sociology of monsters: essays on power, technology and domination, pp. 103–131. Routledge & Kegan Paul, London (1991)
Law, J., Bijker, W.: Postscript: Technology, stability, and social theory. In: Bijker, W., Law, J. (eds.) Shaping technology/building society: Studies in sociotechnical change, pp. 290–308. MIT Press, Cambridge (1992)
Li, Y. and L. Guo. (2007). “An Active Learning Based TCM-KNN Algorithm for Supervised Network Intrusion Detection,” Computers & Security (26) 7-8, pp. 459-467.
Marx, Gary T. 1988a. Undercover: Police Surveillance in America. Berkeley: University of California Press.
Marx, Gary T. 1988b. "The Maximum Security Society." Deviance et Societe, 12(2): 147-166.
Marx, Gary T., and Nancy Reichman. 1985. "Routinizing the Discovery of Secrets: Computers as Informants." Software Law Journal, 1(Fall): 95-121.
McMaster, T., Vidgen, R. T. and Wastell, D. G. (1997). Towards an Understanding of Technology in Transition. Two Conflicting Theories. Information Systems Research in Scandinavia, IRIS20 Conference, Hanko, Norway, University of Oslo.
Monteiro, E. (2000). Actor-network theory. In C. Ciborra (Ed.), From control to drift: The dynamics of corporate information infrastructure (pp. 71–83). Oxford: Oxford University Press.
Moore, Robert (2005). Cybercrime: Investigating High Technology Computer Crime. Matthew Bender & Company. p. 258. ISBN 1-59345-303-5.
Ratnasingham, P. (1998). “Trust in Web-Based Electronic Commerce Security,” Information Management and Computer Security (6)4, pp. 162-166.
Ritzer, G. (Ed.). (2005). Encyclopedia of social theory. Thousand Oaks, CA: SAGE Publications, Inc. doi: 10.4135/9781412952552
Rogers, M. K. (2001). Modern-day robin hood or moral disengagement: Understanding the justification for criminal computer activity. Unpublished dissertation, University of Manitoba, Winnipeg, CA.
Silic, M. (2013). Dual-use open source security software in organizations – Dilemma: Help or hinder? Computers & Security, 39, Part B(0), 386-395. doi: http://dx.doi.org/10.1016/j.cose.2013.09.003
Silic, M., & Back, A. (2013). Information security and open source dual use security software: trust paradox. Open Source Software: Quality Verification (pp. 194-206): Springer.
Silic, M., & Back, A. (2014a). Information security: Critical review and future directions for research. Information Management & Computer Security, 22(3), 279-308.
Silic, M., & Back, A. (2014b). Shadow IT–A view from behind the curtain. Computers & Security, 45, 274-283.
Silic, M., & Back, A. (2015). Identification and Importance of the Technological Risks of Open Source Software in the Enterprise Adoption Context.
Sipponen, M., Wilson, R., Baskerville, R.: Power and Practice in Information Systems Security Research. In: International Conference on Information Systems 2008, ICIS 2008 (2008)
Star, S. L. (1995). The Cultures of Computing. Blackwell Publishers, Oxford.
Straub, D. W. and R. J. Welke. (1998). “Coping with Systems Risk: Security Planning Models for Management Decision Making,” Management Information Systems Quarterly (22)4, pp. 441-469.
Tatnall, A. (2000). “Innovation and Change in the Information Systems Curriculum of an Australian University: a Socio-Technical Perspective”. PhD thesis. Education. Rockhampton, Central Queensland University.
Tatnall, A. and Gilding, A. (1999). Actor-Network Theory and Information Systems Research. 10th Australasian Conference on Information Systems (ACIS), Wellington, Victoria University of Wellington.
Thomas, J. 1993. Doing Critical Ethnography. Newbury Park: Sage Publications.
Walsham, G., “Actor-network Theory and IS Research: Current Status and Future Prospect”, in Information Systems and Qualitative Research, A.S. Lee, J. Liebenau and J. DeGross, J.I. (ed.), London: Chapman & Hall, pp. 466–480, 1997.
Wong, C. K., M. Gouda, and S. S. Lam. (2000). “Secure Group Communications Using Key Graphs,” IEEE/ACM Transactions on Networking (TON) (8)1, pp. 16-30.
Yang, J. and S. S. Huang. (2007). “Mining TCP/IP Packets to Detect Stepping-Stone Intrusion,” Computers & Security (26) 7-8, pp. 479-484.
Young R, Lixuan Zhang, and Victor R. Prybutok. 2007. Hacking into the Minds of Hackers. Inf. Sys. Manag. 24, 4 (January 2007), 281-287. DOI=10.1080/10580530701585823 http://dx.doi.org/10.1080/10580530701585823
Zafar, Humayun and Clark, Jan Guynes (2009) "Current State of Information Security Research In IS," Communications of the Association for Information Systems: Vol. 24, Article 34. Available at: http://aisel.aisnet.org/cais/vol24/iss1/34