Hackers are the new lawyers(calebmadrigal.com)
calebmadrigal.com
Hackers are the new lawyers
http://calebmadrigal.com/hackers-are-the-new-lawyers/
50 comments
Lol. The OP really doesn't understand what lawyers do all day. Running a a so-called 'hacking back' team isn't done lightly. And instigating an attack, hacking without the 'back', is just plain dangerous. I may not be the sort of lawyer that is sent to openly attack rivals via abusive legal process, but I do have a slide deck of hacking back stories that ended badly. One ends with a panicked call to an attorney after a response team snapped a pic from the webcam of the attacking machine ... an virus infected desktop in a kid's bedroom. That team suddenly found the need for legal process and advice, something they eschewed only minutes previously.
Just to clarify, I am NOT suggesting companies should be hacking back :) I'm just pointing out a trend, which could continue to evolve.
Except that it's not even a trend. Which companies hack back? Every major internet firm publicly disavows hacking back (much less launching offensive attacks) specifically because of the massive liabilities it could expose them to.
>Lol.
lol indeed
lol indeed
I think lawyers are still the new lawyers.
One of the major benefits of society is to remove the need for individuals to keep their own firepower. You're allowed to defend yourself, but the goal is to make it so you can feel safe in a city of 8 million people with no more than a heavy bag, cell phone, or can of mace.
In the digital world, you still need self-defense (network protections, strong passwords, small attack surface), but hopefully not everybody has to hire cyber-thugs to defend their turf. If another cyber-thug attacks you, you figure out who they are, call your lawyer, and let the state deal with it.
It's not perfect, but I'd think lawyers will learn unmasking techniques before corporations hire body-guard divisions full of black-hat crypto types. And international conflict is always messier...
One of the major benefits of society is to remove the need for individuals to keep their own firepower. You're allowed to defend yourself, but the goal is to make it so you can feel safe in a city of 8 million people with no more than a heavy bag, cell phone, or can of mace.
In the digital world, you still need self-defense (network protections, strong passwords, small attack surface), but hopefully not everybody has to hire cyber-thugs to defend their turf. If another cyber-thug attacks you, you figure out who they are, call your lawyer, and let the state deal with it.
It's not perfect, but I'd think lawyers will learn unmasking techniques before corporations hire body-guard divisions full of black-hat crypto types. And international conflict is always messier...
Unfortunately lawyers still depend on the law as their weapon. And laws tend to respect borders whereas cyber weapons do not. The ability for a lawyer to defend against a cyber attack is incredibly limited.
I think the article addresses this in both suggesting these attacks are more common in China (where lawyers from other countries tend to be notoriously ineffective) and in the hypothetical scenario that corporations grow in power to be above the law.
I think the article addresses this in both suggesting these attacks are more common in China (where lawyers from other countries tend to be notoriously ineffective) and in the hypothetical scenario that corporations grow in power to be above the law.
That's also fortunate, because if some country has odd laws (and many do), at least their effects don't spread too much. Politicians and lawyers try their best to combat this (with laws as their weapon) through treaties.
It's really two-sided coin. On the other hand, average person don't have to to learn about technical stuff. On the other, there is also weird stuff like illegal numbers, battles on encryption, censorship, restrictions on reverse engineering and learning, all the copyright/DRM weirdness, and, on more common level, also a lot of uncertainity about if something's legal or not[1] (because, duh, engineering and lawmaking are completely different worlds and they mismatch heavily).
____
[1] You encounter a computer system. You just can't tell if it's legal to access it or not. And a smart lawyers can make it look both ways - it's not tech (where things are straightforward but harsh), just humans persuading other humans.
It's really two-sided coin. On the other hand, average person don't have to to learn about technical stuff. On the other, there is also weird stuff like illegal numbers, battles on encryption, censorship, restrictions on reverse engineering and learning, all the copyright/DRM weirdness, and, on more common level, also a lot of uncertainity about if something's legal or not[1] (because, duh, engineering and lawmaking are completely different worlds and they mismatch heavily).
____
[1] You encounter a computer system. You just can't tell if it's legal to access it or not. And a smart lawyers can make it look both ways - it's not tech (where things are straightforward but harsh), just humans persuading other humans.
> You encounter a computer system. You just can't tell if it's legal to access it or not.
I find this point of view fascinating. Walking down the street, do you have any trouble telling which buildings are legal to access and which are not?
I would posit that there is nothing unclear about the law here. In meat-space, the social norm is clear: you go into other peoples' property only if you have business there, you go in through the front door, and once there, you do only what the owner would want you to do. Otherwise, your entry is illegal. Nobody complains that you can't tell just by looking at a building whether going inside is legal or not.
Some people resist this clear social norm in cyber-space. They want to posit a "right to tinker" or a "right to explore." It is that resistance that creates uncertainty, not the law.
I find this point of view fascinating. Walking down the street, do you have any trouble telling which buildings are legal to access and which are not?
I would posit that there is nothing unclear about the law here. In meat-space, the social norm is clear: you go into other peoples' property only if you have business there, you go in through the front door, and once there, you do only what the owner would want you to do. Otherwise, your entry is illegal. Nobody complains that you can't tell just by looking at a building whether going inside is legal or not.
Some people resist this clear social norm in cyber-space. They want to posit a "right to tinker" or a "right to explore." It is that resistance that creates uncertainty, not the law.
> In meat-space, the social norm is clear
Local social norm, in your meat-space neighborhood, sure. Also, norms from the other places, if you've did the research, or if their norms are close enough to what you're used to so your behavior is compliant or at least tolerable (for a foreigner).
Still, nerd social awkwardness issues aside, I tend to believe there there are quite different social norms in drastically different meatspace areas.
On the Internet it's only worse. You can't even tell which country/jurisdiction the site you plan to visit belongs to (no, addresses from whois may be a continent away from the legal system site ToS mentions). I neither think there are universal laws regarding this (to best of my knowledge, there aren't), nor that you can always know whenever it's legal to click that link you saw someone had posted on IRC or not, or read that link's contents, or save it.
(Ever thought that "liking" a post on a social network can be a criminal offense punishable with a few years in jail? In some countries it could be.)
Local social norm, in your meat-space neighborhood, sure. Also, norms from the other places, if you've did the research, or if their norms are close enough to what you're used to so your behavior is compliant or at least tolerable (for a foreigner).
Still, nerd social awkwardness issues aside, I tend to believe there there are quite different social norms in drastically different meatspace areas.
On the Internet it's only worse. You can't even tell which country/jurisdiction the site you plan to visit belongs to (no, addresses from whois may be a continent away from the legal system site ToS mentions). I neither think there are universal laws regarding this (to best of my knowledge, there aren't), nor that you can always know whenever it's legal to click that link you saw someone had posted on IRC or not, or read that link's contents, or save it.
(Ever thought that "liking" a post on a social network can be a criminal offense punishable with a few years in jail? In some countries it could be.)
> In meat-space, the social norm is clear
I think it is only clear most of the time.
There are plenty of odd situations.
I might ask where the restroom is in a retail store and learn I need to walk through a back storage room to get there.
What if I walk into a business an it appears empty, as if the sole proprietor just walked out and forgot to lock it.
Where exactly is the dividing line between the park or field and the similar looking lawn.
If I am hiking in the woods and I come upon the back of a sign I will walk around to the front. If it says "Tresspassers will be shot" I really start to worry what I just walked through.
Cyberspace hasn't had time to work out good samaritan laws or castle doctrine and the only property are purely technical in nature. I mean, do I own the VM on a VPS host or does the VPS host, certainly I own the software on it I wrote and they own the host OS but where is that line? Then IP laws come into play...
I think it is only clear most of the time.
There are plenty of odd situations.
I might ask where the restroom is in a retail store and learn I need to walk through a back storage room to get there.
What if I walk into a business an it appears empty, as if the sole proprietor just walked out and forgot to lock it.
Where exactly is the dividing line between the park or field and the similar looking lawn.
If I am hiking in the woods and I come upon the back of a sign I will walk around to the front. If it says "Tresspassers will be shot" I really start to worry what I just walked through.
Cyberspace hasn't had time to work out good samaritan laws or castle doctrine and the only property are purely technical in nature. I mean, do I own the VM on a VPS host or does the VPS host, certainly I own the software on it I wrote and they own the host OS but where is that line? Then IP laws come into play...
Absolutely, "paper" trails through and walking along rivers and beaches bordered by private property are other interesting examples of where the law and "norms" of the situation are often pretty blurry.
That's just land, computers are a whole other level of complexity, plus the "norms" are not yet decided.
[deleted]
While the situations you cite are relatively less common, I don't think the social norm in those situations is at all unclear. Walking through the back storage room to find the restroom after asking is fine, but doing so without asking isn't nor using is your bathroom trip to rifle through merchandise.
I think it's only us nerds with our low social sensitivity and literal minded-ness would think otherwise.
I think it's only us nerds with our low social sensitivity and literal minded-ness would think otherwise.
> Walking down the street, do you have any trouble telling which buildings are legal to access and which are not?
Do you expect the same response to hacking your local computer club as hacking the IRS?
There are more than one set of social norms on the internet.
The "I know it when I see it" test is useless because it does nothing in the cases where you actually need the test to decide anything. There was never any question what happens to someone who hacks the DoD and sells secrets to the Russians -- you don't need any kind of computer-specific laws for that because it's illegal regardless of how you do it.
The problem cases are the ones where the argument is over whether permission was implicit vs. absent vs. not required. For example, should it be illegal for a journalist to access internal documents a company published on their website but probably didn't intend to? What if the journalist has to guess the URL? And those seem to be exactly the sort of cases that can be charged only under the CFAA and not any other law.
> Some people resist this clear social norm in cyber-space. They want to posit a "right to tinker" or a "right to explore." It is that resistance that creates uncertainty, not the law.
A law the relies on social norms adopts the uncertainty inherent in the social norms. In the context of the internet where all cultures are together in the same "space" this gives the law more than the usual amount of uncertainty.
Which makes the problem one that is much easier to solve technically than legally. If you in fact prevent unauthorized access using technical means then there is no occasion to resort to legal process or contend with the uncertainty of differing social norms, which is already inherently necessary for extrajurisdictional attackers who aren't subject to legal process regardless.
And if the problem can (and for foreign attackers must) be addressed mainly through technical means then the justification for uncertain laws with harsh penalties is significantly eroded, while the cost in terms of chilling effects and potential for abuse is not reduced at all.
Do you expect the same response to hacking your local computer club as hacking the IRS?
There are more than one set of social norms on the internet.
The "I know it when I see it" test is useless because it does nothing in the cases where you actually need the test to decide anything. There was never any question what happens to someone who hacks the DoD and sells secrets to the Russians -- you don't need any kind of computer-specific laws for that because it's illegal regardless of how you do it.
The problem cases are the ones where the argument is over whether permission was implicit vs. absent vs. not required. For example, should it be illegal for a journalist to access internal documents a company published on their website but probably didn't intend to? What if the journalist has to guess the URL? And those seem to be exactly the sort of cases that can be charged only under the CFAA and not any other law.
> Some people resist this clear social norm in cyber-space. They want to posit a "right to tinker" or a "right to explore." It is that resistance that creates uncertainty, not the law.
A law the relies on social norms adopts the uncertainty inherent in the social norms. In the context of the internet where all cultures are together in the same "space" this gives the law more than the usual amount of uncertainty.
Which makes the problem one that is much easier to solve technically than legally. If you in fact prevent unauthorized access using technical means then there is no occasion to resort to legal process or contend with the uncertainty of differing social norms, which is already inherently necessary for extrajurisdictional attackers who aren't subject to legal process regardless.
And if the problem can (and for foreign attackers must) be addressed mainly through technical means then the justification for uncertain laws with harsh penalties is significantly eroded, while the cost in terms of chilling effects and potential for abuse is not reduced at all.
> In the digital world, you still need self-defense (network protections, strong passwords, small attack surface), but hopefully not everybody has to hire cyber-thugs to defend their turf. If another cyber-thug attacks you, you figure out who they are, call your lawyer, and let the state deal with it.
That doesn't actually work here. If someone attacks you from Russia or China or Nigeria, there are no lawyers that can help you.
The reason hack back is unwise and unnecessary is that you don't need deterrence to prevent cyber attacks. In meatspace anybody with a rock and two hands can steal your television and the defenses necessary to prevent that are significantly more expensive than relying on the state to use prison as a deterrent.
But it's a lot more practical to maintain a secure digital system than a secure physical system, because digital systems fail closed rather than fail open. If you can't pick a physical lock you can still break a window or bust down the door, but the equivalent brute force against digital systems yields only denial of service rather than unauthorized access.
That doesn't mean you can't screw it up. Possible to succeed is not the same as impossible to fail. But it means it's possible to have a good enough defense that you require no offense.
That doesn't actually work here. If someone attacks you from Russia or China or Nigeria, there are no lawyers that can help you.
The reason hack back is unwise and unnecessary is that you don't need deterrence to prevent cyber attacks. In meatspace anybody with a rock and two hands can steal your television and the defenses necessary to prevent that are significantly more expensive than relying on the state to use prison as a deterrent.
But it's a lot more practical to maintain a secure digital system than a secure physical system, because digital systems fail closed rather than fail open. If you can't pick a physical lock you can still break a window or bust down the door, but the equivalent brute force against digital systems yields only denial of service rather than unauthorized access.
That doesn't mean you can't screw it up. Possible to succeed is not the same as impossible to fail. But it means it's possible to have a good enough defense that you require no offense.
[deleted]
> If someone attacks you from Nigeria, there are no lawyers that can help you.
This statement is all shades of Wrong. In Nigeria at least, I know you can easily report to the Country's Economic and Financial Crimes Commission (EFCC), which is currently doing a very good job of getting back foreign stolen money through internet scams.
This statement is all shades of Wrong. In Nigeria at least, I know you can easily report to the Country's Economic and Financial Crimes Commission (EFCC), which is currently doing a very good job of getting back foreign stolen money through internet scams.
Your contention supposes that Nigerian scammers are stealing money because they're keen to invest in easily confiscated securities instruments rather than spending the money like it's burning a hole in their pocket. And that the purported successes of the Nigerian "EFCC" are real and typical rather than government propaganda from a government trying to spin their country's association with 419 scams. And that having your money stolen and then going through an international bureaucratic process to maybe get some of it back is in any way comparable to not having it stolen to begin with.
But let's suppose all of that is true. If someone in Nigeria steals your money, you pick up the phone and in five minutes they're in jail and your money is returned. Then you're doing this:
http://slatestarcodex.com/2014/05/12/weak-men-are-superweapo...
Because there are still many places where no such process is available. Many of the attacks from China are state-sponsored. Many of the attacks from Russia are from organized crime who have law enforcement on payroll. ISIS. You haven't done anything to refute the point, you're just arguing about which examples I should be using this year.
But let's suppose all of that is true. If someone in Nigeria steals your money, you pick up the phone and in five minutes they're in jail and your money is returned. Then you're doing this:
http://slatestarcodex.com/2014/05/12/weak-men-are-superweapo...
Because there are still many places where no such process is available. Many of the attacks from China are state-sponsored. Many of the attacks from Russia are from organized crime who have law enforcement on payroll. ISIS. You haven't done anything to refute the point, you're just arguing about which examples I should be using this year.
How is hiring a lawyer to defend yourself against legal attacks any different than hiring a "cyber-thug" to defend yourself against technical attacks?
Yes, lawyers are still needed. For the sake of brevity, I didn't call the title "Hackers are the new lawyers, but lawyers are still useful." :)
I think this greatly overestimates the importance of IT and high technology in the modern economy. Outside of the pure tech companies that are well known on HN, most technology is used to facilitate the rest of whatever the company in question does. It isn't the business itself.
Most economic value is due to labor and tangible products, and cyber attacks can only indirectly touch those. Cyber attacks are unfortunate, sure, but they're hardly all that damaging to the core operations of the organizations they affect, unless, of course, it's something like Stuxnet, where physical damage is done.
Most economic value is due to labor and tangible products, and cyber attacks can only indirectly touch those. Cyber attacks are unfortunate, sure, but they're hardly all that damaging to the core operations of the organizations they affect, unless, of course, it's something like Stuxnet, where physical damage is done.
>It isn't the business itself.
Neither is lawyering, that's his point. Lawyers do not (usually) create value, they protect it, same as the hackers he is talking about.
>Cyber attacks are unfortunate, sure, but they're hardly all that damaging to the core operations of the organizations they affect, unless, of course, it's something like Stuxnet, where physical damage is done.
The Sony hack: http://www.vanityfair.com/hollywood/2015/02/sony-hacking-set...
Bangladesh Bank hack: https://en.wikipedia.org/wiki/2016_Bangladesh_Bank_heist
Neither is lawyering, that's his point. Lawyers do not (usually) create value, they protect it, same as the hackers he is talking about.
>Cyber attacks are unfortunate, sure, but they're hardly all that damaging to the core operations of the organizations they affect, unless, of course, it's something like Stuxnet, where physical damage is done.
The Sony hack: http://www.vanityfair.com/hollywood/2015/02/sony-hacking-set...
Bangladesh Bank hack: https://en.wikipedia.org/wiki/2016_Bangladesh_Bank_heist
It's too early to tell about the Bangladesh Bank hack, but in the Sony case there weren't any long term consequences as far as I'm aware. Which goes to my point: business value isn't in technology for the most part. Attacking technology doesn't do much to change the underlying value of a business.
Additionally, software is eating much of the enterprise. By and large software makes companies more efficient. Lawyering makes them less. Adding hackers doesn't just protect the enterprise, it improves it.
The point of lawyers is not to make companies "more efficient," so that's a strange criticism of them.
I'm not criticizing them, just pointing out another reason why Hackers are replacing them.
> I think this greatly overestimates the importance of IT and high technology in the modern economy.
On HN? Inconceivable.
On HN? Inconceivable.
Absolutely. One just has to look af the Global 2000 list to see how little tech and software make businesses directly. It's usually indirect as you say, even minimized in many.
off topic... after listening to
Hackers: Heroes of the Computer Revolution during my commute over the last month (and to a degree Masters of Doom) it is distracting to see the word "hacker" in relation to cyber attacks/espionage. When I was growing up hacker always meant someone who broke into computer systems/networks, then I started hearing about hacking actually meaning something else originally and of course in more recent years with hacker news, hardware hacking and other usage of the word becoming more popular "hacker" seemed to take back its original meaning. Now after listening to some books that only use the word under its original meaning it is hard to take articles seriously that use it in relation to breaking into systems. When I saw the title of this article I misunderstood their usage of "hackers" /rant
Catchy title, almost like a click bait.
Lack of content and it failed to back itself up.
These kind of posts...I don't understand how they are first page of hackers news.
This isn't really a statement about the relative importance of certain professions, it's mostly a statement about China. They're a lawless country, and we should probably just disconnect their country from the rest of the internet until that changes. Or at least fine them and issue sanctions until they pay up.
It would be a very bad idea for a US company to start a renegade hacking team that broke into other companies and stole their documents. That would get you thrown in jail, no matter who you were.
It would be an even worse if you started counter-hacking random ips that attacked your machines, because you'd end up with soccer moms crying to politicians on national television about what you did to their kids.
It would be a very bad idea for a US company to start a renegade hacking team that broke into other companies and stole their documents. That would get you thrown in jail, no matter who you were.
It would be an even worse if you started counter-hacking random ips that attacked your machines, because you'd end up with soccer moms crying to politicians on national television about what you did to their kids.
I expected this to be about how tech has replaced law as the recommended "just learn this and you'll have a good job" career path for today's students.
This is something we as a community should probably have a conversation about. Too many people went to law school, and now they can't find jobs. Meanwhile, the "tech" (read: software) zeitgeist has enthusiastically taken up the mantle by proclaiming that everyone should learn to code and start making $100k. We're only devaluing our own work and setting unrealistic expectations by doing this.
This is something we as a community should probably have a conversation about. Too many people went to law school, and now they can't find jobs. Meanwhile, the "tech" (read: software) zeitgeist has enthusiastically taken up the mantle by proclaiming that everyone should learn to code and start making $100k. We're only devaluing our own work and setting unrealistic expectations by doing this.
I mean...I guess? I can see where this analogy is supposed to go, but I feel the author is dismissing how close corporate espionage toes the line between legal and illegal. Even if it's in a scummy manner, lawyers use the laws at hand to protect IP both offensively and defensively.
Finding business strategy is one thing. "Let's run through their service, deconstruct it, and see how we can make ours better than theirs." That's above board."Find a hole, pivot, take what you can." Pump the brakes there, sweetie.
Or maybe I'm just interpreting this wrong.
Finding business strategy is one thing. "Let's run through their service, deconstruct it, and see how we can make ours better than theirs." That's above board."Find a hole, pivot, take what you can." Pump the brakes there, sweetie.
Or maybe I'm just interpreting this wrong.
this is a great insight, i have been thinking the same thing for some time. Another angle is the "media image" your company has. I read the book "Trust-Me-Lying-Confessions-Manipulator" after watching some YC videos and was blown away how a few people can use technology (bots, tweets..etc) to influence small local blogs, which influence larger blogs and in turn media outlets like CNN etc.. He talked about using this strategy to shape public opinion which eventually called in the lawyers and caused congress member to resign, and in another case help his friend promote a low budget movie to a national level etc.
I can't help but wonder if the competitors of Theranos understand this idea (use tech to influence media to influence regulators)and used it as a weapon that Theranos has not done a good job of defending against.
It would be fun to run an analysis of all news articles mentioning Theranos and see historically the sentiment analysis of each one, and at what average sentiment point the regulators got involved.
You could extrapolate and see if there is an average media sentiment that can predict when regulators will get involved. Could be a great "weapon" to use.
I can't help but wonder if the competitors of Theranos understand this idea (use tech to influence media to influence regulators)and used it as a weapon that Theranos has not done a good job of defending against.
It would be fun to run an analysis of all news articles mentioning Theranos and see historically the sentiment analysis of each one, and at what average sentiment point the regulators got involved.
You could extrapolate and see if there is an average media sentiment that can predict when regulators will get involved. Could be a great "weapon" to use.
In certain aspects corporations already do have more power than government. However that's because of money rather than tech chops. It's important now more than ever for companies to have a viable security model.
Catchy title but lack of content and it failed to back itself up.
[deleted]
I am disappointed. I thought "Lawyers are the new Knights" was a Serial Experiments Lain reference.
Nothing new under Neuromancer's sun.
You know, I just watched Lain for the first time like 3 months ago. It's quite plausible my subconscious was influenced by it.
When you will design the login button of your site in development with "Open the nExt", you will know for sure you have been influenced. When you start praying Lain before accessing any network, it's time to call a doctor.
I was expecting to see an article which predict hackers will develop AI which obsoletes many lawyers.
It turns out an article predicting crackers becoming military force by acquiring secret information of competitors.
A company who don't spend their effort on R&D and just cloning competitors technologies cannot dominate the market. A company which doesn't seriously concerns security deserve to die.
No worries at all.
A company who don't spend their effort on R&D and just cloning competitors technologies cannot dominate the market. A company which doesn't seriously concerns security deserve to die.
No worries at all.
How is this getting upvoted?
Except China does do the most hacking, us Americans do. We have more computers, computer scientists, money and government sanctioned orgs doing hacking.
Also this article is super-naive. If a country were not the USA and caught hacking a bunch of western businesses then the US political and military machine would start up. Look at what we pressured others to do about the pirate bay and megaupload.
Also this article is super-naive. If a country were not the USA and caught hacking a bunch of western businesses then the US political and military machine would start up. Look at what we pressured others to do about the pirate bay and megaupload.
As far as corporate espionage via hacking goes, China is way ahead of the US or any other country.
A hacker is really the red-shirt ensign on the away team
This title is truly unfortunate, because if the article becomes popular it will contribute to the Computer Programmer Licensing movement.