
This will be controversial, but wouldn’t one be able to say there is a benefit to the society of having kids hacking systems, doing pranks, even collecting ransomware, and not fearing ridiculing their subjects in contrast to having national state attackers that harvest and sell secrets? The first type of attacker would pressure security to be taken seriously, whereas the second type of attack would rarely be noticed and disclosed.


A clear distinction should be made, this isn't kids hacking companies for 'fun' or some kind of Kevin Mitnick-esque story where the thrill was having something they shouldn't or bypassing systems. These people wanted money and notoriety and got it by any means necessary, yet it took THREE arrests to finally put an end to it. They weren't just targeting multibillion dollar corporations, either.

Meanwhile in the very same country, the teenage criminal who helped ransom MGM casinos and London's transportation (twice arrested) is also free and likely actively deploying ransomware and sim swapping as we speak. I get that they're legally "children", but it's not like they're 9 year olds being tricked into doing other people's bidding, these are quite literally criminal masterminds working for themselves, and should be charged as one. "I promise I won't go online again" and supervision for a couple months obviously isn't working when you have companies getting hacked from a hotel room.


That's a false dichotomy. Having a few smart kids hack around doesn't end nation state attacks.


They don't end nation-state attacks, but public exposure from teenagers hacking corporate computer systems can make them do their homework of fixing low-hanging vulnerabilities. As a result, the attacks from nation-state attackers could become more expensive.


Kids won't hack corporate systems. They'll hack each other, they'll hack and share nudes, they'll embarrass one another, harass, troll, and bully.

I was a member of many video game communities as a kid and DDOS attacks to disrupt game play, RATs and other tools to steal and sell virtual currencies, happened frequently and often.

I think the volume of destructive activities outweighs the constructive ones, even if many such perpetrators went on to become Software Engineers and Pen Testers for Meta, Google, and other companies. Like others I don't think they should be arrested for the less harmful examples - but there are lines that cause significant societal harm that should end in proportional punishments.


> Kids won't hack corporate systems.

The entire history of hacking shows that kids will, do, and always have hacked corporate systems. They'll absolutely hack each other while they're at it, but much of that time will also involve hacking corporate systems. Even kids who hack video games are very often hacking corporate systems because it's corporations who control the game servers.

I would much rather have corporations and the countless third party companies/hardware/services they depend on all patching and hardening their stuff for fear of pesky children cheating in video games than let all those corporations become complacent. As it stands today corporations do only the bare minimum when it comes to security as repeatedly evidenced by the endless leaks and data breaches which rarely involve complex vulnerability chain attacks full of zero days and most often could have easily been avoided by protecting against threats that are very well known and for which solutions already exist.

The harm caused by trolls and cyberbullies is dwarfed by the harms these corporations would cause society if they had any less pressure to take even the most basic steps to protect our accounts and our data.


Well do you see it helping out the way you're suggesting? I just see two problems in the world not "the lesser of two evils".


> I just see two problems in the world not "the lesser of two evils".

You're right about that. It's far from an ideal solution. I'd much rather if that pressure came from regulation that would consistently deliver severe consequences for any company that decides to cut costs/increase profits by neglecting their responsibility to protect our data and the systems and services we pay for and depend on. That way, all systems would be reasonably protected. We wouldn't have to worry as much about pranking teenagers causing disruptions and posting penis pictures, and it would still make it harder for the adult hackers to gain access and do much worse.


Kids absolutely do hack corporate systems. They do now, they did 10 years ago, and when I was hip deep in that scene in the early 1990s that's what they were doing. They also go after each other, but that's a side quest.


My experience is that going after other groups and/or normal folk who you know is the main purpose. Everything else is just for funsies.

Specifically, targeting people in the real world who make your actual life difficult.

That's from the late 90's/early 00's.


The article mentions NVidia as an example of a ransomware attack. This seems to be a corporate threat.

> I was a member of many video game communities as a kid and DDOS attacks

I agree here that this is a destructive activity with no benefit. Securing games against DDOS attacks seems like a wasted effort.


  Kids won't hack corporate systems. They'll hack each other, they'll hack and share nudes, they'll embarrass one another, harass, troll, and bully.



  I was a member of many video game communities as a kid and DDOS attacks to disrupt game play, RATs and other tools to steal and sell virtual currencies, happened frequent and often.


  I was a member of many video game communities as a kid

Your youth maintained your innocence, consider yourself lucky.

You may never have had a clue at the time, but those pre-release builds, firmware dumps, decryption keys, _______ source code, PII dumps, debugging symbols, and other general degeneracy facets were not reverse engineered in a white-room environment by 17 year olds, but rather compiled and scavenger hunted from the depths of Google, re-used passwords, internal email dumps, physical intrusion (yes), blind XSS that phoned home an admin panel months later....I could go on, but that was nostalgic enough.

  I think the volume of destructive activities outweighs the constructive ones,

You are essentially promoting "head in sand", if not directly.

  if many such perpetrators went on to become Software Engineers and Pen Testers for Meta, Google, and other companies.

50%/50% drugs to success - The bell curves both ways. But remember the context, 10 years ago, emailing a bug report could get your door kicked in.

  Like others I don't think they should be arrested for the less harmful examples - but there are lines that cause significant societal harm that should end in proportional punishments.

This gets grey real fast.

After checking out your cart on a hypothetical web-store, you are redirected to the receipt page. Sharing the link with a cohort via email, you leave off a single digit in the r? parameter in the URL, causing a receipt from someone else to display.

It was a brisk fall dew-filled dawn the next morning when the State-Cyber-Police made their swift, immemorial performance. Donned with insignia "pastor sapientiae," they had long ago forgotten their purpose, aside from the prevention of the proliferation of the unwise and their defiance of authority.


That only holds if you believe that will (intrinsic or resulting from a cost/benefit analysis) is what's holding back organizations from improving their cybersecurity.


> That only holds if you believe that will (intrinsic or resulting from a cost/benefit analysis) is what's holding back organizations from improving their cybersecurity.

Improvements are expenses. The only unknown here seems to be whether nation-state attackers would recruit these gifted and experienced kids at a rate larger than corporations would be able to improve their security.


What you're basically describing is HackerOne but for kids. And I actually don't think it's a bad idea, they could consider doing a teenager version or do some program aimed at high schoolers. I'm sure it would be very well received, I would have thought it was the coolest thing ever.


I do believe in leniency towards juveniles so as not to discourage curiosity and learning. However, many attacks can be severely damaging. It seems this individual had many second chances but hasn't changed. Some intervention is necessary.


What would be the benefit, exactly?


It is controversial because you are utilizing childhood rebellion

Which ignores the point


I think you could generalize the OP's point to extend past children and still consider their question. I think you're focusing on the children part and ignoring the point.

Plus you're not "utilizing children" in the way you would with child labor. This is more "children are doing things, could we utilize this natural behavior to improve our society?" That's not exploitive of children unless you pressure them into hacking. It's also reasonable that we consider children are less likely to be severely punished because kids are, in fact, pretty dumb (which does not mean they also aren't pretty smart. Context matters ;)

Anyways, that's all beside the point of OP's question:

  Can we see hackers as a valuable tool for society? Since they put pressure on corporations to improve their security. Whereas when nation state hackers do similar things it is all kept quiet and so the knowledge of what needs to be fixed is less widespread.

I think yes. As an analogy I think hackers in this way can be seen like a virus and the human immune system. Low exposures and in healthy systems allows the body to develop antibodies and fight off bigger attacks and/or when the body is weaker. But too much and the host is permanently damaged. But no viruses and the immune system becomes weak and fragile too.

Personally, I think if we want to get the former immunity boosting we should be promoting ways for people to hack on systems in non-malicious ways. Bug bounty programs. Clear paths to responsible disclosure. All that jazz. Accidents will happen and some will go too far, but intent does matter. But we also hear on HN about how people have found vulns, reported it, and the response is to sue the person disclosing for hacking. Even if this is exclusively untrue (lol), if it is widely believed then what incentive does someone have to report a vuln if they find it? Because they sure have incentives to do malicious things with that information.

I'm big on morals and sticking to them. But at the same time I don't think we can have a functional society where people's only incentive to do the right thing is that warm and fuzzy feeling inside, especially when there are incentives to do the wrong thing. Maybe we should reward good behavior instead of bad behavior...



