The darker side of the global economy is Misha Glenny‘s domain of predilection (see his previous book, McMafia on that). In Darkmarket, Cyberthieves, Cybercops, and You, he tackles the hacking world through an investigation into several Internet forums dedicated by carders for carders (carders are these people who steal your credit card numbers and PINs and use them to make money, a thriving business in the global economic / easy credit age).
While McMafia was about old-fashioned organized criminal networks as they adapted to the borderless, global environment created by the end of communism and the triumph of neoliberalism, Darkmarket is about the new breed of organized criminality, using the tools of 21st century technology.
The structure of the book is roughly similar to that of McMafia. Glenny follows a bunch of individuals, which gives us an insider look at their criminal world. The positive side of this is that it creates a fascinating narrative. The downside is that, at some point, it gets harder to see the forest from the multiplicity of trees. It is hard to get a grip of the larger context, extent of the problem and other objective, macro data on this (if they exist). So, in Darkmarket, we follow the rise and fall of the major carder forums (Carder Planet, Shadowcrew, Carder Market and Darkmarket) as well as that of their major players (minus one, still at large at the end of the book). So, anyhoo, here is what I could tease out on the macro side.
Among the individuals we follow throughout the book are also the cops who try to stop carders around the world, from the US, all over Europe and in Turkey. It is half-amusing, half-depressing to find the old-fashioned bureaucratic patterns being reproduced in law enforcement (with the US Secret Services conducting its own carding-busting operation without telling the FBI, doing the same, of course, and both agencies competing for resources and who will catch carders first).
Hacking as crime poses specific problems for law enforcement:
“We now find ourselves in a situation where this minuscule elite (call them geeks, technos, hackers, coders, securocrats, or what you will) has a profound understanding of a technology that every day directs our lives more intensively and extensively, while most of the rest of us understand absolutely zip about it.” (Loc. 81)
As the book shows, law enforcement agencies are still playing catch-up with technology and knowledge and hackers are always ahead of the game.
And then, of course, the global nature of Internet criminality:
“Most importantly, it is much much harder to identify when people are up to no good on the Web. Laws governing the Internet vary greatly from country to country. This matters because in general a criminal act over the Web will be perpetrated from an IP (Internet Protocol) address in one country against an individual or corporation in a second country, before being realised (or cashed out) in a third. A police officer in Colombia, for example, may be able to identify that the IP address coordinating an assault on a Colombian bank emanates from Kazakhstan. But then he discovers that this is not considered a crime in Kazakhstan, and so his opposite number in the Kazakh capital will have no reason to investigate the crime.” (Loc. 107)
And all this takes place in the context of the ever-expanding surveillance society where both governments and corporations compete over who is going to grab most of our information for their own purposes. Take encryption, for instance:
“The political implications of digital encryption are so immense that the government of the United States started to classify encryption software in the 1990s as ‘munitions’, while in Russia should the police or KGB ever find a single encrypted file on your computer, you could be liable for several years in jail, even if the document only contains your weekly shopping list. As governments and corporations amass ever more personal information about their citizens or clients, encryption is one of the few defences left to individuals to secure their privacy. It is also an invaluable instrument for those involved in criminal activity on the Web.” (Loc. 153)
Pursuing cybercriminality is a tricky game. One can always try to infiltrate forums where carders meet and exchange tricks of the trade and do business with each other. Figuring out with whom one is interacting is incredibly difficult as hackers and carders are justifiably paranoid to an extreme degree. From Glenny’s writing, one would thing that all these guys (and they are all guys) are all 15 year olds that never left high school. Forums are ridden with cliques, ingroup / outgroup conflicts where accusation of being from law enforcement are thrown around, individuals get taken down and thrown out of the forums on the basis of rumors started by business rivals. Trust is the main currency and it is hard to come buy, so, these forums are strictly monitored by administrators (criminals themselves) who manage the whole environment very closely.
And, of course, fighting cybercriminality means having to deal with the banks who issue thee credit cards:
“The attitude of most banks to cybercrime is ambiguous. While writing this book, a gentleman from my bank, NatWest, called me and asked if I had made any recent purchase at a jewellers in Sofia, the capital of Bulgaria. Furthermore, he enquired whether I had spent 4,000 francs settling a bill with Swiss Telecom. I said that I had not. I was then told that my NatWest Visa card had been compromised, that I would need a new one, but that I could be safe in the knowledge that NatWest had cancelled the £3,000 for which the card had been fraudulently used. Like everyone else who goes through that experience, I was hugely relieved when the bank gently reassured me that I was not liable.
But who is actually paying for that? The bank? No, they are insured against such losses. The insurance company? No, because they set the premiums at a level that ensures they don’t lose out. So maybe it is the bank after all, given that they’re paying the premiums? Yes. But they recoup the money by levelling extra charges on all consumers. Essentially, bank fraud is paid for by all bank customers.
This is something that banks understandably do not wish to have widely advertised. Similarly, they do not like the public to learn how often their systems have been compromised by cyber criminals. Journalists find it impossible to get any information out of banks about the cyber attacks that rain down on them daily. That is understandable. What is less excusable is their frequent reluctance to work with police, in case the information be revealed in open court. By refusing to admit that their customers are victims of cybercrime, for fear of losing an edge against their competitors, banks are indirectly assisting the work of criminals.
Banks like to keep the extent of fraud quiet partly for competitive reasons and partly because they do not want their customers to demand a return to the old ways. Electronic banking saves them huge sums of money because the customer is carrying out tasks that were once the preserve of branches and their staff. If we were all to refuse to manage our finances via the Internet, banks would be compelled to reinvent the extensive network of branches through which they used to serve us. That would cost an awful lot of money and, as we now know, the banks have spent everything they have, along with hundreds of billions of taxpayers’ cash, underwriting egregious speculative ventures and their obscenely inflated bonus payments.” (Loc. 581 – 600)
And in the Age of Plastic, there are billions of cards around, and huge sums of money available for the criminal creative class and a lot of members of carder forums are from former communist countries where they are more or less left alone by law enforcement as long as they don’t mess with Russia.
So Carder Planet was the first of its kind and it lasted four years but it eventually fell, and in its place emerged a whole bunch of new forums dedicated to the same activities with a global reach:
“Websites modelled on CarderPlanet sprang up everywhere: theftservices.com, darknet.com, thegrifters.net and scandinaviancarding.com. There were many more, including one bound by the delightful acronym parodying American academic communities, IAACA (International Association for the Advancement of Criminal Activity).
But none succeeded like Shadowcrew during its two years of existence. And RedBrigade was one of the many carders on Shadowcrew who hit the jackpot. Law enforcement was just beginning to become aware of the extent of the business. Banks were effectively clueless, ordinary folk oblivious.
Hackers were streets ahead, and Mammon ruled everywhere – the hedge-fund managers, the oligarchs, the oil sheikhs, the Latin American mobile-phone moguls, the newly empowered black economic elite in South Africa, the old white economic elite in South Africa, Chinese manufacturers of global knick-knacks, techno gurus from Bangalore to Silicon Valley.
Hundreds of carders made vast fortunes during Shadowcrew, many of them sufficiently naive to piss it all away on the trappings of arriviste wealth. In those days there were no checks on your computer’s IP address when you made purchases over the Web. There was no Address Verification System on the credit card: you could ship goods anywhere in the world (except Russia and other former Soviet countries), regardless of where the card was issued, and nobody would cross-check it at any stage.
This novel crime took root well beyond its Ukrainian- and Russian-language nursery. It began to globalise spontaneously. RedBrigade recalled how established Asian criminals would now communicate with college kids from Massachusetts who were talking to East Europeans, whose computers overflowed with credit-card ‘dumps’. Behind some of the nicknames on Shadowcrew were criminal agglomerates like All Seeing Phantom, revered among his peers.” (Loc. 1466)
It is amazing that anyone can make any sense of this, let alone infiltrate it and identify the main participants and administrators in these operations.
But carding is only one form of Internet threat. Glenny identifies three:
- cybercrime: including carding, the theft and cloning of credit-card data for financial gain;
- cyber industrial espionage;
- cyberwarfare: the design and manufacture of both defensive and offensive cyber weapons.
And to that last, government have responded with a militarization of cyberspace:
“Computing networks had become so critical a part, both of the Defense Department’s infrastructure and of its offensive and defensive operational capability, that Robert Gates, the Secretary of Defense, made the momentous decision to create a new military domain – cyberspace. This fifth military domain – a sibling to land, sea, air and space – is the first-ever man-made sphere of military operations, and the rules surrounding combat in it are almost entirely opaque. Along with the domain, the Pentagon has set up USCYBERCOMMAND to monitor hostile activity in cyberspace and, if necessary, plan to deploy offensive weapons like Stuxnet. For the moment, the US is the acknowledged leader in the cyber offensive capability.” (Loc. 2774)
One can only imagine the level of surveillance and violation of any kind of legality happening.
The presence of Turkey as a hub for cybercriminality itself is an interesting example of global development:
“After the millennium Turkey had become an increasingly attractive venue for hackers, crackers and cyber criminals. In the late 1990s much cyber criminal activity had clustered in certain regions of the so-called BRIC countries. An economist from Goldman Sachs had conferred this acronym on Brazil, Russia, India and China as the leading countries of the emerging markets, the second tier of global power after the G8 (though, politically, Russia straddles the two).
The BRICs shared important social and economic characteristics. Their economies were moving and opening after several decades of stagnation. They had large populations whose combined efforts registered huge growth rates, while a resurgence in exuberant and sometimes aggressive nationalism accompanied the transition to the status of dynamic global actor. Their education systems offered excellent basic skills. But, combined with extreme inequalities of wealth, this spawned a new class of young men, poor and unemployed, but – in contrast to earlier generations – with great material aspirations as they absorbed the consumer messages that are an intrinsic part of globalisation. To meet these aspirations, a minority started beavering away in Internet cafés, safe from detection by law enforcement or indeed anyone else, where they found myriad online opportunities to educate themselves in the art of hacking.
Turkey qualified as an honorary BRIC, with an economy that, when compared to Russia’s, for example, looked much more dynamic. The country’s population, at around eighty million, and its growth rates were increasing even faster than those of the acknowledged BRICs. Everyone recognised its strategic importance, nestling against the Black Sea and Mediterranean Sea while bordering Bulgaria, Greece, Iran, Iraq, Syria, Armenia: there is barely a neighbour that hasn’t experienced a major upheaval or war in the past two decades. The unpredictable has been ever present in Turkish politics but, as the millennium turned, Turkey’s burgeoning economic power and sophistication emphasised its pivotal role in several vital geo-strategic regions – the Middle East, Central Asia, the Black Sea and the Balkans.” (Loc. 2949)
Turkey is where the heart of Darkmarket was and the whole unravelling of the organization makes for a great read, involving kidnapping, beatings, double agents, women, just like any good thriller and the new character of the virtual criminal. But even though traditional criminal organizations tend to look at hackers as amateurs and second class citizens of the underworld, Darkmarket showed that such a conception was no longer sustainable. DM was a complex organization with different circles and divisions of labor:
- The first were the administrators, moderators and others holding senior ‘bureaucratic’ positions on the site. These tended to be men with advanced hacking skills and certainly fluent computer skills who were not really making money (except for the big honcho).
- The second circle mostly comprised skilful experienced criminals who worked largely on their own.
- The third circle was home to highly professional criminals who were virtually invisible – unknown except by myth and reputation to the police and their fellow carders. Those were the ones making the real money.
But the whole operation was so mysterious, even DM has been shut down, no one knows for sure whether all the main actors have been identified and arrested, whether the site has been reconstituted further underground. There is absolutely no certainty in that domain.
So, mix all that with individual cases of hackers and you have a pretty compelling read, divided in 40 really short chapters. That was all well and good until we get to the little steaming pile that Glenny drops towards the end of the book. Throughout the book, you can tell that Glenny has a certain admiration for the hackers he writes about. He finds them intelligent and resourceful. So, his big idea is that throwing them in prison is a waste because they are so smart and they could be used for some other purpose and they are such nice guys after all. The real BS comes when Glenny invokes some evo psych garbage on the male brain versus female brain to explain why hackers are almost exclusively men.
There is no doubt that this is a macho / manly / dudely universe, but it is not because women don’t have the brain for it. It is more because of this:
“By now, it should surprise no one to hear that software development is a bit of a boys’ club. We’ve all read editorials bemoaning the lack of women in tech.
The easy explanation is that programming appeals more to a male mind-set. But while it’s easy, it’s also cheap. Things aren’t nearly so simple.
Some say the problem is our education system. Schools and colleges should be doing more to encourage girls and young women to explore computing. Right now that’s not happening. Overall enrollment in university computer science programs is up 10 percent from last year, but enrollment among women is down.
Others say companies should provide the encouragement. Some companies already are; Etsy, for example, is offering $50,000 in grants to send women to its Hacker School training program in New York City this summer.
That’s admirable, but it falls short of addressing the real problem, which is that software development isn’t just failing to attract women. It’s actively pushing them away. Worse, they’re not the only ones.
There are women who have a genuine passion for programming to rival any man. But even if they manage to get hired over their male counterparts, they often find themselves in hostile, male-dominated work environments.
“As the woman, I’ve been the only person in the group asked to put together a potluck,” writes Katie Cunningham, a Python developer at Cox Media Group. “I’ve been the only one asked to take notes in a meeting, even if I’m the one who’s presenting. I once had a boss who wanted to turn me into a personal assistant so badly, it ended up in a meeting with HR.”
Just as harmful, she says, were the casual jokes and comments from her male coworkers. If she didn’t shrug them off with a smile, she was told she had a bad attitude. Cunningham says the subtle sexism she encountered as a programmer was so discouraging that she once considered leaving the field for good. “I almost prefer outright sexism, because at least that you can point out,” she writes.
These problems certainly aren’t limited to programming. Women in all sorts of fields face similar discrimination. But the software development field’s hostility toward women may be symptomatic of a broader malady.”
And there is tons of research on the subject. And those of us old enough to have been around the Internet for a while remember the Kathy Sierra fiasco. There is no need to invoke some mysterious element of the male brain that make them better at coding and hacking. It is good old fashioned mysogyny. That nonsense was a bad way to end an otherwise interesting book.