What the Dark Web going mainstream means for you

Need some hacking done? Penetration testing for your web site? Change your college grades? Hack your ex’s email and social media accounts? Now you too can hire a hacker because marketplaces for freelance hackers are no longer the province of the dark web. Today they operate openly alongside the likes of other freelance sites offering more traditional work like graphic design, web site building, or fixing that shutter that’s about to fall off the house. In fact, there are now enough freelance hacker sites that at least one meta site, Hacker For Hire Review, has sprung up to review and rate them. Whether your company operates the legacy or the VRM model, there are a few takeaways here.

Security is more important than ever
The first of these, for me at least, goes back to the “TLS is mandatory for a VRM web site” idea. Not everyone can amass millions of users and become an attractive target for financially motivated hackers. But a web site with just one user can manage to royally torque someone off. When anyone can hire a hacker for a hundred bucks or so, which is to say when the skill barrier for cyber revenge is eliminated, the threat model against which to defend expands dramatically.  Malicious hacking is no longer the exclusive domain of financially motivated cyber-gangs, skilled hacktivists, and nation-states.  You must assume your web site or app will be a target.

But cheaply bought revenge isn’t the only threat to your cyber-reputation.  Your best and most satisfied customers are more cyber-savvy than ever before and they want to know that you are a trustworthy custodian of their data.  Sites like Attrition.org have a long history of exposing security charlatans, but mostly to industry and the security trade.  Some long-standing watchdog groups have turned their eyes on cyber security, and some new ones such as the Electronic Frontier Foundation are natives of the Internet.  But thanks to blogging and cheap web hosting, “name and shame” web sites hosted by small businesses, niche communities, and individuals are appearing like VRM mushrooms popping up out of customer-service cow patties.

  • Mouse Print features vendor scams hidden in the fine print of contracts, terms of service, ads, etc.
  • Plain Text Offenders exposes web sites that store passwords in plain text and other issues related to broken user account management.
  • TOS;DR provides browser plug-ins that perform collaborative rating of the Terms of Service of various web sites and companies. (The name means “Terms of Service; didn’t read.”)
  • The web sites haveibeenpwned.com, PwnedList, and Shouldichangemypassword.com all run your credentials against databases recovered from major breaches and tell you which company lost your login.
  • Once the province of sysadmins only, many end users now use the SSL Labs web site to see if their bank or other vendor is secure.
  • If your site has bad database coding, you may end up on the SQL Injection Hall of Shame.

In fact, “Hall of Shame” is one of the growing cybersecurity memes and they come in many varieties: Cloud Hall of Shame, Password Hall of Shame, the HTTPS Hall of Shame, and many more.  The fledgling cyber insurance industry is feeling the impact and attributes a drought of actuarial data to the shame of breach reporting.

A Hall of Shame report submitted by a prospective customer probably means that customer won’t be back.  But a loyal customer submitting a Hall of Shame report has a lot invested in the relationship and may burn it down trying to fix it.  These are the customers who, up to now, might have taken their complaint to the BBB, the FTC, their District or State Attorney, regulatory agencies such as the Insurance Commissioner, or the local equivalents of these in their home country.  The Hall of Shame used to be the last resort, but disaffected customers now have one more tool at their disposal: hire a hacker.  If your security vulnerability is publicly demonstrated and costs you a lot of money, perhaps that will get it fixed, the reasoning goes.

The shifting balance of power
We can also glean some insight from the high number of scammers operating as hacker-for-hire web sites or as operatives on those sites. Certainly there are legitimate jobs available for ethical hackers such as data recovery, penetration testing, threat modeling, and coding. But the high proportion of scams tells us that there are plenty of people out there who feel that the only way to get justice for wrongs inflicted upon them, perhaps their only recourse against an unresponsive vendor, is to act outside the law.  Whether their complaint is legitimate or they happen to be inherently evil people is less important than these three things:

  1. It is increasingly possible for ordinary people to take some measure of customer satisfaction by force.
  2. The potential impact of a customer’s unilateral action is increasingly large.
  3. The customer’s cost for that unilateral action (as measured in skills, opportunities or straight-up cash) is plummeting.

It is no longer a question of whether a company will consider their customers’ wishes when deciding how to interact with them.  Customers will interact with your company and they will do so on their own terms.  The only question is how collaborative that interaction will be.  Companies who tend to act unilaterally will find their customers responding the same way.

The more opaque the company is to its customers, the more likely it becomes that customer interactions will skew toward the negative.  Conversely, the more responsive a company is to their customers, the more likely it is that customer interactions skew positive.

A VRM perspective
The VRM community should know that sloppy security is getting riskier not just for you but for the whole community. If your web site has users and you do not yet know how to spell OWASP, it’s time to learn. Because VRM is disruptive there will be a tendency to attribute any breaches to the data model. In that event, some are sure to say that a VRM breach proves that regular people cannot be the custodians of their own data.

There is some truth to this. I know from experience that when IBM’s MQ didn’t have security by default, the effectiveness of security as implemented individually by 10,000 customers varied widely. Moving some of that responsibility to a capable internal team raised the bar across the board.  In a VRM world where vendors offer APIs with which to access our own data, there will be 10,000 app developers offering software built on those APIs. We know that the effectiveness of the security in their applications will vary widely, and we also know that we have to do better than the historical example of security being porous until you get to the 80th or 90th percentile. (And I’m being generous there.)

But that doesn’t mean we cannot be trustworthy custodians of our own data.  Doing so will require greater security fluency among ordinary people but we are seeing that emerge now.  The VRM challenge isn’t to drive security forward because if we take that approach our user base will eclipse us in the near future.  Our challenge is to practice security at a level that our users of 5 to 10 years hence will demand as table stakes.

A not-yet-VRM perspective
For the more traditional vendors who are not (yet) practicing VRM, the appearance of tools that give customers not just a voice but the power to inflict damage means that the price of bad customer service is rising. It’s bad enough they can trash you on social media, now for $100 they can buy a spear phishing campaign and breach your firewall. (Verizon recently reported that a spear phishing campaign of only 10 emails has a 90% chance of successful infiltration.)

The prize that everyone is after is, of course, all that customer data.  The way it looks to your customers is that data about them, the transactional history, demographic and psychographic data that describes them in fine detail, seems to go to everyone except the person the data describes and is often used in ways harmful to that person.  In a non-VRM business model, customer attitudes about data privacy are therefore influenced mostly by the abuses of it.  That sets the stage for legislative action and an adversarial relationship between vendors and customers.  Even companies who are conscientious custodians of customer data are feeling the backlash.

But it doesn’t have to be that way.  Customers aren’t nearly as interested in punishing companies as they are in simple reciprocity.  People always tell me that the average person doesn’t care about privacy and yet we are outraged over data sharing.  Those things reconcile if you consider that the outrage originates not from privacy concerns but the fact that you’ll share our data with everyone but us.  Doc Searls calls this the Calf-Cow Relationship but for people who haven’t heard of VRM the ant-aphid relationship might be what comes to mind.  Is that really how you see your customers?  Because for many corporations, that’s how they see you.  Just give us our data so we can stop being adversaries and collaborate.

The best example I know of this comes from smart power meters.  Consumers in Naperville, IL pooled their money, got some expert advice, and created a form letter individuals could use to protest smart meters.  The letter was so effective that it became known within the industry as the “infamous Naperville letter.”  The utility industry concluded from this that consumers don’t like smart metering. At about the same time, a company called Plum (it was Ube at the time) raised over $300,000 on Kickstarter on a promise to develop wall switches and outlets that meter power usage and provide an API to access their data and to send commands.

Smart meters report usage in aggregate for the entire house.  Plum devices meter per-switch and per-socket.  Maybe it isn’t metering that people don’t like.  Maybe it is the thought of yet another category of personal data being siphoned off, for exclusive use of some corporate entity and all its friends, but withheld from the very people whose physical activities in the privacy of their own home are the source of the data.  What Plum proved was that if you give people access to that data not only do they love it, but they beat down your door asking for more.

A business perspective
The dark web hacker-for-hire marketplaces didn’t push themselves into the mainstream, they were pulled there by demand.  People feel increasingly disenfranchised by their governments, their vendors, institutions, law enforcement, healthcare providers, all of whom have benefited by a shift in the balance of power away from individuals.  I have a theory that for many anti-vaxxers it isn’t about the (pseudo) science but rather that choosing not to vaccinate is one of the few places an individual can still defy every authority who would oppose them.  The appearance of hacker-for-hire marketplaces has the same feel.  It is a new way for ordinary people to take back power and agency.  It’s a way to put a mark in an otherwise very empty win column.

When people feel so out of control and so helpless that sufficient demand arises to support open marketplaces for illegal services, the right response isn’t more prohibition.  The right response is to be the company who gives people power and agency in the relationship.  Let’s end the war over personal data by agreeing that the person whose activities generate it has just as valid a claim to it – all of it – as the party who collects it, and then make sure that person has access to it if they want it.

Give your customer data to your customers.  Give us an open API and let us do cool things with it.  Let’s be collaborators instead of adversaries.