Secret teen hacker army ridiculed

Wayward minister making stuff up again?

Protecting users from Firesheep and other Sidejacking attacks with SSL

The UK government's reported decision to employ ex-hackers to work at a newly-established Cyber Security Operations Centre have met with derision from both a high-profile former hacker and an acknowledged cybersecurity expert.

Lord West, the Home Office security minister, first suggested that former hackers (or "naughty boys", as he described them) might play a key role in Britain's revamped cyberdefence strategy back in June. At the time it seemed like just another in the admiral-turned-minister's growing list of eccentric observations on various aspects of security policy.

For example, he later suggested that a net-flinging entanglement "bazooka" designed to stop speedboats might be just the job for use on "topless lovelies". This was doubtless surprising to its developers, who saw it as a weapon against USS Cole-style suicide attacks.

However, last weekend the Sunday Express reported that the MI5 had hired "50 computer-savvy hackers – some of them still teenagers – to work in a newly formed top secret Cyber Operations Command." The majority of the teens are Asians, the paper adds. All are subject to the same level of background security checks used to clear the employment of other intelligence staff. The Sunday Express helpfully adds that this means they have signed the Official Secrets Act and are forbidden from "tell[ing] their parents or girlfriends what they do in the windowless basement area in the Security Service building beside the Thames".

Lord West reportedly described the new hires as "youngsters who use their talents to stop other hackers from closing down this country".

Mathew Bevan (AKA Kuji), a British hacker arrested and unsuccessfully prosecuted for hacking into secure US government networks back in 1994, who later became a successful security consultant, helped us pick apart the many implausibilities of the story.

"These hackers were described as having been 'naughty', but did not have any criminal records," Bevan told El Reg. "How on earth they came to the attention of GCHQ without getting caught (as being caught would suggest that charges would be brought, and if not how come?)."

Bevan noted the lack of buzz about any attempt to recruit hackers by members of the security service.

"I have not heard of any UK hacker/ex-hacker/naughty boy actually having been approached to work at this level," he said. "The truth is that of course they couldn't find 50 UK hackers, because those who are actively hacking are doing their best to not get caught. So they had to outsource to India or China. This begs the question, how on earth did these people even manage to pass the stringent security checks which are performed to work within government offices? Even the USA is saying that due to the amount of hacking coming out of China, that employing Chinese to secure America's Government machines is perhaps not a good idea."

The Welsh former-hacker turned successful hypnotherapist concludes that the whole MI5 hacker-hire story is exaggerated, at best. He speculates that the motive for creating such an elaborate yarn might be one of gaining bragging rights, a posture full of contradictions.

"So this elite team of 'naughty boys', of course, it's not true," Bevan said. "The details have been exaggerated at the least but most likely have been made up, just another attempt at psyops and a way of us to look cool to the American administration, which has said it has hired hackers."

"We have to go bragging to the world that we have ex-hackers in our employment whilst at the same time we are actively trying to extradite or prosecute others. This is sending out a conflicting message as to whether hacking is wrong or a career choice. When it comes to team size, if you have to claim that you have such a big and impressive one everyone knows that its probably very tiny and disappointing," Bevan concludes.

Security consultant Rik Ferguson, someone who has actually worked with GCHQ, said that the idea of idea of hiring reformed hackers to face off against state-sponsored cyberspies, tech-savvy terrorists and cybercriminals from eastern Europe is woefully misguided.

"What really upsets me with this story is the implication that *only* young (former) criminals have the skills required to carry out the work necessary to combat cyber terrorism," Ferguson writes. "I have not personally met any of the team that have been hired for these posts at Cyber Operations Command, but I have a feeling that they wouldn’t care too much for the implication either."

Ferguson repeats Bevan's point that the government is sending out mixed messages about the legality of hacking, more influenced by Hollywood than reality, by suggesting it is both reprehensibly criminal and simultaneously a useful national security skillset.

"It is entirely unacceptable that our security services and our government are broadcasting the message that the only qualification necessary for a job in MI5 is being a hacker (one bad enough to have got caught). People who have been found to have broken the law should not be allowed to profit from their misdeeds, especially by way of an employment offer in the very field of their criminal activities. Would you hire a convicted embezzler as a your accountant? How about a teenage convicted embezzler?"

Ferguson's critique of "schoolboy tales of hiring 'naughty boys' for hi-tech derring-do" can be found here. ®

The next step in data security

More from The Register

next story
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
prev story


Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.