Ex-LulzSec member: 'Hacking is turning something upside down to see how it operates’
Mustafa Al-Bassam was ten years old when he first began "thinking of ways to break" basic computer programs. He was 18 when handed a 20 month suspended sentence for hacking the likes of games maker EA, News International and Sony's playStation network.
How it began
Browsing the internet as a teenager, Al-Bassam began to notice how programmers had made mistakes that created security holes. A meticulous and talented programmer, he turned to the infamous Anonymous movement, which was gathering momentum and began sharing tips on how to exploit these vulnerabilities in online chat rooms.
In 2011, aged just 16, Mustafa and five other young men formed LulzSec, an offset of Anonymous, which they shunned for its "own set of social norms." LulzSec became a "sandbox" for the five programmers to discuss vulnerabilities they found in companies' code.
That summer the team embarked upon "50 Days of Lulz", a spate of cyber attacks that would bring down some of the most influential businesses in the world, including Sony, Fox, the NHS and EA games.
LulzSec included Jake Davis, who was then 18, from Lerwick, Shetland and identified as "Topiary" online; Ryan Cleary, then 19, from Wickford, Essex and titled "Viral" and Ryan Ackroyd, then 24, from Mexborough, South Yorkshire who took the moniker "Kayla."
Only Ryan and Cleary were handed prison sentences in 2013 after admitting to stealing 24.6 million individual pieces of customer data from Sony, a hack that took the PlayStation Network down for several days and cost the company a reported $20 million in revenue.
Following the sentences, Police e-crime Unit head Charlie McCurdie commented: "Theirs was an unusual campaign in that it was more about promoting their own criminal behaviour than any form of personal financial profit.
"In essence, they were the worst sort of vandal - acting without care of cost or harm to those they affected."
How to stop cybercrime
Now that Al-Bassam has completed his 20-month suspended sentence, 500 days of unpaid community service work and two-year internet ban imposed by the police, he is embarking on a computer science course at King's College London, and helping the police deal with the increasing undercurrent of cybercrime.
"Law enforcement sees hacking as witchcraft and wants to burn them [hackers] at the stake," Al-Bassam says.
He believes the UK should move toward a "less punishing attitude" and focus on holistic approaches to educate young people on why breaking into systems is wrong.
The national crime agency have taken note. It has already put an initiative in place to target users and sellers of a piece of malware that makes it easy to monitor keystrokes and spy on PC users through their webcams. The police say they have monitored users and sellers of the cheap Blackshades Remote Access Tool.
The agency will alert young people who have bought the tool - but have yet to have executed it - that what they are doing is wrong, and issue a 'first warning' so that they are aware what they are doing could get them in trouble, Louise Pordage, senior manager at KPMG and former Home Office National Crime Agency project lead, revealed during a Tech London Advocates conference yesterday.
'Hacking is turning something upside down'
"Hacking is turning something upside down to see how it operates," Al-Bassam says.
While cybercrime is on the increase, corporates often cite a lack of tech talent as an obstacle for innovation. Observing online chat rooms, it's clear that there are plenty of young people who have the neccessary skills companies need.
The government - and corporates - should work together to ensure these skills are put to good, says ethical hacking guru and founder of the Innotech Network, Jennifer Arcuri. Addressing the psychology behind hacking could save companies a lot on inneffective security products too, she adds.
"Albert Einstein defined crazy as doing the same thing over-and-over again and expecting a different outcome. If we walked into a time machine and went back five years, talked to all the major vendors at a trade show they would give you a song and dance about an IPS, and IDS, a fancy malware, an AV, here's a firewall. But if you look at what has happened in the last year with Defcon and LulzSec and so on, they would say the exact same thing.
"We don't need another firewall. What we are dealing with is one hundred percent human against human. We are facing cognitive behavioural problems and doing the same thing over and over again is not going to give us an answer."