The hackers who stole hundreds of private photos of female celebrities this week were likely motivated not by money but by an anarchic sense of fun — and they may never be caught, a notorious Canadian hacker-turned-security-consultant says.
“They want to wreak havoc, they want to have fun, they want to show what they can do,” explained Michael Calce, a Montreal resident previously known as Mafiaboy.
Calce was 15 years old in 2000 when he took down several high-profile websites, including Yahoo, Amazon and CNN, by jamming their servers with repeated requests for data.
That attack was launched out of curiosity and a desire to test the boundaries of online security — something that has become less common among high-profile hacks, he said.
“The shift is generally toward monetary gain right now, but it doesn’t mean that there’s not going to be a joker every now and then who comes along and wants to piss in everyone’s Cheerios,” said Calce, who now works as a security consultant, advising companies on how to handle hacks.
“I think the person was able to do it and he figured ‘What the hell,’” Calce said — fun at the expense of the roughly 100 women whose private photos are now circulating online.
The photos were first posted publicly to 4chan’s /b/ message board, an online community where anonymous posters can share images and text.
Many of the Internet’s more enduring memes, like Rickrolling, have originated in discussions on the board, which often feature dark humour veiled in levels of inscrutable inside jokes, as well as images and comments many consider obscene.
“4chan has always since the beginning been poised as a place to circulate anything that is particularly risqué, shocking, offensive,” said McGill University professor Gabrielle Coleman, an anthropologist whose studies include online communities like 4chan, as well as hacker culture.
Reports suggest that the images may have been shared within a close community dedicated to stealing photos before they were dumped on 4chan.
Many such ‘pirate boards’ exist on the internet, Coleman said. Some are password-protected and accessible by invitation only, while others rely on “security through obscurity,” she said.
“I can imagine some people are there because of the content – they just want pictures of nude celebrities – but it’s also dabbling in forbidden goods … It’s a kind of trophy, where the goods are both the celebrity status and the fact that it was secret and it was a hack,” Coleman said.
But outside of that community, whoever gained access to the compromised iCloud accounts may not want public credit for the hack, Calce said — something that has changed since the former hacker’s early days online.
For Calce, that validation and recognition from peers was a huge part of the thrill of his hours spent trying to gain access to secure systems. But it was that thrill that led to Calce’s conviction on charges of mischief, for which he served eight months at a youth rehabilitation centre. He was only caught after he talked about the attack.
This celebrity photo hacker, however, may never be identified outside of their small community.
“You can hop through so many tunnels and proxies that it makes it incredibly difficult to find people,” Calce said, referring to a method of connecting to a target by way of several other, often geographically separate networks.
Many proxy services are also engineered to prevent tracing and do not keep any logs, or are based in countries with strong data protection laws.
Investigators trying to track a hacker who has connected through overseas networks may have a hard time convincing foreign companies to give up data logs or identifying information.
The celebrity photos in this hack appear to have been stolen from private accounts on iCloud, an online storage service that many people use to automatically back up photos taken with their iPhones.
Apple has released little information about the attack, but has said that it was targeted at individuals and that the whole service was not compromised.
The attack does not appear to have been particularly complex, and this type of hack has become much more accessible to the average user, Calce said.
Automated programs designed to crack iCloud and other private accounts are freely available online — many advertised as tools for security professionals or law enforcement.
Still, no matter how many steps an attacker takes to disguise his or her identity, there’s always a risk, Calce said.
“Pretty much every time you go in there’s some little bit of a footprint somewhere,” he said.
Since the photos were released, 4chan has introduced a formal process for copyright owners to request that content be taken down.
4chan’s administrator, Christopher Poole – or Moot, as he is known online – has often complied with law enforcement investigations related to content on the website, but the new takedown process could allow victims of similar hacks to have their images removed.
“The fact that Moot is changing his policy, and that there’s been this really amazing discussion about the implications of this [hack], shows that people are really taking this seriously,” Coleman said.
The FBI is investigating the hack. But Coleman said arrests and prosecutions won’t stop hackers from sharing material stolen from private accounts.
“If there are crackdowns against people, if they’re arrested, it won’t stop this activity. It’ll just drive it further underground,” she said.