Public prosecutor Francisco Hernández Guerrero takes to the stage to address an audience of young hackers, most of them dressed in black t-shirts and with the enigmatic air of those who possess knowledge beyond the reach of mere mortals. Hernández walks up and down holding his microphone like some kind of TV preacher. Normally a shirt-and-tie man, he’s made a concession today, and also sports a black t-shirt beneath his jacket. But he pulls no punches as he closes his presentation: “This is the last time you’ll see me on friendly terms. If we ever run into each other in court, be ready for the bad guy.”
Hernández is leading Spain’s fight against cybercrime for the public prosecutor’s office. His speech included a number of veiled warnings to his audience, who have come here to help Hernández and his team. “The state is no longer on top of this problem, and we have had to ask for help from those who know more than us, but who will also have to follow the rules: we need to know that you are with the good guys.”
This unusual event, attended by around 400 people, took place on October 2 at the University of Castilla-La Mancha, in Albacete, and was dubbed the Navaja Negra (Black Knife) Conference on computer security. Navaja Negra is the hackers’ collective based in Albacete led by crOhn and s4urOn.
The term hacking may have negative connotations these days, but it originally applied to the process of using computer programming to access information technology systems, something many so-called white hat hackers do in the interest of public safety. Hackers can keep their knowledge to themselves, share it with their communities, or sell it to the highest bidder. Not all hackers like to remain in the shadows, and their vanity can get the better of them, as journalist Mercé Molist found out when researching her book Hackstory, which provides an in-depth account of Spain’s hacker community.
Spain’s first generation of cyberpirates are now well into their forties. People like Antonio Hernández, AKA Belky, whose long gray locks give him the appearance of an aging rocker, taught himself how to hack using a Spectrum computer when he was 15, and was there during the early days when the trick was to use the telephone networks without paying – back then all the knowledge was in the United States and connecting to the US university system was expensive. He remembers pirate phone cards, phone booths in which you could make free calls, and launching concerted attacks on the computer systems of big institutions and universities. “We didn’t think we were breaking the law, we were playing, investigating, there was no awareness of any danger, we didn’t make any money out of it,” he says. “But things have changed, now people talk about ethics, about fame, about the law, and everything has been professionalized. The romance has gone out of it.” Belky has worked for security firms, and says his circle of friends is much smaller than it used to be.
Among those speaking at the conference is 22-year-old Juan Manuel Fernández. He lives in a small community in Almería province, in eastern Andalusia, where broadband internet didn’t arrive until eight years ago. “I’ve always liked to know how things work,” he says, explaining that he’s just completed a degree in biology at university, although he never attended class: “People gave me their lecture notes and I learned from the internet and by talking to experts. There are other ways to learn these days.” He also has a degree in computer science from Spain’s distance learning university. His talk is titled The walking press: zombificando webs (The walking press: zombifying webs). He has created a virus that can trap webs or blogs created in Wordpress that can be used as part of concerted attacks. “The idea is to show that you need to strengthen your blog to prevent it being used by others.” After his presentation he says he probably won’t bother attending any more conferences, and found the experience a negative one overall.
The conference runs for 12 hours, with no break: one presentation after another, along with workshops, such as those run by Sergi Álvarez, who shows how to create an operating system. He says he is unemployed, though perhaps not for long: among those attending the conference are representatives of some of the biggest companies operating in Spain, including consultant Deloitte, which has set up its own information technology security division.
Deloitte puts its hackers in a different building to other employees: “It prevents professional jealousy”
Deloitte, along with Telefónica, is sponsoring the conference: times have changed, and hackers are now a sought-after commodity. “We tried to inculcate our values, but it’s not easy,” says an executive from one multinational. “To start with, we have to explain to our own directors that these people do not wear suits, that they will come to work wearing jeans and a t-shirt, earrings, or whatever, and they may not turn up until midday sometimes, and that they’re not that bothered about money either, because if they want to go to Japan, they can probably hack into an airline’s system and get themselves a free ticket.” Deloitte puts its hackers in a different building to other employees: “It prevents professional jealousy.”
Most hackers are self taught, usually from an early age. Such is the case with Iñaki Rodríguez, who was given his first computer at the age of four, and could program by the time he was 10. “The fun thing is that you can modify something that is seemingly already complete. Hacker culture is a way of understanding the world, you are driven by the quest to learn more,” he says.
But the world of business is catching on, and more and more business schools and universities are offering qualifications in information technology security. That said, many experts believe that the true hacker spirit cannot be taught. “I have thought about this a lot,” says Francisco Hernández Guerrero, “and I believe that these people are the five percent of society who should be allowed to do their own thing. They are a kind of aristocracy of knowledge, in an almost medieval sense.”
Among the most popular sessions at the conference was one presented by Daniel Echeverri and Ismael González, who have come up with a tool to audit the hidden Tor network, long considered invulnerable to the authorities, and a place where anonymity is guaranteed and it is supposedly possible to buy anything, or even hire a contract killer. But Echeverri and González believe they have found a way to trace criminals who operate from behind TOR.
In his presentation Hackeando tu CEO (Hacking your CEO), José Selvi explained in detail how he hacked into the cellphone of a senior executive at a multinational company, without even knowing the phone’s number. He and a friend crosschecked the frequencies in three places from which he made calls, and then came up with the idea of sending a WhatsApp update that contained a Trojan horse. When the executive clicked to accept the update, his phone was trapped: they could now listen in to his conversations, read his emails and even use the device’s camera.
Needless to say, representatives from Spain’s national and regional police forces also attended the conference and gave out their cards to everybody. They asked for help: “We accepted long ago that we do not have the resources to tackle cybercrime, and that any help we can get from third parties is welcome,” says Hernández. “The fact is the hackers are smarter than us.”