Philippine Lawbytes 185: Parting Shot in the COMELEAK Hacker Case (Part 4), Copyright by Dr. Atty. Noel Guivani Ramiscal

Mr. Paul Biteng has consistently maintained that he informed COMELEC by an email through its website regarding the vulnerabilities he found on the COMELEC website, specifically the Precinct Finder, through Structured Query Language (SQL) injections. Even in his interview with “Tech in the Province” last November 23, 2020, posted in YouTube, he was adamant that he gave that email, but the COMELEC never responded. He posited that it was because of that email, that he was the one arrested last 2016 for the COMELEAK hacks.

The surprising thing in this case was the revelation by Atty. Alcantara that the defense was not given access to the electronic evidence in the e-devices and Mr. Biteng’s Gmail account that the law enforcement agents seized.

The production and presentation of the email message was crucial to the cases and should have been done by the law enforcement agencies and the prosecution. The email message should not only have contained the actual content but all the metadata that is present in the Gmail account of Mr. Biteng that was seized by the NBI. All emails will contain in their metadata the originating IP address and the destination IP address. These are automatically generated in email systems. The examination of the IP addresses was crucial so as to establish if COMELEC lied about not getting the email warning of Mr. Biteng, or if Mr.Biteng was actually telling the truth.

Access to the e-data, particularly in the email account of Mr. Biteng was crucial to his defense, because it could prove exculpatory. Thus, the State’s refusal was legally unwarranted and actually defeated the right of the accused to present a proper defense. Access to e-data by the accused that is in the sole custody of the State, is a fundamental component of the accused’s constitutional right to Due Process.

There is also the fact that one of the e-devices that the police had in their custody, which definitely did not belong to Mr. Biteng, had an IP address that was confirmed by a DOST ASTI expert to have been assigned to the NBI. This alone is sufficient to raise doubts about the charges against Mr. Biteng, and actually give credence to the belief that Mr. Biteng was just a “fall guy”.

And most importantly, it must not be forgotten that the cybercrime cases charged against Mr. Biteng stem directly from the Data Privacy violations that the National Privacy Commission (NPC) adjudged the COMELEC, in particular, one of its former top officials, Juan Andres D. Bautista, to be guilty of, and has in fact, recommended his criminal prosecution to the DOJ.

The NPC decision on the COMELEC data breach underscored Mr. Bautista’s “lack of appreciation” of the principle that data protection is more than just implementation of security measures. The decision decried “(t)he lack of a clear data governance policy, particularly in collecting and further processing of personal data, unnecessarily exposed personal and sensitive information of millions of Filipinos.” The NPC unequivocally stated that a “head of agency making his acts depend on the recommendations of the Executive Director or the Information Technology Department amplifies the want of even slight care. The duty to obey the law should begin at the top and should not be frustrated simply because no employee recommended such action”. Thus, the NPC concluded that the “wilful and intentional disregard of his duties as head of agency, which he should know or ought to know, is tantamount to gross negligence”.

The NPC decision cited Mr. Bautista as having “violated the provisions of Section 11, 20, 21 and 22 in relation to Section 26” of the same law. Section 26 of the Data Privacy Act, which penalizes accessing sensitive personal information due to negligence, imposes imprisonment from 3 to 6 years and a fine from P500,000 to P4,000,000. Section 36 accords additional penalties when the offender is a public officer, consisting in the disqualification from public office for a period equivalent to double the term of criminal penalty” [see In re: Investigation of the security incident involving COMELEC website and/or data processing system, NPC Case No. 16-001, 28 December 2016].

Given all these facts, it would be reasonable to ask why did the State expend valuable government resources including the Judiciary’s, prosecuting Mr. Biteng for three years, the person who is apparently the most innocent of all in this matter, who merely warned the COMELEC?

But the ultimate issue that needs clarification is, what has happened to the NPC recommendation that the disgraced and impeached (by the House of Representatives) Mr. Bautista be prosecuted for the alleged data privacy violations he committed against the personal identifying information of the Philippine electorate he allegedly failed to safeguard? There appears to be no current news about his prosecution or trial for what the NPC had characterized then as “the worst recorded breach on a government-held personal database in the world”.

Philippine Lawbytes 184: The Evidentiary Lessons in the COMELEAK Hacker Case (Part 3), Copyright by Dr. Atty. Noel Guivani Ramiscal

Let’s break down the evidentiary lessons in the Biteng case.

Making a hacking video tutorial is not a crime (not yet anyway). Hacking videos made by computer technology professionals and amateurs on just about any electronic or computing device, software or hardware, without any criminal purpose, and nothing more, cannot be an indication of criminal activity or a malicious will. Hacking videos perform an essential service to the DIY industry, and they are great tools for those finding their way in the field of cybersecurity. I have relied on countless YouTube hacking videos from fleecing the most valuable parts of damaged computers, to re-pairing my Jabra speak 710 to my Jabra Link 370 to save me needed resources.    

In the same vein, posting videos, or holding or administering social media accounts, unless these are supported by other pieces of related, relevant pieces of evidence compelling enough to remove reasonable doubt, cannot be the bases for conviction.

Then too, evidence of allegedly incriminating terms, website visits, net histories, either culled from laptops, e-devices or the Internet are not conclusive. I was asked about this during Mr. Biteng’s trial, and I gave myself as an example, being a legal advocate for LGBTQIA rights. A couple of years ago, I did extensive research on sexual reassignment surgeries (SRS), mostly online, including YouTube, and did actual rounds of inquiries for certain client friends of mine, of government agencies/GOCCs like the PhilHealth, SSS, Pag-ibig and BIR regarding the legal consequences of transitioning from one’s biological gender to the right gender.

As I expected, transgendered individuals in the Philippines have the least recognized rights and are the least protected in law. And as I suspected, but it still came as a little surprise, no matter what computer I used, mine or in internet cafes, anywhere in the Philippines, or abroad, the moment I log into my Gmail account, do my Google search and go into YouTube, harrowing accounts and procedures of SRS would greet me in YouTube. Gmail and YouTube are both owned by Google. This went on for about a year. This is a result of Google consolidating all my searches and my Gmail usage and creating a profile for me that is not my truth. I am not personally seeking any SRS, I am very happy with what God has biologically given me.

The general lesson in all these types of electronic evidence is important to remember. Profiling and triaging a person due to the videos they post, the social media account they maintain, their internet histories and a few terms and phrases found in the person’s computer or e-devices can be interesting, but may not be sufficient, or could even be wrong.

What is crucial in criminal cases involving cyberhacks are digital device identifiers that would connect the perpetrator with the actual device/s seized by the police, and the e-data contained in this/these device/s show that such person committed the actual crime charged with the use of the same device/s.  

This is where Atty. Alcantara and Judge Bunye-Medina asked me at length about the nitty gritty stuff regarding Internet Protocol (IP) addresses. I have already written extensively about IP addresses, please just look for the connecting links to this article. Suffice it to say that an IP address is like a house number. It tells special computers called “routers” where a message is going to, and coming from, just like the addresses on an envelope guide couriers and postal services. Every communication across the internet includes the IP addresses of both the sending and receiving parties. Due to its importance as a “locational” tool, IP addresses have been used by websites, social media providers, search engines, and a host of web applications to pinpoint the direction or location of users to provide localized content. And in criminal cases, IP addresses are also useful in providing the police an initial, albeit quite incomplete clue, as to where and what computing device was used to commit a crime, and possibly by whom. I talked about the different types of IP addresses that we have in the Philippines and I even told the good Judge how to find the IP address of a net connected device, say a mobile phone, by using Google search on that phone and typing “what’s my IP address.”  

I also informed the court about another type of device identifier, the Media Access Control (MAC) number, which I have also written about in the past issues of my blog. Both the IP address and MAC number are utilized by law enforcement agents in honing or zoning in on particular devices that appear to have been implicated in the commission of the crime, hoping to incriminate their owners or users as the perpetrators.

I stated to the court that by themselves, these IP addresses and MAC numbers would just be useless data. Judge Bunye-Medina asked me pointedly how these data could incriminate. The Philippines has no relevant jurisprudence on this matter.

Citing a Memorandum I made where I  did a study of the police procedures in several American cases, the facts may vary, but I told the court that there is a pattern where the police would seek to identify the IP address of an electronic device identified to have been possibly used in the commission of a cybercrime, correlate it with the MAC address, find the ISP or TELCO provider that serves the specific device, and subpoena the ISP or TELCO to provide the name and address of the particular subscriber connected with the device. The police would not stop there. They would do additional identity and background checks on the individual identified as the subscriber, before the police would seek a court warrant for the search and seizure of the electronic device.

In court, I told the good Judge and Atty. Alcantara that the prosecution must present relevant evidence showing the connection of the IP address and/or MAC number with the actual electronic device that was seized, provide evidence that the accused is the owner and/or user of such device, and finally give evidence that the accused actually used the device to commit the cybercrime. Absent these connections, the prosecution would fail.    

In Mr. Biteng’s case, the prosecution totally failed. They did not present any iota of evidence that tied Mr. Biteng to any device that was identified to have been used to commit the crimes charged against him. What is worse is that it was proven by the defense that one of the devices kept in custody by the police had an IP address that had been assigned to the NBI since 2015! This apparently meant, on its face, that such device was used by someone from NBI to possibly hack the COMELEC system.

The State, through the government prosecutors could not overcome the severe negative implications of this startling revelation for its cause. It must be emphasized that the State, through the police and the government prosecutors had full control and access to all the e-devices confiscated from the person of the accused, and then some. What exacerbates this is that Atty. Alcantara apprised me of the fact that the evidence these e-devices contained were not actually shared by the prosecution to the defense for the duration of the entire trial.  

Praise the heavens then for conscientious lawyers like Atty. Alcantara, who zealously fights for the rights of their clients; and informed and competent judges like Judge Bunyi-Medina (whom I do not know personally, having met her for the first time when I testified in her court) who rigorously apply the standard of evidence in criminal cases, including cybercrimes, and do not take the path of least resistance. We judge judges by their decisions. In this case, her decision which had been distributed to members of the media, revealed her commitment to upholding the rule of Evidence and the Law.

Philippine Lawbytes 183: The Dubious Evidence Presented Against the Acquitted Alleged COMELEAK Hacker (Part 2), Copyright by Dr. Atty. Noel Guivani Ramiscal

What were the pieces of evidence presented by the State against Mr. Biteng?

The National Bureau of Investigation brought to the court certain evidence they gathered when they profiled him. Amongst these were:

1. the alleged appearance of Paul Biteng’s name in a hacking video tutorial on YouTube, on a site associated with the Phantom Hacker Khalifax;

• Mr. Biteng was associated by the NBI with the hacker group Anonymous Philippines, allegedly as the administrator of its Facebook account;

• The moniker “kh4lifax” was supposedly visible on the defaced COMELEC website that Anonymous Philippines supposedly “owned.”

• A screenshot of the defaced COMELEC website supposedly appeared on the Facebook account of Anonymous Philippines;

• The NBI supposedly found the terms “kh4lifax” and “Comelec” on Biteng’s computer hard drive which they confiscated.

It must also be noted that aside from the social media and gmail accounts of Mr. Biteng, the NBI also confiscated the computer and electronic devices used by Mr. Biteng. But the device identifiers in these electronic devices had not been connected to Mr. Biteng, in the commission of the crimes he was charged.

THE COURT’S RULING:

The meat and gist of the Court’s ruling can be found in these portions of the Court’s decision which deserve to be quoted in full:

Nowhere in these videos and posts were it convincingly shown that accused defaced the Comelec website. In fact, the bulk of the evidence only sought to prove that accused posted 1. hacking tutorials prior to the commission of the subject offenses; 2. a screenshot of the defaced Comelec website; and 3. comments regarding the Comelec hacking incident.

In the mind of this Court, the commission of these acts, even if coupled with a finding that accused is the author thereof, cannot convincingly prove the latter’s guilt with the requisite quantum of evidence required. In the same manner, the Court cannot discount the possibility that the author of the said posts is a different person, who somehow accessed accused’s social media accounts.

Why did Judge Bunye-Medina posit the possibility of another perpetrator committing these offenses that Mr. Biteng had been charged and suffered for three years? The answer lies in the uncontroverted fact, established by the defense expert testimony from DOST ASTI, that an Internet Protocol (IP) address of one of the computers supposedly used in the commission of the offenses charged against Mr. Biteng, belonged to, and had been assigned to the NBI since 2015!

Philippine Lawbytes 182: The Case of the Acquitted Alleged COMELEAK Hacker (Part 1), Copyright by Dr. Atty. Noel Guivani Ramiscal

NOTICE AND DISCLAIMER:

As a general rule, I do not blog about the cases I have handled or been involved in some manner.  But certain cases become exceptions because the lessons they hold are too important and they deserve to be known in the public’s interest and the protection of the rights of accused, particularly those who are truly innocent.

Way back in 2016, COMELEC suffered the first major data privacy breach of its electronic systems that was made known to the public. Mr. Paul Loui Biteng was the primary suspect charged for hacking and defacing the COMELEC website, earning him the moniker of “COMELEAK” hacker. The cases against him have dragged for several years. In this connection, I was asked by his brilliant defense lawyer, Atty. Harold Alcantara to appear as a cybercrime law expert with respect to certain technical aspects of the cases, last October 29, 2019, in the Manila Regional Trial Court Branch 32, presided over by Judge Thelma Bunyi-Medina.

I did not plan on writing about these cases, but a journalist from a newspaper of general circulation already mentioned me in connection with these cases in a February 28, 2020 write-up, concerning the acquittal of Mr. Biteng. I then decided to write about the matter, particularly honing on the character of Mr. Biteng as a hacker, and the electronic evidence aspect, after I secured Mr. Biteng’s consent last March 9, 2020, via a phone call. But with everything that has happened since then globally and in our country, it is only now that I had the time to sit down and collect my thoughts on the cybercrime cases he was charged and acquitted by the Regional Trial Court.

ABOUT MR. BITENG: AS AN ETHICAL HACKER AND A ZERO DAY/BUG BOUNTY HUNTER

Due to the real time security issues posed by zero day vulnerabilities present in all software programs and online platforms that are run via source codes, big time IT companies like Microsoft, Google and Facebook have established bug bounty programs that offer fees or rewards to any hacker that can actually spot any security bug or zero day vulnerability in their products and websites that they do not know and report it to them, first.

This type of activity requires considerable computing skills, like penetration testing, from those who take up the challenge of becoming bug hunters. This is also a legitimate activity that has the express consent of the companies involved. Any intrusion into their computing systems by bug hunters is authorized.

Mr. Biteng has achieved fame and goodwill as a bug hunter. His contributions and achievements as an ethical hacker has been recognized by Microsoft [see https://microsoft.com/en-us/msrc/researcher-aclnowledgments-online-services-archive]. He was in fact designated as a “White hat” by no less than FaceBook [https://facebook.com/whitehat/thanks]. Among prominent internet netizens and members of the Philippine hacking community, he is highly regarded and even considered as “Unang Bayani” (First Hero) by some.

In using his computing skills for the benefit of securing the Internet experience of everyone who uses the products and platforms, for example, of FaceBook and Microsoft, Mr. Biteng has proven by his deeds that he has considerable skills that are recognized by global IT companies/leaders, and that he has used them responsibly. He is an embodiment of the characteristics of a “White hat”.

WHY IS THE CHARACTER AND ACTUATIONS OF MR. BITENG AS A HACKER IMPORTANT TO THESE CASES?

There were statements made in the media that he allegedly admitted to hacking and defacing the COMELEC website, but he also said that he made those admissions under duress because he was kept under detention by the police for one week. In court, he did not admit to committing the offenses. What he did admit to was that he warned the COMELEC about the vulnerability of its website.

Why did he do this? The reason was simple and uncontroverted. COMELEC, in its unhesitant declaration of absolute trust in its website offered a bounty of Php100,000.00 to anyone who can point to, and prove any security flaw or vulnerability in its website. COMELEC’s unequivocal challenge to all and sundry is a universal open invitation to hack/crack its website to uncover any flaws that can compromise its security and the data it contained. Mr. Biteng, being what he is, did what he had to do, as a white hat, to rundown the false security claims that COMELEC made to hype its claims about its IT systems. He reported the results of his SQL injections on COMELEC’s Precinct Finder to the COMELEC, to which COMELEC did not respond.

COMELEC’s challenge arguably constituted a “jail free” card or pass to hack its system, and any white hat worth his/her hat who took the challenge did not commit any crime, because his/her acts would not amount to “illegal access” under the Philippine Cybercrime Prevention Act.

Philippine Lawbytes 181: Why Ethical Hackers Can Be Considered Criminals Under the Narrow View of Ethical Hacking by the Supreme Court, Copyright by Dr. Atty. Noel Guivani Ramiscal

In the 2014 consolidated constitutional challenges to several provisions of the Philippine Cybercrime Prevention Act (R.A. 10175) [see Louis “Barok” C. Biraogo vs. National Bureau Of Investigation And Philippine National Police, G.R. No. 203299; Philippine Bar Association, Inc. vs. His Excellency Benigno S. Aquino III, in his Official Capacity as President of the Republic of the Philippines, et. al, G.R. No. 203501; Bayan Muna Representative Neri J. Colmenares vs. The Executive Secretary Paquito Ochoa, Jr., G.R. No. 203509; Disini, et. al, vs. The Secretary of Justice, et. al, G.R. No. 203335, etc., hereinafter “Consolidated cases”, February 11, 2014], the Supreme Court expressly dealt with ethical hacking. The relevant provision is the definition of “illegal access” which the law defined as “access to the whole or any part of a computer system without right” [R.A. 10175, Section 4(a)(1)].

The Supreme Court viewed “ethical hackers” as “professionals who employ tools and techniques used by criminal hackers but would neither damage the target systems nor steal information. Ethical hackers evaluate the target system’s security and report back to the owners the vulnerabilities they found in it and give instructions for how these can be remedied. Ethical hackers are the equivalent of independent auditors who come into an organization to verify its bookkeeping records. Besides, a client’s engagement of an ethical hacker requires an agreement between them as to the extent of the search, the methods to be used, and the systems to be tested. This is referred to as the “get out of jail free card.” Since the ethical hacker does his job with prior permission from the client, such permission would insulate him from the coverage of Section 4(a)(1).”

It is clear from this view that only hackers who are employed as security professionals, system penetration testers, and the like, who have express authorization to “hack” their clients’ systems would be protected and exempt from the coverage of R.A. 10175’s penal scope.

There are two observations that I must make here which are important in understanding how the Supreme Court’s limited conception of “ethical hacking” can actually harm or inflict unwarranted penalties on people with hacking skills who do not see their use of their skills as resulting in illegal results.

First, the Supreme Court’s characterization of “ethical hacking” does not clearly cover the actions of bounty hunters of bugs, viruses and zero day exploits who are not explicitly or implicitly allowed by the owners of websites, software and hardware that they target, to examine these.

Putting “ethical hacking” in the context of “employment” or consultancy contracts, which is the perspective of the Supreme Court, would not apparently cover the bug bounty programs that Microsoft, Google, FaceBook and other big time IT companies offer to everyone in the world. It would also evidently not cover challenges issued by government agencies, and private individuals like the famous Alex Lingad in the Philippine hacker community, to everyone and anyone to prove that they can hack or penetrate these agencies’ or individuals’ websites. Successful bounty hunters and hackers are rewarded for their singular exploits and shows of skills, and not because they are employees or consultants of these companies, agencies or individuals.

Second, what is absent from the Supreme Court’s discussion is the ascertainment of the intent of the hacker in accessing the computing systems of another. Indeed, R.A. 10175 does not appear to consider the intention of one who accesses a computing system without any right. Section 8 of this law provides:

Sec. 8. Penalties. — Any person found guilty of any of the punishable acts enumerated in Sections 4(a) and 4(b) of this Act shall be punished with imprisonment of prision mayor or a fine of at least Two hundred thousand pesos (Ph₱200,000.00) up to a maximum amount commensurate to the damage incurred or both.  

• a hacker without right, intentionally introduced a malware in the computing system to hijack it, and then extort Bitcoins from the owner of the computing system. 

The law punishes uniformly any form of online access “without right” which means that all forms of unlawful access, even if no damage was wrought to the computing system, and the motivation was simply of curiosity, or to help protect the computing system, are punished with prision mayor. It is only in the fines, where the distinction can be drawn, and this depends on the amount of “commensurate” damage that such unlawful access has wrought.

I had appeared in Congressional hearings prior to the passage of R.A. 10175, specifically, when I was formerly connected with a multinational educational system, and I had shared my view that the “intent” of the hacker, in cases of unauthorized access, must be given due consideration to obviate any inconsistency and injustice in the punishment and sentencing. This is all the more apropos considering criminal laws typically have a mens rea requirement. For instance, the “alteration, damaging, deletion or deterioration of computer data, electronic document, or electronic data message, without right, including the introduction or transmission of viruses” under the Philippine Cybercrime Prevention Act, actually requires evidence of either criminal intent or recklessness on the part of the offender (see (4)(a)(3) Data Interference, R.A. 10175). But such is not the case for “illegal access”.

Consider these types of hackers:

• a hacker, without right, who entered a computing system to find a bug, found it, and then warned the owner of the computing system to protect the system;

• a hacker, without right, who entered a computing system to introduce a patch to fix a security bug in the system, and fixed it, therefore actually protecting the system; and

Under R.A. 10175, and the Supreme Court ruling in the consolidated cases, all three hackers would be considered criminals, even if the first two hackers actually  performed a tremendous beneficial service to the owner of the computing system, while the third hacker actually stole the data of the computer system owner, and held it for ransom. The punishment must fit the crime, and it is on this point that R.A. 10175 fails.

Courts, who are instruments of Justice, Truth and Wisdom must be made aware of incongruities like these, so they can wield their tremendous power of Judgment in an informed compassionate manner and possibly help reform the legal system.

Philippine Lawbytes 180: Zero-Day Vulnerability and the Possible Responses of a Hacker, Copyright by Dr. Atty. Noel Guivani Ramiscal

Another important development that has made significant headlines in cybersecurity is the development, tracking down and sales of zero-day vulnerabilities. A zero-day vulnerability is an error in the programming code of computer software, unknown to the computer user, software manufacturer and anti-virus vendors, that can have destructive consequences.

These vulnerabilities or “bugs” arise because source codes of software are not perfect, having been written by humans. As these software products are deployed to the market, issues or bugs arise that need to be fixed by the developers through patches. But not all these bugs are made known to the developers, and the actions of those who discover these bugs before they are known to everyone would determine what hats they wear.

Black hats may exploit the vulnerability for malicious purposes, including infiltrating malware or spyware or allowing unwanted access to user information. They can keep the vulnerability, weaponize it, such that it can be designed to operate immediately with a payload that harms the targeted computing systems, and use it to wreak havoc or sell it for tremendous amounts of money.

White hats who discover the vulnerability would inform the developer either for free or for a fee and they may sometimes come up with patches to fix the bugs themselves and offer them to the developer.

Gray hats, who operate in the blurry boundaries of what is legal and what is not, may do something else. They may break into the computing systems that are susceptible to the zero day vulnerability, and apply the patch themselves. The intrusion is unauthorized, and therefore from the standpoint of the Philippine Cybercrime Prevention Act, illegal. But the result of the gray hat’s action is that it saved the computing system from the payload of a weaponized zero-day bug unleashed by a black hat.

This is not some far-fetched scenario. In the last quarter of 2018, a Russian gray hat has admitted to fixing a security vulnerability in over 100,000 Mikro Tik routers that allowed attackers to bypass authentication and download the user database file, which can then be decrypted and harvested for usernames and passwords. The Russian gray hat applied the fix himself without the knowledge and consent of the routers’ owners and “added firewall rules that blocked access to the router from outside the local network” to safeguard the owners’ networks. [A Mysterious Russian Grey Hat Vigilante has patched over 100,000 routers, October 12, 2018, https://www.thesslstore.com/blog/mysterious-russian-grey-hat-vigilante-patched-over-100000-routers/]. This is a Good Samaritan act, which the Philippine Cybercrime Prevention Act rewards with imprisonment and/or fine.  

Philippine Lawbytes 179: (Part 2) Knowing a Hacker by the Hat, Copyright by Dr. Atty. Noel Guivani Ramiscal

Hackers are further subdivided by their motivations, actions and designations in the hacker culture, particularly in the “hats” they wear or identify with.

White Hats or the Ethical Hackers

These hackers employ the same methods used by “crackers” or black hats in engaging in computer intrusions and penetrations but they differ from black hats in that their activities are allowed or permitted by the owners of computing systems they access. Often, these hackers are engaged as employees or consultants of the owners of computing systems, or they are research scientists or computer specialists that have gained fame for their exploits which they present in scientific conferences, or in competitions they participate in, around the world.

Examples of “white hats” include: Joanna Rutkowska, a cybersecurity researcher whose expertise is stealth malware, perhaps better known as rootkits, which can disguise itself in a computing system to exploit vulnerabilities. She revealed the vulnerabilities in the Vista kernel and the Intel Systems; Charlie Miller, a computer security researcher, who is best known for exposing vulnerabilities in Apple products like the MacBook Air bug, iPhone and iPad, and the Safari browser; and Kevin Mitnick, the former most wanted cybercriminal in the US, who has now reformed and turned into a cybersecurity consultant with a company that specializes in penetration testing and a zero day brokerage firm.

Black Hats or the Criminal Hackers

They utilize their extensive knowledge and social engineering skills with malice, to profit from their exploits of their victims. Black hat hackers can range from script kiddies who spread malware, to experienced crackers that aim to steal data, specifically financial information, personal information and login credentials, and/or to modify or destroy data for financial gain.

Examples include: Albert Gonzalez who has been accused of masterminding the biggest ATM and credit card theft in history; from 2005 to 2007, he and his cybergroup had allegedly sold more than 170 million card and ATM numbers, and in 2010, Gonzalez was sentenced to 20 years in U.S. federal prison; Vladimir Levin who transferred $10 million from the accounts of Citibank clients to his own accounts around the world and was captured; and Jonathan James, who at 16 years old, became the first juvenile imprisoned for cybercrime in the United States. He had hacked government systems such as NASA and the Department of Defense at the age of 15. On May 18, 2008, at the age of 25, James committed suicide using a gun [see Norton and Chandler Grant, Top 10 Notorious Black Hat Hackers, https://listverse.com/2012/05/08/top-10-notorious-black-hat-hackers/]

Gray Hats or the In-Betweens

Gray hat hackers, who are usually cybersecurity researchers, even academics, will look for vulnerabilities in a system without the owner’s permission or knowledge. If issues are found, they will report them to the owner, sometimes requesting a small fee to fix the issue. If the owner does not respond or comply, then sometimes the hackers will post the newly found exploit online for the world to see. If they are academics, they can present their findings in conferences, risking prosecution. Their activities are not generally malicious, but because they get their information without permission from the owners of compromised systems, under the Philippine Cybercime Prevention Act, their unauthorized access is still illegal.

Philippine Lawbytes 178: (Part 1) The Different Types of Computer Hackers, Copyright by Dr. Atty. Noel Guivani Ramiscal

Cybercrimes are on the rise, amid the global pandemic, where most people are constrained to rely on the Internet to procure the basic necessities they desire, do their shopping, pay their bills, and basically do everything that they can do electronically, to avoid going out of their homes. Reports have been circulated by IT security firms and research entities concerning the exponential tick in data breaches and fraud crimes during the lockdowns. The Bureau of Internal Revenue even came out with a warning last October 26, 2020, concerning an online phishing scam circulated to trick unwary taxpayers of clicking on links on a fraudulent BIR website and revealing their usernames and passwords, thinking they were using the BIR e-services.

I had been asked several times in the past, particularly in my lectures, as to the types and motivations of different computer hackers. It is high time to state what they are.

1. Script-kiddies

These are people who are starting out with limited programming knowledge, so they utilize software tools available online to exploit security weaknesses in the sites and systems they are targeting, often without even knowing exactly what they are doing. The computer attacks they muster are often considered nuisances like website defacement. But it would also be wrong not to lookout for their kind because some of them do graduate to become skilled hackers, crackers, maybe even cyberterrorists.

2. Hackers

This group consists of people with more than adequate and even sophisticated programming skill sets that allow them to design intrusion programs and penetrate some of the most complex security systems. There was a distinction drawn between the motivations of these people and their actual actions.

Hackers are often drawn to computer intrusions out of curiosity, pride, feelings of power, camaraderie with other hackers, and even voyeuristic attitudes, in actually being able to uncover secrets and information on their targets, which are not known by the public.

For others, the adrenaline rush of hacking is so strong as to be addictive like any physical opioid. There is the case of British hacker, Paul Bedworth, who was the first person to be tried under the UK’s Computer Misuse Act. He successfully raised addiction as a defense. Bedworth was so pathologically beholden to hacking that he would lock himself in his room and stay fixated on his computer for days until he dropped from exhaustion.

3. Crackers and Cyberterrorists

Crackers on the other hand hack to profit from their computer crimes, although they may also be enamored with the conquest of breaking into supposed secure systems. They can be dangerous and include those who attack computer systems for personal profit, economic espionage, write viruses, hijack computing systems for extortion purposes.

Cyberterrorists are grouped with crackers because they share similarly malevolent purposes, but crackers are different from cyberterrorists in terms of purpose. Crackers are out for their personal gains, and they usually work alone. Cyberterrorists are imbued with political, often radical agenda, they intend to sow fear and destruction on their victims, and they often work in groups that are supported by States. However, it is also true that these cyberterrorists can also be trained or mandated by the Sponsor State, to target big commercial companies and States for their intellectual property secrets and other valuable electronic assets and information, not for the purpose of sowing fear and destruction, but for enriching the dollar reserves and coffers of the Sponsor State.

In knowing the type of cyber attacker that launched an attack, law enforcement agents and governments can tailor their response. And in the age that we live in, such response can vary, from criminal prosecutions and incarcerations to mere diplomatic protests.