
The History of Hacking: From Exploration to Geopolitics

Summary

Hacking began as curiosity: MIT students staying up all night to find tricks in the TX-0 computer that its designers had not imagined. It passed through phone phreaking, through the first virus outbreaks, through the era of teenage intruders, through organized crime, and arrived in the 21st century as an instrument of state power — the subject of treaties, sanctions, and military doctrines. The word “hacker” has been contested throughout this history. To some it described brilliant, boundary-pushing programmers; to others, criminals. Both were sometimes right. What remained constant was the hacker’s essential method: finding what a system does that it was not supposed to do, and using that knowledge in ways the system’s designers did not intend. For the cultural dimension of hacker identity, see The Hacker Culture; for the defensive response to attacks, see Cybersecurity: The Invisible War.

The MIT Tradition: Hacking as Craft

The first hackers in the computing sense were students at MIT’s Tech Model Railroad Club (TMRC) in the late 1950s, who carried their culture of ingenious improvisation over to the TX-0 and then the PDP-1 computers in Building 26. The TMRC’s Signals and Power subcommittee built and maintained the relay and wiring system beneath the club’s elaborate model railroad layout, and its members’ subculture prized understanding exactly how that system worked and finding shortcuts and clever modifications to it. When computers arrived, the same ethos applied.

“Hack” in TMRC usage meant an elegant, efficient, or clever solution, particularly one that achieved a goal in an unexpected way. The earliest MIT computer hacks were pranks and demonstrations of technical mastery: programs that played music on the PDP-1’s speaker, a chess-playing program, and Spacewar!, one of the first video games. The ethical framework was positive: understanding systems deeply, sharing discoveries freely, improving everything that could be improved. Richard Stallman, who arrived at MIT’s AI Lab in 1971, later articulated this ethos explicitly: programs should be freely available, understood, and improvable by anyone.

This tradition — hacking as deep technical understanding in service of creativity — is the lineage that produced Unix, the internet’s core protocols, open-source software, and much of what defines computing culture. It is also the tradition that named “hacker” after itself and spent the following decades watching the word acquire connotations its originators found alien.

Phone Phreaking: The Pre-Internet Underground

In parallel with MIT’s academic hacking culture, a separate tradition emerged around the phone network. John Draper (“Cap’n Crunch”) discovered in 1971 that a toy whistle packed in boxes of Cap’n Crunch cereal produced a 2600 Hz tone: the single frequency that AT&T’s long-distance trunks carried to signal that a line was idle. Blowing the whistle into the handset during a connected call made the far-end switch believe the caller had hung up, so it released the called party while the trunk stayed seized from the caller’s side and the switch stood ready to accept routing digits. A “blue box” (a device generating the multifrequency tones the network itself used for routing) supplied those digits, giving the phreaker a new long-distance call that the originating office never billed, and, with the right routing codes, access to parts of AT&T’s switching network that subscribers were never meant to reach.

Draper was arrested multiple times but remained influential. More significant were Steve Wozniak and Steve Jobs, who built and sold blue boxes in their college years — Jobs later said the project taught them that two guys with electronics could “control hundreds of millions of dollars of infrastructure.” The business lesson shaped Apple’s approach to technology more than the technical lesson did.

Phone phreaking established several patterns that defined subsequent hacking: the exploitation of unexpected system behaviors; the creation of an underground community sharing technical knowledge; and the ambiguous legal status of people who understood systems better than their owners.

The 2600 Hz Frequency

AT&T’s in-band signaling, which carried control tones in the same audio channel as speech, was a vulnerability implicit in the network’s architecture: a switch had no way to tell a supervisory tone sent by another switch from the same tone sent by a subscriber. Later systems moved supervision out of band onto a separate control channel (CCIS in the Bell System from 1976, then SS7, standardized in 1980 and deployed through the 1980s), so that nothing a subscriber can put on the voice path is interpreted as a command. The phreakers’ exploitation of in-band signaling was one of the first large-scale demonstrations that protocol design choices have security implications that become apparent only when adversaries explore them.
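A toy model of that weakness, added here as an illustration; it is not code from the original article and not AT&T’s switching logic. The sample rate, block size, detection threshold and the two trunk state machines are assumptions; only the 2600 Hz supervisory frequency comes from the text. The in-band trunk decides its supervisory state by detecting 2600 Hz on the voice path with the Goertzel algorithm, while the out-of-band trunk changes state only on its separate control channel. A constructed “speech” signal with a whistle mixed in flips the first trunk to idle and leaves the second untouched:

```python
"""In-band versus out-of-band trunk supervision: why the 2600 Hz whistle worked.

Added, simplified model; not from the original article and not AT&T's real
switching logic. SAMPLE_RATE, BLOCK, THRESHOLD and the trunk classes are
assumptions; the 2600 Hz supervisory frequency is the one the text describes.
"""
import math

SAMPLE_RATE = 8000       # telephone-band audio, samples per second (assumption)
SUPERVISORY_HZ = 2600.0  # tone an idle long-distance trunk carried (from the text)
BLOCK = 800              # 100 ms analysis block; 2600 Hz lands exactly on a DFT bin
THRESHOLD = 0.01         # detector power threshold (assumption)


def tone(freq_hz, amplitude=0.5, n=BLOCK):
    """Constructed input: one block of a pure sine tone."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / SAMPLE_RATE) for i in range(n)]


def mix(*signals):
    """Sum equal-length sample lists, e.g. speech with an injected whistle."""
    return [sum(s) for s in zip(*signals)]


def goertzel_power(samples, freq_hz):
    """Goertzel algorithm: power at one frequency, normalized so that a pure
    sine of amplitude A sitting on the bin returns approximately A**2."""
    n = len(samples)
    k = round(freq_hz * n / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2   # |X[k]|^2
    return power / (n * n / 4.0)


class InBandTrunk:
    """Supervision inferred from the voice path itself (the Bell System design)."""

    def __init__(self):
        self.state = "idle"

    def observe(self, audio):
        # The far-end switch cannot tell whether 2600 Hz came from the network
        # or from a subscriber's whistle: same channel, same meaning.
        present = goertzel_power(audio, SUPERVISORY_HZ) > THRESHOLD
        self.state = "idle" if present else "busy"
        return self.state


class OutOfBandTrunk:
    """Supervision carried on a separate signaling channel (the SS7 approach)."""

    def __init__(self):
        self.state = "idle"

    def signal(self, message):
        # Only messages on the control channel change state.
        self.state = {"seize": "busy", "release": "idle"}[message]
        return self.state

    def observe(self, audio):
        # Audio is payload only; no sample is ever interpreted as supervision.
        return self.state


def phreak_scenario():
    """States of both trunks after a subscriber whistles 2600 Hz mid-call."""
    speech = mix(tone(440.0, 0.3), tone(1000.0, 0.2))   # constructed stand-in for a voice
    whistle = tone(SUPERVISORY_HZ, 0.5)                  # the cereal-box whistle
    inband, oob = InBandTrunk(), OutOfBandTrunk()
    # Call in progress: speech only on the trunk.
    inband.observe(speech)
    oob.signal("seize")
    oob.observe(speech)
    # Subscriber blows the whistle while still connected.
    return inband.observe(mix(speech, whistle)), oob.observe(mix(speech, whistle))
```

`phreak_scenario()` returns `('idle', 'busy')`. In the real network the far-end office, seeing its trunk go idle, dropped the called party while the originating office kept the trunk open (and the billing record of the original call unchanged); the blue box then supplied the multifrequency routing digits for a new, unbilled call. The out-of-band model has no such ambiguity because no audio sample is ever interpreted as a command.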

The First Viruses and Worms

The first malicious programs were not designed for financial gain. The Creeper (1971), written by Bob Thomas at BBN Technologies, was an experimental self-replicating program that spread across ARPANET, displaying “I’m the creeper, catch me if you can!” The Reaper program was subsequently written to find and delete Creeper — the first antivirus program, created specifically to counter the first worm.

Elk Cloner (1982), written by 15-year-old Rich Skrenta as a prank, was the first virus to spread in the wild on personal computers: it infected the boot sectors of Apple II floppy disks and displayed a poem on every fiftieth boot from an infected disk. No financial motivation; pure adolescent mischief.

The Brain virus (1986), written by Pakistani brothers Basit and Amjad Farooq Alvi ostensibly to protect their medical software from piracy, was the first IBM PC virus. It infected the boot sectors of floppy disks and displayed the brothers’ names and phone numbers — an early example of what would become a recurring pattern: virus authors who left attribution either from pride or as a form of perverse advertising.

The Morris Worm (November 1988) was a different order of magnitude. Robert Morris, a Cornell graduate student, released a worm that exploited several Unix weaknesses: a stack buffer overflow in fingerd (a gets() call into a fixed-size buffer), the DEBUG command left enabled in sendmail, and weak passwords combined with the trust relationships of rsh and rexec between machines. The worm was not designed to be destructive; Morris intended it as a demonstration. But its check against reinfecting an already-infected host was deliberately bypassed one time in seven (to defeat decoy copies planted by administrators), so infected machines accumulated copies that consumed memory and CPU until the systems crashed. Approximately 6,000 machines were infected, roughly 10% of the hosts then on the internet, and recovery took days. Morris was the first person convicted under the Computer Fraud and Abuse Act (1986). He later became a professor at MIT and co-founded the venture firm Y Combinator.

The Morris Worm demonstrated that the internet’s interconnected nature transformed individual vulnerabilities into systemic risks. It also prompted the founding of CERT/CC (Computer Emergency Response Team Coordination Center) at Carnegie Mellon, the first organization dedicated to tracking and responding to internet security incidents.

The Teenage Intruder Era

The late 1980s and 1990s produced a cohort of hackers who became famous through their intrusions into high-profile systems and, in several cases, their subsequent arrests and prosecutions. The pattern was consistent: technically skilled teenagers with minimal resources, significant time, and a culture that valorized penetration of “interesting” systems.

The era’s first nationally visible incident involved not a lone prodigy but a group: the 414s, a Milwaukee friend group named after their city’s area code, who in 1982–83 accessed over sixty systems including Los Alamos National Laboratory and the Memorial Sloan-Kettering Cancer Center. Arrested in 1983, they faced minimal criminal consequences but maximum political ones: their story appeared on the cover of Newsweek, prompted congressional hearings, and contributed directly to the first federal computer-crime statute, the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, which was broadened into the Computer Fraud and Abuse Act of 1986.

Kevin Mitnick was the most famous individual. Beginning in the mid-1980s, Mitnick penetrated systems at Digital Equipment Corporation, Motorola, Nokia, and dozens of other companies, taking source code and proprietary data. His skill at social engineering — convincing employees to reveal passwords or access credentials over the phone — was as important as his technical abilities. He was arrested in 1988, released, and re-arrested in 1995 after a cat-and-mouse game with security researcher Tsutomu Shimomura that became a book (Takedown, 1996). He served five years in federal prison, including eight months in solitary confinement. After release, he became a security consultant and public speaker on social engineering.

Kevin Poulsen (“Dark Dante”) represented a different order of technical sophistication. Operating from the late 1980s as a fugitive from federal charges, Poulsen used his deep knowledge of Pacific Bell’s switching infrastructure to seize control of radio station phone lines and guarantee himself the winning call — and a Porsche 944 — in an on-air contest. He also accessed FBI databases containing information about federal wiretaps. Captured in 1991, he received the longest sentence yet imposed on a hacker: 51 months. After release, he reinvented himself as a journalist at Wired and later co-created SecureDrop, the anonymous whistleblower submission system now used by major news organizations worldwide.

Adrian Lamo (“the homeless hacker”) operated without a fixed address, hacking Yahoo!, Microsoft, and the New York Times from public libraries and Kinko’s. He typically told his targets, and often journalists, what he had done, and surrendered to the FBI in 2003 after the Times intrusion. His legacy was defined not by his hacking but by a decision in 2010: when Chelsea Manning contacted him after leaking roughly 750,000 classified and sensitive documents to WikiLeaks, Lamo reported her to the FBI. Manning was sentenced to 35 years and served seven before her sentence was commuted in 2017; Lamo was permanently reviled by the hacker community as an informant. He died in 2018 at thirty-seven.

Gary McKinnon hacked 97 US military and NASA systems between 2001 and 2002 from his North London flat, searching for evidence of UFO cover-ups. He left messages on compromised systems reading “Your security is crap.” The US sought his extradition, and prosecutors said he faced up to seventy years in prison. British courts repeatedly upheld the extradition request over ten years of appeals, while his supporters cited his Asperger’s diagnosis and the asymmetry of the US-UK extradition treaty; Home Secretary Theresa May finally blocked extradition in 2012 on human-rights grounds. McKinnon was never tried for intrusions he fully admitted.

The Chaos Computer Club (CCC) in Germany represented a different model. Founded in 1981 (at a meeting in Berlin; the club was registered and based in Hamburg), the CCC operated as a hacker organization that emphasized demonstrating vulnerabilities to pressure companies and governments into improving security, rather than exploiting them for personal gain. The 1984 CCC hack of the Bundespost’s Bildschirmtext network (BTX system), in which members used a flaw in the system to run up 134,694.88 Deutschmarks in page-view charges against a Hamburg savings bank’s account overnight and then publicly returned the money, forced public discussion of security vulnerabilities in state telecommunications infrastructure.

Hacker groups — Cult of the Dead Cow, Legion of Doom, Masters of Deception — formed, competed, infiltrated each other, and were periodically arrested in waves of law enforcement action. Operation Sundevil (1990), a Secret Service sweep against hackers, was notable as much for its overreach as its effectiveness: several prosecuted individuals faced charges far exceeding the actual damage caused, partly because courts and prosecutors lacked the technical knowledge to evaluate what was and was not serious.

From Curiosity to Crime: The Commercial Era

As commerce moved online, hacking motivation shifted. The late 1990s saw the emergence of organized financial cybercrime: credit card theft from e-commerce databases, identity theft at scale, and the first coordinated attacks for financial profit.

The Love Bug / ILOVEYOU worm (May 2000) spread via email attachments, overwrote files, and caused estimated damages of $10 billion — at the time, the most expensive malware incident in history. Its authors in the Philippines faced no prosecution; the Philippines had no computer crime law at the time. The incident prompted international discussions about jurisdictional gaps in cybercrime law.

The Russian Business Network (RBN), active from approximately 2006 to 2008, was among the first documented criminal enterprises structured around providing cybercrime infrastructure as a service: bulletproof hosting, malware distribution, and spam services for hire. It represented the maturation of cybercrime from individual actors to organized businesses with customers, service-level agreements, and customer support.

Botnet operations — networks of thousands or millions of compromised computers controlled by a single operator — became the dominant infrastructure of financial cybercrime. Botnets sent spam, participated in distributed denial-of-service extortion attacks, and harvested credentials from banking customers through keyloggers. The Conficker worm (2008) infected an estimated 10 million machines, creating one of the largest botnets ever assembled.

Zero-Days: The Vulnerability Economy

A zero-day vulnerability is a software flaw unknown to the software’s vendor: the vendor has had “zero days” to develop a patch, so no fix exists when the flaw is first exploited. Zero-days are valuable because they enable attacks against systems that are fully patched and otherwise defended. A market for zero-days developed in the 2000s, with prices ranging from thousands of dollars for minor vulnerabilities to millions for remotely exploitable flaws in high-value targets like iOS or Chrome.

The market participants included:

  • Bug bounty programs: Companies offering rewards to researchers who report vulnerabilities rather than selling them to other parties.
  • Government agencies: NSA, GCHQ, and their equivalents in China, Russia, Israel, and other countries purchase zero-days for offensive use in intelligence collection.
  • Brokers: Companies like Zerodium that purchase zero-days from researchers and resell them to government customers, offering seven-figure payouts (up to $2.5 million on its 2019 price list) for full-chain, zero-click exploits of mobile operating systems.
  • Criminal organizations: Purchasing zero-days for direct financial exploitation.

The dual-use nature of vulnerability research — the same knowledge that enables offense enables defense — means the “vulnerability economy” has no clean solution. Restricting research harms defense; unrestricted markets enable offense. Most countries have struggled to articulate coherent policy.

Hacktivism: Anonymous and LulzSec

The 2000s brought to mass scale a category of hacker that had existed in embryo since the 1990s (the word “hacktivism” was coined inside Cult of the Dead Cow in 1996): the hacktivist, motivated by political ideology rather than curiosity or profit.

Anonymous emerged from 4chan’s /b/ imageboard around 2003 as a culture of collective anonymous action. Early operations were chaotic pranks. Project Chanology (2008), targeting the Church of Scientology after it tried to suppress a Tom Cruise video, marked the turn to explicit political action and introduced the Guy Fawkes mask that became hacktivism’s global symbol.

Operation Payback (2010) targeted anti-piracy organizations, then pivoted to Operation Avenge Assange — DDoS attacks on PayPal, Visa, Mastercard, and Bank of America after they cut off payment processing to WikiLeaks. PayPal estimated $5.5 million in damages. The FBI arrested fourteen participants who had failed to hide their IP addresses while using the collective’s attack tool.

LulzSec (six core members operating for fifty days in 2011) combined genuine technical skill with deliberate public theatricality. They hacked Sony Pictures (about one million accounts), PBS (publishing a fake story that Tupac was alive), the CIA’s public website (knocked offline by DDoS), Senate.gov, and multiple law enforcement systems. Their leader, Hector Monsegur (“Sabu”), was arrested by the FBI in June 2011 and immediately became an informant, operating undercover for about eight months while providing the FBI with intelligence on ongoing operations. Several other members were arrested in Britain during 2011, and the remaining identifications were made public when US indictments built on Sabu’s cooperation were unsealed in March 2012. Associated hacker Jeremy Hammond received ten years for the Stratfor hack. The youngest LulzSec member, Mustafa Al-Bassam (sixteen at the time of the hacks), received a suspended sentence and later completed a PhD in computer science.

Advanced Persistent Threats: Nation-State Hacking

The modern era of hacking is dominated by Advanced Persistent Threat (APT) actors — typically nation-state intelligence agencies or their proxies, operating with state resources, geopolitical objectives, and time horizons measured in years rather than days.

Operation Aurora (2009–2010), attributed to Chinese state-affiliated actors, targeted Google, Adobe, Juniper Networks, and at least thirty other major companies. The attackers sought source code and, at Google, the Gmail accounts of Chinese human rights activists. Google’s public disclosure — unprecedented at the time for a major corporation to attribute an attack to a nation-state — shifted how the technology industry discussed state-sponsored hacking.

Stuxnet (discovered 2010) was the first publicly known cyberweapon designed to cause physical damage. Reported to be a joint U.S.-Israeli operation code-named Olympic Games, Stuxnet targeted the Siemens programmable logic controllers operating centrifuges at Iran’s Natanz uranium enrichment facility, driving them to damaging rotor speeds while replaying normal readings to the monitoring systems. Approximately 1,000 centrifuges were damaged. Stuxnet’s sophistication (four Windows zero-day exploits, complex propagation logic, and precise operational targeting) established that nations were willing to use cyberweapons against physical infrastructure.

The Shadow Brokers (2016–2017) published a series of NSA hacking tools, including EternalBlue, an exploit for a vulnerability in Windows’ SMBv1 file-sharing protocol. Microsoft had patched the flaw (MS17-010) in March 2017, a month before the leak, so every subsequent victim was an unpatched system. EternalBlue was used in WannaCry (May 2017, attributed to North Korean actors), which encrypted 200,000+ computers across 150 countries and disrupted the UK’s National Health Service, and in NotPetya (June 2017, attributed to Russian military intelligence), which caused an estimated $10 billion in damages, the most destructive cyberattack in history. NotPetya initially appeared to be ransomware targeting Ukraine but was in fact a wiper designed for maximum destruction, spreading collaterally to companies worldwide including Maersk, Merck, and FedEx.

Dead End: Security Through Obscurity

The defining failure mode of early computer security was security through obscurity: the belief that keeping a system’s design secret was an adequate substitute for making the design actually resistant to attack. IBM, Microsoft, and most commercial vendors treated their source code as a trade secret and assumed that attackers could not exploit vulnerabilities they could not see.

This assumption failed repeatedly. Attackers did not need source code: they could analyze compiled binaries, probe network protocols, and fuzz APIs to find vulnerabilities without any knowledge of the implementation. The security community’s response — Kerckhoffs’s principle (1883), which states that a cryptosystem should be secure even if everything about the system, except the key, is public knowledge — had been articulated by Auguste Kerckhoffs in the context of military ciphers, but its application to software security was resisted for a century.
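An added, constructed example of how a “secret algorithm” falls to a known-plaintext attack; it is not from the original article, and the vendor scheme, its constant key and the config file are hypothetical. A hypothetical product “encrypts” a stored configuration with a repeating-key XOR whose key is a constant compiled into the binary. An attacker who knows only the file format (it begins with `password=`) recovers the key from the ciphertext alone, without ever opening the binary; with the binary in hand the constant would simply be read out of it. The last function shows the same XOR used the way Kerckhoffs intended, with the secret moved into a key that is random, as long as the data and never reused, against which the prefix attack learns nothing:

```python
"""Known-plaintext recovery of a 'proprietary' repeating-key XOR scheme.

Added example, not from the original article. VENDOR_SECRET_KEY,
vendor_obfuscate and CONFIG are hypothetical stand-ins for a product that
relied on keeping its algorithm secret.
"""
import os

VENDOR_SECRET_KEY = b"s3cr3t!"   # hypothetical constant baked into the shipped binary

# Constructed sample configuration the product stores on disk.
CONFIG = b"password=hunter2\nhost=db.internal.example\nport=5432\n"


def vendor_obfuscate(data: bytes, key: bytes) -> bytes:
    """The vendor's 'encryption': XOR with a repeating key.
    XOR is its own inverse, so the same function also decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_prefix: bytes, max_key_len: int = 16):
    """Known-plaintext attack against a repeating key.

    ciphertext[i] ^ plaintext[i] == key[i % L], so the known prefix yields the
    first len(prefix) bytes of the key stream. For each candidate period L the
    stream must repeat with that period over the prefix, and decrypting the
    whole blob with it must yield text. Returns (key, plaintext) or None.
    """
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    for length in range(1, min(max_key_len, len(stream)) + 1):
        key = stream[:length]
        if any(stream[i] != key[i % length] for i in range(length, len(stream))):
            continue   # the prefix contradicts this period
        plaintext = vendor_obfuscate(ciphertext, key)
        if all(32 <= b < 127 or b == 0x0A for b in plaintext):
            return key, plaintext
    return None


def attack_vendor_scheme():
    """Attacker's view: only the on-disk blob and the file format are known."""
    blob = vendor_obfuscate(CONFIG, VENDOR_SECRET_KEY)   # what is found on disk
    return recover_key(blob, b"password=")


def one_time_key_variant():
    """Same XOR, but the secret is a random key as long as the data and never
    reused (Kerckhoffs: the algorithm may be public, only the key is secret).
    The prefix attack now learns nothing beyond the bytes it already knew,
    so recover_key finds no consistent, printable candidate."""
    key = os.urandom(len(CONFIG))
    blob = vendor_obfuscate(CONFIG, key)
    return recover_key(blob, b"password=")
```

`attack_vendor_scheme()` returns the key `b"s3cr3t!"` and the full plaintext: nine known bytes of header were enough to pin down a seven-byte key and decrypt everything that followed, which is why every installation of such a product shares one compromise. `one_time_key_variant()` returns `None`. The real-world fix is not a one-time pad but a reviewed public cipher with a per-deployment key held outside the artifact; the point is that the secrecy has to live in the key, where it can be changed, not in the design, where it cannot.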

The open-source security model, “given enough eyeballs, all bugs are shallow” (Linus’s Law, as Eric Raymond named it), proved at least partially correct: widely reviewed software tends to have fewer long-lived vulnerabilities than equivalently complex closed-source software, though the relationship is not simple. Some of the most serious vulnerabilities in modern infrastructure (Heartbleed in OpenSSL, 2014; Log4Shell in Log4j, 2021) sat for years in widely used open-source libraries that few people actually audited, demonstrating that open code helps but is not sufficient for security: the eyeballs have to exist, and someone has to pay for them.

