[Moderator: I know, I said no more poor stories, but the topic is of interest to many readers. This article has been ripped on in many other forums. It will most likely be added to Errata soon.]

Forwarded From: "Kiera L. Wooley" <kwooleyat_private>

Cracking the Mind of a Hacker
by James Glave
8:25 a.m. 20.Jan.99.PST

SAN JOSE, California -- The average computer cracker is an obsessive middle-class white male, between 12 and 28 years old, with few social skills and a possible history of physical and sexual abuse.

That was the controversial conclusion of Canadian psychologist Marc Rogers, in his "Psychology of a Hacker" session, held late Tuesday at the RSA Data Security Conference.

A former police computer crimes investigator and author of a doctorate focusing on hackers and cyber terrorists, Rogers offered a new taxonomy for network intruders.

"Hackers have been dubbed the enemy of information security," said Rogers. "They research their targets, they know a lot about us. They are very good at intelligence-gathering or sharing."

In 1998, the Computer Security Institute estimated that intrusions cost corporations US$236 million worth of damage, according to Rogers. But information systems managers have very little knowledge of what makes a hacker tick.

Thus, Rogers developed psychological profiles to aid law enforcement investigators and the legislators who are writing new anti-cracker laws.

Rogers offered what he called a new taxonomy of hackers, categorizing intruders as newbies or script kiddies (who are beginners), cyberpunks (older, but still antisocial geeks), insiders (disgruntled employees), coders (who actually write the exploits), professionals (hired guns), and full-fledged cyber terrorists.

Computer security experts in attendance hotly contested Rogers' claims, alleging that his work plays to sensationalist fears and creates a stereotype of limited value to investigators.

"He has got the age group, but when it comes to social groups he's got that wrong completely," said Alton Tuttle, a freelance computer security consultant.

"In most social groups you are going to find a baseline of people who were [sexually] abused," he added.

"Statistically, the majority of what he said was wrong," added Peter Shipley, chief security architect for the Big Five firm KPMG.

"I know a lot of hackers, [including one who] spends an hour and a half in the gym every day. He is built! I know of women who are knock-down gorgeous who are hackers."

Shipley said that criminal profiles are proven to work to track down serial killers but that "the hacker profile is so diverse and wide that a strong profile could not be useful."

Rogers characterized members of one subgroup he called "cyberpunks" as socially inept, burdened with unresolved anger that they take into cyberspace.

"They relate better to computers than humans," Rogers said. "They can spend hours and days glued to a computer."

He described an incident several years ago when investigators raided a residence, expecting to find a computer left running an automated attack. A machine at that location had been attempting the same routine on a system for days.

What the investigators found instead, Rogers said, was a man suffering from a mental disorder. "He had a porta-potty under the seat, and he was buzzed out on Coca-Cola and candy."

Shipley said that Rogers was going for shock value with such descriptions. "He is trying to paint hackers as 25-year-old men who can't control their bowels."

Rogers said that while there was no empirical evidence linking computer criminals with what he termed computer-addictive disorder, hackers tend to be obsessive types.

Shipley and freelance network engineer Aaron Peterson said that the intense, focused mindset typical of someone trying to model a problem could easily be mischaracterized as obsessive.

Rogers closed out his talk with a grim scenario for corporate America. He said that some crackers claim to be under contract to fix Y2K legacy code and are in a position to introduce all manner of logic bombs and back doors into the "fixed" code.

"I think you are going to find a real mish-mash of things happening once the year 2000 rolls along," he said.

Michael King, spokesman for the Hackers Defense Foundation, said he had never heard of such a claim.

"Generally, people won't tell even their best friends something like that," King said. "There are not many [crackers] out there who would let themselves get that carried away."

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]