[ISN] Cracking the Mind of a Hacker

From: mea culpa (jerichoat_private)
Date: Fri Jan 22 1999 - 22:46:13 PST

  • Next message: mea culpa: "[ISN] REVIEW: "Cyber Crime, How to Protect Yourself...Criminals""

    [Moderator: I know, I said no more poor stories, but the topic is of
     interest to many readers. This article has been ripped on in many 
     other forums. It will most likely be added to Errata soon.]
    
    
    Forwarded From: "Kiera L. Wooley" <kwooleyat_private>
    
    Cracking the Mind of a Hacker
    by James Glave
    8:25 a.m.  20.Jan.99.PST
    
    SAN JOSE, California -- The average computer cracker is an obsessive
    middle-class white male, between 12 and 28 years old, with few social
    skills and a possible history of physical and sexual abuse.  That was the
    controversial conclusion of Canadian psychologist Marc Rogers, in his
    "Psychology of a Hacker" session, held late Tuesday at the RSA Data
    Security Conference.
    
    A former police computer crimes investigator and author of a doctorate
    focusing on hackers and cyber terrorists, Rogers offered a new taxonomy
    for network intruders.
    
    "Hackers have been dubbed the enemy of information security," said Rogers. 
    "They research their targets, they know a lot about us. They are very good
    at intelligence-gathering or sharing."
    
    In 1998, the Computer Security Institute estimated that intrusions cost
    corporations US$236 million worth of damage, according to Rogers.
    
    But information systems managers have very little knowledge of what makes
    a hacker tick. Thus, Rogers developed psychological profiles to aid law
    enforcement investigators and the legislators who are writing new
    anti-cracker laws.
    
    Rogers offered what he called a new taxonomy of hackers, categorizing
    intruders as newbies or script kiddies (who are beginners), cyberpunks
    (older, but still antisocial geeks), insiders (disgruntled employees),
    coders (who actually write the exploits), professionals (hired guns), and
    full-fledged cyber terrorists. 
    
    Computer security experts in attendance hotly contested Rogers' claims,
    alleging that his work plays to sensationalist fears and creates a
    stereotype of limited value to investigators. 
    
    "He has got the age group, but when it comes to social groups he's got
    that wrong completely," said Alton Tuttle, a freelance computer security
    consultant. 
    
    "In most social groups you are going to find a baseline of people who were
    [sexually] abused," he added. 
    
    "Statistically, the majority of what he said was wrong," added Peter
    Shipley , chief security architect for the Big Five firm KPMG. "I know a
    lot of hackers, [including one who] spends an hour and a half in the gym
    every day.  He is built! I know of women who are knock-down gorgeous who
    are hackers." 
    
    Shipley said that criminal profiles are proven to work to track down
    serial killers but that "the hacker profile is so diverse and wide that a
    strong profile could not be useful." 
    
    Rogers characterized members of one subgroup he called "cyberpunks" as
    socially inept, burdened with unresolved anger that they take into
    cyberspace. 
    
    "They relate better to computers than humans," Rogers said. "They can
    spend hours and days glued to a computer." 
    
    He described an incident several years ago when investigators raided a
    residence, expecting to find a computer left running an automated attack.
    A machine at that location had been attempting the same routine on a
    system for days. 
    
    What the investigators found instead, Rogers said, was a man suffering
    from a mental disorder. "He had a porta-potty under the seat, and he was
    buzzed out on Coca-Cola and candy." 
    
    Shipley said that Rogers was going for shock value with such descriptions. 
    "He is trying to paint hackers as 25-year-old men who can't control their
    bowels." 
    
    Rogers said that while there was no empirical evidence linking computer
    criminals with what he termed computer-addictive disorder, hackers tend to
    be obsessive types. 
    
    Shipley and freelance network engineer Aaron Peterson said that the
    intense, focused mindset typical of someone trying to model a problem
    could easily be mischaracterized as obsessive. 
    
    Rogers closed out his talk with a grim scenario for corporate America.  He
    said that some crackers claim to be under contract to fix Y2K legacy code
    and are in a position to introduce all manner of logic bombs and back
    doors into the "fixed" code. 
    
    "I think you are going to find a real mish-mash of things happening once
    the year 2000 rolls along," he said. 
    
    Michael King, spokesman for the Hackers Defense Foundation, said he had
    never heard of such a claim. 
    
    "Generally, people won't tell even their best friends something like
    that,"  King said. "There are not many [crackers] out there who would let
    themselves get that carried away." 
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:16:59 PDT