[ISN] Deciphering the hacker myth

From: InfoSec News (isnat_private)
Date: Wed Feb 06 2002 - 00:37:16 PST

  • Next message: InfoSec News: "[ISN] Chat-program bugs could bite millions"

    By Rachel Konrad 
    Staff Writer, CNET News.com
    February 5, 2002, 12:00 PM PT
    Newsmakers - Sarah Gordon doesn't dye her hair black or wear a nose
    ring, and neither do the people she studies.
    The senior research fellow at Symantec Security Response, Gordon is an
    expert on the psychology of virus writers and hackers. And she's on a
    mission to clean up stereotypes about these "bad guys."
    Contrary to popular myth, Gordon says, cyber-rebels aren't underground
    loners, and they're not necessarily nerdy--or even smart. She believes
    they join "the dark side" of the Internet because they don't extend
    the same moral code from the real world to the virtual world. She
    blames teachers, journalists and parents for the breach.
    Gordon lives in upstate New York with her husband, Internet
    architecture expert Richard Ford. She met him in England in 1994, when
    Ford was editing Britain's "Virus Bulletin." Ford attacked Gordon in
    an editorial for failing to attend a conference in Bulgaria. She
    called to complain, and he asked her to lunch. Thus began a
    trans-Atlantic courtship via Unix chats, which continued until they
    were married in 1995.
    Gordon participated in the White House's Cyber-Incident Steering Group
    last year and conducts research at hacker conferences such as Def
    Con--an annual event that bills itself as the "largest underground
    Internet security gathering on the planet." She was previously a
    researcher for the AntiVirus Research and Development team at IBM's
    Thomas J. Watson Research Center.
    She talked to CNET News.com about hacker ethics, stereotypes, and the
    next big threat to cybersecurity.
    Q: Most academics distinguish between hackers and virus writers.  
    What's the difference in terms of the character and ethical code of
    each group?
    A: Hackers have a much more highly developed skill set and a different
    way of thinking. They're into bigger systems in the bigger picture.  
    Virus writers for the most part aren't as technologically astute and
    don't have a big view. They think on the application level, not on the
    system level. The two cultures are sort of coming together with
    blended threats, but they're not really integrating on an intellectual
    or social level.
    It seems like new viruses are cropping up on a weekly or monthly
    basis. Who's writing them?
    They run the whole spectrum, from kids to people who do it at midnight
    when they come home from their corporate jobs. But in general, virus
    writers are young people under 30. You're talking about kids who pick
    up a script. You can have kids 10 or 12 years old getting into the
    game. I've known one virus writer who was 11.
    What motivates them to write viruses instead of playing soccer or
    reading books?
    Basically, they think it's a game. They don't realize the impact. They
    play with computers at school and at home, and we encourage that, but
    we don't encourage responsible behavior on the computer. They find a
    virus and tinker with it, and they don't realize what they're doing.
    These kids generally don't have mal-intent. But keep in mind, it only
    takes two or three people to send out a virus, and it multiplies over
    and over, and it can really mess up the system. So while they may not
    realize the impact, the effects can be quite destructive.
    The other thing that motivates these kids is the media. You see a
    virus writer in magazines and on news shows referred to as a rocket
    scientist. You hear so-called experts talk about how the government
    and private industry should recruit these kids to do security. One
    time, I remember hearing about virus writers as people "on the fringe
    of the Internet frontier," and I just cringed. When kids see this
    person being promoted as brilliant, they'll want to emulate that.
    You're saying virus writers don't have IQs higher than the average
    They're not necessarily smart, and you definitely don't have to be a
    rocket scientist to do this. It's two lines of code...Viruses aren't
    research or academic pursuits, and they're not at all respectable or
    legitimate. They're just stupid. Media in the United States and United
    Kingdom are doing a better job reporting consistently about how easy
    it is to start a virus, and more people realize that these aren't the
    work of rocket scientists. But the message isn't the same everywhere.
    Do viruses reflect some sort of grand, moral breach in our society, or
    are they merely the work of a bunch of prepubescent kids with nothing
    else to do?
    A little of both. The problem is that in school, computers are taught
    as games, not things that can cause real impact on people. I wouldn't
    read mail in my neighbor's mailbox, and I think the vast majority of
    kids know that this is wrong. But if it's in the e-mail in-box, kids
    will read it. They don't have the same morality in the virtual world
    as they have in the real world because they don't think computers are
    part of the real world.
    How long might it take to develop a moral code that is consistent from
    the physical to virtual worlds?
    It doesn't happen in one generation. It will take a long time. But we
    have to do something about it because the shift won't happen
    automatically. Educators can start teaching kids at a very, very young
    age what things are acceptable and what aren't--for instance,
    providing guidelines like, "We may share passwords but we don't steal
    Internet service providers can also go a long way in teaching that
    just because something's legal or allowed doesn't mean it's ethical.  
    You can put up virus codes online, and that's not against the law, but
    it is irresponsible. If people tell their ISPs they don't appreciate
    that these viruses are posted, maybe that will change. But if no one
    complains, the ISPs and the kids may think, "Hey, this cool. This is
    counterculture." Every kid at some point wants to be a rebel, and
    they'll pick up on it if it's around.
    What about parents?
    Absolutely. If your child loves computers, don't put it in the bedroom
    where you can't see it. It's critical for parents to know what the
    kids are doing--whether it's after school at the mall or at the
    slumber party. It's not different because it's the computer. You
    wouldn't keep your child in the bedroom with a closed door with a
    bunch of adult strangers. It should be the same way with a computer.
    Isn't the concept of rebellion timeless, and it just happens to be
    manifesting itself as viruses because we're living in a digital era?  
    Won't there always be hackers?
    Sure. Rebellion is (in) the nature of mankind. We'll always see in
    each generation a certain degree of rebellion. A long time ago, the
    biggest act of rebellion ever created was the printing press. Then it
    was the spray-paint can. Now it's the computer. It's probably going to
    be the computer for some time; you have new groups of people in
    countries coming online every day, and they all need to discover this
    stage of rebellion.
    Since you've been studying hackers, has there been any shift in our
    culture's perception of these folks?
    Yes, and it's encouraging. There's been a shift since the early '90s
    toward whether it's OK to make viruses available online. We queried
    people at Def Con about whether it's OK to make viruses available to
    the public. In the earlier days, almost everyone said, "Hey, that's
    cool and acceptable." But last year, only one or two people in the
    audience said that. The tide is turning.
    But Def Con has become so institutionalized, and it's largely the
    domain of American hackers. So many recent viruses seem to be coming
    out of Russia, China, the Philippines and other places. Are you
    optimistic about a cultural shift happening there?
    The tide is only turning in one small corner of the world. I don't
    know that this is happening across the rest of the world. You take a
    kid in a country where there aren't a whole lot of opportunities, you
    give the kid a powerful tool to get a job or get out of the situation
    they're in--they're going to start experimenting and trying to get
    some notoriety or fame. What would you do if you were that kid? I
    don't blame that kid, really. We have to understand the problem on a
    global scale.
    >From your research, what will be the hottest act of cyber-rebellion in
    the next couple of years?
    We'll see more integrated threats. It's not enough to have antivirus
    protection. You need firewall intrusion-protection. Also, the focus is
    on computers now, but as there are more and more mobile devices, there
    will be more threats. We're doing research at Symantec and presenting
    a paper on Java-enabled mobile phones, which could be shaping up as
    the next big threat.
    Lots of technophiles say that the threat from viruses and hackers is
    overblown and that Symantec and other large security companies are
    preaching paranoia in order to boost sales of their products. How do
    you respond?
    Well, let me ask you: What do you have on your computer that's
    important to you? What if a virus came in and wiped everything out?  
    Would it hurt you? I don't mean to be funny, but that's the bottom
    line. There's proof that viruses are spreading in the computer world.  
    It's a small price to pay to not have everything wiped out.
    The threats aren't overblown. We don't pull this stuff out of thin
    air. I don't see a lot of sensationalism, frankly. I hear that
    argument that we're over-blowing the security threat and that we're
    making it up. But once these people get hit, they never say that
    Let's talk about hackers, as opposed to the relatively immature and
    technically basic virus writers. Why do hackers break into computer
    systems and steal intellectual property?
    Hacking is in many ways about control, and the ability to control a
    system is very enticing. The control doesn't necessitate much
    interaction with other people. The computer is a reciprocal thing; it
    asks you for input and you give it, and vice versa. That's a very
    powerful thing.
    Paint a picture of the garden-variety hacker, as opposed to a
    virus-writing kid. Are they nerdy, loners, social outcasts?
    No, not at all. The people who get attention, who make it into the
    news, are a bit different, and a lot of them have dyed black hair and
    pierced noses. They make good pictures on the front page, but really
    most hacking is done by the guy next door--the guy who doesn't make
    good news.
    Frankly, many people who break into systems have wives and husbands in
    the other room. They're just sitting at the computer after a day of
    work, and they're hacking late at night. And a lot of them have
    developed pretty sophisticated social systems with other hackers. For
    a lot of them it turns into a game played back and forth: "I'll break
    into your system, you break into mine." It's about knowledge.
    You said "husbands and wives." Are there many female hackers?
    It's still predominantly male, but there are more female hackers now,
    and there are a few female virus writers. It didn't become popular for
    girls to be in computer classes until about two years ago, so I
    suspect we'll be seeing more. And Anna Moore won that contest at Def
    Con, remember? (Anna is a 15-year-old home-schooled student from
    Norman, Okla., who belongs to hacker club 2600 and won an ethics
    contest at the convention modeled after the hit television show
    How did you get interested in the hacker ethic and cybercrime?
    It was the mid-1980s and I got a computer and happened to find a few
    systems on the Internet at the time. I rewired my modem and learned to
    solder; they didn't have those things in the 1980s in South Bend
    (Indiana, where she was a student at Indiana University).
    I was running a bulletin board system with my CoCo (the nickname of
    the Tandy/RadioShack TRS-80 Color Computer) and got in touch with many
    people from all around the world, including some hackers. I got the
    Ping-Pong virus myself in about 1991, and I had to set about taking
    care of it. I started doing papers on it, and the academic circuit
    liked it. I went back to school and did some more projects on it for
    Indiana University. Before I knew it, CNN was in my living room and I
    was doing interviews. I didn't plan any of it.
    Your job seems really interesting. How does someone become a hacker
    ethics expert?
    I dropped out and ran away--don't do that. Stay in school and get a
    hard background in math, science, law and ethics. People who study
    science need a multidisciplinary approach. If you like computer code,
    get involved in computer science courses, but get involved in
    something else, too: Get a degree in engineering or biology and then
    get an internship at Symantec or IBM Research. Find what you love and
    just do it. Find out what makes your heart beat fast, and run with it.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Feb 06 2002 - 04:08:03 PST