Information Security News mailing list archives

Deciphering the hacker myth


From: InfoSec News <isn () c4i org>
Date: Wed, 6 Feb 2002 02:37:16 -0600 (CST)

http://news.com.com/2008-1082-829812.html

By Rachel Konrad 
Staff Writer, CNET News.com
February 5, 2002, 12:00 PM PT

Newsmakers - Sarah Gordon doesn't dye her hair black or wear a nose
ring, and neither do the people she studies.

The senior research fellow at Symantec Security Response, Gordon is an
expert on the psychology of virus writers and hackers. And she's on a
mission to clean up stereotypes about these "bad guys."

Contrary to popular myth, Gordon says, cyber-rebels aren't underground
loners, and they're not necessarily nerdy--or even smart. She believes
they join "the dark side" of the Internet because they don't extend
the same moral code from the real world to the virtual world. She
blames teachers, journalists and parents for the breach.

 
Gordon lives in upstate New York with her husband, Internet
architecture expert Richard Ford. She met him in England in 1994, when
Ford was editing Britain's "Virus Bulletin." Ford attacked Gordon in
an editorial for failing to attend a conference in Bulgaria. She
called to complain, and he asked her to lunch. Thus began a
trans-Atlantic courtship via Unix chats, which continued until they
were married in 1995.

Gordon participated in the White House's Cyber-Incident Steering Group
last year and conducts research at hacker conferences such as Def
Con--an annual event that bills itself as the "largest underground
Internet security gathering on the planet." She was previously a
researcher for the AntiVirus Research and Development team at IBM's
Thomas J. Watson Research Center.

She talked to CNET News.com about hacker ethics, stereotypes, and the
next big threat to cybersecurity.


Q: Most academics distinguish between hackers and virus writers.  
What's the difference in terms of the character and ethical code of
each group?

A: Hackers have a much more highly developed skill set and a different
way of thinking. They're into bigger systems in the bigger picture.  
Virus writers for the most part aren't as technologically astute and
don't have a big view. They think on the application level, not on the
system level. The two cultures are sort of coming together with
blended threats, but they're not really integrating on an intellectual
or social level.


Q: It seems like new viruses are cropping up on a weekly or monthly
basis. Who's writing them?

A: They run the whole spectrum, from kids to people who do it at midnight
when they come home from their corporate jobs. But in general, virus
writers are young people under 30. You're talking about kids who pick
up a script. You can have kids 10 or 12 years old getting into the
game. I've known one virus writer who was 11.


Q: What motivates them to write viruses instead of playing soccer or
reading books?

A: Basically, they think it's a game. They don't realize the impact. They
play with computers at school and at home, and we encourage that, but
we don't encourage responsible behavior on the computer. They find a
virus and tinker with it, and they don't realize what they're doing.

These kids generally don't have mal-intent. But keep in mind, it only
takes two or three people to send out a virus, and it multiplies over
and over, and it can really mess up the system. So while they may not
realize the impact, the effects can be quite destructive.

The other thing that motivates these kids is the media. You see a
virus writer in magazines and on news shows referred to as a rocket
scientist. You hear so-called experts talk about how the government
and private industry should recruit these kids to do security. One
time, I remember hearing about virus writers as people "on the fringe
of the Internet frontier," and I just cringed. When kids see this
person being promoted as brilliant, they'll want to emulate that.


Q: You're saying virus writers don't have IQs higher than the average
person?

A: They're not necessarily smart, and you definitely don't have to be a
rocket scientist to do this. It's two lines of code... Viruses aren't
research or academic pursuits, and they're not at all respectable or
legitimate. They're just stupid. Media in the United States and United
Kingdom are doing a better job reporting consistently about how easy
it is to start a virus, and more people realize that these aren't the
work of rocket scientists. But the message isn't the same everywhere.


Q: Do viruses reflect some sort of grand, moral breach in our society, or
are they merely the work of a bunch of prepubescent kids with nothing
else to do?

A: A little of both. The problem is that in school, computers are taught
as games, not things that can cause real impact on people. I wouldn't
read mail in my neighbor's mailbox, and I think the vast majority of
kids know that this is wrong. But if it's in the e-mail in-box, kids
will read it. They don't have the same morality in the virtual world
as they have in the real world because they don't think computers are
part of the real world.


Q: How long might it take to develop a moral code that is consistent from
the physical to virtual worlds?

A: It doesn't happen in one generation. It will take a long time. But we
have to do something about it because the shift won't happen
automatically. Educators can start teaching kids at a very, very young
age what things are acceptable and what aren't--for instance,
providing guidelines like, "We may share passwords but we don't steal
them."

Internet service providers can also go a long way in teaching that
just because something's legal or allowed doesn't mean it's ethical.  
You can put up virus codes online, and that's not against the law, but
it is irresponsible. If people tell their ISPs they don't appreciate
that these viruses are posted, maybe that will change. But if no one
complains, the ISPs and the kids may think, "Hey, this is cool. This is
counterculture." Every kid at some point wants to be a rebel, and
they'll pick up on it if it's around.


Q: What about parents?

A: Absolutely. If your child loves computers, don't put it in the bedroom
where you can't see it. It's critical for parents to know what the
kids are doing--whether it's after school at the mall or at the
slumber party. It's not different because it's the computer. You
wouldn't keep your child in the bedroom with a closed door with a
bunch of adult strangers. It should be the same way with a computer.


Q: Isn't the concept of rebellion timeless, and it just happens to be
manifesting itself as viruses because we're living in a digital era?
Won't there always be hackers?

A: Sure. Rebellion is (in) the nature of mankind. We'll always see in
each generation a certain degree of rebellion. A long time ago, the
biggest act of rebellion ever created was the printing press. Then it
was the spray-paint can. Now it's the computer. It's probably going to
be the computer for some time; you have new groups of people in
countries coming online every day, and they all need to discover this
stage of rebellion.


Q: Since you've been studying hackers, has there been any shift in our
culture's perception of these folks?

A: Yes, and it's encouraging. There's been a shift since the early '90s
toward whether it's OK to make viruses available online. We queried
people at Def Con about whether it's OK to make viruses available to
the public. In the earlier days, almost everyone said, "Hey, that's
cool and acceptable." But last year, only one or two people in the
audience said that. The tide is turning.


Q: But Def Con has become so institutionalized, and it's largely the
domain of American hackers. So many recent viruses seem to be coming
out of Russia, China, the Philippines and other places. Are you
optimistic about a cultural shift happening there?

A: The tide is only turning in one small corner of the world. I don't
know that this is happening across the rest of the world. You take a
kid in a country where there aren't a whole lot of opportunities, you
give the kid a powerful tool to get a job or get out of the situation
they're in--they're going to start experimenting and trying to get
some notoriety or fame. What would you do if you were that kid? I
don't blame that kid, really. We have to understand the problem on a
global scale.


Q: From your research, what will be the hottest act of cyber-rebellion in
the next couple of years?

A: We'll see more integrated threats. It's not enough to have antivirus
protection. You need firewall intrusion-protection. Also, the focus is
on computers now, but as there are more and more mobile devices, there
will be more threats. We're doing research at Symantec and presenting
a paper on Java-enabled mobile phones, which could be shaping up as
the next big threat.


Q: Lots of technophiles say that the threat from viruses and hackers is
overblown and that Symantec and other large security companies are
preaching paranoia in order to boost sales of their products. How do
you respond?

A: Well, let me ask you: What do you have on your computer that's
important to you? What if a virus came in and wiped everything out?  
Would it hurt you? I don't mean to be funny, but that's the bottom
line. There's proof that viruses are spreading in the computer world.  
It's a small price to pay to not have everything wiped out.

The threats aren't overblown. We don't pull this stuff out of thin
air. I don't see a lot of sensationalism, frankly. I hear that
argument that we're over-blowing the security threat and that we're
making it up. But once these people get hit, they never say that
again.


Q: Let's talk about hackers, as opposed to the relatively immature and
technically basic virus writers. Why do hackers break into computer
systems and steal intellectual property?

A: Hacking is in many ways about control, and the ability to control a
system is very enticing. The control doesn't necessitate much
interaction with other people. The computer is a reciprocal thing; it
asks you for input and you give it, and vice versa. That's a very
powerful thing.


Q: Paint a picture of the garden-variety hacker, as opposed to a
virus-writing kid. Are they nerdy, loners, social outcasts?

A: No, not at all. The people who get attention, who make it into the
news, are a bit different, and a lot of them have dyed black hair and
pierced noses. They make good pictures on the front page, but really
most hacking is done by the guy next door--the guy who doesn't make
good news.

Frankly, many people who break into systems have wives and husbands in
the other room. They're just sitting at the computer after a day of
work, and they're hacking late at night. And a lot of them have
developed pretty sophisticated social systems with other hackers. For
a lot of them it turns into a game played back and forth: "I'll break
into your system, you break into mine." It's about knowledge.


Q: You said "husbands and wives." Are there many female hackers?

A: It's still predominantly male, but there are more female hackers now,
and there are a few female virus writers. It didn't become popular for
girls to be in computer classes until about two years ago, so I
suspect we'll be seeing more. And Anna Moore won that contest at Def
Con, remember? (Anna is a 15-year-old home-schooled student from
Norman, Okla., who belongs to hacker club 2600 and won an ethics
contest at the convention modeled after the hit television show
"Survivor.")


Q: How did you get interested in the hacker ethic and cybercrime?

A: It was the mid-1980s and I got a computer and happened to find a few
systems on the Internet at the time. I rewired my modem and learned to
solder; they didn't have those things in the 1980s in South Bend
(Indiana, where she was a student at Indiana University).

I was running a bulletin board system with my CoCo (the nickname of
the Tandy/RadioShack TRS-80 Color Computer) and got in touch with many
people from all around the world, including some hackers. I got the
Ping-Pong virus myself in about 1991, and I had to set about taking
care of it. I started doing papers on it, and the academic circuit
liked it. I went back to school and did some more projects on it for
Indiana University. Before I knew it, CNN was in my living room and I
was doing interviews. I didn't plan any of it.


Q: Your job seems really interesting. How does someone become a hacker
ethics expert?

A: I dropped out and ran away--don't do that. Stay in school and get a
hard background in math, science, law and ethics. People who study
science need a multidisciplinary approach. If you like computer code,
get involved in computer science courses, but get involved in
something else, too: Get a degree in engineering or biology and then
get an internship at Symantec or IBM Research. Find what you love and
just do it. Find out what makes your heart beat fast, and run with it.



-
ISN is currently hosted by Attrition.org
