[iwar] [fc:Deciphering.the.hacker.myth]

From: Fred Cohen (fc@all.net)
Date: 2002-02-05 21:10:43


Return-Path: <sentto-279987-4436-1012972149-fc=all.net@returns.groups.yahoo.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 [204.181.12.215] by localhost with POP3 (fetchmail-5.7.4) for fc@localhost (single-drop); Tue, 05 Feb 2002 21:13:08 -0800 (PST)
Received: (qmail 10523 invoked by uid 510); 6 Feb 2002 05:09:34 -0000
Received: from n31.groups.yahoo.com (216.115.96.81) by all.net with SMTP; 6 Feb 2002 05:09:34 -0000
X-eGroups-Return: sentto-279987-4436-1012972149-fc=all.net@returns.groups.yahoo.com
Received: from [216.115.97.191] by n31.groups.yahoo.com with NNFMP; 06 Feb 2002 05:09:09 -0000
X-Sender: fc@red.all.net
X-Apparently-To: iwar@onelist.com
Received: (EGP: mail-8_0_1_3); 6 Feb 2002 05:09:08 -0000
Received: (qmail 40587 invoked from network); 6 Feb 2002 05:09:08 -0000
Received: from unknown (216.115.97.172) by m5.grp.snv.yahoo.com with QMQP; 6 Feb 2002 05:09:08 -0000
Received: from unknown (HELO red.all.net) (12.232.72.98) by mta2.grp.snv.yahoo.com with SMTP; 6 Feb 2002 05:09:07 -0000
Received: (from fc@localhost) by red.all.net (8.11.2/8.11.2) id g165Ah506299 for iwar@onelist.com; Tue, 5 Feb 2002 21:10:43 -0800
Message-Id: <200202060510.g165Ah506299@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL3]
From: Fred Cohen <fc@all.net>
X-Yahoo-Profile: fcallnet
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Tue, 5 Feb 2002 21:10:43 -0800 (PST)
Subject: [iwar] [fc:Deciphering.the.hacker.myth]
Reply-To: iwar@yahoogroups.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit

Deciphering the hacker myth

By Rachel Konrad 
Staff Writer, CNET News.com
February 5, 2002, 12:00 PM PT

newsmakers Sarah Gordon doesn't dye her hair black or wear a nose ring, and
neither do the people she studies.

The senior research fellow at Symantec Security Response, Gordon is an
expert on the psychology of virus writers and hackers. And she's on a
mission to clean up stereotypes about these "bad guys."

Contrary to popular myth, Gordon says, cyber-rebels aren't underground
loners, and they're not necessarily nerdy--or even smart. She believes they
join "the dark side" of the Internet because they don't extend the same
moral code from the real world to the virtual world. She blames teachers,
journalists and parents for the breach.

Gordon lives in upstate New York with her husband, Internet architecture
expert Richard Ford. She met him in England in 1994, when Ford was editing
Britain's "Virus Bulletin." Ford attacked Gordon in an editorial for failing
to attend a conference in Bulgaria. She called to complain, and he asked her
to lunch. Thus began a trans-Atlantic courtship via Unix chats, which
continued until they were married in 1995.

Gordon participated in the White House's Cyber-Incident Steering Group last
year and conducts research at hacker conferences such as Def Con--an annual
event that bills itself as the "largest underground Internet security
gathering on the planet." She was previously a researcher for the AntiVirus
Research and Development team at IBM's Thomas J. Watson Research Center.

She talked to CNET News.com about hacker ethics, stereotypes, and the next
big threat to cybersecurity.

Q: Most academics distinguish between hackers and virus writers. What's the
difference in terms of the character and ethical code of each group?
A: Hackers have a much more highly developed skill set and a different way
of thinking. They're into bigger systems in the bigger picture. Virus
writers for the most part aren't as technologically astute and don't have a
big view. They think on the application level, not on the system level. The
two cultures are sort of coming together with blended threats, but they're
not really integrating on an intellectual or social level.

It seems like new viruses are cropping up on a weekly or monthly basis.
Who's writing them?
They run the whole spectrum, from kids to people who do it at midnight when
they come home from their corporate jobs. But in general, virus writers are
young people under 30. You're talking about kids who pick up a script. You
can have kids 10 or 12 years old getting into the game. I've known one virus
writer who was 11. 

What motivates them to write viruses instead of playing soccer or reading
books?
Basically, they think it's a game. They don't realize the impact. They play
with computers at school and at home, and we encourage that, but we don't
encourage responsible behavior on the computer. They find a virus and tinker
with it, and they don't realize what they're doing.

These kids generally don't have mal-intent. But keep in mind, it only takes
two or three people to send out a virus, and it multiplies over and over,
and it can really mess up the system. So while they may not realize the
impact, the effects can be quite destructive.

The other thing that motivates these kids is the media. You see a virus
writer in magazines and on news shows referred to as a rocket scientist. You
hear so-called experts talk about how the government and private industry
should recruit these kids to do security. One time, I remember hearing about
virus writers as people "on the fringe of the Internet frontier," and I just
cringed. When kids see this person being promoted as brilliant, they'll want
to emulate that. 

You're saying virus writers don't have IQs higher than the average person?
They're not necessarily smart, and you definitely don't have to be a rocket
scientist to do this. It's two lines of code...Viruses aren't research or
academic pursuits, and they're not at all respectable or legitimate. They're
just stupid. Media in the United States and United Kingdom are doing a
better job reporting consistently about how easy it is to start a virus, and
more people realize that these aren't the work of rocket scientists. But the
message isn't the same everywhere.

Do viruses reflect some sort of grand, moral breach in our society, or are
they merely the work of a bunch of prepubescent kids with nothing else to
do?
A little of both. The problem is that in school, computers are taught as
games, not things that can cause real impact on people. I wouldn't read mail
in my neighbor's mailbox, and I think the vast majority of kids know that
this is wrong. But if it's in the e-mail in-box, kids will read it. They
don't have the same morality in the virtual world as they have in the real
world because they don't think computers are part of the real world.

How long might it take to develop a moral code that is consistent from the
physical to virtual worlds?
It doesn't happen in one generation. It will take a long time. But we have
to do something about it because the shift won't happen automatically.
Educators can start teaching kids at a very, very young age what things are
acceptable and what aren't--for instance, providing guidelines like, "We may
share passwords but we don't steal them."

Internet service providers can also go a long way in teaching that just
because something's legal or allowed doesn't mean it's ethical. You can put
up virus codes online, and that's not against the law, but it is
irresponsible. If people tell their ISPs they don't appreciate that these
viruses are posted, maybe that will change. But if no one complains, the
ISPs and the kids may think, "Hey, this cool. This is counterculture." Every
kid at some point wants to be a rebel, and they'll pick up on it if it's
around. 

What about parents?
Absolutely. If your child loves computers, don't put it in the bedroom where
you can't see it. It's critical for parents to know what the kids are
doing--whether it's after school at the mall or at the slumber party. It's
not different because it's the computer. You wouldn't keep your child in the
bedroom with a closed door with a bunch of adult strangers. It should be the
same way with a computer.

Isn't the concept of rebellion timeless, and it just happens to be
manifesting itself as viruses because we're living in a digital era? Won't
there always be hackers?
Sure. Rebellion is (in) the nature of mankind. We'll always see in each
generation a certain degree of rebellion. A long time ago, the biggest act
of rebellion ever created was the printing press. Then it was the
spray-paint can. Now it's the computer. It's probably going to be the
computer for some time; you have new groups of people in countries coming
online every day, and they all need to discover this stage of rebellion.

Since you've been studying hackers, has there been any shift in our
culture's perception of these folks?
Yes, and it's encouraging. There's been a shift since the early '90s toward
whether it's OK to make viruses available online. We queried people at Def
Con about whether it's OK to make viruses available to the public. In the
earlier days, almost everyone said, "Hey, that's cool and acceptable." But
last year, only one or two people in the audience said that. The tide is
turning. 

But Def Con has become so institutionalized, and it's largely the domain of
American hackers. So many recent viruses seem to be coming out of Russia,
China, the Philippines and other places. Are you optimistic about a cultural
shift happening there?
The tide is only turning in one small corner of the world. I don't know that
this is happening across the rest of the world. You take a kid in a country
where there aren't a whole lot of opportunities, you give the kid a powerful
tool to get a job or get out of the situation they're in--they're going to
start experimenting and trying to get some notoriety or fame. What would you
do if you were that kid? I don't blame that kid, really. We have to
understand the problem on a global scale.

From your research, what will be the hottest act of cyber-rebellion in the
next couple of years?
We'll see more integrated threats. It's not enough to have antivirus
protection. You need firewall intrusion-protection. Also, the focus is on
computers now, but as there are more and more mobile devices, there will be
more threats. We're doing research at Symantec and presenting a paper on
Java-enabled mobile phones, which could be shaping up as the next big
threat. 

Lots of technophiles say that the threat from viruses and hackers is
overblown and that Symantec and other large security companies are preaching
paranoia in order to boost sales of their products. How do you respond?
Well, let me ask you: What do you have on your computer that's important to
you? What if a virus came in and wiped everything out? Would it hurt you? I
don't mean to be funny, but that's the bottom line. There's proof that
viruses are spreading in the computer world. It's a small price to pay to
not have everything wiped out.

The threats aren't overblown. We don't pull this stuff out of thin air. I
don't see a lot of sensationalism, frankly. I hear that argument that we're
over-blowing the security threat and that we're making it up. But once these
people get hit, they never say that again.

Let's talk about hackers, as opposed to the relatively immature and
technically basic virus writers. Why do hackers break into computer systems
and steal intellectual property?
Hacking is in many ways about control, and the ability to control a system
is very enticing. The control doesn't necessitate much interaction with
other people. The computer is a reciprocal thing; it asks you for input and
you give it, and vice versa. That's a very powerful thing.

Paint a picture of the garden-variety hacker, as opposed to a virus-writing
kid. Are they nerdy, loners, social outcasts?
No, not at all. The people who get attention, who make it into the news, are
a bit different, and a lot of them have dyed black hair and pierced noses.
They make good pictures on the front page, but really most hacking is done
by the guy next door--the guy who doesn't make good news.

Frankly, many people who break into systems have wives and husbands in the
other room. They're just sitting at the computer after a day of work, and
they're hacking late at night. And a lot of them have developed pretty
sophisticated social systems with other hackers. For a lot of them it turns
into a game played back and forth: "I'll break into your system, you break
into mine." It's about knowledge.

You said "husbands and wives." Are there many female hackers?
It's still predominantly male, but there are more female hackers now, and
there are a few female virus writers. It didn't become popular for girls to
be in computer classes until about two years ago, so I suspect we'll be
seeing more. And Anna Moore won that contest at Def Con, remember? (Anna is
a 15-year-old home-schooled student from Norman, Okla., who belongs to
hacker club 2600 and won an ethics contest at the convention modeled after
the hit television show "Survivor.")

How did you get interested in the hacker ethic and cybercrime?
It was the mid-1980s and I got a computer and happened to find a few systems
on the Internet at the time. I rewired my modem and learned to solder; they
didn't have those things in the 1980s in South Bend (Indiana, where she was
a student at Indiana University).

I was running a bulletin board system with my CoCo (the nickname of the
Tandy/RadioShack TRS-80 Color Computer) and got in touch with many people
from all around the world, including some hackers. I got the Ping-Pong virus
myself in about 1991, and I had to set about taking care of it. I started
doing papers on it, and the academic circuit liked it. I went back to school
and did some more projects on it for Indiana University. Before I knew it,
CNN was in my living room and I was doing interviews. I didn't plan any of
it. 

Your job seems really interesting. How does someone become a hacker ethics
expert?
I dropped out and ran away--don't do that. Stay in school and get a hard
background in math, science, law and ethics. People who study science need a
multidisciplinary approach. If you like computer code, get involved in
computer science courses, but get involved in something else, too: Get a
degree in engineering or biology and then get an internship at Symantec or
IBM Research. Find what you love and just do it. Find out what makes your
heart beat fast, and run with it.  

------------------------ Yahoo! Groups Sponsor ---------------------~-->
Sponsored by VeriSign - The Value of Trust
Secure all your Web servers now - with a proven 5-part
strategy. The FREE Server Security Guide shows you how.
http://us.click.yahoo.com/uCuuSA/VdiDAA/yigFAA/kgFolB/TM
---------------------------------------------------------------------~->

------------------
http://all.net/ 

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/ 



This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:03 PST