Slashdot Mirror
The Psychology of Virus Writers
securitas writes "BBC Technology reports on the psychology of virus writers and the work of security researcher Sarah Gordon, who has been studying this area for 20 years. ''The stereotype that virus writers are all young teenage boys with no social life, hiding in their basement is not accurate,' she said. In contrast, she said, most virus creators are typical for their age, are on good terms with friends and family and are often contributors to their local community.' The story is an interesting contrast to a previous BBC report about why people write viruses."
Because it's good business, when you're being paid by spammers to create huge networks of compliant computers.
The kids who learnt how to do this 5-10 years ago are now living off it. For the really good virus writers, it's become a career.
Ceci n'est pas une signature
Many of the people writing newer viruses (those that relate to spam) are of a different breed entirely. I personally believe the people responsible for modern Internet spamming worms are more malicious than teenage hackers would ever want to be. These menaces to society consider themselves businessmen. You wish we were dealing with teenage hackers. Read up on Internet spam and viruses, and see this less technical article along the same lines.
I have never used antivirus program for the last 4 or 5 years and my computer has never be infected with a virus. Actually it is a mistery for me why people execute apparently infected file on their computers and then blame others for their stupidity.
I remember the times when viruses spread around with floppies. It got written into boot sector and loaded into memory when floppy was inserted into drive. Then antivirus programms were necessary. Nowadays, however, it is not a technical issue to write a virus but purely human engineering. Those virus writters have better understanding of average human psychology than I have and they know that average Joe will download untrusted file, or will run the attachment, regardless how suspicious it may look.
Why care about virus writers? They will always be arrond like those who draw grafiti on walls which is a nuisance but not something that any sane man would seriously believe to. Better educate people how to use their computers and whom to trust online.
The article in general didn't seem to be too Slashdot worthy, so to speak.
I mean, for the general public it might be big news that writing viruses, especially nowadays with MS Outlook everywhere, has become a challenge just about only for a few teenagers. The article didn't mention anything about even the possibility of someone writing viruses for some ill purpose e.g. creating spam drones, preparing for a DDoS attack or whatever.
In a typical psychologist style there were general statements like "viruses written by hackers are more complex". Who's a hacker? For me it's Linus and Alan Cox etc. not someone running "nmap" and waiting for a new exploit to be published. The point is there is no clear definition of a"hacker" and the statement becomes plain meaningless. What does "typical of their age mean"? Oh nevermind.
Btw. Also I'm not sure what she meant by "participating in the local community". Does that mean slashdot?
"In contrast, she said, most virus creators are typical for their age, are on good terms with friends and family and are often contributors to their local community"
Couldn't the same be said for most crimminals?
For corporations, all it takes is one guy with a laptop to get infected and bypass the firewalls. You might not be affected, but IT depts are.
Do you even lift?
These aren't the 'roids you're looking for.
How do you know you've not got a malicious programme running if you never check? It's not like viruses randomly start games of casino with the stake being your HD any more...
I think ethics should be in the school curriculum, but not just with respect to computers. There are far too many self centred people coming out of schools. And by ethics I do not mean religious dogma; I mean an honest, frank, and thoughtfull discussion of consequential and deontological ethics, without reference to religion.
I'd also like to see First-aid and basic emergency procedures a required part of the curriculum... it really sucks to be the only one at an accident scene who knows first aid when you're one of the casualties.
Firstly, virus writers are people who find challenges in their work; they do it for fun or money; rarely if ever is there a hacker who was motivated to gain their knowledge from feelings of intense hate or greed. It takes a lot of time, talent, and work to learn to hack, and usually somewhere along the line you get a political and social education that, due to the inherently high intellegence you recive, learn to cherish and use.
Case in point, why hasn't the doomsday virus been released? Think blaster accept it turns your computer into a spam machine and deletes everything accept windows and the virus, for example. Any hacker with sufficient knowledge of how to do this also knows that we live 3 meals from anarchy; if the accounting and shipping systems of a major food chain go down because of your virus and can't be brought back up again, the food won't get delivered. What happens to the inner cities and suburbs? The farms? Other countries?
They know if they do this that they are indirectly fucking themselves, and many infact fear other hackers doing this. This is the reason for blaster; to show everyone how insecure the system is and all it takes is one person with sufficient knowledge to start ww3.
Additionally, hackers are extremly social beings. They all come from varied backround but almost all have 2 things in common; they faced conflict at a young age that they overcame, and that they overcame our school system dumbing down intact enough that they still have a love for learning and playing. They love to be social, infact, some 2600 meetings involve people bringing their boxen, and trying to hack eachother to kingdom com, this is the basis of social virus writing she is talking about although some groups may be more militant than others. Some hacker cons also feature this but wherever there's a major con, there is also feds and police but the smaller meetings are unpoliced and patrons (such as stores, becuase face it, they don't hold these at houses that often) usually welcome the groups as they bring buisness. The more friendly groups welcome newbies to learn so long as they don't come too often (even the best of us will go on a homicidal rampage if people ask questions too often, too repeditvly).
What bothers me is how she ends the article "There are much better ways to use your time online." which shows she knows nothing about the subject she's writing about. Do what else online? But crap? Play games? Watch pr0n and jack off, pirate music and movies, get angry about stuff help political movements? Join a irc group circle jerk where everyone else calls everyone else l33t?
Writing viruses is a crucial part of our society, if it weren't for these smaller groups we wouldn't know how insecure everything is and if we didn't know how insecure everything is, we wouldn't be trying to secure it. Take Independance Day (Yea, the movie with all those aliens and ships nuking us). Why did we win? Because the aliens had bad computer security, that's why. People call me nuts, but when it boils down to it, do you want to be safe from the pain or do you want to take the pain full on and if you survive it, will you then learn?
I also had a big problem with this part;
"I believe that with correctly designed curriculum, talking about ethics can really reduce these behaviours," she said, "they need to learn from the first time they use a computer what is appropriate and what is not." .
Oh, so it's wrong for me to figure out what's wrong with a computer and fix it, but it's right for microsoft to lie to millions of people and advertise their OS as secure then bribe judges to be nice to them? This bitch has no idea what she's talking about and BBC by publishing her bullshit has further done damage to the reputation of hackers everywhere.
Finally, to end this on a constructive note, If you want to have a good understanding of hackers and their nature, listen to radio freek america. They do all sorts of hacking on air th
Candy-Coated Knowledge
I think the error already was made when someone tried looking for a reason. Reasons are conscious acts, the people doing this are not even aware of why they are doing this, even though they "think" they are. This is about natural competitive instincts, but in a different environment. It's a way of expressing yourself, and it will continue as long as these people receive feedback, which is what this article and many others provide.
As reported in this Slashdot story, the interview is here (free reg, etc.)
The relevant question and response were:
We've been getting hit with a lot of viruses and worms lately. What's your idea for ending the attacks?
When you have people who hook up these machines that weren't designed for the Internet, and they don't even want to know about all the intricacies of network security, what can you expect? We get what we have now: a system that can be brought down by a teenager with too much time on his hands. Should we blame the teenager? Sure, we can point the finger at him and say, ''Bad boy!'' and slap him for it. Will that actually fix anything? No. The next geeky kid frustrated about not getting a date on Saturday night will come along and do the same thing without really understanding the consequences. So either we should make it a law that all geeks have dates -- I'd have supported such a law when I was a teenager -- or the blame is really on the companies who sell and install the systems that are quite that fragile.
"Virus writing is not rocket science," she said, "it's undesirable and irresponsible behaviour."
Whatever else you might claim about computer viruses, they sure haven't led to as many deaths as rocket science has.
The article was so general! Anyone could have made those statements.
If you know the culture of American women, this is typical. Ms. Gordon uses words like hacker that have no clear definition. This is just someone pretending to be logical and scientific. She is not actually logical. It's like a supermodel wearing sailor suit. The supermodel is not actually a sailor, she is just trying to be cute.
It would be an interesting social investigation to try to discover why Ms. Gordon works for Symantec. Does she have duties in which she is actually useful? Any method of educating virus writers not to be anti-social would reduce Symantec's income. Knowing Symantec, I doubt there is any intention of being altruistic. Why does Ms. Gordon work there? Did someone think she is attractive? Did someone at Symantec hire her in a flight of fantasy?
Ms. Gordon is not a programmer. She has never written a virus. It is safe to say she knows very little about what actually happens inside a programmer's mind, other than what is obvious to anyone who questions.
But aren't stereotypes a logical and efficient way of group things (in this case people)?
All systems of knowledge acquisition are fallable and stereotyping is no exception. The problem with stereotyping is that there is no room for corrections or recalibrations. People usually stereotype groups that they do not associate with, usually minorities. They have no opportunity to correct any mistakes in their assessment. For example, let's say that you're a New Yorker and you stereotype all people from West Virginia as rednecks. What is the likelihood that you will meet a West Virginian and think otherwise? Almost none. Your narrow-minded perspective of West Virginian remains flawed and uncorrected.
Best code I ever saw was in a 68000-based bootsector virus, that used all 4-byte length instructions throughout the code. I thought that was pretty odd, until I noticed a jmp to an instruction near the beginning, half way through an instruction... damn son of a bitch had the other half of the virus somehow interleaved with itself, saving some space and producing some of the most insanely hackish, but somehow operational code I've ever seen. I can't even conceive of that kind of genius. We'll all miss the Lady.
These days, we're better at epidemiology too. Sapphire was a near-optimal worm for spread speed - a small, perfect little design, whose random scan's peak infection speed blew away everything else. The small code size enabled UDP single packet infection, which proved to be far more of an effective vector for rapid spread than a more intelligent scanner.
The answer to your question; why don't people that good write viruses anymore? Because there are less of us, because some of us are dead, because some of us grew out of it, and because those that are left know damn well enough not to release a virus that isn't absolutely 100% fucking perfect because you'll get caught.
I can virtually guarantee you'll never see a virus written by me.
0x7a69
LOL! Man, that is so dead on about these kids who are 6 months out of mom's basement and think they know all about how the real world works :)
The parent post also neglected to realise that super-destructo viruses have a very short lifespan in the wild, because a virus that kills its hosts doesn't spread nearly as well as one that only subtly disables something but leaves the majority of the system in working order. Also, it's a lot more likely to get noticed and targeted for extermination *real* early in its career.
~REZ~ #43301. Who'd fake being me anyway?