Slashdot Mirror
The Psychology of Virus Writers
securitas writes "BBC Technology reports on the psychology of virus writers and the work of security researcher Sarah Gordon, who has been studying this area for 20 years. ''The stereotype that virus writers are all young teenage boys with no social life, hiding in their basement is not accurate,' she said. In contrast, she said, most virus creators are typical for their age, are on good terms with friends and family and are often contributors to their local community.' The story is an interesting contrast to a previous BBC report about why people write viruses."
Do virus writers really go to virus conventions? I'd think you'd find people like Ms Gordon, undercover FBI, wannabe 133t teenagers, and maybe a couple former virus writers out of jail and trying to find admiration.
Do you even lift?
These aren't the 'roids you're looking for.
How about running a similar investigation on /. folk?
The owls are not what they seem
"The stereotype that virus writers are all young teenage boys with no social life, hiding in their basement is not accurate" It is quite normal for teenage boys with no social life(something they have no control over) to hide in their basement. I believe it was Linus Torvalds who said that we could alll breathe easier if all these poor people could just get some dates. (someone will probably redirect this to the NYT magazine interview)
10 Bits= $.25
100 Bits= $.50
110 Bits= $.75
1000 Bits= 1 byte
Because it's good business, when you're being paid by spammers to create huge networks of compliant computers.
The kids who learnt how to do this 5-10 years ago are now living off it. For the really good virus writers, it's become a career.
Ceci n'est pas une signature
"Mua ha ha."
The coolest voice ever.
Many of the people writing newer viruses (those that relate to spam) are of a different breed entirely. I personally believe the people responsible for modern Internet spamming worms are more malicious than teenage hackers would ever want to be. These menaces to society consider themselves businessmen. You wish we were dealing with teenage hackers. Read up on Internet spam and viruses, and see this less technical article along the same lines.
For your average email virus, slap on a SMTP engine, a searcher to grab email addresses, and a semi-interesting email so people will run the program, and bam, you're got yourself an email virus, preying upon people's stupidity.
/. lawyers and people who play one: virus writing is illegal, I know, but is writing a trojan illegal? And if it is, how do you define a trojan?
On the other hand, things that attack vulnerabilities such as buffer overruns, etc are harder because you actually have to do some research.
A question for
Stereotype is a word that seems thrown around an awful lot these days, and it's often used in a negative context. But aren't stereotypes a logical and efficient way of group things (in this case people)?
I'm not saying that every stereotype is right all the time, and some are downright wrong, and have been perpetuated, not out of a means of mentally sorting and grouping, but out of hate or fear.
Anyway, I'm gonna go hang out in the backyard of my white Protestant family's backyard and talk about golf while barbecuing.
Cloud City Digital: DVD Production at its cheapest/finest
The article says Ms. Gordon has been studying this for 20 years. I think she is the one that needs to have a social life.
Chaos will always win out over order because chaos is more organized
I have never used antivirus program for the last 4 or 5 years and my computer has never be infected with a virus. Actually it is a mistery for me why people execute apparently infected file on their computers and then blame others for their stupidity.
I remember the times when viruses spread around with floppies. It got written into boot sector and loaded into memory when floppy was inserted into drive. Then antivirus programms were necessary. Nowadays, however, it is not a technical issue to write a virus but purely human engineering. Those virus writters have better understanding of average human psychology than I have and they know that average Joe will download untrusted file, or will run the attachment, regardless how suspicious it may look.
Why care about virus writers? They will always be arrond like those who draw grafiti on walls which is a nuisance but not something that any sane man would seriously believe to. Better educate people how to use their computers and whom to trust online.
It's true, I'm on the second floor not in the basement.
-Tim Louden
"In contrast, she said, most virus creators are typical for their age, are on good terms with friends and family and are often contributors to their local community"
Couldn't the same be said for most crimminals?
For corporations, all it takes is one guy with a laptop to get infected and bypass the firewalls. You might not be affected, but IT depts are.
Do you even lift?
These aren't the 'roids you're looking for.
How do you know you've not got a malicious programme running if you never check? It's not like viruses randomly start games of casino with the stake being your HD any more...
If I had some mod points, you'd get Insightful easy.
(start rant)
Fact is, people, most users are idiots. People run attachments and expect geeks to fix it, all the time blaming someone else for their stupidity.. Seriously, you will not believe the number of times I have been called over by a computer illiterate person, asking whether the Windows prompt boxes on their screens are real (it's really the web page ads that masquerade as prompt boxes). I wish there was some kind of mandatory license to use the Internet; if you know what the hell you're doing, fine, you get to use the internet with no restrictions. But if you fail, a Special Ops Geek Force will invade your home, and lockdown your computers (e.g. firewall, popup blockers, antivirus, etc, that all work automatically). And maybe we can have some fun educating some chicks about computers.
I think ethics should be in the school curriculum, but not just with respect to computers. There are far too many self centred people coming out of schools. And by ethics I do not mean religious dogma; I mean an honest, frank, and thoughtfull discussion of consequential and deontological ethics, without reference to religion.
I'd also like to see First-aid and basic emergency procedures a required part of the curriculum... it really sucks to be the only one at an accident scene who knows first aid when you're one of the casualties.
Firstly, virus writers are people who find challenges in their work; they do it for fun or money; rarely if ever is there a hacker who was motivated to gain their knowledge from feelings of intense hate or greed. It takes a lot of time, talent, and work to learn to hack, and usually somewhere along the line you get a political and social education that, due to the inherently high intellegence you recive, learn to cherish and use.
Case in point, why hasn't the doomsday virus been released? Think blaster accept it turns your computer into a spam machine and deletes everything accept windows and the virus, for example. Any hacker with sufficient knowledge of how to do this also knows that we live 3 meals from anarchy; if the accounting and shipping systems of a major food chain go down because of your virus and can't be brought back up again, the food won't get delivered. What happens to the inner cities and suburbs? The farms? Other countries?
They know if they do this that they are indirectly fucking themselves, and many infact fear other hackers doing this. This is the reason for blaster; to show everyone how insecure the system is and all it takes is one person with sufficient knowledge to start ww3.
Additionally, hackers are extremly social beings. They all come from varied backround but almost all have 2 things in common; they faced conflict at a young age that they overcame, and that they overcame our school system dumbing down intact enough that they still have a love for learning and playing. They love to be social, infact, some 2600 meetings involve people bringing their boxen, and trying to hack eachother to kingdom com, this is the basis of social virus writing she is talking about although some groups may be more militant than others. Some hacker cons also feature this but wherever there's a major con, there is also feds and police but the smaller meetings are unpoliced and patrons (such as stores, becuase face it, they don't hold these at houses that often) usually welcome the groups as they bring buisness. The more friendly groups welcome newbies to learn so long as they don't come too often (even the best of us will go on a homicidal rampage if people ask questions too often, too repeditvly).
What bothers me is how she ends the article "There are much better ways to use your time online." which shows she knows nothing about the subject she's writing about. Do what else online? But crap? Play games? Watch pr0n and jack off, pirate music and movies, get angry about stuff help political movements? Join a irc group circle jerk where everyone else calls everyone else l33t?
Writing viruses is a crucial part of our society, if it weren't for these smaller groups we wouldn't know how insecure everything is and if we didn't know how insecure everything is, we wouldn't be trying to secure it. Take Independance Day (Yea, the movie with all those aliens and ships nuking us). Why did we win? Because the aliens had bad computer security, that's why. People call me nuts, but when it boils down to it, do you want to be safe from the pain or do you want to take the pain full on and if you survive it, will you then learn?
I also had a big problem with this part;
"I believe that with correctly designed curriculum, talking about ethics can really reduce these behaviours," she said, "they need to learn from the first time they use a computer what is appropriate and what is not." .
Oh, so it's wrong for me to figure out what's wrong with a computer and fix it, but it's right for microsoft to lie to millions of people and advertise their OS as secure then bribe judges to be nice to them? This bitch has no idea what she's talking about and BBC by publishing her bullshit has further done damage to the reputation of hackers everywhere.
Finally, to end this on a constructive note, If you want to have a good understanding of hackers and their nature, listen to radio freek america. They do all sorts of hacking on air th
Candy-Coated Knowledge
Please get over this. I know that there are "white hat" "hackers" out there who want the meaning of hacker to be something different, but you lost that battle a LONG time ago. Ask anyone on the street these days, and they'll tell you a hacker is someone who maliciously breaks into people's computers. You can't change that, just come up with a different name to call yourself or live with the reaction most people will have when you tell them you are a hacker.
Any hacker with sufficient knowledge of how to do this also knows that we live 3 meals from anarchy; if the accounting and shipping systems of a major food chain go down because of your virus and can't be brought back up again, the food won't get delivered. What happens to the inner cities and suburbs? The farms? Other countries?
Kid, critical shit isn't connected to the Internet. It's just not. Web servers don't count as mission critical. I don't think that anybody died because of "Blaster". Hackers are *not* that important.
They all come from varied backround but almost all have 2 things in common; they faced conflict at a young age that they overcame, and that they overcame our school system dumbing down intact enough that they still have a love for learning and playing.
Yeah, you're describing dorks in school that got beat up. Boo-fuckin'-hoo. If you read the article you'd realize that she said that this is NOT the stereotypical virus writer.
Writing viruses is a crucial part of our society, if it weren't for these smaller groups we wouldn't know how insecure everything is and if we didn't know how insecure everything is, we wouldn't be trying to secure it
Insecure from what? Oh yeah, script kiddies telling us how insecure our boxes are. It's a vicious cycle. Security wouldn't be a problem if not for these little spoiled shits with too much time on their hands.
Take Independance Day (Yea, the movie with all those aliens and ships nuking us). Why did we win? Because the aliens had bad computer security, that's why.
That was the most ridiculous movie I've ever seen. That doesn't prove anything. And yes, you are nuts. Fucking nuts if you think that the movie "Independence Day" proves anything.
Oh, so it's wrong for me to figure out what's wrong with a computer and fix it, but it's right for microsoft to lie to millions of people and advertise their OS as secure then bribe judges to be nice to them?
Last I checked, virus writers aren't fixing anything.
Kid, you're delusional. Get a job. Get a life. Get laid.
At the risk of responding to a -1 post...
Maybe it makes us feel good to educate these people, at the same time as we are installing a firewall for them and pointing them to lavasoftusa.com?
Every person posting on this site knows the difference, and for the most part, people that don't aren't likely to matter until you have explained it to them.
Doesn't it make sense to have an immediate reaction test like the word hacker to assess unknown people with?
I for one welcome our new "know the difference" underlords.
Do not meddle in the affairs of geeks for they are subtle and quick to anger
Anyway, I'm gonna go hang out in the backyard of my white Protestant family's backyard and talk about golf while barbecuing.
1) Your backyard has a backyard? Cool!
2) Golf while barbecuing? Do you have a grill hitched to the back of the golf cart? 'Cause that would be neat, but the greenskeeper might get mad. Oh, you meant ((talk about golf) while barbecuing), not (talk about (golf while barbecuing)). Gotcha.
Bet you thought these would be at least somewhat relevant questions about stereotypes. In the words of Dark Helmet: "Fooled you!"
I want to drag this out as long as possible. Bring me my protractor.
Read about Scott Atran's Paper on the psychology of suicide bombers.
Unless we take the time to understand and remove preconceived moral notions we put ourselves at a disadvantage vis a vis solving the problem by fixing the underlaying issues
Help fight continental drift.
Did someone think she is attractive? Did someone at Symantec hire her in a flight of fantasy?
Have you seen a picture of her? Maybe attractive if I put on my beer goggles. She probably didn't get her job just on looks and while not be a programmer the media seems to think she's a computer security expert. Disclaimer: I only know what little I've read about her. Personally, I think you're right about the article. It makes a lot of weeping statements and generalizations without facts to back them up.
In her experience many malicious hackers have a borderline criminal view of the world and do not share mainstream ethical norms.
That's what I'd expect someone from Symantic to say. Because Symantic makes it's money protecting and promoting Microsoft junk, this lady is far from impartial. Good virus writers may be hackers, but blaming hackers for viruses is like blaming people for murder.
Her view of script kiddies is also simplistic and patronizing. I'd wager that most script kiddies' outside the "mainstream ethical" norm's thought process has more coherence and depth to it than her blather.
While I don't write viruses and I don't think they are a reasonable form of protest - the moral standpoint is correct. Microsoft is an evil company that produces and forces shoddy, invasive software on the world. They have screwed their business partners, employees, shareholders and customers. Their vision of computing makes TIAA look small and well behaved. Virus writers realize thses things and point them out to people . They exploit holes in Microsoft software to mail out personal information, drive people nuts with adverts and do other things that Microsoft does themselves. They seek to make the public aware of these practices and flaws and have to shout out and make the user notice. They, as most of us here, believe that the world would be better off without Microsoft. People are better off with free software that protects their privacy and control of their machine than they are with Microsoft. Virus writers are pointing out the flaws directly. In deed, these people go out of their way to do it and have no prospect of rewared other than a job well done. Criminal? Perhaps, but so is Microsoft, the convicted anti-trust and IP violator. Condeming the virus writer as criminal and unethical shows a poor understanding of the class.
Friends don't help friends install M$ junk.
Yeah, the usual fakery did show up, in your reply.
Ms. Gordon is not actually logical?
Hired for her looks?
Typical of the "culture of American women"?
One psychologist writes an article (intended for mass consumption, not an academic audience), and you forgo logic to assume all women are illogical.
Let me guess, women make their decisions based on emotions, you buy into the theory that PMS is behind most female crimes, etc.
At least TRY to be logical when attacking someone else for being illogical.
In terms of the actual article, keep her audience in mind. She has a purpose in writing what she did. This was not purely scientific, but a rhetorical performance, with a particular audience: the general public. She therefore catered her use of language (and how much depth she went into regarding her methods and results) to such an audience.
Had this been written for an academic journal of some repute, you'd be reading something very different.
That pal you refered to was nick-named "Dark Avenger". I think he quit communicating with Ms. Gordon when she became Mrs. Gordon.
I don't call them "viri", either. I call them "virii", which is the accepted slang pluralization of the proper English "viruses" in the virii community.
Shows how much you know.
I emailed Sarah godron for a article she wrote entitled Don't let your kids grow up to be hackers. I directed her to numurous url's with that more then explain the difference between a hacker a cracker and a virus wrtie. She basicly told me it was some one else's article. And the media twisted the articles word around. Then she also told me that consumers do not know the difference so they make the article as scary and apealing to the idiotic mind as they can.
/crackers and such, Every single one of them told me They did not write the original article it was the works of some one else basicly just using there name. And every single one of them also told me It's what the people want to here.
But my main point is here, Every single reporter that I have emailed about making false claims about hackers
So don't take these articles for what they are the media twists them and re writes them all to make them apear sexier, And non of the so claimed authors are truely the real author.
She is probably a psycologist by trainning.
So she may know for what she speaks in a general sense.
BUT... why hire her?
Quite simple even from the early days of anti-virus companys a certan amount of hype was needed to keep in business.
Macafie's early virus infection stats were so inflated some in the field were very scepitcal.
Unix experts were quick to point out that ANY secure operating system would resist virus infection and blamed viruses on Dos having primitive multitasking with out the precaution of security to prevent abuse.
It is possable some Mac users may have repeated this sentiment before the Macintosh had multitasking support of it's own is so it was incommen enough that I never heard of it. But with presure from the compeating Windows GUI the Mac added multitasking and not much later the first Mac virus was born.
Soon after antivirus companys leapped to clame this disproved the Mac clame that viruses were a Dos phonominon and that this proves that ALL systems may be infected.
However the long winded Unix rant on the subject did predict that other operating systems will fall to the same fate IF they folow Microsofts example. Apple did.
In short anti-virus companys used FUD to counter the clame that good os design would thwart viruses.
Years later....
A very dumb design flaw in an obscure Linux graphics libary encuraged users to disable the security of Linux to play games.
Repeating the Unix clame.. "Any SECURE operating system" Not any Unix.. not any good.. The key word is SECURE. With this bug Linux users were disabling the security of Linux just to play games.
A short time later a virus is born.
What happened here is simple. Like MacOs Linux folowed Microsofts example. Only this time Linux removed a feature instead of adding one but it's all to the same results.
Once the virus was discovered it took no time for the PR machine of anti-virus companys to jump on the bandwagon. They declaired the "No Unix virus myth" to be dead and prommised a line of anti-virus software for Linux to be available shortly.
Linux users no matter how stupid do learn. There were no more reports of infection and no anti-virus software was made avaiable.
Both cases prove the original Unix rant yet anti-virus companys chouse to see it diffrently.
Every so often anti-virus companys put out new press releaces clamming a "New Linux virus" when all that has been created was an opinion paper that can be summerised "I think Linux viruses are possable" usually assuming Linux is a Windows 95 clone.
However I think we've seen the last of those articals as sombody pointed out that viruses are obsolete and worms are the future. He has a point.
This makes the virus companys jobs even harder as Microsoft has started taking the issue reasonably sereously.
(They've taken it sereously back when Windows 95 was created. Sereously in the fact that they needed to con the public into believing Windows wasn't a security risk but not enough to actually make 95 not a security risk)
While viruses work fine on a typical insecure system with no actual defects to exploit worms can't infect with out a defect.
But worms spread faster and by the time antivirus software can do anything your already infected.
All antivirus companys can do is provide disinfection software however (ahem HINT HINT) open source software could easly do the same job.
Also worms need to attack a server with a defect so the flaw is not found in Windows itself but an application in most cases one included in the Windows install CD.
If the typical user would remove applications they were NOT using and install updates and keep an eye on the services they were using there wouldn't be an issue.
But as the typical Windows user dosn't do any of that worms are going to have plenty of opratunitys to attack and there isn't a single thing Microsoft can do about it.
Many users eather don't know or don't care. Those that do
I don't actually exist.
The parent post is not well written, but it does answer the question posed by the grandparent post.
Basically, he says that virus software is closely related to fraud, or is fraud itself. His argument is that there are 4 kinds of users:
- Those who are technically knowledgeable and care about their systems.
On windows, I use the ZoneAlarm firewall to supplement my hardware firewall. I
keep my system updated. I know that a new virus won't be detected by
anti-virus software, because to detect a new virus, there must be a new virus
definition, and that won't be available in the first few days. I don't click
on spam attachments. I don't use Outlook Express.
- Those who are technically knowledgeable and don't care. A friend of mine
said, "Install anything you like on that test system, I restore from a backup
every week.
- Those who are not technically knowledgeable and don't care about their
systems. These people just reformat their hard drives and reload their one or
two programs whenever they have problems.
- Those who are not technically knowledgeable and care about their systems.
This group includes technically knowledgeable people who have users in their
family, for example, who are not technically knowledgeable.
Anti-virus software manufacturers sell only to this last group. The people in the last group don't realize that anti-virus software that runs when starting the computer slows a system. Running the software just after a virus definition update provides some protection without slowing the system. However, the best protection is updating the Windows system, running a firewall, and educating the users. That's because anti-virus software cannot detect a virus if it doesn't have a virus definition, so there is the possibility of being infected by a new virus, even if you are running anti-virus software continuously.So, the parent poster says, hiring someone who may or may not be a psychologist is a public relations move to try to convince the people in group 4 to buy anti-virus software. For that purpose, it doesn't matter if the psychologist actually knows anything, because the lack of knowledge would not be detected by the user.
My experience has been that even poor quality articles show some evidence of the depth of thought of the researcher. Going by that indication, the Symantec researcher knows nothing useful.
It is interesting to note that the grandparent post was modded up to 5 and then back down to 1.