The Hacker Profiling Project

NewsForge writes "NewsForge is running a story about a project aiming to profile hackers like the police do with common criminals. Not based out of the U.S. per se, this project falls under the auspices of the United Nations Interregional Crime and Justice Research Institute (UNICRI). The project was co-founded by Stefania Ducci, in 2004, along with Raoul Chiesa." From the article: "NewsForge: What would the project concretely produce as final output? Stefania Ducci: The final goal is a real and complete methodology for hacker profiling, released under GNU/FDL. This means that, at the end of our research project, if a company will send us its (as detailed as possible) logs related to an intrusion, we — exactly like in the TV show C.S.I. when evidence is found on the crime scene — will be able to provide a profile of the attacker. By 'profile' we mean, for example, his technical skills, his probable geographic location, an analysis of his modus operandi, and of a lot of other, small and big, traces left on the crime scene. This will also permit us to observe and, wherever possible, preview new attack trends, show rapid and drastic behavior changes, and, finally, provide a real picture of the world of hacking and its international scene."

What have they done to our language

[Silver+Sloth]

From Wikipedia

In computer programming, a hacker is a software designer and programmer who builds elegant, beautiful programs and systems.

Well, that's what it used to mean. Someone who was close to the metal, not some jumped up script kiddie with no morals. now even Newsforge is using it in its pejorative form. Personally I think they mean crackers.

Re:What have they done to our language

[wired_LAIN]

If the title of a news article was "UN institutes Cracker profiling" the non-slashdot crowd would interpret it as "UN is racist against white people"

Re:What have they done to our language

[bhalter80]

How dare you use that slur against white people :)

Re:What have they done to our language

[mordors9]

Even accepting that you are correct that they are talking about crackers, I have the feeling that most of the script kiddies will not make the list. I assume they are talking about the real deal type guys that make their own cracks and then the other guys try to imitate them. Many of whom may even fall under our common definition of hacker. Those people that will discover a neat hack and then inform the other party of the problem. If not, if it is the script kiddies, it will be a very long and meaningless list.

Re:What have they done to our language

[krgallagher]

"some jumped up script kiddie with no morals"

Add "who hasn't had a date in years, living in his parents basement." to that and I think we will have our profile.

Re:What have they done to our language

[westlake]

Well, that's what it used to mean. Someone who was close to the metal, not some jumped up script kiddie with no morals. now even Newsforge is using it in its pejorative form. Personally I think they mean crackers.

The usage that takes hold in the larger world is what matters.

This is precisely why arguing that "copyright infringement is not theft" is so futile. The idea is too deeply entrenched in the language to be uprooted now.

Re:What have they done to our language

[Skuld-Chan]

Why can't there be illegal hackers? Just like there are good and bad people in every occupation.

I've met people who do seemingly illegal things, but use brilliant self made solutions.

Re:What have they done to our language

[Silver+Sloth]

Back when the term was coined there came along with it 'hacker ethics' and a massive discussion about what was, and was not, ethical. This is all in the Wikipedia article I referenced. Once the non techie media got hold of it it was twisted to mean only those who use computers for wrongdoing.

When the tabloid press misuse the word then, OK, I'll live with it but when Newsforge misuses it, or should I say uses it with its now accepted tabloid meaning, I feel a twinge of regret for the passing of an age.

Re: What have they done to our language

[davermont]

I'm tired of the supercilious attitude surrounding the use of the word "hacker". I think most of you are smart enough to derive which definition of "hacker" to apply within a given context. The fact of the matter is that the skill sets of "white hat" and "black hat" are essentially the same, and this is why the word is thrown about without consideration for the feelings of the innocuous, well-intended hacker. We all may as well face the fact that the word is well-ingrained in popular culture to mean something different from what it means within the hacker community. This isn't going to change any time soon. Besides, the last time I heard the word "cracker" it was used to mean something closer to "Nascar enthusiast" than it was to profile a type of computer geek. :)

Re:What have they done to our language

[oh_the_humanity]

Crackers crack programs, registration/functionality restrictions etc. Hackers in the mainstream terminology is the correct word to use. We all know real hackers, are tinkers and inquisitive people, who like exploring the bounds of what is commonly accepted usage of data/equipment.

Re:What have they done to our language

[jacksonj04]

Sod the word "hacker", I want to know why "itsatrap" can seemingly refer to every single subject on Slashdot.

Re:What have they done to our language

[charlesnw]

Hasn't had a date in years implies he had one ever :)

Re:What have they done to our language

[ConceptJunkie]

If the title of a news article was "UN institutes Cracker profiling" the non-slashdot crowd would interpret it as "UN is racist against white people"


Either that or they are comparing things like Ritz, Club and Saltines.

Re:What have they done to our language

[steeviant]

They're not talking about making a list of hackers, they're talking about profiling.

So for instance they will look at the level of technical knowledge needed to do what was done, which could help them determine whether they're looking for a script-kiddie or a guru.

They could look at how quickly the attacker was able to locate their target, which on a reasonably sized network may tell them whether it was an inside-job, a skilled attacker, or a script-kiddie who struck it lucky.

They could look for signs of auditing, the more traces of auditing of the network that can be found, the less experienced the hacker is likely to be.

They can look at the language used in any defacements to determine a likely geographical region that an attacker is based in.

They can determine whether the person is just curious, setting themselves up for some future attack, gathering information etc etc.

You can see that once you apply enough criteria you could narrow the list of possible suspects down, and also have a set of criteria to compare any new suspects against.

Re:What have they done to our language

[darthgnu]

Remember kids, George W. Bush doesn't care about white people.
[/election day propaganda]

Re:What have they done to our language

[Lars+T.]

If the title of a news article was "UN institutes Cracker profiling" the non-slashdot crowd would interpret it as "UN is racist against white people"

Don't most Americans do that anyway?

But Brits might think they hired Fitz.

Like CSI?

[ajlitt]

"exactly like in the TV show C.S.I. when evidence is found on the crime scene"
You mean they stand around in a dark room and spout techno-BS while a computer graphically and textually points out the obvious?

Re:Like CSI?

[andphi]

To quote Gil Grissom: "There are too many forensics shows."

Re:Like CSI?

[Otter]

I was going to say the opposite -- don't they understand that in real life, you can't actually drop a fingernail cutting into a mass spec and have it instantly pop up a chemical structure and a list of suspects? Maybe, as you say, the key is leaving the lights off all the time.

Re:Like CSI?

I think he is talking about the way they can take a dot in a grainy photo of a distant crowd, "enhance" it and blow it up, and come up with a perfect picture of the perp.

Re:Like CSI?

[Lumpy]

Nooo!

they mean they will take pictures of it from wierd angles and with wild lighting to make it look far more dramatic than it really is.

you will also get things blurted out like.....

"The log here has a Gentoo Fingerprint, I think we are dealing with a Computer mastermind!"

Re:Like CSI?

[A+beautiful+mind]

A couple of episodes into CSI (I started at some random point) there was an episode where Grissom explained in a smartass way that the rubber on a car's wheels protects the people in the car from lightning. Sure thing, except that the real explanation is that the car is made of metal and it acts as a Faraday cage, that's why you don't fry in a car if hit by lightning.

Funny, entertaining, I have the best appetite while watching CSI and I regularly enjoy supper watching CSI, but its not scientific. I hope most people realise that. :)

Re:Like CSI?

[kfg]

I saw CSI for the first time about a week ago. Frankly I was first annoyed and then appalled. It wasn't until I saw the closing credits that I fully understood why. I won't name names, but his initials are "J.B."

If they are going to procede as CSI we are all doomed. I mean who wants to go around for the rest of their lives looking at the world through orange tinted glasses?

Although I admit that the clean, shiny luxury accommodation holding cells would be a nice upgrade on reality.

KFG

Re:Like CSI?

[John+Hurliman]

The goal of the project is to be as cool as a TV drama series? More proof that life imitates art.

Re:Like CSI?

[Otto]

Sure thing, except that the real explanation is that the car is made of metal and it acts as a Faraday cage, that's why you don't fry in a car if hit by lightning.

Actually, that's not correct either.

The real explanation is that a car is a big wide chunk of metal and that metal provides a better path to ground than the path which happens to go through your soft fleshy tissues.

For it to be a Faraday cage, it would have to be sealed or having only small holes (with their size depending on the frequency of the EM radiation you're wanting to block). Considering that you've got big chunks of glass instead of metal in it, a Faraday cage it definitely is not. Proof: You can pick up radio signals inside the car. A Faraday cage would not be able to get those, even with an external antenna and wires leading into the cage.

Sorry for being pedantic, but this is /. after all...

Re:Like CSI?

That was pointlessly pedantic, considering that the same mechanism underlies both explanations.

Re:Like CSI?

[A+beautiful+mind]

From Wikipedia: Contrary to popular notion, there is no 'safe' location outdoors. People have been struck in sheds and makeshift shelters. A better location would be inside a vehicle (a crude type of Faraday cage). It is advisable to keep oneself away from any attached metallic components once inside (keys in ignition, etc.).

Also, as the anonymus coward poster described, you've just described the same underlying mechanism.

Re:Like CSI?

[maxwell+demon]

don't they understand that in real life, you can't actually drop a fingernail cutting into a mass spec and have it instantly pop up a chemical structure and a list of suspects?

Oh yes, you can. Here's the source code of that program's main function:

#include <iostream>
#include "chemistry.h"
#include "suspects.h"
 
int main()
{
  char dummy;
  std::cout << "Please drop fingernail cutting into mass spec, then press enter.\n";
  std::cin >> dummy;
  pop_up_chemical_structure_of_keratin();
  pop_up_usual_suspects();
}

Re:Like CSI?

[cloakable]

s/Gentoo/Slackware

Re:Like CSI?

[Otto]

Actually, no, the same mechanism does NOT underlie both explanations. A Faraday cage operates on a completely different principle.

Re:Like CSI?

[Otto]

Citing Wikipedia? You can do better. How about an actual scientific paper instead of something made by users who likely are just as wrong as the original poster?

Suffice it to say that Wikipedia is wrong, yet again. Any decent physics class would tell you so.

OH NO

Too bad I bought the Rootkits book from Amazon, I know I should have gotten it at the bookstore and should have paid cash.

Tools are the same for everyone

[hey]

Oh that hacker is using Rootkit 123 so it must be somebody on the Internet!

Lemme guess

[$RANDOMLUSER]

White kid? Bad complexion? Limited social skills? Above average intelligence? Lives in parents basement?

"Round up the usual suspects"

Re:Lemme guess

[djh101010]

"Round up the usual suspects"

...and suddenly, it got strangely quiet on slashdot...

UN

[jimbolauski]

So if one does get cought by the UN will they just sanction them and them place them on double secret probabtion.

Re:UN

[networkBoy]

Which they can feel free to ignore, as long as they shout "I'm ignoring the sanctions!"

At least til my bosses, bosses, [...], boss declairs war on them. ;-)
-nB

Re:UN

[CCFreak2K]

And if they do something heroic, do they get a parade thrown in their honor?

One question

[squidfood]

Will the rankings be computerized?

Re: One question

[davermont]

Who cares? If you want to make it to Grand Marshal you have to have hacking under your profile 24/7.

what about "evidence" like...

[wired_LAIN]

UN: the hacker seems to have left an unintelligible string of words in your system. We're not sure what it means. "All your base are belong to us... bitch"

-Exactly- like on C.S.I.?

[Nevtje(hr]

I hope not, cos that would mean that they would look for the hacker in a "furry" community only to find out that the actual vigilante was a farmer who acted in good faith trying to protect his sheep. Ehhh...

Something interesting that might be related to it

[Ernesto+Alvarez]

Reminds me of a project the Argentinian military presented about a year ago in a security congress I went to.

The idea was to "fingerprint" hacking attempts by measuring timing in typing on terminals. Say, a hacker would attack a system, a fingerprint would be taken (of the unknown hacker's typing habits) and then on another break-in, a new fingerprint would be taken and compared to previous ones to determine if it is a formely filed hacker.

Another possibility from that idea was to use the fingerprint also to verify the user's identity (you have to enter a password, but the server also fingerprints you and denies access if the fingerprint does not match).

Definitely one of the best expositions in the congress. Pity I cannot find any papers. I found the original presentation, in spanish though, by searching for "Remote identification of keystroke patterns" on google.

I can see their profile of me already...

[jtorkbob]

Subject: One Perl Hacker; four-space indentation; 12% comments; averaging 34 lines per sub; prefers OO interface when available; abhores cuddly elses.

Cm'on now, can't we even get our terminology straight?.

Re:I can see their profile of me already...

hacker - n.

1 one who circumvents the security of computer systems
2 an inexperienced player, esp. of golf
3 obsolete a computer expert, esp. a computer programming expert

Get your own terminology straight.

Re:I can see their profile of me already...

[MadMidnightBomber]

Subject: One Perl Hacker; four-space indentation; 12% comments;

You can do comments in perl ? Tell me more.

profiling by system logs???

[pulse2600]

Hmm...I see by the look of this log showing the Denial of Service attack on Megacorp's Web server, the suspect is:

40 year old white male
lacks typical social skills
unmarried, no girlfriend
drinks highly caffinated beverages
has a scraggly, unkempt beard
does not shower
lives in his parent's basement...(for free)

That narrows the list of a bajillion suspects down to...hmm...maybe this profiling thing doesn't work as well as it does on tv? Screw it, bring 'em all in!

Re:profiling by system logs???

[westlake]

That narrows the list of a bajillion suspects down to...hmm.

---a much smaller number than the Geek may want to think about.

Great idea..

[Frumious+Wombat]

That way when someone joins a project, you can look up his profile and read, "thinks that orange on neon green is an acceptable combination for user interfaces", and know to only let him work on the back-end of a project.

Frankly, some of those interfaces out there in FS/OS land are at least a misdemeanor. This project is long overdue.

Don't like change?

[Vellmont]

Word meanings change, and can have multiple meanings. Sorry if you've some personal attatchment to those 6 letters arranged in a certain, but the fight was over long ago. Find a new word for what you're talking about, because hacker now means someone who breaks into computers. You can't fight what 99% of the population accepts as the definition, no matter what some wikipedia entry says.

Re:Don't like change?

[Silver+Sloth]

I totally agree that the war is lost, but it's a sad day when a title I used to aspire to becomes a pejorative term on Newsforge

Re:Don't like change?

[TheDreadSlashdotterD]

But that begs the question, should we really take this lying down?

I'm sorry, couldn't resist.

Re:Don't like change?

[DarkShadeChaos]

"You can't fight what 99% of the population accepts as the definition"

You mean Wikiality? :-D

Re:Don't like change?

[a.d.trick]

I wouldn't say that hacker no longer refers to a wizardly computer programmer, ever. As you said works can have multiple meanings, and in certain contexts, it's perfectly acceptable to use the word like that. At the moment, there's a problem because there's not really a good word to replace hacker (in the programmer sense) that retains all the connotations. Also, in other context, it has completly different meaning (as in 'css hack'), It may be that hacker is becoming a single morpheme word. All in all, it's a pretty butchered word.

And yes, you can fight what words mean (school teachers do it all the time). Sometimes it works, usually it doesn't, and it's often a waste of time.

Re:Don't like change?

[NoGUI]

Incorrect. Both deffinitions are as accurate today as they ever were since both are still part of accepted use. There is no 'fight' here, it's just the usage functions in the English language. Find a new language to police, or learn the rules in this one Vellmont. NoGUI - out

Re:Don't like change?

The fight is never over. If 'liberal' is now an insult, and 'gay' is now a socially acceptable term, then hacker can be re-appropriated also. And people will become better informed about the real issues behind the word as a result.

Re:Don't like change?

Among all the hackers I know, we still use the word hacker the way it was meant to be used, and always will. I call myself a hacker on my resume, and its on my business card. You can fight it, and many people actively do so. I won't have the word stolen from me by idiots, regardless of how many of them there are.

Re:Don't like change?

[Vellmont]

Incorrect. Both deffinitions are as accurate today as they ever were since both are still part of accepted use.

I didn't say that the old-school definition of hacker was incorrect, only that 99% of the populace only knows the computer breakin definition.

There is no 'fight' here, it's just the usage functions in the English language.

Obviously you're wrong, since there's so many people upset by the computer breakin definition and actively resist it. My point is that it's useless to try to change the definition when the battle is already lost. You might as well be pissed off that for the vast majority of people would say "vandal" no longer refers to the east germanic tribe, but refers to people destoying property.

Find a new language to police, or learn the rules in this one

Who's policing this language? I'm merely stating the reality that the only "rules" of a language are the ones that people agree on. If 99 out of 100 people think hacker means person who breaks into computers, you're only going to be confusing and sound like a putz when you try to claim otherwise. Sure there are specialized environments where hacker can mean the old-school definition, just like there are specialized environments where vandal can mean the east germanic tribe but this is mainstream media article, not that specialized environment.

Re:Don't like change?

[MyNymWasTaken]

The "fight" never ended. Different groups have different meanings for the same word. When the meanings for the same word are contradictory, then there will fracas when the groups meet. What one group decided long ago is irrelevant to the other.

Here's a novel concept. If you need a word for a new concept, create a new one - either from historical language roots, another modern language, or completely out of your own imagination. To completely change the meaning of an already existing word is weak & simple-minded and/or plainly malicious & devious. It is equivalent to forcibly, and without cause, evicting a concept from its word. It is malicious to claim "we control this word now, you'll need to find a new word for the original meaning now."

Just because a guy is sucking on a fag doesn't mean he is gay. After all, he may be stressed out and unhappy about something - which is the reason he smoking a cigarette.

Re:Don't like change?

[mshomphe]

I know what you mean. At one point, I wanted to be President of the United States...

Re:Don't like change?

I call myself a hacker on my resume, and its on my business card.

Then you won't be too surprised to be unemployed, or behind bars.

Try and put "international arms dealer" on your resume, too.

Re:Don't like change?

[NoGUI]

Fair 'nuff. Thanks for not being a moron. ; )

Re:Don't like change?

[zobier]

It is better to be described as a hacker by others than to describe oneself that way.

Comment removed

[account_deleted]

Comment removed based on user account deletion

T-Shirts.

[Kenja]

Most of em have NiN, Tool or Warhammer t-shirts on. Just have a S.W.A.T team take out the mall food courts and we can get em all.

Quibble with the write-up

Should read:

NewsForge is running a story about a project aiming to profile hackers like the police do with other common criminals.

Hacker profile???

[Chineseyes]

Why don't they just watch swordfish? What hacker hasn't been asked to crack a govt database with 8192 bit encryption at gunpoint while getting a blow job by a hot chick in the back of a club.

Re:Hacker profile???

[db32]

Are you trying to say that isn't real?! I mean Kevin Mitnik was able to launch nuclear missiles by whistling into phones.

Re:Something interesting that might be related to

[FooAtWFU]

I think if this were actually implemented on a widespread basis, sophisticated hackers using some form of remote access would be able to come up with some sort of remote client that randomizes or otherwise alters (uniformizes) the delays between sent keystrokes. As for physical access, now... well, once you have someone with physical access, you're doomed anyway. . .

Goody-goody

[Joebert]

Dear Stefania, I have followed with enthusiasm the course of your disgrace and public shaming. My own never bothered me except for the inconvenience of being incarcerated, but you may lack perspective. In our discussions down in the chatroom it was apparent to me that your father, the dead night watchman, figures largely in your value system. I think your success in putting an end to Jame Gumb's career as a couturier pleased you most because you could imagine your father being pleased. But now, alas, you're in bad odour with the HPP. Do you imagine your daddy being shamed by your disgrace? Do you see him in his plain pine box crushed by your failure; a sorry, petty end of a promising career? What is worst about this humiliation Stefania? Is it how your failure will reflect on your mommy and daddy? Is your worst fear that people will now and forever believe they were indeed just good old trailer camp tornado bait white trash and that perhaps you are too? By the way I couldn't help noticing on the HPP's rather dull public website that I have been hoisted from the Project's archives of the common hacker and elevated to the more prestigious 1010 Most Wanted list. Is this coincidence, or are you back on the case? If so, goody goody, cause I need to come out of retirement and return to public life. I imagine you sitting in a dark basement room bent over papers and computer screens. Is that accurate? Please tell me truly, Special Agent Ducci. Regards, your old pal mr.joebert, MD2020 P.S. Clearly this new assignment is not your choice rather I suppose it is a part of the bargain but you accepted it Stefania. Your job is to craft my doom. So I am not sure how well I should wish you but I'm sure we'll have a lot of fun. Tata, J.

Mod up

[Gabesword]

This has been modded as funny but it really needs to be modded insightful. Governments the world over are trying very hard to get data such as the Amazon purchase data and store that in a useful database. Buying a book about rootkits very well may put you on a list of, oh, let's call them hackers who need to be kept track of. This, "hacker", book purchase can be cross referenced with the hacker's employment records, possibly including training received. It is all too possible that your phone or data line could be tapped and monitored because you are suspected of a crime based on nothing more than you having the skills necessary to commit said crime. Just because I am capable of lifting a baseball bat and swinging it doesn't mean that I should be an immediate suspect should someone be murdered by baseball bat. Having the ability to commit a network intrusion shouldn't make me a suspect of a network intrusion. That should only be the case if there is some indication that it was me.

Re:Mod up

[jotok]

Governments the world over are trying very hard to get data such as the Amazon purchase data and store that in a useful database.

I'm sorry, but can you cite a source where such an attempt to acquire the data has been made? Or are you just betting on the general tendency of governments to try to encroach more and more upon our privacy? I ask because healthy paranoia is one thing, but I think you might be going overboard.

Re:Mod up

[1iar_parad0x]

Most of the script-kiddie hacking that businesses worry about could easily be perpetrated by the average IT professional. A good sysadmin or software engineer, if unethical, is a lot more dangerous than your average (ugh, I hate to use this term) 'hacker'. Sheesh, I'd be worried about more worried about the guy who reads Stevens books on Unix and TCP/IP than someone reading a book on rootkits.

Incidentally, I'm a little ashamed to admit this, but I once picked up a book on rootkits for Windows because the cover art caught my eye. I had some experience with Windows system programming and I never got a handle (pun intended!!) on the NT kernel. Thinking there might be some great 'black magic' in this rootkit book, I sat down with a cup of coffee and began to read. You know what I realized, I was impressed with the amount of time the authors took to research the material but I realized that the book was nothing more than professional script kiddie. It didn't even contain a good explanation of Windows Driver Development Kit. I figured I'd be better off picking up some documentation from MSDN and tinkering myself. In short, I felt the material was lacking a professional engineering polish. It read like script kiddie. Fortunately your average C++ programmer (outside of Russia :)) is a little more ethical and doesn't spend time contemplating how to ruin your computer.

Re:I think i speak for all of us...

[El+Torico]

Of course, providing false information is a useful strategy too. Feel free to provide as much information as you like.

Here's the questionnaire that they refer to - http://hpp.recursiva.org/en/q1.php.

Crackers, not hackers, for the umteenth time

I'm a forth generation hacker, cut my teeth on all the 8-bits, mainly a C=64, and I bristle every time someone uses the term in a pejorative sense. Hackers generally just love to code, create, repair, build, and figure things out. They rather like to create, or enhance.

I believe Andrew Burt, founder of nyx.net, one of the free unix shells, coined the term "spider" but that really doesn't work for me. "Crackers" is a more appropriate term.

I think these folks at the U.N need to do less to criminalize a bunch of crackers who are basically tech savy graffiti artists, and go after the real criminals within their own ranks. Do something about that appalling use of depleted uranium by the United States military, for starters.

einstein

http://anarchy.shellprompt.com/
http://rootpassword.com/

Good Luck

[Steve+Fuller]

I'm sure people who are experts at network penetration and social engineering are smart enough to
A. Not respond
B. Lie
C. Use these results to their advantage

Don't worry about that intrusion on the development server - the profile suggests it was only a script-kiddie looking for mp3s

What is next? A questionnaire if the Mafia prefers 9mm or .357s?

Re:Good Luck

[Joebert]

D. Find the boses ex-girlfriend before she calms down.

Re:Good Luck

[Rob+T+Firefly]

By the way, Slashdot, have I ever mentioned before that in real life I'm a 50-year-old blonde Chinese woman from Decatur, Illinois named Suzanne who loves "American Idol" and professional sports, and whose favorite food is eggplant?

Re:Good Luck

A woman on Slashdot!

Please, please marry me?

C.S.I. Second Life

[garlicbready]

just like CSI you say?
interesting
will it feature lots of weird camera angles, like from the floppy disks point of view?
how about from the keyboard point of view, looking straight up the nose of the hacker

Re:Geographic Location?

[micah_hainline]

You can get geographic information from IP addresses, so it isn't entirely unreasonable.

Alternate uses

[optkk]

"The final goal is a real and complete methodology for hacker profiling, released under GNU/FDL. This means that" ... anybody who seriously wants to crack into somewhere will look up the profile of somebody on the other side of the world and follow the text book examples. Nice.

Self rating

[plopez]

Looks like lots of self rating on the site. With out a better test (more thorough, less transparent) and/or follow up interview, even if the person is honest I find it to be of questionable validity.

Re:Self rating

[jotok]

Eh, if included as part of a larger body of work it could be perfectly valid. Generally speaking this would be data from a "top-down" approach, which you would follow up with a "bottom-up" study (e.g. observe closely what hackers do and say on IRC, for example). Also, nobody really has any hard numbers for "how valid" this kind of study is, so you could also consider it assumption-testing (including assumptions like "this is of questionable validity")...at some point you have to test even the obvious assumptions.

Re:Self rating

[maxwell+demon]

Well, the profiling probably will look like this:

Type 1: Fills in the questions.
Type 2: Hacks the server and puts his answers into the database directly.
Type 3: Hacks the server and deletes the data base.

Well someone had to post it...

[Warbothong]

So here it is: http://www.adequacy.org/stories/2001.12.2.42056.21 47.html enjoy

What about this profile?

[rduke15]

I wonder how they would profile that middle school hacker who was suspended for three days (The 8th grader in question used the "net send" command to send a single word message ("Hey!") to the 80 machines tied to his school's network.)

For logs, I suppose a teacher would have sent in a screen capture of the messenger window?

pr0filer @ Defcon 7 anyone?

[syntax]

I remember this being tried in 1999 with the 'pr0filer' project they revealed at Defcon 7. I remember lots of boos, people filling up their database with garbage, and it eventually sinking into nothingness.

Re:Something interesting that might be related to

and that program is called....perl

Studies like this do more harm than good

[Decius6i5]

On the one hand they state:

If a company will send us its logs related to an intrusion, we will be able to provide a profile of the attacker.

On the other hand they state:

The purpose of this study is trying to describe objectively hackers' everyday life, providing the people that have a poor knowledge of the hacking scene and the digital underground with a clear vision, uninfluenced by mass media or personal prejudices, putting an end to all the stereotypes surrounding this world.

I might suggest that the primary stereotype that the hacker subculture would like to put an end to is the idea that people in the hacker scene are responsible for most computer crimes.

The questionnaire should yield a profile of hackers who practice hacking in their spare time and without professional purposes. It is unlikely that cyber-warriors, industrial spies, governmental agents, and military hackers, who practice hacking professionally, will fill out the questionnaire, due to the obvious prudence required by their activities.

What is the difference between a "cyber warrior" and a "military hacker?" Aren't there other groups committing computer crime who don't merely "practice hacking in their spare time and without professional purposes." Like organized criminals? Who is running the bot nets? Who is sending out the phishing scams? Who is installing the malware? I might suggest that these people are neither "driven by the love for knowledge" nor are they employed by the military, and a study like this isn't going to shed any light on them.

The complete version of the questionnaire will be distributed exclusively to the persons who we are sure belong to the hacker underground. This group will act as a control group toward those who have filled out the compact version.

What does it mean if the compact version deviates from the control group? That people lied on the survey, or that the control group was poorly selected? Is this science or politics?

If you want to understand computer criminals, do a broad study of people who have been convicted of committing the sort of crime you are interested in.

Re:Studies like this do more harm than good

[CCFreak2K]

What is the difference between a "cyber warrior" and a "military hacker?"

My guess is "Tron" and "some IT guy in the government." Maybe Tron's user.

Crack the project?

[misfit815]

If they're smart, they'll somehow fork a honeypot off of this, since advertising such a project seems to be equivalent to putting a big digital bullseye on their foreheads.

Re:Geographic Location?

[v3xt0r]

As a hacker, you can just as easily spoof IP addresses using an insecure HTTP Proxy from another Country, or control a botnet of remote compromised machines, so it isn't entirely logical, unless you can get the logs of those machines and trace back to the actual source of the attack, which could be layers upon layers of proxies, in some cases.

Duh

[sharp-bang]

Generally speaking, it comes out that hackers are usually brilliant, inventive, and determined. They generally feel anger and rebellion towards authorities and narrowmindedness, seen as a menace for civil liberties. Hacking is conceived as a technique and a way of life with curiosity and to put themselves through the hoops, or as a power tool useful for raising awareness among the general public about political and social issues. Normally, they are driven by the love for knowledge. Nevertheless, there are also hackers who have profit purposes and, therefore, practice phishing/pharming, carding, or industrial espionage. Their preferred targets are military and governmental systems, as well as information systems of corporations, telecommunication societies, schools, and universities, but also end users and SOHO.

You've got to be kidding.

What's the methodology for this profile? Googling the word "hacker"? Please. Tell me something I didn't know years ago. (For example, MEECES.

Seriously, these guys sound like they have a seriously flawed survey methodology, in that all they are doing is self-selecting their sample and parroting the results. Moreover, I don't see how they plan to create anything useful out of the forensic data they expect everyone to send them. In that regard, I see little difference between what they say they are going to do and what the Honeynet Project has been doing for years.

Re:Duh

[jotok]

Their methodology could possibly be flawed, but are you qualified to certify someone else's experimental results? Even very obvious assumptions are technically useless unless you test them at some point. Meaning, you say "Duh," but these assumptions are not really something anyone has put to the test, are they? The fact that they have given support to something we already "know" is not a valid grounds for critique, so I must assume you are criticizing their actual experimental methodology. But I can't imagine anyone with a background in research criticizing basic experimentation, because anyone with a grounding in empirical methods would see the first stages (top-down data acq, surveys, etc.) as very important in helping you form the initial hypotheses to test with the next round of experiments, even though they don't really tell you very much in terms of hard data. So in this case they could be setting up to test the MEECES model--how often is "Entrance into Social Group" a motivator compared to the others, and how does it correlate to age, gender, socioeconomic status, education level, skill level...and on and on. This is quite valid, but then perhaps it might be too fine a point for your average IT geek to grasp on the first go-round. ...Just sayin'.

Re:Duh

[sharp-bang]

The fact that they have given support to something we already "know" is not a valid grounds for critique, so I must assume you are criticizing their actual experimental methodology.

I'm criticizing both. I see your point re: first-stage methodology, but it sounds like they're handing out surveys to people who fit a preestablished profile through self-selection, which fails Psych Stat 101 as far as the validity of their results. Beyond that I cannot say, since their website is long on appeals for credibility and short on experimental protocols. I have no idea what they "could be" testing, but the tone suggests that their literature review has not yet been done.

As to the validity of critique: please. I can't imagine anyone with a background in profiling criminal behavior on the Internet finding value in the aforementioned statement, and I can't imagine anyone with a background in research seriously asserting that obvious hypothesis so obvious is worth testing.

Re:Duh

[jotok]

I see your point regarding self-selection criteria but I'm not sure that invalidates the results (it does limit the hypotheses you can test severely, I admit). Surely anything is worth testing so long as it's never been formally tested, if only because the exact nature of a given relationship can always been characterized more precisely. Example: It's pretty obvious that some people hack for money (extortion schemes and whatnot)--we see them in the news all the time. You can assume from the observed behaviors that these hackers will probably fit a certain profile. But this kind of top-down modeling always has trouble with complex specific forms. It's why you see ballistics problems in physics textbooks that say things like "Assume a point-shaped or spherical cow flying through the atmosphere..." -- the models are robust but less so when you try to account for specifics.

Likewise, I think it's a good idea to test all of this because yes, "Duh," people can make money hacking and it's been happening a lot more lately. How much more? How much money are they making? Is a script kiddie as likely to get approached to do a "job" as a more experienced hacker? Etc. You handle these with a multidisciplinary approach (slight tangent--this is why when Dawkin's "Modern Synthesis" fails to explain forms, we get the morphogenesis crowd coming in to plug the gaps).

There is actually some really interesting work being done in this same area (modeling hackers and so forth) by some of the bioinformatics crowd, but the approaches I've seen so far stress a bottom-up approach (e.g. observe them in chat rooms and on usenet, try to connect new exploit code with this developer or that, etc.). I imagine this would probably meet your requirements for rigor more than what we see in this article.

Re:Duh

[sharp-bang]

Surely anything is worth testing so long as it's never been formally tested, if only because the exact nature of a given relationship can always been characterized more precisely.

What you say is technically true, but not necessarily economically viable. Also, I think you are assuming that these guys are doing new and unique work. They are not.

Likewise, I think it's a good idea to test all of this because yes, "Duh," people can make money hacking and it's been happening a lot more lately. How much more? How much money are they making? Is a script kiddie as likely to get approached to do a "job" as a more experienced hacker? Etc.

These are good things to know, but a lot of my comments are informed by the fact that I work in this field (information security) and have seen similar approaches fail for similar reasons. It was this sort of self-selecting survey approach that caused so many people to completely miss the rise in criminal motivation and activity in the so-called "hacker community" a few years ago. The fact was that the composition of the community (really a superposition of communities) changed but researchers were still focusing on the same people for cultural reasons, and because their methodologies and protocols were similarly weak.

Also, the blithe request for network forensics, with absolutely no information presented on methodology of analysis, or even the handling of the data, really stuck in my craw. Having reviewed these guy's website, I have no confidence that they know what they are doing.

There is actually some really interesting work being done in this same area (modeling hackers and so forth) by some of the bioinformatics crowd, but the approaches I've seen so far stress a bottom-up approach (e.g. observe them in chat rooms and on usenet, try to connect new exploit code with this developer or that, etc.). I imagine this would probably meet your requirements for rigor more than what we see in this article.

Agreed and agreed. It's not so much 'rigor' but that the line of enquiry bear fruit. The Kilger work cited earlier was 'mere' phenomenology, but leverages existing law enforcement profiling technique and has been shown to be practical. Arguably practicality is not the whole end goal of scientific enquiry, but, like physicists, I would hope that information security researchers bear in mind that they are constrained to reality. There's also some neat stuff being doing by analyzing social networks formally (i.e. mathematically).

Only for just 3 Easy Pay payments of $45...

What I find anoying about these articles is that they dont provide enough background to be informative (e.g., What is the cost of the project?How did the project come about?Who will have access to the analysis information?Who are the project participants (including companies)?, and so on

BTW if anyone knows who the individual that authorized the project, please send me their contact information so I can sell them the shirt off my back.

Police want a hacker, polly want a cracker

[EmbeddedJanitor]

Yes,it is sad that Newsforge got this wrong. If is right that slashdot, which is always correct, should point this out to them.

Language unfortunately gets screwed up and typically ends up going with the mass usage. Colour becomes color. Milliard (10^9) becomes billion...

Re:Geographic Location?

[Jimmy+King]

I assume they mean determining the region (and I would still consider this just as untrustworthy as using the IP) by figuring in things such as the types of attacks used, apparent knowledge, what they were attacking, what information they took/used/ignored, etc as compared to trends of the same measures from different areas of the world.

The biggest flaw with this is...

[Afecks]

The only people willing to fill out the questionnaire are stupid enough to fill out the questionnaire!

Re:Geographic Location?

[Beryllium+Sphere(tm)]

IP addresses can be spoofed, but you can get a vague idea about time zone if the attacks are manual instead of being automated. If you get an old-school intruder who leaves taunts behind, you can make guesses from the style and grammar: my wife used to be able to pinpoint a student's native language based on how they wrote English.

If you're pointing at your head....

[EmbeddedJanitor]

here are some more: color (colour), milliard (billion), dick (richard).

from TFA...

[Aurisor]

" NF: Why should hackers collaborate with you?

SD: Because the purpose of this study is trying to describe objectively hackers' everyday life, providing the people that have a poor knowledge of the hacking scene and the digital underground with a clear vision, uninfluenced by mass media or personal prejudices, putting an end to all the stereotypes surrounding this world. "

BWAHAHAHAHAHAHAHAHHAHAHAHAHAHAHAHA! *wipes tears from eyes*

What have they done to our wiki?

Well, that's what it used to say.

The Wikipedia page on Hackers has also defined them as "LONELY LITTLE BOY WITH NO FRIENDS", made claims that a variety of people are hackers, and even asserted that the reader is a noob.

While Wikipedia is a wonderful resource, I suggest you link to a particular revision of an article if you wish to claim it as authoritative.

Finally

[wzzzzrd]

[...]released under GNU/FDL[...]

Finally GNU is used by "Teh Evil[tm]". I mean, come on, this is ridiculous.

We already have one.

[CCFreak2K]

We already have a profile for at least one hacker.

Hackers?

[Eric+Smith]

Why profile hackers?

They should be worried about people that break into computers. Such people are "wannabes", not hackers. They may have some of the skills that would be suited to becoming a hacker, but they don't have the true hacker mentality, which is about building things, not breaking them. As ESR states, "being able to break security doesn't make you a hacker any more than being able to hotwire cars makes you an automotive engineer."

Re:Hackers?

Not to defend this silly study, but ESR's perspective is part ignorance, part arrogance and mostly just tired. Like any other technical subject that hackers are interested in, there is a spectrum of people interested in thinking about how things break, and their intelligence varies from "kiddies" up to university professors. 2600's biennial conference in New York has featured people like the Woz, Stallman, Bruce Schneier, and Matt Blaze. Obviously people who "aren't very bright."

The fact is that calling people who delight in overcoming barriers imposed by software stupid "crackers" for 20 years hasn't managed to convince the media to stop confusing hackers and computer criminals. By continuing to insist on doing this ESR only further contributes to the confusion, and hurts the community thereby. The reality is that technical interests, intelligence, and morality are all othragonal to eachother. There are very smart, creative, ethical people doing things that you malign.

Re:Hackers?

[Eric+Smith]

calling people who delight in overcoming barriers imposed by software

There's a big difference between overcoming barriers on the one hand, and vandalism, theft and fraud on the other. The people that commit the latter are not "hackers", they are criminals, and need to be dealt with accordingly.

stupid "crackers" for 20 years hasn't managed to convince the media to stop confusing hackers and computer criminals

That the media confuses the two only demonstrates that the media is ignorant (willfully or otherwise). The media calling a bunch of miscreants "hackers" does not make them hackers.

2600's biennial conference in New York has featured people like the Woz, Stallman, Bruce Schneier, and Matt Blaze.

I didn't make any disparaging remarks about 2600, so I'm not sure why you're even bringing it up. I read 2600 magazine from time to time. Some of the content seems to be from hackers. Some isn't. The fact that they invite some really intelligent people to speak at their conferences has little or nothing to do with the issue at hand.

There are very smart, creative, ethical people doing things that you malign.

I don't care how smart or creative they are. If what they do is break into other people's computers, steal data, deface web sites, distribute malware, or use botnets for spamming or DDoS attacks, they aren't "hackers", they're criminals.

Re:Hackers?

I didn't make any disparaging remarks about 2600, so I'm not sure why you're even bringing it up. I read 2600 magazine from time to time. Some of the content seems to be from hackers. Some isn't. The fact that they invite some really intelligent people to speak at their conferences has little or nothing to do with the issue at hand.

I bring this up because the link you posted to Raymond's site, where he references alt.2600. Thats certainly one of the poorest newsgroups on usenet, but Stallman isn't just talking about it. Its an example. He is talking about 2600 magazine, their meetings, their conferences, defcon, and the entire culture that exists around all of that, which calls itself a hacker scene. He is calling those people stupid, and drawing a line between them, and "real" hackers. Quoting the jargon file:

From the early 1980s onward, a flourishing culture of local, MS-DOS-based bulletin boards developed separately from Internet hackerdom. The BBS culture has, as its seamy underside, a stratum of 'pirate boards' inhabited by crackers, phone phreaks, and warez d00dz. These people (mostly teenagers running IBM-PC clones from their bedrooms) have developed their own characteristic jargon... Though crackers often call themselves 'hackers', they aren't (they typically have neither significant programming ability, nor Internet expertise, nor experience with UNIX or other true multi-user systems). Their vocabulary has little overlap with hackerdom's, and hackers regard them with varying degrees of contempt.

We is writing off an entire culture. As a matter of fact, a lot of people who are or were a part of that culture DO have significant programming, Internet, UNIX, and other expertise. The majority of the people involved with that culture aren't stealing data, defacing web sites, distrubiting malware, spamming, launching DDoS attacks, etc.... There is a clear ethic in that culture that says do no harm. There are bad apples in that community, as there are in every community, particularly ones that are clearly young and anti-authoritarian, but Stallman is not merely calling out bad apples. He was drawn this broad brush in which he says that the mindset of a hacker can be applied to nearly any question. It can be applied to making music. But by his definition it cannot be applied to thinking about how computer security systems fail, because thats what these people do. Computer security is not an interesting subject that intelligent people trifle with. People who take an interest in that are not hackers. People who participate in that culture are not hackers. That is his message. And its wrong.

Re:Hackers?

but Stallman isn't just talking about it.

Er, Raymond... My apologies. Its late here. :)

How About Political Crook Profiling

[SloWave]

This reminds me of somethat that I've been thinking of for a while. By tracking various publicly available information, it should be possible to profile the current politician crop as to how corrupt they really are. For example, if a politician has attended the same parties that Abramoff attended or even was even in the same cities at the same time more than probability allows, then that would count towards that politician's corruption index. Say if that politician used the same lawyers that mob connected people use, then the index goes way up.

Factor in every piece of information of this type, test against known corrupt politicians like the Abscam people, Tom Delay, Randy Cunningham, Marion Barry, etc, throw in a little Baysian logic, and find the current corrupt crop of politicians. Be interesting to test George Bush and Dick Cheney against this index. Think about it.

sounds alot like d0xmaster

[NynexNinja]

sounds alot like d0xmaster :)

To test for a null hypothesis

[Amitz+Sekali]

The idea was to "fingerprint" hacking attempts by measuring timing in typing on terminals. Say, a hacker would attack a system, a fingerprint would be taken (of the unknown hacker's typing habits) and then on another break-in, a new fingerprint would be taken and compared to previous ones to determine if it is a formely filed hacker.

Extending the above, it's better to use the fingerprinting as the basis of prosecuting an alleged hacker, by testing the null hypothesis, which is: a particular hacker is the one we have profiled.

Speaking of broken language...

Did anyone actually read their survey form? As a sociologist-in-training, I have to say that it's one of the poorest pieces of work I've had the...experience of reading. Grammar errors galore, mistargeted questions, redundancy, bias, loaded questions (though those are to be expected in a survey on criminal activities), over-lengthy, items poorly ordered, questions that will return prima facie bogus results...and enough sampling problems to fill a doctoral thesis.

O heavens above, I pray this research doesn't get used for policy creation...unfortunately, the agnostic in me bets it will be.

Semantic war

[S3D]

From Wikipedia : In computer programming, a hacker is a software designer and programmer who builds elegant, beautiful programs and systems.

It's possible that changing of the meaning of the word form positive to pejorative is the sign of how society see software developers. It's similar how in modern russian old word for "Jew" become offensive word, and it's modern form also sometimes used as offence (less so after the fall of communism)

Re:Something interesting that might be related to

[theonetruekeebler]

Something similar was done in World War II. Telegraph operators tend to develop individual styles in how they operate the key. This style is called a "fist." Radio intercept operators listened to enough Morse code traffic that they could readily identify the sender of a message by the fist of whoever was sending it. A lot could be learned about a message by knowing who sent it: Operator A only sends messages to the sixth fleet, Operator B seems to be an officer because when a message is critical he always sends it himself, and best of all, Operator C always sets his Enigma machine rotors to "GITA" at the start of each message.

For things like telnet traffic, it may be trickier to do this: When your IP stack receives multiple single characters from an application within, say, a fifth of a second, it will put them in a single packet before sending them. This is specifically intended to handle things like SSH and telnet traffic -- there's no sense sending three 55 byte packets over the net when you could send one 57 byte packet, right? But the consequence is that we can no longer do fine-grained timing analysis of keystrokes received over the 'net. Of course, this may make things easier when our wiley hacker types particular strings very fast because they always arrive as a single packet.

Have them profile you!

[maxwell+demon]

Didn't you always want to know where your speed inefficiencies lie? After all, that's what a profiler is for, isn't it?