Researchers Use Machine-Learning Techniques To De-Anonymize Coders (wired.com)
At the DefCon hacking conference on Friday, Rachel Greenstadt, an associate professor of computer science at Drexel University, and Aylin Caliskan, Greenstadt's former PhD student and now an assistant professor at George Washington University, presented a number of studies they've conducted using machine learning techniques to de-anonymize the authors of code samples. "Their work could be useful in a plagiarism dispute, for instance, but it could also have privacy implications, especially for the thousands of developers who contribute open source code to the world," reports Wired. From the report: First, the algorithm they designed identifies all the features found in a selection of code samples. That's a lot of different characteristics. Think of every aspect that exists in natural language: There are the words you choose, which way you put them together, sentence length, and so on. Greenstadt and Caliskan then narrowed the features to only include the ones that actually distinguish developers from each other, trimming the list from hundreds of thousands to around 50 or so. The researchers don't rely on low-level features, like how code was formatted. Instead, they create "abstract syntax trees," which reflect code's underlying structure, rather than its arbitrary components. Their technique is akin to prioritizing someone's sentence structure, instead of whether they indent each line in a paragraph.
The method also requires examples of someone's work to teach an algorithm to know when it spots another one of their code samples. If a random GitHub account pops up and publishes a code fragment, Greenstadt and Caliskan wouldn't necessarily be able to identify the person behind it, because they only have one sample to work with. (They could possibly tell that it was a developer they hadn't seen before.) Greenstadt and Caliskan, however, don't need your life's work to attribute code to you. It only takes a few short samples.
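As an added illustration (not the researchers' code, features or data), the following Python sketch shows the shape of the pipeline the summary describes: structural features pulled from the abstract syntax tree (here parent/child node-type bigrams, which ignore formatting and identifier names), narrowing to the features that most separate the known authors, and nearest-profile attribution. The two "authors" and their samples are constructed; the similarity score also hints at the "developer we haven't seen before" case, where every profile scores low.

```python
import ast
import math
from collections import Counter

def ast_features(source):
    """Parent->child node-type bigrams: captures structure, ignores formatting and names."""
    feats = Counter()
    for node in ast.walk(ast.parse(source)):
        for child in ast.iter_child_nodes(node):
            feats[(type(node).__name__, type(child).__name__)] += 1
    return feats

def normalise(counts):
    total = sum(counts.values())
    return {f: c / total for f, c in counts.items()}

def build_profiles(samples_by_author):
    """One aggregate, normalised feature profile per author from their training samples."""
    return {a: normalise(sum((ast_features(s) for s in srcs), Counter()))
            for a, srcs in samples_by_author.items()}

def select_features(profiles, k):
    """Keep the k features whose relative frequency differs most between authors."""
    allf = set().union(*profiles.values())
    spread = {f: max(p.get(f, 0.0) for p in profiles.values())
                 - min(p.get(f, 0.0) for p in profiles.values()) for f in allf}
    return sorted(spread, key=lambda f: (-spread[f], str(f)))[:k]

def cosine(a, b, keys):
    dot = sum(a.get(f, 0.0) * b.get(f, 0.0) for f in keys)
    na = math.sqrt(sum(a.get(f, 0.0) ** 2 for f in keys))
    nb = math.sqrt(sum(b.get(f, 0.0) ** 2 for f in keys))
    return dot / (na * nb) if na and nb else 0.0

def attribute(source, profiles, keys):
    """Return (best-matching author, similarity); a low score means 'nobody we have seen'."""
    q = normalise(ast_features(source))
    scored = {a: cosine(q, p, keys) for a, p in profiles.items()}
    best = max(scored, key=scored.get)
    return best, scored[best]

# Constructed training samples: "alice" favours comprehensions, "bob" explicit loops.
SAMPLES = {
    "alice": ["def squares(xs):\n    return [x * x for x in xs]\n",
              "def evens(xs):\n    return [x for x in xs if x % 2 == 0]\n"],
    "bob": ["def squares(xs):\n    out = []\n    for x in xs:\n        out.append(x * x)\n    return out\n",
            "def evens(xs):\n    out = []\n    for x in xs:\n        if x % 2 == 0:\n            out.append(x)\n    return out\n"],
}
PROFILES = build_profiles(SAMPLES)
KEYS = select_features(PROFILES, 20)  # the "narrowing" step, scaled down to a toy corpus

if __name__ == "__main__":
    print(attribute("def doubles(xs):\n    return [2 * x for x in xs]\n", PROFILES, KEYS))
```

Because only node-type structure is counted, renaming variables or re-indenting the sample leaves its fingerprint unchanged, which is the point the summary makes about not relying on formatting.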
... could be an interesting use case.
I occasionally contribute to open-source projects, but I do so under my full name anyway. Seeing that they are able to identify authors of compiled code too, it might be interesting to see if they can identify the authors of viruses & malware that have been making the rounds the last decade. Who to sue . . .
Another use case might be the javascript found on web pages. A noscript-like utility could ditch all javascript written by the wrong people - i.e. ad-related or spyware-related stuff. Lose it without the loss of functionality a full script blocking yields.
About half the time I code something, I end up grabbing a chunk of code that someone else has written which almost does what I want but not quite, copy/pasting it, and making a few tweaks to it so it'll do what I want.
That's kinda the whole reason software is different from crafting or manufacturing - zero cost of duplication. So there's no point doing duplicate work if someone else has already done it. In fact that's the fundamental rationale underlying open source.
No need of a complex AI engine. 1) Using line numbers smells of an old dev used to early Basic stuff, 2) Using 10 and 20 confirms 1), 3) "Hello" not even "Hello, world" confirms that the dev has no other experience and is probably a lousy programmer, 4) print / goto shows a total lack of imagination, and 5) posted anonymously, so we're looking at an old degenerated pretending-programmer not really proud of his code, posting anonymously in the hope of getting a desperate funny mod while being actually almost certain to leave an unappreciated lousy post. That was easy.
Slashdot, fix the reply notifications... You won't get away with it...
Yeah, you shouldn't need to worry then. From TFA:
Experienced developers appear easier to identify than novice ones. The more skilled you are, the more unique your work apparently becomes. That might be in part because beginner programmers often copy and paste code solutions from websites like Stack Overflow.
We need a new tool to parse code, create a syntax tree, transform it in ways that do the same tasks but mask the identity of the authors, and re-emit it, anonymized.
Pffft, just copy someone else's code, problem solved. If anything happens it'll get blamed on them.
Just cruising through this digital world at 33 1/3 rpm...
Once I've worked with a team for a while, I can generally recognise who coded something from their style.
There are plenty of stylistic elements that distinguish the actual coder, even in shops with tight coding standards. Some favour for loops, some unroll their code, some cram lots of logic on one line, while others aggressively decompose. Some will write very abstract code, others tightly focused on the specific case. Some will use lots of getters and setters, others will favour tell don't ask, some will favour 'do { ... } while()', others will use while loops. Some very short snappy functions, some longer functions, some use programming domain naming, others favour business domain naming. Some favour arrays, others favour collections.
I've often been approached by colleagues with comments such as 'this looks like your code', and they are usually right, so this is not some special skill I possess. It is absolutely realistic that an algorithm or AI could identify these elements with static analysis and metrics and a sufficient sample.
is the obvious application
I just want to know what my old Perl code does. Maybe this can help!