Cracking the Mind of a Hacker
by James Glave
8:25 a.m.  20.Jan.99.PST

SAN JOSE, California -- The average computer cracker is an obsessive
middle-class white male, between 12 and 28 years old, with few social
skills and a possible history of physical and sexual abuse.  That was the
controversial conclusion of Canadian psychologist Marc Rogers, in his
"Psychology of a Hacker" session, held late Tuesday at the RSA Data
Security Conference.

A former police computer crimes investigator and author of a doctorate
focusing on hackers and cyber terrorists, Rogers offered a new taxonomy
for network intruders.

"Hackers have been dubbed the enemy of information security," said Rogers.
"They research their targets, they know a lot about us. They are very good
at intelligence-gathering or sharing."

In 1998, the Computer Security Institute estimated that intrusions cost
corporations US$236 million worth of damage, according to Rogers.

But information systems managers have very little knowledge of what makes
a hacker tick. Thus, Rogers developed psychological profiles to aid law
enforcement investigators and the legislators who are writing new
anti-cracker laws.

Rogers offered what he called a new taxonomy of hackers, categorizing
intruders as newbies or script kiddies (who are beginners), cyberpunks
(older, but still antisocial geeks), insiders (disgruntled employees),
coders (who actually write the exploits), professionals (hired guns), and
full-fledged cyber terrorists.

Computer security experts in attendance hotly contested Rogers' claims,
alleging that his work plays to sensationalist fears and creates a
stereotype of limited value to investigators.

"He has got the age group, but when it comes to social groups he's got
that wrong completely," said Alton Tuttle, a freelance computer security

"In most social groups you are going to find a baseline of people who were
[sexually] abused," he added.

"Statistically, the majority of what he said was wrong," added Peter
Shipley, chief security architect for the Big Five firm KPMG. "I know a
lot of hackers, [including one who] spends an hour and a half in the gym
every day.  He is built! I know of women who are knock-down gorgeous who
are hackers."

Shipley said that criminal profiles are proven to work to track down
serial killers but that "the hacker profile is so diverse and wide that a
strong profile could not be useful."

Rogers characterized members of one subgroup he called "cyberpunks" as
socially inept, burdened with unresolved anger that they take into

"They relate better to computers than humans," Rogers said. "They can
spend hours and days glued to a computer."

He described an incident several years ago when investigators raided a
residence, expecting to find a computer left running an automated attack.
A machine at that location had been attempting the same routine on a
system for days.

What the investigators found instead, Rogers said, was a man suffering
from a mental disorder. "He had a porta-potty under the seat, and he was
buzzed out on Coca-Cola and candy."

Shipley said that Rogers was going for shock value with such descriptions.
"He is trying to paint hackers as 25-year-old men who can't control their

Rogers said that while there was no empirical evidence linking computer
criminals with what he termed computer-addictive disorder, hackers tend to
be obsessive types.

Shipley and freelance network engineer Aaron Peterson said that the
intense, focused mindset typical of someone trying to model a problem
could easily be mischaracterized as obsessive.

Rogers closed out his talk with a grim scenario for corporate America.  He
said that some crackers claim to be under contract to fix Y2K legacy code
and are in a position to introduce all manner of logic bombs and back
doors into the "fixed" code.

"I think you are going to find a real mish-mash of things happening once
the year 2000 rolls along," he said.

Michael King, spokesman for the Hackers Defense Foundation, said he had
never heard of such a claim.

"Generally, people won't tell even their best friends something like
that," King said. "There are not many [crackers] out there who would let
themselves get that carried away."
