Date post: 14-Dec-2015

Critical evaluation of current means of coping with computer crime – should we ask hackers what they want?

*Stepan Konecny

Institute for Research on Children, Youth and Family, Faculty of Social Studies, Brno, Czech Republic

*This study was supported by MSM0021622406

Hackers and mass media

• almost mythological power of hackers

• „quasi-psychological“ profile of hacker’s personality

• mass media usually prefer describing only blackhat hackers

Introduction to the problem

• The difference between hackers and security experts need not be as big as we think

• It is not so difficult to cross the border from one of these groups to the other

• The bad social representation of hackers is usually caused by the mass media’s description of their illegal activities

• Current legislation prefers only persecution, not prevention

• Young people interested in computer security don’t have an opportunity to learn and test the security of servers and web pages in a safe environment

Goals of this study

• Are there any signs of character abnormalities?

• Find out/define starter(s) which trigger risky behavior

• Advantages and disadvantages named by hackers themselves

Method and sample

• Semi-structured online interviews

• Respondents were contacted through security portals and discussion forums + snowball technique

• 8 participants (another 6 were excluded for social engineering, which is not a typical kind of hacking)

• Age of participants was about 18-32

• All participants were men

Please describe your typical hacking. Which areas are you interested in?

• My|Ms/SQL injection, file Inclusion, log injection, Command Execution, cross site scripting, Cross Site Request Forgery, information disclosure, ajax worms ... (4194)

• Everything, from webappz over rooting, mass owning and zeroday exploitation (Nostur)

• Searching security leaks in web applications (.cCuMiNn.)

• My goal is not to attack other web sites or servers and destroy them. I am trying to warn the owner and to help with fixing errors. In this way I also learn how to avoid those errors when I am programming my web applications (RubberDuck)

How did you come to hacking?

• I was simply fascinated by the original thought of hacking, the amount of possibilities, how to get to the system etc. (4194)

• I’ve loved hacker’s movies and the word „hacking“ had a magical denotation for me (.cCuMiNn.)

• Probably the most powerful driving force for me was to gain respect from others due to skills I have. (cm3l1k1)

• I saw a book „Hacking without mysteries“, my parents bought it for me and I started to study. Then I started looking for other „comrades-in-arms“ on discussion forums. (RnmX4)

• I wanted to work for the USA government (since I was inspired by some movie) and it was a foolish idea of course. (ShaiMagal)

Do you remember any important event from the time you started hacking?

• I wouldn’t look for some particular event which made me interested in hacking. (.cCuMiNn.)

• A lot of events happened when I became interested in computers because it was in my teenage years. If you ask me if I lived only „with computers“, I wouldn’t say that (cm3l1k1)

• Nothing important happened (Nostur)

If you could change anything from this time, what would it be?

• Nothing (4194)

• Definitely nothing. It was better than going to the pubs with friends and getting drunk (cm3l1k1)

• I don’t regret anything. Maybe I could have studied informatics much earlier (Emkei)

• I wasted a lot of time looking for some skillful hacker who would teach me. For that reason I am always ready to advise anyone who is not completely lame. (RnmX4)

Can you describe the pros and cons of your hacking?

+ skills can be useful in your work (4194)

+ increasing your analytic/creative/logic thinking (4194)

+ I can change prices in e-shops or lease my botnet which can bring me money (Emkei)

+ I love that feeling when you become admin of the system (Nostur)

+ you can manifest your opinion, e.g. I recently „corrected“ some Russian web pages when Russia attacked Georgia (RnmX4)

- you lose the ability for active communication with others (.cCuMiNn.)

- incomprehension from mass media and public. They will think of you as a terrorist (RubberDuck)

- if they catch you, you will go to jail (RnmX4)

When you imagine someone younger in your position, what advice would you give him or her?

• Create your own application/methods instead of using applications already made by another hacker. On the black market you can only sell those applications which are original and have not been revealed yet (4194)

• Lrn2google? (Nostur)

• Learn, learn, read, read, try and try (RubberDuck)

• Sell your knowledge (ShaiMagal)

Are you a member of any hacker’s community?

• I am a member of a few non-public communities (4194)

• Of course (Nostur)

• I am the founder of a community which serves newbies to learn step by step how to hack, and at the same time they are taught that they are able not only to destroy someone’s job but to refine it (RubberDuck)

• I am definitely a member of a community, we have a lot of 0day exploits, botnet (not the smallest one) etc. (RnmX4)

• I am not a member of any community. In normal communities no one will trade with you. Exchange of exploits, zombies or valuable information always proceeds between people who can trust each other. (Emkei)

In the future, do you think you might engage in computer security as a professional?

• Yes, sometimes I think about it (RubberDuck, .cCuMiNn.)

• I am already doing it, but a lot of companies think that they have their applications secured enough and they don’t need a security audit (cm3l1k1, Nostur, ShaiMagal)

• Maybe. On the one hand I like my freedom, and in the case of penetration testing I prefer my instinct and experience over standard procedures preferred by certified companies (Emkei)

General conclusions

• We have to critically re-evaluate the existing attitude towards hackers – all we do is look for them when we want to punish them. Maybe it would be more effective if we educated them and then tried to employ them.

• Contrary to the mass media presentation, young hackers need not all be deviant individuals

• Although some of our participants may be only „script kiddies“, they can still be dangerous when they try to learn something

• The main motivation for hacking is usually not to harm, but only to improve one’s skill, which is often connected with testing one’s skill on operating systems

General conclusions

• The typical first motivation for becoming interested in hacking is the romantic presentation of hackers in movies – it is connected with superior skills, powerfulness, respect from others

• We should try to establish communication with young hacking applicants who have been interested in this area for some time and are considering a professional career in it

• The majority of them are motivated to be(come) professionals; some of them even mentioned collaboration with the police or the Ministry of the Interior.

