Tuesday, December 12, 2006

Hacker Psych 101

Well, it's happened again. The Los Angeles Times reports that for more than a year prior to Nov. 21, 2006, somebody was siphoning personal information such as Social Security numbers from a database of more than 800,000 students and faculty at UCLA. Eventually, the system administrators noticed some unusual activity and suppressed the hack, but by the time they closed the door, a great many horses had escaped the barn.
This is one of the biggest recent breaches of data security at a university, but it is by no means the only one. The same article reports that 29 security breaches at other universities during the first six months of this year affected about 845,000 people.

Why is hacking so common? This is a profound question that goes to the heart of the nature of evil. It's good to start with the principle that, no matter how twisted, perverse, or just plain stupid a wrong action looks to observers, the person doing it sees something good about it.

For example, it's not a big mystery why people rob banks. In the famous words of 1930's gangster Willie Sutton, "Because that's where the money is." To a bank robber, simply going in and taking money by force is a way to obtain what they view as good, namely, money.

There are hackers whose motivation is essentially no different than Willie Sutton's. Identity theft turns out to be one of the easiest types of crime for them to commit, and so they turn to hacking, not because they especially enjoy it, but because it will lead to a result they want: data they can use to masquerade as somebody else in order to obtain money and goods by fraud. This motivation, although deplorable, is understandable, and fits into our historical understanding of the criminal mind, such as it is. As technology has advanced, so must the technical abilities of criminals. At this point it isn't clear whether money was the motive behind the UCLA breach or not. Because the breach had gone on so long without notable evidence of identity theft, it's possible that this was a hack for the heck of it.

Many, if not most, hacks fall into this second category. For an insight into why people do these things if they're not making money or profiting in some other way, the insights of Sarah Gordon, a senior research fellow at Symantec Security Response, shed some light on the matter.

Gordon's specialty is the ethics and psychology of hacking. In her job at Symantec, she has encountered just about every kind of hack and hacker there is. In an interview published in 2003, she says that the reason many people feel little or no guilt (at least not enough for them to stop) when they write viruses and do hacks is that they don't consider computers to be part of the real world. Speaking about school-age children learning to use computers for the first time, she said, "They don't have the same morality in the virtual world as they have in the real world because they don't think computers are part of the real world."

Gordon says that parents and teachers should share part of the blame. When a child steals someone's password and uses it, for example, a teacher could ask, "Would you steal Johnny's house key and use it to poke around in his bedroom?" Presumably not. But the analogy may be a difficult one for children to make—and many adults, for that matter.

Gordon thinks it may take a generation or two for our culture's prevailing morality to catch up with the hyper-speed advances in computer technology. She sees some progress in the U. S., noting that there is a new reluctance to post viruses online, whereas a few years ago no one thought there was anything wrong with the practice. Still, she thinks that hacking and virus-writing is an act of rebellion that remains popular in countries where young people are experiencing computers and networks for the first time, and rebellion is just part of human nature. A boy who grew up in a thatched hut with no running water, moves to a city, and finds that he can disrupt the operations of thousands of computers halfway across the world with a few keystrokes can receive a power buzz that he can get nowhere else in his life.

It seems to me that the anonymity provided by the technical nature of computer networks also contributes to the problem. Some say that a test of true morality is to ask yourself whether you would do a bad thing if you were sure you'd never get caught. The nature of computer networks ensures that very few hackers and virus writers do get caught, at least not without a lot of trouble. And it looks like lots of people fail that kind of test.

Well, I'm a teacher, so if there are any students reading this, I'm here to tell you that just because you can hide behind a computer screen, you shouldn't abandon the Golden Rule. But it may take a few years for the message to soak in. At the same time, I recognize a broader generalization of Sarah Gordon's notion that rebellion is part of human nature: evil and sin are part of human nature. I think this was a feature of humanity that many computer scientists neglected to take into consideration way back when they were establishing the foundations of some very pervasive systems and protocols that would cost billions of dollars to change today. Eventually things will get better, but it may take a generation or more before password theft and bicycle theft are viewed as the same kind of thing by most people.

Sources: The Dec. 12 L. A. Times story on the UCLA security breach is at http://www.latimes.com/news/local/la-me-ucla12dec12,0,7111141.story?coll=la-home-headlines. The interview with Sarah Gordon is at http://news.com.com/2008-1082-829812.html.

1 comment:

  1. Hi,
    I really enjoyed your blog entry on technology, hackers, and the future. Actually, all of your blog entries are very interesting!

    However, I especially like how you summarised the 'hacker' aspect of the research I've done. I'm so glad you found it interesting enough to comment on.

    I just wanted to say THANK YOU!

    Dr. Sarah Gordon
    Senior Principal Research Engineer
    Symantec Security Response

    ReplyDelete