One Secret That Stops Hackers: Girlfriends

[Eugen Leitl]

http://www.informationweek.com/news/security/management/240003767

One Secret That Stops Hackers: Girlfriends

The majority of hackers "age out" of hacking as they get older and find
girlfriends, families, and other responsibilities. Why not invest in
educating young hackers sooner, instead of locking them up later?

Mathew J. Schwartz | July 16, 2012 11:43 AM

Want to put a stop to hacking? The solution is simple: Get hackers
girlfriends.

To be sure, that prescription is tongue-in-cheek, but it speaks to a hacking
truth: Based on arrests of alleged Anonymous, LulzSec, TeamPoison, and other
hacktivist group participants--not to mention many cyber-crime gangs--it's
the rare participant who's over the age of 25--or even 19.

Clearly, the early 20s are an inflection point in most hackers' lives, when
they transition from engaging in criminal activity to becoming law-abiding
citizens. Accordingly, might outreach programs, perhaps involving older
ex-hackers, help keep them out of jail? They might even steer would-be
hackers into lucrative professions that put their skills to better use, such
as penetration testing.

The question of whether outreach programs would be effective requires working
backwards, starting with the reason hackers--who are overwhelmingly
male--stop hacking. That's typically because they get girlfriends, jobs,
children, or other responsibilities. "We see a lot of adolescent hackers just
'aging out,' and there are relatively few who remain life-course persistent,"
says cyberpsychology expert Grainne Kirwan, a lecturer in psychology at
Ireland's Dun Laoghaire Institute of Art, Design and Technology, in a phone
interview.

While conducting research for her criminology Ph.D., Kirwan interviewed about
20 hackers and found that the majority stopped hacking due to their changing
life circumstances. "The chances are by the time they turn 18 or 19 they'll
age out, and if they haven't stopped then, by the time they get married,
settle down, and have kids, they won't have time to do this type of behavior
anyway," she explains. "As they get older, their moral development gets
better, and they don't have the ability to commit crimes anyway."

Kirwan said the aging-out phenomenon isn't limited to young hackers. "What we
know from general criminology research is that offenders age out, and that
they tend to age out when they start to settle down, find a significant
other, and [other] factors that will reduce the likelihood of their wanting
to offend," she says.

The prevalence of minors who hack hasn't gone unnoticed in law enforcement
circles. Speaking earlier this year at the RSA conference in San Francisco,
Eric Strom, unit chief for the Cyber Initiative and Resource Fusion Unit
Cyber Division at the FBI, said the bureau believes that in general,
hacktivist groups are run by a small number of people who combine "technical
knowhow and the ability to impress upon younger people" the desire to launch
certain types of attacks. But, he said, "the challenges of going after the
larger group [of participants] is that most of them are minors."

How should law enforcement address that, especially when those kids' parents
likely think their son is upstairs doing his homework, not launching a law
orbit ion canon distributed denial-of-service (DDos) attack?

To answer that question, it helps to know why hackers hack. In fact, most
hackers--who are older minors or young adults--"are desperately trying to
assert their own independence, and believe they can make a change in the
world that their parents can't," says Kirwan. "They kind of forget that it's
their parents' generation who invented hacking."

Many kids involved in hacking view their activities as a benign form of
protest, when the laws--as currently written--can criminalize some types of
related behavior. "They are sitting at their computer and saying, 'I'm not
committing a crime,' because it doesn't feel like committing a crime,"
explains Kirwan.

The FBI's Strom said the bureau tries to draw a clear line between online
protests and online attacks. "Certainly if they're just complaining about
something, they have every right to do that--and we don't have any problem
with that," said Strom. But if they hack into a system or go after someone in
law enforcement and their family, that's a different story.

Also, there can be seeming inconsistencies between what's legal in the real
world as opposed to online. "In the western world, we generallyb& encourage
political activism, even when it might have a negative effect on business,"
said Grady Summers, vice president of Mandiant, speaking at this year's RSA
conference. For example, workers can picket their place of business over poor
working conditions, and people can protest in front of foreign embassies or
set up Occupy Wall Street camps that may impact local businesses. But by
comparison, "the digital equivalent of that--a DDoS attack that takes a site
offline for a few hours--is clearly criminal," he said.

Should the laws pertaining to DDoS attacks, when launched for protest
purposes, be changed? Regardless of wrong or right, in today's
"must-be-seen-as-tough-on-crime" political arena, it's unlikely that related
laws or jail times would ever be curtailed. Furthermore, do we really have a
full enough understanding of exactly why people hack?

"What do we really know about hackers engaged in bad stuff? Do we have a
proper, accurate, working taxonomy of people involved in cyber-criminal
activity, cyber espionage, cyber warfare, and so on?" said Darkmarket author
Misha Glenny, speaking at this year's RSA conference. "Who are the
masterminds behind the attacks? Are they suave social engineers, are they
highly skilled hackers, or are they psychopathic characters who combine both
attacks?"

Another question concerns whether many hackers might also have Asperger's
syndrome, a form of autism characterized by having difficulties with social
interaction, and often also an affinity for obsessive or repetitive routines.
Kirwan says a connection between hacking and Asperger's has been noted
anecdotally because "it's a facet of some of the most publicized cases." For
example, both the lawyers for NASA hacker Gary McKinnon and accused LulzSec
member Ryan Cleary have said their clients have the disorder.

The Asperger's theory would handily explain why many kids hack, as well as
why they're so good at it. "People who have Asperger's syndrome are less
likely to find full-time employment or to settle down with a family," says
Kirwan. "Another trait for people with Asperger's is they will find out
everything they know about something they like." But she cautions against
trying to reduce the cause of hacking to just a developmental disorder. "I
certainly don't want to do a tarring with one brush," she says.

Keeping the potential Asperger's connection in mind, if most hackers do
simply age out, could prevention programs be put in place to help deter
minors before that happens? For example, why not turn to older, more mature
ex-hackers to educate younger hackers about the risks, or to try and help
them put their talents to a legalband, given the state of the information
security job market, likely quite remunerative--use? "Putting the two
together seems like it would reduce the crime, but the next step is to test
that and see if that's what really happens," says Kirwan.

Unfortunately--at least where Kirwan's hacking studies are concerned--hacking
interviews and research conducted for her Ph.D. have given way to the
responsibilities of a full teaching load. "It would be fantastic if I could
buy out a bunch of my time and work on a project like this," she says. "But
we'd need the funding to do that, and at the moment, that funding doesn't
seem to be around."

So here's to a show of hands from businesses and government agencies that
don't want to get taken down by hacktivists: Rather than locking up hackers
after the fact, who wants to fund better hacking research and practical
hacking-prevention campaigns?

Black Hat USA Las Vegas, the premiere conference on information security,
features four days of deep technical training followed by two days of
presentations from speakers discussing their latest research around a broad
range of security topics. At Caesars Palace in Las Vegas, July 21-26.
Register today.