Learning about Security Threats: Profiling

A look at what it means to be a hacker.

This excerpt is from Chapter 16, Profiling, in Know Your Enemy: Learning about Security Threats, written by Lance Spitzner and published by Addison-Wesley. To read the entire chapter, download it here for free.

(Note: This chapter is written by Max Kilger, Ofir Arkin, and Jeff Stutzman.)

A SOCIOLOGICAL ANALYSIS OF THE WHITEHAT/BLACKHAT COMMUNITY
As noted above, the previous chapters focused on the technical tools and techniques used to detect and identify specific types of attacks and the individuals or groups conducting them. In this section, we will turn our attention to a broader, more theoretical look at the members of this social community. As mentioned in the introduction to this chapter, an understanding of the blackhat community is equally as important as an understanding of the technical tools used to discover their exploits. In gaining an understanding of the blackhat community, we will look briefly at the identity crisis that exists within the community, the motives of individuals and groups, and the social structure of the combined whitehat/blackhat community, in order to identify some of the large-scale forces shaping the attitudes, behaviors, and actions of its members.

The theory and motivations discussed in this section, while specifically aimed at external threats, also generally apply to other specific situations such as insider threats. However, insider threat situations also contain significant intervening forces, such as the nature of the relationship between the company or organization and the employee/attacker. The complex manner in which these intervening forces interact with the organizational environment lies beyond the scope of this chapter and so is not discussed here.

HACKER, CRACKER, BLACKHAT, WHITEHAT: IDENTITY CRISIS AND THE POWER OF LABELS
At the heart of many of the myths surrounding members of both whitehat and blackhat groups is the extensive history of labeling and mislabeling of groups and individuals that has occurred. Labels are a very powerful component of social life and can have far-reaching consequences for an individual, a group, or an entire culture. They are also a key element in how individuals create and maintain identities for themselves and others. In this case, we are dealing entirely with a latent social label -- that is, an identity that is not directly observable. There is no official "hacker identity card," no reliable identifiable physical characteristics (despite attempts by the media to suggest the contrary), nor any single means among members of the community themselves for identifying others that share their identity.

While the latent nature of this social identity makes it easier for individuals to identify themselves as hackers, it also presents problems both to the stability of their self-identity and to their effectiveness in communicating their identity to others and gaining entrance to a social group of others who also identify themselves as hackers. It also suggests that efforts to produce some sort of objective census of individuals who label themselves as blackhats, whitehats, or some other identity within the hacker community are most likely bound to fail. A brief look at the history of the hacker label will help provide some background on how some of this identity crisis evolved. The origin of the term "hacker" is the computing community itself. The word appeared in early versions of the "Jargon File," a community-maintained file of shared words, phrases, and their meanings, which eventually was published in print as The Hacker's Dictionary, by Eric S. Raymond (1996). The meaning of the term hacker can be extracted from Raymond's book:

":hacker: /n./ [originally, someone who makes furniture with an axe] 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary. 2. One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming. 3. A person capable of appreciating {hack value}. 4. A person who is good at programming quickly. 5. An expert at a particular program, or one who frequently does work using it or on it; as in 'a UNIX hacker'. (Definitions 1 through 5 are correlated, and people who fit them congregate.) 6. An expert or enthusiast of any kind. One might be an astronomy hacker, for example. 7. One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations. 8. [deprecated] A malicious meddler who tries to discover sensitive information by poking around. Hence 'password hacker', 'network hacker'. The correct term for this sense is {cracker}."

Note that meanings 1 through 7 of the definition do not ascribe intention or assign a moral value judgment to individuals labeled as hackers. In this sense, the term hacker could be, and originally was, applied to everyone who fit the description, whether their actions were viewed as being helpful or criminal.

So how did the term hacker come to have its negative connotations? The news media played a large role in associating criminal behavior with the term hacker. Whenever the news media would report some computer crime-related incident, they would label the perpetrators "computer hackers." According to the formal definition cited above, they were probably perfectly correct in doing so. However, the unfortunate consequence of this repeated news media labeling of criminal incidents as being caused by "computer hackers" was the eventual association by the public of the term hacker with the concept of a computer criminal. Eventually, individuals within the computer community who called themselves hackers tired of the negative identity they carried and attempted to redefine these "evil-doer" hackers as crackers, after their popular pastime of attempting to crack computer-encrypted password files. Further attempts at redefinition followed. More recently, hackers working for goals viewed as positive by society have labeled themselves as "whitehats," while those working for negatively evaluated goals are labeled as "blackhats," in the tradition of the old American West. One natural extension of this nomenclature has been the emergence of "grayhats," individuals or groups whose actions are viewed as somewhere in an ambiguous no-man's-land between the whitehats and the blackhats.

Such efforts made by "hackers" to redefine their identity underscore the importance that labels hold in the world. One veteran member of the hacker community, addressing relative newcomers at a recent hacker convention, proclaimed "Blackhats, whitehats, we don't wear no stinkin' hats!" to emphasize the rejection of even those labels used within the community itself.

However they define themselves, it is likely that this identity crisis will continue for some time to come. Even today it is common to find references to perpetrators of computer crimes referred to as hackers in the news media, and further instances of this negative stereotyping in the news and popular media are likely to continue. Thus, the stigma that colors the entire computer community is likely to be difficult to shake, even for whitehatted members. In subsequent discussions of motives and social structure, it will be helpful to keep in mind this crisis of identity that many members face.
