Security

Hackers: From innocent curiosity to illegal activity

Researchers asked why talented youth skilled in "computerese" evolve into criminal hackers. Michael P. Kassner explains their unexpected results.

I'd like to introduce you to Ben, an intelligent, personable young man, who has shown a propensity for all things techy. At the age of eleven, Ben tested and passed both the Technician and General class ham radio license.

In middle school, Ben took to computers like Minnesota mosquitoes take to bare skin. By the time Ben graduated from high school he had accumulated a string of computer and networking certs including MCSE and CCNA, a 4.0 GPA, and was awarded numerous collegiate scholarships.

Because of a few stunts in high school, Ben had a somewhat tense relationship with the school district's CIO. Fortunately, Ben skirted the issue by helping the district's IT department plug the security gaps he discovered.

Ben is now in his second year at university. Up until recently, his biggest dilemma was deciding whether he wanted to major in Computer Science, Electrical Engineering, or perhaps both. The operative word being "was." As of today, it is unknown if Ben will even be in college next year.

Ben is in trouble — deep trouble for illegal computer hacking.

If people had known

I wish the April 2013 ACM article, "Why Computer Talents Become Computer Hackers," written by Professors Zhengchuan Xu, Qing Hu, and Chenghong Zhang would have been published sooner — a whole lot sooner. Maybe people concerned about Ben's welfare would have better understood the mess he was getting into, and helped him.

In their paper, the researchers divided the process of evolving into a criminal hacker into three stages: initiation, growth, and maturation. According to the paper, the middle stage is the only one getting any real attention:

Published studies focus primarily on the middle stage — growth — of the evolutionary path of computer hackers, in which hackers organize into loosely connected groups and virtual or real communities; acquire technical skills through mentoring and sharing; and establish social orders, group norms, and individual and social identities.

The professors expressed concern about the other stages:

However, little research has targeted the first and last stages — initiation and maturation — leaving many questions unanswered or with no clear answers, including: how, and why certain talented young people evolve into pathological computer hackers?

Since there was little research into initiation and maturation of hackers, the team decided to conduct their own study of six young and talented computer hackers, hoping to gain insight into why individuals with so many gifts prefer a criminal lifestyle over a promising career.

Ever evolving

Let's look at what happens in each of the stages (I condensed what the researchers described in their paper): Initiation
  • Early interest in computers: The research team found all but one of the subjects developed an early interest in computers.
  • Innocent motives: The subjects wanted to know more about computers, and enhance their online experiences. To do so required the subjects to alter existing software or overcome network restrictions.
Growth
  • Minds are not challenged: All six subjects were capable of being A-students, but were uninterested, preferring to spend their time learning hacking skills.
  • Porous security: The research team chose to mention what we all know, computers and networks are insecure. Meaning the subjects did not have much of a barrier to overcome.
  • Tolerated by schools: This appears to be a touchy subject; to get it right I'm going to quote the researchers:"Although it's clear not all school computer administrators are indifferent to hacking, evidence shows our student hackers were usually able to mend the relationship to avoid punishment after their hacking was exposed." In other words there were no repercussions.
Maturation
  • Associate with other hackers: If I have a problem, I go to the experts for an answer. No sense reinventing the wheel, ask someone who's already done it.
  • Shifting moral values: This concern is tough to quantify, and getting answers had to be difficult. Every one of the subjects felt they knew the difference between right and wrong, and have not stepped over the line. But, the subjects admitted they would consider it if their survival depended on it, or justice would be served.

Those are the evolutionary steps; the researchers then tried to figure out which ones had the most impact on convincing someone to take on malicious hacking. There were three.

The number one enabler is the lack of security and the abundance of software vulnerabilities. It is just too much of an enticement for young inquisitive minds. The other top enablers were tolerance of hacking by schools, and association with other more experienced hackers.

What can we do?

The researchers came to the conclusion there are two things we can do:

This framework calls for zero tolerance for hacking in schools and early intervention (such as through courses in computer ethics in middle and high schools, supervised competitions in defending computer security, and organizing computer security services for organizations) to strengthen the moral values of students against hacking and channel their interest in computers in a positive direction.
Zero tolerance and early intervention, I asked a few teachers and administrators what they thought about the team's conclusions. Unfortunately, I have not received any answers by deadline. So, I'd love to hear from you (particularly those who teach): do you agree with the paper's conclusions?

Final thoughts

What am I taking away from this article? Some serious guilt. Looking back, I recall numerous situations where I reacted just like most teachers — far too reserved — when students told me about their hacking exploits. I am also guilty of providing "information" when questioned at seminars or school talks.

I would like to extend my thanks to Professors Xu, Professor Hu, and Professor Zhang; along with the ACM for providing the data, and allowing me to borrow quotes from the article.

var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");

document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));

// —>

Normal0falsefalsefalseEN-USX-NONEX-NONE

/* Style Definitions */

table.MsoNormalTable

{mso-style-name:"Table Normal";

mso-tstyle-rowband-size:0;

mso-tstyle-colband-size:0;

mso-style-noshow:yes;

mso-style-priority:99;

mso-style-qformat:yes;

mso-style-parent:"";

mso-padding-alt:0in 5.4pt 0in 5.4pt;

mso-para-margin-top:6.0pt;

mso-para-margin-right:0in;

mso-para-margin-bottom:6.0pt;

mso-para-margin-left:0in;

mso-pagination:widow-orphan;

font-size:11.0pt;

font-family:"Calibri","sans-serif";

mso-ascii-font-family:Calibri;

mso-ascii-theme-font:minor-latin;

mso-fareast-font-family:"Times New Roman";

mso-fareast-theme-font:minor-fareast;

mso-hansi-font-family:Calibri;

mso-hansi-theme-font:minor-latin;}

try {

var pageTracker = _gat._getTracker("UA-9822996-4");

pageTracker._trackPageview();

} catch(err) {}

// —>

About

Information is my field...Writing is my passion...Coupling the two is my mission.

Editor's Picks