On Thursday morning, at this year's RSA Conference in San Francisco, Chris Boyd of Facetime and I will present a talk, "How to Adapt to the Echo Generation's Social Media Hacking Game." The following is a preview of that talk, presented in three parts. On Tuesday, we're looking at who are the Echo Generation hackers. Wednesday , we'll look at how they use online social media for hacks. And on Thursday, we'll talk about how Chris uses features of social networks and Web 2.0 to shut these kids down.
It's a world of fake hacks and stolen Habbo Hotel and World of Warcraft gaming accounts. Sometimes there's money associated with it, but most often the scams and the pranks are just for prestige.
Welcome to the next generation of computer hackers, the teenybopper edition, where the kids, ages 11 to 16, don't consider YouTube, MySpace.com, Facebook, and Xanga to be social-networking sites. They call them "social engineering sites."
They're the geek subset of the so-called Echo Boomers, a generation defined as children born between 1982 and 1995; they are also sometimes called "Generation Y" or "Millennials." The Echo Boomer name is a direct reference to the Baby Boomers, born some 30 years before, and many in fact children of Baby Boomers. According to CBS News, Echo Boomers already spend $170 billion a year of their own and their parents' money, so from a marketing perspective they're significant.
They're the first generation to experience the growth of the Internet at a very early age. Some are early adopters of cutting-edge Web 2.0 applications and services such as video streaming and social networking. Some of these kids have begun to dabble in computer hacking, but unlike previous generations of computer hackers, it's not about discovery, it's all about them.
According to Chris Boyd, director of malware research at Facetime Security Labs, Echo Boomer computer hackers "don't seem to be as wise to the risks as older generations were." They leap from social-networking site to social-networking site. And they are quite happy to post photographs of themselves on sites selling stolen credit cards. They're non-anonymous on the Internet, he says, often keeping the same username, which makes them easy to shut down.
But keeping one username in particular is behavior that is not necessarily true of all mainstream teenage users, suggests Danah Boyd (no relation to Chris Boyd). As a Ph.D. candidate at the University of California at Berkeley and a fellow at Harvard Law School's Berkman Center for Internet and Society, her graduate work has focused on how people manage their presentation of self in online environments. Her subsequent research has found anecdotal evidence of teenagers who create a throw-away e-mail account for the sole purpose of creating a new social site page. Then, over time, if they lose their password to the site or to the e-mail account, they simply create a new account and a new profile page.
Where the teens are
In January 2007, the Pew Internet & American Life Project released a study of 935 mainstream U.S.-based youth aged 12 to 17 years old. Overall, 41 percent of the youths aged 12 to 13 had social site profiles, while 61 percent of the youths aged 14 to 17 did. But by gender, the differences are clear. Seventy percent of girls aged 15 to 17 have a social site profile compared with only 50 percent for boys the same age.
In the study, the mainstream teens said the social network they updated most was MySpace (85 percent), with Facebook (7 percent) and Xanga (1 percent) far behind. A quarter of the teens surveyed said they visited their site once a day, with another 20 percent saying they visited more often. Another 20 percent said they visit once every two weeks. Not surprisingly, use of the social-network site changed with computer access. Youths who accessed the Internet at home accessed social sites more often--58 percent as opposed to 42 percent who accessed the Internet from school or some other public terminal.
The importance of these social-network profile sites in the lives of mainstream Echo Boomers varied among those surveyed. Ninety percent said they use the sites to stay in touch with friends they see often, and 82 percent said they stay in touch with those they do not see as often. A majority use the sites for making social plans. But when it comes to making new friends, the teens were evenly split. And as for flirting, 83 percent (male and female) said they did not do that. Sixty percent of the youths surveyed reported limiting access to their site profiles.
Why they're online
In one paper, Danah Boyd likens online social networks to radio and mass media in past generations, except that social networks allow interaction as opposed to being fed information from the mass media. Echo Boomers may be the first generation to interactively define who they are. She adds, "this is highly beneficial for marginalized youth, but its effect on mainstream youth is unknown."
"Because the digital world requires people to write themselves into being," she writes, "profiles provide an opportunity to craft the intended expression through language, imagery and media. Explicit reactions to their online presence offers valuable feedback. The goal is to look cool and receive peer validation."
She added, "for those seeking attention, writing comments and being visible on popular people's pages is very important and this can be a motivation to comment on others' profiles."
This is consistent with Chris Boyd's research into Echo Boomer hackers that create one username and see how it plays on the social networks. "This is more of a lifestyle statement to a lot of these kids. A lot of it is about fame and fortune," he said.
He said in his research that he sees kids starting between the ages of 11 and 13 on online gaming sites. "A lot of these kids mature on to Habbo Hotel,.Runescape, and things like that. From there they start to learn about the basic hacks and cracks and patches." Some start to run their own forums. That's when, he said, they start to get a bit more adventurous; then they start looking into the phish pages, the fake account stealer programs that you get for Runescape. He said there's a strong link between gaming communities and teenage computer hacking although he doesn't know if anyone's ever actually set down some hard statistics.
He cites an example of a kid on a forum who posted that his YouTube account had been shut down. The kid wanted others on the forum to launch a campaign to get his username reinstated. "Rather than recreate the username with a one or a two on the end," Boyd said, "he was so obsessed with his own particular username, with the uniqueness of it and all that, that, in his own words, he'd rather retire from the hacking scene than lose his username."
Additional research suggests that teens of a certain age have "settled," and are therefore much more protective of their nascent identities online. They're individuating from their parents; they're trying a version of themselves out in the real world, so their usernames take on additional value and weight. So when they cross the line into criminal hacking, in many ways it is just as personal as though they themselves were engaged in petty crime on the streets. And that is an important intersection for teenagers who dabble in writing malicious software.
By keeping the same username across Xanga, Facebook, and MySpace, Chris Boyd expects to find a paper trail online. And he does. He has tracked many offenders across numerous sites, some going back a few years, and done so in about 10 minutes or less using Google. "It's weird," he says. "Now when you hear about hackers it's all profit motivated--they're not doing it for hacking kudos anymore; they're not in it for the fame; they're in it for the money. There was a time when (hacking) was all about exploration, being notorious or well-known or a famous hacker. It's almost that a lot of these kids have reverted back to that way of thinking."
Except they don't see any reason to hide.
Boyd goes on to say a lot of what he's seen online is like an American Idol sort of hacker fame. Rather than having any sort of real standing of fame within the hacking community, a lot of the hacks are quite facile--a lot are fleeting. "It's because they haven't got a concept of the consequences of it all. It's almost like a fad--and it's a pretty dangerous fad, I think."
On Wednesday, we'll look at exactly what these Echo Boomer hackers are doing online.