Going beyond popular hacker stereotypes, Symantec's Sarah Gordon says cyber-rebels aren't evil--they're just misunderstood.
The senior research fellow at Symantec Security Response, Gordon is an expert on the psychology of virus writers and hackers. And she's on a mission to clean up stereotypes about these "bad guys."
Contrary to popular myth, Gordon says, cyber-rebels aren't underground loners, and they're not necessarily nerdy--or even smart. She believes they join "the dark side" of the Internet because they don't extend the same moral code from the real world to the virtual world. She blames teachers, journalists and parents for the breach.
Gordon lives in upstate New York with her husband, Internet architecture expert Richard Ford. She met him in England in 1994, when Ford was editing Britain's "Virus Bulletin." Ford attacked Gordon in an editorial for failing to attend a conference in Bulgaria. She called to complain, and he asked her to lunch. Thus began a trans-Atlantic courtship via Unix chats, which continued until they were married in 1995.
Gordon participated in the White House's Cyber-Incident Steering Group last year and conducts research at hacker conferences such as Def Con--an annual event that bills itself as the "largest underground Internet security gathering on the planet." She was previously a researcher for the AntiVirus Research and Development team at IBM's Thomas J. Watson Research Center.
She talked to CNET News.com about hacker ethics, stereotypes, and the next big threat to cybersecurity.
Q: Most academics distinguish between hackers and virus writers. What's the difference in terms of the character and ethical code of each group?
A: Hackers have a much more highly developed skill set and a different way of thinking. They're into bigger systems in the bigger picture. Virus writers for the most part aren't as technologically astute and don't have a big view. They think on the application level, not on the system level. The two cultures are sort of coming together with blended threats, but they're not really integrating on an intellectual or social level.
It seems like new viruses are cropping up on a weekly or monthly basis. Who's writing them?
They run the whole spectrum, from kids to people who do it at midnight when they come home from their corporate jobs. But in general, virus writers are young people under 30. You're talking about kids who pick up a script. You can have kids 10 or 12 years old getting into the game. I've known one virus writer who was 11.
What motivates them to write viruses instead of playing soccer or reading books?
Basically, they think it's a game. They don't realize the impact. They play with computers at school and at home, and we encourage that, but we don't encourage responsible behavior on the computer. They find a virus and tinker with it, and they don't realize what they're doing.
These kids generally don't have mal-intent. But keep in mind, it only takes two or three people to send out a virus, and it multiplies over and over, and it can really mess up the system. So while they may not realize the impact, the effects can be quite destructive.
The other thing that motivates these kids is the media. You see a virus writer in magazines and on news shows referred to as a rocket scientist. You hear so-called experts talk about how the government and private industry should recruit these kids to do security. One time, I remember hearing about virus writers as people "on the fringe of the Internet frontier," and I just cringed. When kids see this person being promoted as brilliant, they'll want to emulate that.
You're saying virus writers don't have IQs higher than the average person?
They're not necessarily smart, and you definitely don't have to be a rocket scientist to do this. It's two lines of code...Viruses aren't research or academic pursuits, and they're not at all respectable or legitimate. They're just stupid. Media in the United States and United Kingdom are doing a better job reporting consistently about how easy it is to start a virus, and more people realize that these aren't the work of rocket scientists. But the message isn't the same everywhere.
Do viruses reflect some sort of grand, moral breach in our society, or are they merely the work of a bunch of prepubescent kids with nothing else to do?
A little of both. The problem is that in school, computers are taught as games, not things that can cause real impact on people. I wouldn't read mail in my neighbor's mailbox, and I think the vast majority of kids know that this is wrong. But if it's in the e-mail in-box, kids will read it. They don't have the same morality in the virtual world as they have in the real world because they don't think computers are part of the real world.
How long might it take to develop a moral code that is consistent from the physical to virtual worlds?
It doesn't happen in one generation. It will take a long time. But we have to do something about it because the shift won't happen automatically. Educators can start teaching kids at a very, very young age what things are acceptable and what aren't--for instance, providing guidelines like, "We may share passwords but we don't steal them."
Internet service providers can also go a long way in teaching that just because something's legal or allowed doesn't mean it's ethical. You can put up virus codes online, and that's not against the law, but it is irresponsible. If people tell their ISPs they don't appreciate that these viruses are posted, maybe that will change. But if no one complains, the ISPs and the kids may think, "Hey, this cool. This is counterculture." Every kid at some point wants to be a rebel, and they'll pick up on it if it's around.
What about parents?
Absolutely. If your child loves computers, don't put it in the bedroom where you can't see it. It's critical for parents to know what the kids are doing--whether it's after school at the mall or at the slumber party. It's not different because it's the computer. You wouldn't keep your child in the bedroom with a closed door with a bunch of adult strangers. It should be the same way with a computer.
Isn't the concept of rebellion timeless, and it just happens to be manifesting itself as viruses because we're living in a digital era? Won't there always be hackers?
Sure. Rebellion is (in) the nature of mankind. We'll always see in each generation a certain degree of rebellion. A long time ago, the biggest act of rebellion ever created was the printing press. Then it was the spray-paint can. Now it's the computer. It's probably going to be the computer for some time; you have new groups of people in countries coming online every day, and they all need to discover this stage of rebellion.
Since you've been studying hackers, has there been any shift in our culture's perception of these folks?
Yes, and it's encouraging. There's been a shift since the early '90s toward whether it's OK to make viruses available online. We queried people at Def Con about whether it's OK to make viruses available to the public. In the earlier days, almost everyone said, "Hey, that's cool and acceptable." But last year, only one or two people in the audience said that. The tide is turning.
But Def Con has become so institutionalized, and it's largely the domain of American hackers. So many recent viruses seem to be coming out of Russia, China, the Philippines and other places. Are you optimistic about a cultural shift happening there?
The tide is only turning in one small corner of the world. I don't know that this is happening across the rest of the world. You take a kid in a country where there aren't a whole lot of opportunities, you give the kid a powerful tool to get a job or get out of the situation they're in--they're going to start experimenting and trying to get some notoriety or fame. What would you do if you were that kid? I don't blame that kid, really. We have to understand the problem on a global scale.
From your research, what will be the hottest act of cyber-rebellion in the next couple of years?
We'll see more integrated threats. It's not enough to have antivirus protection. You need firewall intrusion-protection. Also, the focus is on computers now, but as there are more and more mobile devices, there will be more threats. We're doing research at Symantec and presenting a paper on Java-enabled mobile phones, which could be shaping up as the next big threat.
Lots of technophiles say that the threat from viruses and hackers is overblown and that Symantec and other large security companies are preaching paranoia in order to boost sales of their products. How do you respond?
Well, let me ask you: What do you have on your computer that's important to you? What if a virus came in and wiped everything out? Would it hurt you? I don't mean to be funny, but that's the bottom line. There's proof that viruses are spreading in the computer world. It's a small price to pay to not have everything wiped out.
The threats aren't overblown. We don't pull this stuff out of thin air. I don't see a lot of sensationalism, frankly. I hear that argument that we're over-blowing the security threat and that we're making it up. But once these people get hit, they never say that again.
Let's talk about hackers, as opposed to the relatively immature and technically basic virus writers. Why do hackers break into computer systems and steal intellectual property?
Hacking is in many ways about control, and the ability to control a system is very enticing. The control doesn't necessitate much interaction with other people. The computer is a reciprocal thing; it asks you for input and you give it, and vice versa. That's a very powerful thing.
Paint a picture of the garden-variety hacker, as opposed to a virus-writing kid. Are they nerdy, loners, social outcasts?
No, not at all. The people who get attention, who make it into the news, are a bit different, and a lot of them have dyed black hair and pierced noses. They make good pictures on the front page, but really most hacking is done by the guy next door--the guy who doesn't make good news.
Frankly, many people who break into systems have wives and husbands in the other room. They're just sitting at the computer after a day of work, and they're hacking late at night. And a lot of them have developed pretty sophisticated social systems with other hackers. For a lot of them it turns into a game played back and forth: "I'll break into your system, you break into mine." It's about knowledge.
You said "husbands and wives." Are there many female hackers?
It's still predominantly male, but there are more female hackers now, and there are a few female virus writers. It didn't become popular for girls to be in computer classes until about two years ago, so I suspect we'll be seeing more. And Anna Moore won that contest at Def Con, remember? (Anna is a 15-year-old home-schooled student from Norman, Okla., who belongs to hacker club 2600 and won an ethics contest at the convention modeled after the hit television show "Survivor.")
How did you get interested in the hacker ethic and cybercrime?
It was the mid-1980s and I got a computer and happened to find a few systems on the Internet at the time. I rewired my modem and learned to solder; they didn't have those things in the 1980s in South Bend (Indiana, where she was a student at Indiana University).
I was running a bulletin board system with my CoCo (the nickname of the Tandy/RadioShack TRS-80 Color Computer) and got in touch with many people from all around the world, including some hackers. I got the Ping-Pong virus myself in about 1991, and I had to set about taking care of it. I started doing papers on it, and the academic circuit liked it. I went back to school and did some more projects on it for Indiana University. Before I knew it, CNN was in my living room and I was doing interviews. I didn't plan any of it.
Your job seems really interesting. How does someone become a hacker ethics expert?
I dropped out and ran away--don't do that. Stay in school and get a hard background in math, science, law and ethics. People who study science need a multidisciplinary approach. If you like computer code, get involved in computer science courses, but get involved in something else, too: Get a degree in engineering or biology and then get an internship at Symantec or IBM Research. Find what you love and just do it. Find out what makes your heart beat fast, and run with it.