This excerpt is from Chapter 2, Players: Hackers, Crackers, Phreaks, and Other Doodz in Software Forensics written by Robert M. Slade and published by McGraw-Hill. You can download the entire Chapter 2 here for free.
Because we may be using software forensics to attempt to identify authors of software, it may help to have a rough idea of the type of people we are looking for. Those who write malicious software, or attempt to distribute or resell commonly available commercial software, tend to belong to communities of like-minded individuals. Over the years, we have been able to glean ideas about the characteristics of this tribe. For this information, we are all indebted to researchers such as Sarah Gordon, Dorothy Denning, Ray Kaplan, and, more recently, the members of the Honeynet Project.
A couple of provisos: Whenever you deal with people, there will always be exceptions. There are those who seem to pursue security breaking from motives that are, if not exactly admirable, at least untainted by thoughts of commerce or attention. Indeed, we can't really say that all endeavors related to the creation of viral software or intrusion utilities are even illegal. While most of the activity involved in security breaking is highly repetitive, there are also those few who do come up with one or two original ideas, and experiment with them.
As another example of a deviation from a stereotype, most studies of those involved in security breaking activities have been done in western societies: Europe, North America, and Australia. Recently, groups have been quite visible in China. There are two major populations, the red guests, and the black, or terrible, guests. The black guests are apparently quite akin to Western groups, with a lack of cooperation, antiestablishment positions, and random activities. The red guests, on the other hand, seem to form very stable groups, are executives in technology companies, have links with the Chinese government, and run coordinated exercises. In this case, we have a very large group running completely contrary to the expected norms for the community, and this may be derived from the differing foundations of Eastern and Western social thought.
Therefore, we can't make blanket statements about all of those within such a community. However, as with almost any stereotypes, there are reasons for the characterizations presented here.
Particularly in doing forensic analysis, we need to beware of falling into mental traps occasioned by our own "profiles" of the adversary. If we get too caught up in any one idea, we are going to blind ourselves to important evidence, whether it be proof of innocence or guilt. While it is beneficial to have an idea of the attributes of the majority of the people we are studying, it is absolutely vital always to accept the possibility of exceptions.
For more info on this topic, visit these SearchSecurity.com resources:
This was first published in March 2004