Ethical hacking: bad in a good way
IP-centric building design: rethinking the office
Googleworlds - discovering the dark side
Browse issues
What goes on inside the hacker mind? How are their thought processes shaped by social and technological change? And could techniques like Neuro-Linguistic Programming help to turn talented but misguided IT personnel away from a beckoning Black Hat career?
Hackers are a strange, often highly-talented, bunch of individuals. Born out of the phone 'phreakers' who emerged in the 1970s and 1980s, they tend to fall into two behavioural groups: 'White Hats' - self-styled vigilantes for justice and the technology consumer, seeking out flaws in IT systems and software, helping to solve them for the common good; and 'Black Hats' - possibly possessed of obsessive/compulsive personality profiles who have made an early stage lifestyle choice in their technology career.
A third category - the 'Grey Hat', 'cracker', or ethical hacker - is starting to emerge more prominently as organisations seek additional ways to test their defences.
While White Hats tend to fall into the same broad category as law enforcement agents - generally working for the common good - the behavioural characteristics of Black Hats tend to point to a different part of the psychological spectrum, where conditions such as obsessive-compulsive disorder are to be found. These disorders often come with an obvious 'addiction' to the sheer thrill of hacking, born of having found ways around the supposed ingenuity of 'invulnerable' cyber security defences.
By the nature of their actions, most Black Hats have a self-styled ethico-moral code, working to their own rules generally formulated against a backdrop of the 'us and them' mentality. Black Hats can indeed be dangerous as - unless their abilities are channelled in the 'right' direction - they will hack systems as they see fit until they are eventually detected, located and caught, or they relocate to work for cyber-crime gangs and operations located around the world, at which point they drop-off the conventional professional IT radar.
Much has been written about former Black Hat hackers, and the fact that they often seem to be beyond the reach of law. It should be remembered that the fact they have been - and continue to be - caught and, in most cases, prosecuted in some shape or form, may signal they are not as proficient as the more dangerous category of Black Hat hackers. They often work with criminals, even though they may delude themselves that they are working for 'the common good'. The resources at our disposal for tracking down such cyber criminals are also better than they were just a few years ago.
As well as tending towards being an obsessive/compulsive, Black Hat hackers seem subject to a form of IT 'addiction' - the continued repetition of a behaviour 'despite adverse consequences, or a neurological impairment leading to such behaviours'.
Arguably the most notorious hacker with these compulsive personality traits was Kevin Mitnick, who started as a phone 'phreaker' ('phreaking' is the activity of a culture of people who study, experiment with, or explore telecommunication systems - including equipment and systems connected to public telephone networks), and was convicted multiple times.
Mitnick first gained unauthorised access to a computer network when, in 1979, at the age of 16, a friend gave him the phone number for the networked system used by computer systems vendor DEC (Digital Equipment Corporation). He then copied DEC's software - illegally, of course - a crime he was eventually charged with (and convicted of) in 1988. He was sentenced to 12 months in prison followed by three years of supervised release.
Near the end of his supervised release, Mitnick famously hacked into the Pacific Bell voicemail computers, and went on the run for two-and-a-half years, during which time he hacked into multiple computer networks, using cloned analogue mobile phones to hide his location. When he was caught in February 1995, he was in possession of several cloned mobile phones, more than 100 cellular mobile codes, and multiple false identities. He was subsequently handed a lengthy term in prison. It's worth noting that the judge in Mitnick's 1988 computer fraud trial accepted a defence on the basis of personality disorders, ordering Mitnick to complete a course of therapy for his addictive condition.
These days Mitnick is billed on the keynote circuit as a hallowed 'ex-hacker', and also makes a living as a security consultant. In an address at the IP Expo conference in London in October 2013, he recalled his former life as a hacker. Back in the 1970s, he said, hacking was significantly different.
Today, cybercriminals use a hybrid mix of social engineering and client-side computer exploits to get at organisations' ICT systems. It is, he added, much easier to attack any given IT system than it is to defend it - and it does not matter what security software you have installed, because it just takes one person in the targeted organisation to make a bad business decision, and "it's game over".
Mitnick added: "Cyber-security is about people, processes and technology, and organisations need to bolster the weakest link - which invariably is the human element."
While public appearances by Mitnick and his ilk may fascinate (he is certainly not regarded as one of the 'bad guys' by the admirers who flock for his autograph), the fact that such events are something of a media circus can obscure more serious analysis of his personality traits and psychological profile. What happens when someone like the young Mitnick applies for a job with a conventional employer? Where does their motivation lie, and what can employers do if they suspect they've put a hacker on the payroll?
Social engineers = social misfits?
What makes a hacker tick? What principles (if any) are their psychological mainsprings, as it were, wound around? Some starting clues can be found in 'Ghost in the Wires: My Adventures as the World's Most Wanted Hacker', a 2011 book that Mitnick co-authored with Apple Computer co-founder Steve Wozniak.
The book tells a fascinating story - largely because the most interesting segments are more to do with the psychology of hacking rather than the 'misuse' of technology techniques. Mitnick has now come to recognise - and even understand - that his actions were centred more on the dark science of social engineering (or 'hacking the human') than the actual misuse of computer technology - even though the 'misuse' element clearly played a major part in the execution of his hacking exploits and allied activities.
By his own admission, Mitnick classes social engineering as the art of convincing people to give up information they hold when they clearly should not do so. If, however, you exploit the human emotion of people wanting to help their fellow humans, then when you call-up the headquarters of a major company, name-drop a few key people within the organisation, and "chat-up the other person", it becomes relatively easy to extract nuggets of information that can be used as bait to persuade other people to reveal additional information.
From there, for example, people will then believe you when you say you are 'out in the field' and need access to a password that is sitting on your desk at the office. Mitnick, of course, finessed his actions constantly: this allowed him to gain access to everything from birth certificates to top-secret source code for the mobile phones of the 1980s and 1990s.
In many ways Mitnick was at the peak of his abilities in the 1980s, a decade when security technology and training to block social engineering scams - such as those carried out by Mitnick - were immature. A consideration of the hacker generation of the 1970s and 1980s suggests behaviours that appear driven by a mixture of arrogance plus an inability to easily distinguish right and wrong from good and bad, possibly co-existant with a degree of autism spectrum disorder (ASD).
Gary McKinnon, the so-called 'UFO hacker' who was a Scottish IT administrator accused in 2002 of perpetrating the 'biggest military computer hack of all time', has always maintained that he was searching for evidence of free energy suppression and a cover-up of UFO activity and other technologies that might've been potentially useful to the public. Whatever he was actually looking for, his ability to allegedly hack into nearly 100 United States military and Nasa computer systems, deleting critical operational files and rendering weapons systems inoperable, demonstrates notable technological acumen.
Subsequently the US government had accused him of causing in the region of $800,000-worth of damage. If he were to be convicted in the US, McKinnon - who has reportedly been diagnosed as having an ASD called Asperger syndrome - could have faced a prison sentence of up to 60 years. In October 2012 - around a decade after his original arrest - McKinnon, now in his mid-40s, was relieved to hear the UK Home Secretary Theresa May announce that the government was blocking his US-led extradition to the US on the grounds of his autism, and in the interests of compassion and his human rights, plus common sense.
Hacktivism and socio-history
Comparing and contrasting Mitnick and McKinnon can reveal the psychological differences between the two men. While Mitnick was - and arguably still is - the archetypal shy-boy-turned-extrovert-on-stage actor, McKinnon appears to remain relatively withdrawn - which is not surprising when you consider the pressure he was under for a decade. But while the two hackers - separated as they are by decades in their exploits - have their own distinct psyches, it is important when trying to better-understand hacker motivation to note the societal changes they have lived through.
Back in the 1970s and 1980s, hacking was viewed by the authorities as a kind of electronic joyriding - something that was reflected in Mitnick's 'Robin Hood' media coverage of the time - whereas the exploits of modern hackers are largely viewed as real and pretty inexcusable crimes against society in general. The fact that members of the public are now also victims of viruses and online banking hacks has been a game-changer.
This shifting in society's view of the different generations of hackers is not by coincidence, and is the deliberate evolution of the view of hacking that has been orchestrated - partly through the media - by successive governments and their agencies on both sides of the Atlantic.
This also demonstrates to a degree the 'psychological steerage' that governments have over the media and, through the press, reflect on to the public. However, the rise in the general level of understanding about computer hacking among the population - particularly in the UK - has been paralleled by a desire to 'expose' the government for its apparently covert activities; activities that to some run contrary to the culture of openness and transparency that characterise modern democratic government.
This trend has also given rise to the 'us and them' mentality, further triggered by more media jumping on the bandwagon, which has resulted in some hackers claiming their activities are carried out with good intention. This sentiment has spawned the 'hacktivist' - as witnessed by Anonymous and other such groups. Their abilities have been made more effective through the use of powerful utility software such as the Low Orbit Ion Cannon (LOIC) application, which allows a novice hacker to launch a sophisticated denial-of-service (DoS) attack on a target of the hacktivist leadership's choice.
Anecdotal evidence suggests that governments are well aware of the actions of hacktivist groups, and have infiltrated elements of such organisations in the UK, the US, and Europe. These undercover 'cyber agents' - whose psychological composure is likely to be highly complex, to say the least - are thought to have been instrumental in the arrest and prosecution of active hacktivists, as seen in recent prosecutions.
Subjective observations
In more than 25 years of tracking hacker issues, this writer has subjectively observed behavioural tendencies relative to ASD among many of the ind