Debunking the Hacker Profiler (part 1)

Beginning on March 29, 1999, John Vranesevich began a series called 
"How To Be A Hacker Profiler". These 'special reports' are supposed 
to enlighten readers on how hackers operate, give insight into hacker
culture, and more.

With 'news' or 'reports' like this, it is often difficult to point out 
the errata they contain the way we do for other articles, because they
lack substantial fact. Instead of the regular unfounded accusations,
misquoting, or outright libel, the Errata staff is left with vague
descriptions of unclear events or, more often, poorly written descriptions
of what most of us consider common sense.

For those of you in a professional field, you have no doubt at some point
run into someone that just didn't sit right with you. At first, you can't
quite put a finger on why you thought they were less than honest, or why
they screamed "i'm a fraud", but SOMETHING stuck with you and gave you
that feeling. Well, here it is with us. We will try to express why these 
'special reports' are nothing more than regurgitated common sense wrapped
up in buzz words and old ideas.

Further, we will bring attention to some points in the reports that make
you wonder why Vranesevich resorted to such menial tactics in writing. Was
it the only way to get his point across? Or rather, was it for lack of
anything else solid to write?

As with other errata, we list his text in white, and our own comments in
red. We are not quoting the entire article as Vranesevich has a tendency
to threaten lawsuits. 

You be the judge.

How To Be A Hacker Profiler - Monday, March 29 1999

Ok, before I go any further, let me just say that I know that I'm going to get flamed by just about every hacker who's ever been on the internet. So be it, I don't care (in other words, don't bother sending me flame mail, because I'm just going to throw it away).

[Translated: Hackers will see through this tripe and challenge me.]

I am by no means a criminal psychologist, or a behavioral scientist. What I'm going to describe in this special report is based on over 6 years of studying the "underground", and from talking with well over

[This is a clever wording. "Studying" the underground for six years? He is 20 years old at the time of writing this. His claim is that when he was *14* years old, he began studying the underground. Since 1991, the four Errata contributors and dozens of their associates had not heard of John Vranesevich until the last twelve months. In previous claims, Vranesevich (who also goes by 'JP') has said that he is NOT a hacker. So now we have JP claiming that he was a fourteen year old, studying hacker culture while he was not a hacker? Why does that sound fabricated..]

7,000 different hackers. You won't be able to find the things in this report (for the most part) anywhere

[Over 7000 different hackers? Any basis for this number? That is a little over 1160 hackers 'studied' each year. How did he qualify each one as a hacker? At what point is 'hacker' defined at all?]

else. They're techniques, observations, and comparisons that I've been devising on my own over the past few years. This is the first time that these ideas have ever been presented for public review and critique. I'm hoping that by posting them, people will write in, and share their own observations with

["..first time.. presented for public review and critique". First, JP explicitly says do not send negative feedback. Second, this statement should be qualified with "that I have seen". These observations and exact topics have been discussed in a wide variety of forms for over a decade. This type of material can be seen in hacker conferences (1), corporate training seminars, some books, and more.]

me, and possibly find flaws in some of my "assumptions". A lot of this information is coming from my personal notes and databases, and a lot of it, up until now, I considered to be "Trade Secrets" so to speak. So, I'm not going to go into a lot of areas here (Basically, I just want to be able to start some

[Email, IRC logs, and general 'notes' are "Trade Secrets"? What hacker or security professional DOESN'T do that?]

=-= An Overview - What would a hacker profiler do? (Let's first come up with a job description)

But just because the mainstream hasn't gotten a hold of the data, doesn't mean that it doesn't exist. What I hope to cover in this report are just a few of the many scenarios, circumstances, and similarities, that I've found by working with the "underground" over the years. I hope that you'll find it interesting, informative, and perhaps, foreshadowing, of some of the techniques which may some day be common tools in the "Digital Profiler's" arsenal.

[Does JP really think he is the first to think of ANY of this? That in the past three decades of computer crime, investigators have not thought of this?]

=-= Graphics, H4x0r T4lk, and Design (Why Webpage Hacks Are Like A Murder Crime Scene)

While the most serious attacks are those against an infrastructure, and not a simple webpage, webpage hacks can provide valuable insights into any particular hacker or hackgroup. Even hackers who commit the most serious of crimes, more than likely have at one time or another, done a simple "webpage hack" or two.

[This is a great pointer suggesting JP has only been around for the last three years at BEST. Statements like this conveniently lump all hackers into a stereotype embodied by hackers in the late 1990's. Consider these numbers: Attrition has mirrors of web hacks dating back to 1995.

  Year   Hacks Mirrored   Super Conservative
  1995              9                    50
  1996             24                   100
  1997             42                   200
  1998            213                   500
  1999            600                  1000

With these numbers, we can see that there are almost 900 mirrors of hacked pages. If we say there were really 1850 defacements since 1995, that brings up several points.

1. Out of 7000 hackers, explain less than 2000 web defacements and the quote "hackers.. more than likely have at one time or another, done a simple 'webpage hack'". There is a serious gap in numbers here.

2. Hacking dates back to the late 70's in the form that JP references. That leaves roughly 20 YEARS of hackers that never defaced web pages. The web protocol (HTTP) didn't gain widespread usage until 1994. This statement shows a serious lack of insight into the history of hackers and their activities.

3. This kind of shortcoming and naive belief leads to poor assumptions and inaccurate conclusions. Thinking that he has spoken to such a large number of hackers (still in question), and being so wrong about the numbers and their activities, calls every subsequent 'fact' into further question.]

=-= Bash Histories, and System Commands (More Than Meets The Eye)

Welcome to the world of rootkits and system commands! I'm not going to go very in-depth here, but I will describe a couple of interesting "fields". Some probably more obvious than others. Now, you probably won't be so lucky as to simply have a bunch of syslogs laying around after the hacker has left. But, there are other ways that the actions of users on your systems can be, and should be (and on most "important systems" are), logged. These are just a few examples. But, you can see that even though we don't have any "physical evidence" or "visibly unique evidence" we are still able to come up with identifiable fields.

[Here we have the absolute most vague recommendations possible. While all of this 'fielded database' stuff is fun, technical examination of computer logs and evidence (i.e. computer forensics) is the best and most reliable way of catching a computer intruder. Even if you manage to create this database and cross reference everything, none of it helps you prevent future intrusions, and it may only marginally help you in prosecuting someone IF the authorities catch them. The fields in this type of database add up to a small slice of circumstantial evidence at best.]

=-= How To Gather Intelligence (Know Thy Enemy)

Let's go back to my "real world" analogy for a moment. A police officer is at a crime scene, and discovers what's believed to be the perpetrator's thumbprint on a door handle. He lifts it, and takes it back to the lab, where it's scanned into a computer. The print is now compared against every print in a national database, to see if there's a match. If there is, the officer now has the name of a suspect. If there's not, he has little more than what he started with (until, of course, a suspect is found using other means). The goal is to get a database with fingerprints of as many people as possible. This is done by printing people who are arrested, or by having parents get their children fingerprinted in kindergarten (for their own protection, of course). Now, let's move back into the "digital realm". The same concept obviously holds true. In order for the "field principle" to be worth anything, one must first come up with a database to use to compare data against. This helps not only to "identify" a hacker or hackgroup (like one would "identify" a fingerprint in the national database), but also to help examine motive, threat potential, and possibly predicting future hacks, based on what hackers or groups similar to them have done in the past.

[This is a HORRIBLE analogy. JP is comparing a database of fingerprints, which he even admits are a *unique* form of identifying someone.. to a database he says "may not currently [have] one field which would prove to have 0 duplications of occurrence..". In the fingerprint database, you have a single field with 0 duplications of occurrence. In the 'hacker profiler' database, EVERY field can (and is likely to) have duplications of occurrence. This is a bigger concern when done by amateurs with no criminal profiling experience, and no formal training. In a field that requires precision, this is comparing apples to volvos.]

=-= IRC (Trusting A Stranger)

No matter what group they fall in, almost EVERY hacker uses (at one time or another) IRC. Internet Relay Chat is the primary means of communication for most hackers. It is on IRC that hackers often get their

[This is the kind of claim that JP simply can not back. Going back to my previous example showing that hacking has been going on for over two decades, and IRC was created in 1988, that leaves at least 9 years that hackers had no IRC. During this time they relied on email, 'talk', and voice communication. Even after IRC became a regular haunt of hackers, to say it is the PRIMARY means of communication for MOST hackers is absurd. Hackers also know that IRC is an insecure protocol and that whatever is said on public channels and in private messages is subject to prying eyes. This fact alone pushes them toward more direct or secure communication methods.]

Now, let's go back to hackers. Communicating on IRC, you can become anyone you want to be, and gain trust with any given group very quickly. By first studying a group, you can learn what their ideals are, how

["Any given group very quickly"? There are some groups out there that will not trust anyone they haven't met, or who hasn't demonstrated a level of talent equal to that of existing group members. These are extremely hard to find out any information on, let alone gain their trust.]

=-= Creative Methods Of Capture (Using A Helicopter To Win A Game Of Hide and Seek In Your Back Yard)

When I use the word "capture", I'm not necessarily talking about "arrest". In my case, "capturing" a hacker means identifying them for use in our coverage of any given hack (something that I think we have a good track record of being able to do).

["We have a good track record. Trust us!" Since JP and AntiOnline conveniently don't share details about their profiling, their word will have to do. But, let's look at two other specific examples of JP/AO reporting on hacked sites and their conclusions.

/errata/charlatan/negation/www/ao.011.html

Here we see that JP relies on ATTRITION archiving of hacked sites to support his articles. Not only does he not rely on his own six-year-in-the-making database, he goes to the site of someone he continually slanders to get the information he needs.

/errata/charlatan/negation/www/ao.012.html

In this 'news' article, JP claims that a second group of hackers really hacked E-bay. JP had no access to the servers to read logs, and they did not deface the web page, giving him none of the other external clues he claims are required to profile. Yet he reports that this second group is the one really responsible for serious hacking.

"Based on his own analysis of the hacked Colorado site - a copy of which was e-mailed to him before state technicians acted - Vranesevich said he suspects 'A Changing World' was little more than the electronic equivalent of roadside graffiti."

Is that the best his 'hacker profiler' technique could do? Any four year old could conclude that. If this is what you can look forward to after all that work building a 'fielded database'..]

This is one area where I really don't want to "spill the beans" so to speak. Coming up with these "common sense" methods can often be time consuming, and once they're known to the general "underground population", they become useless.

[One of the major points we are trying to convey is agreed to 100% by JP here. This is all common sense.]

=-= Taking A Second Look (Webpage Access Logs And Hacker Behavior)

Look at that access log for a minute. You'll see the domains (or IPs, depending) of all users that requested files from the servers. Say your main page is made up of two elements, index.html and logo.gif. The "hacked version" of the page contains say, three elements: index.html, hackerlogo.gif, and YouAreOwned.jpg. If the site is moderately to heavily trafficked, looking for the first time "YouAreOwned.jpg" appears in the access logs will give you a pretty good indication what time the site was hacked. Useful information indeed.

[So is the file creation time. A simple 'ls -l' will show you the time the file was created or last modified on the system.]

Go back to your webpage access logs. Cut out everything between 5 minutes before you see the altered graphics showing up, to 5 minutes after they first appear. Guess what? I'd bet my bottom dollar that the hacker's true IP address appears in there at least once.

[And JP would be paying up more than he realizes. If these hackers are talking on an IRC channel while the system is being hacked, half a dozen IPs may view the page before AND after, yet none of them would be the real hacker.]

Look for IPs or domains which visited once before the site was hacked, and once after the site was hacked. Guess what? You now have the hacker's true domain in that list somewhere. Although this may not "prove" that he's the one, and this method may come up with a small list of possible "suspects", at least now you have something to go by (and some good circumstantial evidence on top of that, placing the hacker at the scene of the crime), which is more than you had before.

[Or you may have a list of people from an IRC channel or mail list that was given a five minute heads up to the hack. In that case, you now have anywhere from one to a hundred false positives in your 'suspect' list.]

=-= Foreign Government, Or 16 Year Old? (Risk Assessment - Why The US Military Gets It Wrong)

I hate to bring up this case again, but it's such a perfect example, I feel that I have to. In the spring of last year, the US Military went into high alert, the president was notified, and over 40 FBI agents worked around the clock, to investigate what the Deputy Secretary of Defense called the most "organized attacks against the US infrastructure to date". It was feared that these attacks were actually the beginnings of a "cyberwar" being waged by Iraq. This DOD project, dubbed Solar Sunrise, turned out to be a huge embarrassment for the military, and a major story for AntiOnline, when I announced that the attacks had truly been originating from three teenagers (two 16 year olds in the US, and an 18 year old from Israel).

[It is ironic that JP mentions this case. JP's knowledge of these events came from direct contact with the attackers, not from his profiling. Worse, JP was in continual contact with these hackers during the attack and would not cooperate with DOD officials when asked (read: criminal negligence, obstructing justice).]

As I said before, this is a perfect example of how the military got it dead wrong, and how a profiler could have helped to prevent an embarrassing, and COSTLY investigation.

[The DOD personnel had logs to go by. Not defaced pages or IRC chat or other elements of 'profiling' that JP lists. While the logs may show a technical skill level, they will never truly show an age or anything more personal about your attacker. In this case, with what they had to go on, a profiler would not have helped a whole lot.]

Are you getting the picture now? If I was the US military, I wouldn't be worried about the "massive, organized scans", I'd be worried about the small, everyday occurrences.

[This is a revelation coming AFTER the various news articles on the DOD detecting these slow scans and responding to them, just as JP describes. The Navy, using IDS software, detected slow scans that were broken out over months. Sounds like they are one step ahead of the security guru profiler here.]

=-= The Categories Of Hackers (Grouped By Motivation and Threat)

Group 3 - Political Motivations: This is yet another category that people in Group 1 claim to be part of. These are people who have strong political beliefs, or who are facing political hardships (such as those in China). These hackers break into systems (traditionally ones which are at least related to the political movement that they're speaking out against) in order to get their opinions heard. Breaking into these types of systems will often lead to press coverage, which in their eyes helps to further their cause. Sorting hackers into this group can often be difficult. It's like going back to the 60s and trying to decide how many people became hippies to speak out against war, and how many of them just liked the sex and drugs that came along with the movement.

[What JP describes here is more and more commonly being referred to as 'hacktivists'. This one is very interesting to point out, because JP's friend, partner and business associate Carolyn Meinel claims that these exact hackers are "computer criminals (AKA "hacktivists") who believe they have the right to censor the Internet." Such conflicting opinions, when they write some of their material almost word for word alike?]

=-= In Conclusion (What's the point?)

To date, system administrators, law enforcement, and the military, look at the TECHNICAL aspects of the hacker, instead of the PERSONAL aspects of the person doing the hacking. It's a totally different, and rather untouched upon, realm.

[We see here that JP has not dealt with many (if ANY) computer crime investigators. The ones I have met and talked to are familiar with these 'methods' and a generation beyond.]

Shout-Outs to MeaCulpa, Bronc, Innerpulse, and the "HFG Crew". All of whom I'm sure will be throwing a holy fit over this report.

[And once again, JP realizes that at least one person (Mea Culpa) will point out errors in this 'special report'. This is his attempt at damage control before it happens.]

Yours In CyberSpace,
John Vranesevich
Founder, AntiOnline

=-=

[Footnotes:

(1) It is interesting to note that JP has apparently not attended a single hacker conference in all of his years studying the underground. No Defcon, SummerCon, PumpCon, HoHoCon, CuervoCon, HOPE, or any others. In all my talks with hackers and security professionals alike, no one I know seems to have met him. How can one claim to have ANY expertise on hackers when he has not seen them in a social setting devoted to their talents?]
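The "Taking A Second Look" section above describes one concrete procedure: find the first request for a file that only exists on the defaced page, cut a window of five minutes either side of that moment, and keep the clients that appear both before and after. The Python script below is an added illustration of that procedure, not code from the original report or from the Errata page; the access log, client addresses and timestamps are constructed, and two of the visitors stand in for the IRC onlookers the Errata comment warns about.

```python
import re
from datetime import datetime, timedelta

# Constructed Common Log Format lines (not from any real server). Scenario
# from the report: the page is index.html + logo.gif; the defaced version
# adds hackerlogo.gif and YouAreOwned.jpg. 198.51.100.9 and 203.0.113.4
# stand in for onlookers told on IRC shortly before the defacement.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Mar/1999:14:00:10 +0000] "GET /index.html HTTP/1.0" 200 2048
10.0.0.5 - - [29/Mar/1999:14:00:11 +0000] "GET /logo.gif HTTP/1.0" 200 1024
192.0.2.77 - - [29/Mar/1999:14:03:40 +0000] "GET /index.html HTTP/1.0" 200 2048
198.51.100.9 - - [29/Mar/1999:14:04:02 +0000] "GET /index.html HTTP/1.0" 200 2048
203.0.113.4 - - [29/Mar/1999:14:05:15 +0000] "GET /index.html HTTP/1.0" 200 2048
192.0.2.77 - - [29/Mar/1999:14:06:31 +0000] "GET /index.html HTTP/1.0" 200 1900
192.0.2.77 - - [29/Mar/1999:14:06:31 +0000] "GET /hackerlogo.gif HTTP/1.0" 200 3000
192.0.2.77 - - [29/Mar/1999:14:06:31 +0000] "GET /YouAreOwned.jpg HTTP/1.0" 200 9000
198.51.100.9 - - [29/Mar/1999:14:07:05 +0000] "GET /YouAreOwned.jpg HTTP/1.0" 200 9000
203.0.113.4 - - [29/Mar/1999:14:08:20 +0000] "GET /index.html HTTP/1.0" 200 1900
10.0.0.5 - - [29/Mar/1999:14:20:00 +0000] "GET /index.html HTTP/1.0" 200 1900
"""

# CLF: host ident user [time] "method path proto" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})')

def parse_log(text):
    """Return [(timestamp, client, path)] for each well-formed CLF line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        entries.append((ts, m.group(1), m.group(3)))
    return entries

def first_seen(entries, path):
    """Earliest request for `path` (the defacement marker), or None."""
    times = [ts for ts, _, p in entries if p == path]
    return min(times) if times else None

def window_candidates(entries, marker_path, minutes=5):
    """Clients seen in the `minutes` before the marker first appears AND in
    the `minutes` after it. Returns (first_seen_time, sorted client list)."""
    t0 = first_seen(entries, marker_path)
    if t0 is None:
        return None, []
    delta = timedelta(minutes=minutes)
    before = {c for ts, c, _ in entries if t0 - delta <= ts < t0}
    after = {c for ts, c, _ in entries if t0 <= ts <= t0 + delta}
    return t0, sorted(before & after)

if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    t0, suspects = window_candidates(log, "/YouAreOwned.jpg")
    print("marker first requested:", t0)
    print("seen before and after:", suspects)  # three addresses for one defacer
```

On this input the procedure yields three candidates for a single defacer, which is exactly the false-positive problem the Errata comment raises; the list is a lead to cross-check against the file's modification time and the server's other logs, not an identification.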