Security Scene Errata

Debunking the Hacker Profiler (part 1)

Beginning on March 29, 1999, John Vranasevich began a series called
"How To Be A Hacker Profiler". These 'special reports' are supposed
to enlighten readers on how hackers operate, insight into hacker
culture, and more.

With 'news' or 'reports' like this, it is often difficult to point out
the errata contained in them like other articles because they lack
substantial fact. Instead of the regular unfounded accusations, misquoting,
or outright libel, the Errata staff is left with vague descriptions of
unclear events or more often, poorly written descriptions about what most of
us consider common sense.

For those of you in a professional field, you have no doubt at some point
run into someone that just didn't sit right with you. At first, you can't
quite put a finger on why you thought they were less than honest, or why
they screamed "i'm a fraud", but SOMETHING stuck with you and gave you
that feel. Well, here it is with us. We will try to express why these
'special reports' are nothing more than regurgitated common sense wrapped
up in buzz words and old ideas.

Further, we will bring attention to some points in the reports that make
you wonder why Vranasevich resorted to such menial tactics in writing. Was
it the only way to get his point across? Or rather, was it for lack of
anything else solid to write?

As with other errata, we list his text in white, and our own comments in
red. We are not quoting the entire article as Vranasevich has a tendancy
to threaten lawsuits.

You be the judge.

http://www.AntiOnline.com/SpecialReports/hacker-profiler/
How To Be A Hacker Profiler - Monday, March 29 1999

Ok, before I go any further, let me just say that I know that I'm going to get flamed by just about every
hacker who's ever been on the internet. So be it, I don't care (in other words, don't bother sending me
flame mail, because I'm just going to throw it away).

[Translated: Hackers will see through this tripe and challenge me.]

I am by no means a criminal psychologist, or a behavioral scientist. What I'm going to describe in this
special report is based on over 6 years of studying the "underground", and from talking with well over

[This is a clever wording. "studying" the underground for six years? He
is 20 years old at the time of writing this. His claim is that when he was *14*
years old, he began studying the underground. Since 1991, the four Errata contributers
and dozens of their associates have not heard of John Vranasevich until the last
twelve months. In previous claims, Vranasevich (who also goes by 'JP') has said that he
is NOT a hacker. So now we have JP claiming that he was a fourteen year old, studying
hacker culture while he was not a hacker? Why does that sound fabricated..]

7,000 different hackers. You won't be able to find the things in this report (for the most part) anywhere

[Over 7000 different hackers? Any basis for this number? A little over
1160 hackers 'studied' each year. How did he qualify each to be a hacker? At what
point is 'hacker' defined at all?]

else. They're techniques, observations, and comparisons that I've been devising on my own over the past
few years. This is the first time that these ideas have ever been presented for public review and
critique. I'm hoping that by posting them, people will write in, and share their own observations with

["..first time.. represented for public review and critique". First, JP explicitly
says do not send negative feedback. Second, this statement should be qualified with
"that I have seen". These observations and exact topics have been discussed in a wide
variety of forms for over a decade. This type of material can be seen in hacker
conferences (1), corporate training seminars, some books, and more.]

me, and possibly find flaws in some of my "assumptions". A lot of this information is coming from my
personal notes and databases, and a lot of it, up until now, I considered to be "Trade Secrets" so to
speak. So, I'm not going to go into a lot of areas here (Basically, I just want to be able to start some

[Email, IRC logs, and general 'notes' are "Trade Secrets"? What hacker or
security professional DOESN'T do that?]

=-=

http://www.AntiOnline.com/SpecialReports/hacker-profiler/overview.html
An Overview - What would a hacker profiler do? (Let's first come up with a job description)

But just because the mainstream hasn't gotten a hold of the data, doesn't mean that it doesn't exist.
What I hope to cover in this report are just a few of the many scenarios, circumstances, and
similarities, that I've found by working with the "underground" over the years. I hope that you'll find
it interesting, informative, and perhaps, foreshadowing, of some of the techniques which may some day be
common tools in the "Digital Profiler's" arsenal.

[Does JP really think he is the first to think of ANY of this? That in the
past three decades of computer crime, investigators have not thought of this?]

=-=

http://www.AntiOnline.com/SpecialReports/hacker-profiler/webhacks.html
Graphics, H4x0r T4lk, and Design (Why Webpage Hacks Are Like A Murder Crime Scene)

While the most serious attacks are that against an infrastructure, and not a simple webpage, webpage
hacks can provide valuable insights into any particular hacker or hackgroup. Even hackers who commit the
most serious of crimes, more than likely have at one time or another, done a simple "webpage hack" or
two.

[This is a great pointer suggesting JP has only been around for the last three years
at BEST. Statements like this conveniently lump all hackers into a stereotype embodied
by hackers in the late 1990's. Consider these numbers: Attrition has mirrors of web
hacks dating back to 1995.

Year Hacks Mirrored Super Conservative

1995 9 50
1996 24 100
1997 42 200
1998 213 500
1999 600 1000

With these numbers, we can see that there are almost 900 mirrors of hacked page. If we
say there were really 1850 defacements since 1995, that brings up several points.

1. Out of 7000 hackers, explain less than 2000 web defacements and the quote "hackers..
more than likely have at one time or another, done a simple 'webpage hack'".
There is a serious gap in numbers here.

2. Hacking dates back to the late 70's in the form that JP references. That leaves
roughly 20 YEARS of hackers that never defaced web pages. The web protocol
(HTTP) didn't gain widespread usage until 1994. This statement shows a serious
lack of insight into the history of hackers and their activities.

3. This kind of shortcoming and naive belief leads to poor assumptions and inaccurate
conclusions. Thinking that he has spoken to such a large amount of hackers (still
in question), and being so wrong in the numbers and their activities calls every
subsequent 'fact' into further question.

=-=

http://www.AntiOnline.com/SpecialReports/hacker-profiler/commands.html
Bash Histories, and System Commands (More Than Meets The Eye)

Welcome to the world of rootkits and system commands! I'm not going to go very in-depth here, but I will
describe a couple of interesting "fields". Some probably more obvious than others.

Now, you probably won't be so lucky as to simply have a bunch of syslogs laying around after the hacker
has left. But, there are other ways that the actions of users on your systems can be, and should be (and
on most "important systems" are), logged.

These are just a few examples. But, you can see that even though we don't have any "physical evidence" or
"visibly unique evidence" we are still able to come up with identifiable fields.

[Here we have the absolute most vague recommendations possible. While all of this
'fielded database' stuff is fun, technical examination of computer logs and evidence
(ie: computer forensics) is the best and most reliable way of catching a computer
intruder. Even if you manage to create this database and cross reference everything,
none of it helps you prevent future intrusions, and it may only marginally help
you in prosecuting someone IF the authorities catch them. The fields in this type
of database add up to a small slice of circumstancial evidence at best.

=-=

http://www.AntiOnline.com/SpecialReports/hacker-profiler/intelligence.html
How To Gather Intelligence (Know Thy Enemy)

Let's go back to my "real world" analogy for a moment. A police officer is at a crime scene, and
discovers what's believed to be the perpetrator's thumbprint on a door handle. He lifts it, and takes it
back to the lab, where it's scanned into a computer. The print is now compared against every print in a
national database, to see if there's a match. If there is, the officer now has the name of a suspect. If
there's not, he has little more than what he started with (until, of course, a suspect is found using
other means). The goal is to get a database with fingerprints with of as many people as possible. This is
done by printing people who are arrested, or by having parents get their children fingerprinted in
kindergarten (for their own protection, of course).

Now, let's move back into the "digital realm". The same concept obviously holds true. In order for the
"field principle" to be worth anything, one must first come up with a database to use to compare data
against. This helps not only to "identify" a hacker or hackgroup (like one would "identify" a fingerprint
in the national database), but also to help examine motive, threat potential, and possibly predicting
future hacks, based on what hackers or groups similar to them have done in the past.

[This is a HORRIBLE analogy. JP is comparing a database of fingerprints,
which he even admits are a *unique* form of identifying someone.. to a database he says
"may not currently [have] one field which would prove to have 0 duplications of occurance..".
In the fingerprint database, you have a single field with 0 duplications of occurance. In
the 'hacker profiler' database, EVERY field can (and is likely to) have duplications of
occurance. This is a bigger concern when done by amateurs with no criminal profiling experience,
and no formal training. In a field that requires precision, this is comparing apples to volvos.]

=-=

http://www.AntiOnline.com/SpecialReports/hacker-profiler/irc.html
IRC (Trusting A Stranger)

No matter what group they fall in, almost EVERY hacker uses (at one time or another) IRC. Internet Relay
chat is the primary means of communication for most hackers. It is on IRC that hackers often get their

[This is the kind of claim that JP simply can not back. Going back to my previous
example showing that hacking has been going on for over two decades, and IRC was created in 1988,
that leaves at least 9 years that hackers had no IRC. During this time they relied on email,
'talk', and voice communication. Even after IRC became a regular haunt of hackers, to say it
is the PRIMARY means of communication for MOST hackers is absurd. Hackers also know that IRC
is an insecure protocol and that whatever is said on public channels and in private messages
is subject to prying eyes. This fact alone pushes them toward more direct or secure communication
methods.

Now, let's go back to hackers. Communicating on irc, you can become anyone you want to be, and gain trust
with any given group very quickly. By first studying a group, you can learn what their ideals are, how

["Any given group very quickly"? There are some groups out there that will not trust
anyone they haven't met, or who demonstrates an equal level of talent as existing group
members. These are extremely hard to find out any information on, let alone gain their trust.]

=-=

http://www.AntiOnline.com/SpecialReports/hacker-profiler/creative.html
Creative Methods Of Capture (Using A Helicopter To Win A Game Of Hide and Seek In Your Back Yard)

When I use the word "capture", I'm not necessarily talking about "arrest". In my case, "capturing" a
hacker means identifying them for use in our coverage of any given hack (something that I think we have a
good track record of being able to do).

["We have a good track record. Trust us!" Since JP and AntiOnline conveniently doesn't
share details about their profiling, their word will have to do. But, lets look at two other
specific examples of JP/AO reporting on hacked sites and their conclusions.

/errata/charlatan/negation/www/ao.011.html
Here we see that JP relies on ATTRITION archiving of hacked sites to support his articles.
Not only does he not rely on his own six-year-in-the-making database, he goes to the site
of someone he continually slanders to get the information he needs.

/errata/charlatan/negation/www/ao.012.html
In this 'news' article, JP claims that a second group of hackers really hacked E-bay. JP had no
access to the servers to read logs, and they did not deface the web page giving him other
external clues he claims are required to profile. Yet he reports that this second group is
the ones really responsible for serious hacking.

http://www.denverpost.com/news/shot0426n.htm
"Based on his own analysis of the hacked Colorado site - a copy of which was e-mailed to him
before state technicians acted - Vranesevich said he suspects "A Changing World'' was little
more than the electronic equivalent of roadside graffiti." Is that the best his 'hacker profile'
technique could do? Any four year old could conclude that.

If this is what you can look forward to after all that work building a 'fielded database'..]

This is one area where I really don't want to "spill the beans" so to speak. Coming up with these "common
sense" methods can often be time consuming, and once they're known to the general "underground
population", they become useless.

[One of the major points we are trying to convey is agreed to 100% by JP here. This
is all common sense.]

=-=

http://www.AntiOnline.com/SpecialReports/hacker-profiler/secondlook.html
Taking A Second Look (Webpage Access Logs And Hacker Behavior)

Look at that access log for a minute. You'll see the domains (or ips, depending) of all users that
requested files from the servers. Say your main page is made up of two elements, index.html and logo.gif.
The "hacked version" of the page contains say, three elements: index.html, hackerlogo.gif, and
YouAreOwned.jpg. If the site is moderately to heavily trafficed, looking for the first time
"YouAreOwned.jpg" appears in the access logs will give you a pretty good indication what time the site
was hacked. Useful information indeed.

[So is the file creation time. A simple 'ls -l' will show you the time the file
was created or last modified on the system.]

Go back to your webpage access logs. Cut out everything between 5 minutes before you see the altered
graphics showing up, to 5 minutes after they first appear. Guess what? I'd bet my bottom dollar that the
hacker's true IP address appears in there at least once.

[And JP would be paying up more than he realizes. If these hackers are talking on
an IRC channel while the system is being hacked, half a dozen IPs may view the page before AND
after, yet none of them would be the real hacker.]

Look for IPs or domains which visited once before the site was hacked, and once after the site was
hacked. Guess what? You now have the hacker's true domain in that list somewhere. Although this may not
"prove" that he's the one, and this method may come up with a small list of possible "suspects", at least
now you have something to go by (and some good circumstantial evidence of top of that, placing the hacker
at the scene of the crime), which is more than you had before.

[Or you may have a list of people from an IRC channel or mail list that was given
a five minute heads up to the hack. In that case, you now have anywhere from one to a hundred
false positives in your 'suspect' list.]

=-=

http://www.AntiOnline.com/SpecialReports/hacker-profiler/risk-assessment.html
Foreign Government, Or 16 Year Old? (Risk Assessment - Why The US Military Gets It Wrong)

I hate to bring up this case again, but it's such a perfect example, I feel that I have to.

In the spring of last year, the US Military went into high alert, the president was notified, and over 40
FBI agents worked around the clock, to investigate what Deputy Secretary of Defense called the most
"organized attacks against the US infrastructure to date". It was feared that these attacks were actually
the beginnings of a "cyberwar" being waged by Iraq. This DOD project, dubbed Solar Sunrise turned out to
be a huge embarrassment for the military, and a major story for AntiOnline, when I announced that the
attacks had truly been originating from three teenagers (two 16 year olds in the US, and an 18 year old
from Israel).

[It is ironic that JP mentions this case. JP's knowledge of these events came
from direct contact with the attackers, not from his profiling. Worse, JP was in continual
contact with these hackers during the attack and would not cooperate with DOD officials when
asked (read: criminal negligence, obstructing justice).]

As I said before, this is a perfect example of how the military got it dead wrong, and how a profiler
could have helped to have prevented an embarrassing, and COSTLY investigation.

[The DOD personnel had logs to go by. Not defaced pages or IRC chat or other
elements of 'profiling' that JP lists. While the logs may show a technical skill level,
they will never truly show an age or anything more personal about your attacker. In this
case, with what they had to go on, a profiler would not have helped a whole lot.]

Are you getting the picture now? If I was the US military, I wouldn't be worried about the "massive,
organized scans", I'd be worried about the small, every day occurrences.

[This is a revelation coming AFTER the various news articles on the DOD
detecting these slow scans and responding to them, just as JP describes. The Navy, using
IDS software detected slow scans that were broken out over months. Sounds like they are one
step ahead of the security guru profiler here.]

=-=

http://www.AntiOnline.com/SpecialReports/hacker-profiler/category.html
The Categories Of Hackers (Grouped By Motivation and Threat)

Group 3 - Political Motivations:

This is yet another category that people in Group 1 claim to be part of. These are people who have strong
political beliefs, or who are facing political hardships (such as those in China). These hackers break
into systems (traditionally which are at least related to the political movement that they're speaking
out against) in order to get their opinions heard. Breaking into these types of systems will often lead
to press coverage, which in their eyes helps to further their cause. Sorting hackers into this group can
often be difficult. It's like going back to the 60s and trying to decide how many people became hippies
to speak out against war, and how many of them just liked the sex and drugs that came along with the
movement.

[What JP describes here is more and more commonly being referred to as
'hacktivists'. This one is very interesting to point out, because JP's friend, partner and
business associate Carolyn Meinel claims that this exact type of hackers are "computer criminals
(AKA "hacktivists") who believe they have the right to censor the Internet." Such conflicting
opinions when they write some material almost word for word?]

=-=

http://www.AntiOnline.com/SpecialReports/hacker-profiler/conclusion.html
In Conclusion (What's the point?)

To date, system administrators, law enforcement, and the military, look at the TECHNICAL aspects of the
hacker, instead of the PERSONAL aspects of the person doing the hacking. It's a totally different, and
rather untouched upon, realm.

[We see here that JP has not dealt with many (if ANY) computer crime investigators.
The ones I have met and talked to are familiar with these 'methods' and a generation beyond.]

Shout-Outs to MeaCulpa, Bronc, Innerpulse, and the "HFG Crew". All of whom I'm sure will be throwing a
holy fit over this report.

[And once again, JP realizes that at least one person (Mea Culpa) will point
out errors in this 'special report'. This is his attempt at damage control before it happens.]

Yours In CyberSpace,
John Vranesevich
Founder, AntiOnline
JP@AntiOnline.com

=-=

[Footnotes:

(1) It is interesting to note that JP has apparently not attended a single hacker
conference in all of his years studying the underground. No Defcon, SummerCon,
PumpCon, HoHoCon, CuervoCon, HOPE, or any others. In all my talks with hackers
and security professionals alike, no one I know seems to have met him. How can
one claim to have ANY expertise on hackers when he has not seen them in a social
setting devoted to their talents?