Debunking the Hacker Profiler (part 3)

Beginning on March 29, 1999, John Vranasevich began a series called "How To Be A Hacker Profiler". These 'special reports' are supposed to enlighten readers on how hackers operate, offer insight into hacker culture, and more. With 'news' or 'reports' like this, it is often difficult to point out the errata contained in them as we do with other articles, because they lack substantial fact. Instead of the regular unfounded accusations, misquoting, or outright libel, the Errata staff is left with vague descriptions of unclear events or, more often, poorly written descriptions of what most of us consider common sense.

For those of you in a professional field, you have no doubt at some point run into someone that just didn't sit right with you. At first, you can't quite put a finger on why you thought they were less than honest, or why they screamed "I'm a fraud", but SOMETHING stuck with you and gave you that feel. Well, here it is with us. We will try to express why these 'special reports' are nothing more than regurgitated common sense wrapped up in buzz words and old ideas. Further, we will bring attention to some points in the reports that make you wonder why Vranasevich resorted to such menial tactics in writing. Was it the only way to get his point across? Or rather, was it for lack of anything else solid to write?

As with other errata, we list his text in white, and our own comments in red. We are not quoting the entire article as Vranasevich has a tendency to threaten lawsuits. You be the judge.
http://www.AntiOnline.com/SpecialReports/hacker-profiler-iii/

How To Be A Hacker Profiler - Part III - Monday, May 03 1999

However, the mainstream aren't the only ones that have been reacting to this series. Apparently some in the hacker culture are feeling a bit threatened by it (oh no). Take a look at the following that a hacker named BroncBuster (aka Erik Ginorio) posted to a popular underground webboard:

"[...] Look at JP's article on how to profile a hacker, he admits he put bots in channels on various IRC servers to record host masks, nicks and what is said for later use. Sounds like Big Brother watchin. They have totally went over the fence, and are trying their best to wipe out people like us [....] This is like the X-files movie, but in real life..."

[This is not Erik feeling threatened, this is Erik pointing out an obvious concern MANY people have.]

=-=

http://www.AntiOnline.com/SpecialReports/hacker-profiler-iii/association.html

Guilt By Association? (An Apple Never Falls Far From Its Tree)

I will refer to the hacker family tree as being "Interface #2" in the Hacker Profiler's Tool Bag. "Interface #1", would be the master database of hackers (as mentioned in my previous reports). Unfortunately, this second interface is even more dynamic than the first. Also, it's much harder to organize this data, as it doesn't fall into a simple, flat, interface. So, break out the giant whiteboard, the erasable markers, and the stencils. We're going to be making, "The Hacker Family Tree".

[This is a gimmick. Creating a 'hacker family tree' would be nothing more than a bunch of names, each connected to almost every other name. The thought that some hackers only talk to a handful of other people (which would lead to a chart of this nature) shows a serious lack of understanding of how hackers work.]
=-=

http://www.AntiOnline.com/SpecialReports/hacker-profiler-iii/developing.html

Developing The Hacker Family Tree (Branches, Roots, And Cow Shit)

Trying to determine who originally created the exploit and what members of the group got ahold of it first, is important. HOWEVER, even more important is determining how it was first LEAKED. Who was the first person outside of that group to get the exploit, and who gave it to him? The above is just one example of how you can begin to draw the interconnections between groups. Monitoring the interconnections between separate groups, can help you to observe, and eventually, PREDICT the dynamics of the underground.

[This is also near impossible to do. In the past year, I have seen close to a dozen private exploits leaked to public mail lists like bugtraq. I have also witnessed the groups talk about it happening and try to figure out how it got out. In each and every case, the group that originated it couldn't figure it out. How does a hacker profiler expect to be able to do this?]

=-=

http://www.AntiOnline.com/SpecialReports/hacker-profiler-iii/mentor.html

A Mentor, And The Next Generation (A Chip Off The Old Block)

It's usually a pretty easy task to catalog these mentor/student relationships.

[I would say it is only easy to catalog the casual and public relationships. How many go on via private email or private messages on IRC?]

=-=

http://www.AntiOnline.com/SpecialReports/hacker-profiler-iii/tell_them.html

Tell Them That You Know (How Old A Tree Is By Counting Its Rings)

Here's an example of how AntiOnline protected itself against a threatened attack late last year: The group was H4g1s. They hacked Yahoo.com, Slashdot.org, several Nasa websites, and then Rootshell. On the RootShell.com hack, they announced that "AntiOnline Was Next". What did we do?
Did we unplug all of our computers and put them back into their boxes until the hackers vanished (sounds funny, but many network admins do the equivalent of this by setting up ridiculously restrictive firewalls)? No, we simply let H4g1s know, that we KNEW who they were.

[And he is sure this is all it took? And he is sure that the original 'threat' was serious? No. h4g1s has "threatened" dozens of networks like this. It means nothing. JP is merely reading a lot more into things to boost the 'facts' of his 'report'.]

So, we never received so much as an attempted hack against our site from that group.

[So JP can detect every single attack and automatically know who commits each, and who is behind each? Then he can't say this. As a test, a friend of mine wrote a quick script to throw about ten signature attacks against the antionline network. Did JP notice? No. Did his 'hack attempt' page get updated with these attempts? No.]

=-=

http://www.AntiOnline.com/SpecialReports/hacker-profiler-iii/die.html

Let The Hackers Kill Themselves (Giving The Family Tree Root Rot)

The Hacker Profiler finds an organized group of hackers. They are writing original exploits together, planning attacks, and carrying them out with military like precision. Here is one of the more common sense ways that a Hacker Profiler could create internal conflict, putting an end to that group once and for all.

[So the group ends, but do the hackers? No. They either reform under a new name (and your work just became harder), or they split up and become even harder to track as individuals since they no longer communicate as a group.]

This isn't rocket science. Your main goal here, is to simply make people believe that you are an actual member of that group, and then to piss off as many of the other members as possible. Light a match and drop it on the ground. There will be a forest fire before you know it, and nothing but smoldering ashes when it's all said and done with.

["Works every time, guaranteed or your money back!". Hackers are often a BIT smarter than that. They tend to catch on to people like that.]

=-=

[In conclusion: After reading all three of the Hacker Profiler 'special reports', how much of that was really new? How much can you actually use in the upcoming year to track hackers? If it is really that easy to track these hackers and disrupt their social circles, why hasn't law enforcement picked up on any of this? As with anything, how can JP make such sweeping statements about such a diverse group of people? He can't.]