Welcome curious minds to another deep dive. Today. We're pulling back the curtain on a topic often shrouded in mystery and well a lot of misconception. Hackers. Yeah, definitely forget the movie stereotypes for just a moment, because we're going way beyond those surface level ideas to you uncover who's really behind the screen.
Indeed, and we've got some really fascinating sources today. There are excerpts from this pioneering study called Profiling Hackers. The science of criminal profiling as applied to it looks at this underground world with a pretty unique blend of technical and psychological analysis.
Right, So, our mission for you today is basically to unpack what truly motivates these individuals, how they operate, and importantly, what their complex world means for all of us in our increasingly digital lives.
Think of it as a shortcut maybe to understanding the who and the why behind the code.
Okay, let's dig into this then, because when we hear criminal profiling, I think, you know, our minds often jump to a very specific image maybe Silence of the Lambs, right.
The movies.
Yeah, But the roots of this science they go way deeper and twist in some surprising ways, especially when you try to apply it to the digital world.
It's really fascinating how far back it goes. You can actually trace some of it back to believe it or not. Eighteen eighty eight, London.
Wow, eighteen eighty eight. Yeah. Yeah.
Doctor Thomas Bond, he was a professor of forensic medicine, did an autopsy on a Jack the Ripper victim. And he didn't just do the autopsy, he assessed the attacker's surgical skills, even offered like an interpretation of the murderer's behavior based on their methods.
So an early kind of profiling.
Right there, exactly, an early form.
Incredible. So okay, from those very early beginnings, when did it start to get more formalized like the FBI profiling we hear about.
That really took shape much later in the nineteen seventies at the FBI in Quantico, Virginia, AUCA. Right, Yeah, special agents like Howard Teton and Patrick Mulaney. They kicked off this applied criminology program that eventually led to the Behavioral Sciences Unit, the BSU.
The famous BSU, that's the one.
And then later you had John Douglas and Robert Wrestler interviewing convicted serial killers. That work led them to develop the organized disorganized model, which is actually still influential today.
And that model looks at things like intelligence, social skills.
Planning exactly, things like the level of planning, intelligence levels, social adequacy, employment types. It helps make sense of the crime scene and the kind of person behind it.
Okay, that makes sense for you know, a physical crime scene, but how on earth do you apply that kind of thinking to cyberspace Hacking doesn't really fit the typical violent crime mold.
That is the core challenge, isn't it. Traditionally profiling focuses on violent crimes, sexually related crime, serial crimes. Hacking, Yeah, it doesn't fit neatly.
So how do you bridge that gap?
Well, the key thing is the serial nature of computer attacks. It's often a habitual crime, repeated behavior.
Ah okay, the repetition.
Yes, that repetition allows us to identify constants and behavior, which is fundamental to any kind of profiling.
But here's where it gets really really interesting. I think the crime scene itself is just completely.
Different, totally different.
It's not a physical place. You don't have fingerprints or DNA. Nope, it's all electronic abstraction. Right, You're relying entirely on analyzing log files and audit trails.
That's your evidence. Logs and trails and.
Things like traditional geographical profiling, the marauder versus commuter models, they just.
Don't apply, not at all, because, like our sources point out, in cyberspace, distance doesn't really exist. Everything is, as they put it, a mouse breadth.
Away a mouse breadth. I like that. So this is a huge question. How do you profile something so abstract?
Well, the answer really needs a joint approach. You need the computer security experts to tell you the what and the how, what happened, how they got in the technical side, right, and then you need the criminal profiling skills to explain the why, why did the attack happen, and crucially what kind of attacker are we likely dealing with.
So it's a combination of tech know how and behavioral science exactly.
That dual perspective is absolutely crucial to get the full picture.
Which makes perfect sense. Then why the Hacker's Profiling Project the HPP was started back in two thousand and four. It's described as like a first big step in really understanding this huge underground world of hacking, trying to sort out the different categories of hackers and you know, actual criminal attackers.
And their approach was unique, wasn't it.
Yeah, totally. They went directly to the source, focusing not on the how, but the why and the who. They even to use things called honeynets.
Ah, the honeypots, bait.
Systems exactly deliberately unprotected systems set up as bait basically to watch attacks happen live and gather data on how hackers actually.
Behave smart So to really get a handle on hackers, it probably helps to look at how cybercrime itself has evolved, even how we think about crime has changed. Oh so well, Historically you had figures like Cesara Lombroso back in the late nineteenth century. He saw fraud as a kind of civilized metamorphosis of crime.
Civilized metamorphosis.
Yeah, like replacing primitive cruelty with lies and greed, a more advanced way to be criminal, I suppose.
Okay.
Then later Edward Sutherland came along and really challenged that he defined white collar crime offenses by respectable, high status people in their jobs, implying, you know, a breach of trust.
Ah, the breach of trust angle that seems key for digital stuff too.
Absolutely, this evolution in understanding crime from brute force to subtle deception and violating trust, it really sets the stage for how we profile digital offenses and.
That white collar crime idea. It translates surprisingly well to the digital age, doesn't it. Our sources point out that even say, some big telecommunications companies can be offenders, not just victims.
Oh definitely Yeah, taking over illegal markets for personal data, maybe using data for really invasive marketing campaigns.
That blurs the line.
And the Internet just changed everything completely.
Think about it. Phishing, massive credit card fraud, identity theft viruses. None of that really existed before the Internet became widespread and the user base shifted dramatically. Early IT users, they were relatively few and pre technically aware.
They knew the risks debate.
Today's users are as, the sources say, legion huge numbers, and many are unfamiliar with the jargon the attack techniques. They're vulnerable to misleading media hype too, So.
An unaware target is basically de facto unprotected.
That's how the sources put it. If you don't know the danger, you can't defend against it.
It's also really interesting how digital theft is just fundamentally different. When someone steals a file online, it's not gone, is it. No, it's just copied, it's still there, Yeah, which makes detection incredibly hard, often really delayed.
Yeah, like those big incidents with the Windows NT source code or the Cisco router code being stolen. The companies might not even know for ages exactly.
And as the reasons why people did this stuff evolved, the way we talk about them.
Changed too, right, Yeah, absolutely.
You know. Back in the nineteen eighties, digital crimes were often just about destruction, wiping data, that.
Sort of thing. Cure vandalism almost pretty much.
But then in the nineteen nineties you got these intelligent, self replicating viruses, things like I Love You or Veronica.
Oh, I remember those.
They were huge, news huge, and with those the main objectives seemed to shift. It became more about attacker, notoriety, getting your name out there, making a splash, and.
The terms we use change too. Hacker didn't always mean bad guy, not at all.
Initially, hacker just meant like a computer enthusiast, someone who loved figuring things out, tinkerers exactly, But by the early eighties, you had younger programmers using those skills for more harmful things, breaking into military systems, writing viruses.
So the meaning soured.
It did, the term took on a negative con and that's when the term cracker was coined specifically to distinguish people using skills maliciously hacker versus cracker.
You got it. So our sources also categorize these individuals right using colors, Yeah.
The colors of the underground. It helps give a clearer picture of the different motivations and roles.
Okay, break it down for us, all right.
First you have the black hats. These are the folks who violate systems, often for personal game. They definitely cross the line into criminal acts for them stealing information, selling it that's just business.
Sounds straightforwardly criminal it is.
And what's particularly dangerous, the sources note is there are even legal black hackers, people who work on commission, maybe move to a country where destroying a specific system isn't technically illegal there and then do the damage.
Wow, Okay, that's insidious. What's next?
Then you have the gray hats.
They often call themselves ethical hackers, sometimes ironically pink hats. They don't really want the black or white label.
So somewhere in the middle kind of.
They might have done an intrusions in the past, but maybe they've moved away from that. This group includes skill testers, people who find exploits create viruses, but don't necessarily see it as wrong. What's the motivation then, often targeting OS writers, maybe for security breaches they haven't fixed, and they can be volatile. They might switch sides if they feel ignored or aren't given credit for finding a flaw.
Interesting and the white hats.
White hats are the hunters.
They use their skills explicitly for good cooperating with authorities, working as security consultants, trying to strengthen defenses.
The good guys essentially okay, but they're less sophisticated groups too, right, often younger.
Yes, definitely there are the wannabe lamers. Our sources call this category amusing, which maybe is a bit harsh, but I do. You'd find them on like low profile forums publicly asking really basic questions. Yo, man was the b thirst Way teaser.
Hack www dot Nasa dot gov.
Things that show they don't really know what they' doing.
Okay, so mostly harmless, maybe.
Mostly annoying probably, But then you have script kitties. These are described as culturally advanced compared to the wannabes, but actually dangerous to systems.
How so, if they're not super skilled.
They use tools developed by others, stuff found on places like bug track mailing lists. Those are forms where vulnerabilities get discussed.
Ah, so they don't need deep knowledge themselves exactly.
They just use the tools to break in, often just to brag about it. They get called point and clickers because the attacks involve very little reasoning or study, just running a program someone else wrote.
Still dangerous though, oh absolutely.
Then beyond those you get into the more professional, specialized categories like who well, cyber warriors. These folks keep a really low profile. They might target less obvious systems, ISPs, universities, and they operate either for money or.
Based on strong ideals.
Okay, industrial spies highly skilled, purely motivated by money. Our sources say this category has seen an x spinal increase.
Wow, and that includes insiders too.
Yeah, often includes insiders employees illegally accessing sensitive company info for personal gain.
That's a huge threat definitely.
Then you have government agents. Often these are actually former hackers.
Really government's hire hackers.
Oh yeah, employed for espionage, counter espionage, monitoring other governments, individuals, strategic industries. This marriage between hacking and intelligence agencies goes back to the mid nineteen eighties.
Apparently fascinating.
And the last category military hackers. These are professional hackers working directly within a country's armed forces, ordered to hack as part of specific military strategies, fighting wars behind the scenes in the digital realm.
It's a whole hidden battlefield. So with all these different types black hats, gray hats, script kitties, government agents, what do our sources say really drives them psychologically? I mean, beyond the stereotypes.
Yeah, that's the million dollar question, isn't it. The media image is often way off. Our sources point to this really important historical document, the Hacker Manifesto, written by someone called the Mentor back in nineteen eighty six.
The Hacker Manifesto. What does it say?
It really reveals a core part of the hacker identity, this constant search for challenges, a passion for breaking limits that seem.
Impossible, pushing boundaries exactly.
But it also expresses a lot of sort of adolescent anger and resentment towards the status quo towards adults, authority figures, feeling misunderstood, deeply misunderstood. Yeah, and because of that, many find this incredibly strong sense of belonging, this unconditional solidarity within the hacker community itself.
That quest for challenge you mentioned, it sounds a lot like that psychological concept of flow.
Oh. Absolutely six on Mahale's idea of flow, that state where you're totally absorbed thoughts and feelings, working together, clear goals, skills matching the challenge, immediate feedback, and.
It makes you want to tackle harder things.
Precisely, it pushes into jewels to seek greater complexity, constantly increase their skills. That fits the hacker drive perfectly.
So besides the challenge, what else motivates them?
Well?
A huge one is just inquisitiveness, an inexhaustible thirst for knowledge, as the sources put it, curiosity, intense curiosity. Many see themselves almost like scientists, using computers as microscopes to understand how systems work, and crucially then sharing that knowledge.
Sharing is key for many.
Yes, they see the Internet as this inherently democratic tool, something that cuts across class, ethnicity, gender, skin color, a level playing.
Field interesting any other motives?
Yeah, for many, it's also just fun in games, the thrill of getting into a system, though interestingly they often get bored once they're inside unless they have a specific goal.
Bored after breaking in.
Yeah, the challenge was getting in, and some apparently even get a thrill from the idea of getting caught.
Wow. Okay, risk takers.
Definitely and another powerful driver, especially for maybe the gray or way hats, is this idea of fighting for freedom and making the.
PC world safer.
How So, they want to defeat what they see as communication monopolies. They believe the public is often misinformed, maybe by big companies or governments.
So they see themselves as what whistleblowers.
Kind of maybe defenders of basic human rights, using their intellect, their courage to fight against censorship, against those hiding information.
And for this group, sharing knowledge freely is paramount.
Yes, for many, freely sharing what they discover is the fundamental principle of hacker ethics.
Okay, hacker ethics, what does that actually entail?
Now?
Our sources mention things like not damaging systems. Right.
The ideal, according to these ethics is that true hackers strive not to damage or crash the systems they penetrate. They might modify log file, sure, but only to erase their traces, covering their tracks exactly. And the other key principle is sharing discoveries freely without payment. That commitment to information freedom is why something like industrial espionage is considered totally contrary.
To hacker ethics, because it's about selling information, not freeing it precisely. But you mentioned earlier sometimes this ethic doesn't quite match reality, like with sharing discoveries.
Yeah, that's where it gets nuanced. While the idea of a shared ethic is powerful, the reality is described as quite abstract and definitely not uniform. Well, there's this ongoing debate within the community itself, like full disclosure releasing vulnerability details immediately to the public versus responsible disclosure telling the software vendor first, giving them time to fix it.
Ah. Okay, So even they don't agree on the right.
Way exactly, that ethical debate is very much alive and kicking, showing it's not some monolithic code everyone follows.
And what about the stereotype the antisocial nerd in the basement.
Yeah, the sources push back hard against that. They say many hackers are surprisingly well normal normal, sociable, good students, They have friends, play sports, social lives. The studies painting them as antisocial drug abusers often based on very limited segments of the community, not.
The whole picture doesn't more complex much more.
Although for some computers definitely do serve as an escape route escaping what uncomfortable realities, maybe divorced parents, feeling oppressed at school, maybe avoiding street gangs. They find refuge in the virtual.
World in a sense of belonging.
A huge sense of belonging in the underground community. It often becomes their main allegiance, a core part of their identity.
But it's not just about escaping negative situations. Right. There's that story about Animore starlt pure Heart.
Right, that's a great counter example. She was the first woman to win the cyber Ethical Survivor title at Defcon, a major hacker.
Conference, and her story is different.
Very different.
Her parents actually encouraged her interest in computers. They helped her develop an ethical sense around it, talked openly with her about hacking.
So the family environment can be a huge factor.
Absolutely highlights how that environment can really shape whether someone's path goes towards ethical hacking or darker stuff.
And within the underground itself, how do social relationships work.
Well, it often acts as this haven, a place where you're judged purely on your skills, your knowledge, not your ethnicity, not your social class, not how much money you have.
Meritocracy based on tech skills.
Pretty much, and that environment really fosters free information sharing, mentorship. You gain respect through what you know and what you contribute, not through wealth.
Okay, and the substance abuse link you said the stereotype is mostly wrong.
Yeah, the sources are quite clear. Most hackers do not abuse hard drugs or excessive alcohol. Clearheadedness is actually valued. You need to be sharp to do this stuff well.
But it can be a factor sometimes it can.
But often after they stop hacking, maybe due to getting caught or being exposed, the hacking itself can become almost like an addiction, a hacking dependency.
Really.
Yeah, And when that's taken away, some might turned to substances to try and replicate those sensations fill that void.
Wow, that's a really interesting perspective. And what about their view on authority you mentioned resentment earlier.
It's a very particular view. Hackers often see the main superpowers in their world, the hacker community itself, governments, and the wider Internet community as ideally existing in an equal relationship, equal how horizontal, peer to peer, no one group dominating the others. They equate that kind of structure with true democracy.
And control of information is central to that.
Absolutely, for many of them, the real crime isn't the act of hacking itself, what is it then, but rather hiding the truth. That's a direct quote, and it's a powerful conviction shaping how they see the world and their place in it.
Okay, So the HPP project, the Hacker Profiling Project, didn't just talk about these ideas. They gathered actual data right from hackers themselves, exactly.
They didn't just theorize. They went out and gathered data using extensive questionnaires, distributed them global, even at underground events hacker conferences and such.
So they got input from the community directly.
Yeah, allowing them to trace general hacker profiles by cross referencing lots of different sources, real data from the source, and.
The results were surprising.
Quite surprising, Yeah, especially regarding age.
That stereotype of the young teenage hacker, the kid in the basement, right, the data kind of shatters that. Yes, there's a large number in the ten twenty age bracket, but there was also a significant percentage in the thirty five to forty group, and even forty one forty.
Five really older hackers.
Yeah, the average age was actually twenty seven for females and twenty five for males in their sample. It suggests that many who started years ago are still very much active. It's not just a phase for everyone.
That is surprising. What about socioeconomic status did that fit the stereotype?
Not really either. A majority of the interviewees said they were from upper middle forty four percent or lower middle thirty seven percent class backgrounds.
So not confined to one economic group.
Yep. It really seems to cut a across different societal lines, not just you know, disenfranchised youth or anything like that.
And where they lived. Does everyone live in big cities?
Well a lot, due forty five percent were in large urban areas, but interestingly, twenty one percent lived in very small towns and.
Villages, small towns. How does that work?
It really shows how information and communication tech itself enables this. It sparks interest in people who historically would have found it really hard to even access the systems or equipment needed, geography becomes less of a barrier.
Makes sense. What about education? Are they all college dropouts?
Well, the data showed a significant drop in university graduates who continue hacking, and many hackers expressed a dislike for formal schooling why they found it not very stimulating or felt they learned nothing new. But at the same time, they're clearly smart and skills exactly. They describe themselves as inquisitive, they have high technical skills. It points to this profound love for self directed learning outside of traditional classrooms.
They learn what they.
Want to learn.
Okay, and motivations. Did the data confirm that curiosity factor? It did.
Thirty percent cited inquisitiveness as their number one reason for hacking, just wanting to know how things.
Work, and any other major reasons.
Yeah, A notable fourteen percent said they do it for the good of the final users, actively looking for weaknesses and systems to try and make them safer for everyone.
The ethical hacker motivation again.
Seems so and for those who don't fear being arrested, which is quite a few, the top reasons they gave were fascinating, what were they? Thirty six percent cited the inadequacy of investigators. Basically, they think law enforcement can't catch them, and thirty five percent pointed to their own precautions and technical devices. They think they're too clever or well.
Hidden, confidence or maybe arrogance, probably a bit of both. This next stat is really striking to me. Eighty percent of the responders don't think they're damaging anyone with what they do. Yeah, eighty percent, even though eighty one percent admit that what they're doing is legal in their country.
It highlights this huge disconnect, doesn't it a core paradox? They see their actions as non malicious even while knowing they're breaking the law.
Their internal ethical compass is just different from the legal one.
Very different, And that probably explains why traditional deterrence don't always work.
Right, because this study also found that law seemed pretty unsuccessful. As deterrence didn't.
It largely unsuccessful?
Yeah, fifty five percent of hackers who said they'd stopped only stopped temporarily. They went back to it after a break.
So stopping wasn't permanent for most.
Not at all.
And even among those who claimed to have stopped, seventy nine percent admitted they still dabbled in hacking occasionally.
Wow. So it's really hard to give up.
It suggests the challenge isn't just about the fear of legal consequences. It's tapping into something deeper, some ingrain drive, or maybe even that dependency we talked about.
What about online identity? The use of.
Nicknames also interesting. Fifty six percent said they use more than one nickname or.
Handle okay, multiple aliases, yeah.
And get this.
Of those using multiple nicknames, sixty five percent admitted to feeling like they have more than one personality.
Multiple personalities, like a disorder.
No, the study is careful to say it's not about mental illness in that clinical sense. It's more about creating these distinct online personas, like an armor almost that protects their real identity and lets them operate differently online digital.
Mask makes sense, and their social circles. Do their families know mostly know?
A surprising sixty eight percent of parents were reportedly not aware of their children's hacking activities.
Sixty eight percent. That's huge. Are they mostly loaners?
Many operate alone fifty five percent, but a significant chunk thirty eight percent work both alone and in groups.
Sometimes in these groups, do they know each other in real life?
Often not within the groups, thirty percent of members had never met each other face to face there never, and fifty four percent don't even live in the same city or country as their hacking partners. They rely heavily on encrypted communication chat, IRC, Internet relay chat.
That kind of thing, truly a global virtual underground way. One last set of findings that really caught my eye about sharing information.
Ah, yeah, the sharing piece.
Fifty nine percent said they do warn the cystant administrator after finding a breach, assuming they didn't intentionally damage anything.
Right nearly sixty percent, which fits that helping security motive for some.
But then maybe the most surprising stat for me, fifty three percent state they never share their discoveries with anyone else. Yeah, over half. That directly contradicts that core hacker ethic of free information exchange we talked about.
It absolutely does.
It challenges that principle head on, and only thirty two percent said they'd inform their own group after warning the sissiedmund So.
Much for solidarity and free knowledge sharing in practice for many, at least.
It suggests a much more complex, maybe more individualistic, or even competitive dynamic going on than the stated ideals might suggest. It's not all communal building.
Wow. Okay, so this deep dive, it really paints a picture of a hacker world that's far more complex, much more nuanced than the usual caricatures we see in movies or the news.
Absolutely, from those surprising historical roots in Jack the Ripper profiling all the way to the intricate motivations the different subcultures, it's clear you have to look way beyond just the technical skills to understand who hackers are.
Yeah, we've seen that they're often driven by this incredible curiosity, right, a desire to challenge authority, sometimes a profound belief in information freedom.
But it's a world also profoundly shaped by anonymity, by this constantly shifting ethical landscape, and that inherent tension between security and access, between locking things down and wanting knowledge to be free.
So here's something to think about as we wrap up in a world where technology is becoming as one of our sources. Beautifully put it an organic extension of our thoughts and words.
Yeah, that's a powerful phrase.
It really is. So in that world, how do we as a society figure out how to foster the positive sides of this that relentless curiosity, the drive for knowledge while still addressing the very real dangers that come from the darker corners of hacking.
That's the critical question, isn't it. How do you nurture the good without enabling the bad?
Exactly what stands out most to you listening today about the true motivations and the messy ethical landscape of this digital underground, something to definitely keep thinking about.