Gordon is a Senior Research Fellow at Symantec Research Laboratory. Her research at Symantec includes a focus on ethics and technology. Previously, she worked on the Anti-Virus Research and Development Team at IBM's Thomas J. Watson Research Center in New York. In that capacity, she undertook a number of studies to try to understand the motivations and mentality of individuals who created and released computer viruses on the internet. Many of her findings are published on her web site. Her current research at Symantec includes modeling security product certification standards and examining various aspects of "cyberterrorism."

I became interested in viruses because, quite simply, I got one. Viruses were a relatively new phenomenon at that time, so I set about learning as much as I could about them. As I did this, I came into contact with virus writers, as well as antivirus product developers. There seemed to be a bit of disparity between things that were said about the virus writers and the way the virus writers themselves treated me, so I set out to see exactly what was the truth.

It wasn't hard to make contact initially. Most of the active virus writers were all taking part in various FidoNet (precursor to internet) echomail exchanges. I was already active there, as I had designed and developed my own BBS, and received the echomail several times per day.

Sometimes I would meet them at various universities, sometimes (literally) "at the mall." Sometimes we would talk on the phone, sometimes we exchanged email, sometimes personal mail. I think it was easy for me to do because I was not "the enemy"; I was not judging them, I just wanted to understand more about their viruses, and what they thought about them. In the late eighties, early nineties, I was pretty much into "the internet" (it was nothing like it is now), and once they learned about IRC, sometimes I'd meet up with them there.

When alt.comp.virus came about (this is another story), I was still actively talking with a lot of them; now I don't do that very much at all. As there are so many, I am forced to use various sampling methods to make the (few) generalizations that can be made. Of course, with some people I've stayed in touch.

Is it possible to give a profile of a "hacker"? Or a virus writer? Is there overlap between the two types?

If by "profiling" you mean "Can you tell me what type of person is likely to write a virus?" or "Who might hack?" the short answer is "yes and no." Mostly no. But here are some observations.

Initially the virus writing and hacking communities were very much two separate groups. Hacking required a totally different skillset and mindset from virus writing. Now, with the massive connectivity available, the two skillsets are having some crossover. However, in general, hackers frown upon virus writers. After all, hacking requires system knowledge and skill and is somewhat "sexy" in today's counterculture, while virus writing is still looked down upon, mostly for its indiscriminate damage and lack of required skill.

How true is the stereotype that the hacker subculture is made up of bright, but socially maladapted adolescent boys? And what about girls? Has the demographic changed with the growth of the internet in the past few years?

I think in any area of scientific investigation, you have to be aware of dangers of stereotyping. But I'll try to answer here based on my experience and research.

Bright? Yes. But again, depends on how you define bright. Some people would argue that doing something illegal is not generally very bright. But I'd counter that with the fact that most people in the hacker subculture are not out doing illegal things and that people with deep systems knowledge don't generally get it by osmosis. . . .

Maladjusted? Sometimes. Again, depends on how you define maladjusted. Certainly the hackers I've known were perfectly fine within their own environments--aren't we all? They have good relationships with peers, with their girlfriends or boyfriends (husbands or wives), normal jobs, do pretty well in school (sometimes very well), etc. But at the same time you should consider that if you take any of us and compare us with a different set of people with different values and worldviews, you'd might say we were "maladjusted." At the same time there are people who have problems.

Adolescent? Sometimes. But then again, sometimes not.

I've known (and know) female hackers--more all the time, as more females have access to the technologies.

As for virus writers, it's somewhat different. There are some females, but this appears to be a predominately male activity. In many ways, the only thing virus writers seem to have in common is a love of writing viruses. So, I guess the bottom line answer to your question is that the stereotype does not generally fit. You may read more about this 'socially maladapted' soul in news reports--after all, it makes for better news. Who wants to read about the handsome well-adjusted boy next door who broke into a computer and got community service time? Much more exciting to read about a technopath who never comes out of the basement except to go to 2600 meetings, eats only at Taco Bell, dresses only in army fatigues, listens to nothing but gregorian chants and so on and so forth. The truth is that these populations are made up of many types of people.

People often talk about a "hacker ethic," a sort of honor among thieves that includes respect for technical artisanship, and a reluctance to engage in certain destructive activities. Have you found that this exists?

Certainly the "take only memories" ethic has existed amongst many hackers for years. However, the face of the internet has changed and it's no longer just people with highly evolved skillsets out there discussing ideas and exploring concepts (and systems). Now, there are lots of kids just out "joyriding" on computer systems. Joyriders often ditch their cars, sometimes they burn them. It's the same with some (not all) of today's kids who call themselves "hackers." There still exist people who feel that exploration is a good and just thing, and that their end justifies the means. You just don't read about them so much in the news.

What happens when hackers grow up? The sense is that some of them turn into "white hats" and go to work for law enforcement or private security companies.?

They grow up, get married, get a house, two dogs, drive Saturns, you know, just like everyone else. I can tell you about people who write and make viruses freely available, but when they grow up they stop putting their viruses out there. They realize that this is irresponsible, and that they are just making up rationalizations when they say, "It's up to the guy who takes it to decide what to do with it . . . It's not MY responsibility, I'm just making it available." All of the hackers I know who have grown up (gotten older), continue to work with computers in some form or other. Many work for security companies.

For more on Gordon's research into the "aging out" of virus writing activity, see her paper 'Virus Writers, Yesterday, Today, and Tomorrow."

Many people make the analogy that criminal or antisocial behavior on the internet is merely a mirror of analogous behavior in the physical world. Web site defacement is like graffitti; passwords or credit card numbers stolen off the internet is simply thievery and fraud relocated to a new medium. Do you think there is a psychological difference between cybercriminals and real world criminals?

I understand the arguments made against "cybercrime" being a "different" sort of crime, and to some degree I agree with them. My work with cyberterrorism so far tends to support the premise that just as we don't call terrorism done with an ice pick "ice pick terrorism," there's no need to put a special label on terrorism done with computers.

At the same time, there are critical differences. There is a certain degree of supposed (and sometimes real) anonymity in virtual environments. This anonymity breeds feelings of "invincibility"in many cases. Time and risk also have different values in virtual environments. Whereas breaking into a bank might require two hours of planning, procurement of a getaway car, acquisition of weaponry, risk of being shot by guards, etc., breaking into a database to move some money around can take a minute or less, with none of the immediate physical risks.