How did you get interested in studying the psychology of virus writers? And
how do you get to know them?
Gordon is a Senior Research Fellow at Symantec Research Laboratory. Her
research at Symantec includes a focus on ethics and technology. Previously, she
worked on the Anti-Virus Research and Development Team at IBM's Thomas J.
Watson Research Center in New York. In that capacity, she undertook a number of
studies to try to understand the motivations and mentality of individuals who
created and released computer viruses on the internet. Many of her findings are
published on her web site. Her current research
at Symantec includes modeling security product certification standards and
examining various aspects of "cyberterrorism."
I became interested in viruses because, quite simply, I got one. Viruses were a
relatively new phenomenon at that time, so I set about learning as much as I
could about them. As I did this, I came into contact with virus writers, as
well as antivirus product developers. There seemed to be a bit of disparity
between things that were said about the virus writers and the way the virus
writers themselves treated me, so I set out to see exactly what was the truth.
It wasn't hard to make contact initially. Most of the active virus writers
were all taking part in various FidoNet (precursor to internet) echomail
exchanges. I was already active there, as I had designed and developed my own
BBS, and received the echomail several times per day.
Sometimes I would meet them at various universities, sometimes (literally) "at
the mall." Sometimes we would talk on the phone, sometimes we exchanged email,
sometimes personal mail. I think it was easy for me to do because I was not
"the enemy"; I was not judging them, I just wanted to understand more about
their viruses, and what they thought about them. In the late eighties, early
nineties, I was pretty much into "the internet" (it was nothing like it is
now), and once they learned about IRC, sometimes I'd meet up with them
When alt.comp.virus came about (this is another story), I was still actively
talking with a lot of them; now I don't do that very much at all. As there are
so many, I am forced to use various sampling methods to make the (few)
generalizations that can be made. Of course, with some people I've stayed in
Is it possible to give a profile of a "hacker"? Or a virus writer? Is there
overlap between the two types?
If by "profiling" you mean "Can you tell me what type of person is likely to
write a virus?" or "Who might hack?" the short answer is "yes and no." Mostly
no. But here are some observations.
Initially the virus writing and hacking communities were very much two separate
groups. Hacking required a totally different skillset and mindset from virus
writing. Now, with the massive connectivity available, the two skillsets are
having some crossover. However, in general, hackers frown upon virus writers.
After all, hacking requires system knowledge and skill and is somewhat "sexy"
in today's counterculture, while virus writing is still looked down upon,
mostly for its indiscriminate damage and lack of required skill.
How true is the stereotype that the hacker subculture is made up of bright,
but socially maladapted adolescent boys? And what about girls? Has the
demographic changed with the growth of the internet in the past few
I think in any area of scientific investigation, you have to be aware of
dangers of stereotyping. But I'll try to answer here based on my experience and
Bright? Yes. But again, depends on how you define bright. Some people
would argue that doing something illegal is not generally very bright. But I'd
counter that with the fact that most people in the hacker subculture are
not out doing illegal things and that people with deep systems knowledge don't
generally get it by osmosis. . . .
Maladjusted? Sometimes. Again, depends on how you define maladjusted.
Certainly the hackers I've known were perfectly fine within their own
environments--aren't we all? They have good relationships with peers, with
their girlfriends or boyfriends (husbands or wives), normal jobs, do pretty
well in school (sometimes very well), etc. But at the same time you should
consider that if you take any of us and compare us with a different set of
people with different values and worldviews, you'd might say we were
"maladjusted." At the same time there are people who have problems.
Adolescent? Sometimes. But then again, sometimes not.
I've known (and know) female hackers--more all the time, as more females have
access to the technologies.
As for virus writers, it's somewhat different. There are some females, but this
appears to be a predominately male activity. In many ways, the only thing
virus writers seem to have in common is a love of writing viruses. So, I
guess the bottom line answer to your question is that the stereotype does not
generally fit. You may read more about this 'socially maladapted' soul in
news reports--after all, it makes for better news. Who wants to read about
the handsome well-adjusted boy next door who broke into a computer and got
community service time? Much more exciting to read about a technopath who
never comes out of the basement except to go to 2600 meetings, eats only at
Taco Bell, dresses only in army fatigues, listens to nothing but gregorian
chants and so on and so forth. The truth is that these populations are made
up of many types of people.
People often talk about a "hacker ethic," a sort of honor among thieves
that includes respect for technical artisanship, and a reluctance to engage in
certain destructive activities. Have you found that this exists?
Certainly the "take only memories" ethic has existed amongst many hackers for
years. However, the face of the internet has changed and it's no longer just
people with highly evolved skillsets out there discussing ideas and exploring
concepts (and systems). Now, there are lots of kids just out "joyriding" on
computer systems. Joyriders often ditch their cars, sometimes they burn them.
It's the same with some (not all) of today's kids who call themselves
"hackers." There still exist people who feel that exploration is a good and
just thing, and that their end justifies the means. You just don't read about
them so much in the news.
What happens when hackers grow up? The sense is that some of them turn into
"white hats" and go to work for law enforcement or private security
They grow up, get married, get a house, two dogs, drive Saturns, you know, just
like everyone else. I can tell you about people who write and make viruses
freely available, but when they grow up they stop putting their viruses out
there. They realize that this is irresponsible, and that they are just making
up rationalizations when they say, "It's up to the guy who takes it to decide what to do with it . . . It's not MY responsibility, I'm just making it available." All of the hackers I know who have grown up (gotten older), continue to work with computers in some form or other. Many work for security companies.
Many people make the analogy that criminal or antisocial behavior on the
internet is merely a mirror of analogous behavior in the physical world. Web
site defacement is like graffitti; passwords or credit card numbers stolen
off the internet is simply thievery and fraud relocated to a new medium. Do
you think there is a psychological difference between cybercriminals and real
I understand the arguments made against "cybercrime" being a "different" sort
of crime, and to some degree I agree with them. My work with cyberterrorism so
far tends to support the premise that just as we don't call terrorism done
with an ice pick "ice pick terrorism," there's no need to put a special label
on terrorism done with computers.
At the same time, there are critical differences. There is a certain
degree of supposed (and sometimes real) anonymity in virtual environments. This
anonymity breeds feelings of "invincibility"in many cases. Time and risk also
have different values in virtual environments. Whereas breaking into a bank
might require two hours of planning, procurement of a getaway car, acquisition
of weaponry, risk of being shot by guards, etc., breaking into a database to
move some money around can take a minute or less, with none of the immediate
home · who are hackers? · risks of the internet · who's responsible · how to be vigilant · interviews
discussion · video excerpts · synopsis · press · tapes · credits
FRONTLINE · wgbh · pbs online
some photos copyright ©2001 photodisc
web site copyright 1995-2013 WGBH educational foundation