Sunday, 11 May 2008

Hacker Ethnography

I have had the comment that hackers are by nature creative [1] as a defense of the anti-hero mythos of the hacker.

Research by a number of psychologists [2] will be used in this post. Some statistical calculations will also be included.

Even the web [3] derived image held by much of the hacker underground is a determination of a defined type. This is a strong correlation to the statistical likelihood of the “hacker” being an INT[J or P], with a minority of ENT[JP], Myers-Briggs personality type. I myself am an INTJ bordering on the [EI]NTJ, being borderline Extrovert/Introvert on the scale. I am, however, well off the chart for NTJ.

What is an INTJ?
We are the rarest of the lot [4], [5]. We INTJs account for less than 1% of the population.
David Keirsey (http://www.keirsey.com/) links INTJs as the "Mastermind Rational" [6], placing us as the natural strategists. We are creative; this is not always based on following a task we do not like, as we are strategists.

What is an INTP?
Also rare at just over 1% of the population [4],[5], these are Keirsey’s Architects [7]. They work on interests from the drawing of blueprints for buildings or roads or bridges to code.

Where is the issue with the argument?
There are a few flaws with the argument that hackers (in any derivation of the term) are creative developers of society.

First, arguing on the assumption that the stereotype is true, we have the flaw that hackers, being creative, are also inventive based on the perceived INT[JP] stereotype. The flaw is that it is the ENTP type who is the inventor. We INT[JP]s are the strategists but not the inventors (we do try).

In fact, when on the right side of the fence, INTJs have correlated extremely well to the field of Law. There is creativity in the formulation of a deal strategy, but it is not artistic. It is not going to build the world.

So there is a minority of ENTPs, or inventor types, who are hackers. This takes us to the next point, statistical distributions of populations.

In all large populations there are outliers. These are those who, in forming the group, are removed from the more generalized distributions. This is the problem with an argument from analogy.

If for instance I was to ask if a person in a tweed coat, with glasses and with a tie was most likely:
[A] A Farmer
[B] An Accountant
[C] An Engineer

Many would say either B or C, but the reality is that this is based on making false assumptions. There is no data being presented on the location or population distributions. In fact, if the community was mostly rural, the likely answer is A.

The biggest problem with the argument and use of analogy is in the issue of causation vs correlation.

Our minds have evolved for an environment of which we are no longer a part. Common sense was a good guide 10,000 years ago. It is a poor guide now. We see causal effects in mere correlation.

This allows us to make statements as to the nature of a group based on a few individuals. The problem is that we are wrong more times than not. We see a few people who are anti-heroes who have also done something right. This does not demonstrate a causal link. It is mere associative brain chemistry.

The issue is that we allow those who are doing no good, the majority, to be seen as not being all that bad.

Cowboys in the west were leaders in settling new areas, but they did not build them. Hackers are the leaders in the web, but they did not build it. Sometimes the people are one and the same, but like the founders of many western US towns having been former cowboys, the internet has former hackers.

The former cowboys built by no longer being cowboys. Cowboys are the drovers. They move on. The ranchers displaced them even when some are one and the same.

I say this as one who did many things wrong in my youth and would have (and was) seen as a hacker, but being tainted with a past does not make a future.

The difference is that people grow. This means that we drop our childish ways and ideas and take on new ones. Being a hacker in one's youth does not make one always so.

The real issue.
Creative personality types are higher in “hacker types” – which is the same type who make good lawyers – think on it. The issue here is that it is not that high.

INT[JP] personality types account for 1.9% of the overall population. There is a skew in those who become computer programmers and hackers with research demonstrating that INTJ and INTP types account for 18.2% and 17.5% of the overall population of computing professionals [8]. This is 35.7% or about a third.

Even making the assumption that INTJ/P types who are computing professionals are hackers on the wrong side of the fence, we still have the issue that they are not in a majority (in contradiction to the popular hacker press).

Back to the real issue. Does the status of an anti-hero aid in the creation of anything other than its own mythos?

Here I have to state no. It is a destructive factor. INTJs make good lawyers/judges and good criminals all at the same time. How one spends one's time is an issue.

It was stated that “I'd start by pointing out that almost every major category of security software is derived from hacker tools.” Here the only way this can be true is in an assumption that all programmers are also hackers. This is far from the truth.

Let us investigate,

  • Firewalls, not from hacker tools
  • Snort, not from “hacker tools”, but in response to them

I would argue this statistically, but I can not find enough tools that are derived from hacker tools. If I take a random sample of tools, I keep coming up with the following:

Hypothesis:
Most security tools are derived from hacker tools

The idea being to reject this at the alpha = 5 level

Taking a sample from 500 tools pulled from a Google search and the 100 from sectools.org, and classifying these, I did a multivariate analysis. I took a sample (blind) of 50 tools and checked the classification distribution to test the hypothesis. This sampling was run 10 times [9].

summary(Hacker_tools())
   Min. 1st Qu.  Median    Mean 3rd Qu.    Max.
  5.769   9.032  10.500  10.440  11.860  13.290

summary(Not_Hacker_tools())
   Min. 1st Qu.  Median    Mean 3rd Qu.    Max.
  29.78   36.32   39.29   39.05   42.15   47.26
When we compare these two results in a simple boxplot, there is no overlap at all.

It is simple to state that the hypothesis fails even with visual inspection. But to be thorough, we get a p-value of 0.000000000000000000...

We have strong evidence from this that we can reject the hypothesis that "Most security tools are derived from hacker tools".

So a little statistics - also known as "assumption be gone" - and we see that hackers are not the foundation of secure coding tools (rather they would appear to account for about 21% of such tools).
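The rejection argued above can be checked with an exact one-sided test on a single blind sample of 50 tools. This is an added example, not the R analysis used for this post: it assumes each 50-tool draw behaves as a binomial sample, and the counts of 10 and 13 hacker-derived tools are constructed by rounding the mean and maximum in the summary above.

```python
from math import comb


def binom_cdf(x, n, p):
    """Exact P(X <= x) for X ~ Binomial(n, p)."""
    return sum(comb(n, k) * p**k * (1 - p) ** (n - k) for k in range(x + 1))


def p_value_majority(x, n, p0=0.5):
    """One-sided p-value for H0: p >= p0 ("most tools are hacker derived"),
    given x hacker-derived tools observed in a sample of n."""
    return binom_cdf(x, n, p0)


def upper_bound(x, n, alpha=0.05):
    """One-sided Clopper-Pearson upper confidence bound on the true share,
    found by bisection on p (binom_cdf is decreasing in p)."""
    lo, hi = x / n, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(x, n, mid) > alpha:
            lo = mid  # p still too plausible, bound lies higher
        else:
            hi = mid
    return hi


def evaluate(counts, n=50, alpha=0.05):
    """Return (count, p-value, upper bound, reject H0?) for each sample."""
    rows = []
    for x in counts:
        p = p_value_majority(x, n)
        rows.append((x, p, upper_bound(x, n, alpha), p < alpha))
    return rows


if __name__ == "__main__":
    # Constructed counts: 10 ~ mean, 13 ~ maximum of the hacker-tool summary.
    for x, p, ub, reject in evaluate([10, 13]):
        print(f"x={x:2d}/50  p-value={p:.2e}  95% upper bound={ub:.3f}  "
              f"reject H0: {reject}")
```

Even the largest constructed count leaves the upper bound on the hacker-derived share well below one half, which is the sense in which the hypothesis is rejected.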

References
[1] http://gse-compliance.blogspot.com/2008/05/taming-wild-wild-web.html (comments)
[2] Myers, I. B., & McCaulley, M. H. (1985). Manual: A guide to the development and use of the Myers-Briggs Type Indicator. Palo Alto, CA: Consulting Psychologists Press.
[3] http://www.catb.org/jargon/html/appendixb.html
[4] Jacobson, C. M. (1993). Cognitive styles of creativity: Relations of scores on the Kirton Adaption-Innovation Inventory and the Myers-Briggs Type Indicator among managers in the USA. Psychological Reports, 72, 1131-1138.
[5] Gryskiewicz, S. S. (1982, January). Creative leadership development and the Kirton Adaption-Innovation Inventory. Paper presented at the 1982 Occupational Psychology conference of the British Psychological Society, Brighton, England.
[6] http://www.keirsey.com/handler.aspx?s=keirsey&f=fourtemps&tab=5&c=mastermind
[7] http://www.keirsey.com/handler.aspx?s=keirsey&f=fourtemps&tab=5&c=architect
[8] Capretz, L. F. (2003). Personality types in software engineering. International Journal of Human-Computer Studies, Vol. 58, Issue 2, February 2003, pp. 207-214.
Chang, T., and Chang, D. (2000). The role of Myers Briggs type indicator in electrical engineering education. International Conference on Engineering Education (ICEE), 2000. Retrieved on August 2, 2006 from http://www.ineer.org/Events/ICEE2000/Proceedings/papers/MD6-2.pdf
DeMarco, T., and Lister, T. (1999). Peopleware: Productive Projects and Teams. 2nd ed. New York, NY: Dorset House Publishing.
Hunter, M. G. (1994). “Excellent” systems analysts: key audience perceptions. ACM SIGCPR Computer Personnel, Vol. 15(1), pp. 15-31.

[9] Test Method

The 10 Google searches are:

  1. security tools firewall
  2. security tools authentication
  3. security tools confidential
  4. security tools malware
  5. security tools host
  6. security tools server
  7. security tools internet
  8. security tools government
  9. security tools finance
  10. security tools network

Sectools.org came up so many times that it was added and another 500 selected.

A site like http://www.windowsecurity.com/software/Misc.-Network-Security-Tools/ (the security tools network search) returned multiple tools, in this case 60. I started from the top of the Google search and added tools until the 500 was achieved.

This process was run 10 times for each of the aforementioned searches.

The list of 600 tools was added into R in an array. A random 50 tools were selected. These were classified into the hacker/not_hacker classification.

1 comment:

Craig S Wright said...

As a postscript.

Remember also that most people side with Pen testing for a security control though it is less than 35% as effective as a *well run* audit.