This could very likely be a carefully (and cleverly) constructed identity.
This girl might not exist; but because we all really really want a 16 year old girl to be the hacker the discrepancies are glossed over (the art of a good lie is not giving too much detail and letting other people's imagination fill the gaps).
On the other hand the personality strikes me strongly as female, so if it is a facade it is a very well constructed one, which the imposter empathises with.
But, on the whole, the setup "feels" wrong (and I tend to trust my instincts in such matters).
When I had a lot more time, I would go into Yahoo chat and basically phish for pedophiles' usernames/passwords. I can tell you that a "hehe" after anything will set the hook.
I could on average phish about an account a minute and I was never figured out. I only fell out of character once to warn an 18 year old kid, that talking to 14 year old girls sexually online wasn't the best use of his time. He freaked out and thought I was a cop!
It's relatively trivial to do this, most people will ignore minor slip ups provided you have the right context. I would set context by doing the following:
1. I would set my profile to the geolocation of the room I intended to work. I would then find a school and neighborhood to say I was from.
2. I would suggest I was home sick (and thus alone).
3. I would use an innocent, although, sexual name in my username like "booty"
4. I would use emoticons and "hehe" on probably 75% of all messages sent.
5. I would let them contact me first. If you contact them they get scared. If they contact you, they feel like they are in control.
For example, I could tell them the wrong name and many wouldn't notice, or if they did simply saying, "Oh, that's my middle name" is usually sufficient.
With all that said, anyone know of a way I could use my experiences and ability at social engineering online in a legit manner?
Definitely older than Hacker News. I got it from Reddit, and I think Reddit got it from UseNet (possibly via 4chan or IRC).
I paraphrased though, and the grandparent post must have a better memory (or better Google skills) than me, which is probably why you can't find an exact match...
The oldest versions I've heard went something like “Welcome to the internet, where the men are men, the women are men, and the children are FBI agents.”
Pretty sure the line goes back further than that though.
My guess is that it’s a parody of A Prairie Home Companion’s line about “Lake Wobegon, where all the women are strong, all the men are good looking, and all the children are above average.” Though that might itself be playing on some earlier such line?
I think of The Hitchhiker's Guide to the Galaxy (from the 70s?): "Where men are real men, women are real women and small furry creatures from Alpha Centauri are real small furry creatures from Alpha Centauri."
Which is presumably itself a parody, I'd guess of some standard line from a Western. But I couldn't pin it down to exactly where.
That the internet has been thus for a long time is disappointing, but not surprising.
I've studied oral-formulaic poetry, and one of the interesting aspects of it is that everyone tells the same stories over and over, and what makes one retelling superior is not the actual content, but the way it's delivered. I may well have seen it before. But long line lengths and easy Verdana text make HN good for memorable one-liners, and your retelling had punctuation, capitalization, and pithiness.
Going back about 10 years, there was a community that made a pseudo-sport out of this kind of activity and similar online masquerades, it was called baiting.org. The site is still up, though inactive.
Finding one in Yahoo! Chat in the 90s wasn't very hard; it was tough trying to find someone, anyone, to chat with who wasn't a pedophile. Those chatrooms were insane! ...and the webcams too!
I'm big on systems and testing and generally more interested in people than the technical nature of technology. I just wanted to see if it would work. I did this off and on from the time I was 14 to 17 or so. I lived literally in the middle of nowhere, where the nearest town had about 27 people. It was an interesting way to spend time in high school.
To me it was a big experiment to maximize conversion and minimize detectability.
The biggest take away from this is that I realized that social interactions have formulas and you can take advantage of those formulas. You can also find shortcuts to the formula or make certain parts of the formula more important or less important based on context.
I am hoping you are hinting that this story is an exact replica of that behavior... pulling off a social formula, on a slightly bigger scale. Even if you are not, having gone through a similar phase back in early years with that exact same motivation, I am!
This is a textbook usage of social engineering. Putting in divorced parents, single child getting all the attention from the engineer dad making the kid above average amongst his/her peers, and then putting in a girl, so as to make you focus less on the flaws in the story and drool over the hot-geek image more... evergreen combination.
I would doubt though that Forbes came up with this on their own. Rather, it could very much be someone from anon, just having little more fun.
Thanks for making that explicit. My point was that the context (story) she used makes it so we want to believe her. In the same way I could setup a context that makes you want to believe and ignore irregularities.
I would expect that the journalist as a filter makes this even more likely. The journalist would then ignore irregularities or dull them in the story presenting the most consistent pieces in the story, not the least.
I would say one advantage that I had is that I could test responses, over and over again. But that is always what allowed me to basically have a formula that would result in 95%+ conversion on the phishing attacks. The other 5% oftentimes were do-gooders trying to tell me not to be in chat rooms or to warn me about pedos.
Thanks for the explanation. I suspect most people downvoted you because they didn't understand your motivation.
I particularly liked your comment about finding formulas for social interactions. Have you tried looking for work at a social startup? From what I have heard of Facebook's culture, you would fit right in.
I don't have the logs, so it would be based more on memory than anything else. It'd be less than scientific, and I went into Yahoo Chat rooms 6 months ago to see if they had changed and it is much less fruitful now with the population being mostly made up of bots.
This would be a great answer to the "Real life hacking" YC question, especially with your mention of the formula behind human interaction you discuss in another reply.
You're at +6 right now, so the number of people (including me) who think that your comment was interesting and useful to the conversation outweigh the number of people who objected to it. HN is generally self-correcting; I would say that not asking about downvotes for at least two hours or until you get down to -4 or below is probably a good rule of thumb, as I expect that HN's tendency to self-correct is lessened past either of those points (because of fewer people reading the thread or because people won't bother reading the comment), assuming that you can't see why it's been downvoted. That's just my advice, though, as I most often see comments asking about downvotes following comments which have a positive votecount.
On a more technical note regarding the described background, "Kayla" apparently started by learning how to break software and exploit bugs by her dad and grew up learning about the Linux Kernel... then moved to SQL injection.
That last bit makes absolutely no sense. It's easier to learn SQL injection than the many, many different ways that memory management can go wrong. References to her memorising Windows Opcodes sound like a random phrase thrown in for credibility (you do after a while remember certain functions - 11 years after writing my first ARM shellcode I still remember it, even though I'll probably never use it).
The whole description of how she progressed just doesn't sound right. You can be up and running with SQL injection in less than an hour, learning buffer overflows and understanding them properly probably takes about a day and a bit at best (and that's assuming that you know C, how to use a debugger and how a compiler works). The Micro-SD strategy also seems a little extreme (but is viable, our testing gets done under a VM, there's no reason why that couldn't go on a micro SD card).
I'm calling BS on Kayla being a girl, mainly because the story just doesn't fit right compared to the application of Occam's Razor - that this is someone else trying to cover their tracks.
When you have an expert parent (or other adult influence) you can, and frequently do, learn things in a "weird" order. Further study after study from teaching land shows that "the natural order" to learn things is not nearly as fixed as one would think, the order you learned in is not the only way. The order you were taught in is not the only alternative way.
I remember I started learning in C, reading security and working on Perl all at the same time. I didn't even know about SQL for a couple years after that. This was in the late 90's and early 00's tho, things were a bit different, but it isn't improbable nor impractical to have this learning curve in a semi-self taught way. It is even less improbable given that her dad probably taught what he knew best, C and Kernel stuff.
When I was a kid, my grandfather was an electrician. I grew up learning about house wiring, and how to do it properly and quickly. I learned how to solder and do stuff with wires long before I ever did basic electronic theory stuff. It never occurred to me that 120VAC was any more dangerous than a small fire. Imagine my surprise when in college I first encountered these professors who were terrified of wall current ('of course it will hurt you, just don't be stupid' is still how i think of both fire and electricity, the stuff isn't magic). I was confused when we went over stupid "this is how a dpdt switch works" and annoyed that we never played with any circuits more advanced than I grew up doing for over a year. I had never had any basic electronic theory at that point.
So: do you disbelieve me because I didn't learn in some natural progression as an electrician apprentice would? Because I didn't learn in the order the courses laid out in college?
tl; dr -- the idea of a "natural progression" in learning is just bunk.
I've hung out in the anonops irc quite a bit, and `k certainly comes across as female. I hadn't linked her to the Kayla > YOU spam before, but that was almost 3 years ago, now. If it is a constructed identity, then it's been carefully cultivated.
It is an awesome story, though. Regardless of whether it's true or not, it's effective at both rallying the neckbeards and shaming opponents. It's funny to see how much deference is paid to her on IRC, although I only started going there after news of the HBGary incident broke, so she already had quite a lot of cred.
`k may or may not be a 16 year old girl, but it's a hell of a troll if she isn't. I'm not aware of many anons who could pull something like that off for so long. There were a few back in the day who had managed to become trusted enough at anontalk to get promoted to wiseguys, but that took a couple months, not a couple years. For that reason, as well as her general demeanor, I'm inclined to believe her.
Indeed, and there are 2 references in the various tales of a good understanding and practice of social engineering, and anyone with that understanding would not go around telling the press genuine background stories that could start to be pieced together.
But then of course the smartest ones are the people no one will ever hear about, so who knows.
Not just from this piece, I did a little more digging and my impression was that this person comes across as female (based on the sort of language used, areas of interest etc.).
Yeah, it's interesting to guess.. There are mild grammar errors in each longer sentence she's quoted with.. and two of them conflict strangely (she uses 'into' correctly once, but not again). I'm just playing detective, but either smells like someone young.. or like someone intentionally peppering grammar issues to sound it. I dunno. If I had to vote I'd call BS. I think it's someone older.
Why? Kids are smart and have time. 16 is not that young. I knew how to do SQL injection and buffer overflow exploitation at that age, although I also knew not to use those skills against someone who didn't ask for it.
Basically, everyone is excited because she's a girl.
Her father is a software engineer, though. It's much easier to learn pretty high-level skills in a field when you're young if you have a parent in that field.
My bs meter was high for a number of reasons. This paragraph was the most notable:
"Meanwhile she refuses to be chained to her computer, limiting herself to a few hours a night online. She rarely visits online forums - "they’re boring" - and a few days a week takes a course in college to further her goal of being a teacher. She lives in an English-speaking country - not the U.K. - but won’t say more about it"
So the previous paragraph stated she was "memorizing Windows Opcodes and scouring source code for exploitable bugs", but then suddenly she only spends a few hours online? Not likely. Most hardcore hackers I know don't just drop off the radar. The hunt to break into systems is like a drug. I have yet to read about, or know any hacker who simply spends a few hours online a day. At the speed internet security moves, this person's knowledge would be useless inside of 6 months.
Also, how does this person maintain her expert hacker knowledge with a few cursory hours a day on the internet? Literally impossible. Add in the admission she deletes all her emails and wipes all her drives clean? Really? Does this person memorize every line of code she uses then?
My conclusion? A carefully crafted profile of an Anon personality. Although I have no doubt this person probably exists, it certainly is not a 16 year old girl, and a majority of the information in the article is total BS. When you apply some very basic logic, the story just falls apart.
> Add in the admission she deletes all her emails and wipes all her drives clean? Really? Does this person memorize every line of code she uses then?
I agree that the persona is bullshit and that 'she' is probably a mid-to-late 20s male but...
Where does it say that she/he wipes all her drives clean? It only says that (s)he wipes her web accounts. From reading the article, (s)he keeps her personal files/documents on a MicroSD card; quite a smart and disposable solution really.
Perhaps the personal files are encrypted also? It's interesting to imagine what other steps you could take to protect your privacy. It probably wouldn't be too difficult to do alternating sharding at the bits and bytes level over SSH with off-site storage (half on MicroSD, half off-site); does any tool do something similar currently? You could even put a self-destruct timer on the offsite storage (if last_login > 5 days ago: format hard drive with 40-pass erase) or maybe a kill-switch containing sensitive information (ala Wikileaks).
She has no physical hard drive and boots her computer from a microSD card. "I could hide this card anywhere or chew into a million pieces in a few seconds," she says by e-mail.
"A few hours" could be anything between 2 and 8-10 hours. When I was a teenager I'd get in front of the computer as soon as I got back from school and keep the computer on until I went to bed. That added up to ~6 hours a day on average. Anything more would be unrealistic for someone who needs to go to school every day.
Some of the other discrepancies, though, look more suspicious. The very notion that a security-conscious person who has just committed a federal crime would spill so much about his/her life in a random newspaper article reeks of BS.
Dad allegedly showed her how to find bugs in C source code and exploit them. It was all harmless and Kayla had only been using the Internet to talk to friends on MSN. But she began looking into hacking, and learned scripting languages like Perl...
I've always known C was just a gateway to the dangerous stuff.
Each night she wipes every one of her web accounts and deletes every email in her inbox. She has no physical hard drive and boots her computer from a microSD card. “I could hide this card anywhere or chew into a million pieces in a few seconds,” she says by e-mail. She keeps her operating system on a USB stick and uses a virtual machine (VM) to carry out her online shenanigans.
I don't know... what came to mind after reading "deletes every email in her inbox" was POP, which pretty much always deletes your remote mail once it's been retrieved. How many millions of people still use POP over IMAP or webmail? Quite a few I would guess.
For 5+ years, I've been downloading my email with fetchmail, which deletes the message on the server. Once a minute. I don't like the thought of my emails sitting in the cloud for too long.
Not to mention that she gave a lot of personal history surrounding her parents and family history. That might not uniquely identify her, but it does narrow the search considerably. My guess: if he/she is even a single real person, much of this is fabricated.
That is what I was thinking. Ya know, you probably don't want to disclose your operational security procedures because well, they aren't common and not being common, they're trackable.
And then I was thinking about how the police sometimes "leak" that the suspect in some crime is weak, pathetic, individual which nobody really cares about, in hopes that they will offend the real suspect who will then self identify in defense of their honor. If you thought the Anonymous ring leader on the HBGary hack was some teenage guy then the best way to provoke a response would be to either call him gay or a girl it seems.
I wonder how well the E-book Ars put out is selling. And more importantly, if it's really successful I wonder if these people who did this are comfortable with someone getting rich off their exploits?
You see? The twisted depths to which you go if you start down these paths. Sheesh.
> how the police sometimes "leak" that the suspect in some crime is weak, pathetic, individual
Except that the "you just got hacked by a 16-year old girl" taunt was apparently started in Anonymous circles soon after the attack. Not to say any of this is true or not fabricated, just that it's not likely being fabricated from outside for those kinds of reasons.
I figure that such setups could employ a number of cron scripts to spread out actions and/or generate noise. E.g. every <random_range> minutes delete a random email out of a set of everything older than 24 hours. Adjust the constants to match the volume of information.
In light of recent Anon-related police raids, I would hope that anyone supposedly as savvy as "k" would rely on full-disk crypto as opposed to foolishly going the destruction of evidence route.
I've used FDE for many years simply out of precaution against theft.
I've never understood this. Wouldn't a competent security professional know of the existence of TrueCrypt, who would then ask a competent psychologist to determine if you were withholding information (I sure as hell wouldn't be able to keep a straight face), who would then ask a competent interrogator to get the real password from you?
I don't even think plausible deniability would hold in court -- claiming that a large blob of random data on your hard drive is just there for no reason at all is not plausible.
Sure it's plausible. The suggested _secure_ way of wiping a harddrive is to override it with random data (since a typical delete simply drops an entry from a table, making data retrieval trivial (in the current context)).
What I don't understand is that in a context of a court (and this group of competent professionals), password disclosure _should_ be considered self-incrimination (although there was at least one case in the UK where a judge came up with some loophole reasoning around that). Disclosure of multiple passwords ("we didn't like what we found, do you have any other passwords?") would certainly be obtained under great duress.
A large part of the design of Truecrypt is that nobody CAN prove there's an alternate partition. Or, you can decrypt your secondary alternate partition under duress to reveal your real hidden one. Maybe put some token warez on it or something.
To make sure that you can't distinguish free space from encrypted noise, you have to write random noise everywhere as part of the filesystem creation process.
The one thing Truecrypt is vulnerable to is that you can note what parts changed -- say they raid your house twice and image it between when you used it. Then they'll know that free space isn't really free.
Couldn't they just attempt to fill the "outside" partition up? I mean, let's say you have a 1TB partition with a 100GB hidden volume inside. What happens if somebody tries to write more than 900GB into the outside partition?
It will overwrite the hidden partition. The 'outside' partition doesn't know about the hidden one. When you are mounting the outside partition you do have an option to protect the hidden one by providing the password for the hidden one, but if you don't, you can end up overwriting it by filling up the outer partition.
A-ha, I think this is what I was missing. Thank you.
That said -- I would think that a random blob of data sitting around on the hard drive is still highly suspect. Aren't hard drives zeroed from the factory? And wouldn't any true "garbage" data be decidedly not random? (Even if it's compressed... you would still expect to find headers etc. somewhere.)
The OS has absolutely no knowledge of the hidden partition - as far as it knows, that area is just empty space on the disk. TrueCrypt runs from a bootloader (which you can have on a separate CD!), prompting you for a password. It uses that password to attempt to decrypt the (encrypted) volume headers - note the rest of the disk is encrypted too. Unless you install TrueCrypt the software application, there is no indication that was the tool you used.
The point is that the hidden partition is marked as free space on the disk, and the free space is filled with statistically random noise. Some portion of it will be the encrypted hidden partition, which is also statistically random. It is mathematically impossible to prove that any of that random data is actually an encrypted hidden disk. The only way to open it is to use the correct key, which is indistinguishable from the other key which simply unlocks the normal, clean partition, which is also encrypted.
When the police demand the key from you, you give them the one that unlocks the clean partition. Now, at this point it doesn't matter if they don't believe you, it doesn't matter if they know all about truecrypt and hidden partitions, there is no way for them to prove in a court of law or otherwise that there is a hidden partition there. You can just keep telling them "I gave you the password! I just wipe my free space with noise every night! It's just noise!" and you have plausible deniability.
As far as I'm aware this is only in theory. I'm not aware of any case of this actually being tested in court. But mathematically, it is apparently sound.
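The statistical points raised in the comments above (zeroed versus random free space, compressed data carrying headers, ciphertext looking like noise, and the two-image comparison) can be checked directly. This is an added example, not part of the original thread; the SHA-256 counter keystream is a constructed stand-in for a real disk cipher, and the thresholds and function names are illustrative assumptions.

```python
import gzip
import hashlib
import math
from collections import Counter

BLOCK = 64 * 1024  # bytes examined per sample
SIGNATURES = {b"\x1f\x8b\x08": "gzip", b"PK\x03\x04": "zip", b"\x89PNG": "png"}


def keystream(key: bytes, n: int) -> bytes:
    """SHA-256 in counter mode: constructed stand-in for cipher output."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for constant data, near 8 for uniform data."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of byte counts against a uniform distribution."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def classify(data: bytes) -> str:
    if len(set(data)) == 1:
        return "constant fill"
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return f"structured ({name} header)"
    if shannon_entropy(data) < 7.9:
        return "low entropy"
    # With 255 degrees of freedom the statistic centres on 255 (sd about 23);
    # the band below is an illustrative acceptance range, not a standard.
    if 150 < chi_square(data) < 400:
        return "uniform noise"
    return "high entropy, non-uniform"


def build_samples() -> dict:
    """Constructed samples: zeroed space, text, gzip, wipe noise, ciphertext."""
    words = [b"invoice", b"meeting", b"report", b"holiday", b"backup", b"notes"]
    text = b" ".join(words[b % len(words)] for b in keystream(b"text", BLOCK))[:BLOCK]
    pad = keystream(b"volume-key", BLOCK)
    return {
        "zeroed": bytes(BLOCK),
        "text": text,
        "gzip": gzip.compress(text, mtime=0),
        "noise": keystream(b"wipe-pass", BLOCK),
        "ciphertext": bytes(p ^ k for p, k in zip(text, pad)),
    }


def changed_blocks(before: bytes, after: bytes, size: int = 4096) -> list:
    """Indexes of fixed-size blocks that differ between two images."""
    return [i // size for i in range(0, len(before), size)
            if before[i:i + size] != after[i:i + size]]


def two_images() -> tuple:
    """'Free space' imaged twice, with ciphertext written to blocks 3-4 between."""
    s = build_samples()
    before = s["noise"]
    after = before[:3 * 4096] + s["ciphertext"][:2 * 4096] + before[5 * 4096:]
    return before, after


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:10s} H={shannon_entropy(blob):.3f}  {classify(blob)}")
    first, second = two_images()
    print("second image:", classify(second), "changed:", changed_blocks(first, second))
```

Either image on its own classifies as uniform noise; only the comparison of the two shows that the supposedly free space was written to.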
I wonder what wiping of a web account exactly involves. Email, FB? Sounds like something a journalist would say without really knowing what they are talking about.
Is the phrase "Windows Opcodes" (from the article) a subtle troll on the part of "k" or a journalistic goof? I'm no programmer by any stretch, but that phrase jumped out at me as phony. I know there are system calls for operating systems, and opcodes are processor instructions, so this use of the term raised my b.s. meter a notch.
Not sure I see your point. Sure, the URL has "opcode" in it, but the page clearly says "Windows System Call Table" -- nowhere is the word "opcode" mentioned on that page.
I'm not particularly close to this issue, but the sexism I'm seeing here is pretty astounding. If this were a 16 year old guy, no one would bat an eyelid. Seriously.
Look at Mafiaboy back in 2000 -- he took down Yahoo!, Amazon.com, Dell, Inc., E*TRADE, eBay, and CNN. I'm not even sure that he was 16 yet (I don't have his age offhand).
Is this a crazy and possibly fake story? Of course. Does that mean that it can't be true? Not by a long shot.
I work in information security, and at 16 knew a hell of a lot about SQL injection, buffer overflows, cross site scripting and oodles of other vulnerability classes. This girl didn't work alone, but part of a hacker group -- to me, it seems totally feasible.
I'm not saying that we should take every word an anonymous "16 year old girl" says on the Internet as absolute fact, but discounting this attack because it seems like a girl couldn't pull it off seems sexist and wrong. Again, if this were some pimply-faced male high schooler, no one would bat an eye.
Nobody's saying that it can't be real because girls don't grok tech and 16-year-olds are stupid. They're saying it's unlikely to be real because statistically, the number of 16-year-old girl hackers is very small (relative to 25-year-old male hackers), there's a huge history of fake personas in hacking (and especially around Anonymous), and a 16-year-old girl is a very useful persona to get attention.
You bring up a great point - which is actually contradictory in the story. She said she was hassled for being so young. I know a lot of hackers and most got started very young like you point out, and all were welcomed into the hacker community without any issues - female or not.
I'm not sure what sexism you mean specifically, but my skepticism has nothing to do with the specifics of the persona. Of course there are 16-year-old girl hackers. My wife once was one.
I doubt that the character is really a 16-year-old girl because she's telling Forbes she's a 16-year-old girl.
If 'k said he were a 16-year-old boy, I'd doubt he were a 16-year-old boy.
If 'k said she were a 33-year-old quant on Wall St., I'd doubt she were a 33-year-old quant. Etc.
I just seriously doubt that this character is giving any real identifiable information to Forbes.
I'm female last time I checked, and a paste from my blog makes Gender Guesser think I'm weak male and Gender Genie says I'm male. Doesn't mean anything, but worth noting.
Grepped this, which ars technica claims is a real chat log. She says just under 200 words on this log, and it comes up as weak male again on Gender Guesser and male on Gender Genie. Her username of `k is removed for the analysis. http://pastebin.com/x69Akp5L
Genre: Formal Female = 509 Male = 971 Difference = 462; 65.6% Verdict: MALE
Computing represents a pretty specialized topic, and most of the sample data with computing-related discussion will be from men. It would be pretty tough for any simple Bayesian analysis to account for this.
Perhaps you should use... fewer ellipses? There are several grammatical patterns females use more than males (and vice versa). I assume that's how the test works, anyway.
This is Anonymous we're talking about. Isn't "16 year old girl" a well-known colloquialism on 4chan, normally used to convey the stereotype of a middle-aged, balding geek still living in his parent's basement who likes to use fake online personas? Forbes got trolled in a monumental fashion.
Kayla first asks for root password using two passwords that she already has but might not necessarily be the root one. She also already knows that remote root isn't allowed. This way:
1) She'd get the root password e-mailed to her if it wasn't one of those two. "No, it's not those, it's '<password>'."
so she goes to extraordinary lengths to coverup her online activity, but grants an interview to a national news outlet where she divulges a large part of her personal history?
If the government is going after these people it should be for one reason only - to hire them.
Maybe with this kind of talent working together we could find out where rogues like OBL are hiding.
IRL, it's thought by many that AQ stopped using electronic communication to relay important messages and only rely on in-person communication / messengers.
I think the reason people keep saying she is fake is because they don't want to believe someone so young is capable of doing what she did. I've spoken to her via email and she said she doesn't care what people think about her, she's going to do what she does regardless and she has my full support.
Maybe instead of asking questions about her here, you ask her like I did?
kayla@anonleaks.ch
If she really is who she said she is that's one smart kid!
Soon you are not going to know if anyone that you interact with online is who they say they are. The Pentagon has awarded a contract to a Silicon Valley company to develop software that creates fake personas that can then influence the "conversation" by spreading US propaganda. Each operator will be able to create up to 10 "personas". A friend just sent me a link about the Pentagon's decidedly Orwellian "sock puppet" software:
If you're going to pick a fake identity would you pick one that would get you attention like this? Seems like a fake identity but not sure it's the best one.
> In December 2008, she wrought havoc on one of the most famous forums of all, 4chan’s notorious /b/ channel, finding and exploited an SQL injection bug on its content management system, hacking in and causing mayhem on the forum for a few hours.
I don't remember any such exploit. You could produce that image by posting a lot.
Since the girl is a person and not a thing, it should be "... girl who hacked hbgary". r11t copied the mistake from Forbes-- How do national magazines make grammatical errors like this? Don't these people have editors who at least earned a passing grade in middle school English?
Shakespeare wrote in the Merchant of Venice of "the man that hath no music in himself". Mark Twain wrote a short story titled "The Man that Corrupted Hadleyburg". Ira Gershwin wrote a popular song titled "The Man that Got Away". These are just the examples easily available on Wikipedia.
Your complaint does not represent majority usage in English, let alone modern usage.
Middle school English teachers love to invent simple rules of the language that don't reflect actual usage very well. The choice between "that" and "who" as relativisers is subtle, and the animacy constraint doesn't explain the facts of how people speak.
1. Using the same computer that connects via phone, wireless, etc. and then using any email service.
2. Machine characteristics: since they cannot get the machine ID, they go for the next best digital fingerprint, i.e. operator grammar/typos, CPU speed, RAM size, etc.
3. Websites have visitor logs; the track back to you eventually gets fleshed out.