organizational and personal stressors. So she is basically the psychologist of the group. Did I get that right? Okay. We also have John Dodge, professor of the School of Commerce and Administration at Laurentian University, partner of the management consulting firm, and he usually talks on e-commerce and organizational strategy issues. We also have Steve Mitzazos. He is a partner of the law firm, so he's the lawyer in the group, and he has practiced commercial law in the IT field for the last 12 years, acting as counsel to both multinational technology companies and various small software startups. And Steve is also affiliated with Laurentian University. What these three have done is a three-year study of hackers and whether they get a bum rap, and I think you will all be pleased with their results, so here they are.
Thank you very much. Hacking of America, and as it's also titled in the thing that was put out by DEF CON, is Organizations Employ Hackers, and we think that these are related because, maybe I should give you a little bit of background. We are both, Bernie and I, academics. We've undertaken a study that we have funded through a very small research budget of our own. The university gives us a bit of money and we can commit it to whatever project we run without the interference, so we decided to go ahead and do this. We've also dipped into our pockets a little bit to cover additional costs because we did not want to seek outside finance or to seek proposals, so the research that we've done has been completely independent. You may not or may not result. It's very defensible and we think very independent. I just want to get that very clear in the initial stages. We, Bernie and I, worked together at Laurentian University and the School of Commerce, and now Bernie has gone on to be dean at a new university in Toronto and we saw the loser there but we're very happy to work with on this project.
The thing that we found here is that we were funded, we were interested in the research area and that we really were helped by a number of students, particularly Kevin Ellis and Yana Lahaki, that were really instrumental in helping us coax on the data. We came to H2K two years ago and DEF CON, and we had a booth set up in the vendors area where people came around and actually committed quite a bit of time, at least a half an hour, to fill out self-reporting questionnaires. So we think it's quite reasonable to present you with some of the data and some of the background material that we found. So moving on, I'll ask Bernie to go to the next slide. One of the motivations of this study is that there's a lot of myths out there in the community and society in general: are hackers, for the most part, criminals that should be feared or either feared, and of course that they are feared some may by society. The question is, are we terrorists? As a hacker, are they considered like terrorists? In fact some people would classify hackers in the same group and fearing some kind of interventional or some other catastrophic event. The other thing is that if we gave hackers clinically derived psychological inventories, what would their answers be? Say about their dangerousness. So we wanted to actually find out how dangerous are hackers. Enough of the myths, so we said let's move on from the myths and try to find out the reality check. We defined hackers in this case as people, persons who spent all their time learning the details of computer systems and how to stretch their capabilities, as well as those who have a number of items that I'm sure you're familiar with, gained unauthorized access to computers and so on. I don't think it's worthwhile to dwell on how a hacker is here. The instrument used was a 22-page questionnaire. It had five parts in it. The first part was on hacker demographics, basically sex, age, income levels, all of that kind of thing.
One tidbit that you would like to hear maybe, that's not included in our speech, is that hackers are well above the median income for those employed. A very successful financial group in general. The second part was on short-term issues of mind-body symptoms. Sometimes you might be under certain kind of stressors and your body is reacting to that stress, and we wanted to verify what amount was, how those were linked in that short term. The other three parts were really long-term personality issues here. The first one relates to routine behaviors, and that reflects some of your personality, your likes and dislikes, and we used well-recognized and accepted instruments for these. The third one was Rowe's leadership style index. We wanted to compare you to business people and how they manage. How do you solve problems and are they related to business managers? We wanted to compare you to business managers set. Item four was really personality issues relating to how you manage people or businesses. When you do research you've got to go back and say what's been written so far and what other research has been done. The best comparison base that we can find was done by Shaw, Post and Ruby in 1999, and it was a study of convicted hackers that were working on the inside of organizations. This was a forensic study that basically went back and trapped the issue afterwards. Rather interesting is I thought they came up with some very good results. They didn't talk to any of the hackers themselves. This all came from evidence given at trial and other aspects, so one has to wear it on the sources of that. What they did find is that they said that they're introverted, more comfortable in their own mental world than in a more emotional and non-predictable social world. They have a history of significant family problems. These are the convicted inside hackers, especially in early childhood, leaving them with negative attitudes towards authority.
So you can see that can happen, and have online computer dependency that either fears or replaces social interactions, and that are basically spending maybe a little too much time on the computer. More about the insiders: they have an ethical flexibility that allows them to justify any violation, that's rather typical, have a strong loyalty to their computer specialty, in fact far more to their computer specialty than to their employers. And this, you've got to remember, was done in the context of an inside convicted hacker, and so they would obviously violate that. They also had a sense of entitlement, thinking that they were special and are owed recognition, privileges or exemptions to many rules governing other employees. Basically they should have special rules attached to them. We're not saying these are correct. All we're saying is this was what the best research we had to do to deal with, so we use that as our benchmark, as our comparison. Are these really true and can be verified? So we went on from there. The other one of course is they lack empathy towards work, to others at work, generally indicating that the social human reserve skills are not particularly strong. Just a quick brief profile here in our study: we had 216 participants in this study. They were 39% from H2K and 61% were from the DEF CON 8 audience. Overall, 91% were male, obviously 9% female. The age ranged from 14 years to 61. The mode was 24 years, the median was 25, mean 27. So there was pretty good educational levels achieved.
The other issue is that they just took a back of it. You can do it. Just go ahead now. You'll notice that we're using the Corel product. We just try to keep away from Microsoft. We know we all learned a lot of them. They're blaming it on Bernie there. The sample contained those charged with hacker-related crimes. It was 9% were charged with hacker-related crimes out of 216. And of those, that served sentences for such was 32%. So basically a third of those charged actually served time. The sample also was rather interesting. It contained 18% had crimes of another nature, non-hacking related. And they served sentences 48%. So it's rather interesting the conviction rate was higher for the non-hacking than the hacking. But it also reflects the fact that they had more other activities going on that brushed with the law. The male hackers tended to be employed by larger companies. So they're not really large companies. They had about 4,200 employees. The hackers charged with hacking-related crimes tended to work in small companies, probably about 56 employees. It's rather interesting that with larger companies they probably had more sophisticated human resource selection processes, and people in human resources may not have wanted to take a risk on a hacker and immediately removed that from the list. But this is including everybody that was charged and not charged, by the way. The female hackers tended to work in smaller companies with about 1,400 employees. And I think now we move on to psychological aspects of the hacker and I'll turn that over to Dr. Bernie Schall here. Bernie?
Hi, thanks a lot John. At any point in time if you don't understand some of the terms that you use, just raise your hand and I'll try to explain more fully. And of course in our book we go through chapters and chapters explaining what each of these psychological items is all about. We'll start at the very beginning, again going back to the research of Eric Shaw and his colleagues.
I reported an early childhood traumatic series of events, and when we asked the 216 people in our sample if they had experienced significant childhood trauma such as loss of a parent through divorce or death, the loss of a sibling, abuse of one form or another, almost a third of the respondents said that they had experienced those sorts of traumatic events in early years. Probably of more importance to us, not just the percentage of respondents who came forward talking about these painful events, but the important assertion that over 60% of those who had experienced such events said that they had long-term negative impacts on their thoughts and behaviors. And so we wanted to look more closely at the data to find out what exactly they were suggesting those long-term impacts were. In terms of gender differences, female hackers in particular were more likely to admit experiencing childhood trauma. About what we found, John and I, when we did face-to-face interviews at H2K, that once we got people to trust us with the interviews, while they would not initially admit that they had some traumatic events, later on they would talk about what had happened to them. I'm sorry? How does it compare to society? These reported rates of trauma in early childhood exceed the norm. Now we were also curious about the reporting of childhood trauma for those who had been charged versus those who had not been charged and for the younger versus older, and we didn't find any significant differences. We then move on to how the respondents said they were able to cope with distress over a two-week period just before they completed the inventory. And we used the symptom checklist that was developed by George Addison and his colleagues in 1974. And the scale that we used was a zero to three scale. Zero meant that over this two-week period individuals weren't experiencing the usual symptoms of stress like nausea, difficulty concentrating, that sort of thing.
And at the high end, two or three meant that they were experiencing extreme bouts and extreme intensity. So what you have here for the 216 respondents are mean scores on various clusters of stress symptomology. And the strongest short-term measure in terms of clustering was around anger for the hackers, followed by interpersonal sensitivity and a fear of being rejected by the spouses and friends who were close to them. Followed by obsessive compulsiveness, which is the need to be perfect. And then we have somatization, that basically is mind-body disorder. So I might ask you, are you feeling stressed out today, and you might say no Bernie, I'm not. And then I'll say well, have you been experiencing any sorts of health issues? And you might say well, you know, when I think about it, my migraines have been worse the past couple of weeks. My arthritis has flared, my asthma is worse. These are all indicators of somatic outbursts of distress, so that you may not verbally think or report that you're distressed but your body says otherwise. And finally we have anxiety, just having this need to run away and to avoid what's going on in the world. Okay, now again we were curious about that long-term impact of trauma on individuals. And what we found over and over again as we worked through the analyses is that the hacker community really fears that they are going to lose their friends. They have difficulty with interpersonal relationships and they have a hard time processing interpersonal misunderstandings. And in fact we found that the strongest correlation with anger was this interpersonal sensitivity item. There was a gender difference here in terms of distress in the short term, with women reporting significantly higher anxiety and somatization stress symptoms than the male counterparts. We then get into the under-age-30 hackers versus the older over-30 hackers, and the younger people were reporting significantly higher anxiety and depression.
And I might add, to a point that we would suggest that they were suffering from clinical depression. Then we went on to look at the degree of computer addiction that allegedly exists within this population. And we used as a basis Dr. Kimberly Young's research. Basically what she said is we know that we have someone who's online addicted when they spend over 30 hours online. And what we found for hackers is that they reported spending on average 24.45 hours online, which does not qualify them, at least with this indicator, for computer addiction. Per week, yes. Again Dr. Young went on to say that if you are computer addicted, you will have a disrupted sleep cycle, meaning that you get fewer than six hours of sleep per cycle. And what we found was that our hackers didn't report that problem overall, but in fact they were getting on average 6.26 hours of sleep. The under-age-30 group however did appear to be the most addicted to their computers. They did report engaging in hacking sessions lasting over eight hours. And they did report spending over 30 hours per week online. We then looked at various personality indicators. I had addressed the same indicators in corporate leaders and learned about that in the Management in the Mirror book. And I also looked at these predispositions in stalkers and wrote about those predispositions in the stalking book. Now we come to the hacking population and how they see themselves, their long-term routine behaviors over time. And the highest score that you could get on any one of these personality indicators is 10. Any score five or higher we consider to be a significant predisposition in an individual's personality types. And what we found is, contrary to the myth that hackers or the hacking community seem to be other-destructive, we found that the majority, the number one trait was that hackers are self-healing. They're called self-healing type fours. They're balanced actually on their task needs and on their people-related needs.
And that keeps them going over time just like the Energizer battery. Funny. The next interesting point, the indicator that was over five for the hacking population, was what we called the cancer-prone type five predisposition. This is what we would call a noise-in or a noise-denying lifestyle. And in fact it became clear to me that some of that trauma that was experienced in early childhood was repressed. And the style that these children, I guess, adopted in childhood to cope with what was going on in the home environment around them traveled with them into adulthood. The long-term prognosis is that the longer one stays in a state of noise denial, rather than working through whatever is bothering you constructively, puts you at risk for developing cancer. Just below the five level was another, what we call the harmony-desiring cancer-prone type one predisposition. So what we have here: strong self-healing followed by noise-in and a cancer-prone prognosis over the long term. We were interested in looking at the psychopathic-prone predisposition, and what we call the type three, considerably below the level five. So typically we wouldn't even worry about this for a population if the mean score is this far below five. Contrary again to what Dr. Kimberly Young says, that hackers are these computer-addicted cardiovascular-prone type A, or what we call type two types in this instrument, we just didn't find much evidence of that at all. And probably of more recent interest to the governments around the world since September 11th, as well as to researchers, what about the two as prone obsessive narcissistic type six predisposition? And what we found for the majority: extremely low.
So our summary then, taking as a composite these hacker study findings for the sample size of 216, seem to support the assertions of two sets of academics in particular, shot from 1991 in Kagan and Dukat, 1985, which seemed to indicate that the hackers were more well balanced in nature, and our findings certainly did not support to any large degree the assertions of Dr. Young. Bottom line then, the hackers attending the H2K and DEF CON 8 convention seem to have relatively relaxed and balanced temperaments rather than type A or type two task-obsessed ones. We did, I admit, find a segment that seemed to suffer more, and again was the under-age-30 hackers, who had significantly higher type A scores, those again are the cardiovascular-prone scores, compared to their age 30 and over counterparts. They also had significantly higher narcissistic psychopathic-prone type three scores. Also had higher antisocial type six scores, again, compared to their older counterparts. However, and I put this in bold, all of these red flag scores were below a critical level of five. We then went on to assess the hackers' creativity levels, and Dubrin in 1995 created a test which we utilized, a self-report test. The maximum score that anybody could get on that is 20, and the group of 216 respondents received a high mean score of 15.30. The cutoff point is 15, indicating extremely high creative potential. In fact, for these respondents, the median was 16, the mode was 17, and 62% of the respondents actually had scores meeting or exceeding this critical level of 15. Then we get into decision-making styles, and I'll let John speak to this.
This is a decision-making style used by Rowe and his colleagues, and I think there's over 100,000 people in business of this test that's been applied to, and what you do is you have four management styles. You have an analytical type style, a conceptual style, a directive style, and a behavioral style.
Analytical obviously looks for information, crunches it out in an analytical way. Conceptual is looking at a broad spectrum of things, and somebody that can do detail may not look at the broad spectrum, and the other one is directive, very firm, directive style. Doers do that style, and the behavioral style would be highly organizational, HR kind of touchy-feely style, to make it very simple. Very simply is that the hackers are cognitively complex and creative in their thinking, meaning they tend to have the analytical and conceptual mix. Rather interesting than that is this is the mix that you tend to see in CEOs and presidents at that high level. What was rather interesting looking at the main behavioral style is that the group as a whole were lower, meaning you probably wouldn't be human resource managers. So there's no surprise to that I'm sure as well. Moving on, I'll hand it over to Steve and we'll take a look at some of the legal implications of our study.
Thanks John. This presentation will focus more on the economic, social and political context of anti-hacking laws as opposed to black letter law. One, I'm not a U.S. lawyer, and two, the anti-hacking laws are changing by the day. So I think in order to put this into a better context it's more important for us to understand what's shaping and motivating these laws. And although it's no longer fashionable to cast debates in an ideological context since the end of the Cold War, I think in order to properly understand this debate you have to look at it from an ideological perspective. And to that extent what we see here is that the criminalization of white-hat hacking represents a struggle between two competing paradigms over the control of information and knowledge. On the one hand there exists what we refer to as the property rights or property paradigm, and that contains certain fundamental tenets of property rights that deserve the protection of the law, to paint a very broad brush.
As in most industrialized nations moving to a post-industrial phase, information technology has become more important, and the protection of individual intangible property rights and the security of electronic infrastructures is critical. Now the proponents of the property rights paradigm are in many instances, it's individuals trying to protect artistic creations, their privacy, but it's also institutions like government and corporations concerned about national security, security of infrastructure or the security of e-commerce transactions, for example. In terms of who's driving the property rights or property paradigm agenda, it's primarily corporations and state entities that have taken the lead in advancing the property rights paradigm, and you see that in criminal prosecutions that you are familiar with and as well increasingly now in the civil action context; one example would be the Napster litigation. Now from the competing perspective and competing ideology, what we have is what we call the hacker paradigm, which really encapsulates this idea that there should be a free flow of information. The hacker paradigm itself has a sound, very sound ideological base; it's a fundamental tenet of our society as well that in order to advance knowledge, information should be shared, and I think it could be argued that it may have even a stronger base. Examples of this would be the recent announcement by MIT to have open courseware, and the manifestation of the hacker paradigm arguably is in the hacker attack itself.
In order to try to understand what's happening in the legal context, we try to look for some analogies, and these are not analogies that we've necessarily come up with. I mean, people talk about it all the time, the electronic frontier, and the electronic frontier has a lot in common with the old frontier, being the Wild West. We're here in Las Vegas, which is quite fitting I suppose, and the parallels with the Old West are very striking, both from a practical level and a legal level. What you have is you have new technologies allowing communications, travel, work, exploration. In the Old West it was the railway, now it's the internet. You have huge fortunes being made; innovation, risk taking are being rewarded on a scale previously unimaginable. People and technology finds itself ahead of the law. The frontier attracts all sorts of people, good people, bad people, the ugly, and monopolies are created, antitrust challenges result. Some results is what we characterize as a disorder to order equilibrium, and as the frontier becomes increasingly disorderly, and as in the frontier in the Old West it was that there's a lot of good real estate resources, and the value of the electronic frontier is obvious.
The need there is a need to be impetus for the state is to create instruments of justice, and you get the common notion of what we call frontier justice. We need to make, there's a scramble to establish new laws and law enforcement agencies to deal with these issues. Now in order to assess the reasonableness of any law called, and I think that's the case with the electronic frontier, I think most observers would argue that there's probably been an overreaction in terms of the legal response, and we're going to look at what the lawyers are about. Basically we perceive the three main drivers for anti-hacking laws: one being national well-being, which is obvious, secure electronic infrastructure is critical to the health of our economy and our society. The second driver would be a lack of understanding; for the most part I think lawmakers, law enforcement, although they have an understanding of this area as well as perhaps you do, or maybe none of us really understand exactly what we're dealing with. And the third driver, which derives from lack of understanding, is fear, and this essentially drives this overreaction, and as a result you have the criminalization of many white-hat hacking activities. Oh, it's okay, look around my thunder, Bernie. The slide said basically no justice without knowledge. Part of the concept of justice: in order to have an informed debate about what law is reasonable, people, society, lawmakers have to have a very clear and unfettered understanding of what the issues are. We see this in debates that are occurring in our society where the issues are fairly clearly understood: legalization of marijuana, abortion, capital punishment. These are issues which most people understand, and even there we have a real difficulty in striking a fair balance. So in a situation like hacking, unfortunately there's not this clear understanding, that people are being motivated in many instances by fear. So our hope is by undertaking this study that we'll be able to shed some light on the hacker
community, in particular the differences between the white hats and the black hats, and this should, we hope, influence lawmakers and law enforcement in a positive direction. Ben, I'll pass it back to you.
Okay, so our bottom line that you will be seeing if you read a book is that hackers are getting a bad rap, and that's unfortunate because society does covet hacker skills; you have a lot of the talent that we seek in industry today. I guess in recent weeks accountants have been taking a tough rap themselves. We go into detail in the book about, is the vilification of the hacker community justified? We have a book filled with all sorts of cases, colleagues of yours I'm sure that you're familiar with, who we're going to share, and then we have analyses of those details and try to relate those analyses to our data, and we address in the book this key question: should organizations employ hackers? And I guess if we told you our answer to that you'd never buy the book. Now I must say that we had fully intended to launch a book here, as John had mentioned earlier, at DEF CON 10, and in fact if it weren't for Burn Yes and Dark Tangent we never would have gotten as far in our data collections as we had, and we complained to a publisher that we really wanted to launch the book here at DEF CON 10, what could they do to help those of you who might be interested, and so we've agreed to give a 20% discount to anyone attending here, and we have hundreds of sheets to distribute to you if you have interest in what it is we have to say. And I guess that pretty well is our presentation for today, so if you have any particular questions that you'd like to ask us, please feel free to come up, and I'm going to turn the mic over to John.
Any particular questions? The book title is The Hacking of America: Who's Doing It, Why, and How. Questions?
Yes, we do speak to a large degree about the differences. We looked at younger versus older, those charged with hacking-related crimes versus not, and then gender differences. I'm now doing a study on women in IT, so this is the next path I'm walking down. Anything else?
Go ahead. The question was, are there any studies of non-U.S. hackers, and in fact this study could be considered international. We actually had respondents from Canada, from most of the European countries, so it's, and we found nothing significantly different between the groups that we interviewed anyway, for the sample size that we started with. Anything to add to that? Any other questions? There's one over here and then one over there.
I'm not sure if I heard the question properly, but the question is, it's a self-reporting survey that represents the total group. There's always a question in research whether you're representing the population. We had people volunteer from two separate groups and they filled it out and they spent a significant amount of time, a half hour. If anybody here did that, it's not an easy questionnaire to do. We had people, so we think it fairly represents the group that filled out the questionnaire, and that's the best available information that you can apply against the population, but until some other data collection management can be done. There was another question I'd be able to hear and then we'll move over. No, I didn't think so. And there was another question here. Here, yes.
The question is, I believe it relates to, is 216 adequate enough to give a valid response to the numbers that end the statistical side. Generally you get your errors down reasonably on these kinds of instruments that are well tested if they're anywhere over 100, so probably 200 is not a bad sample size. We allowed it to be quite open. We would have been happy to get more. It took a while to administer the study, and so it's, and it was detailed. We might take slices of it again and make it sometime get a wider distribution, but
this was a very detailed questionnaire, and of course people are reluctant to take the time to fill it out. So can you repeat the question?
I believe the question is, would the results have been different or better if you had observed people operating a computer than from filling in a questionnaire, is that correct? Or interviewed in the process when they were on the computer? I think that, what I was doing, I had the interview with people, I made my observations at that point in time, and John did as well, and I don't have any reason to believe that people were faking the responses, and we certainly have ways of looking for that in the data. And I'm sorry, I guess the question was, would they show different personality traits when they're off the computer? We don't know because we didn't do it. I don't have any indicators to suggest that that's the case. That's a wonderful thing about research, you never end academic pursuits. Is there a question from the back, I guess?
Yes, there's a question of the rules we use on addiction, I guess related to the number of hours and whether it was online at work as well as on hours, and I'll turn that over to Bernie.
I think it was Young's; it really doesn't matter. Young doesn't make that distinction, although the way we asked the survey we were able to tease out whether people were answering strictly as an off-employment point of view or on the job as well. So we had a series of questions, I guess what I'm trying to say, that got at that issue, and in the book we comment on computer addiction from several different angles. Any additional questions? Thank you very much and I'm glad to hear again