We're going to give our attention to Helen Thackray. She's not Australian. She's a Ph.D. student from Bournemouth University in the UK and she finds humans and computers fascinating. She'll now attempt to explain some of the psychological group factors behind why hackers are always going to hack. Her theme is, hackers going to hack, but do they know why? Let's give her attention.
Hello. Yeah, I'm very definitely English if the accent doesn't give it away for you. I just wanted to say when I found out in the schedule that I was following Chris, I was slightly nervous and then following that, good lord. But I just wanted to say that's an amazing project and I just want to give another round of applause for it because I think it's such a worthwhile thought. So onto a much lighter topic, hackers going to hack. Obviously you guys have some vague interest in this, otherwise you wouldn't be at DEF CON. I have to say this is slightly surreal for me because last year I was here, it was my first DEF CON, came to the social engineering village and it just blew me away. It was awesome and I really love the emphasis on education, helping people and coming here today and listening to Chris's talk again, it just emphasises what I do in part of my research, which is looking at the other side of hacking, not just the stereotypes, the black hats, the cyber criminals, but looking at what hackers can do that people don't realise what goes on behind the scenes. So yeah, my name is Helen Thackray, I'm from Bournemouth University, I've got my main supervisor John McAlaney in the audience. If you speak to him, he's a lovely, softly spoken Scottish man, sometimes I don't always understand what he's saying, but we muddle through. So just briefly about me, because I'm pretty sure no one's heard of me. I'm a PhD student, I'm at the end of my second year of research, I've got funding for another year and I hope to finish in that time because otherwise it's going to get really expensive.
I'm from a small, well I'm not from, but I study at a small town on the southern coast called Bournemouth, I drew a red arrow to help you. It's not particularly exciting, but the university makes up for it. If you don't like the C word cover your ears, because I'm in the field of cyber psychology, I didn't name it, it's not my fault. I also work with cyber security, so I'm in psychology and computing. Brief shout out to the Cyber Security Research Group, headed by Dr Shamal Faily who helped with funding for this. Other than that, I've got no external connections or funding, it's the university funding this project. So just quickly, I realized I was quite flippant in my bio on the SEO, the social engineering website. Everyone else was listing all their qualifications and years of experience and I made a joke about the fact that university pays me to go on the internet. I do have a bit of an odd background. I'm very much the social science and humanities. My first degree was joint in Italian and politics. The Italian didn't stick so much, but the politics, I got really into political identity, social identity, why people choose the politics they do, what unites political parties and the whole personality of it. With political parties, there's a lot about the identity of the leader, how they present themselves. I thought that was really interesting. From that, I moved into contemporary identity and sociology and on a slightly different note, I looked at identity in cancer patients because you can exist, you have your whole self, you define yourself and then suddenly you get a diagnosis and then you get a diagnosis which completely changes your world and how do you deal with that? How do you deal with people treating you differently? That was really fascinating. I had some wonderful participants, but it led me to still enjoy social identity and what it is that people believe makes them them, how they choose, what they choose, what they do if they can't choose.
How that came about to me studying the internet or people on the internet, I have always been a very curious child. My mother told me the story when I was about five coming back from school, kindergarten. There was a house, a door was open to a house on the street, we were walking down and I decided I wanted to go in it and my mother said you can't just go into people's houses and I said, but mum, I'm a very rude and nosy child, I'm going in and to five-year-old me, that was perfect logic. I've become less rude about it, but I'm still incredibly nosy, I want to know the answers to things. I also quite like watching people from a safe distance, which sociology, internet research, perfect. Also, I really like lurking on online forums. It's a terrible habit, I've been doing it since I was about 13. Weirdly, on an air gun forum was where I started and if anyone here is British you will know how peculiar that is. The UK has very strict gun laws, air rifles are allowed for hunting, pest control and target practice. As a 12-year-old vegetarian who loved her pet rabbit, I did not have a lot in common with the people on the air gun sites, but I had a neighbour who got into it, there were jokes going on, someone had stolen his team mascot and sending photos, sending it around the world, it was hilarious and I loved it, the jokes, so I started hanging out on this air gun forum, obviously not talking about air guns ever, but I loved getting to know the characters, the people, the in jokes, how they talked about representing themselves as a whole and without actually realising it, I was doing sort of ethnographic research on this community, I was sitting there reading about them, learning about them and to be honest, ever since I've been finding online communities to do the same things to you, I'm kind of creepy. 
So my talk today, basically I'm going to talk about a little bit about social psychology, social identity and then I'm going to look more at group processes. So everyone knows that you act in a certain way, depending on who you're around. Like if you're with your mother or your father, maybe you swear less than you would with your friends; if you're with your partner you'll be a little bit more sensitive than you would with maybe your brother. It all depends. So basically social psychology boils down to: all human behaviour is influenced by the presence of others, whether it's real or imagined. So for example, standing in a lift by yourself, you might act completely as you want to, you could fart, pick your nose, whatever. Then you remember that there's a security camera in the top corner and then you think, ah, someone will have seen that. You will modify your behaviour because you think someone will be able to watch me. And I think one thing that gets forgotten is that when it comes to infosec and cyber security is that this is all coming from behavioural actions. There is always a wider social context. It doesn't matter what end of the line you are, there are always people behind the computers, and people are fallible and open to influence. So one thing that I do find interesting when I talk about my research is that the group processes that I'm going to go through, they're applicable to hackers and people in hacking communities, but they're also applicable to infosec practitioners. There are a lot of similarities: even if you have a very different viewpoint you've got a lot of the same skill sets, coding, finding access, having imaginative creative ways of thinking, finding and fixing a problem, not to mention that curiosity. So, social identity. Basically the world is chaotic and confusing. We make it a lot easier for ourselves by categorising everything. Some things we put a lot of thought into, other things we just go with, well that looks similar to that, so we
want the mental shortcuts. We don't want to use all our energy up, basically analysing and categorising every single thing we see. It's too difficult, the human brain just gets exhausted. So we put ourselves and others into groups, and these are called identity groups. So you might choose to identify yourself, for example, there's a joke that I'm not Australian. I'm not quite sure where that joke's come from but I'm not Australian, I'm British, I'm also European, I'm also, yeah, sod Brexit, I'm also English, I'm a female, I'm quite posh sounding, I don't like sports. I think my hobbies are just lurking on the internet actually, which is a great hobby, I fully recommend it. But yes, we all have these different ways that we categorise. Looking at me, you guys will have mentally categorised me somehow, and yes I do like tea, it's a wonderful drink, I don't understand why you guys haven't embraced it fully. I hear there was something about Boston and a party and it went wrong. Good to know, thank you. So the identity groups that we put ourselves in, they're important to us. We get a sense of pride, a sense of self-esteem. If our group looks bad it reflects badly on us. The choices that we make, we ascribe to our group, and we want people in our groups to have similarities to us. Whether this is true or not, this is what we tell ourselves, so our self-image is related to the reputation of the group. Going back to Human Factors and InfoSec, one of the tropes that really bugs me is people like to say people are the weakest link. Now I can't say that's actually wrong, because you know what, everyone has a bad day, everyone makes a mistake. I remember last year when I was listening to Chris talk he told the story of how he actually fell for a phishing scam, an Amazon link, because it came at the right time in the right place when he was stressed and busy and getting organized for DEF CON and he'd ordered things from Amazon, he was expecting emails from Amazon, he got an email from
Amazon and he fell for it. It doesn't matter how well informed you are, how much you're expecting it, all it needs is the wrong moment, something to go wrong. You can be having a bad day, it doesn't mean that you're not smart to understand. So although people are the weakest link and some people really, really do need more education on it, we need to give ourselves more credit as a species. We've done quite a lot with technology. I mean even just coming to DEF CON, you can see people being so inventive and creative. Basically I'm just being a little cheerleader for the human race, it's not all terrible. One thing that's emphasized in InfoSec and when thinking about human factors is the fact that there are very different ways of thinking. So there is the stereotype that computing likes to be more logical, calculated, analytical and, you know, psychology is a bit sort of fluffy and it's all about emotions and talking about how you feel. I have to be honest, I don't really want to know how any of you feel. But I think you can't have just one to make a good security, you need a team of both, and as my slide shows I feel that Kirk and Spock are a good example of this. I know it's slightly flawed because Spock is half human, but go with it.
So in terms of having the logic, you can have the most logical tool, you can create a perfect program, but as a comparison, what if people decided to make a hammer round instead of with a straight handle, because that way it's more efficient, you use more of the tree? Because you've got a hammer that a person can't use, that's not a useful tool. So although it may be less efficient in use of wood for the tree, a straight handle means more people can use it, more people are going to hit the nail on the head and that's what you want. So when you're making a good tool, it has to be understood that it's for human beings, and I think this is something that's coming to the front more and more in infosec discussions. I've been talking about this for years and things like that, and more and more they're driving home, you have to think about the people, it's the human element that needs to be worked on really. So this might be a little controversial, I fully understand that there are very different definitions and everyone has their own interpretations, but for the point of this talk and for simplicity, when I say hacker, I'm referring to a computer hacker to access a computer system without permission, without admission, they can find their way around, they can be creative. I put hacktivists there as well because I think it's a separate thing, political, social dissatisfaction means that they're using computers for a purpose related to that, they're not just doing it for the curiosity, they're not just doing it to get access, they have a different motive. Other thing, I definitely feel that a hacker is not the same as a cyber criminal, people that are doing their scams in order to get money, that's not a hacker.
So when it comes to the hacker's social identity, it's quite a difficult thing to define because of course everyone has their own interpretation, there are so many different subcategories, black hat, white hat, gray hat, ethical, skid, elite, there are some people that say that ethical hackers don't exist, there are some people that don't exist, it all gets very subjective. So hackers are an imagined community, this is a sociological term, it was coined by I want to say Benedict Anderson in Australia when he was talking about nationalism, because there were people all across Australia that were united in the idea that they were Australian, even if they were from different ethnic backgrounds, different political views, what it meant to be Australian, so there was no physical or geographical connection, it was a targeted community and it's created through the strong choice of interest and identity and if that doesn't fit to hacking, I don't know what does. And as you can see from being a part of this, hackers create groups, they give expertise, support, training, guidance, encouragement, so much to help people get further, which I think is amazing. So just briefly this is someone else's diagram, but I really like it, so I use it. He broke up into five basic categories, this does not cover all definitions, all possibilities, all motivations, but bear with me, breaking it up into these five basic categories, you can see the different reasons why people might get involved in hacking, those are in the brackets around the outside, the more sophisticated the level is, the closer to the edge of the circle and the type is by the dots, so for example if you hack for prestige, you're a coder, you're not doing it for any particular reason apart from to show that you are the best of the best, you're doing it to prove that you can.
And it doesn't matter what the general public think, what the noobs think, you're doing it to show other people that you know who have the skills that you can do it to. Recreation, people that are just playing, doing it for fun. Revenge, there's crowd sources inside of threats, things like that. Profit, in my mind that's the most boring category, because it tends to just be the criminals, although I feel there should be some sort of sub-category for people who are in the business of information security, but there you go. And then ideology, you've got the hacktivist cyber warriors, people fighting for a cause. So, back to the social psychology of individuals and groups. I just thought this quote was quite apt from Men in Black, Agent K saying to Jay, a person is smart. People are dumb, panicky, dangerous animals, and you know it. I don't think that's the entire truth, but I think it can be agreed that people behave very differently by themselves versus in a big group. When it comes to the panic, I'm not going to be discussing mass panic behavior changes in that, because that's a fairly different thing. But you bring people together in a group, it changes things. So, for example, I'm going to say you guys a group A, you guys a group B. I'm going to come back to that. So, one of the things, more common things that you might have heard of when it comes to group changes is group think from the 1970s. And basically, it's a psychological need to have consensus. It doesn't matter if you have to suppress disagreement, it doesn't matter if you have to ignore individuals' opinions. You don't look at all the information, but you want consensus. You want agreement. Symptoms of it are the group thinks that they're invulnerable, regardless of the reality. They collectively rationalize their decisions. Even if there is evidence to the contrary, they, you know, disregard that. 
They have stereotyped views of different groups, rather than, you know, looking at what they're actually made up of. There is the group pressure to conform and people tend to self-censor. So even if they don't agree, they will suppress their own views. No one else has to say anything to them, but to stay in the group, they will stay quiet. Group think's been found to be more common when the groups are tightly bonded, more cohesive, especially in a high-pressure situation. If there's a lot of pressure on, they need a decision quickly. Group think emerges. However, group think also reduces the possibility of success. So they come to a conclusion, it's more likely to be wrong. And the pressure for agreement makes people think more rationally, it makes them vulnerable. It's just generally not a good thing. Informational influence. So this is the desire to be correct. No one wants to be wrong. No one wants to stand up in front of a crowd like this and say the wrong thing. This is why I have names and dates in there. So I can say it wasn't me that said this. This is the study. The sources are important. We instinctively look to other people to see how we should behave, what is acceptable, what is the norm. So, for example, if you go to the UK and you see people queuing, you queue properly. Not that that's a pet peeve or anything. You get the information and news from the group. You tend to believe it because you assume the judgment of other people is going to be more reliable than your own. Therefore, the group view is the correct view. You don't want to be excluded from the group. You don't want to be the odd one out. You don't want to be the difficult one. You want to be accepted as part of a group. Therefore, you behave as they would want you to. Similarly, you've got the normative influence. Pressure to conform to the norms. So, for example, online, you have this by obeying the laws of a forum.
I don't know if anyone's actually sat down and read them, but I go on a lot of hacking forums. I read all the rules. They're very similar. All of them saying, don't do this. Don't do this. It's illegal. No money. No anything else. And then everyone ignores it, obviously. But they say it. That's not how they behave, though. So they have the written rules and then they have the norms. So even if an individual doesn't agree with the norm of the group, they still won't speak up because they want to stay in the group. It's also been found that if people express an opinion and other people say, yeah, no, I agree, then that will encourage the person to give a stronger opinion, a more polarized opinion. And there are links to group think and the conflict between groups. Also, a very important factor as to whether or not people conform to the norm, which rhymes, is whether or not they're being watched by a larger group. You behave better if you think there are security cameras around. This is why people have fake cameras. Yeah. So it's interesting how we can ascribe certain behaviors to other people because that's who they are. But ourselves, no, we're different. We're better. We know our motives. We judge others by their actions, ourselves by our intentions. And I love this cartoon, XKCD, for those that don't know but you probably do. Because, yeah, everyone might be thinking exactly the same thing as you. Why is no one saying anything? But you don't. Why don't you? So you're in this group. You want to stay in this group. You belong to this group. Because you belong to the group, you want to feel good about being in this group. So group A, you guys are some snappy dressers. You're all looking good there. That's very nice. So you find good things about the group. But then you have to also discriminate and find negative things about the other group. No offence, guys. I love the bunny ears. That becomes a them versus us. Just social categorization.
So by putting you in two groups and saying slightly different things, you might feel more like a group than you would if I'd just left you all alone and not said anything about it. But just by putting people into a group, they assume the group identity. If I'd said all blue-eyed people go to the left, all brown-eyed people go to the right, they would be a bigger group. They would be the majority. The minority might feel that it's not so fair. Everyone in the brown-eyed group could have a chair, but all the blue-eyes have to stand. That's not fair. Why would you do that? You can create tensions and rivalry and competitiveness that doesn't need to be there just by arbitrarily grouping and categorizing people. Stereotyping also exaggerates the difference. It can also make you think you're more in common with another group than you actually have. So groups, as with giving a stronger opinion because you're in a group, they become more polarized. So you can go to more of an extreme. I think politics is a great example of this. But I'm not going to go into politics. So when you're in a group, especially online, how do you know if you're in a group or not? There's no list where you sign up your name, there's no... You can actually register for forums and you can be a group member in that sense. But for example, 4chan, triforcing, they've come up with a way to signal whether you are in or out. And I quite like this as an example because I think it's quite clever. So the triforce, I'm sure most people are familiar with, it's from a video game and it's basically placing those three little red triangles correctly. If you copy and paste it, it will come out incorrectly. So what they like to do is someone starts the thread with the triforce, someone copies and pastes, it looks correct until they hit Submit, then it comes out wonky. Everyone can see that they don't know how to triforce. It's a way of outing yourself. 
Not that it particularly matters on 4chan because everyone's called Anonymous. But in this picture, in this example, someone had said, oh, here's one that you can copy and paste. Another person did the correct triforcing to make it seem believable. Then someone tried to copy and paste, got it wrong, everyone laughed. So there's subtle ways that you show whether you're in the group or not. People that are wearing DEF CON t-shirts from previous years, they're saying I've been coming to here for years. People with loads of badges around their neck, I'm involved in all these different villages and I've been to all these different talks, I've done these different challenges. There's ways that you are telling people you are part of the group. When it comes to conflict within groups, why does it happen? You've got a big happy group A, why would you guys all fall out? You could disagree about what's acceptable. You could say, sitting there playing on your phone, that's not what group A does. You need to go to group B if you want to do that. I'm not sure I'm not sure you should start doing that. This is the conflict within groups. We've done that against groups. People can have different motivations, different goals. When it came to 4chan merging into becoming Anonymous, because the hacktivist group Anonymous, it started on 4chan, started out people trolling and pranking and generally having a good time. Some people were like, hey, let's use this for a cause. Let's do this to wind up people that we don't like, like Scientology, Church of Scientology. It got to a point where the original prankers were like, I don't want to be doing this for a good cause. I just wanted to be a nuisance. They had to split between the people that wanted to prank and the people that wanted to have a good cause. When a group gets too big and too diverse it's natural that it falls apart to a degree. There's only so many resources around and cooperation can turn into competition.
It's also, especially in the hacking situation, it's interesting how people divide along what isn't acceptable in order to achieve the goals. So it's black hat hackers versus white hat hackers; how real it is can be hard to tell from my point of view. One of the other things that a group process that affects people is impression management. Groups want to control how they're seen. They have a brand. They have a reputation and they have to maintain it. They have to control the information that goes out and the perception that other people have. The use of this in online media is really interesting. Twitter's great for it. Some people are very careful about what they tweet. It has to be approved. Others, Donald Trump, not so careful. Not so... I know, sorry I said I wouldn't do politics but it's hilarious. So even when you're just coming to DEF CON presenting yourself you are presenting yourself. There is no two ways about it. Also when you come to these groups, trust. It's an interesting one in hacking communities. Oh, I've got so much fun with this. Trust requires the individual to relinquish control. You put yourself in the hands of another somehow. So for example, if you got the plane here you put yourself in the trust of the pilot. You trusted that the airline had checked that he was qualified. He'd actually done the test. He could actually fly. Everyone made it as we know, so that's looking good. There is also the expectation that others will reciprocate. So for example, getting on the airplane they expect that you will behave as a good airplane passenger and not get really drunk and harass flight attendants. Online, you don't get the visual cues of trust. You can't see how a person is standing, how they're talking, if they're doing shifty eye movements. All you have is what they give you. It might be a photo, it might be text but it can be manipulated so much more easily. And it's really interesting looking at what does and doesn't encourage trust online.
One of the things is reciprocation of information. So if you're sat there talking to a stranger on a chat and you're telling them all about your life and they're just responding like, yep, okay, alright. At some point you're going to think, well, either they're not interested or this is just a really weird interaction. If they start telling you things about their life you feel a lot closer to them. You feel that there's more of a bond, there's more trust. And this is how people can be manipulated so easily. I think in the UK at least there's been a big rise in dating scams because people are looking for these sort of connections for friendships and they trust. One of the sad things about social engineering is that, I mean, a lot of people I really like here that they emphasise that it's not the person's fault. It's that they're not taught or prepared well enough, but there is an element of taking advantage of someone's naivety and good nature and their trust and it's quite sad. But going back to hacking, group membership is a strong predictor of trust behaviour. If you belong to the same group as someone else you are more likely to trust them. So for example, walking around Las Vegas, if you see people with their DEF CON badge you might be more inclined to start a conversation with them, say, hey, you're at DEF CON, what's your background, what do you do? It's DEF CON, some people will be a little bit more wary of what they say, but there's still the element of we are in this same group, this group within the wider group of all tourists and workers in Las Vegas. So the fact that you are all here at DEF CON means that you already have something here in common. What's been interesting in the research I've been doing and interviews I've been doing, when I ask about trust everyone immediately says, don't trust on the internet, no trust, don't trust anyone, there could be a dog. But how far does that actually go?
How far can you actually get interacting with other people if you have literally zero trust? When I've pointed this out to them and given examples it's been quite interesting how they found that very hard to reconcile with their idea of I don't trust anyone. There was one person I was talking to who had created their own forum and it was towards the darker side and he was quite openly talking with me, and I said, so do you run it all yourself, like 24 hours a day? He said, no, no, I have admin. But you said you don't trust anyone. He was like, no, I don't trust them. But do you check what they're doing all the time? And he said, no, no. Okay, yeah, I trust them to do the admin. So where does the line of trust stop? You trust them with your website, what you have created. You trust that they will uphold the rules and the norms. So what don't you trust them with? And if it comes down to, you know, your personal identity, well, you wouldn't trust most people on the internet with that. So it's interesting. Trust is tricky. So how is this relevant to why hackers are going to hack? Basically I just wondered how many of you were really aware of all the different things that might be influencing you without you actually thinking about it. So for example, what you've chosen to wear today. If you're wearing a DEF CON t-shirt, like I said before, maybe you want to tell others previously you know what you're doing. If you're wearing a company t-shirt you're saying, yep, I'm a part of this company, I support what they do. If you're wearing, I don't know, a sports brand then maybe you're saying you're sporty, I'm not sure. Why did you choose the talks that you went to? If you've come to this talk then hopefully you've got some vague interest in social engineering or social psychology, human factors. If you've gone to one of the really technical ones then you're saying that you're technical. Because your friends wanted to go, or the people that you're with, or you just didn't want to go sit in a room by yourself, you wanted to be
with other people, so you let them influence your decision. Have you had any disagreements with the people that you came here with? If you didn't come here with anyone you have so much freedom, it's wonderful. If you did, there's peer pressure. What if you don't want to go out and party? What if you want to go sleep, because let's be honest, it's tiring? I disagree with that, which also, there's disagreement. So there's all these different things. What keeps you coming back to DEF CON in the different days? Is it that you want to be a part of this social identity? Is it the curiosity, you want to find out, you want to learn? Is it the sense of community that you want to be a part of? There are all these different group factors that keep people coming back to hacking and that's, it's one of the things that my research really aims to get into. So again, how does this affect you? Well, when it comes to trust, would you trust the person next to you? Not for example with your home address or your mother's maiden name, which I've never understood because my surname is my mother's maiden name, but would you give them your wallet and go to the toilet? The person who said yes, so you sat next to someone you know? Okay, well, that's married to trusting your wallet with your wife, that's, anyway, before I get, before I start a domestic. So when you're talking to other people at DEF CON, how much do you tell them about yourself, about where you're from, about what you're doing? I have to say I'm always a little bit wary telling people about what I do because, mostly because, I have to say, yeah, I'm here to study you. I get a mixed response to that. But how you present yourself is also important. So group influence, is it good, is it bad? I'm going to give a very psychological answer: it depends. It can be, it depends. Cybersecurity, they'd say it depends on what the group is doing. If they're encouraging you to do naughty bad things then they are bad. But more importantly, regardless of whether you're doing good or bad, can you
recognize when you're being influenced? Do you actually think critically when your friends are trying to persuade you to do something that you don't want to do? Do you stop and think, maybe this isn't a great idea, maybe I should just go and do what I want to do? And I think this is especially important in the whole era of fake news and social media tunnel vision. Don't dismiss information from other groups. In fact, sometimes it's really useful to look at information from other groups to see where they're coming from. You might not agree, but you get a better overall perspective. So, little bit of self-promotion. Briefly, my research. So as I said, I'm in the second year of a three-year studentship at Bournemouth University. I have no qualifications in psychology or computing, but I'm actually doing alright at this. I'm so glad this is being recorded. So my research is on the psychological influence of group processes online. All the things I've been talking about, I want to see how far they go from offline to online, because that's something that we really are not understanding at the moment: how psychology changes when people go online, how the human behavior changes. There's things like online disinhibition. People behave differently because they think they're protected by anonymity, because they're behind a computer screen. You can become a keyboard warrior or, in the instance of that famous YouTube comment, Navy Seal Commando. The other thing is, what is the hacker identity? There is a lot of different opinion, misconceptions. People do think a hacker is a cyber criminal. It's not the case, some people can hack without actually breaking the law. I don't know if they enjoy it, but they do. You don't have to accept the negative stereotypes as fact. The hooded figure crouching over a keyboard, you know what, lots of people wear hoodies, they're damned comfortable. So what's the point of my research? I want to inform and educate, not just the general public, because they do need it, but also people that are
involved in these communities, people that might be vulnerable to influence, people that come looking for a sense of belonging and then are at risk of manipulation. They had it in Anonymous, where there were people that got prosecuted for taking part in the DDoS attacks. They later said they were told to download the software, click the button. They didn't really understand what they were doing. I mean, partly that's their fault, because don't trust people in the internet, but there is also an element of, they were being manipulated. They wanted to be a part of a cause, they wanted to do something worthwhile, they wanted to help, and people took advantage of this to use them basically as cannon fodder. I also think we're raising a generation of coding. There's so much emphasis on computer science, learning, all of these things. We also need to teach the younger generation responsibility for online behavior and your online actions. It's not disconnected from the real world. There are consequences. You can end up in jail for something you tweet. I think it's also really important to emphasize human factors in cyber security. It's not just about the programs, it's about people. I think there's a definite need for informing policy and legislation. Possibly this is me just being cynical, but I don't like the idea that governments and corporations would be in charge of the internet, because as we all know, he who controls the internet controls the universe. And I think that research such as this, it's, you can go with evidence and say, you know, you think that all the bad people are doing this, here's what they're actually doing. They're creating things to help locate and find people that are trafficking children. They're doing good things. It's the biggest evil just because you don't understand it. The last, latest thing to really annoy me was Theresa May's words about encryption and how she wanted to backdoor, and I think, you just don't understand. You know, there is no backdoor that only lets in the good guys.
And finally, I think it's really important for cyber sociological knowledge to be expanded. It's new, it's interesting. I'm sorry, but you guys are a really fascinating community to do it with. So how does the internet change the behaviour? I've already been able to write a paper on how to go about this sort of research, how to expand it. It's bizarre, but that this is such a new area. How am I doing my research? Well, I work on forums a lot, I don't know if I've mentioned that. I observe, I come to conferences like this, I talk, I watch, I make notes, always anonymous, never write down names, dates or anything like that. I do online surveys, I ask people to fill in things, and I'm currently doing interviews. So, and when I'm doing all these things, what I'm looking for is examples of trust, decision making, risk taking, looking for similarities, differences, patterns in behaviour. One thing that I really feel that is important in my research is the privacy and anonymity of hackers. I want to know how far they are aware of the group processes. I'm very aware of the possibility of low participation and being trolled. In one of my early surveys, I had someone respond that they identified as a dolphin, and when asked why they use the internet, it was to hide their flippers. Someone else also gave their sexual identity as a jar of mayonnaise. I could be behind with the times, I don't know. There's also the potential risk of backlash. I'm standing up here with these opinions, people might not like it. They could decide to prank me, dox me, whatever. So far it hasn't happened. Abuse on the forums, yes, there has been some of that. I have been referred to with various four letter words, and some people have said quite mean things about my mum, but she has assured me that they are not true. The data I'm collecting has been through online surveys. I've got really good responses from them. I've asked questions about it. They want to know about the ethics, why I'm doing the research, what it's going to be used for. Some people obviously
very cynical that my research can be used to infiltrate groups by agencies and law enforcement and things like that. The trouble with research is, once it's out there, it's available to everyone. It's not my intention, I don't like the surveillance state, but it's a risk. Just briefly, I'm going to share some of my initial results that I've got so far. I did an online survey across 30 websites and subreddits. I had over 150 responses, which I thought was pretty good considering that not everyone wants to tell a researcher everything they do online. Four forums banned me entirely, but they were forums related to cracking, so I get the feeling that they didn't really care about anything that I might want to say. Surprisingly, the majority were male, 6% female, 2% transgender. The age range was 16 to 63, which I thought was a pretty good spread. One thing that I think is often overlooked is that there is an older generation of hackers. Hacking and computers have been around for 30, 40 years. Some people don't stop. Some people just get older, have families, children, legitimate jobs. They can still enjoy hacking. So the stereotype of teenagers messing around in their room is pretty true, but I think it's missing the point. The average age of all the people that took my survey was 30, so I don't know what that tells you. Millennials. So hopefully you can see this alright. One of the questions that I asked was, do you consider yourself a hacker? Bearing in mind, every single forum or subreddit I posted this on, I had found through searching for hacking, cracking, coding, white hat, black hat, skids, all these different things, as many different variables as I could think of. Everything was related in some way to hacking. Over 150 did the survey. 52% said that they would say that they were a hacker, just over half. I found that really interesting. On these websites specifically for hacking, most of the people, just under half the people, didn't think that they were a hacker. So of the people that said yes, 52%, I asked
them to categorise themselves further. So grey hat, white hat, cyberpunk, hacktivist, other, I disagree, black hat, script kiddie, elite and cracker. To be honest, I thought I disagree would have more responses. Just to say, they could select more than one option, so please don't try and make sense of the percentages. It's the percentages of that participants, not of, so obviously a lot of people categorise themselves as a grey hat as well as other things. That's kind of fascinating for me, because that's such an ill-defined thing. Black hat, yes, you can say black, you do nefarious things, dark. White hat, you have to be ethical, pure. Everything else, grey, it could be anywhere in between. You could be bang in the middle, you could be just a shade lighter, you could be categorising themselves as. So I also did a couple of questions on privacy, anonymity. Shockingly, people in hacking communities think that privacy is important and it should be protected, and they take precautions with it. The same with anonymity: anonymity is an important feature of the internet, it should be protected, and they take steps to make sure that they are anonymous online. Then it got a bit more interesting. Online security should take priority over personal privacy: there was a mixed feeling about this. And then I asked if people try and find flaws and weaknesses, and a lot of people said yes. Now this next slide, when I presented this to the computing side, they had more of a surprised reaction. So I don't know how well you can see, but the blue lines are that the weaknesses and flaws should be exposed, the green lines are that they should be exploited. Bearing in mind the idea that all hackers are bad and evil and do bad things, it's very surprising that actually a lot of them, the majority, say that they should be exposed, but exploited, there's not a strong agreement there. It's obviously not as black and white as people would like to believe, which ties in nicely with the grey hats category. So what am I doing next? I'm
conducting interviews with volunteers. If anyone would like to volunteer, then that would be super. If you think I've said something really ridiculous, tell me, but tell me why. Don't just send me messages saying that you think I'm an idiot. That's rude, and I've been taught not to be rude. My next surveys are going to focus more on trust, decision making, how people work in groups. But tell me. I can only do better research, which will go out to the general public, if people help me. And of course, I'm always going to lurk more. So, my conclusion for my research so far: hackers are actually interested in informed groups. People want to share their thoughts, people want to improve the internet and security. I worry about where the internet is going. I like that there are people that take an active interest in making sure it goes in a fair and equal direction. Being a hacker, being aware of security, being aware of the risks, it doesn't make you infallible to the influence. Being aware of the group processes, you can still be vulnerable. I think it's important to highlight the significance of social psychology, especially in online communities and social engineering, it's right there. And just to bear in mind that you can have different identities, but ultimately we're all in the same social space. Thank you very much for listening. Four minutes left. Does anyone have any questions? Yes?
Naughty, you just said one more time, you can't then say another, naughty. So did everyone hear that? What are the differences between groups, are there any interesting results so far? When people have categorized themselves, they tend to be dismissive of the other groups, which fits with the traditional, I like my group, I don't like anyone that's not in my group. The easiest, obvious, most obvious one of that is black hats versus white hats. It's interesting, actually, there's quite a lot of derision towards script kiddies in forums. That's often used in a derogative term, but people still identify themselves as script kiddies, which is kind of interesting. I mean, it's not supposed to be something that you aspire to, but they're still saying, yep, that's me. So I'm sure there's a lot more to come. Okay, yeah. At what point are you comparing, contrast how the behaviors are going different? There's the aim to, mostly I'm using social psychological theory to see if the behaviors match. In terms of comparing, it's quite difficult to think of scenarios where it would be, I mean, I've had people, there's a forensic psychologist at my university who started talking to me about criminology and how you compare hacking communities and crime gangs, and I was like, that's not, that's not quite what we're doing here. So I think there's definitely research area there, but you've got to be careful with it, because you could go down the wrong track. Do you cross check your data that you got from surveys with non-survey based data and be less objective? The trouble is, there isn't a whole lot of data about hackers. You guys are kind of secretive. I am, I am trying, and there are various other studies out there. There was a paper from a few years back where people had done data collection here at DEF CON. It's a terrible paper. I'm not going to say what it is, actually, because I'm still being recorded, but no, I disagree with their methodology, I disagree with their conclusions, I think the whole thing was very poorly thought through,
and that's the trouble, even when you can find other data, is that it might not actually have been as well done as it could have been. One more question. But I ask about offline extensions, and I treat it as such. So I ask how they got into it, whether they were introduced by an offline connection or if they made the offline connections through the online. So I try and find it out that way. I think that's it. If anyone has any other questions, feel free to come find me. All my contact details are up there, and I love getting messages. Thank you.