Defense in Depth

(Credit: Robert Vamosi/CNET Networks)

SAN FRANCISCO--Global warming is real, and new evidence shows it may be worse than we previously thought, former Vice President Al Gore said during an RSA keynote address on emerging green technologies Friday.

The talk, which ran 45 minutes and closed the conference here, updated the presentation used in his Academy Award-winning documentary An Inconvenient Truth.

Friday's talk was similar to one Gore delivered in February at the annual TED conference, but without the slides. During the speech here, the 2007 Nobel Laureate was interrupted by hecklers three times; each was removed by security.

In an arrangement with RSA, Gore specifically requested that members of the press not be allowed inside the talk. And throughout the speech, security guards did their best to keep people from holding up cell phones and other photographic equipment, although no one was asked to leave for taking a picture.

Individual attendees of RSA are allowed to blog their personal experiences, and RSA also allows them to photograph almost anything they want in exchange for being photographed by the conference for future marketing use.

Gore arrived to a standing ovation. He thanked the audience, and said he had respect for the people sitting in the auditorium and for the conference itself. He then opened with a joke about he and wife, Tipper, buying and running a franchise fast-food restaurant.

He drew a quick comparison between computer security and the global threat presented by global warming. He said most computer network threats are silent threats, like carbon dioxide. He said to make CO2 visible, he'd like governments to stop taxing employees and instead tax companies for their carbon footprint.

Gore then launched into new research on global warming. As a senator, he said, he specialized in nuclear warfare and had occasion to talk with military generals. He said he learned that each level of conflict--local, regional, and the rare global--required "a different allocation of resources, a different mix of tactics and strategies, a different way of conceiving the overall problem."

The environmental challenge is roughly the same, he said. Most of us have to deal with local problems such as clean water. Then there are regional problems, such as acid rain. And finally there are global concerns, such as global warming.

Gore then talked about a tale of two planets, Venus and Earth. He said that Venus wasn't 877 degrees Fahrenheit just because it's closer to the sun; he said it's because it's covered in carbon dioxide gas, which absorbs infrared radiation. "It's not complicated; it's physics," he said. In all of human existence, carbon dioxide never went above 300 parts per million. "This year," he said, "it's 385 parts per million."

Gore talked about Antarctica, and the effect of all that new carbon dioxide. He said the north polar icecap is normally the size of the lower 48 states, "give or take an Arizona." He said that in the summer of 2005, we lost the equivalent mass equal to the entire region east of the Mississippi river. Then in 2007, another large chunk broke off, or, as the scientists explained to Gore, "it fell off a cliff." He said that some scientists he's talked to now believe that within the next five years, the north polar ice cap will cease to exist during the summers.

Protesters make their voices heard
After talking for about 20 minutes, the first of three hecklers stood. A young woman started challenging Gore to admit he wanted to depopulate the Earth. She stood, taunting for about a minute before several security guards arrived to escort her out. As she was removed, a young man and a young woman toward the back stood up and began singing loudly. They, too, were removed. Then, after several minutes of silence from the audience, a middle-aged man stood up and started yelling that Gore was lying to the audience. He got the boot, as well.

Focusing on technology's role, Gore said that we have automated the process of converting carbon into CO2. "Most of it is waste." He said the amount of energy we actually use from carbon is a very small amount, "which posses a great challenge and a great opportunity."

Gore cited his friend Amory Lovins of the Rocky Mountain Institute, a nonprofit energy policy institute, who told him that people often assume that when we change technology there will be a loss.

Gore then recounted a business example. He talked about how a company in Canada was using environmental unfriendly chemicals to clean circuit boards and wanted to phase out the use of these chemicals in its business. The company first asked, "what alternatives are there?" and pursued that line of thinking for a while. Then one day an engineer asked a new question: "How do the circuit boards get dirty in the first place?" That question, and the resulting answer, created a new type of circuit board that has proved immensely profitable to the Canadian company.

Returning to his reason for speaking at RSA, Gore said that "because CO2 is invisible, we need information technology to track it." Specifically, Gore said we need to track the efficiency of technology we already use.

Citing Lovins again, Gore said the Colorado-based scientist had looked at how much energy was useful in a gallon of gasoline. Lovins found that only 1 percent is useful in moving a car from point A to point B. The rest, 99 percent, is waste, according to Lovins, "because the process, which is more than 100 years old, is incredibly inefficient," Gore said.

Learning to ask the right questions
Gore asked the audience, "How can we change old technologies to be more efficient?" The answer, he said, is in learning to ask the right question. "Most of the productive questions are going to be in the second or third order of asking."

Gore said that if we look at the true cost of carbon, we're going to find that new technologies (such as solar energy) "are going to be much more useful to us now than they have been in the past."

He then left the audience with a question: "How will future generations look back on us at the turn of the 21st century?" He said they could ask, "What were they thinking?" But, Gore, being Gore, said he was confident that instead they would ask, "How did they find the moral courage to do what they did?"

Gore left the stage to thundering applause.

On Thursday morning, at this year's RSA conference in San Francisco, Chris Boyd of Facetime and I will present a talk "How to Adapt to the Echo Generation's Social Media Hacking Game." The following is a preview of that talk, presented in three parts. On Tuesday we learned who the Echo Generation are. Wednesday we saw how they use online social media for hacks. Today, we'll see how Chris uses features of social networks and Web 2.0 to shut these kids down.

Known as the Sherlock Holmes of France, famed criminologist Edmond Locard once said that every contact between two items leaves a trace, and that's also true when talking about online crimes. IP addresses are left behind with every site we visit. Posts to newsgroups remain accessible via Google long after the initial discussion has ceased to have relevance. And there's also that embarrassing MySpace page that was started but abandoned years ago that's still active. So when a person suddenly decides to commit an online crime, all that prior online history follows them, and that's a good thing for Chris Boyd, director of malware research at Facetime Security Labs.

Boyd says that using these little bits and pieces from social data and forums really does pay off. He says his research into Echo Boomer hacker sites is almost stream of consciousness as he drifts from one Web page to another until he finds something really interesting.

My name is Ribut
In one of his investigations, Boyd ran across a 20-year-old girl from Malaysia. On a forum he was surfing, she mentioned in a post that in a past life her online name was Ribut. (He said she uses a different name now.) So he started looking around for Ribut, and quickly found a MySpace phishing page.

Boyd got the one MySpace phishing page taken down, but that only lead him to find more pages by Ribut. To speed the process, he says he created a Google search string that ferreted out obvious phishing pages--looking for "ribut/myspace.php," for example, will produce a number of MySpace-related phishing pages. After running the search, he found more pages associated with Ribut on one server. Boyd says that when they took down this server, they also took down several other phishing pages as well.

YouTube as an investigative tool
From the MySpace phishing pages he took offline, Boyd says he had more unique usernames that he could use to trace back to the forums, social network profiles, and e-mail accounts set up for hacking and cracking. He then began the process of getting all those sites shut down as well. Often his work turns into an investigative maze of associations that lead him to nascent online criminals.

The site Hacking Hotmail Passwords is another example where Boyd was able to arrange strange bits of data to track down users. It's a fake Hotmail hacking program site with a YouTube video. Boyd says he wasn't interested in the video, or the contents of the video. Instead he clicked down to a feature of YouTube that reveals sites linking to the video. It's a list of referrers, showing anyone who embeds a video on their page. "If you start looking around any of these hacking and cracking videos," says Boyd, "instead of paying attention to the content, see what links are associated with the video, and you can unlock many hacking sites and forums, even hacker home pages.

John of Hartford aka YoGangsta50

(Credit: FaceTime Security Labs)

Hunt for YoGangsta50
Wednesday we talked about YoGangsta50, who posted a virus-laden URL on a YouTube video. A lot of people fake information in their YouTube accounts, but Boyd decided to take the information available on the Hood Life GTA mod as fact: someone named "YoGangsta50" had uploaded the file.

Comments to the post mention that the person using the name YoGangsta50 had previously hacked the 50 Cent forum, but soon had a falling out with the forum. It's from these forum posts that Boyd discovered a geographic location for YoGangsta50: Hartford, Conn. In reviewing other online postings, Boyd uncovered a reoccurring theme with YoGangsta50: an obsession with the comic strip and cartoon The Boondocks. Elsewhere Boyd learned a first name--John--and that John may be black.

Gotcha
Using a different search engine, Boyd next found a Bolt.com profile page, then a Xanga.com profile, the latter containing a reference to yet another social-networking page going up soon. On all of these pages there were references to The Boondocks, age 19, and Connecticut--consistent with the details Boyd had learned elsewhere. He concluded in one of his VitalSecurity.org blog posts: "How many black youths do you think are aged between 16 and 19, are living in Hartford, Conn., with a supposed real name of 'John,' are into The Boondocks (and spend every other moment telling you about it online), and also just happen to be called YoGangsta50?"

Apparently YoGangsta50 was reading Boyd's blog posts. In his own blog post, YoGangsta50 wrote, "you all can say goodbye to me. maybe the internet was not for me! I Dont want to do this anymore. Somebody help me!" He goes on to explain how to remove the virus he created--go into Safe Mode in Windows, find C:\\Program Files\GTA Hoodlife, then click and run the Unins000 file to delete the virus." He further pulled the video and further attempted to erase his existence from the Internet.

Running Skype search on "hacker"

(Credit: FaceTime Security Labs)

Using Skype
In addition to Google and YouTube, Boyd uses Skype. He says there's a recent feature that allows you to hook your Skype account off to your MySpace site and it essentially changes your Skype display picture to the one used on your MySpace page. It's fairly innocent. But if you do a search for people in Skype, as Boyd does, it also returns a bunch of MySpace pages, which can be very useful.

For example, when Boyd uses the Skype feature to look for the keyword "hacker," he finds several MySpace pages created by supposed hackers. He also searches for "spyware" and "phishing" and other key words. That's valuable, Boyd says, because you might recognize a name you've seen on a hacker forum page, and now you have more information about that individual.

Shame
As with the case of YoGangsta50, the individuals themselves shut down their operations on their own, sparing Boyd the difficultly of tracking down their service provider. "I use the process of public attention," Boyd says. John from Hartford (YoGangsta50) in his goodbye to the Internet wrote, "How does it feel to see your name all over the Internet!!!! i could not sleep for 2 days. i have been crying all day. am so sorry that i did those things. i learned my lesson." Boyd hopes that's true.

For many still in the prime of their youthful hacking abilities, however, it isn't so easy. A few have already figured out which hosts to work with, and if they get their friends to open up reseller hosting accounts, they may remain online for a long time. But more often, though, they are sloppy, and sometimes they expose their former criminal identities within a unrelated forum post (as with Ribut) or their YouTube profile (as with Hackerboy, aka Balloon boy).

Limited time
Unfortunately the real-world law enforcement doesn't yet know what to make of online crimes or their perpetrators. "The police are overstretched already," says Boyd, "so you can't expect them to do an awful lot with something like this." The Connecticut police declined to investigate John from Hartford any further. "Since some of these people are too young to prosecute," Boyd says, "this method of publicly tracking them down, it does actually work and it does get results."

So Boyd stays at it. "You got a limited time span if they get going at age 12 or 13," says Boyd. "Based on the evidence I've seen on these kids' activities in forums, you've got until they are probably 15 or 16, before they start to think that using this username, or putting my photographs online is not a good idea."

On Thursday morning, at this year's RSA Conference in San Francisco, Chris Boyd of Facetime and I will present a talk called "How to Adapt to the Echo Generation's Social-Media Hacking Game." The following is a preview of that talk, presented in three parts. Yesterday, we saw who the Echo Generation are. Today, we're looking at how they use online social media for hacks. Tomorrow, we'll see how Chris uses features of social networks and Web 2.0 to shut these kids down.

For the last few years, Chris Boyd, director of malware research at Facetime Security Labs, has been researching how the Echo Boomers use the Internet and how a certain subset of that generation has gotten into computer hacking. Yesterday, we looked at the generation in particular, trends and the possible motivations behind some of these kids. Today, we'll look at what these kids are doing online.

Boyd sees a lot of forum posts from 11- and 12-year-olds, bragging about their own phishing kits and botnet kits, but mostly game mods. He says a lot of the programs on the sites themselves are fake, a mere lure to get people to check out the site. Once there, there are usually music CDs with stolen music creation software. Boyd says one kid was even selling T-shirts with his (online) name on them. The forums used to promote these sites are interesting too; often, they're run by teenagers.

Dubious hosts
Boyd says it's common for him to see 11- or 12-year-old kids running their own reseller Web-hosting accounts. The sites typically feature completely fake data, providing no contact details on the Web site. And yet people are signing up for these things. "This growing trend for young kids running reseller accounts--those seem to be on the increase, from what I see."

They get word of mouth from the older kids, the places to go, the places to host your site. And the Echo Boom hackers tend to gravitate toward specific Web hosts that they know people will have trouble getting taken down. Some aren't very smart, and they'll host all over the place. A lot of those sites can be taken down quite easily. "One thing I have seen is that a lot these kids that run their own forums will attempt to phish their own forum members, which is quite bizarre."

If you're not phished, then you run the risk of "crapflooding." Crapflodding is the practice of disrupting discussions on forums with nonsensical postings, such as repeating you are hacker god over and over. It takes a little bit of knowledge, since many sites have Captcha systems designed to prevent automated scripts.

Helgib
Although most aren't, some of these kids are making quite a bit of cash. One example is the Helgib kid, based in Iceland. According to Boyd, he was selling his own music and videos, and he had his own store that is happily advertised in his MySpace profile. Helgib was quite shameless, too, Boyd says, noting that the boy's photographs were all over the place.

Boyd says Helgib managed to stay in business for a while because he found a safe harbor with an incredibly dubious Web host based in the United States. Every time Boyd got Helgib's site shut down, it would just come back to life elsewhere.

Helgib is fascinated with Helgib. On YouTube, his profile read, "I'm a computer nerd, programmer, musician, and a famous hacker." At one point, Boyd says, Helgib tried to write his personal details onto the Wikipedia entry for famous hackers. Boyd, despite being challenged, thought it was all quite humorous.

YoGangasta revealed

(Credit: FaceTime Security Labs)

The fall of YoGangsta50
Last summer, Boyd found another example on YouTube. The video (no longer available) promotes a mod called Hood Life for the popular game Grand Theft Auto. The malicious content didn't involve the actual YouTube video itself; it's the URL at the end that's the problem. The site contained a malicious file, and if you linked to it, the file would download onto your desktop.

Boyd, an avid gamer, was livid that 54 people did, or had the potential to, download the malicious file after viewing the video, and in his blog, he railed against the inferior graphics and the overall shoddy work. But there are armies of fanboys who are completely obsessed with these characters, who spend at lot of time crawling, crawling up to them, trying to get in favor with them. There's a definite structure at work.

Boyd likens what is going on online to real-world street gangs, in which you have older boys enlisting the younger ones to do their dirty work. If the younger kids get caught, so be it; they're juveniles and most likely will be set free. Meanwhile, the older kids are free to recruit others.

Hackerboy a.k.a. "Balloon boy"

(Credit: FaceTime Security Labs)

The strange double life of Hackerboy
Then there's the secret double life of a notorious teenage hacker. By day, he's "Hackerboy," but, as Boyd discovered, he's also "balloon boy" in an embarrassing YouTube video. Boyd says he stumbled across this post from a guy who claimed to be a "leet" hacker, a "h4xor god." He's so good that he posted screenshots of his anonymous ownership of a few school networks. Not so anonymous, is he? Not too bright, Boyd says.

The boy, Hackerboy, even bothered to put a photo of himself on the forum profile page with the supposedly anonymous hacks. So Boyd wondered what other profile pages this kid might have. And that's when he found the YouTube video of HackerBoy sucking helium out of a balloon and running around his local town square being, well, a very silly little kid.

Boyd says Hackerboy tried to delete the video from YouTube but, Boyd writes in his blog, "I already had it open and have decided never to close the page down. In this way, my laptop will serve as an eternal monument of shame and lulz for all time."

But the fall of Balloon wasn't yet complete. Boyd went on to write, "Take one Balloon boy. Throw in a pinch of hacked sites, a smattering of photographs, and a dash of complete stupidity. Bring to the boil, then throw in a dozen or so e-mails from a number of people located in various parts of the globe to his school," and the kid is suddenly offline.

Boyd suspects that the kid did get busted and will soon erase all evidence of himself from the various forums and sites. At the least the YouTube video is finally gone.

Real-world gaming connection
In one of his investigations, Boyd found an example where the online world reached out to the real world. In this case, a scam involving World of Warcraft operated like this: In the real world, to access a multiplayer game, you need to purchase a time card. The scammers would go into electronics stores, where the time cards weren't sealed, and insert a fake beta trail card.

He said that in the United Kingdom, they're sealed with plastic wrap but that certain stores in the United States do not seal them. He said they'd wait until the shop clerks weren't looking, then slip the fake cards into the time cards.

When you get home, the card would fall out and invite you to sign up for a free 15-day trial for World of Warcraft or whatever. On the site, you type in all your login details for your real account, credit card, and phone numbers. And you've just been phished.

Boyd says he was able to warn Electronics Boutique in the U.S. that this activity was going on. He doesn't know if any action was taken, but when he went back to the scammer's forum page, the topic no longer existed; it had been pulled down.

Dangerous game
There are also sites where kids are asked to "show your latest hack." One kid, says Boyd, had a Trojan horse sitting on a desktop somewhere in the world and could see what the desktop owner was looking at on his screen. It so happened that the owner was viewing child pornography. So the kid, says Boyd, thinking this is cool, takes a screenshot of it and posts it on the "show us your" forum for all to see.

Boyd said, "The kid's probably thinking ha, ha, we got a pedophile looking at child porn," but now he's put child porn on all the desktops that are viewing the "show us your" forum--which isn't very smart, should law enforcement look at the browser cache or hard drive of any of those viewers' desktops. Then again, some of these pedophile sites are run by people Boyd says you really don't want to be tangling with. "You start having these dialogues with complete psychopaths, and you don't really know who they are or what they're capable of."

Boyd says that if he had a site full of illegal material and found that it was suddenly splashed across some hacker forum, he'd be tempted to start looking in the real world for them. "They could pretend to be the same age of the kids," Boyd says. "There's a whole wealth of weird and creepy scenarios that could come out of such a thing."

Tomorrow, we'll look at how Chris uses features of social networks and Web 2.0 to shut these kids down.

Click here for more stories on RSA 2008.

On Tuesday, the creators of the Diffie-Hellman key exchange, a cryptographic protocol, and two of the creators of EMC security division RSA gathered onstage for the annual cryptographers' panel at RSA 2008 in San Francisco.

First, panel members offered their perspectives on the state of security since last year, then they answered questions posed by a moderator. The panel included: Whitfield Diffie, chief security officer at Sun Microsystems; Martin Hellman, professor emeritus of electrical engineering at Stanford University; Ronald Rivest, professor of electrical engineering and computer science at MIT; and Adi Shamir, professor of computer science at the Weizmann Institute of Science in Israel. The moderator was by Burt Kaliski, founding scientist at RSA Laboratories.

Diffie began the discussion, saying that after 80 years, "we've gotten cryptography to a fairly good point," but added that "the Internet's a mess." He said that on the Internet, "defense--pure defense--simply doesn't work." He said that where it takes us months and years to secure something, it takes the opponent only hours. "They can run rings around us." He then mentioned that some in the government are starting to talk about going to where the opponents live and using a variety of means to shut them down.

Hellman showed a photograph of a glider flying over a runway. Himself a pilot, he said the greatest risk was executing a maneuver that most people consider 99.9 percent safe. Hellman said that "humans are not good in judging low-probability events," and cautioned against complacency. He said he hoped that the non-security world would reach a tipping point and start taking security seriously. (Malcolm Gladwell, author of The Tipping Point, is an RSA keynote speaker on Thursday.)

Rivest briefly mentioned Alan Turing, to whom this year's RSA conference is dedicated. Turing is best known for the Turing Test, a process that determines a machine's ability to demonstrate intelligence. What Rivest really wanted to talk about, however, was electronic voting. He said cryptography is relevant to creating end-to-end security. He's part of a group that has released a public proposal on voting system standards. One of the key parts is the definition of "dependent" and "independent" software on a voting system. He said software dependent is a category where a bug or a flaw could easily change the end result; this is along the lines of work done recently by Professor Ed Felten and his grad students at Princeton. Software independent is where the system doesn't entirely depend on the software and uses paper or some other means of capturing the vote. He favors voting systems that are software independent.

Shamir gave a short recitation of hacks within the last year or so on various cryptographic systems, mentioning in particular recent attacks on various municipal transit systems, such as Boston's Charlie Card and London's Oyster Card. Most curious, however, were his final comments about the adoption of Blu-Ray DVD discs by Warner Bros. He said he'd wondered about the tipping point in the Blu-Ray vs. HD DVD battle, and said he'd heard a rumor--and stressed it was only a rumor--that Blu-Ray had better security overall than HD DVD. If true, he said, security is finally starting to become a factor in consumer electronics.

John W. Thompson, chairman and CEO of Symantec, used part of his keynote address Tuesday at RSA 2008 to announce the merger of the Cyber Security Industry Alliance and the Information Technology Association of America.

CSIA includes the top security providers and seeks to influence security policy in the U.S. and the European Union; ITAA is a much larger policy group. He said "this will give CSIA a bigger platform and a stronger voice on these critical public policy issues and the ability to work with governments and key stakeholders around the world."

In a press release, ITAA president and CEO Phil Bond said, "The global reach of CSIA, with its Brussels office, will bring valuable new perspective and resources to ITAA's own Information Security program and complement our work with the World Information Technology and Services Alliance (WITSA)."

Predicting the future for technology and business is never easy, yet Symantec CEO John Thompson ventured into that Tuesday morning in his keynote speech at RSA 2008.

On the future, Thompson predicted three things: that malicious software will outnumber legitimate software, increasing the need for so-called white listing; that identity management will grow beyond the enterprise and start to include every customer in the world; and digital rights management will be become a reality for all content, not just music and video.

Symantec CEO John Thompson takes the stage at RSA 2008.

(Credit: Corinne Schulze/CNET Networks)

He said businesses need to start thinking about these things now. "I believe this starts with a fundamental shift toward an information-centric view of security," he said. He described this information-centric view of security as taking a risk-based approach to protecting confidential information. Instead of securing all the data, secure only the most important data, he said, adding, "Once you gain insight into how your information is being used, you can begin to set policies that help you mitigate your risks."

Thompson mentioned the growth of mobile devices and stressed the need to become content aware, that just guarding the corporate perimeter isn't enough anymore.

"Ultimately," Thompson concluded, "the work of protecting business information is everybody's job--not just IT's. It's a challenge all of us must tackle in order for our businesses to thrive--to become more agile and high-performing--and to realize the full promise of the connected world."

On Thursday morning, at this year's RSA Conference in San Francisco, Chris Boyd of Facetime and I will present a talk, "How to Adapt to the Echo Generation's Social Media Hacking Game." The following is a preview of that talk, presented in three parts. On Tuesday, we're looking at who are the Echo Generation hackers. Wednesday , we'll look at how they use online social media for hacks. And on Thursday, we'll talk about how Chris uses features of social networks and Web 2.0 to shut these kids down.

It's a world of fake hacks and stolen Habbo Hotel and World of Warcraft gaming accounts. Sometimes there's money associated with it, but most often the scams and the pranks are just for prestige.

Welcome to the next generation of computer hackers, the teenybopper edition, where the kids, ages 11 to 16, don't consider YouTube, MySpace.com, Facebook, and Xanga to be social-networking sites. They call them "social engineering sites."

They're the geek subset of the so-called Echo Boomers, a generation defined as children born between 1982 and 1995; they are also sometimes called "Generation Y" or "Millennials." The Echo Boomer name is a direct reference to the Baby Boomers, born some 30 years before, and many in fact children of Baby Boomers. According to CBS News, Echo Boomers already spend $170 billion a year of their own and their parents' money, so from a marketing perspective they're significant.

They're the first generation to experience the growth of the Internet at a very early age. Some are early adopters of cutting-edge Web 2.0 applications and services such as video streaming and social networking. Some of these kids have begun to dabble in computer hacking, but unlike previous generations of computer hackers, it's not about discovery, it's all about them.

Neo hackers
According to Chris Boyd, director of malware research at Facetime Security Labs, Echo Boomer computer hackers "don't seem to be as wise to the risks as older generations were." They leap from social-networking site to social-networking site. And they are quite happy to post photographs of themselves on sites selling stolen credit cards. They're non-anonymous on the Internet, he says, often keeping the same username, which makes them easy to shut down.

But keeping one username in particular is behavior that is not necessarily true of all mainstream teenage users, suggests Danah Boyd (no relation to Chris Boyd). As a Ph.D. candidate at the University of California at Berkeley and a fellow at Harvard Law School's Berkman Center for Internet and Society, her graduate work has focused on how people manage their presentation of self in online environments. Her subsequent research has found anecdotal evidence of teenagers who create a throw-away e-mail account for the sole purpose of creating a new social site page. Then, over time, if they lose their password to the site or to the e-mail account, they simply create a new account and a new profile page.

Where the teens are
In January 2007, the Pew Internet & American Life Project released a study of 935 mainstream U.S.-based youth aged 12 to 17 years old. Overall, 41 percent of the youths aged 12 to 13 had social site profiles, while 61 percent of the youths aged 14 to 17 did. But by gender, the differences are clear. Seventy percent of girls aged 15 to 17 have a social site profile compared with only 50 percent for boys the same age.

In the study, the mainstream teens said the social network they updated most was MySpace (85 percent), with Facebook (7 percent) and Xanga (1 percent) far behind. A quarter of the teens surveyed said they visited their site once a day, with another 20 percent saying they visited more often. Another 20 percent said they visit once every two weeks. Not surprisingly, use of the social-network site changed with computer access. Youths who accessed the Internet at home accessed social sites more often--58 percent as opposed to 42 percent who accessed the Internet from school or some other public terminal.

The importance of these social-network profile sites in the lives of mainstream Echo Boomers varied among those surveyed. Ninety percent said they use the sites to stay in touch with friends they see often, and 82 percent said they stay in touch with those they do not see as often. A majority use the sites for making social plans. But when it comes to making new friends, the teens were evenly split. And as for flirting, 83 percent (male and female) said they did not do that. Sixty percent of the youths surveyed reported limiting access to their site profiles.

Why they're online
In one paper, Danah Boyd likens online social networks to radio and mass media in past generations, except that social networks allow interaction as opposed to being fed information from the mass media. Echo Boomers may be the first generation to interactively define who they are. She adds, "this is highly beneficial for marginalized youth, but its effect on mainstream youth is unknown."

"Because the digital world requires people to write themselves into being," she writes, "profiles provide an opportunity to craft the intended expression through language, imagery and media. Explicit reactions to their online presence offers valuable feedback. The goal is to look cool and receive peer validation."

She added, "for those seeking attention, writing comments and being visible on popular people's pages is very important and this can be a motivation to comment on others' profiles."

Same name
This is consistent with Chris Boyd's research into Echo Boomer hackers that create one username and see how it plays on the social networks. "This is more of a lifestyle statement to a lot of these kids. A lot of it is about fame and fortune," he said.

Teenage hackers are using YouTube.

(Credit: FaceTime Security Labs)

He said in his research that he sees kids starting between the ages of 11 and 13 on online gaming sites. "A lot of these kids mature on to Habbo Hotel,.Runescape, and things like that. From there they start to learn about the basic hacks and cracks and patches." Some start to run their own forums. That's when, he said, they start to get a bit more adventurous; then they start looking into the phish pages, the fake account stealer programs that you get for Runescape. He said there's a strong link between gaming communities and teenage computer hacking although he doesn't know if anyone's ever actually set down some hard statistics.

One example
He cites an example of a kid on a forum who posted that his YouTube account had been shut down. The kid wanted others on the forum to launch a campaign to get his username reinstated. "Rather than recreate the username with a one or a two on the end," Boyd said, "he was so obsessed with his own particular username, with the uniqueness of it and all that, that, in his own words, he'd rather retire from the hacking scene than lose his username."

Additional research suggests that teens of a certain age have "settled," and are therefore much more protective of their nascent identities online. They're individuating from their parents; they're trying a version of themselves out in the real world, so their usernames take on additional value and weight. So when they cross the line into criminal hacking, in many ways it is just as personal as though they themselves were engaged in petty crime on the streets. And that is an important intersection for teenagers who dabble in writing malicious software.

Gotcha
By keeping the same username across Xanga, Facebook, and MySpace, Chris Boyd expects to find a paper trail online. And he does. He has tracked many offenders across numerous sites, some going back a few years, and done so in about 10 minutes or less using Google. "It's weird," he says. "Now when you hear about hackers it's all profit motivated--they're not doing it for hacking kudos anymore; they're not in it for the fame; they're in it for the money. There was a time when (hacking) was all about exploration, being notorious or well-known or a famous hacker. It's almost that a lot of these kids have reverted back to that way of thinking."

Except they don't see any reason to hide.

Boyd goes on to say a lot of what he's seen online is like an American Idol sort of hacker fame. Rather than having any sort of real standing of fame within the hacking community, a lot of the hacks are quite facile--a lot are fleeting. "It's because they haven't got a concept of the consequences of it all. It's almost like a fad--and it's a pretty dangerous fad, I think."

On Wednesday, we'll look at exactly what these Echo Boomer hackers are doing online.

At RSA 2008 on Monday, Hitachi announced its acquisition of M-Tech. Since last Wednesday, the Canadian ID management company has been using its new name, Hitachi ID Systems.

Forrester Research predicts that the ID and access management market space will grow from $2.6 billion in 2006 to $12.3 billion in 2014, and Hitachi, long known for its security electronics, wants to be a player in the enterprise security market by offering a complete package.

Hitachi currently offers advanced IT authentication with its finger vein biometric devices. Finger vein biometric authentication is used in 80 percent of Japanese ATMs using biometric authentication.

The technology behind finger vein pattern recognition.

(Credit: Hitachi)

Unlike fingerprint scanners or palm-reading biometrics, finger vein biometric devices represent a subset of hand geometry biometrics in that they look for unique vascular patterns in the customer's finger tip.

Vascular pattern recognition (VPR) uses near-infrared light generated from a bank of LEDs projected through the skin. The pattern recorded it then compared with the pattern on file.

With the acquisition, Hitachi now has ID management software to go along with its authentication hardware. Customers include Wells Fargo, Wyeth, Best Buy, Cingular, Wendys, Cisco, Sony, and Pfizer.

Hitachi is hoping to grow the software products it has acquired from M-Tech with joint offerings of its existing biometric, RFID, and smart-card security products.

Want to cause trouble at RSA? Register with any of a number of special characters in your name or business name and watch the badge printer issue blanks. That's what happened to me.

Monday morning when I registered for RSA 2008 (where I'll be speaking with Chris Boyd of FaceTime), I thought maybe I'd get a little VIP service. (Our talk on "How to Adapt to the Echo Generation's Social Media Hacking Game" is at 9:10 a.m. PDT on Thursday.) Instead, I was stuck in various registration lines for more than half an hour until the lone IT guy realized the system wasn't handling special characters in my company's name. In other words, the registration at RSA could be vulnerable to SQL injections, where special characters cause the database system to behave differently.

After typing in my name and confirming my registration at the little kiosk near the door, I walked over to the printer desk, where I should have had my badge waiting. Instead, the first badge came out blank. As did the next, and the next after that. For the next 20 minutes, as different desk clerks tried to help me, there were about a dozen attempts to print out my badge--all blank. Apparently there's only one IT guy and he immediately realized that whoever registered me as a speaker used the pipe character in CNET, a style we stopped using years ago. The pipe character in most SQL systems is used to indicate a concatenation.

But I'm not alone. Security researcher Adam J. O'Donnell reports that even the apostrophe in his last name caused the system to bonk. O'Donnell humorously (or maybe not) adds that "RSA is attempting to segregate out the Irish without posting an 'Irish Need Not Apply' sign."

Are there any other special character examples from RSA 2008 attendees? Post a note below.