How about “ass hats”

Yesterday in a computer security blog piece (which was taken down overnight), a writer referred to the person who launched malicious code as an “ass hat.” I kind of liked that. It’s a bit opinionated, but probably sums up what everybody thinks of them.

Every security writer struggles with the problem of what to call the “bad guys.” The struggle reflects the very wide and massively complicated field we work in. “Bad guys” is imprecise and informal, though. There are a lot of flavors of “bad guys.”

“Criminals” seems to cut through a lot of the linguistic haze. In a string search through all my blog pieces since 2009, I see that I’ve used that more than any other word. “Bad guys” came in second and “malicious operator” third.

The “white hat/black hat” distinction is useful in big, generalized discussions of computer security issues too. It captures the strange boundary that exists between activities like penetration testing and hacking a system for theft or malicious purposes. They both involve pretty much the same skill set and same work.

Another good phrase that’s useful in discussions of the big picture is “the dark side.” That’s got a great Gnostic, philosophical sound to it. If the criminals are the “dark side” that means those of us in the security community are fighting on the side of “the forces of light.” (We need tee shirts!)

“Malcode writer/distributor” is a good, precise handle for people who do that. However, malcode writing kits have been around for a while, and that, together with the specialization in the world of organized crime, means that the one distributing malcode may not be the one who created it.

“Botnet operator” describes people who run botnets. Again, they may or may not be the actual people who write the malicious bot code since crime-ware kits can automate that.

“Malicious operator” isn’t that great, but, hey, you have to call them something and sometimes nothing else really works.

“Spammers” are, well, the original ass hats in most people’s thinking. Again, they’re specialized, although there’s a cross-over with “botnet operators.”

A former colleague of mine, who began his career as an Army security officer, often used “miscreant” and “actor.” Both are great English words, but they seem a bit formal.

“Intruder” works when you’re talking about somebody exploiting vulnerabilities and running code on somebody else’s machine or downloading data from a poorly secured network or machine. “Intruder” also sidesteps the huge controversy over the word “hacker,” which you simply can’t use any more.

“Hacker” is waaaaay too loaded to use in any circumstance. It began life years ago with a wonderful idealistic, romantic aura. For a while, “hackers” were smart, clever and tireless young explorers who tracked down the arcane details of those new computers. Every kid who learned BASIC wanted to be one. There were movies that portrayed them as picaresque heroes, bringing down the hostile alien space craft by hacking its network (which implied 1. bad password security even in outer space and 2. a strange compatibility between Mac laptops and the AlienOS).

That romantic image crashed suddenly. I remember the day when the above-mentioned colleague wrote about the discovery that “hackers” were working with organized crime groups, largely in Eastern Europe, to make money. He wrote something like “hacking is no longer for fun, it’s for money. Hacker = criminal. Get over it.” It was a sad end-of-innocence moment, but a lot of people want to cling to that romantic image. So, it’s best to simply not use the word.

Decent kids interested in computer security and on their way to CISSP certifications are still “hacking” of course, but the name was tarnished beyond all recognition. We can just hope that more join the forces of light than join the forces of darkness.

Tom Kelchner