by ErrantX 5568 days ago
This could very likely be a carefully (and cleverly) constructed identity.

This girl might not exist; but because we all really really want a 16 year old girl to be the hacker the discrepancies are glossed over (the art of a good lie is not giving too much detail and letting other people's imagination fill the gaps).

On the other hand the personality strikes me strongly as female, so if it is a facade it is a very well constructed one, which the imposter empathises with.

But, on the whole, the setup "feels" wrong (and I tend to trust my instincts in such matters).


When I had a lot more time, I would go into Yahoo chat and basically phish for pedophiles' usernames/passwords. I can tell you that a "hehe" after anything will set the hook.

I could on average phish about an account a minute and I was never figured out. I only fell out of character once to warn an 18 year old kid, that talking to 14 year old girls sexually online wasn't the best use of his time. He freaked out and thought I was a cop!

It's relatively trivial to do this, most people will ignore minor slip ups provided you have the right context. I would set context by doing the following:

1. I would set my profile to the geolocation of the room I intended to work. I would then find a school and neighborhood to say I was from.

2. I would suggest I was home sick (and thus alone).

3. I would use an innocent, although, sexual name in my username like "booty"

4. I would use emoticons and "hehe" on probably 75% of all messages sent.

5. I would let them contact me first. If you contact them they get scared. If they contact you, they feel like they are in control.

For example, I could tell them the wrong name and many wouldn't notice, or if they did simply saying, "Oh, that's my middle name" is usually sufficient.

With all that said, anyone know of a way I could use my experiences and ability at social engineering online in a legit manner?

Welcome to the internet, where the men are men, the women are men, and the kids are cops.

http://news.ycombinator.com/item?id=1546789

That phrase is older than Hacker News. I could have sworn that it used to be on bash.org, but the best reference I can find is:

http://www.urbandictionary.com/define.php?term=kids+are+the+...

I'm pretty sure the phrase even predates 4chan though... Most likely originates from USENET or IRC.

Definitely older than Hacker News. I got it from Reddit, and I think Reddit got it from UseNet (possibly via 4chan or IRC).

I paraphrased though, and the grandparent post must have a better memory (or better Google skills) than me, which is probably why you can't find an exact match...

The oldest versions I've heard went something like “Welcome to the internet, where the men are men, the women are men, and the children are FBI agents.”

Example from 2001: http://www.bash.org/?2832

Pretty sure the line goes back further than that though.

My guess is that it’s a parody of A Prairie Home Companion’s line about “Lake Wobegon, where all the women are strong, all the men are good looking, and all the children are above average.” Though that might itself be playing on some earlier such line?

I think of the Hitchhiker's Guide to the Galaxy (from the 70s?): "Where men are real men, women are real women and small furry creatures from Alpha Centauri are real small furry creatures from Alpha Centauri."

Which is presumably itself a parody, I'd guess of some standard line from a Western. But I couldn't pin it down to exactly where.

That the internet has been thus for a long time is disappointing, but not surprising.

I've studied oral-formulaic poetry, and one of the interesting aspects of it is that everyone tells the same stories over and over, and what makes one retelling superior is not the actual content, but the way it's delivered. I may well have seen it before. But long line lengths and easy Verdana text make HN good for memorable one-liners, and your retelling had punctuation, capitalization, and pithiness.

Here's the bash.org quote you're thinking of:

http://bash.org/?2832

That is... pretty creepy.

> With all that said, anyone know of a way I could use my experiences and ability at social engineering online in a legit manner?

See if Chris Hansen is hiring?

Going back about 10 years, there was a community that made a pseudo-sport out of this kind of activity and similar online masquerades, it was called baiting.org. The site is still up, though inactive.
Finding one in Yahoo! Chat in the 90s wasn't very hard; it was tough trying to find someone, anyone, to chat with who wasn't a pedophile. Those chatrooms were insane! ...and the webcams too!
For the record, I believe this would have been between 2000 and 2004ish.
Interesting. What was your motivation?
I'm big on systems and testing and generally more interested in people than the technical nature of technology. I just wanted to see if it would work. I did this off and on from the time I was 14 to 17 or so. I lived literally in the middle of nowhere, where the nearest town had about 27 people. It was an interesting way to spend time in high school.

To me it was a big experiment to maximize conversion and minimize detectability.

The biggest take away from this is that I realized that social interactions have formulas and you can take advantage of those formulas. You can also find shortcuts to the formula or make certain parts of the formula more important or less important based on context.

I am hoping you are hinting that this story is an exact replica of that behavior... pulling off a social formula, on a slightly bigger scale. Even if you are not, having gone through a similar phase back in early years with that exact same motivation, I am!

This is a textbook usage of social engineering. Putting in divorced parents, single child getting all the attention from the engineer dad making the kid an above average amongst his/her peers, and then putting in a girl, so to make you focus less on the flaws in the story and drool over the hot-geek image more... evergreen combination.

I would doubt though that Forbes came up with this on their own. Rather, it could very much be someone from anon, just having little more fun.

Thanks for making that explicit. My point was that the context (story) she used makes it so we want to believe her. In the same way I could set up a context that makes you want to believe and ignore irregularities.

I would expect that the journalist as a filter makes this even more likely. The journalist would then ignore irregularities or dull them in the story presenting the most consistent pieces in the story, not the least.

I would say one advantage that I had is I could test responses, over and over again. But that is always what allowed me to basically have a formula that would result in 95%+ conversion on the phishing attacks. The other 5% oftentimes were do-gooders trying to tell me not to be in chat rooms or to warn me about pedos.

Thanks for the explanation. I suspect most people downvoted you because they didn't understand your motivation.

I particularly liked your comment about finding formulas for social interactions. Have you tried looking for work at a social startup? From what I have heard of Facebook's culture, you would fit right in.

I didn't downvote, but regardless of the motivation it's still just a little creepy
This sounds like Transactional Analysis, it's an interesting read on Wikipedia

I think the link is just http://en.wikipedia.org/wiki/transactional_analysis if that's wrong I apologize, I'm typing this from my phone

Have you analyzed and documented the formulas you mention? This would be a first step into formalizing and eventually monetizing your experiences.
I don't have the logs, so it would be based more on memory than anything else. It'd be less than scientific, and I went into Yahoo Chat rooms 6 months ago to see if they had changed and it is much less fruitful now with the population being mostly made up of bots.
This would be a great answer to the "Real life hacking" YC question, especially with your mention of the formula behind human interaction you discuss in another reply.
That was always my thought too.
Previous comment here related to multiple down votes I received. I jumped the gun and lesson learned.
You're at +6 right now, so the number of people (including me) who think that your comment was interesting and useful to the conversation outweigh the number of people who objected to it. HN is generally self-correcting; I would say that not asking about downvotes for at least two hours or until you get down to -4 or below is probably a good rule of thumb, as I expect that HN's tendency to self-correct is lessened past either of those points (because of fewer people reading the thread or because people won't bother reading the comment), assuming that you can't see why it's been downvoted. That's just my advice, though, as I most often see comments asking about downvotes following comments which have a positive votecount.
On a more technical note regarding the described background, "Kayla" apparently started by learning how to break software and exploit bugs by her dad and grew up learning about the Linux Kernel... then moved to SQL injection.

That last bit makes absolutely no sense. It's easier to learn SQL injection than the many, many different ways that memory management can go wrong. References to her memorising Windows Opcodes sound like a random phrase thrown in for credibility (you do after a while remember certain functions - 11 years after writing my first ARM shellcode I still remember it, even though I'll probably never use it).

The whole description of how she progressed just doesn't sound right. You can be up and running with SQL injection in less than an hour, learning buffer overflows and understanding them properly probably takes about a day and a bit at best (and that's assuming that you know C, how to use a debugger and how a compiler works). The Micro-SD strategy also seems a little extreme (but is viable, our testing gets done under a VM, there's no reason why that couldn't go on a micro SD card).

I'm calling BS on Kayla being a girl, mainly because the story just doesn't fit right compared to the application of Occam's Razor - that this is someone else trying to cover their tracks.

When you have an expert parent (or other adult influence) you can, and frequently do, learn things in a "weird" order. Further, study after study from teaching land shows that "the natural order" to learn things is not nearly as fixed as one would think; the order you learned in is not the only way. The order you were taught in is not the only alternative way.

I remember I started learning in C, reading security and working on perl all at the same time. I didn't even know about SQL for a couple years after that. This was in the late 90's and early 00's tho, things were a bit different, but it isn't improbable nor impractical to have this learning curve in a semi-self taught way. It is even less improbable given that her dad probably taught what he knew best, C and Kernel stuff.

When I was a kid, my grandfather was an electrician. I grew up learning about house wiring, and how to do it properly and quickly. I learned how to solder and do stuff with wires long before I ever did basic electronic theory stuff. It never occurred to me that 120VAC was any more dangerous than a small fire. Imagine my surprise when in college I first encountered these professors who were terrified of wall current ('of course it will hurt you, just don't be stupid' is still how I think of both fire and electricity, the stuff isn't magic). I was confused when we went over stupid "this is how a dpdt switch works" and annoyed that we never played with any circuits more advanced than I grew up doing for over a year. I had never had any basic electronic theory at that point.

So: do you disbelieve me because I didn't learn in some natural progression as an electrician apprentice would? Because I didn't learn in the order the courses laid out in college?

tl; dr -- the idea of a "natural progression" in learning is just bunk.

I've hung out in the anonops irc quite a bit, and `k certainly comes across as female. I hadn't linked her to the Kayla > YOU spam before, but that was almost 3 years ago, now. If it is a constructed identity, then it's been carefully cultivated.

It is an awesome story, though. Regardless of whether it's true or not, it's effective at both rallying the neckbeards and shaming opponents. It's funny to see how much deference is paid to her on IRC, although I only started going there after news of the HBGary incident broke, so she already had quite a lot of cred.

`k may or may not be a 16 year old girl, but it's a hell of a troll if she isn't. I'm not aware of many anons who could pull something like that off for so long. There were a few back in the day who had managed to become trusted enough at anontalk to get promoted to wiseguys, but that took a couple months, not a couple years. For that reason, as well as her general demeanor, I'm inclined to believe her.

Indeed, and there are 2 references in the various tales of a good understanding and practice of social engineering, and anyone with that understanding would not go around telling the press genuine background stories that could start to be pieced together.

But then of course the smartest ones are the people no one will ever hear about, so who knows.

Oh.. I know this one. It turns out to be Kevin Spacey in the end.
I fail to pick up on how the personality in the interview seemed strongly female. Could you give an example?
Not just from this piece, I did a little more digging and my impression was that this person comes across as female (based on the sort of language used, areas of interest etc.).
Sorts of language used like "Perl, Python and PHP"? Areas of interest including x86 assembly and the Linux kernel? Yep, all girly..
Yeah, it's interesting to guess.. There are mild grammar errors in each longer sentence she's quoted with.. and two of them conflict strangely (she uses 'into' correctly once, but not again). I'm just playing detective, but either smells like someone young.. or like someone intentionally peppering grammar issues to sound it. I dunno. If I had to vote I'd call BS. I think it's someone older.
Not to mention, it must be humiliating for HBGary to be thought of by the world as hackable by a 16 year-old girl.
Why? Kids are smart and have time. 16 is not that young. I knew how to do SQL injection and buffer overflow exploitation at that age, although I also knew not to use those skills against someone who didn't ask for it.

Basically, everyone is excited because she's a girl.

As one or two articles have pointed out, that kind of skill is generally lacking in girls in our culture. So it is somewhat noteworthy, I guess.
Her father is a software engineer, though. It's much easier to learn pretty high-level skills in a field when you're young if you have a parent in that field.
Hiding in plain sight is also a good trick. She might be what we think she is or not, doubt gives her/him some protection.