Tags: #MarcusHutchins #WannaCry #Kronos #Cybercrime #Cybercriminal #OffenderProfiling #CybercriminalPsychology #MyersBriggs #MBTI
In early March 2018, Reeves Wiedeman wrote an interesting story for New York Magazine titled Gray Hat based on interviews with Marcus Hutchins. Wiedeman wrote, “Hutchins is a self-described introvert and pessimist. (“I don’t really like people,” he [Hutchins] deadpanned.)” This deadpanned statement stuck in my head as I continued to read the story. It stuck in my head as I looked over the voluminous MalwareTech blog posts. It also stuck in my head as I scrolled through thousands and thousands of his tweets. It struck me as interesting that this self-professed introvert really seemed to enjoy a lot of extroverted activities. I wanted to know if Hutchins was telling the truth or was he simply lying to Wiedeman in an effort to portray the mysterious rogue hacker with a hoodie stereotype and salvage a reputation amongst his peers? Of course, it could be neither, both, or something completely different.
The first step I took to understand Hutchins was to extract the crumbs of directly attributable data points from the Wiedeman story that I could assign to a personality trait. I came up with 58 individual data points. I now needed a personality spectrum to which to align my data points. For this, I chose the Myers-Briggs Type Indicator® (MBTI®).
Below are the 58 data points I extracted and the mapping I came up with.
Again, I'm not an MBTI professional so this should be considered a rudimentary attempt. I have been trying to engage an MBTI-certified resource to help with a more reliable mapping but to date none of those I have contacted have been willing to help.
STORY EXTRACTS MAPPED TO MBTI TABLE (BELOW)
• By his own estimate, there are only five people in the world — “I know of three, but five is a round number” — with his particular expertise.
The above quote was clarified by Hutchins on Twitter where he said, “People keep asking me about this quote. It’s a little out of context, the actual question was how many people I personally know of who do botnet tracking. I said a bunch of companies but I only know of about 3 -5 individuals who've built their own.
• He was annoyed at those who defended him by saying he wasn’t skilled enough to have made Kronos in the first place. “I don’t know what hurts more,” Hutchins said. “That people think I’m a shitty person or that people think I’m that bad at programming.”
• competitive swimmer
• “Surf Life Saving” — lifeguarding as a sport
• Hutchins started learning to code when he was 12.
• By high school, his skills were advanced enough that administrators blamed him for an attack that took down the school’s servers. (Hutchins maintains his innocence.)
• He went on to a local technical school for two years,
• where he found the computer-science offerings primitive.
• In 2013, he started a blog.
• detailed his amateur explorations into “reverse engineering,” a critical cybersecurity job in which researchers dissect malware to figure out how it works.
• Post titled “Coding Malware for Fun and Not for Profit (Because That Would Be Illegal),” Hutchins declared that he was “so bored” with the malware being produced
• that he had made some himself,
• assuring readers that, “before you get on the phone to your friendly neighborhood FBI agent,” he had designed the malware so it couldn’t be deployed.
• applied to GCHQ, the British equivalent of the NSA —
• his résumé included links to his blog and a childhood swimming certification
• he’d become interested in tracking botnets - “I was never trying to make a career out of it,” Hutchins said. “I was just kind of bored.”
• Suddenly, at 22, Hutchins had a six-figure salary, two employees reporting to him, and the ability to work remotely from three computer monitors in his bedroom on his own schedule. (“My first question upon waking up and seeing the clock said 9:30 was ‘a.m. or p.m.?’ #DreamJob.”)
• quickly developed a reputation in the world of “InfoSec,” or information security, as being an unusually generous member of the community - A researcher in Bulgaria said Hutchins helped him track a botnet there for free.
• In 2017, he was invited into an initiative run by the U.K.’s National Cyber Security Centre to recruit “the best and the brightest” in cybersecurity to collaborate with the government. Hutchins maintained a hacker’s natural skepticism of authority but came to believe that public and private cooperation is essential to securing the internet
• The sense of power that comes with such connections could also be exhilarating: If Hutchins had information to share or a question to ask, he could quickly get in touch with British intelligence or someone at the FBI.
• Wannacry ransomware outbreak - “I picked a hell of a fucking week to take off work,” Hutchins said on Twitter.
• Hutchins got a sample of WannaCry from a friend and began picking it apart.
• He quickly noticed that the code included a seemingly random domain name —iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com — that was unregistered.
• the code suggested that WannaCry was regularly pinging the domain; if he registered it, he thought he might be able to direct the traffic to a “sinkhole,” which would allow him to monitor the attack.
• After a quick conversation with Neino, Hutchins bought the domain on NameCheap.com for $10.69.
• Two days later, a friend called to tell Hutchins his picture was in the Daily Mail. Hutchins had given interviews pseudonymously, as MalwareTech, but he feared reprisal from the WannaCry hackers
• and had taken great pains to maintain his “OpSec,” hacker shorthand for operational security.
• Most of his friends in Ilfracombe didn’t know what he did for work, partly because he couldn’t talk about it,
• and most of his InfoSec friends didn’t know his real name.
• Hutchins had tried to keep pictures and information about himself off the internet, avoiding services that asked for his physical address
• With journalists staking out his home, Hutchins hid inside, slipping out once by leaping over a wall in the back, wearing a hoodie, to go to his favorite fish-and-chips shop.
• Eventually, he granted an interview to the Associated Press; when the reporters asked Hutchins to spell his last name, he was so nervous he left out the n.
• His Twitter following quintupled, which was cool, though he tried to remain detached about it, posting a photo of the ocean with a digital-age koan: “50k new followers won’t bring you happiness, but the sea will.”
• Hutchins delivered the keynote at a conference in Copenhagen, and at another event, when he started talking to a girl he thought was cute, he was bombarded by so many people asking him for photos that she got fed up and left.
• In July, during an interview with a cybersecurity website, he was asked whether black hats could make as much money “by coming to the ‘good’ side.” Hutchins pointed out that the hackers behind WannaCry, one of the largest cyberattacks ever, had made off with just $135,503 — roughly what a malware researcher like him made as a salary without “the risk of being caught.” But Hutchins had also expressed doubt that many would switch teams.
• Hutchins declared on Twitter, “Bad guys who come to the good side rarely become good guys, remember that.”
• In addition to creating the malware,
• Hutchins was accused of conspiring to sell Kronos to cybercriminals for $2,000 and advertising it on AlphaBay, a dark-web marketplace the FBI has since shut down.
• Hutchins had worked with law enforcement many times, including during WannaCry, when he publicly thanked the FBI for its help.
• Hutchins also sent a curious tweet in 2014 — “Anyone got a kronos sample?” — that suggested he had learned about Kronos along with the rest of the security community (or was trying to distance himself from his handiwork).
• Around the time Hutchins was allegedly coding Kronos, he was also on Twitter trying to figure out how to get a job, asking about résumé formatting and whether to join LinkedIn.
• Having once done things he shouldn’t have, he had realized that doing good was more rewarding, financially and otherwise, than doing bad. “We can fit in a car the number of people who do this for fun — the defenders of the internet,” Tentler, Hutchins’s InfoSec friend
• A few days after we met for beers, Hutchins and I took a walk along Venice Beach.
• When we had parted ways the other night, Hutchins had told me he was going to meet some friends and “get so drunk I don’t remember anything.” He said he’d invite me along, but he wasn’t sure the others would be okay with it. “It’s a bunch of InfoSec people,” he said. “They’re all paranoid.”
• While Hutchins objected to parts of the Krebs article, he admitted that “I think everyone can see I have some shady things in my past.” But he didn’t think this was so unusual. “Most of cybersecurity has done something they shouldn’t at some point,” he said.
• “We only talk about the people who get caught.”
• Hutchins said he knew of one cybercriminal who masquerades as a white hat and is sometimes quoted as an upstanding security expert in the press. And, he said, other cybercriminals would sometimes disappear from forums and then pop up months later working for the government.
• After we’d been on the boardwalk for half an hour, Hutchins paused and looked toward the sea. “All this time, I’ve never actually just walked on the sand,” he said.
• He had gone to the waves and back to surf, but he’d never thought to just take a stroll.
• As we walked along the water, still wearing our shoes,
• Hutchins said that he’d previously felt little desire to leave Ilfracombe. His friends were there, real estate was cheap —
• he’d been planning to use his savings and his bitcoin earnings to pay $400,000 in cash for a large house
• and there seemed to be no professional point in moving to London or San Francisco when he could stop a global cyberattack from his bedroom.
• Most of all, Hutchins was bored, and he wanted to work again. “Not having access to my botnet-monitoring stuff is depressing,” he said.
• he feared the damage was already done. Cybersecurity is a business based in trust, and he worried that the allegations alone made him unemployable. (He had recently noticed a number of Twitter bots commenting on his case with anti-American bents, which he speculated could be someone trying to use his case to divide the American cybersecurity community.)
• As we walked up to the Santa Monica Pier, Hutchins grew wistful, thinking back to moments that could have led him anyplace but here.
• He was convinced, for instance, that he had become a target after WannaCry
• The world has never been more dependent on people like Hutchins, with their deep mastery of the digital systems undergirding things the rest of us take for granted. He seemed to realize this could be both a privilege and a burden. “I liked the connections and the power,” Hutchins said as a violinist played “Tale As Old As Time” on the pier. “Now I’m not sure it was worth it.”
STORY EXTRACTS NOT MAPPED TO MBTI – GENERAL HACKER REFERENCES
• Researchers who worked with Hutchins were spooked. “This is bad,” wrote one member of a cybersecurity forum. “We need to assume for the period he was among us, any and all traffic was compromised and could be, along with our names etc., in the hands of various adversaries.”
• “A lot of people do have criminal pasts — or criminal presents — but we also have a lot of experience with people getting arrested for no good reason,” said Robert Graham, a security researcher.
• InfoSec community’s distrust of the Computer Fraud and Abuse Act, a 32-year-old law that is behind many cybercrime prosecutions in America, including the case against Hutchins. Both law enforcement and the security community generally agree the law is antiquated — its definition of a computer cites typewriters and handheld calculators — and it has produced several questionable prosecutions.
• One issue has been figuring out how to handle young hackers whose intentions are not always clear. In 2010, Stephen Watt, a former programmer at Morgan Stanley, was convicted of writing code used in a credit-card-theft ring called “Operation Get Rich or Die Tryin.” Watt hadn’t actually deployed the malware, received no money, and claimed not to know what it was being used for. Judge Nancy Gertner, who heard Watt’s case, told me she found herself in a difficult position when it came to sentencing — prosecutors argued for five years in prison, the defense wanted probation — and settled on a two-year prison sentence. “People lost money, and he deserved to be punished, but he was also a kid,” Gertner said.
• While the teenage exploits that Brian Krebs uncovered were troubling, many security researchers saw themselves in the allegations. “How does someone like Marcus become so talented?” Neino, his boss, said. “The best security researchers need to expose themselves to real threats. A lot of researchers hang out in underground forums and befriend criminals.”
• Cybersecurity also has a long history of bad guys who become good. Kevin Mitnick spent five years in prison for various cybercrimes in the ’90s but now runs a security company that consults with the FBI.
• Amit Serper, who is now 31 and helped stop a major Russian cyberattack last summer, told me that he and many others in the field had done things as a teenager that “could be counted as illegal.”
• Nearly everyone I spoke to from the InfoSec world cited research suggesting the human brain doesn’t fully form until people reach their mid-20s. Many of the most talented cybersecurity experts, they point out, honed their skills by testing boundaries as teens. “I call this period the Age of Rage,” Moussouris told me. “It might be about feeling important for the first time in your life and being recognized as powerful. It’s the first time you taste that feeling we all yearn for — significance.”
• (James Comey irritated the community in 2014 when he said the FBI struggled to hire people because “some of those kids want to smoke weed on the way to the interview.”) Some security researchers said they would stop sharing information with the government in protest. “It just gives people in the community a feeling of persecution,” Jennifer Granick, who works on cybersecurity for the ACLU, said.
• the DOJ is hosting a panel at South by Southwest this month about teaching ethics to hackers
• relatively little is being done to nudge talented young people toward the light, which could leave someone with Hutchins’s skills and a still-developing moral compass feeling adrift
Extroversion | Introversion MBTI Mapping
Sensing | INtuition MBTI Mapping
Thinking | Feeling MBTI Mapping
Judgment | Perception MBTI Mapping
Comments