In late 2008 Raoul Chiesa, Stefania Ducci, and Silvio Ciappi published an interesting book called Profiling Hackers (Amazon). The idea behind this book is simple: Police officers use profiling to find criminals. Hackers often do illegal things. Police officers therefore need to profile hackers. Most police officers do not have a clue about hackers though. On 240 pages divided into seven chapters this book tries to help them by explaining what Hackers are like.
The first chapter is quite short. Only 12 pages. It is called "Introduction to Criminal Profiling" and gives examples of traditional crimes where profiling helped the police to find criminals. A theoretical introduction to different profiling techniques is given too. This is actually very interesting for people like me who are not aware of the theories behind profiling.
The second chapter, "Introducing Cybercrime" is a bit longer. 20 pages. The authors assume that the average police profiler does not know a lot about crimes committed by hackers. It is therefore necessary to familiarize them with some terms like exploit, vulnerability, DDoS, Sniffer, and so on. Brief histories of various cybercrimes (when did they first pop up; what famous or interesting crimes were committed in the past) are given too.
Chapter three is where the good stuff starts. It is called "To be, to think, and live as a hacker". The reader is told about a few methods to classify hackers (or how they classify themselves). First, hackers are classified according to what motivates them (black hat, gray hat, white hat). Second, they are classified according to their skills. Hacker ethics and a brief history of hacking/hackers are given too. Other less popular classification schemes are mentioned.
The fourth chapter is my favorite chapter. It is called "The HPP Project". The HPP Project (Hackers Profiling Project) is introduced and its relation to the UNICRI (United Nations Interregional Crime and Justice Research Institute) is described. The authors detail what they hope to achieve with the HPP and how they plan to achieve it. Furthermore a timeline is given that shows the roadmap for future research topics of the HPP. Unfortunately this chapter also produced the first letdown. The book is actually written prematurely. The HPP project is not complete. Far from it. Only half of the eight phases of the HPP have been finished so far. That means the book covers the phases called "Theoretical Data Collection", "Observation", "Archiving", and "'Live' Data Collection" while the phases called "Gap and Correlation Analysis", "'Live' Assessment", "Final Profiling", and "Dissemination of the model" are not covered. This is very unfortunate. The last four phases sound significantly more interesting than the first four phases.
Anyway, just to make this clear. What the HPP has done so far is to hand out questionnaires to hackers and to collect the results. Furthermore they travelled to hacking conferences to talk to hackers in person. Then they did a simple statistical analysis ala "X% of hackers live in cities with more 500,000 people" followed by a minimum of correlation analysis (remember, proper correlation analysis is part of phase five). Then they wrote a book.
The rest of the chapter is spent listing the results of the questionnaires. 30% of the questionnaires were filled out by people between 21 and 25, 21% hack for more than 12 hours a day, 44% use only one nick name, and so on. For like 15 pages. This is actually more interesting to read than I expected. The funniest part of the chapter are clearly the following two sentences.
The first question obviously specifies the gender of the subjects but is also necessary to explode one of the many false myths about the hacking world: that there are no females. In reality, at the moment of writing, 6% of the total responses received from this question (567) came from 32 girls and women who operate daily in the underground scene and are involved with hacking, while 94% (535 individuals) are males.
Now maybe I am wrong here but I always thought when people say things like "there are no female hackers" they do not mean that there is not a single female hacker in the whole wide world. I am pretty sure they mean that women are far outnumbered by men, maybe something like 94% to 6%.
Anyway, let's get to the next chapter. It's called "Who are Hackers? Part 1". This chapter is followed by one called "Who are Hackers? Part 2". These two chapters have the same structure and there is no obvious reason why these two chapters were not turned into one so I'll cover them both at once. Both chapters are basically continuations of the previous chapter. Instead of presenting raw results of their questionnaire, the authors now go into story mode. For more than 100 pages you are told stories about hackers. Sounds amusing at first, but this is unfortunately a turn for the worse. Here is why:
At first the authors give up their raw data. They have collected a few hundred questionnaires and yet this data is barely mentioned at all in these two chapters. The story mode description of their results, probably the result of the authors talking to hackers directly, is unfortunately indistinguishable from what I expect to find in hacker books that do not have any statistical data to back up the claims made by hackers in person. I can not understand why the authors did this instead of sticking to the collected data.
Another thing that really annoyed me in these two chapters is the constant proselytizing for the Hacker Ethic. Real hackers do not commit crimes. Real hackers follow the hacker ethic. People who damage computer systems are not really hackers. I did not count how often the authors stressed this point but it must have been at least half a dozen times. It certainly felt like more than 100 times and after a while I started reading "No real hacker" as "No true Scotsman" just to get over these parts without rolling my eyes too hard. No matter what you think about the Hacker Ethic, a book with an empirical and analytical pretense is not the right place to keep pushing for it.
The book ends with a two-pages chapter called "Conclusion" that is not worth describing.
So what am I thinking? I am thinking that this book could have been so much more than what it actually is. It started out well. The authors did their research. The data they collected is awesome. Unfortunately the book came too early. Maybe the HPP people should have finished their project first. Then they would have a wealth of statistical results for the collected data. With this additional data the story mode part would have been unnecessary. They could have stuck to the empirical aspects of their work. It is also not clear how the book is supposed to help police profilers. A chapter that explains how to connect the stories presented in the book with actual police work would have been interesting.
Just to clear this up though. I liked the book. Maybe this is why it pains me so much that it could have been so much better. I hope the HPP can be finished as planned and the authors write another book that covers all eight phases of the HPP.
Pro-Tip: On the HPP website you can find the questionnaire that was used to collect the data and PDF slides that are basically a summary of the book.