WDDinc Web Security Blog

Insight from the leader in secure application development

Help – I Think my Kid is a Script Kiddie


As a security guy I sometimes have friends and relatives asking me for professional advice, like “I lost my iPhone, can you help me look for it?” or “How do I delete my browser history, you know, in case my wife checks up on me?”. It’s not easy being a technical wizard amongst the masses.

The other day the mother of one of my daughter’s friends confessed her concern about her son being one of those Anonymous hackers. Well, she may not have asked it that way; I think she may have said something about having a computer at home. She (the mom) was young and cute, and even as a shy, geeky kid I tended to make up conversations in my head with girls (and now women) that are way out of my league.

In any case, I was thinking that if I could meet Jennifer (that’s the name of the cute mom) at school and give her a few hacker identification guidelines she might not have so many places to go when I see her – she always seems so busy.

After months of intensive research (well, maybe a few hours of intensive Googling), I think I’ve got this hacker profiling thing nailed; in fact I even have a name, script kiddies (or skiddie, skid, script bunny, and script kitty).

The first thing I picked up on is the fact that no one likes or respects script kiddies, except maybe other script kiddies. Phrases like “… little or no personal knowledge of hacking …”, “… giving hackers a bad name …”, and “… immature forms of vandalism …” were repeated over and over again (wiseGeek).

I was lucky enough to find a July 2000 article by Robert Lemos (ZDNet) in which his interviews with several script kiddies produced some very enlightening quotes from the kids themselves:

“It’s a way to escape a lot of the bullsh*t that I get in real life,” … “Because I don’t have that much going on in my life.”

“My dad just said, ‘now’ … that’s when I gotta get leaving.”

“The world we live (in) … everything is the same, so incredibly boring. I feel if I deface, at least, I’m making some kind of difference.”

“I’ll continue defacing, not as much as I used to, but I will be around.”

“Never deface any site in your own country or give information about yourself over the Internet.”

“Be nice, always, so no one will hate you.”

The kids in these interviews appeared to be young (still living at home?), bored and seemingly without a solid direction or purpose in their lives.

One of the more interesting script kiddie characteristics that I found was their apparent need to gain recognition among their peers by ‘tagging’ websites they had hacked. Tagging comes in the form of either pointless defacing of the site itself (inserting an obnoxious page into the site) or secretly inserting ‘graffiti’ text into the website code in places where only other script kiddies will come across it (this is called ‘web cracking’). Like legitimate video game players, script kiddies keep track of points ‘won’ with each website successfully breached.

While script kiddies have not gotten any more sophisticated over the years, the tools they use for hacking certainly have. Even with these very powerful tools, it is worth noting that most of the disdain ‘real’ hackers have for script kiddies stems from the fact that they use these ‘canned’ tools in perfunctory ways, without skill or creativity.

These easy-to-use tools bring up another script kiddie obsession – the building of large botnets that can be used for malicious purposes. Botnets are complex systems of zombie computers – PCs that have been hacked and infected with silent robot (bot) programs.

A bored script kiddie might take his botnet army of hundreds or thousands of bots and launch a Distributed Denial of Service (DDoS) attack on an unsuspecting commercial or government website, just for the glory it might grant him. Any commercial damage to the site would just be collateral damage that resulted from the botnet joy ride.

While I couldn’t find any documented correlation between script kiddies and hard-core video gamers, I couldn’t help but draw my own, uneducated comparisons. It is not unreasonable to think of the Internet as one heck of a computer game; one where the stakes are higher (arrest perhaps) and the rules far more fluid – just the thing for a bored kid with access to the Internet.

Like any well-established sub-culture, the world of script kiddies is fascinating to watch, difficult to fully understand from the outside and obviously intriguing to those within that world.

Given her obviously limited attention span, I don’t think Jennifer (remember, the cute mom) would have the time to discuss my script kiddie research. But (and this will impress her) all I need to do is ask if her son is a Facebook user. In the world of hackers, I have no doubt that Facebook users are even further down the respectability tree than Script Kiddies.

Finally, I need to confess to a bit of literary license. I’m happy to say I am very married to a wonderful woman who is way out of my league (even geeks get lucky), and there are no Jennifers in my life. I’m just as happy to say that my daughter spends endless hours on Facebook, and is not a script kiddie.
