This girl might not exist; but because we all really really want a 16 year old girl to be the hacker the discrepancies are glossed over (the art of a good lie is not giving too much detail and letting other people's imagination fill the gaps).
On the other hand, the personality strikes me strongly as female, so if it is a facade it is a very well constructed one, which the imposter empathises with.
But, on the whole, the setup "feels" wrong (and I tend to trust my instincts in such matters).
I could on average phish about an account a minute and I was never figured out. I only fell out of character once, to warn an 18-year-old kid that talking to 14-year-old girls sexually online wasn't the best use of his time. He freaked out and thought I was a cop!
It's relatively trivial to do this; most people will ignore minor slip-ups provided you have the right context. I would set context by doing the following:
1. I would set my profile to the geolocation of the room I intended to work. I would then find a school and neighborhood to say I was from.
2. I would suggest I was home sick (and thus alone).
3. I would use an innocent, although sexual, name in my username like "booty".
4. I would use emoticons and "hehe" on probably 75% of all messages sent.
5. I would let them contact me first. If you contact them they get scared. If they contact you, they feel like they are in control.
For example, I could tell them the wrong name and many wouldn't notice, or if they did simply saying, "Oh, that's my middle name" is usually sufficient.
With all that said, anyone know of a way I could use my experiences and ability at social engineering online in a legit manner?
See if Chris Hansen is hiring?
That last bit makes absolutely no sense. It's easier to learn SQL injection than the many, many different ways that memory management can go wrong. References to her memorising Windows Opcodes sound like a random phrase thrown in for credibility (you do after a while remember certain functions - 11 years after writing my first ARM shellcode I still remember it, even though I'll probably never use it).
The whole description of how she progressed just doesn't sound right. You can be up and running with SQL injection in less than an hour; learning buffer overflows and understanding them properly probably takes about a day and a bit at best (and that's assuming that you know C, how to use a debugger and how a compiler works). The Micro-SD strategy also seems a little extreme (but is viable; our testing gets done under a VM, and there's no reason why that couldn't go on a micro SD card).
I'm calling BS on Kayla being a girl, mainly because the story just doesn't fit right compared to the application of Occam's Razor - that this is someone else trying to cover their tracks.
I remember I started learning in C, reading security and working on Perl all at the same time. I didn't even know about SQL for a couple of years after that. This was in the late 90's and early 00's though; things were a bit different, but it isn't improbable nor impractical to have this learning curve in a semi-self-taught way. It is even less improbable given that her dad probably taught what he knew best, C and kernel stuff.
When I was a kid, my grandfather was an electrician. I grew up learning about house wiring, and how to do it properly and quickly. I learned how to solder and do stuff with wires long before I ever did basic electronic theory stuff. It never occurred to me that 120VAC was any more dangerous than a small fire. Imagine my surprise when in college I first encountered these professors who were terrified of wall current ('of course it will hurt you, just don't be stupid' is still how I think of both fire and electricity; the stuff isn't magic). I was confused when we went over stupid "this is how a DPDT switch works" and annoyed that we never played with any circuits more advanced than I grew up doing for over a year. I had never had any basic electronic theory at that point.
So: do you disbelieve me because I didn't learn in some natural progression as an electrician apprentice would? Because I didn't learn in the order the courses laid out in college?
tl;dr -- the idea of a "natural progression" in learning is just bunk.
It is an awesome story, though. Regardless of whether it's true or not, it's effective at both rallying the neckbeards and shaming opponents. It's funny to see how much deference is paid to her on IRC, although I only started going there after news of the HBGary incident broke, so she already had quite a lot of cred.
`k may or may not be a 16 year old girl, but it's a hell of a troll if she isn't. I'm not aware of many anons who could pull something like that off for so long. There were a few back in the day who had managed to become trusted enough at anontalk to get promoted to wiseguys, but that took a couple months, not a couple years. For that reason, as well as her general demeanor, I'm inclined to believe her.
But then of course the smartest ones are the people no one will ever hear about, so who knows.
Basically, everyone is excited because she's a girl.
"Meanwhile she refuses to be chained to her computer, limiting herself to a few hours a night online. She rarely visits online forums ("they’re boring") and a few days a week takes a course in college to further her goal of being a teacher. She lives in an English-speaking country (not the U.K.) but won’t say more about it."
So the previous paragraph stated she was "memorizing Windows Opcodes and scouring source code for exploitable bugs", but then suddenly she only spends a few hours online? Not likely. Most hardcore hackers I know don't just drop off the radar. The hunt to break into systems is like a drug. I have yet to read about, or know any hacker who simply spends a few hours online a day. At the speed internet security moves, this person's knowledge would be useless inside of 6 months.
Also, how does this person maintain her expert hacker knowledge with a few cursory hours a day on the internet? Literally impossible. Add in the admission she deletes all her emails and wipes all her drives clean? Really? Does this person memorize every line of code she uses then?
My conclusion? A carefully crafted profile of an Anon personality. Although I have no doubt this person probably exists, it certainly is not a 16 year old girl, and a majority of the information in the article is total BS. When you apply some very basic logic, the story just falls apart.
I agree that the persona is bullshit and that 'she' is probably a mid-to-late 20s male but...
Where does it say that she/he deletes or wipes all her drives clean? It only says that (s)he wipes her web accounts. From reading the article, (s)he keeps her personal files/documents on a MicroSD card; quite a smart and disposable solution really.
Perhaps the personal files are encrypted also? It's interesting to imagine what other steps you could take to protect your privacy; it probably wouldn't be too difficult to do alternating sharding at the bit and byte level over SSH with off-site storage (half on MicroSD, half off-site). Does any tool do something similar currently? You could even put a self-destruct timer on the off-site storage (if last_login > 5 days ago: format hard drive with 40-pass erase) or maybe a kill-switch containing sensitive information (a la Wikileaks).
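The "half on MicroSD, half off-site" idea above has a pitfall worth seeing in code: if the split is done by alternating bytes, each half is still readable plaintext, just thinned out. Splitting with a random XOR pad instead gives two shares that are each uniformly random, so losing one medium leaks nothing. The following is an added example written for this thread, not a tool from the commenter or from the article; the sample document and the `printable_ratio` leakage probe are constructed for the demonstration.

```python
from __future__ import annotations
import os

# Constructed sample document (not a real file from the thread).
SAMPLE_DOCUMENT = b"constructed sample: notes kept on the MicroSD card, nothing real here"


def split_alternating(secret: bytes) -> tuple[bytes, bytes]:
    """The scheme the comment describes: even-indexed bytes go to one medium,
    odd-indexed bytes to the other. Each half is plaintext, merely thinned out."""
    return secret[0::2], secret[1::2]


def join_alternating(even: bytes, odd: bytes) -> bytes:
    """Interleave the two halves back into the original byte string."""
    out = bytearray()
    for i in range(max(len(even), len(odd))):
        if i < len(even):
            out.append(even[i])
        if i < len(odd):
            out.append(odd[i])
    return bytes(out)


def split_xor(secret: bytes) -> tuple[bytes, bytes]:
    """Two-share XOR splitting: share A is a fresh random pad of the same length,
    share B is secret XOR A. Either share alone is uniformly random, so whoever
    holds only the MicroSD (or only the off-site copy) learns nothing."""
    share_a = os.urandom(len(secret))
    share_b = bytes(s ^ a for s, a in zip(secret, share_a))
    return share_a, share_b


def join_xor(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine the two shares; both are required, and they must be the same length."""
    if len(share_a) != len(share_b):
        raise ValueError("share length mismatch: these shares do not belong together")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def printable_ratio(data: bytes) -> float:
    """Crude leakage probe: fraction of bytes that are printable ASCII.
    A share of an English text file scores about 1.0 if it still carries the text
    and about 95/256 (roughly 0.37) if it is indistinguishable from random noise."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b <= 126) / len(data)


def demo() -> dict:
    """Run both schemes over the sample document and report what each half reveals."""
    even, odd = split_alternating(SAMPLE_DOCUMENT)
    share_a, share_b = split_xor(SAMPLE_DOCUMENT)
    return {
        "alternating_roundtrip": join_alternating(even, odd) == SAMPLE_DOCUMENT,
        "alternating_half_printable": printable_ratio(even),   # about 1.0: readable text
        "alternating_half_preview": even.decode("ascii", "replace"),
        "xor_roundtrip": join_xor(share_a, share_b) == SAMPLE_DOCUMENT,
        "xor_share_printable": printable_ratio(share_a),       # about 0.37: looks like noise
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

XOR splitting only protects confidentiality; a corrupted or swapped share recombines into garbage without complaint, so in practice each share would also carry a MAC or the recombined file would be checked against a stored hash before use.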
Some of the other discrepancies, though, look more suspicious. The very notion that a security-conscious person who has just committed a federal crime would spill so much about his/her life in a random newspaper article reeks of BS.
I've always known C was just a gateway to the dangerous stuff.
And people call me paranoid. :)
If that is true, online account operators, email providers could link this type of behavior to one of their members quite quickly.
For 5+ years, I've been downloading my email with fetchmail, which deletes the message on the server. Once a minute. I don't like the thought of my emails sitting in the cloud for too long.
And then I was thinking about how the police sometimes "leak" that the suspect in some crime is a weak, pathetic individual whom nobody really cares about, in hopes that they will offend the real suspect, who will then self-identify in defense of their honor. If you thought the Anonymous ringleader on the HBGary hack was some teenage guy, then the best way to provoke a response would be to either call him gay or a girl, it seems.
I wonder how well the e-book Ars put out is selling. And more importantly, if it's really successful I wonder if these people who did this are comfortable with someone getting rich off their exploits?
You see? The twisted depths to which you go if you start down these paths. Sheesh.
I've used FDE for many years simply out of precaution against theft.
Look at Mafiaboy back in 2000 -- he took down Yahoo!, Amazon.com, Dell, Inc., E*TRADE, eBay, and CNN. I'm not even sure that he was 16 yet (I don't have his age offhand).
Is this a crazy and possibly fake story? Of course. Does that mean that it can't be true? Not by a long shot.
I work in information security, and at 16 knew a hell of a lot about SQL injection, buffer overflows, cross site scripting and oodles of other vulnerability classes. This girl didn't work alone, but part of a hacker group -- to me, it seems totally feasible.
I'm not saying that we should take every word an anonymous "16 year old girl" says on the Internet as absolute fact, but discounting this attack because it seems like a girl couldn't pull it off seems sexist and wrong. Again, if this were some pimply-faced male high schooler, no one would bat an eye.
I doubt that the character is really a 16-year-old girl because she's telling Forbes she's a 16-year-old girl.
If 'k said he were a 16-year-old boy, I'd doubt he were a 16-year-old boy.
If 'k said she were a 33-year-old quant on Wall St., I'd doubt she were a 33-year-old quant. Etc.
I just seriously doubt that this character is giving any real identifiable information to Forbes.
From http://www.hackerfactor.com/GenderGuesser.php
Genre: Informal Female = 171 Male = 182 Difference = 11; 51.55% Verdict: Weak MALE
Weak emphasis could indicate European.
From http://bookblog.net/gender/analysis.php
Female Score: 94 Male Score: 133
The Gender Genie thinks the author of this passage is: male!
Grepped this, which ars technica claims is a real chat log. She says just under 200 words on this log, and it comes up as weak male again on Gender Guesser and male on Gender Genie. Her username of `k is removed for the analysis. http://pastebin.com/x69Akp5L
Here's the article where Ars Technica links to that pastebin http://arstechnica.com/tech-policy/news/2011/02/how-one-secu...
Genre: Formal Female = 509 Male = 971 Difference = 462; 65.6% Verdict: MALE
Computing represents a pretty specialized topic, and most of the sample data with computing-related discussion will be from men. It would be pretty tough for any simple Bayesian analysis to account for this.
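The topic-skew problem described above can be reproduced with a few lines of naive Bayes. The following is an added example for this thread, not the implementation of Gender Guesser or Gender Genie (both use their own word lists and weights); the training rows are a constructed toy corpus in which computing vocabulary appears only in male-labelled samples, exactly the skew the comment warns about. The result is that a sentence full of feminine cues is still scored "male" as soon as it talks about exploits and kernels.

```python
from __future__ import annotations
import math
from collections import Counter

# Constructed toy training set (not real data). Computing vocabulary appears only
# in the male-labelled rows, mirroring the sample skew the comment describes.
TRAIN = [
    ("female", "went to the park with my sister and we talked about her wedding"),
    ("female", "she loves baking and her garden is lovely this spring"),
    ("female", "my friend and i watched a film and laughed all evening"),
    ("female", "the new cafe downtown has the most wonderful tea"),
    ("male", "the kernel panicked after the driver overflow corrupted its buffer"),
    ("male", "i patched the shellcode and the exploit finally worked"),
    ("male", "compiler flags and debugger breakpoints fixed the crash"),
    ("male", "sql injection on the login form dumped the database"),
]


def tokenize(text: str) -> list[str]:
    return text.lower().split()


def train(rows):
    """Multinomial naive Bayes: per-class document counts, per-class word counts, vocabulary."""
    class_docs: Counter = Counter()
    class_words: dict[str, Counter] = {}
    vocab: set[str] = set()
    for label, text in rows:
        class_docs[label] += 1
        counts = class_words.setdefault(label, Counter())
        for word in tokenize(text):
            counts[word] += 1
            vocab.add(word)
    return class_docs, class_words, vocab


def log_scores(model, text: str) -> dict[str, float]:
    """Unnormalised log posterior for each class."""
    class_docs, class_words, vocab = model
    n_docs = sum(class_docs.values())
    scores = {}
    for label, n in class_docs.items():
        total = sum(class_words[label].values())
        lp = math.log(n / n_docs)  # class prior
        for word in tokenize(text):
            # Laplace smoothing: a word unseen in this class must not zero it out
            lp += math.log((class_words[label][word] + 1) / (total + len(vocab)))
        scores[label] = lp
    return scores


def posterior(model, text: str) -> dict[str, float]:
    """Normalise the log scores into probabilities that sum to 1."""
    scores = log_scores(model, text)
    top = max(scores.values())
    z = sum(math.exp(v - top) for v in scores.values())
    return {label: math.exp(v - top) / z for label, v in scores.items()}


def classify(model, text: str) -> str:
    scores = log_scores(model, text)
    return max(scores, key=scores.get)


MODEL = train(TRAIN)

if __name__ == "__main__":
    for sentence in (
        "she and her sister loved baking",
        "she wrote an exploit for the kernel buffer overflow bug",
    ):
        print(f"{sentence!r}: {classify(MODEL, sentence)} {posterior(MODEL, sentence)}")
```

The second sentence keeps "she" and changes nothing else about the writer, yet the verdict flips because every technical token was seen only under one label. Any stylometric verdict on a chat log about hacking inherits this bias from its training data, which is the caveat to keep in mind when reading the scores quoted above.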
(Using a gender guesser is genius though)
Kayla first asks for root password using two passwords that she already has but might not necessarily be the root one. She also already knows that remote root isn't allowed. This way:
1) She'd get the root password e-mailed to her if it wasn't one of those two. "No, it's not those, it's '<password>'."
2) She sets up her point of entry.
Great stuff.
obvious troll is obvious
Maybe instead of asking questions about her here, you ask her like i did?
kayla@anonleaks.ch
If she really is who she said she is that's one smart kid!
http://www.guardian.co.uk/technology/2011/mar/17/us-spy-oper...
FML, I have a CS degree and still can't program ASM.
I don't remember any such exploit. You could produce that image by posting a lot.
Your complaint does not represent majority usage in English, let alone modern usage.
http://ngrams.googlelabs.com/graph?content=girl+that,girl+wh...
Middle school English teachers love to invent simple rules of the language that don't reflect actual usage very well. The choice between "that" and "who" as relativisers is subtle, and the animacy constraint doesn't explain the facts of how people speak.
1) usage is disputed at a level beyond middle school English.
2) "that" is often preferred for restrictive clauses.
Oh the horror.
1. Using the same computer that connects via phone, wireless, etc. and then using any email service.
2. Machine characteristics: since they cannot get the machine ID they go for the next best digital fingerprint, i.e. operator grammar/typos, CPU speed, RAM size, etc.
3. Websites have visitor logs; the trackback to you eventually gets fleshed out.
I think the Forbes article writer got played..