
Is This The Girl That Hacked HBGary? - r11t
http://blogs.forbes.com/parmyolson/2011/03/16/is-this-the-girl-that-hacked-hbgary/
======
ErrantX
This could very likely be a carefully (and cleverly) constructed identity.

This girl might not exist; but because we all really really want a _16 year
old girl_ to be the hacker the discrepancies are glossed over (the art of a
good lie is not giving too much detail and letting other people's imagination
fill the gaps).

On the other hand the personality strikes me strongly as female, so if it is
a facade it is a very well constructed one, which the imposter empathises
with.

But, on the whole, the setup "feels" wrong (and I tend to trust my instincts
in such matters).

~~~
noahc
When I had a lot more time, I would go into Yahoo chat and basically phish for
pedophiles' usernames/passwords. I can tell you that a "hehe" after anything
will set the hook.

I could on average phish about an account a minute and I was never figured
out. I only fell out of character once to warn an 18 year old kid, that
talking to 14 year old girls sexually online wasn't the best use of his time.
He freaked out and thought I was a cop!

It's relatively trivial to do this, most people will ignore minor slip ups
provided you have the right context. I would set context by doing the
following:

1. I would set my profile to the geolocation of the room I intended to work.
I would then find a school and neighborhood to say I was from.

2. I would suggest I was home sick (and thus alone).

3. I would use an innocent, although, sexual name in my username like "booty"

4. I would use emoticons and "hehe" on probably 75% of all messages sent.

5. I would let them contact me first. If you contact them they get scared. If
they contact you, they feel like they are in control.

For example, I could tell them the wrong name and many wouldn't notice, or if
they did simply saying, "Oh, that's my middle name" is usually sufficient.

With all that said, anyone know of a way I could use my experiences and
ability at social engineering online in a legit manner?

~~~
lsb
Welcome to the internet, where the men are men, the women are men, and the
kids are cops.

<http://news.ycombinator.com/item?id=1546789>

~~~
pyre
That phrase is older than Hacker News. I could have sworn that it used to be
on bash.org, but the best reference I can find is:

<http://www.urbandictionary.com/define.php?term=kids+are+the+fbi>

I'm pretty sure the phrase even predates 4chan though... Most likely
originates from USENET or IRC.

~~~
nostrademons
Definitely older than Hacker News. I got it from Reddit, and I think Reddit
got it from UseNet (possibly via 4chan or IRC).

I paraphrased though, and the grandparent post must have a better memory (or
better Google skills) than me, which is probably why you can't find an exact
match...

~~~
jacobolus
The oldest versions I've heard went something like “Welcome to the internet,
where the men are men, the women are men, and the children are FBI agents.”

Example from 2001: <http://www.bash.org/?2832>

Pretty sure the line goes back further than that though.

My guess is that it’s a parody of A Prairie Home Companion’s line about “Lake
Wobegon, where all the women are strong, all the men are good looking, and
all the children are above average.” Though that might itself be playing on
some earlier such line?

~~~
danohuiginn
I think of the hitch-hikers guide to the galaxy (from the 70s?): "Where men
are real men, women are real women and small furry creatures from Alpha
Centauri are real small furry creatures from Alpha Centauri."

Which is presumably itself a parody, I'd guess of some standard line from a
Western. But I couldn't pin it down to exactly where.

------
darksaga
My bs meter was high for a number of reasons. This paragraph was the most
notable:

"Meanwhile she refuses to be chained to her computer, limiting herself to a
few hours a night online. She rarely visits online forums "they’re boring" and
a few days a week takes a course in college to further her goal of being a
teacher. She lives in an English-speaking country not the U.K. but won’t say
more about it"

So the previous paragraph stated she was "memorizing Windows Opcodes and
scouring source code for exploitable bugs", but then suddenly she only spends
a few hours online? Not likely. Most hardcore hackers I know don't just drop
off the radar. The hunt to break into systems is like a drug. I have yet to
read about, or know any hacker who simply spends a few hours online a day. At
the speed internet security moves, this person's knowledge would be useless
inside of 6 months.

Also, how does this person maintain her expert hacker knowledge with a few
cursory hours a day on the internet? Literally impossible. Add in the
admission she deletes all her emails and wipes all her drives clean? Really?
Does this person memorize every line of code she uses then?

My conclusion? A carefully crafted profile of an Anon personality. Although I
have no doubt this person probably exists, it certainly is not a 16 year old
girl, and a majority of the information in the article is total BS. When you
apply some very basic logic, the story just falls apart.

~~~
davej
> Add in the admission she deletes all her emails and wipes all her drives
> clean? Really? Does this person memorize every line of code she uses then?

I agree that the persona is bullshit and that 'she' is probably a mid-to-late
20s male but...

Where does it say that she/he wipes all her drives clean? It only says
that (s)he wipes her web accounts. From reading the article, (s)he keeps her
personal files/documents on a MicroSD card; quite a smart and disposable
solution really.

Perhaps the personal files are encrypted also? It's interesting to imagine
what other steps you could take to protect your privacy, it probably wouldn't
be too difficult to do alternating sharding at the bits and bytes level over
SSH with off-site storage (Half on MicroSD, half off-site), does any tool do
something similar currently? You could even put a self-destruct timer on the
offsite storage (if last_login > 5 days ago: format hard drive with 40-pass
erase) or maybe a kill-switch containing sensitive information (ala
Wikileaks).

~~~
cakeface
_She has no physical hard drive and boots her computer from a microSD card. "I
could hide this card anywhere or chew into a million pieces in a few seconds,"
she says by e-mail._

------
Vivtek
_Dad allegedly showed her how to find bugs in C source code and exploit them.
It was all harmless and Kayla had only been using the Internet to talk to
friends on MSN. But she began looking into hacking, and learned scripting
languages like Perl..._

I've always known C was just a gateway to the dangerous stuff.

~~~
ewan
Everywhere I've lived public service announcements say that "E" is the gateway
to dangerous stuff

------
aphyr
_Each night she wipes every one of her web accounts and deletes every email in
her inbox. She has no physical hard drive and boots her computer from a
microSD card. “I could hide this card anywhere or chew into a million pieces
in a few seconds,” she says by e-mail. She keeps her operating system on a USB
stick and uses a virtual machine (VM) to carry out her online shenanigans._

And people call _me_ paranoid. :)

~~~
wildmXranat
> Each night she wipes every one of her web accounts and deletes every email in
> her inbox ...

If that is true, online account operators, email providers could link this
type of behavior to one of their members quite quickly.

~~~
storborg
Not to mention that she gave a lot of personal history surrounding her parents
and family history. That might not uniquely identify her, but it does narrow
the search considerably. My guess: if he/she is even a single real person,
much of this is fabricated.

~~~
antihero
I think it reeks of fabrication. It's probably some geek living out their
alter ego or something.

~~~
jackolas
Though getting it into Forbes is quite brilliant especially if it all revolves
around a real person.

~~~
JanezStupar
Someone is having quite a blast at the moment, unless Forbes made the whole
thing up.

------
arkitaip
Wait, Forbes actually linked to <http://encyclopediadramatica.com/Lulz> ? HAH.

~~~
rikthevik
I'd really like to see the look on the face of the average Forbes reader after
clicking on an ED link.

~~~
mishmash
And "ED" likely means something entirely different to what I imagine the
typical Forbes reader to be.

------
SageRaven
Is the phrase "Windows Opcodes" (from the article) a subtle troll on the part
of "k" or a journalistic goof? I'm no programmer by any stretch, but that
phrase jumped out at me as phony. I know there are system calls for operating
systems, and opcodes are processor instructions, so this use of the term
raised my b.s. meter a notch.

~~~
dguido
Hate to break it to you but that actually means something. The technical
details are surprisingly on target for being written by a tech journalist.

Ex. <http://www.metasploit.com/users/opcode/syscalls.html>

~~~
SageRaven
Not sure I see your point. Sure, the URL has "opcode" in it, but the page
clearly says "Windows System Call Table" -- nowhere is the word "opcode"
mentioned on that page.

------
david_shaw
I'm not particularly close to this issue, but the sexism I'm seeing here is
pretty astounding. If this were a 16 year old guy, no one would bat an eyelid.
Seriously.

Look at Mafiaboy back in 2000 -- he took down Yahoo!, Amazon.com, Dell, Inc.,
E*TRADE, eBay, and CNN. I'm not even sure that he was 16 yet (I don't have his
age offhand).

Is this a crazy and possibly fake story? Of course. Does that mean that it
can't be true? Not by a long shot.

I work in information security, and at 16 knew a hell of a lot about SQL
injection, buffer overflows, cross site scripting and oodles of other
vulnerability classes. This girl didn't work alone, but part of a hacker group
-- to me, it seems totally feasible.

I'm not saying that we should take every word an anonymous "16 year old girl"
says on the Internet as absolute fact, but discounting this attack because it
seems like a girl couldn't pull it off seems sexist and wrong. Again, if this
were some pimply-faced male high schooler, no one would bat an eye.

~~~
brazzy
Nobody's saying that it _can't_ be real because girls don't grok tech and
16-year-olds are stupid. They're saying it's _unlikely_ to be real because
statistically, the number of 16-year-old girl hackers is very small (relative
to 25-year-old male hackers), there's a huge history of fake personas in
hacking (and especially around Anonymous), and a 16-year-old girl is a very
useful persona to get attention.

------
nrkn
Using the quotes from the article, however too few words to analyze properly,
so inconclusive, but still...

From <http://www.hackerfactor.com/GenderGuesser.php>

Genre: Informal
Female = 171
Male = 182
Difference = 11; 51.55%
Verdict: Weak MALE

Weak emphasis could indicate European.

From <http://bookblog.net/gender/analysis.php>

Female Score: 94
Male Score: 133

The Gender Genie thinks the author of this passage is: male!

~~~
citricsquid
Everything I write comes out as female and I'm... not. I wouldn't trust that
(or maybe I should question my gender...)

~~~
jamesgeck0
Perhaps you should use... fewer ellipses? There are several grammatical
patterns females use more than males (and vice versa). I assume that's how the
test works, anyway.

------
Udo
This is Anonymous we're talking about. Isn't "16 year old girl" a well-known
colloquialism on 4chan, normally used to convey the stereotype of a
middle-aged, balding geek still living in his parents' basement who likes to
use fake online personas? Forbes got trolled in a monumental fashion.

~~~
socillion
It's a synonym for attention whore.

------
makmanalp
Whoever it is, they are a genius of deception. Check this out:
<http://pastebin.com/tSiQevxe>

Kayla first asks for root password using two passwords that she already has
but might not necessarily be the root one. She also already knows that remote
root isn't allowed. This way:

1) She'd get the root password e-mailed to her if it wasn't one of those two.
"No, it's not those, it's '<password>'."

2) She sets up her point of entry.

Great stuff.

------
bl4k
so she goes to extraordinary lengths to cover up her online activity, but
grants an interview to a national news outlet where she divulges a large part
of her personal history?

obvious troll is obvious

------
pinguar
This story reminds me of Hit-Girl and Big Daddy from the Kick-Ass movie.

~~~
Cococabasa
I heard there is excessive camp in this movie, but I'll check it out.

~~~
btipling
No, no there isn't. There is just awesomeness.

------
dr_
If the government is going after these people it should be for one reason only
- to hire them. Maybe with this kind of talent working together we could find
out where rogues like OBL are hiding.

~~~
dexen
A work offer for a hacker is sometimes feared to be just the bait of a trap.
The trap is said to spring once the hacker admits taking part in the hack.

Compare <http://news.ycombinator.com/item?id=2245786>

------
samfax
I think the reason people keep saying she is fake is because they don't want
to believe someone so young is capable of doing what she did. I've spoken to
her via email and she said she doesn't care what people think about her, she's
going to do what she does regardless and she has my full support.

Maybe instead of asking questions about her here, you ask her like I did?

kayla@anonleaks.ch

If she really is who she said she is that's one smart kid!

------
defroost
Soon you are not going to know if anyone that you interact with online is who
they say they are. The Pentagon has awarded a contract to a Silicon Valley
company to develop software that creates fake personas that can then influence
the "conversation" by spreading US propaganda. Each operator will be able to
create up to 10 "personas". A friend just sent me a link about the Pentagon's
decidedly Orwellian "sock puppet" software:

<http://www.guardian.co.uk/technology/2011/mar/17/us-spy-operation-social-networks>

------
pippy
>By the time Kayla was 14 she could fully program C and x86 assembly.

FML, I have a CS degree and still can't program ASM.

------
nkassis
If you're going to pick a fake identity would you pick one that would get you
attention like this? Seems like a fake identity but not sure it's the best
one.

~~~
tomjen3
The best fake identity is a real one that everybody believes is fake.

~~~
famousactress
.. and one that everyone wants to be real.

------
astrange
> In December 2008, she wrought havoc on one of the most famous forums of all,
> 4chan’s notorious /b/ channel, finding and exploited an SQL injection bug on
> its content management system, hacking in and causing mayhem on the forum
> for a few hours.

I don't remember any such exploit. You could produce that image by posting a
lot.

------
dkasper
Forbes is being trolled.

~~~
personalcompute
I don't think they care. Forbes is full of yellow journalism and fake stories
drive hits just as much as real stories.

------
andyv
Since the girl is a person and not a thing, it should be "... girl _who_
hacked hbgary". r11t copied the mistake from Forbes-- How do national
magazines make grammatical errors like this? Don't these people have editors
who at least earned a passing grade in middle school English?

~~~
jemfinch
Shakespeare wrote in the Merchant of Venice of "the man that hath no music in
himself". Mark Twain wrote a short story titled "The Man that Corrupted
Hadleyburg". Ira Gershwin wrote a popular song titled "The Man that Got Away".
These are just the examples easily available on Wikipedia.

Your complaint does not represent _majority_ usage in English, let alone
modern usage.

------
shareme
Ways they track you:

1. Using same computer that connects via phone, wireless, etc and then using
any email service.

2. Machine characteristics since they cannot get the machine ID they go for
the next best digital finger print ..ie operator grammar/typos..cpu speed, ram
size, etc.

3. Websites have visitor logs..the track back to you eventually gets fleshed
out.

I think the Forbes article writer got played..

------
calvinfroedge
If this is true lol, it makes me feel small haha. Kudos to omg@ Kayla (if she
exists lol) = D lol hehe rofl omg

