<?xml version="1.0" encoding="utf-8" ?>

<rss version="2.0" 
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:admin="http://webns.net/mvcb/"
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
   xmlns:wfw="http://wellformedweb.org/CommentAPI/"
   xmlns:content="http://purl.org/rss/1.0/modules/content/"
   xmlns:creativeCommons="http://backend.userland.com/creativeCommonsRssModule">
<channel>
    <title>T3 Blog - Security &amp; Privacy</title>
    <link>http://t3technet.com/blog/</link>
    <description>Rants, Informations, &amp; Things Probably Best Left Unsaid</description>
    <dc:language>en</dc:language>
    <generator>Serendipity 1.2 - http://www.s9y.org/</generator>
    <pubDate>Thu, 17 Dec 2009 07:41:38 GMT</pubDate>

    <image>
        <url>http://t3technet.com/blog/templates/default/img/s9y_banner_small.png</url>
        <title>RSS: T3 Blog - Security &amp; Privacy - Rants, Informations, &amp; Things Probably Best Left Unsaid</title>
        <link>http://t3technet.com/blog/</link>
        <width>100</width>
        <height>21</height>
    </image>

<item>
    <title>Hacker Mentality and the INTP (Jack of All Trades) personality</title>
    <link>http://t3technet.com/blog/index.php?/archives/12-Hacker-Mentality-and-the-INTP-Jack-of-All-Trades-personality.html</link>
            <category>Security &amp; Privacy</category>
    
    <comments>http://t3technet.com/blog/index.php?/archives/12-Hacker-Mentality-and-the-INTP-Jack-of-All-Trades-personality.html#comments</comments>
    <wfw:comment>http://t3technet.com/blog/wfwcomment.php?cid=12</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://t3technet.com/blog/rss.php?version=2.0&amp;type=comments&amp;cid=12</wfw:commentRss>
    

    <author>nospam@example.com (Tom Johnson)</author>
    <content:encoded>
    &lt;blockquote class=&quot;standard&quot;&gt;A hacker is someone who thinks outside the box. It&#039;s someone who discards conventional wisdom, and does something else instead. It&#039;s someone who looks at the edge and wonders what&#039;s beyond. It&#039;s someone who sees a set of rules and wonders what happens if you don&#039;t follow them. A hacker is someone who experiments with the limitations of systems for intellectual curiosity. - &lt;a href=&quot;http://www.schneier.com/blog/archives/2006/09/what_is_a_hacke.html&quot;&gt;Bruce Schneier&lt;/a&gt;&lt;/blockquote&gt;&lt;br /&gt;
&lt;br /&gt;
In the rather well-known, at least among certain circles, &lt;a href=&quot;http://catb.org/esr/faqs/hacker-howto.html#attitude&quot;&gt;&quot;How to become a Hacker&quot;&lt;/a&gt;, Eric S. Raymond lists the five attitudes that make up the hacker mindset (listed below). Eric expounds on the items at the link given, but I have also come across a commentary on this list over at &lt;a href=&quot;http://suntzu23.blogspot.com/2006/11/five-principles-of-hacker-mindset.html&quot;&gt;SunTzu blog&lt;/a&gt;.&lt;br /&gt;
&lt;u&gt;ESR&#039;s 5 attitudes&lt;/u&gt;&lt;br /&gt;&lt;ol&gt;
&lt;li&gt;The world is full of fascinating problems waiting to be solved.&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;No problem should ever have to be solved twice.&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;Boredom and drudgery are evil.&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;Freedom is good.&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;Attitude is no substitute for competence.&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;h3&gt;Hacker vs. Cracker&lt;/h3&gt;&lt;br /&gt;
One thing that Eric Raymond as well as many others have tried to do is distinguish the word &quot;hacker&quot; from the word &quot;cracker.&quot; For quite some time I also tried to correct people regarding this particular distinction in the English language, but for the most part I&#039;ve given up on it. It still tends to be a pet peeve of mine as I think it&#039;s simpler and more meaningful than the &quot;black hat&quot;/&quot;white hat&quot;/&quot;grey hat&quot; thing which doesn&#039;t seem to get used much other than in computer security circles. The general usage and understanding of the term &quot;hacker&quot; has become mostly that which the media has portrayed it as, at least among the general population. In the field of computer professionals it&#039;s a little more blurry, since it could mean anything from the traditional definition found in the &lt;a href=&quot;http://www.catb.org/jargon/html/H/hacker.html&quot;&gt;Jargon File&lt;/a&gt; to the most diabolical media portrayal or anything in between depending on who&#039;s talking. At this point I pretty much agree with Bruce Schneier&#039;s view on the whole thing.&lt;br /&gt;
&lt;blockquote class=&quot;inline&quot;&gt;For years I have refused to play the semantic &quot;hacker&quot; vs. &quot;cracker&quot; game. There are good hackers and bad hackers, just as there are good electricians and bad electricians. &quot;Hacker&quot; is a mindset and a skill set; what you do with it is a different issue. - &lt;a href=&quot;http://www.schneier.com/blog/archives/2006/09/what_is_a_hacke.html&quot;&gt;Bruce Schneier&lt;/a&gt; &lt;/blockquote&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;h3&gt;What is the typical personality type of a hacker?&lt;/h3&gt;&lt;br /&gt;
&lt;blockquote class=&quot;standard&quot;&gt;In terms of Myers-Briggs and equivalent psychometric systems, hackerdom appears to concentrate the relatively rare INTJ and INTP types; that is, introverted, intuitive, and thinker types (as opposed to the extroverted-sensate personalities that predominate in the mainstream culture). ENT[JP] types are also concentrated among hackers but are in a minority. - &lt;a href=&quot;http://catb.org/jargon/html/personality.html&quot;&gt;excerpt from: A Portrait of J Random Hacker&lt;/a&gt;&lt;/blockquote&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a id=&quot;INTP&quot; name=&quot;INTP&quot;&gt;&lt;h3&gt;Some info on INTP types&lt;/h3&gt;&lt;/a&gt;&lt;br /&gt;
My own MBTI personality type is INTP, which is a type estimated to comprise only 1-3% of the population, depending on the source. It is considered to be one of the rarest personality types. The most in-depth profile of this personality type that I have seen can be found at &lt;br /&gt;
&lt;a href=&quot;http://www.intp.org/intprofile.html&quot;&gt;http://www.intp.org/intprofile.html&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
A short highlights version from another source: &lt;br /&gt;
&lt;blockquote class=&quot;standard&quot;&gt;&lt;br /&gt;
&lt;ul&gt;&lt;li&gt; INTPs are open ended, logical, analytical; focused on exploring possibilities&lt;/li&gt;&lt;br /&gt;
&lt;li&gt; Systems thinkers; see and create complex models and frameworks&lt;/li&gt;&lt;br /&gt;
&lt;li&gt; Flexible, resourceful and independent; seek freedom of action&lt;/li&gt;&lt;br /&gt;
&lt;li&gt; Summarize, integrate, and identify key issues and zero in on root causes of problems&lt;/li&gt;&lt;br /&gt;
&lt;li&gt; INTPs conceptualize and initiate long-term strategic solutions and opportunities&lt;/li&gt;&lt;br /&gt;
&lt;/ul&gt;excerpt from Introduction to Type&amp;#174; and Communication, p 40 by Donna Dunning&lt;br /&gt;
Published by CPP Inc, &amp;#169;Copyright 2003&lt;/blockquote&gt; &lt;br /&gt;
&lt;br /&gt;
The INTP individual is commonly referred to as a Jack of all trades, master of none. However, as an INTP, based on my own personal experience and observation, it should be more like &#039;...master of some&#039;, or somewhat along the lines of what is considered the complete quote, &quot;Jack of all trades, master of none, though oft times better than master of one!&quot;, the origin of which I have so far been unable to find. &lt;br /&gt;
Anyway, the love of gaining new knowledge, applying logic, and constantly solving complex theoretical problems, combined with the general dislike of the boring, mundane, and repetitive, tends to result in the general lack of mastery among subjects. On the other hand, being rather perfectionist and self-critical, an INTP type will usually have areas where there is not just competence but proficiency, as long as there is enough personal interest or opportunity for continual learning to warrant being a specialist. Something else I&#039;ve noticed is that many times what is considered competence to an INTP tends to be closer to mastery than just plain adequacy, which is frequently the insinuation behind &quot;Jack of all trades, master of none.&quot; This is where the important subtle difference between competence and proficiency comes in.&lt;br /&gt;
&lt;blockquote class=&quot;standard&quot;&gt;If an INTP decides to learn a skill, then it is very important for him that he reaches a sufficient level so that basic errors can be avoided. Errors made by others are to be expected and can be criticised. But errors made by oneself attack the very root of the person, which is ultimately about rationality, logic and truth. INTPs hate to think of themselves being in any way inadequate, at least in areas that are important to them. So, as soon as he puts himself behind some task, then he must achieve competency. But that is as far as it goes. Refined competency requires too much effort and has little attraction. It would require practice and that usually bores an INTP. Hence, it is common to see INTPs dabbling at many things, achieving competency, just enough to prove to themselves that they could become more proficient if they wished, but rarely actually bothering to refine their skills further. - &lt;a href=&quot;http://www.intp.org/intprofile.html&quot;&gt;intp.org&lt;/a&gt;&lt;/blockquote&gt; &lt;br /&gt;
&lt;br /&gt;
And here is where I had planned on going into some thoughts on expertise, but I think that starts diverting a bit from this particular topic so I&#039;ll continue in another post. 
    </content:encoded>

    <pubDate>Thu, 17 Dec 2009 00:41:38 -0700</pubDate>
    <guid isPermaLink="false">http://t3technet.com/blog/index.php?/archives/12-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nc-sa/2.5/</creativeCommons:license>
</item>
<item>
    <title>Hushmail not secure as advertised</title>
    <link>http://t3technet.com/blog/index.php?/archives/6-Hushmail-not-secure-as-advertised.html</link>
            <category>Security &amp; Privacy</category>
    
    <comments>http://t3technet.com/blog/index.php?/archives/6-Hushmail-not-secure-as-advertised.html#comments</comments>
    <wfw:comment>http://t3technet.com/blog/wfwcomment.php?cid=6</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://t3technet.com/blog/rss.php?version=2.0&amp;type=comments&amp;cid=6</wfw:commentRss>
    

    <author>nospam@example.com (Tom Johnson)</author>
    <content:encoded>
    This just came to my attention. I don&#039;t keep as up to date with Slashdot news as I used to. &lt;img src=&quot;http://t3technet.com/blog/templates/default/img/emoticons/smile.png&quot; alt=&quot;:-)&quot; style=&quot;display: inline; vertical-align: bottom;&quot; class=&quot;emoticon&quot; /&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://www.itnews.com.au/News/65213,hushmail-turns-out-to-be-anything-but.aspx&quot; title=&quot;http://www.itnews.com.au/News/65213,hushmail-turns-out-to-be-anything-but.aspx&quot;&gt;http://www.itnews.com.au/News/65213,hushmail-turns-out-to-be-anything-but.aspx&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
Hushmail uses PGP encryption, but apparently what allowed this to become a news issue is the way their system works, and the fact that a court order was involved.&lt;br /&gt;
&lt;br /&gt;
Phil Zimmermann defends Hushmail&#039;s actions, see: &lt;a href=&quot;http://blog.wired.com/27bstroke6/2007/11/pgp-creator-def.html&quot; title=&quot;http://blog.wired.com/27bstroke6/2007/11/pgp-creator-def.html&quot;&gt;http://blog.wired.com/27bstroke6/2007/11/pgp-creator-def.html&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
This also does not indicate a vulnerability in PGP. I have seen it stated that Hushmail had the private keys, which enabled the snooping, and that the Java process used puts the correspondence to the server side in unencrypted form. I don&#039;t really know what process allowed it, but one would think that any implementation of PGP that was not fully in control of the user could be compromised in a way such as this. 
    </content:encoded>

    <pubDate>Fri, 30 Nov 2007 20:14:40 -0700</pubDate>
    <guid isPermaLink="false">http://t3technet.com/blog/index.php?/archives/6-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nc-sa/2.5/</creativeCommons:license><category>pgp</category>
<category>privacy</category>
<category>security</category>
<category>security &amp; privacy</category>

</item>
<item>
    <title>Using PGP (or some similar method) for private, secure, trusted ID's</title>
    <link>http://t3technet.com/blog/index.php?/archives/3-Using-PGP-or-some-similar-method-for-private,-secure,-trusted-IDs.html</link>
            <category>Security &amp; Privacy</category>
    
    <comments>http://t3technet.com/blog/index.php?/archives/3-Using-PGP-or-some-similar-method-for-private,-secure,-trusted-IDs.html#comments</comments>
    <wfw:comment>http://t3technet.com/blog/wfwcomment.php?cid=3</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://t3technet.com/blog/rss.php?version=2.0&amp;type=comments&amp;cid=3</wfw:commentRss>
    

    <author>nospam@example.com (Tom Johnson)</author>
    <content:encoded>
    I actually started thinking about this sort of thing about a week or two ago and a post on the &lt;a href=&quot;http://www.mdshooters.com&quot; title=&quot;Maryland Shooter&#039;s Forum&quot;&gt;Maryland Shooter&#039;s Forum&lt;/a&gt; about the proposed Real ID and RFID &lt;a href=&quot;http://www.dhs.gov/xprevprot/laws/gc_1172767635686.shtm&quot; title=&quot;Real Id proposed guidelines&quot;&gt;guidelines&lt;/a&gt; brought it up again.&lt;br /&gt;
&lt;br /&gt;
I was thinking of keeping this hush and actually developing a system for this and obtaining relevant patents. However, searching through patents and the whole application process can be rather costly and consuming, not to mention the difficulties in enforcing patents. Besides, I tend to agree with the philosophies of Open Source Software and Creative Commons licensing of works. There&#039;s some discussion on this over at the &lt;a href=&quot;http://www.instructables.com/forum/EEMFZXN1G5EXCFLKHF/&quot; title=&quot;instructables.com forums&quot;&gt;instructables.com forums&lt;/a&gt; that covers this topic as it relates to patentable works. So since I&#039;ve posted my idea to the MD Shooter&#039;s forum, I figure I&#039;ll also post it here with some more details.&lt;br /&gt;
&lt;br /&gt;
Based on my brief research I have concluded that this is overall an original idea, though pieces, or general concepts, may have been previously proposed. So, if this idea, in whole or in part, is stolen and shows up on the market before I get around to fully developing it and selling/marketing it myself, I expect to be credited, consulted and receive fair compensation. I still have the opportunity to apply for patents and if anyone sees any of this in a patent application let me know. &lt;img src=&quot;http://t3technet.com/blog/templates/default/img/emoticons/smile.png&quot; alt=&quot;:-)&quot; style=&quot;display: inline; vertical-align: bottom;&quot; class=&quot;emoticon&quot; /&gt; In the recent past I had an idea that I believe very well may have been stolen from me which I&#039;ll get into another time.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;On with the show...&lt;/strong&gt;&lt;br /&gt;
Some of this is related to security/privacy policy, which I think should be implemented regardless, but the system would require it.&lt;br /&gt;
&lt;br /&gt;
All databases are to be devoid of personal identifying information.&lt;br /&gt;
There may be certain exceptions to this based on reasonably justified need, but any personal ID information should be kept out of all database systems to the greatest extent possible such that it cannot be used for things such as ID theft or other nefarious purposes. This would make the data relatively useless if compromised by crackers or to any unscrupulous employee or other person that normally is allowed access to the data.&lt;br /&gt;
&lt;br /&gt;
I&#039;ll go off on a little side tangent here and throw in that SSNs should only be found in databases at the SSA; they don&#039;t belong anywhere else (well, the IRS hijacked SSNs as TINs, but that&#039;s another story), &lt;a href=&quot;http://www.cpsr.org/issues/privacy/SSNAddendum#NewDBs&quot; title=&quot;Why SSNs Make Bad Keys in Databases&quot;&gt;they make bad database keys&lt;/a&gt;, and are completely useless and unreliable for identification purposes (it even says so right on the card). I&#039;ll leave my arguments and opinions on why SS shouldn&#039;t exist at all for another time. The misuse of SSNs by companies and, probably to a lesser extent due to pertinent laws, government agencies has become so common that now it&#039;s finally being realized how vulnerable to abuse this practice is. For too many reasons, an SSN cannot be trusted for verifying or authenticating a person&#039;s ID. &lt;br /&gt;
&lt;br /&gt;
In place of this should be something like a PGP public key. The only way to get the personal info is directly from the individual. An alternative is to encrypt the stored data with the public PGP key, but this could make for some messy and/or more resource intensive database systems.&lt;br /&gt;
&lt;br /&gt;
The individual whose personal information is stored controls their own personal ID information and decides who can access what pieces of it.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;How it Works&lt;/strong&gt;&lt;br /&gt;
The system requests the info from, say, an RFID chip (I&#039;m not sure these would really be suitable for this application, but possibly, as RFIDsec has come up with secure RFID devices with privacy features, which I haven&#039;t fully looked into).&lt;br /&gt;
My first thoughts were of something like a USB memory stick, such as the &lt;a href=&quot;http://www.securestix.co.uk/&quot; title=&quot;SecureStix&quot;&gt;SecureStix&lt;/a&gt; (&lt;a href=&quot;http://www.f-secure.com/weblog/archives/archive-082007.html#00001263&quot; title=&quot;Sony USB stick insecurities at F-Secure blog&quot;&gt;but not a Sony product&lt;/a&gt;), with a fingerprint reader to represent the passphrase for the private key, though something a little more sophisticated may be necessary.&lt;br /&gt;
&lt;br /&gt;
Anyway, the request is encrypted with the public key on file and signed with the requester&#039;s key, the individual accepts the request with their passphrase (fingerprint?) and the allowed data for that particular requester is provided to them encrypted with their public key and signed by the individual&#039;s key. The pertinent data shows up on the requester&#039;s screen but does not get stored in any way. This could still potentially be abused, I haven&#039;t thought through all of the details far enough yet, but the system would work something like this. Maybe some reliable auditing certification could be part of ensuring that the ID data is secure, but it should be possible to do this within the program. It would have to verify that the OS isn&#039;t compromised in such a way as to allow for grabbing the data as it&#039;s routed from post-decryption to the video display. Hmmm... there&#039;s of course other issues as well.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Trust of the ID&lt;/strong&gt;&lt;br /&gt;
As long as the individual&#039;s key is signed by some acceptable authority it is considered to be trusted, valid information (i.e. the person is who they say they are); there is no need to worry about what two or three forms of ID are acceptable for which entity that requires ID, because the ID info for that key has already been verified either by that entity itself or by a valid third party (e.g. the local courthouse, state police, State Dept., etc.). Additionally, the key/passphrase info is &lt;em&gt;almost&lt;/em&gt; impossible to forge, and the primary ID (i.e. name) is tied to the PGP key and cannot be changed. Some good info on PGP and the web of trust theory, which I haven&#039;t bothered to get into, can be found at &lt;a href=&quot;http://www.rossde.com/PGP/&quot; title=&quot;David Ross&#039;s PGP pages&quot;&gt;David Ross&#039;s site&lt;/a&gt; and of course at &lt;a href=&quot;http://www.gnupg.org/&quot; title=&quot;GNU PGP&quot;&gt;GNUPG&lt;/a&gt; and PGP.com.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
There are still some points that need a little work in this idea, and the .gov would probably never adopt such a system fully without its own exceptions (there are still too many control-freak--nanny-state--power-trip politicians in office), but with wide usage it could certainly cut down, or eliminate for the most part, ID theft and many other crimes which are facilitated by the improper use of personal data. Plus maybe it could restore some sense of privacy and security in a world where there isn&#039;t much left without removing oneself from at least most of civilization and technology.&lt;br /&gt;
&lt;br /&gt;
Maybe I&#039;ve watched &quot;The Net,&quot; &quot;Enemy of The State,&quot; and similar movies too many times, or maybe I&#039;ve just been involved in computer networking and security too long. 
    </content:encoded>

    <pubDate>Tue, 27 Nov 2007 02:23:00 -0700</pubDate>
    <guid isPermaLink="false">http://t3technet.com/blog/index.php?/archives/3-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nc-sa/2.5/</creativeCommons:license><category>privacy</category>
<category>security</category>
<category>security &amp; privacy</category>

</item>

</channel>
</rss>