'Watching over the shoulder of a professional': Why Hackers Make Mistakes and How They Fix Them

Irina Ford; Ananta Soneji; Faris Bugra Kokulu; Jayakrishna Vadayath; Zion Leonahenahe Basque; Gaurav Vipat; Adam Doupé; Ruoyu Wang; Gail Joon Ahn; Tiffany Bao; Yan Shoshitaishvili

doi:10.1109/SP54263.2024.00202

'Watching over the shoulder of a professional': Why Hackers Make Mistakes and How They Fix Them

Irina Ford, Ananta Soneji, Faris Bugra Kokulu, Jayakrishna Vadayath, Zion Leonahenahe Basque, Gaurav Vipat, Adam Doupé, Ruoyu Wang, Gail Joon Ahn, Tiffany Bao, Yan Shoshitaishvili

Engineering, Ira A. Fulton Schools of (IAFSE)

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Scopus citations

Abstract

The complex and diverse nature of software systems necessitates a careful manual approach to unveil vulnerabilities, involving deep analysis, creative problem-solving, and specialized expertise. Like all complex tasks, it's susceptible to mistakes stemming from cognitive limitations and behavioral factors that hinder optimal performance. Although there are significant research efforts focused on vulnerability discovery, little attention has been given to comprehending mistakes within the process. Understanding these mistakes could pave the way for better-designed education programs and automated tools, aiming to mitigate and prevent potential mistakes and enhance the efficiency of vulnerability research.In this paper, we leverage social media, specifically YouTube, to examine mistakes made by security content creators exploiting vulnerabilities in CTF-style challenges. Analyzing 30 screencasts from 11 hackers, we identified 124 distinct issues and investigated their types, underlying causes, and time investments. Additionally, we delved into the cognitive and behavioral aspects associated with these issues.

Original language	English (US)
Title of host publication	Proceedings - 45th IEEE Symposium on Security and Privacy, SP 2024
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	350-368
Number of pages	19
ISBN (Electronic)	9798350331301
DOIs	https://doi.org/10.1109/SP54263.2024.00202
State	Published - 2024
Event	45th IEEE Symposium on Security and Privacy, SP 2024 - San Francisco, United States Duration: May 20 2024 → May 23 2024

Publication series

Name	Proceedings - IEEE Symposium on Security and Privacy
ISSN (Print)	1081-6011

Conference

Conference	45th IEEE Symposium on Security and Privacy, SP 2024
Country/Territory	United States
City	San Francisco
Period	5/20/24 → 5/23/24

ASJC Scopus subject areas

Safety, Risk, Reliability and Quality
Software
Computer Networks and Communications

Access to Document

10.1109/SP54263.2024.00202

Cite this

Ford, I., Soneji, A., Kokulu, F. B., Vadayath, J., Basque, Z. L., Vipat, G., Doupé, A., Wang, R., Ahn, G. J., Bao, T., & Shoshitaishvili, Y. (2024). 'Watching over the shoulder of a professional': Why Hackers Make Mistakes and How They Fix Them. In Proceedings - 45th IEEE Symposium on Security and Privacy, SP 2024 (pp. 350-368). (Proceedings - IEEE Symposium on Security and Privacy). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SP54263.2024.00202

'Watching over the shoulder of a professional': Why Hackers Make Mistakes and How They Fix Them. / Ford, Irina; Soneji, Ananta; Kokulu, Faris Bugra et al.
Proceedings - 45th IEEE Symposium on Security and Privacy, SP 2024. Institute of Electrical and Electronics Engineers Inc., 2024. p. 350-368 (Proceedings - IEEE Symposium on Security and Privacy).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Ford, I, Soneji, A, Kokulu, FB, Vadayath, J, Basque, ZL, Vipat, G, Doupé, A , Wang, R , Ahn, GJ , Bao, T & Shoshitaishvili, Y 2024, 'Watching over the shoulder of a professional': Why Hackers Make Mistakes and How They Fix Them. in Proceedings - 45th IEEE Symposium on Security and Privacy, SP 2024. Proceedings - IEEE Symposium on Security and Privacy, Institute of Electrical and Electronics Engineers Inc., pp. 350-368, 45th IEEE Symposium on Security and Privacy, SP 2024, San Francisco, United States, 5/20/24. https://doi.org/10.1109/SP54263.2024.00202

Ford I, Soneji A, Kokulu FB, Vadayath J, Basque ZL, Vipat G et al. 'Watching over the shoulder of a professional': Why Hackers Make Mistakes and How They Fix Them. In Proceedings - 45th IEEE Symposium on Security and Privacy, SP 2024. Institute of Electrical and Electronics Engineers Inc. 2024. p. 350-368. (Proceedings - IEEE Symposium on Security and Privacy). doi: 10.1109/SP54263.2024.00202

@inproceedings{6809f53ed28f43a9a99e211dbe26d499,

title = "'Watching over the shoulder of a professional': Why Hackers Make Mistakes and How They Fix Them",

abstract = "The complex and diverse nature of software systems necessitates a careful manual approach to unveil vulnerabilities, involving deep analysis, creative problem-solving, and specialized expertise. Like all complex tasks, it's susceptible to mistakes stemming from cognitive limitations and behavioral factors that hinder optimal performance. Although there are significant research efforts focused on vulnerability discovery, little attention has been given to comprehending mistakes within the process. Understanding these mistakes could pave the way for better-designed education programs and automated tools, aiming to mitigate and prevent potential mistakes and enhance the efficiency of vulnerability research.In this paper, we leverage social media, specifically YouTube, to examine mistakes made by security content creators exploiting vulnerabilities in CTF-style challenges. Analyzing 30 screencasts from 11 hackers, we identified 124 distinct issues and investigated their types, underlying causes, and time investments. Additionally, we delved into the cognitive and behavioral aspects associated with these issues.",

author = "Irina Ford and Ananta Soneji and Kokulu, {Faris Bugra} and Jayakrishna Vadayath and Basque, {Zion Leonahenahe} and Gaurav Vipat and Adam Doup{\'e} and Ruoyu Wang and Ahn, {Gail Joon} and Tiffany Bao and Yan Shoshitaishvili",

note = "Publisher Copyright: {\textcopyright} 2024 IEEE.; 45th IEEE Symposium on Security and Privacy, SP 2024 ; Conference date: 20-05-2024 Through 23-05-2024",

year = "2024",

doi = "10.1109/SP54263.2024.00202",

language = "English (US)",

series = "Proceedings - IEEE Symposium on Security and Privacy",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "350--368",

booktitle = "Proceedings - 45th IEEE Symposium on Security and Privacy, SP 2024",

}

TY - GEN

T1 - 'Watching over the shoulder of a professional'

T2 - 45th IEEE Symposium on Security and Privacy, SP 2024

AU - Ford, Irina

AU - Soneji, Ananta

AU - Kokulu, Faris Bugra

AU - Vadayath, Jayakrishna

AU - Basque, Zion Leonahenahe

AU - Vipat, Gaurav

AU - Doupé, Adam

AU - Wang, Ruoyu

AU - Ahn, Gail Joon

AU - Bao, Tiffany

AU - Shoshitaishvili, Yan

PY - 2024

Y1 - 2024

N2 - The complex and diverse nature of software systems necessitates a careful manual approach to unveil vulnerabilities, involving deep analysis, creative problem-solving, and specialized expertise. Like all complex tasks, it's susceptible to mistakes stemming from cognitive limitations and behavioral factors that hinder optimal performance. Although there are significant research efforts focused on vulnerability discovery, little attention has been given to comprehending mistakes within the process. Understanding these mistakes could pave the way for better-designed education programs and automated tools, aiming to mitigate and prevent potential mistakes and enhance the efficiency of vulnerability research.In this paper, we leverage social media, specifically YouTube, to examine mistakes made by security content creators exploiting vulnerabilities in CTF-style challenges. Analyzing 30 screencasts from 11 hackers, we identified 124 distinct issues and investigated their types, underlying causes, and time investments. Additionally, we delved into the cognitive and behavioral aspects associated with these issues.

AB - The complex and diverse nature of software systems necessitates a careful manual approach to unveil vulnerabilities, involving deep analysis, creative problem-solving, and specialized expertise. Like all complex tasks, it's susceptible to mistakes stemming from cognitive limitations and behavioral factors that hinder optimal performance. Although there are significant research efforts focused on vulnerability discovery, little attention has been given to comprehending mistakes within the process. Understanding these mistakes could pave the way for better-designed education programs and automated tools, aiming to mitigate and prevent potential mistakes and enhance the efficiency of vulnerability research.In this paper, we leverage social media, specifically YouTube, to examine mistakes made by security content creators exploiting vulnerabilities in CTF-style challenges. Analyzing 30 screencasts from 11 hackers, we identified 124 distinct issues and investigated their types, underlying causes, and time investments. Additionally, we delved into the cognitive and behavioral aspects associated with these issues.

UR - http://www.scopus.com/inward/record.url?scp=85204057529&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85204057529&partnerID=8YFLogxK

U2 - 10.1109/SP54263.2024.00202

DO - 10.1109/SP54263.2024.00202

M3 - Conference contribution

AN - SCOPUS:85204057529

T3 - Proceedings - IEEE Symposium on Security and Privacy

SP - 350

EP - 368

BT - Proceedings - 45th IEEE Symposium on Security and Privacy, SP 2024

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 20 May 2024 through 23 May 2024

ER -

'Watching over the shoulder of a professional': Why Hackers Make Mistakes and How They Fix Them

Abstract

Publication series

Conference

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this