Security Experts:

Help! I Think my Kid is a Script Kiddie

As a security guy I sometimes have friends and relatives asking me for professional advice, like “I lost my iPhone, can you help me look for it?” or “How do I delete my browser history, you know, in case my wife checks up on me?” It’s not easy being a technical wizard amongst the masses.

The other day the mother of one of my daughter’s friends confessed her concern about her son being “one of those Anonymous hackers”. She mentioned that her son was very much an introvert, a habitual gamer and hung around with other kids (all guys) who seemed to be just as geeky.

After some additional questions, I was thinking her kid was probably a simple script kiddie (or skiddie, skid, script bunny, and script kitty) instead of a serious hacker.

Having made the mom feel a bit better, I found myself wandering the Internet to see if I could dig up some thoughts and impressions on script kiddies.

My first stop was Wikipedia: "A script kiddie … is a derogatory term used to describe those who use scripts or programs developed by others to attack computer systems and networks and deface websites."

No One Likes a Script Kiddie

There seemed to be a lot of agreement with Wikipedia on the fact that no one likes or respects script kiddies, except maybe other script kiddies. Phrases like “… little or no personal knowledge of hacking …”, “… giving hackers a bad name …”, and “… immature forms of vandalism …” continued to be repeated over and over again (wiseGeek).

I was lucky enough to find a July, 2000 article by Robert Lemos where interviews of several script kiddies produced some very enlightening quotes from the kids themselves:

"It's a way to escape a lot of the bullsh*t that I get in real life," ... "Because I don't have that much going on in my life."


"My dad just said, 'now' ... that's when I gotta get leaving."


"The world we live (in) ... everything is the same, so incredibly boring. I feel if I deface, at least, I'm making some kind of difference."


"I'll continue defacing, not as much as I used to, but I will be around."


“Never deface any site in your own country or give information about yourself over the Internet.”


“Be nice, always, so no one will hate you.”

The kids in these interviews appeared to be young (still living at home?), bored and seemingly without a solid direction in their lives.

Website Tagging – An Internet Game

One of the more interesting script kiddie characteristics I found was their apparent need to gain recognition amongst their peers by ‘tagging’ websites they hacked. Tagging comes in the form of either pointless defacing of the site itself (inserting an obnoxious page into the site) or secretly inserting ‘graffiti’ text into the website code in places where only other script kiddies will come across it (this is called ‘web cracking’). Like legitimate video game players, script kiddies keep track of points “won” with each website successfully breached.

Botnets for Fun and Profit

While script kiddies have not gotten any more sophisticated over the years, the tools they use for hacking certainly have. Even with these very powerful tools, it is worth noting that most of the disdain ‘real’ hackers have for script kiddies comes from the fact that they use these ‘canned’ tools in perfunctory ways, without skill or creativity.

These easy-to-use tools bring up another script kiddie obsession – the building of large botnets that can be used for malicious purposes. Botnets are complex systems of zombie computers – PCs that have been hacked and infected with silent robot (bot) programs.

A bored script kiddie might take his or her botnet army of hundreds or thousands of bots and launch a Distributed Denial of Service (DDoS) attack on an unsuspecting commercial or government website, just for the glory it might grant him or her. Any commercial damage to the site would just be collateral damage that resulted from the botnet joy ride.

Script Kiddie Training Ground

It seems the best place for a script kiddie to learn the trade of Web hacking is from the Web itself. A simple Google search on ‘web cracking’ turned up a large number of sites whose only goal is to teach script kiddies how to use tools and techniques for cracking.

One of the best training sites was The Crack Hack Forum. Its many forums are written in a DIY style – with obvious titles like:

• Web Cracking Tools: Need a certain tool to crack a file hosting or web login? Check here, we might have it.

• Web Cracking Tutorials: Trying to learn how to crack? Check out our big section of tutorials where we teach how to use tools to crack file hosting and other web logins.

Another site, calling itself the Computer Security Group, is an obvious play on the very prominent, real Computer Security Group that produces tools to fend off web attacks. Among other features, the hacker version of the Computer Security Group site contains a blog that features information for the script kiddie looking for an education:

• How to Hack Facebook

• Webbackdoors, Attack, Evasion and Detection

• 2011 – Best Password Hacking Breaking Tools

You can also sign up for the Computer Security Group newsletter, ‘Subscribe & Don’t Miss a Free Hacking Course’.

If all of these training sites weren’t enough, script kiddies can always turn to YouTube. Not only do newbies get a hacking education, but the pros get to promote themselves to the top of the hacker pecking order. Just a few of the many videos would include:

• Cracking Wireless Networks: 2,119,260 views

• How To Get Into Locked Wifi Without A Password: 880,593 views

Note the sheer number of people who found these videos interesting.

Heroes of the Script Kiddie Underworld

No sub-culture is without its heroes. Two of the more infamous members of script kiddie history gained their notoriety by the massive impact they had on the Internet as well as the fact that they used tools and examples created by real hackers.

• Michael Calce (aka Mafia Boy) – Calce was a Canadian high school student when arrested for causing an estimated $1.2 billion in damage to sites such as Yahoo!, Dell, eBay, and CNN. Calce’s expensive pranks were done using downloaded tools to launch Denial of Service (DoS) attacks.

• Jeffrey Lee Parson (aka T33kid) – Parson, an 18-year-old high school student from Minnesota, was arrested in 2005 and was the cause of the infamous Blaster computer worm. All Parson did was make a few modifications to an existing computer worm program with a simple hex editor.

While I couldn’t find any documented correlation between script kiddies and hard-core video gamers, I couldn’t help but draw my own, uneducated comparisons. It is not unreasonable to think of the Internet as one heck of a computer game; one where the stakes are higher (arrest perhaps) and the rules far more fluid – just the thing for a bored kid with access to the Internet.

Like any well-established sub-culture, the world of script kiddies is fascinating to watch, difficult to fully understand from the outside and obviously intriguing to those within that world.

Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Wlasuk is an expert in web security - from evaluation to web development and remediation.