
SoylentNews is people

posted by chromas on Monday August 13 2018, @02:22PM

Wired is reporting on a presentation given at Def Con 26 by Rachel Greenstadt, an associate professor of computer science at Drexel University, and Aylin Caliskan, Greenstadt's former PhD student and now an assistant professor at George Washington University, entitled "Even Anonymous Coders Leave Fingerprints". Stylistic expression is uniquely identifiable, not anonymous, and that applies especially to code. There are privacy implications for many developers, because as few as 50 metrics are needed to distinguish one coder from another.

The researchers don't rely on low-level features, like how code was formatted. Instead, they create "abstract syntax trees," which reflect code's underlying structure, rather than its arbitrary components. Their technique is akin to prioritizing someone's sentence structure, instead of whether they indent each line in a paragraph.
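To illustrate why structural features survive reformatting, here is an added example (not from the article or the researchers' tooling). It assumes Python's standard `ast` module as a stand-in parser and a deliberately simplified feature set, counts of parent/child node-type pairs; the three code samples are constructed.

```python
import ast
import math
from collections import Counter

def ast_features(source: str) -> Counter:
    """Count parent->child node-type pairs in the syntax tree of `source`."""
    feats = Counter()
    for parent in ast.walk(ast.parse(source)):
        for child in ast.iter_child_nodes(parent):
            feats[(type(parent).__name__, type(child).__name__)] += 1
    return feats

def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity between two sparse feature-count vectors."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = (math.sqrt(sum(v * v for v in a.values()))
            * math.sqrt(sum(v * v for v in b.values())))
    return dot / norm if norm else 0.0

# Constructed sample: one author's habit (explicit loop and accumulator).
ORIGINAL = '''
def total(xs):
    s = 0
    for x in xs:
        if x > 0:
            s += x
    return s
'''

# Same structure after renaming identifiers, changing indentation, adding a comment.
REFORMATTED = '''
def add_up( values ):
  # sum the positives
  acc = 0
  for v in values:
      if v > 0: acc += v
  return acc
'''

# Same behaviour written with a different structural habit (generator expression).
OTHER_STYLE = '''
def total(xs):
    return sum(x for x in xs if x > 0)
'''

def compare():
    """Return (similarity to reformatted copy, similarity to restructured copy)."""
    base = ast_features(ORIGINAL)
    return (cosine(base, ast_features(REFORMATTED)),
            cosine(base, ast_features(OTHER_STYLE)))
```

Renaming variables and changing whitespace leaves the feature vector identical, while the restructured version scores well below 1; a formatter or identifier scrubber alone therefore does not remove this kind of signal.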


  • (Score: 4, Interesting) by Hyperturtle on Monday August 13 2018, @02:55PM (1 child)

    As a network engineer, I have known this for years.

    For the devices with CLIs, and often, the ticketing systems in the organization with the hardware -- you can get a feel for who wrote what and what to expect when you go to look at that engineer's results.

    I expect it's no different with programming or technical writing or master thesis statements. It also means that it becomes easy to tell who ran the wizard, copied from the internet, or shamelessly took someone else's work and used it as their own without so much as removing inadvertent metadata because the copier didn't understand what was going on.

    This presents good and bad things to any individual -- if you are a fraud, it is easier to spot without necessarily having those checking really understand the work. And if you are not a fraud, you are more easily identified because of it.

    And if you use the wizard and then copy the wizard's configs to make it look like you know what you are doing, that is also easy to spot... it's like that kids' song "one of these things is not like the others, one of these things is not the same..." who can spot the generic wizard auto-script hidden in the 'custom configuration'?

    That's another good way to identify who claims to be an expert but isn't, or who leverages tools available to them without unnecessarily reinventing the wheel.

    (and for those of us saving time and money, try to remember to remove the references to example.com before you blame the network... some network engineers CAN sniff the traffic and see that it doesn't work because the default domains in the example were not changed to reflect the business requirements!!)

    Anyway the takeaway for me is that it's always been possible to determine who is writing what--given enough time and examples. Eventually, their style, or lack of one--comes through. This helps immensely in determining who is really writing their code (as opposed to everyone's favorite that outsourced his job and is just collecting the checks), who is struggling, who's a wizard and who's not, etc...

    If this is alarming, then try to take the proper opsec to make sure you are harder to identify. Soylent also makes a great practice ground for your opsec training... Given enough examples, I am sure we can identify anyone that writes prolifically and then tries to pass as anonymous coward... try to find the hidden Hyperturtle or Runaway or whoever! (Not that we would ever do that...)

     

  • (Score: 4, Insightful) by Runaway1956 on Monday August 13 2018, @03:34PM

    I think there is a nuance here, that you may or may not be seeing. Sure, an expert in any given field can spot subtle differences between the work of his peers, or the work of his subordinates. He has the knowledge and experience, he can perform whatever task at hand in a dozen different ways. He KNOWS his field, and can quickly come to know the people in his field.

    These people seem to be promising a new tool to managers and law enforcement, that will enable non-experts to determine who has done what, and how they did it. Plug and play script kiddies using an AI to figure out who the "good guy" and the "bad guy" is.

    When you tell your supervisor that "Bob didn't write this, it's over his head, and none of the writing matches his work", that is treated like an opinion, and weighted according to a purely subjective point of view. If the computer tells them the same thing, well, "THAT'S SCIENCE!!" Expect to see this introduced into a court of law as evidence, one day soon. Even before that, expect to see it in the hands of an HR drone, justifying one person getting a raise, and another person being fired.

    On a sidenote - my handwriting is very distinctive. It's ugly, it's large, and I write with the same brand, style, and size of bold black pen all the time. To boot, I sign or initial pretty much every piece of paper I touch. Recently, one of the managers who sees my handwriting all the time and should know better, accused first me, then a couple other people of hanging a red tag on a piece of equipment. No signature, written with a cheap blue pen, in small, precise cursive letters. It almost, but didn't quite, convince me that it was a woman's handwriting.

    Oftentimes, the very people who should know, have the fewest clues to work with. My immediate supervisor had to tell the wannabe-manager that none of the people he accused could have done it. One of the persons accused is not even literate in English!! (From all accounts, he's very good in Spanish, but I couldn't verify that with my limited vocabulary!)