Hackers: Taking a Byte Out of Computer Crime

by Wade Roush


 

In the early 1980s, researchers at MIT's Architecture Machine Group, forerunner to the present-day Media Lab, devised an elegant way to discourage potential mischief makers from crashing the group's computer system. Any user, from an undergraduate assistant to the most senior scientist, could erase other researchers' files simply by typing the command "crash." The method was so obvious that it took all the fun out of hacking the system, and it worked. Causing a shutdown was a challenge unworthy of a true hacker's skills, so no one even bothered to try.

The scheme's effectiveness, of course, rested on the fact that the group was a closed community with "a certain amount of trust between members," says Simson Garfinkel, a computer security expert and journalist who was a student in the group at the time. This approach, he notes, "doesn't work if there are people on the outside who can get in."

In the present networked era, when a computer system's "outside" includes virtually anyone with a PC and a modem, trust would indeed seem to be a thing of the distant past. Well-publicized episodes, like the 1986 infiltration of U.S. government computers by a group of KGB-employed West German hackers and the 1988 Internet worm (a self-replicating program that clogged academic computer systems across the nation), have taught system administrators the importance of protecting users' passwords and trying to eliminate possible "back doors" into their systems. Nervous about exposing themselves to roving data thieves, many corporations are refusing to join their local networks to the Internet, while others are spending millions installing "firewalls," gatekeeping computers that filter out all but a few authorized forms of data exchange. And needless to say, at today's Media Lab and most other research centers, access to commands that affect other users' accounts is closely guarded.

Partly because of such improved security measures as well as the threat of imprisonment, most of the elite young hackers whose clubs became media staples during the 1980s (the 414 Gang, Legion of Doom, Masters of Deception) have matured, gotten jobs, or been scared off. But a few of their number have gone even deeper underground, selling their skills as high-tech bandits in the age-old trade in secret information.

"The days of playful hacking, when any teenager with a modem could access a bank's UNIX machine, are gone forever," says Forkboy, a 21-year-old desktop publishing expert in Cleveland. As a teenager, Forkboy hacked his way into computers owned by universities, credit agencies, and long-distance phone companies (like most of the hackers and former hackers interviewed for this article, he asked not to be quoted except under his "handle"). But while this kind of hacking has become less common, "cracking" (programmers' jargon for malicious computer meddling) is on the rise.

Under these conditions, a circumscribed kind of cooperation between information security managers and hackers who eschew theft, revenge, and other clearly criminal motives is starting to take shape.

Hacking's Brief Heyday

In its original technological sense, the word "hacker," coined at MIT in the 1960s, simply connoted a computer virtuoso. That's still the meaning enshrined in the 1994 edition of the New Hacker's Dictionary, which defines such a person as someone "who enjoys exploring the details of programmable systems and how to stretch their capabilities; one who programs enthusiastically, even obsessively."

But beginning in the 1970s, almost as soon as there were such things as modems and computer networks, "hackers" also came to describe people who hungered to know off-limits details about big computer systems, and who were willing to use devious and even illegal means to satisfy this curiosity. Penetrating corporate and academic computer systems required not just technical aptitude but also the social skills necessary to sweet-talk office workers out of their computer passwords, the persistence to spend hours "dumpster diving" in search of proprietary computer manuals and other crucial scraps of inside information, and a streak of rebellious, macho nihilism. Thus endowed, hackers set out to see how far down the Establishment's electronic corridors they could creep before anyone would take notice.

At first, it was pretty far. "When I started out, most 'sysadmins' [system administrators] were not even aware of hackers," Forkboy recalls. "They were utterly clueless about security. The companies selling operating-system software told them 'Don't worry, you're fine,' and they believed it." Breaking into a system was often as easy as guessing someone's poorly chosen password, then exploiting known bugs in common mailing or editing programs to relabel computer files or transfer their ownership, thereby gaining "superuser" status. Hackers could rewrite system software, create dummy accounts, and leave behind "logic bombs" or "Trojan horses," hidden programs designed to execute automatically under certain conditions or to allow access to the system later.

As illicit as it was, hacking was rarely a lone pursuit. In the hacker "crews" of major urban centers, in endless conference calls pirated from long-distance companies by "phone phreaks," and on dozens of underground electronic bulletin-board systems, hobbyists shared war stories and exchanged information about the latest security holes.

The common badge among these young computer outlaws was a sense of superiority to the bureaucrats whose systems they could so easily infiltrate. "All of my close hacker friends have nil respect for 'the Man,'" says Quinn, a 23-year-old West Virginian who was arrested five years ago for dialing into a local power-company computer. It wasn't the content of such institutions' files so much as the thrill of unearthing them that fired hackers' ambitions, earning them, in Quinn's words, "warrior's stripes, another skull on their belt."

Yet many hackers, sensing the chaos their intrusions could cause, also set strict personal limits for their on-line adventures. Forkboy says he never stole tangible goods or money and that he viewed acquaintances who did with "disapproving apathy." Julia, a Boston teenager, says she stopped hacking more than a year ago because "I was so nervous that I would do something bad to a system and really screw it up by mistake. People who go and delete entire files so that they completely collapse the system are not respected at all in the hacker community."

At least one hacker, the Knightmare, a 22-year-old software developer, is using the printed word to spread an ethic of more mature, "responsible" hacking. In his recent book, Secrets of a Super Hacker, which has sold over 40,000 copies (including many to computer-crime squads across the nation), he shares his "set of ideals":

  • Never harm, alter, or damage any computer, software, system, or person in any way.
  • If damage has been done, do what is necessary to correct that damage, and to prevent it from occurring in the future.
  • Do not let yourself or others profit unfairly from a hack. Inform computer managers about lapses in their security.
  • Teach when you are asked to teach, share when you have knowledge to spread. This isn't necessary, it is politeness.
  • Be aware of your potential vulnerability in all computing environments, including the secret ones you will enter as a hacker. Act discreetly.
  • Persevere but don't be stupid and don't take greedy risks.

A true hacker, the Knightmare insists, has the ability to steal money, information, software, and hardware and to commit sabotage and espionage, but chooses to do none of these things.

The hackers' heyday was inevitably brief, ended by a combination of technological and social changes. One was the growth of the Internet and electronic mail as means of communication. "The development of networking was a big blow to hackers, because it meant that if two or three sysadmins found out about an operating-system hole or a common system weakness, pretty soon everyone who cared knew about it and plugged it," Forkboy explains. The explosion in access also filled the formerly elite hangouts, like private bulletin-board systems, Internet Relay Chat (a live online communication system), and Usenet newsgroups, with naive hacker-wannabes. "The culture began to die out when it got popular, when you could read about it in magazines, when they started holding hacker conferences at huge hotels," says a disillusioned Asrock, a 22-year-old former hacker who was arrested in 1987 for hijacking sections of a corporate voice-mail system for use by other hackers and who now works as a software engineer at a Boston-area technology firm. The hacker community, Julia summarizes, got overrun.

At the same time, law-enforcement crackdowns proved a strong deterrent to committed hackers. In 1989 and 1990 the federal Computer Fraud and Abuse Task Force, Arizona's Organized Crime and Racketeering Unit, the U.S. Secret Service, the FBI, and other agencies closed in on a small network of hackers who had circulated a purloined BellSouth technical file describing the 911 emergency telephone system. Suspecting (incorrectly, as it turned out) that hackers had precipitated the January 15, 1990, nationwide crash of AT&T's long-distance switching system, investigators arrested a dozen well-known figures in the hacker underground and impounded their computers. The only trial to result from the raids, that of a St. Louis hacker-newsletter editor known as Knight Lightning, fell apart when the defense demonstrated that the information in the 911 document was publicly available through a phone-company catalog. The arrests nevertheless had a chilling effect on the hacker community. "I was still active then, and it scared the hell out of me," says Forkboy. "We all got pretty paranoid after that."

Meanwhile, the thrill of hacking was wearing off for many. The generation of hackers who began as young teenagers in the early 1980s, when the personal-computer revolution was first taking hold and the influential 1983 film War Games portrayed young hackers as ingenious heroes, has left high school or college and graduated to more real-life concerns. "It's just so dangerous nowadays," says Julia. "There are a lot of great former hackers out there who are married with kids and who don't have time to go to jail."

The New Computer Intruders

But if the ranks of old-school hackers have thinned, the volume of computer intrusions has not. The departure of so many hackers from the field means that a growing proportion of computer intruders are genuinely malicious. At the same time, the population of network-literate citizens from which a criminal few may emerge is multiplying. Garfinkel, coauthor of the Practical UNIX Security guide, points out that "there is always a certain small percentage of people who are unreasonable. And there's an even smaller percentage who are destructively unreasonable. As more people come on the Net, more and more of these very destructive people come into the community. So even though it's a small percentage, the absolute number of malicious hackers is increasing."

Statistics on the exact size of this "cracker" population or the frequency and cost of attacks on U.S. corporate, educational, and government computers are hard to come by. One reason is that "even if a company has been attacked, officers generally won't talk about it," says Paul Strassmann, former chief information officer for General Foods, Kraft, and Xerox and a former deputy assistant secretary for information systems at the Department of Defense. "You feel dirty after a hacker attack or a computer virus infection, like you've done something wrong," adds David Stang, president of Norman Data Defense Systems, a Virginia information security consulting firm. "You don't want to tell anybody, which winds up affecting the reporting of incidents."

Scattered indications of the rise in cracker attacks are available, however. A 1992 study by USA Research Inc., a Portland (Ore.)-based technology consulting firm, found that the number of unauthorized intrusions detected in U.S. workplace computers grew from 339,000 in 1989 to 684,000 in 1991. Intruders altered or destroyed data or software in 42 percent of the cases the company studied, at a cost of $82 million in 1989 and $164 million in 1991. L. Dain Gary, manager of the Pittsburgh-based Computer Emergency Response Team (formed by the Defense Advanced Research Projects Agency in 1988 to coordinate responses to crises like the Internet worm), says the team received reports of some 130 incidents in 1990, 800 in 1992, 1,300 in 1993, and 2,300 in 1994. Twenty percent of a group of 1,271 companies of various sizes surveyed in 1994 by the Cleveland consulting firm Ernst & Young reported financial losses from unauthorized computer break-ins by hackers, competitors, or employees. Also in 1994, more than a million secret passwords were intercepted by "sniffer" programs planted in computers at dozens of Internet hubs.

But as Stang points out, the difficulty of determining whether computer data have been copied or altered means that the actual number of such break-ins is likely far higher than the number detected. And since, in Strassmann's words, "you have a big multiple of the gross national product today spinning on magnetic disks," the actual financial stakes in computer crime are far higher than the losses so far uncovered.

The pirating of secret codes allowing access to voice-mail services and long-distance telephone connections alone has been estimated to cost companies more than $1 billion per year. Last October, Secret Service agents charged Ivy James Lay, an engineer at MCI Telecommunications, with intercepting 60,000 calling-card numbers over a period of several months using a sophisticated Trojan horse program planted in a phone-line switching station in Charlotte, N.C. Lay, known to some in the hacker community as Knightshadow, sold the numbers for $3 to $5 each, according to the Secret Service, which has jurisdiction over interstate telephone fraud. Resold to electronic bulletin-board operators around the United States and Europe, the numbers were eventually used to charge more than $50 million in illicit long-distance service.

Incentives for computer crime are not limited to money alone, and motivations like vengeance and politics can cause far more damage. The admission last July by the Defense Information Systems Agency that crackers had penetrated "major portions" of the Pentagon's unclassified networks, "adversely affecting" the nation's military strength, suggests the potential for harm. Thus Strassmann, who teaches students at the National Defense University how to defend against "data warfare," adds that "the people who are doing the attacks are not just crackers. They are information terrorists. Their purpose is to damage the economic and defensive capabilities of the United States." In a 1994 report on global organized crime, the Center for Strategic and International Studies, an independent research center formerly associated with Georgetown University, asserted that "a despot armed with a computer and a small squad of expert hackers can be as dangerous and disruptive as any adversary we have faced since World War II."

The New Detente

Because computer-related crime is growing more sophisticated, more varied, and more costly to American society, information-security experts and law-enforcement agencies have begun to enlist hackers in the battle for safety and order in the digital realm. Both system administrators and hackers acknowledge that the unchecked growth of computer crime could lead to a bleak future in which the average user's access to computing resources is so tightly monitored that the freedom to explore, communicate, and innovate on the electronic frontier is sacrificed.

Many active or former interlopers, fed up with their criminal cousins for giving all hackers a bad name, are therefore applying their skills as software developers, security consultants, and pamphleteers for responsible hacking. "Computer security is a way for us to continue what we've always done in a good, safe, legal way," says Asrock.

The main obstacle to greater cooperation between the two groups, of course, is their mutual suspicion. But cultural changes under way in both camps, including growing recognition of a common enemy, are making room for a cautious truce and even an alliance of sorts.

Phillip King, president of Data Integrity Services, a Kansas City-based security consulting firm, says, "I make my living trying to stop hackers from breaking into systems, so it sounds kind of funny for me to say this, but most of them are pretty good guys." A former computer analyst with Air Force Intelligence who now advises banks, utilities, and insurance companies on how to reduce their risks from computer crime, King says his goal "is not to catch hackers and put them away. It's to understand them and to use that knowledge to stop the truly malicious vandals." The Knightmare insists that "hackers love and respect computers. They want computers to stay healthy. So it's in hackers' best interest for the people in charge of computers to know how to maintain good security."

Hackers love a challenge above all else, so discovering lax security measures pains them in the same way that playing a novice at chess would exasperate a grand master. It's not uncommon, for example, for administrators arriving at work in the morning to receive e-mail from solicitous hackers who may have romped through the system the night before thanks to some previously undiscovered security hole, but who would like to ensure that the drawbridge is raised after them. This kind of public spiritedness "does work against you if you're trying to break in again," admits the Knightmare, "but if you've found a hole, then you already have broken in, and there's essentially an infinite number of systems to hack."

In this way the hacker presence constantly pushes forward the limits of computer security techniques. There can be no real test of a security system's reliability, many professionals say, until some wily hacker attempts to break it.

As members of "tiger teams" hired to test computer security or develop better password or encryption systems to keep out unauthorized users, ex-hackers are often better grounded in the real-world challenges of keeping information secure than are most of the former law enforcement agents, inventors of new security devices, and academics who have traditionally made up the information-security profession. "To understand a hacker certainly requires a bit of the hacker's mentality," says Stang. "Those kinds of people make good security officers."

One unlikely beneficiary of this kind of expertise is James V. Christy II, director of computer crime investigations for the Office of Special Investigations at Bolling Air Force Base in Washington, D.C. Christy tells of a young Washington-area hacker who had pleaded guilty to breaking into a Pentagon computer system. "We asked him to help us out," Christy says. "I sat him down in an office at Bolling and had him go in and attack as many Air Force systems as he could get into. We wired this kid up so that everything he did was recorded. Within 15 seconds he broke into the same computer at the Pentagon that he was convicted for, because its administrators still had not fixed its vulnerabilities. I had to go back the next day and tell the emperor he still had no clothes."

The unorthodox operation continued for three weeks. "During that time he broke into over 200 Air Force systems," Christy recounts. "Zero victims reported that they had been hacked into. Not one." Christy used these embarrassing results to press information-security officers throughout the Air Force to patch over long-neglected security holes.

Other government agencies, as well as firms like American Express, Dun & Bradstreet, and Monsanto, have also hired tiger teams to probe their systems' vulnerabilities. Former hacker Ian Murphy founded and led the Pennsylvania firm IAM/Secure Data Systems from 1986 to 1993, which performed such services as breaking into the headquarters of banks and insurance companies, logging onto their computer systems, then submitting detailed reports on how the penetration was accomplished. Murphy told InformationWeek magazine that he and his employees, all convicted computer felons, netted a peak $500,000 per year for their services. Lawrence Livermore National Laboratory's Computer Security Technology Center, which tries to stay one step ahead of cracker intrusions at the Department of Energy and other agencies, has occasionally called on former hackers to lend their expertise as "subcontractors," says staff member Allan Van Lehn.

 

The most prominent hacker crossover success (and failure) was that of Comsec Data Security, a Houston consulting firm founded in 1991 by three former members of the Legion of Doom. Though the firm quickly built a client list that included several Fortune 500 companies, "media hysteria" and "blackballing" by competing Establishment firms cost the firm those same commissions and forced it out of business in 1992, says cofounder and former president Christopher Goggans. "There are a large number of people who would kill to do nothing but get paid to hack legitimately, so everybody in the hacker community was watching Comsec," says Goggans. "From the treatment we got, you can expect that hackers who want to sell their skills as information security consultants in the future are going to have to hide their backgrounds."

But Goggans himself has been an exception to that prediction. He has a job as an engineer for a major U.S. software firm, but he says his "career" is in freelance information-security consulting. In 1994 he led a three-day training seminar for 13 member nations of NATO at the Allied European Command Center at the Hague, and there are "financial institutions that want to fly me out at a moment's notice," he says. Other organizations' resistance to working with former hackers, Goggans suggests, stems from "fear of the unknown. But it takes only a few minutes of earnest dialogue before people realize that those like myself are not of a mindset to do any kind of damage to any company."

If hackers have found it difficult to market their skills openly, there are less direct ways they can aid in the fight against computer crime. Information security consultants, including King, Stang, and experts at SRI International Inc., admit that they gather most of their information about computer-system weaknesses by frequenting underground bulletin-board systems and talking with hackers. "All of the good vendors in one way or another absolutely do that," says Stang. "There are some hackers who believe in 'full disclosure,'" notes Richard Feingold, project leader of CSTC's Secure Systems Services division, which helps government and corporate clients evaluate and reduce their risk from hacker attacks. "As soon as there is a new security vulnerability or technique out there, they will publish it on the Net. That's where a lot of our own techniques come from."

University of Dayton law student Jeff Moss, known to his former hacker compatriots as Dark Tangent, chips away at the wall of suspicion between hackers and security officials by inviting both to the "Def Con" hacker conventions he organizes annually in Las Vegas. The 300 attendees at 1994's meeting included such luminaries as Phillip Zimmerman, inventor of the Pretty Good Privacy encryption system, and Gail Thackeray, a Phoenix district attorney who helped organize the 1990 hacker crackdown of Arizona's Organized Crime and Racketeering Unit. "A lot of time was spent in substantive presentations," says Thackeray, including seminars on search-and-seizure laws, hacker ethics, and technical hacking methods.

There is still some forbidden territory on both sides. Hackers are not yet lining up at the employment offices of the FBI or the Secret Service (their underground pasts would disqualify them from government service, in any event), and these agencies continue to gather all the evidence they can against hacker hobbyists, hoping eventually to bring security and predictability to cyberspace. But law-and-order forces have begun to recognize that the typical hacker's mentality and motivations differ crucially from those of the rare computer aficionado who is seduced by the Dark Side. "The predominating idea is that hackers are out there to steal data, but they are primarily out there for the thrill of the chase," says King. A greater threat by far to corporate information security, he says, comes from disgruntled or financially struggling employees.

Still, while hackers and their pursuers are coming together based on mutual interests, the two camps have only just begun to explore common ground. "Cooperation" is therefore not quite the right word for the new relationship emerging between those battering at the Net's electronic fortresses and those still trying to bar the doors. "Detente," an easing of tensions, is closer.


 

Wade Roush uses his powers, computer and otherwise, in noncriminal ways. Formerly a contributing writer at Technology Review, he is now a reporter at Science. He recently received a PhD in the history and social study of technology from MIT's Program in Science, Technology, and Society.