Date: Tue, 12 Jan 93 12:20:21 EDT
From: Jerry Leichter <leichter@LRW.COM>
Subject: 1--Media hype goes both ways (in re: Forbes article)
In Cu Digest, #4.66, Jim Thomas reviews an article from the 21 December
1992 Forbes Magazine, and grants it CuD's 1992 MEDIA HYPE award. I
read the article before reading Thomas's comments, and was considering
posting a very different summary. Did we read the same words?
Let me briefly summarize what I got out of the article, and then go
over some of Thomas's points. The article claims that we are seeing a
new kind of computer miscreant. Let me call such people "crims", a
word I've just invented; according to the article, they identify
themselves as hackers (to the extent they identify themselves at all),
so the article also calls them hackers (sometimes, "hacker hoods"),
thus raising many irrelevant emotional issues.
Unlike old-style hackers, who were in it for what they could build; or
new-style hackers, who are nominally in it for what they can learn;
crims are in it for what they can steal. The article does NOT claim
that the same people who've been hackers have now turned to real
crime; rather, as I read it it claims that the crims have taken the
techniques developed by the hackers and gone on to different things.
Just look at the title of the article: "The Playground Bullies are
Learning how to Type". The crims are the people who a few years ago
might be burglars or jewel thieves; today, they are learning how to go
after money and other valuable commodities (like trade or military
secrets) in their new, electronic form.
Thomas's criticism begins with a long attack on Brigid McMenamin, one
of the reporters on the piece. He is upset that she keeps "bugging"
people for information. Reporters do that; it's not their most
endearing quality, but it's essential to their job, especially when
dealing with people who don't particularly want to talk to them. He
is upset that she kept asking about "illegal stuff" and "was oblivious
to facts or issues that did not bear upon hackers-as-criminals." Given
the article she was writing - exactly focusing on the crims - that's
exactly what I would have expected her to do. Just because Thomas is
interested in the non-criminal side of hacking doesn't mean McMenamin
is under any obligation to be. Thomas reports that in his own
conversations with McMenamin "Her questions suggested that she did not
understand the culture about which she was writing." Again, Thomas
presumes that she was writing about the people *Thomas* is interested
in.
In general, Thomas's criticisms of McMenamin reveal him to be so
personally involved with the "hacker culture" that he studies that
he's protective of it - and blind to the possibility that the world
may be bigger and nastier than he would like.
Thomas then summarizes "The Story". He criticizes it for not
presenting a "coherent and factual story about the types of computer
crime", but rather for making "hackers" the focal point and taking on
a narrative structure. Well, I didn't particularly see "hackers" as
the focal point, and considering the nature of the material being
covered - it's all recent, and the crims are hardly likely to be
interested in making themselves available to reporters - a narrative
structure is probably inevitable. Perhaps Thomas will write the
definitive study of the types of computer crime; I doubt any working
reporter will do so for a magazine.
Len Rose's story is told with a reasonable slant. None of us know ALL
the facts, but at least Rose is pictured as a relatively innocent
victim, chosen pretty much at random to bear the weight of actions
taken by many people. In fact, that's just what a prosecutor
interviewed in this piece of the story says: Because of the nature of
the crimes, such as they are, the people caught and punished are often
not the ones who actually did much of anything. He doesn't indicate
that he LIKES this - just the opposite. He reports on facts about the
real world.
Thomas then says that the article describes a salami-slicing attack,
alleged to have taken place at Citibank. He criticizes the article
for lack of evidence. He's right, but after all, this was a criminal
enterprise, and the criminals weren't caught. Just what evidence
would he expect? He then goes on with a comment that makes no sense
at all:
    Has anybody calculated how many accounts one would have to "skim" a
    few pennies from before obtaining $200,000? At a dime apiece, that's
    over 2 million. If I'm figuring correctly, at one minute per account,
    60 accounts per minute non-stop for 24 hours a day all year, it would
    take nearly 4 straight years of on-line computer work for an
    outsider. According to the story, it took only 3 months. At 20
    cents an account, that's over a million accounts.
Why would anyone even imagine that an attack of this nature would be
undertaken on an account-at-a-time basis? The only way it makes
sense is for the attack to have modified the software. If the
criminals had a way to directly siphon money out of an account, they
would have made one big killing and disappeared. Citibank has many
thousands of accounts with much more than $200,000 in them; it
probably has many thousands of accounts for which a $200,000
discrepancy wouldn't be noticed until the end of the quarter. A
salami-slice attack only makes sense when the attacker intends to
remain undetected, so that the attack continues to operate
indefinitely.
The romantic picture of the hacker sitting at his terminal, day in and
day out, moving a few pennies here and there, may have a lot of
appeal, but it's not reality.
The crux of Thomas's critique is: "Contrary to billing, there was
no evidence in the story, other than questionable rumor, of `hacker'
connection to organized crime." But, again, that isn't the point of
the story, which to me seemed to do a fairly reasonable (though
imperfect) job of distinguishing between the innocents who "just want
to hack" and the new "crims". The article does, however, warn that
the crims will have no compunctions about using the hackers, whether
by just showing up at hacker conventions to learn the latest tricks -
like every group, hackers think they can identify the "true" group
members who believe in the group's ideals, when in fact it's always
been trivially easy for those who are willing to lie to sneak in - or
by hiring hackers, with money, drugs, or whatever.
I don't know to what degree the rumors of the spread of the crims are
true. It makes SENSE that they would be true, and in certain cases
(particularly cellular telephone fraud) we have strong evidence. It's
naive to think that the hacker community or the hacker ethic is
somehow immune to the influence of criminal minds.
There was an explicit warning from some prosecutor quoted in the
article. What he said was that people are upset by the crimes, and
government is responding harshly, often against the wrong targets. No
one would be so stupid as to walk into a bank carrying a toy gun and
try to get money from a teller, intending to leave it at the door,
"just to test security". Yet hackers seem to believe that they can do
the same thing with a bank's computers. If there were no such thing
as real bank robbers, the toy gun game would be just fine; in the real
world, that's an excellent way to get shot - or sent to prison for
many years. As the crims become more active - and even if the current
stories are all baseless, they inevitably will, and sooner rather than
later - any hackers who don't adjust to the new reality will find
themselves in big trouble. Many's the idealist who's been led by the
nose to help the dishonest - and it's usually the idealist who gets
stuck with the bills.