Outlaws on the Cyberprairie / Recent crackdowns on computer criminals have
galvanized debate about the ethics of hacking. But not even hackers agree about
what's right or wrong.
LAURA EVENSON, MICHELLE QUINN, Chronicle Staff Writers
Near a row of pay phones in an Embarcadero Center plaza, the early
birds are hovering over white picnic tables wedged between a Mrs.
Fields and a wine bar.
Mostly young men, they wear the grunge fashions of plaid shirts, ski
caps and baggy pants. They show off cellular phones, hand out copies
of pirated software and swap stories about how to add value to a BART
card without paying. A few older men sport survivalist wear -- army
fatigues and fly-fishing jackets. The men with natty blazers and
polished shoes are computer security specialists.
The meeting is so low-profile that there's only way to find it: the
back page of "2600: The Hacker's Quarterly," an offbeat newsletter
published in Long Island, N.Y. The newsletter posts the numbers and
locations of public phones around the country where hackers hold
meetings each month. (Any hacker knows better than to make risky calls
and computer connections from home.) Today's meeting is at (415)
398-9805 and (415) 398-9806 in 4 Embarcadero Center.
In keeping with the anarchic hacker ethos, the meeting has no agenda.
Conversation among the 25 hackers turns to one of their own who made
it to the front page of the New York Times: Kevin Mitnick, the reputed
"Billy the Kid" of the Internet, arrested in February for skipping out
on parole and allegedly stealing 20,000 credit card numbers from
network computers.
The arrest of Mitnick, depicted by the media as a renegade on the
cyberprairie, has sparked a national debate about what laws rule the
wilderness of bits and bytes, hackers say. Was Mitnick simply a
curious hacker out to satisfy his intellectual curiosity? Or was the
high school dropout a mischievous cracker, a technowhiz out to profit
from digital skulduggery? Mitnick's arrest has triggered intense
discussions about what constitutes right and wrong in cyberspace, even
what is legal or illegal, and who will make the rules.
There's no consensus on any of these issues. But hackers agree on one
thing: There's a witchhunt to persecute people like Mitnick who
explore computer and phone networks for the challenge and thrill.
"They're going to crucify him," says Tom Farley, an intense man in a
Patagonia jacket and jeans who drove up from Carmichael. He publishes
a journal on the minutia of telephone systems. "If they had a cross
they would nail him to it."
The hoopla surrounding the February 15 arrest of Mitnick, an
overweight and bespeckled 31-year- old, is a signal that the stakes
have soared on the high-tech frontier as its population explodes. More
than 35 million people log on to the Internet, which over the past 26
years has mutated from a creation of the Defense Department to a
plaything with mass appeal, as well as a channel for commerce.
Computer break-ins have skyrocketed, from 132 in 1989 to 2,341 last
year, said Terry McGillen, a spokesman for the Computer Emergency
Response Team (CERT), a group of security experts at Carnegie Mellon
University in Pittsburgh. Either more people are hacking into systems,
or more are getting caught, or both, McGillen said.
Hackers define themselves as people who can figure out what makes a
computer network tick.
"We are the type of people who like taking clocks apart, says Rich
Adams, a computer security expert for Chevron dressed in a fly-fishing
jacket and hat. He rode BART from San Ramon to join the group. "We
don't like reading manuals but figuring it out on our own. We're the
people who built the Internet."
As commerce and crime explode on the Internet, veteran hackers fear
the public won't tolerate their freewheeling culture. They call
Mitnick a "cracker" -- a criminal hacker.
The law doesn't distinguish a hacker from a cracker, said Marc
Rotenberg, director of the Electronic Privacy Information Center, a
pro-privacy public interest group.
"Trespassing is entering onto someone else's property, and that's what
hackers do," he said. But a cracker is different. "Burglary is taking
from someone's property, and arson is burning down someone else's
property. The problem is that if you treat trespassers like arsonists,
you'll probably have fewer intrusions and many more fires." Rotenberg
fears that draconian penalties for unauthorized forays into computer
networks may discourage some benign hackers while goading others into
malicious acts.
Laws governing computer break-ins are murky. For example, federal law
makes it illegal for anyone to steal other users' computer passwords.
However, prosecutors can pursue only those crackers who have stolen
more than 15 passwords or who use a password to commit fraud. The law
forgives a pilfered password here or there.
"Just because a hacker illegally obtains one credit card number
doesn't mean you charge him with anything unless he starts using it
and defrauding you," said David Schindler, an assistant U.S. attorney
in Los Angeles who is prosecuting Mitnick.
Mitnick, who on court order has spent time at a Los Angeles treatment
center for his "addiction" to computer hacking, isn't the only cracker
demonstrating the vulnerabilities of the online world recently.
Convicted cracker Kevin Poulsen, 29, will be sentenced April 10 for
using his computer expertise and intimate knowledge of telephone
operations to seize control of phone lines leading to various Los
Angeles area radio stations. He used that knowledge to win two
Porsches and $50,000 in cash. Poulsen also pleaded guilty to breaking
into a computer to get the names of undercover businesses operated by
the FBI.
In May, Poulsen's accomplice Justin Tanner Petersen, 34, will be
sentenced for his role in the radio contest scam. Petersen's been
around -- he pleaded guilty to tapping a credit card information
bureau and illegally transferring $150,000 from a Glendale financial
institution to an account held by a co-conspirator at another bank. In
between crimes, he worked for the FBI to track down a few hackers.
Why did Mitnick get so much attention, the hackers ask.
Some accuse the press of turning Mitnick's case into a circus and
Tsutomu Shimomura, the hacker who tracked down Mitnick, into a hero. A
few question the motives of York Times reporter John Markoff, who
broke the Mitnick story. They see Markoff and other reporters as
carpetbaggers who overdramatize Mitnick's case for the sake of a good
yarn and perhaps a few extra bucks in book and movie rights.
Several suggest Markoff set the trap for Mitnick months earlier by
writing about mysterious break- ins on the Internet and profiling the
straight-talking pursuer, Shimomura. They theorize that the two knew
the high-profile coverage would provoke Mitnick to take more risks.
"Some of the incidents looked too convenient," says a hacker named
Cliff, a security expert for a Silicon Valley company.
Markoff, who co-wrote the 1991 book "Cyberpunks" that featured
Mitnick, denied he had any role in the investigation. Four days before
the arrest, he discovered Mitnick had been reading his electronic
mail, a fact left out of the original New York Times stories. "I don't
think it affected my reporting in anyway," he said. "I didn't
sensationalize anything."
Markoff and Shimomura are now negotiating book and movie deals.
The hackers themselves quarrel over Mitnick. Some defend him, saying
he simply fed intellectual hunger and never used the credit card
numbers he allegedly "borrowed." In fact, they say, the online service
Netcom, where Mitnick pilfered the credit card numbers, should thank
him for pointing out their high-tech Achilles' heel.
Others are less sure of Mitnick's merits.
Mitnick had a near-pathological addiction to computers and had no use
for school, degrees or authority figures, points out Ken Kumasawa, a
telecommunications security expert with TeleDesign Management Inc. in
Burlingame who attends the hacker meetings to pick up tips on how to
keep intruders out of his clients' telephone systems. Kumasawa
believes Mitnick profited from his technological expertise. "How do
you think he survived on the lam for two years?" said Kumasawa. "How
do you think he got his money?"
Speaking for many others, one 16-year-old from Pacific Heights who
would not give his name said that Mitnick "was doing stupid things on
a large scale."
Regardless of their opinions, hackers are uncomfortable with the
attention they're getting in the wake of Mitnick's arrest. They both
wallow in the media's limelight and try to deflect its glare. As
freely as they chant their mantra that "information wants to be free,"
the hackers guard their own privacy. Few give out their full, real
names. Most use either a first name only or pseudonyms such as Nana
Second and Argus. Notoriety is OK; interference is not.
Despite their disdain for the press at large, the hackers are
downright friendly to the reporters who attend their meeting, offering
seats, cookies and anonymous E-mail accounts. They revel in the chance
to show off their talents and rhapsodize about the "free flow of
information in cyberspace."
An hour into the hackers meeting, the information begins to flow like
beer at a keg party with little concern for legality or ethics -- or
whether a cop mingles with the throng. A high-tech show-and-tell
begins spontaneously. Some refer to textbooks they've brought along:
"Introduction to Computing" and "Cellular Phone Principles and
Design." Security experts trade information with young hackers.
"I have a trick for all of you," says Peter Shipley, a pony-tailed
security expert from Berkeley dressed in black leather a la Mel Gibson
in "The Road Warrior."
With a magician's flourish, he places a cellular phone on the table.
"A Motorola 950 standard," he announces. Speaking in the brisk,
machine-gun patter typical of hackers, he adds, "I can turn this into
a scanner. Just a piece of foil puts it in diagnostic mode."
He punches in a few numbers and passes the phone around. The receiver
emits the voice of a woman engaged in a juicy gossip.
But Shipley's trick bores the crowd. Such phone conversations are
dull; one hacker yawns.
Asked a few questions about right and wrong, the hackers emit a
cacophony of responses.
"We're standing up for what we believe in," says an older man who
identifies himself as Argus. "What about the reporters who looked at
Tonya Harding's e-mail?" asks another hacker. "Aren't the telephone
companies ripping us off?" is a common reply.
"There's a potential for maliciousness," said a 34-year-old wearing a
suit under a rain coat and tapping on a laptop computer. "It's cool to
share your knowledge. It's a question of being responsible. It's the
responsibility of the group to police itself."
Many hackers believe the rules they play by in cyberspace differ from
the rules governing the real world. There's a difference between
getting a few free phone calls and making money selling phone calls at
a public telephone; there's a difference between poking around in
someone's computer without disturbing anything and actually copying a
file.
Dan Farmer, who developed software to diagnose security holes in
computer networks, criticizes the cyberspace culture that has evolved.
"Many of these people believe they should be allowed to roam freely
into other peoples' files," said Farmer, reached at his home by phone.
"But if you start talking about looking at their own medical
histories, love letters or personal correspondence, they get
outraged."
Farmer, 32, lost his job at Silicon Graphics recently because he plans
to release on the Internet a free program to give hackers and
corporations alike a quick view of security weaknesses in a computer
network. The company and Farmer had a philosophical disagreement over
the ethics of Farmer's freelance program.
"People who spend an enormous amount of time on computers haven't had
time to become socially (adjusted) or to mature in a lot of ways, and
so their online interactions have become very different from what is
acceptable in real life," Farmer said.
Eager to justify their tricks at the meeting are hackers like "Alex,"
a 15-year-old from Russia fluent in American slang. But Alex tied
himself into ethical pretzels to justify his pranks.
Pulling out a Phillips head screw driver, the young man hovers over a
small metal box with a few wires that he bought at Radio Shack for
$10. The contraption can make a dial tone, he boasts.
"It's not illegal if you do it and you don't use it," he says. "We're
not calling Egypt. We make a dozen local calls, not very much . . . I
mean we're not doing anything for profit -- that's the difference."
But law enforcement officials don't see it that way. They say it's
illegal to make unauthorized free phone calls of any kind, or to break
into any computer.
Even supposedly victimless crimes can cause damage, said Scott
Charney, chief of the computer crime unit for the criminal division at
the U.S. Department of Justice. Charney told how a man recently broke
into a Seattle court via a computer at Boeing. Although the hacker was
only passing through Boeing's network, the airplane builder had to
shell out $75,000 to make sure no damage was done to its computer
systems.
"People who browse the system are not as dangerous as people who steal
information," Charney said. "But it's really important to understand
that that kind of browsing is not victimless."
Attempts to safeguard computer systems by providing some form of
encryption -- coding that makes it more difficult for an intruder to
break into a computer -- have run into resistance. Last year, the
Clinton Administration proposed the so-called Clipper Chip, touted as
an encryption standard that offers consumers privacy but lets the FBI
and police conduct authorized electronic surveillance. But the gadget
makes the civil libertarians and the electronics industry squirm
because the government will keep "keys" to the codes.
For now, nationalized encryption is on the back burner. Hackers at the
Embarcadero Center meeting boast that they make their own encryption.
It's a tough world out there, they say. If they get broken into, it's
their fault for poor encryption, not the criminals'.
At the end of the hackers meeting, a few head out to Harry Denton's
for post-meeting drinks. Others go home to parents for dinner or to
their bedroom computer to try a few new tricks.As they bade each other
farewell, an Embarcadero security guard in a brown uniform cleaned up
the litter of milk cartons and cigarette butts.
Older hackers point to two things that ended their electronic
delinquency. In some cases, it was a friendly telephone call from
someone identifying himself as an FBI agent or police officer. For
others, it was a technical job, specifically in security, that gave
them the intellectual challenge they craved, along with a paycheck.
The younger, smarter hackers may grow into future security experts. At
the moment, they dabble in digital delinquency. Instead of breaking
windows, they pick electronic locks. And a few real ones.
"Watch out for the security on newspaper boxes," one kid yells to
departing reporters.
_________________________________________________________________
A GLOSSARY OF HACKERSPEAK
Hacker: Someone fascinated with the workings of technology who takes
pleasure in exploring how to stretch the capabilities of computers and
other programmable systems.
Cracker: A person who commits illegal acts with technology, such as
illicitly entering businesses' computer systems, stealing property or
making free phone calls.
Phone phreak: Someone who enjoys figuring out how the phone system
works in order to make free phone calls. Originally a semirespectable
activity among hackers, who saw it as a form of legitimate
intellectual exploration, phreaking lost its respectability in the
1980s as techniques were disseminated widely.
Social engineering: Calling up a business and pretending to be someone
important in order to get confidential information such as computer
codes or passwords.
Trojan horse: A program that runs undetected on a computer, disguised
as something benign such as a game or a directory list, that secretly
spies on the user. It can also pick up passwords and even damage a
computer system.
Virus: A cracker program that searches out other programs and embeds
itself in them. Once that program is executed, the embedded virus
comes alive to infect other programs in the system. Sometimes the
program may do nothing but propagate itself and allow a system to run
normally. Usually, however, viruses start playing tricks on a display,
writing cute messages and even destroying files. Infected programs
pass the virus to other programs.
Encryption: Encoding data for security purposes by converting it into
secret code.
Sniffing: Similar to a wire tap, a program hidden on a network that
records log-ons and passwords, which then are stored in a secret file.
Within days, this file can divulge hundreds of user names and their
associated passwords.
Spoofing: Gaining access to a different computer system by forging the
Internet address of a trusted machine.
Firewalls: Security barriers that look for the identity of the
computer user before letting the user pass on to a bigger network.
_________________________________________________________________
DAY: MONDAY
DATE: 4/2/95
PAGE: 1/Z1
�4/2/95 , San Francisco Chronicle, All Rights Reserved, All
Unauthorized Duplication Prohibited