hackers who break into computer systems.txt

1000 HOWTOs for various needs [WINDOWS]

systems, work in groups, write, and teach others.  One hacker said
that he belongs to a study group with the mission of churning out
files of information and learning as much as possible.  Within the
group, people specialize, collaborate on research project, share
information and news, write articles, and teach other about their
areas of specialization.  Hackers have set up a private system of
education that engages them, teaches them to think, and allows them
to apply their knowledge in purposeful, if not always legal,
activity.   Ironically, many of our nation's classrooms have been
criticized for providing a poor learning environment that seems to
emphasize memorization rather than thinking and reasoning.  One hacker
reported that through volunteer work with a local high school, he
was trying to get students turned on to learning.
 
Many hackers say that the legitimate computer access they have through
their home and school computers do not meet their needs.  One student
told me that his high school did not offer anything beyond elementary
courses in BASIC and PASCAL, and that he was bored by these.  Hans
Huebner, a hacker in Germany who goes by the name Pengo, wrote in
a note to the RISKS Forum [Huebner89] : ``I was just interested in
computers, not in the data which has been kept on their disks. As
I was going to school at that time, I didn't even have the money
to buy [my] own computer.  Since CP/M (which was the most sophisticated
OS I could use on machines which I had legal access to) didn't turn
me on anymore, I enjoyed the lax security of the systems I had access
to by using X.25 networks.  You might point out that I should have
been patient and wait[ed] until I could go to the university and
use their machines.  Some of you might understand that waiting was
just not the thing I was keen on in those days.''
 
Brian Harvey, in his position paper [Harvey86] for the ACM Panel on
Hacking, claims that the computer medium available to students, e.g.,
BASIC and floppy disks, is inadequate for challenging intellectual
work.  His recommendation is that students be given access to real
computing power, and that they be taught how to use that power
responsibly.  He describes a program he created at a public high school
in Massachusetts during the period 1979-1982.  They installed a
PDP-11/70 and let students and teachers carry out the administration
of the system.  Harvey assessed that putting the burden of dealing
with the problems of malicious users on the students themselves was
a powerful educational force.  He also noted that the students who
had the skill and interest to be password hackers were discouraged
from this activity because they also wanted to keep the trust of
their colleagues in order that they could acquire ``superuser'' status
on the system.
 
Harvey also makes an interesting analogy between teaching computing
and teaching karate.  In karate instruction, students are introduced
to the real, adult community.  They are given access to a powerful,
deadly weapon, and at the same time are taught discipline and to
not abuse the art.  Harvey speculates that the reason that students
do not misuse their power is that they know they are being trusted
with something important, and they want to live up to that trust.
Harvey applied this principle when he set up the school system.
 
The ACM panel endorsed Harvey's recommendation, proposing a
three-tiered computing environment with local, district-wide, and
nation-wide networks.  They recommended that computer professionals
participate in this effort as mentors and role models.   They also
recommended that outside of schools, government and industry be
encouraged to establish regional computing centers using donated
or re-cycled equipment; that students be apprenticed to local companies
either part-time on a continuing basis or on a periodic basis; and,
following a suggestion from Felsenstein [Felsenstein86] for a
``Hacker's League,'' that a league analogous to the Amateur Radio
Relay League be established to make contributed resources available
for educational purposes.
 
Drake said he liked these recommendations.  He said that if hackers
were given access to powerful systems through a public account system,
they would supervise themselves.  He also suggested that Computer
Resource Centers be established in low-income areas in order to help
the poor get access to information.  Perhaps hackers could help run
the centers and teach the members of the community how to use the
facilities.  One of my colleagues suggested cynically that the hackers
would only use this to teach the poor how to hack rich people's
systems.  A hacker responded by saying this was ridiculous; hackers
would not teach people how to break into systems, but rather how
to use computers effectively and not be afraid of them.
In addition, the hackers I spoke with who had given up illegal
activities said they stopped doing so when they got engaged in other
work.
 
Geoff Goodfellow and Richard Stallman have reported that they have
given hackers accounts on systems that they manage, and that the
hackers have not misused the trust granted to them.  Perhaps
universities could consider providing accounts to pre-college students
on the basis of recommendations from their teachers or parents.
The students might be challenged to work on the same homework problems
assigned in courses or to explore their own interests.  Students
who strongly dislike the inflexibility of classroom learning might
excel in an environment that allows them to learn on their own, in
much the way that hackers have done.
 
 
4.  Thrill, Excitement, and Challenge
 
One hacker wrote that ``Hackers understand something basic about
computers, and that is that they can be enjoyed.  I know none who
hack for money, or hack to frighten the company, or hack for anything
but fun.''
 
In the words of another hacker, ``Hacking was the ultimate cerebral
buzz for me.  I would come home from another dull day at school,
turn my computer on, and become a member of the hacker elite.  It
was a whole different world where there were no condescending adults
and you were judged only by your talent.  I would first check in
to the private Bulletin Boards where other people who were like me
would hang out, see what the news was in the community, and trade
some info with people across the country.  Then I would start actually
hacking.  My brain would be going a million miles an hour and I'd
basically completely forget about my body as I would jump from one
computer to another trying to find a path into my target.  It was
the rush of working on a puzzle coupled with the high of discovery
many magnitudes intensified.  To go along with the adrenaline rush
was the illicit thrill of doing something illegal. Every step I made
could be the one that would bring the authorities crashing down on
me.  I was on the edge of technology and exploring past it, spelunking
into electronic caves where I wasn't supposed to be.''
 
The other hackers I spoke with made similar statements about the
fun and challenge of hacking.  In SPIN magazine [Dibbel90], reporter
Julian Dibbell speculated that much of the thrill comes from the
dangers associated with the activity, writing that ``the technology
just lends itself to cloak-and-dagger drama,'' and that ``hackers
were already living in a world in which covert action was nothing
more than a game children played.''
 
Eric Corley [Corley89] characterizes hacking as an evolved form of
mountain climbing.  In describing an effort to construct a list of
active mailboxes on a Voice Messaging System, he writes ``I suppose
the main reason I'm wasting my time pushing all these buttons is
simply so that I can make a list of something that I'm not supposed
to have and be the first person to accomplish this.''  He said that
he was not interested in obtaining an account of his own on the system.
Gordon Meyer says he found this to be a recurring theme: ``We aren't
supposed to be able to do this, but we can'' -- so they do.
 
One hacker said he was now working on anti-viral programming.  He
said it was almost as much fun as breaking into systems, and that
it was an intellectual battle against the virus author.
 
 
5.  Ethics and Avoiding Damage
 
All of the hackers I spoke with said that malicious hacking was morally
wrong.  They said that most hackers are not intentionally malicious,
and that they themselves are concerned about causing accidental
damage.  When I asked Drake about the responsibility of a person
with a PC and modem, his reply included not erasing or modifying
anyone else's data, and not causing a legitimate user on a system
any problems.  Hackers say they are outraged when other hackers cause
damage or use resources that would be missed, even if the results
are unintentional and due to incompetence.  One hacker wrote ``I
have ALWAYS strived to do NO damage, and inconvenience as few people
as possible.  I NEVER, EVER, EVER DELETE A FILE.  One of the first
commands I do on a new system is disable the delete file command.''
Some hackers say that it is unethical to give passwords and similar
security-related information to persons who might do damage.  In
the recent incident where a hacker broke into Bell South and downloaded
a text file on the emergency 911 service, hackers say that there
was no intention to use this knowledge to break into or sabotage
the 911 system.  According to Emmanuel Goldstein [Goldstein90], the
file did not even contain information about how to break into the
911 system.
 
The hackers also said that some break-ins were unethical, e.g.,
breaking into hospital systems, and that it is wrong to read
confidential information about individuals or steal classified
information.  All said it was wrong to commit fraud for personal
profit.
 
Although we as computer security professionals often disagree with
hackers about what constitutes damage, the ethical standards listed
sound much like our own.  Where the hackers' ethics differs from
the standards adopted by most in the computer security community
is that hackers say it is not unethical to break into many systems,
use idle computer and communications resources, and download system
files in order to learn.  Goldstein says that hacking is not wrong:
it is not the same as stealing, and uncovers design flaws and security
deficiencies [Goldstein89].
 
Brian Reid speculates that a hacker's ethics may come from not being
raised properly as a civilized member of society, and not appreciating
the rules of living in society.  One hacker responded to this with
``What does `being brought up properly' mean?  Some would say that
it is `good' to keep to yourself, mind your own business.  Others
might argue that it is healthy to explore, take risks, be curious
and discover.'' Brian Harvey [Harvey86] notes that many hackers are
adolescents, and that adolescents are at a less developed stage of
moral development than adults, where they might not see how the effects
of their actions hurt others.  Larry Martin [Martin89] claims that
parents, teachers, the press, and others in society are not aware
of their responsibility to contribute to instilling ethical values
associated with computer use.  This could be the consequence of the
youth of the computing field; many people are still computer illiterate
and cultural norms may be lagging behind advances in technology and
the growing dependency on that technology by businesses and society.
Hollinger and Lanza-Kaduce speculate that the cultural normative
messages about the use and abuse of computer technology have been
driven by the adaption of criminal laws [HollingerLanza-Kaduce88],
which have been mainly in the last decade.  They also speculate that
hacking may be encouraged during the process of becoming computer
literate.  Some of my colleagues say that hackers are irresponsible.
One hacker responded ``I think it's a strong indication of the amount
of responsibility shown that so FEW actually DAMAGING incidents are
known.''
 
But we must not overlook that the differences in ethics also reflect
a difference in philosophy about information and information handling
resources; whereas hackers advocate sharing, we seem to be advocating
ownership as property.  The differences also represent an opportunity
to examine our own ethical behavior and our practices for information
sharing and protection.  For example, one hacker wrote ``I will accept
that it is morally wrong to copy some proprietary software, however,
I think that it is morally wrong to charge $6000 for a program that
is only around 25K long.''  Hence, I shall go into a few of the ethical
points raised by hackers more closely.  It is not a simple case of
good or mature (us) against bad or immature (hackers), or of teaching
hackers a list of rules.
 
Many computer professionals argue the moral questions by analogy,
e.g., see Martin [Martin89].  The analogies are then used to justify
their judgement of a hacker's actions as unethical.  Breaking into
a system is compared with breaking into a house, and downloading
information and using computer and telecommunications services is
compared with stealing tangible goods.  But, say hackers, the
situations are not the same.  When someone breaks into a house, the
objective is to steal goods, which are often irreplaceable, and
property is often damaged in the process.  By contrast, when a hacker
breaks into a system, the objective is to learn and avoid causing
damage.  Downloaded information is copied, not stolen, and still
exists on the original system.  Moreover, as noted earlier, information
has not been traditionally regarded as property.  Dibbel [Dibbel90]
says that when the software industries and phone companies claim
losses of billions of dollars to piracy, they are not talking about
goods that disappear from the shelves and could have been sold.
 
We often say that breaking into a system implies a lack of caring
for the system's owner and authorized users.  But, one hacker says
that the ease of breaking into a system reveals a lack of caring
on the part of the system manager to protect user and company assets,
or failure on the part of vendors to warn managers about the
vulnerabilities of their systems.  He estimated his success rate
of getting in at 10-15%, and that is without spending more than an
hour on any one target system.  Another hacker says that he sees
messages from vendors notifying the managers, but that the managers
fail to take action.
 
Richard Pethia of CERT (Computer Emergency Response Team) reports
that they seldom see cases of malicious damage caused by hackers,
but that the break-ins are nevertheless disruptive because system
users and administrators want to be sure that nothing was damaged.
(CERT suggests that sites reload system software from secure backups
and change all user passwords in order to protect against possible
back doors and Trojan Horses that might have been planted by the
hacker.  Pethia also noted that prosecutors are generally called
for government sites, and are being called for non-government sites
with increasing frequency.)  Pethia says that break-ins also generate
a loss of trust in the computing environment, and may lead to adoption
of new policies that are formulated in a panic or management edicts
that severely restrict connectivity to outside systems.   Brian Harvey
says that hackers cause damage by increasing the amount of paranoia,
which in turn leads to tighter security controls that diminish the
quality of life for the users.  Hackers respond to these points by
saying they are the scapegoats for systems that are not adequately
protected.  They say that the paranoia is generated by ill-founded
fears and media distortions (I will return to this point later),
and that security need not be oppressive to keep hackers out; it
is mainly making sure that passwords and system defaults are
well-chosen.
 
Pethia says that some intruders seem to be disruptive to prove a
point, such as that the systems are vulnerable, the security personnel