hackers who break into computer systems.txt

1000 HOWTOs for various needs [WINDOWS]

are incompetent, or ``it's not nice to say bad things about hackers.''
In the N.Y. Times, John Markoff [Markoff90] wrote that the hacker
who claimed to have broken into Cliff Stoll's system said he was
upset by Stoll's portrayal of hackers in ``The Cuckoo's Egg''
[Stoll90].   Markoff reported that the caller said: ``He [Stoll]
was going on about how he hates all hackers, and he gave pretty much
of a one-sided view of who hackers are.''
 
``The Cuckoo's Egg'' captures much of the popular stereotypes of
hackers.  Criminologist Jim Thomas criticizes it for presenting a
simplified view of the world, one where everything springs from the
forces of light (us) or of darkness (hackers) [Thomas90].  He claims
that Stoll fails to see the similarities between his own activities
(e.g., monitoring communications, ``borrowing'' monitors without
authorization, shutting off network access without warning, and lying
to get information he wants) and those of hackers.  He points out
Stoll's use of pejorative words such as ``varmint'' to describe
hackers, and Stoll's quote of a colleague: ``They're technically
skilled but ethically bankrupt programmers without any respect for
others' work -- or privacy.  They're not destroying one or two
programs.  They're trying to wreck the cooperation that builds our
networks.'' [Stoll90, p. 159]  Thomas writes ``at an intellectual
level,  [Stoll] provides a persuasive, but simplistic, moral imagery
of the nature of right and wrong, and provides what -- to a lay reader
-- would seem a compelling justification for more statutes and severe
penalties against the computer underground.  This is troublesome
for two reasons.  First, it leads to a mentality of social control
by law enforcement during a social phase when some would argue we
are already over-controlled.  Second, it invokes a punishment model
that assumes we can stamp out behaviors to which we object if only
we apprehend and convict a sufficient number of violators. ...  There
is little evidence that punishment will in the long run reduce any
given offense, and the research of Gordon Meyer and I suggests that
criminalization may, in fact, contribute to the growth of the computer
underground.''
 
 
6. Public Image and Treatment
 
Hackers express concern about their negative public image and
identity.  As noted earlier, hackers are often portrayed as being
irresponsible and immoral.  One hacker said that ``government
propaganda is spreading an image of our being at best, sub-human,
depraved, criminally inclined, morally corrupt, low life.  We need
to prove that the activities that we are accused of (crashing systems,
interfering with life support equipment, robbing banks, and jamming
911 lines) are as morally abhorent to us as they are to the general
public.''
 
The public identity of an individual or group is generated in part
by the actions of the group interacting with the standards of the
community observing those actions.  What then accounts for the
difference between the hacker's public image and what they say about
themselves?  One explanation may be the different standards.  Outside
the hacking community, the simple act of breaking into systems is
regarded as unethical by many.  The use of pejorative words like
``vandal'' and ``varmint'' reflect this discrepency in ethics.  Even
the word ``criminal'' carries with it connotations of someone evil;
hackers say they are not criminal in this sense.  Katie Hafner notes
that Robert Morris, who was convicted of launching the Internet worm,
was likened to a terrorist even though the worm did not destroy data
[Hafner90].
 
Distortions of events and references to potential threats also create
an image of persons who are dangerous.  Regarding the 911 incident
where a hacker downloaded a file from Bell South, Goldstein reported
``Quickly, headlines screamed that hackers had broken into the 911
system and were interfering with emergency telephone calls to the
police.  One newspaper report said there were no indications that
anyone had died or been injured as a result of the intrusions.  What
a relief.  Too bad it wasn't true.'' [Goldstein90]  In fact, the
hackers involved with the 911 text file had not broken into the 911
system.  The dollar losses attributed to hacking incidents also are
often highly inflated.
 
Thomas and Meyer [ThomasMeyer90] say that the rhetoric depicting
hackers as a dangerous evil contributes to a ``witch hunt'' mentality,
wherein a group is first labeled as dangerous, and then enforcement
agents are mobilized to exorcise the alleged social evil.  They see
the current sweeps against hackers as part of a reaction to a broader
fear of change, rather than to the actual crimes committed.
 
Hackers say they are particularly concerned that computer security
professionals and system managers do not appear to understand hackers
or be interested in their concerns.  Hackers say that system managers
treat them like enemies and criminals, rather than as potential helpers
in their task of making their systems secure.  This may reflect
managers' fears about hackers, as well as their responsibilities
to protect the information on their systems.  Stallman says that
the strangers he encounters using his account are more likely to
have a chip on their shoulder than in the past; he attributes this
to a harsh enforcer mentality adopted by the establishment.  He says
that network system managers start out with too little trust and
a hostile attitude toward strangers that few of the strangers deserve.
One hacker said that system managers show a lack of openness to those
who want to learn.
 
Stallman also says that the laws make the hacker scared to communicate
with anyone even slightly ``official,'' because that person might
try to track the hacker down and have him or her arrested.  Drake
raised the issue of whether the laws could differentiate between
malicious and nonmalicious hacking, in support of a ``kinder, gentler''
relationship between hackers and computer security people.  In fact,
many states such as California initially passed computer crime laws
that excluded malicious hacking; it was only later that these laws
were amended to include nonmalicious actions [HollingerLanza-Kaduce88].
Hollinger and Lanza-Kaduce speculate that these amendments and other
new laws were catalyzed mainly by media events, especially the reports
on the ``414 hackers'' and the movie ``War Games,'' which created
a perception of hacking as extremely dangerous, even if that perception
was not based on facts.
 
Hackers say they want to help system managers make their systems
more secure.  They would like managers to recognize and use their
knowledge about design flaws and the outsider threat problem.
Landreth [Landreth89] suggests ways in which system managers can
approach hackers in order to turn them into colleagues, and Goodfellow
also suggests befriending hackers [Goodfellow83].  John Draper (Cap'n
Crunch) says it would help if system managers and the operators of
phone companies and switches could coopererate in tracing a hacker
without bringing in law enforcement authorities.
 
Drake suggests giving hackers free access in exchange for helping
with security, a suggestion that I also heard from several hackers.
Drake says that the current attitude of treating hackers as enemies
is not very conducive to a solution, and by belittling them, we only
cause ourselves problems.
 
I asked some of the hackers whether they'd be interested in breaking
into systems if the rules of the ``game'' were changed so that instead
of being threatened by prosecution, they were invited to leave a
``calling card'' giving their name, phone number, and method of
breaking in.  In exchange, they would get recognition and points
for each vulnerability they discovered.  Most were interested in
playing; one hacker said he would prefer monetary reward since he
was supporting himself.  Any system manager interested in trying
this out could post a welcome message inviting hackers to leave their
cards.  This approach could have the advantage of not only letting
the hackers contribute to the security of the system, but of allowing
the managers to quickly recognize the potentially malicious hackers,
since they are unlikely to leave their cards.  Perhaps if hackers
are given the opportunity to make contributions outside the
underground, this will dampen their desire to pursue illegal activities.
 
Several hackers said that they would like to be able to pursue their
activities legally and for income.  They like breaking into systems,
doing research on computer security, and figuring out how to protect
against vulnerabilities.  They say they would like to be in a position
where they have permission to hack systems.  Goodfellow suggests
hiring hackers to work on tiger teams that are commissioned to locate
vulnerabilities in systems through penetration testing.  Baird
Info-Systems Safeguards, Inc., a security consulting firm, reports
that they have employed hackers on several assignments [Baird87].
They say the hackers did not violate their trust or the trust of
their clients, and performed in an outstanding manner.  Baird believes
that system vulnerabilities can be better identified by employing
people who have exploited systems.
 
One hacker suggested setting up a clearinghouse that would match
hackers with companies that could use their expertise, while
maintaining anonymity of the hackers and ensuring confidentiality
of all records.  Another hacker, in describing an incident where
he discovered a privileged account without a password, said ``What
I (and others) wish for is a way that hackers can give information
like this to a responsible source, AND HAVE HACKERS GIVEN CREDIT
FOR HELPING! As it is, if someone told them that `I'm a hacker, and
I REALLY think you should know...' they would freak out, and run
screaming to the SS [Secret Service] or the FBI. Eventually, the
person who found it would be caught, and hauled away on some crazy
charge.  If they could only just ACCEPT that the hacker was trying
to help!''  The clearinghouse could also provide this type of service.
 
Hackers are also interested in security policy issues.  Drake expressed
concern over how we handle information about computer security
vulnerabilities.  He argues that it is better to make this information
public than cover it up and pretend that it does not exist, and cites
the CERT to illustrate how this approach can be workable.  Other
hackers, however, argue for restricting initial dissemination of
flaws to customers and users.  Drake also expressed concern about
the role of the government, particularly the military, in
cryptography.  He argues that NSA's opinion on a cryptographic standard
should be taken with a large grain of salt because of their code
breaking role.
 
Some security specialists are opposed to hiring hackers for security
work, and Eugene Spafford has urged people not to do business with
any company that hires a convicted hacker to work in the security
area [ACM90].  He says that ``This is like having a known arsonist
install a fire alarm.''   But, the laws are such that a person can
be convicted for having done nothing other than break into a system;
no serious damage (i.e., no ``computer arson'') is necessary.  Many
of our colleagues admit to having broken into systems in the past,
e.g., Geoff Goodfellow [Goodfellow83] and Brian Reid [Frenkel87];
Reid is quoted as saying that because of the knowledge he gained
breaking into systems as a kid, he was frequently called in to help
catch people who break in.  Spafford says that times have changed,
and that this method of entering the field is no longer socially
acceptable, and fails to provide adequate training in computer science
and computer engineering [Spafford89].  However, from what I have
observed, many hackers do have considerable knowledge about
telecommunications, data security, operating systems, programming
languages, networks, and cryptography.  But, I am not challenging
a policy to hire competent people of sound character.  Rather, I am
challenging a strict policy that uses economic pressure to close
a field of activity to all persons convicted of breaking into
systems.   It is enough that a company is responsible for the behavior
of its employees.  Each hacker can be considered for employment based
on his or her own competency and character.
 
Some people have called for stricter penalties for hackers, including
prison terms, in order to send a strong deterrent message to hackers.
John Draper, who was incarcerated for his activities in the 1970's,
argues that in practice this will only make the problem worse.  He
told me that he was forced under threat to teach other inmates his
knowledge of communications systems.  He believes that prison sentences
will serve only to spread hacker's knowledge to career criminals.
He said he was never approached by criminals outside the prison,
but that inside the prison they had control over him.
 
One hacker said that by clamping down on the hobbyist underground,
we will only be left with the criminal underground.  He said that
without hackers to uncover system vulnerabilities, the holes will
be left undiscovered, to be utilized by those likely to cause real
damage.
 
Goldstein argues that the existing penalties are already way out
of proportion to the acts committed, and that the reason is because
of computers [Goldstein89].  He says that if Kevin Mitnick had
committed crimes similar to those he committed but without a computer,
he would have been classified as a mischief maker and maybe fined
$100 for trespassing; instead, he was put in jail without bail
[Goldstein89].  Craig Neidorf, a publisher and editor of the electronic
newsletter ``Phrack,'' faces up to 31 years and a fine of $122,000
for receiving, editing, and transmitting the downloaded text file
on the 911 system [Goldstein90].
 
 
7.  Privacy and the First and Fourth Amendments
 
The hackers I spoke with advocated privacy protection for sensitive
information about individuals.   They said they are not interested
in invading people's privacy, and that they limited their hacking
activities to acquiring information about computer systems or how
to break into them.  There are, of course, hackers who break into
systems such as the TRW credit database.  Emanuel Goldstein argues
that such invasions of privacy took place before the hacker arrived
[Harpers90].  Referring to credit reports, government files, motor
vehicle records, and the ``megabytes of data piling up about each
of us,'' he says that thousands of people legally can see and use
this data, much of it erroneous.  He claims that the public has been
misinformed about the databases, and that hackers have become
scapegoats for the holes in the systems.  One hacker questioned the
practice of storing sensitive personal information on open systems
with dial-up access, the accrual of the information, the methods
used to acquire it, and the purposes to which it is put.  Another
hacker questioned the inclusion of religion and race in credit records.
 
Drake told me that he was concerned about the increasing amount of
information about individuals that is stored in large data banks,
and the inability of the individual to have much control over the
use of that information.  He suggests that the individual might be
co-owner of information collected about him or her, with control
over the use of that information.  He also says that an individual
should be free to withhold personal information, of course paying
the consequences of doing so (e.g., not getting a drivers license
or credit card).  (In fact, all Federal Government forms are required
to contain a Privacy Act Statement that states how the information
being collected will be used and, in some cases, giving the option
of withholding the information.)
 
Goldstein has also challenged the practices of law enforcement agencies
in their attempt to crack down on hackers [Goldstein90].  He said
that all incoming and outgoing electronic mail used by ``Phrack''
was monitored before the newsletter was shutdown by authorities.