The Hacker Chronicles - A Tour of the Computer Underground

home *** CD-ROM | disk | FTP | other *** search

/ The Hacker Chronicles - A…the Computer Underground / The Hacker Chronicles - A Tour of the Computer Underground (P-80 Systems).iso / phrk4 / phrack40.12 < prev next >

Wrap

Text File | 1992-10-02 | 51KB | 939 lines

==Phrack Inc.== Volume Four, Issue Forty, File 12 of 14 PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN Phrack World News PWN PWN PWN PWN Issue 40 / Part 1 of 3 PWN PWN PWN PWN Compiled by Datastream Cowboy PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN Scantronics BBS Seized By San Diego Police Department July 1, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By Knight Lightning and The Gatsby Special Thanks to Bruce Bigelo (San Diego Union-Tribune) "Multiplexor and The Crypt Keeper Spill Guts" A lot of stories have been circulating in the press over the past two months about hordes of credit card stealing computer hackers that were disrupting the economy of the United States. It all began with rumors about Multiplexor, a small time hacker that was thought to have spent some time in Long Island, New York and supposedly is from Indiana. The story was that Multiplexor had carded a plane ticket to San Diego to see a girl or meet some friends, but when he landed, he was met by the police instead. Where that information or the supposed "1,000 member hacker ring" theory came from, we might never know, but we know do know the facts in this case thanks to police reports and warrant affidavits supplied by the court and acquired by The Gatsby with help. That information and more is now available. For purposes of understanding the following, "SEMENICK" and "MARCOV" are both the same person. You might know him better under the names of Multiplexor or The Prisoner. Later in this file, you will see references to a person named Kevin Marcus who is better known to some as The Crypt Keeper. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - SAN DIEGO POLICE DEPARTMENT Investigators Follow-Up Report CASE NUMBER: N/A DATE: March 23, 1992 TIME: 1300 Hours SUBJECT: Damage Assessment of and Intelligence gathering on Illegal entry (Hacking) Computer Systems and the Illegal use of Credit Cards. SUSPECT: SEMENICK, John Edward AKA: MARCOV, Eric Edward VICTIM: Zales Jewelry Store LOCATION: 4465 La Jolla Village Drive, San Diego, CA DETECTIVE: Dennis W. Sadler (I.D.# 2486) On March 31, 1992, I received a ARJIS 4 form from Officer Smyth (I.D.# 3871) regarding some papers found by a Mr. Maurice Osborne at his residence. Mr. Osborne had asked an individual by the name of Eric MARCOV, who had rented a room from him, to leave. After MARCOV left the house, Mr. Osborne discovered some papers with what appeared to be credit card information on them. Mr. Osborne called the police and reported what he found. Officer Smyth collected the papers and wrote the attached report. After reviewing these papers, I learned that they did in fact contain some personal information on individuals which included the person's name, address, credit card number, card expiration date, and social security number. It appeared that the person who wrote these notes was possibly using this credit card information illegally. I contacted Mr. Osborne by phone on March 31st. He verified the contents of the report and he stated that he feels MARCOV may still be in town. On April 2nd, I was contacted by Mr. Osborne who learned that MARCOV was staying at a motel in the beach area named Sleepy Time. On April 2, 1992, while in the beach area, I came across the Sleepy Time Motel. I contacted the motel manager, William Gainok. I asked Mr. Gainok if he had a person registered there by the name of Eric MARCOV. He said that he did and that Marcov was in room number 108. At approximately 8:40 am, I knocked on the door to room number 108. A white male answered the door. I asked him if he was Eric MARCOV. He said yes. I identified myself as a San Diego Police Detective and told him that I needed to talk to him about some questionable credit card activity. As he opened the motel room door, I saw more papers like <those> given to me by Mr. Osborne laying on the floor near the door with more credit card information on them. After being invited into the motel room, I asked MARCOV if he knew why I was here. He said I think so. I asked MARCOV why he thought so. He said the credit cards. At this point, I was only interviewing MARCOV regarding the papers found at Mr. Osborne's residence. I had no active case or any evidence indicating that MARCOV was involved in, or a suspect of any criminal or illegal activity. I asked MARCOV if he had any I.D. on him. He said that he did not. MARCOV gave me the following information; Eric Edward MARCOV, DOB 05-15-74, then changed the year to 73. He said he was 18 going on 19. He did not know his social security number. When asked if he had a drivers' license, he said that he has never had one. MARCOV appeared to be between the age of 17 to 19 years old. While asking him about papers, he started talking about computers and gaining information from various systems. He talked for about 10 minutes. After that, I decided to call the FBI because hacking was involved in obtaining the credit card information and numbers, plus the information was coming from out of state. MARCOV also sounded like he knew a lot about computer hacking and was involved in it himself. At 8:58 am, I called the local office of the FBI and told them what I had and asked if they would be interested in talking with MARCOV. I asked MARCOV prior to calling the FBI, if he would be willing to talk with them about his computer activities. He agreed to talk with them. A short later Special Agent Keith Moses called me back at the motel. I explained to him what I had and what MARCOV was willing to talk about. After going over the case with Moses, he agreed to come out and talk with MARCOV. Both Moses and I interviewed MARCOV regarding his hacking activities and knowledge. MARCOV was extensively involved in the hacking community during the last four years and had some superior knowledge about what was happening in the hacker world. We later learned that he had been arrested for computer crimes in early 1991 in Indianapolis. We attempted to contact the investigators that worked that case, but we never received any calls back after numerous attempts. During the interview, I attempted to confirm MARCOV's true identity. I asked him for his parents' information. He said he did not remember their home phone numbers, but they had a phone. He also could not remember their home addresses. I asked him for his parents' employment information. He said that his father worked for a local (his home town) turbine company. I called the information number for the local phone company and then called the company to verify this information. However, the company's personnel office could not locate any employee matching the name given to me by MARCOV. MARCOV also gave me the school and year he graduated. I called the local school district's administrative office and discovered they had no record of MARCOV attending or graduating from their school system. I confronted him with this information and he finally gave me his true information. His true name was John Edward SEMENICK, DOB 05-15-75. I located his father's work number and contacted him. He was very uninterested about his son's whereabouts or condition. When asked if he would supply an airline or bus ticket for transportation home, he said he would not. His father further stated that when his son decided to come home, he'll have to find his own way. SEMENICK's parents are divorced and he lives with his father. However, we learned that his mother had filed a runaway report with the local sheriff's office. I contacted his mother and she seemed a little more concerned, but said she would not provide a ticket or funds for his return. I asked both parents if while John was in San Diego would they have any problems if their son assisted us in our investigation. I explained to them that he was not facing any known criminal charges at that point and that the information he would be giving us would be for damage assessment and intelligence gathering purposes on hackers Both parents stated that they had no problem with him assisting us if he was not being charged. Because SEMENICK was a juvenile and a runaway report was filed on him, we contacted the U.S. Attorney's office, the District Attorney's Juvenile Division, and the Juvenile Hall Probation Intake Officer for advice. They advised us that their was no problem with him giving us information. SEMENICK was booked into Juvenile hall as a runaway and then released to a halfway home for the evening. The intake officer explained to us that because his parents would not send for him, they would only keep him for one evening and then he would be let go on his own again the next day. After SEMENICK went through the runaway process and was being released, we picked him back up. The FBI agreed and furnished the fund's to put SEMENICK up in a hotel, give him living expenses, and then provide transportation for him home. SEMENICK was put up in a suite at the Mission Valley Marriott. He was allowed to do what he wanted while staying at the hotel and to see his friends at any time. During SEMENICK's stay at the Marriott, either myself or Agent Moses stayed in the hotel room next to SEMENICK's. During the three day stay at the hotel, SEMENICK was able to provide us with some very useful information and intelligence. It was not enough to make any arrest, but we obtained some very valuable information. We were not able to independently verify the information by another source. During the period of April 3rd to April 5th, 1992, SEMENICK contacted numerous persons by phone who were involved in computer hacking. SEMENICK willingly and voluntarily signed an FBI consent form giving us permission to record his phone calls during the course of our investigation. There were numerous tape recorded phone conversations involving at least 4 separate individuals. During this same period of time, information in data format was also downloaded from another individual's computer located on the East Coast to the computer we had set up. The information we received during the download was current credit records just obtained from CBI credit reporting company by this person, a CBI manual written in part by "Kludge" a San Diego hacker, and numerous other files/documents involving illegal activity such as "carding." "Carding" is a term used by the hacker community regarding the illegal or fraudulent use of credit cards or credit card numbers by hackers nationwide. SEMENICK stated that he had been a member of a local BBS called Scantronics when he was an active hacker. He stated that the board is run by a guy named "KLUDGE" and contains hundreds of files and documents. He said that most of these files and documents contained on "KLUDGE's" computer are "how to" manuals. This means that they instruct the person who obtains them through Scantronics BBS on how to do various things both legal and illegal. Some of the illegal activities that are covered on this BBS is carding, phone hacking, ATM fraud, and credit bureau information. We obtained three documents written by or put out by either "KLUDGE" or Scantronics BBS. THIS INVESTIGATION IS ONGOING AT THIS TIME AND FURTHER INFORMATION AND EVIDENCE WILL BE ADDED. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - SAN DIEGO POLICE DEPARTMENT Investigators Follow-Up Report CASE NUMBER: N/A DATE: April 30, 1992 TIME: 0700 Hours SUBJECT: Computer Hacking SUSPECT: N/A VICTIM: N/A LOCATION: N/A DETECTIVE: Dennis W. Sadler (I.D.# 2486) On April 16, 1992, I was contacted by Kevin Marcus. Marcus learned that we were investigating individuals who were illegally logging (hacking) into various computer systems nationwide. Marcus runs a local computer bulletin board system (BBS) called The Programmer's Paradise. Marcus was concerned about the illegal activities had had seen on various local BBSs and contacted me. Marcus also said that he had received computer messages from a person who goes by the name (handle) of Knight Lightning in New York who asked him if he heard anything about our investigation. Knight Lightning told Marcus that on April 3rd a reporter from San Diego by the name of Bigelo had contacted and talked to him about our ongoing investigation. -- -- -- -- -- -- -- -- Enclosure 1: Date: Fri, 10 Apr 1992 18:14:11 -500 To: knight@eff.org From: Craig Neidorf <knight@eff.org> Subject: Runaway Teen Hacker Picked Up? I was just contacted by a reporter in San Diego about a hacker case. Apparently there is a teenage hacker from Indiana who ran away from home to California to see some girl there. The local police and the FBI supposedly picked him up on April 3rd and he remains in their custody uncharged while he is telling them all sorts of information on hacker rings across the nation. Does anyone have any clues as to who this kid is or what's going on? :Knight Lightning -- -- -- -- -- -- -- -- Enclosure 2: Date: Thu, 16 Apr 1992 22:25:17 -0400 From: Craig Neidorf <knight@eff.org> To: tck@netlink.cts.com Subject: Re: Hi. Bruce Bigelo, Union Tribune. Left his number at the office. Nothing going on, but I understand that you called him. Craig -- -- -- -- -- -- -- -- Marcus offered to assist us. I asked if he knew of a BBS called Scantronics. He said that he did and that he had been a member of that BBS and view the files on that board in the past to see what the board carried. Marcus is a computer science major at a local college and is doing research in the anti- virus field. Marcus stated that the board carried a lot of technical data, but had nothing regarding his subject. Marcus also belongs to other local and out- of-state BBSs where he talks with other individuals with his same interest. Marcus stated that he was last on Scantronics BBS about a month ago and he had seen numerous computer files that involved CBI and carding. Carding is a term used by hackers who are involved in the illegal or fraudulent use of credit cards and their numbers. These credit card numbers are obtained from credit reporting companies such as CBI and TRW, by illegally accessing (hacking) their way into those company computers and reading or copying private individuals credit reports and information. Most copies of credit reports from these companies will show a person's name, current and previous addresses, social security number, employer, salary, and all current credit history including all credit cards and their account numbers. They <the hackers> then use these credit card numbers to obtain goods. If one of the hackers used an account number he found on a credit report that he illegally pulled from the credit reporting company, the victim would most likely not find out that their card had been illegally used until the next billing cycle which could be as much as 45 days after the illegal transaction took place. According to the credit card industry, this is one of the most risk free and safest way to commit credit card fraud. Marcus said that the person's name who ran this BBS was Jeremy. He did not know his last name, but the handle he is known by is "KLUDGE." I asked if he knew the phone number to this BBS and he gave me 423-4852. The BBS phone number, the operator's first name, and <the operator's> handle matched the information we had learned earlier. Marcus also gave me two disks <that> contained some files which had been downloaded (left on his BBS) by other persons on his system. He regularly checks his board and removes or deletes files regarding questionable or illegal activity such as carding. I viewed both of these disks and they contained some very interesting files. These files included various topics <such as> an auto theft manual, CBI manual, TRW manual, American Express card info, and many other files which if downloaded or copied by another person, that person could easily gain illegal access to various credit reporting companies and commit various other illegal types of activity. I told Marcus if he came across any further information regarding this type of activity or further information about the BBS called Scantronics to please contact me. On April 17, 1992, I met Marcus and he said that he had logged onto Scantronics last night by using an access number a friend gave him. This same friend had let him use his access number to gain access to this BBS on many prior occasions. He did this on his own, without any direction whatsoever from me or any other law enforcement official. Marcus handed me a 5 1/4" computer disk and said that it contained some file listings and a list of all validated users. Marcus also stated that the disk contained a copy of the messages that were sent to him through his BBS by the person in New York regarding our investigation [those messages displayed above from Knight Lightning]. He asked me if I wanted him to log on and see for myself what was on "KLUDGE's" BBS. I told him that I would have to consult with the D.A.'s office first. However, I was unable to get a hold of our D.A. liaison. I told <Marcus> that I'd get back with him later. After talking to D.A. Mike Carlton, I advised Marcus not to go into Scantronics BBS unless it was for his own information. However he said that if he came across any further information during his normal course of running his own BBS, he would notify me. -- -- -- -- -- -- -- -- [The police report also contained 60 pages of printouts of postings and text files found on Scantronics BBS. It is also made very clear that Kevin Marcus (aka The Crypt Keeper) accessed Scantronics BBS by using the password and account number of The Gatsby. Files include: - "Credit Bureau Information" which sounds harmless enough to begin with and turns out is actually a reprint of an article from the September 27, 1992 issue of Business Week Magazine - "Advanced Carding" by The Disk Jockey, which dates back to 1987. - "The Complete CBI Manual of Operations" by Video Vindicator and Kludge, dated October 10, 1991. Aftermath ~~~~~~~~~ On April 23, 1992, a search warrant was issued in the municipal court of the State of California in the county of San Diego which authorized the seizure of: A. All telephone company subscriber information to include service start date, copy of most current billing statement, current credit information, and location of telephone service to the following telephone numbers; (619)XXX-XXXX and (619)XXX-XXXX and any other telephone number information in any chain of call forwarding, to or from the listed phone numbers. B. All telephone company records which includes subscriber information, service start date, copy of most current billing statement, current credit information, and location of telephone service phone numbers to which calls are being forwarded to or from, from the listed phone numbers. CERTIFICATION TO DEFER NOTIFICATION TO SUBSCRIBER The Court finds there is substantial probable cause to believe notification to the subscriber whose activities are recorded in the records described above would impede or destroy this investigation. Accordingly, the court certifies the request of the San Diego Police Department that notification to the subscriber be deferred pending further order of this court. On April 30, 1992, a search warrant was issued in the municipal court of the State of California in the county of San Diego which authorized the search of Kludge's residence and the seizure of: All computer equipment and paraphernalia use in computer hacking, or apart of the BBS known as Scantronics which includes, but is not limited to monitor(s), keyboard(s), CPU(s), which may or may not contain hard disk drive(s), floppy drive(s), tape drive(s), CD rom drive(s), modem(s), fax/modem(s), all hard copies (paper copies) of any computer files which have been stored or currently stored on/in a computer system, all documents whether in hard or data form which show how to operate any computer program or computer file, all memory storage devices which may include hard disk drive(s), 5 1/4" and 3 1/2" computer memory storage disks, all computer memory storage and computer back up tapes, and all computer CD rom disks capable of computer data storage; and, documents and effects which tend to show dominion and control over said premises and computer system, including fingerprints, records, handwritings, documents and effects which bear a form of identification such as a person's name, photograph, social security number, or driver's license number and keys. The warrant was used immediately and Scantronics BBS and much more was seized. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - The Crypt Keeper Responds ~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Wed, 17 Jun 92 09:13:50 PDT From: tck@bend.UCSD.EDU (Kevin Marcus) To: knight@eff.org Subject: Hmm. I'll start at the beginning... On April 3rd, I arrived at my workplace (a computer store) around 3 pm. Multiplexor is sitting in the back with some FBI agent and Detective Dennis Sadler. The reason they chose my store for technical support is because Dennis and one of my managers are very good friends. I saw what was happening, and I saw Multiplexor call up Kludge's board and try to log on, but alas he was not validated. Nonetheless, that same day I told Gatsby and Kludge what was up, because they are/were my friends and I didn't want something bad to happen to them. A few days later, my boss suggested that I tell Dennis that I was on Kludge's board awhile ago, but that I was not anymore because they might have found something on me. So the next time I saw him (he comes in about once a week, still), I told him that I was on the board awhile ago, but that I wasn't anymore. He asked a few stupid questions and I didn't really say a whole bunch about. He eventually found out that I had warned Kludge about his board. I am not really sure how, I sure as heck didn't tell him. He then told me that I nearly blew their investigation and for interfering with an investigation the maximum penalty was like 5 years or something like that. He was getting ready to arrest me and take me down to the county courthouse when my boss was able to convince him that I was a good kid, not looking for trouble, and that I would get him something to re-strengthen. So, even though Dennis didn't tell me specifically to get something from Kludge's board, he told me that what he needed to get his case back up to par was an idea of what was on the board, like a buffering of his system. That night I called up Gatsby and got his password from him. I called and buffered. The next time that I saw him [Sadler], I told him what I had done. He wanted to know how I got on Kludge's board, and I told him through a friend's account. He asked me which friend, and I said "The Gatsby." He then started asking me a bunch of questions about Gatsby such as, "What is his real name?" And, at first I said that I didn't want to tell him, and then he said that I was withholding evidence and he could bust me on that alone. So I told him his name and that he lived in XXXXX (a suburb of San Diego). They already had him and Kludge in phone conversations over Kludge's line since it was taped for a while so they knew who he was in the first place. If Sadler didn't have anything hanging over my head, such as interfering with an investigation, and/or withholding evidence, then I would not have said jack, more than likely. My first contact with him was on suggestion of my boss, who is a good friend of his, and he might have told my boss something which made him worry and think that I would be arrested for something, I do not know. Now, if I was a nark, then I can assure you that a LOT more people would have gone down. I have a plethora of information on who is who, who is where, who does what, etc. and, even though it's old, I bet a lot of it is true. If I wanted there to be another Operation Sun-Devil, then I would have given all of that information to him. But I didn't, because that is not at all what I had wanted. I didn't want anyone to get busted (including myself) for anything. If I were a nark, then I would probably have given him a lot more information, wouldn't you think? I sure do. I am not asking anyone to forget about it. I know that I screwed up, but there is not a whole bunch about it that I can do right now. When Sadler was here asking me questions, it didn't pop into my mind that I should tell him to wait and then go and call my attorney, and then a few minutes later come back and tell him whatever my lawyer said. I was scared. _______________________________________________________________________________ Hackers Aren't The Real Enemy June 8, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By Chris Goggans (ComputerWorld)(Page 37) (Goggans is a 23-year old hacker who is currently seeking employment with anyone who won't make him cut his hair.) For years articles have been published about people who call themselves "hackers." These have been written by people who have investigated hackers, who have been the targets of hackers, who secure systems against hackers and who claim to know hackers. As a member of the so-called "computer underground," I would like to present the hacker's point of view. I hope you will put aside any personal bias you may have toward people who call themselves hackers because it is probably based on media reports rather than real contact. I also hope you won't refuse to read this because you have a problem with my ethics. Over the past 11 years, operating under the pseudonym Erik Bloodaxe, I had opportunities to become rich beyond the dreams of avarice and wreak great havoc on the world's computer networks. Yet I have done neither. I have looked behind doors that were marked "employees only" but have never disrupted the operation of business. Voyeurism is a far cry from rape. Illegal, but not criminal Undeniably, the actions of some hackers are illegal, but they are still hardly criminal in nature. The intention of most of these individuals is not to destroy or exploit systems but merely to learn in minute detail how they are used and what they are used for. The quest is purely intellectual, but the drive to learn is so overwhelming that any obstacle blocking its course will be circumvented. Unfortunately, the obstacles are usually state and federal laws on unauthorized computer access. The overwhelming difference between today's hackers and their 1960s MIT namesakes is that many of my contemporaries began their endeavors too young to have ready access to computer systems. Few 13-year-olds find themselves with system privileges on a VAX through normal channels. My own first system was an Atari 8-bit computer with 16K of memory. I soon realized that the potential of such a machine was extremely limited. With the purchase of a modem, however, I was able to branch out and suddenly found myself backed by state-of-the-art computing power at remote sites across the globe. Often, I was given access by merely talking to administrators about the weak points in their systems, but most often my only access was whatever account I may have stumbled across. Many people find it hard to understand why anyone would risk prosecution just to explore a computer system. I have asked myself that same question many times and cannot come up with a definitive answer. I do know that it is an addiction so strong that it can, if not balanced with other activities, lead to total obsession. Every hacker I know has spent days without sleep combing the recesses of a computer network, testing utilities and reading files. Many times I have become so involved in a project that I have forgotten to eat. Hackers share almost no demographic similarities: They are of all income levels, races, colors and religions and come from almost every country. There are some shared characteristics, however. Obsessive-compulsive behavior (drug or alcohol abuse, gambling, shoplifting) is one. Others have a history of divorce in their families, intelligence scores in the gifted to genius level, poor study habits and a distrust of any authority figure. Most hackers also combine inherent paranoia and a flair for the romantic -- which is apparent in the colorful pseudonyms in use throughout the hacker community. In most cases, however, once hackers reach college age -- or, at minimum, the age of legal employment -- access to the systems they desire is more readily available through traditional means, and the need to break a law to learn is curtailed. Popular media has contributed greatly to the negative use of the word "hacker." Any person found abusing a long-distance calling card or other credit card is referred to as a hacker. Anyone found to have breached computer security on a system is likewise referred to as a hacker and heralded as a computer whiz, despite the fact that even those with the most basic computer literacy can breach computer security if they put their minds to it. Although the media would have you believe otherwise, all statistics show that hackers have never been more than a drop in the bucket when it comes to serious computer crime. In fact, hackers are rarely more than a temporary nuisance, if they are discovered at all. The real danger lies in the fact that their methods are easily duplicated by people whose motives are far more sinister. Text files and other information that hackers write on computer systems can be used by any would-be corporate spy to help form his plan of attack on a company. Given that almost everyone is aware of the existence and capabilities of hackers -- and aware of how others can go through the doors hackers open -- the total lack of security in the world's computers is shocking. Points of entry The primary problem is poor systems administration. Users are allowed to select easily guessed passwords. Directory permissions are poorly set. Proper process accounting is neglected. Utilities to counter these problems exist for every operating system, yet they are not widely used. Many systems administrators are not provided with current information to help them secure their systems. There is a terrible lack of communication between vendors and customers and inside the corporate community as a whole. Rather than inform everyone of problems when they are discovered, vendors keep information in secret security databases or channel it to a select few through electronic-mail lists. This does little to help the situation, and, in fact, it only makes matters worse because many hackers have access to these databases and to archives of the information sent in these mailing lists. Another major problem in system security comes from telecommunications equipment. The various Bell operating companies have long been the targets of hackers, and many hackers know how to operate both corporate and central office systems better than the technicians who do so for a living. Increased use of computer networks has added a whole new dimension of insecurity. If a computer is allowed to communicate with another on the same network, every computer in the link must be impenetrable or the security of all sites is in jeopardy. The most stunning examples of this occur on the Internet. With such a wide variety of problems and so little information available to remedy them, the field of computer security consulting is growing rapidly. Unfortunately, what companies are buying is a false sense of security. The main players seem to be the national accounting firms. Their high-cost audits are most often procedural in nature, however, and are rarely conducted by individuals with enough technical expertise to make recommendations that will have a real and lasting effect. Ultimately, it is the responsibility of the systems administrators to ensure that they have the proper tools to secure their sites against intrusion. Acquiring the necessary information can be difficult, but if outsiders can get their hands on this information, so can the people who are paid to do the job. _______________________________________________________________________________ THE GREAT DEBATE Phiber Optik v. Donn Parker Cyberpunk Meets Mr. Security June 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By Jonathan Littman (PC Computing Magazine)(Page 288) The boy cautiously approached the table and asked the tall, distinguished bald gentleman in the gray suit if he could join him. The boy's conference name tag read Phiber Optik; the gentleman's read Donn Parker. One was a member of the Legion of Doom, the infamous sect of teenage hackers charged with fraud, conspiracy, and illegal computer access in 1990; the other was a legendary security expert. The unlikely pair had been brought together by an unusual gathering, the nation's first Computers, Freedom, and Privacy conference, held in the San Francisco Bay Area on the last weekend of March 1991. They were part of an eclectic mix of G-men, Secret Service agents, prosecutors, privacy advocates, and hackers who had come to see the other side up close. Only weeks before, Optik's laptop computer had been seized by state police in an investigation begun by the Secret Service. Optik and fellow hackers Acid Phreak and Scorpion were among the first to come under the scrutiny of the Secret Service in the days of Operation Sun Devil, a 14-city sweep in the spring of 1990 that resulted in 42 seized computers, 23,000 confiscated disks, and four arrests. The criminal charges brought against Optik and his cohort included illegal computer access and trading in stolen access codes. Optik, a juvenile at the time of his initial questioning, spent a day in jail and was later convicted of a misdemeanor for theft of services. Parker knew the story well. Over the last two decades, the former Lutheran Sunday school teacher has interviewed dozens of criminals to whom computers were simply the tools of the trade. Along the way, he earned a worldwide reputation as the bald eagle of computer crime. Parker speaks frequently to law-enforcement agencies and corporations as a consultant to SRI International, a leading research and management firm based in Menlo Park, California. His books Fighting Computer Crime and Crime by Computer, countless articles, and a large Justice Department study on computer ethics have established him as the foremost authority on the hacker psyche. PARKER: How do you view the ethics of getting into someone's computer system? OPTIK: I know what your point of view is because I've read your papers and I've listened to you talk. I know that you think any entry, you know, any unauthorized entry, is criminal. I can't say I agree with that. I do agree that anyone who's an impressionable teenager, who's on the scene and wants to break into as many computers as is humanly possible to prove a point, has the potential to do damage, because they're juveniles and have no idea what they're doing, and they're messing around in places that they have no business being. At the time, I was 17 years old and still a minor. There was no way I was going to be able to buy a Unix, a VAX, my own switching system. These are the things I'm interested in learning how to program. It would not have been possible to access this type of computer development environment had I not learned how to break into systems. That's the way I see it. PARKER: What are you doing at this conference? What's your purpose? OPTIK: Basically I want to be exposed to as many people as possible and hear as many people's views as I can. PARKER: What's your ultimate purpose then-what would you like to do as far as a career? Do you think this is a way for you to get into a career? OPTIK: Well, of course, I hope to enter the computer industry. Just by being here, I hope to talk to people like you, the many people who are professionals in the field, hear their views, have them hear my views. See, the thing I regret the most is that there is this communication gap, a lack of dialogue between people who proclaim themselves to be hackers and people who are computer professionals. I think if there were a better dialogue among the more respectable type of hackers and the computer professionals, then it would be a lot more productive. PARKER: How do you tell the difference between a more responsible type of hacker? OPTIK: I realize that its a very big problem. I can see that it's pretty impossible to tell, and I can clearly understand how you come to the conclusions that you initially state in your paper about how hackers have been known to cheat, lie, and exaggerate. I experienced that firsthand all the time. I mean, these people are generally like that. Just keep in mind that a large number of them aren't really hardcore hackers -- they're impressionable teenagers hanging out. Its just that the medium they're using to hang out is computers. I don't consider myself part of that crowd at all. I got into computers early on. Like when I was entering junior high school. I was really young, it must have been preteen years. I'm talking about 12 or 13 years old when I got a computer for Christmas. I didn't immediately go online. I'm not one of these kids today that get a Commodore 64 with a modem for Christmas because they got good grades on their report card. The reason I would have called myself a hacker is, I was hacking in the sense of exploring the world inside my computer, as far as assembly language, machine language, electronics tinkering, and things of that nature. That truly interested me. The whole social online thing I could really do without because that's where these ideas come from. You know, this whole negative, this bad aftertaste I get in my mouth when I hear people put down the whole hacking scene. Its because of what they're hearing, and the reason they're hearing this is because of the more outspoken people in this "computer underground" and the twisted coverage in the media, which is using this whole big hype to sell papers. And the people who are paying the price for it are people like me; and the people who are getting a twisted view of things are the professionals, because they're only hearing the most vocal people. It's another reason why I'm here, to represent people like myself, who want other people to know there are such things as respectable hackers. You know hacking goes beyond impressionable young teenage delinquents. PARKER: How would you define hacking? OPTIK: It's this overall wanting to understand technology, to be able to communicate with a machine on a very low level, to be able to program it. Like when I come upon a computer, it's like my brain wants to talk to its microprocessor. That's basically my philosophy. PARKER. And does it matter to you who actually owns the computer? OPTIK: Usually it does. Oh, at first it didn't matter. The mere fact of getting into Unix, and learning Unix, was important enough to warrant me wanting to be on the system. Not because of information that was in there. I really don't care what the information is. You know there's that whole Cyberpunk genre that believes information should be free. I believe in computer privacy wholly. I mean if someone wants something to be private, by all means let it be private. I mean, information is not meant for everyone to see if you design it as being private. That's why there is such a thing as security. If someone wants to keep something private, I'm not going to try to read it. It doesn't interest me. I couldn't care less what people are saying to each other on electronic mail. I'm there because I'm interested in the hardware. PARKER: How is anyone else going to know that you're not interested in reading their private mail? OPTIK: That's a problem I have to deal with. There's not a real solution in the same way that there's no way that you're really going to be able to tell whether someone's malicious or not. Hackers do brag, cheat, and exaggerate. They might tell you one thing and then stab you in the back and say something else. PARKER: I've interviewed over 120 so-called computer criminals. OPTIK: Right. PARKER: I've interviewed a lot of hackers, and I've also interviewed a lot of people engaged in all kinds of white-collar crime. OPTIK: Yeah. PARKER: And it seems to me that the people I have talked with that have been convicted of malicious hacking and have overcome and outgrown that whole thing have gone into legitimate systems programming jobs where there is great challenge, and they're very successful. They are not engaged in malicious hacking or criminal activity, and they're making a career for themselves in technology that they love. OPTIK: Right. PARKER: Why couldn't you go that route? Why couldn't you get your credentials by going to school like I did and like everybody else did who functions as a professional in the computer field, and get a challenging job in computer technology? OPTIK: I certainly hope to get a challenging job in computer technology. But I just feel that where I live, and the way the school system is where I am, it doesn't cater to my needs of wanting to learn as much about technology as fast as I want to learn. PARKER: Yeah, but one of the things you have to learn, I guess, is patience, and you have to be willing to work hard and learn the technology as it's presented. OPTIK: You know, you just have to remember that by being able to go places that people shouldn't, I'm able to learn things about technology that schools don't teach. It's just that programs in local colleges where I am, they couldn't even begin to grasp things that I've experienced. PARKER: OK, so you want instant gratification then. OPTIK: It's not so much gratification . . . PARKER: You're not willing to spend four years in a-- OPTIK: I certainly am willing to go to college. PARKER: Uh huh. OPTIK: I definitely intend to go to college; I just don't expect to learn very much concerning technology. I do expect to learn some things about technology I probably didn't know, but I don't expect to be exposed to such a diverse amount of technology as in my teenage years. PARKER: OK, well, I can see impatience and a lack of opportunity to do all that stuff very quickly, but-- OPTIK: I wouldn't go so far as to call it impatience. I'd call it an eagerness to learn. PARKER: Eagerness to learn can be applied in the establishment process of education in all kinds of ways. You can excel in school. OPTIK: I was never Mr. Academia, I can tell you that right off the bat. I don't find much of interest in school. Usually I make up for it by reading technology manuals instead. PARKER: How are you going to spend four years in school if you've already decided you're really not suited to be in school? OPTIK: Well, it's not so much school as it is that I feel constrained being in high school and having to go through junior high school and high school because of the way the educational program are tailored to like, you know -- PARKER: Well, if you hold this direction that you're going right now, you could very well end up as a technician repairing equipment, maintaining computers, and you could very well end up in a dead-end job. In order to break into a higher level of work, you need a ticket, you need a degree, you have to prove that you have been able to go to school and get acceptable grades. The route that you're going doesn't seem to me to lead to that. Now there are some people who have managed to overcome that, OK -- Geoff Goodfellow. Steve Wozniak. But those people are 1 out of 100,000. All the other 99,000-odd people are technicians. They're leading reasonable lives, making a reasonable income, but they're not doing very big things. They're keeping equipment running. OPTIK: Yeah. PARKER: And if you have all this curiosity and all this drive and this energy (which is what it takes), and you go a route that gets you to a position where you can do real, exciting, advanced research . . . I mean, I've talked to a lot of hackers. I'm thinking of one in Washington, D.C., who was convicted of a computer crime. He went back to school, he's got his degree, and he has a very top systems programming job. He said he finally reached a point where he decided he had to change the way he was going about this, because the way things were going, the future for him was pretty bleak. And it seems to me, hopefully, you may come to a realization that to do important things, exciting things, ultimately you've got to learn the computer-science way of presenting operating systems, and how to write programs of a very large, complex nature. Have you ever done that, have you ever written a really big computer program? OPTIK: I've written this . . . PARKER: There's a discipline involved that has to do with learning how to be an engineer. It takes a tremendous amount of education and discipline. And it sounds to me like you lack the discipline. You want instant gratification, you want to be an expert now. And you end up being an expert all right, but in a very narrow range of technology. You learn the Novell LAN, you learn some other aspect, you learn about a telephone company's switching system. That doesn't lead to a career in designing and developing systems. That leads to a career in maintaining the kind of hardware that you've been hacking. And it seems to me you've got to go back and learn the principles. What are the basic principles of an operating system? What are the basic principles of access control? Until you've gone back and learned those basics, you're flying by the seat of your pants, and just picking up odds and ends of stuff that you can grab quickly. OPTIK: I don't see it so much as grabbing things quickly. I've put a lot of time into studying very detailed things. It's not so much popping in and popping out and whatever I find I'm glad I found it. I do spend a lot of time studying manuals and things. PARKER: Manuals are not going to do it. All you do in learning a manual is learn the current equipment and how it works. If you studied Donald Kanuth's volumes on computer science programming and computer sciences, you would learn the theory of computer programming, you would learn the operating system theory, you would learn the theory that is the foundation on which all of these systems are built. OPTIK: But that's the thing I guess I don't do. I was never much concerned with theory of operation. I was always concerned with how things work, and how I can use them. Like how to program. I'll admit I was never much into theory. It never interested me. Like with what I do-theory really doesn't play any role at the present time. Of course, that's subject to change at any time. I'm rather young . . . A FRIEND WHISPERED in Optik's ear that it was time to go. Still locked in debate, the hacker and the security man left the table and walked together toward the escalator. In profile, at the bottom of the moving stairs, they were an odd couple: Optik with his shiny, jet black hair, Parker with his shiny dome. Parker was speaking calmly, warning Optik that one day hacking wouldn't seem so boundless, that one day his opportunities wouldn't seem quite so vast. Optik fidgeted, glancing away. Conference attendees filed up the escalator. "I don't want to be a hacker forever," blurted Optik. The next afternoon the bank of hotel phones was crowded with business people and conference attendees punching in to get their messages and make their calls. There was Optik, wedged between the suits, acoustic coupler slipped over the phone receiver, a laptop screen flickering before his eyes, his hands flitting over the keys. He was still young. _______________________________________________________________________________ Downloaded From P-80 International Information Systems 304-744-2253 12yrs+