Hackers - the plague of the net?

"Hacking crimes," said Judge Stanton "constitute a real threat to the expanding information highway."
The Prisoner: Phiber Optik Goes Directly to Jail
by Julian Dibbell
(First published in The Village Voice, January 12, 1994)
http://www.levity.com/julian/phiber.html


And there's a saying in the computer underground: If you're a good hacker,
everyone knows your name. If you're a great hacker, no one knows who you are.

It is quite common nowadays to see articles in the news and papers about the hackers causing trouble to the newly developed internet commerce. Who are they and why they do such things? Has it always been like this?

I am going to write about the cyberpunk, which is a sort of the underground of the cyberculture. Cyberculture exist solely in the cyberspace, a concept first probably used by William Gibson in his book Neuromancer (1984). There are lot of writings on the history of the internet in the net. Thus I am not going to go into writing about the first programmer, who happened to be a lady, about the early hackers, born into the cyberspace even before it existed back in the end of the 1800's, about the first cracker, who was an Englishman called Alan Mathison Turing or about the early days of the ARPANET back in the 1960's. You can find plenty of information of those from any of the search engines available in the net.

Using links in a paper published in the net seems like a good idea until the links expire. I have visited enough many web sites with extremely interesting looking but unfortunately outdated links to learn to hate them. That is why I try to limit the number of the links pointing outside this page. I have included some links of importance, but if they don't link, remember that given the amount of the links with an "expiration date", even God would have outdated links on his homepage. I have collected some links to a page dealing with the cyberpunk movement, hackers, crackers, legal issues etc. There is also a short glossary of the most commonly used terms in the writing linked to the site. I invite you also to read more of the history and development of the cyberspace in the internet. For example Howard Rheingold's site is a good one.

What is a hacker?

The first "hackers" were born in 1878 alongside of The Bell Telephone Company. They were just teenage boys, who were hired to run the swichboards of the company, doing practical jokes, misconnecting calls etc. No wonder the company hired female operators from there on.

The theory of a digital computer was published in 1936 and in the forties came the first tube computers. The first real computer hackers appeared in the 1960's. The meaning of the word "hack" was originally a programming shortcut used to make the slow computers complete tasks faster. Some of the hacks were actually better than the original programs they were written to aid. "Hacker" meant a person who writes computer programs. That was in the 1960's.

In the 70's the cyber frontiers were explored with unprecedented enthusiasm. In 1970 John Draper, also known by his handle Cap'n Crush, introduced the techniques of making free phone calls. Although he is widely credited for discovering the 2600 Hz tone necessary to authorize a call, he states in his own homesite (given that the site was not a fraud) that he actually did not himself invent it, but some blind kids, who had known about it for quite some time, taught him the technique. The phreakers were born and started to investigate the tecnologies connected to the telephones. Hacking practises expanded from computer programming to figuring out the grammar of the wired world. There was always something new to be learned and explored. It was the times of the wild wired west.

In 1978 Randy Seuss and Ward Christiansen, both originating from Chicago created the first personal-computer bulletin-board system (BBS). It has been in operation even in the late 1990's. This made possible the frequent meetings of the habitants of the cybercommunity. One could regard this also as the real beginning of the cyberspace. There was for the first time a common medium for the hackers to meet.

In 1981 International Business Machines, better known as IBM announced a new computer, they called it personal computer. As the decade advanced the Arpanet morphed into the internet and bulletin-board system proved to be a huge success.

The government had been following the progress in the cyberspace already in the 1980's. In 1986 the Federal Computer Fraud and Abuse Act passed by Congress was enacted. The first person to be sentenced under this law was Robert Morris, who in 1988 caused the crashing of 6 000 computers hooked onto the internet with his internet worm.

Also hacker groups were formed in the early years of the 1980's. The 414's, Legion of Doom (LOD), and Masters of Deception (MOD) were the better known for their criminal activity. Two of the latter engaged in a hacker war against each other in 1990-1992 jamming phone lines, monitoring calls, and tresspassing in each other's private computers. In the end the authorities ended the war. The leading figure of MOD, called Phiber Optik (also known as Mark Abene), was sentenced to one year in Federal Prison alongside four other members of the group. It has been called an end of an era.

In the 1990's there were more hackers sentenced to prison. Kevin Mitnick and Kevin Poulsen were the more prominent ones. The power of a skillfull hacker terrified the regular net users. As the internet started to develop into a market place its users started to demand more protection. The hackers were seen as criminals. Someone wrote that it meant the end of the frontier. No more wild, wild west. The anarchy started to fade away and was replaced by laws regulating the use of the internet.

Where are the hackers at the moment? On could write that they are all over the place. The fools are caught and sentenced, the crafty ones may still be surfing and hacking into the systems learning more and keeping the original spirit of hacking alive. There has been a change in thinking concerning hacking in general though. If the online outlaws were once seen as romantic cowboy figures, it may not be so cool anymore. The most obvious reason for this developement is that the hackers have caused problems not only to big giant corporations, but to the ordinary net user as well, by messing up credit card information.

On the other hand there are signs that the internet is been used by far more sophisticated groups trying to advance different causes. Any modern company will suffer losses from a well organized net attack, let alone the companies operating solely in the internet. These operations are likely to become more powerful and vicious as the transnational corporations claim even more power over the governments and countries as well. I found in the net a site of a group who calls itself the Electrohippies. They define their goal in the following paragraph:

[T]his site is all about taking action, and undertaking civil disobedience, using the core of modern society - it's electronic information and communications infrastructure. Why? Because technology enables a lot of the destruction that takes place in the world, but like most technology it is not innately bad - it's just the people who are in charge of it. Technology also allows people to have anonymity because their communications and planning are kept remote from the public arena.
What we're out to do is change all that by extending the philosophy of activism and direct action into the 'virtual' world of electronic information exchange and communications. Of course, in the scale of things we can't hope to be more effecting than an annoying mosquito. But we can let them know that the[y] can't use technology as a veil to obscure the public's concern about the future of the planet. http://www.gn.apc.org/pmhp/ehippies/backgnd.htm

The potential of the net for terrorizing activities continues to rise as the western world relies to even greater extent on the net. As the core functions of a city -- for example the daily groceries -- is operated in the net, the possibilities are endless. Think about the chaos caused in the cities by an abrupt break in the food distributions chain. The effects of a well-designed net attack does not stop at causing financial damage to few isolated corporations.

The internet has already been used to aid waging wars. Mexico and Kosovo were the more recent examples. In the future a war between two industrialized countries would definitely also mean an information war: which party can better damage the enemy's internet services? Maybe the future wars are waged entirely in the electronic environment. Although this sounds like a clean and peaceful way of fighting, the damages to the society make it possibly even more cruel than the oldfashioned wars.

The philosophy of hacking

True hackers don't learn from books. They work with very little information and go out and find things on their own, instead of learning it from someone. This applies to computers as well.
John T. Draper
http://www.webcrunchers.com/crunch/FAQ.html

There is a unwritten hacker's ethic: "You can smell the flowers, but do not pick them up. As long as nothing is damaged there is nothing to regret."
Hacks, a documentary
by Christine Bader
http://defcon.org/html/defcon-media-archives.html

The first of the above quotes from one of the early phreaks, John Draper, defines well the essence of a hacker. The Jargon File, a compendium of hacker slang started by Raphael Finkel of Stanford's Artificial Intelligence Lab back in 1975 states that a hacker is "a person who enjoys exploring the details of programmable systems", but also "a malicious meddler who tries to discover sensitive information by poking around". Even though some hackers in the 1980's tried to introduce word "cracker" to discribe a person intruding a system with malicious goals, the press has adopted the word "hacker" in widespread use.

There are different ethical codes concerning the hackers. They can be divided to two groups much the same way the above quoted Jargon File defines. First there is the school of old hackers, who keep it sacred that the hacker never erases the system or causes any trouble. Old hackers have great respect for the systems they hack. They never steal information or intentionally do damage to the system. They only try to learn more about the functions of the net and computers. Read more on the original hackers ethic.

Secondly there is a large group of hackers, anything from those who have some kind of ethical code to those who do not have any. There are hackers who believe and claim that they are not doing anything illegal. The second quote speaks about this view. On the other hand one does not have to define oneself a hacker in order to accomplish crimes in the net:


An on-line travel-services firm recently found a gaping security hole on a competitor's Web site. It exploited the weakness by copying customers' credit card numbers from its competitor's site. Then the firm sought to discredit its competitor by showing that information to a corporation that both travel companies were wooing as a partner, according to David Rhoades, a computer security expert familiar with the January incident. "Just another drive-by shooting on the information superhighway," said Rhoades, of Security Group in Atlanta, hired by the victimized firm to close the hole.
http://chicagotribune.com/tech/economy/article/0,2669,ART-41907,FF.html
Security gaps dot Internet landscape
by Frank James
Chicago Tribune, February 12, 2000

Hackers can be seen connected on the one side to criminal and vandalizing activities and to anarchaic thinking and eastern philosophy on the other. The old school of hackers identifies to the latter, whereas the newer breed of hackers might lack the philosophical thinking of the older ones. It is good to see that there are several kinds of hackers in the net.

It seems that there are thousands of hackers all over the net. This is probably connected to the fact that movies like "Wargames" made computer wizardry look like a cool thing. There is a feeling of omnipotence present in the computer world. Many people do not understand anything of the field and think that the ones who do must be very intelligent and gifted. This is not so any more as Tim Wilson writes:

The idea that hackers must be exceptionally bright or experienced also is largely outmoded. Many hackers now use simple, Web-downloadable scripts to gain system access. What does that prove about the hacker's skills or intelligence?
Hackers' Best Days Are Behind Them
by Tim Wilson
www.infowar.com (Hacker Musings)

Of course there are always those who do know a thing or two more than the others. Being able to overpower one's peers can seem very appealing to an insecure teenager. One can play God in the net. In our world where normally people read books and learn things many more know already. In the hackers world many things are not written. It is still possible to find out things by oneself in the wired world.

What is the meaning of the hacking of all the different cybersurfers for the present and the future of the internet? Does a hacker do more damage or good to the internet than a cool graffiti kid with a spray to a city? Are these two cases even comparable? And can one write "damage the internet" without defining on whose point of view has the damage been done? There are heavy commecial interest laid on the internet, but not all net users are happy about the recent developments. Some seem to think that the net should not be left to the corporations to roam free and make as much commercial use of it as possible. On the other hand the stock holders would probably very much like to see the net be turned into a giant virtual money making machine. Now in between these to views there are other ideas about the future of the internet, possibly wanting to incorporate all possible ventures into it.

There seem to be contrasting views on what is legal and good behavior in the net. Some of the hackers think that breaking into a computer system does not harm anyone if no data is lost or stolen. The security advisors most likely disagree on that. Some hackers suggest that their action is beneficial to the internet society, since they discover new ways to exploit the net and the programs thus forcing the security providers to crank up their software. Some of the hackers now do work in the internet security business.

Many things can be said about the outcomes of different kinds of hacking and cracking. The final results vary also depending on whether the cracker has had some financial interests in the first place or has he been wandering around just to learn more. First a hacker who claims that he fights the system is actually digging his own grave in the net. The system benefits partly from the hackers work (and discovering exploits is very slow and hard work) by getting very valuable information of the security problems of the software used in the net. Normally a company pays big bucks to some security professionals who operate on commercial basis in order to find out about these things. In some cases when a hacker breaks into a system the company gets the information for free. Of course, if widely published, such incident can harm the reputation and the prospects for an internet commerce boom of the company especially if it operates mainly in the internet. This is why many incidents are left unreported, as Frank James reports.

Where is this process leading us to? Are there going to be an internet underground in the future? Maybe that is already some sort of reality at the present.

The phone phreakers did not consider making free phone calls harmful to anyone, since they came from an unlimited reservoir. But there are always limited number of phone lines available, and someone using a line for free does cause financial harm to the company by pushing it to expand the capacity when there is no real need for that. Of course at night when the lines are not crowded, the harm cannot be seen in the accounts of the company. The same way there is a thinking that breaking into a system does not cause any harm if no files are damaged or stolen. But for a company it is crucial that their secret information stays secret. There is the question of credibility. Nonetheless this has been one manifestation of the spirit of the cyberpunk throughout the decades. "If you do not cause any harm, you are ok." On the other hand some hackers, who refer to themselves sometimes as ethical hackers, admit that what they do is illegal.

There is an interesting writing on the legal side of hacking. Chandra Batra sites the so-called Callisti manifesto by Jon Callisti. It is partly quoted below:

After all, one would not leave a succulent apple pie in front of a doghouse and criminally charge the dog for eating it. So to if one leaves one's network open they should expect the Digital Coyotes to do no less than their four legged brothers. Additionally, does walking through an obviously open door and cleaning up, washing and ironing rumpled clothes and then leaving make one a criminal. So why would doing the same on a network be considered a felony? So in the end what is criminal and what is legal are by no means a cut and dry propositions.

Only problem with this thinking is that all the laws operate in the same way. Along the same logic raping a good looking lonely scantily clad woman in the darkness of the Central Park, N.Y. should be legal because it is obvious to happen anyway. I would not thing that Chandra Batra (or Jon Callisti) would agree on legalizing rape of good looking women who are stupid enough to walk alone in the Central Park at night. Also there is present the well advertised and discussed idea that hackers actually benefit the internet. They only work for free. Similar idea would be making it legal to open the good old letters and correcting the grammar for free. Of course it might be hard to understand that the companies do not want others to see their maximum security documents. Especially that is the case if the intruders never make notice of the content of the sites they hack or do any kind of damage to the site.

The next quote from drazQ carries a well thought out argument against all kinds of hacking however benevolent in essence:

Visualize yourself walking down the street on a sunny day. A lot of people are walking in the opposite direction of you this fine day, but there is one person that you particularly notice. It's a young man, probably in his mid 20's. He looks like a nice guy - if he was your neighbor he'd probably be one of your friends. He is wearing a suit, so he has probably got a good job. Maybe he is walking home to his wife and kids right now. That is what you thought as he came closer. The second he was close enough you punch his nose in! He falls backwards on the asphalt, reaching for his bleeding nose. It probably hurts a lot. You see a weird mixture of surprised confusion and fear in his eyes. Then you run.

The man whose nose you broke is called Tommy. He had a couple of weeks with pain after your meaningless and violent assault, and months - yes maybe even years later - he will ask himself: "Why?" "Why did he do it?". The answer is that you had no reason, you're simply one of those people who like to punch people in their noses. Maybe to see their reaction, or just because it feels good. It's just something you do.

Now visualize yourself sitting in front of your computer late a Saturday night. You're hacking some company on the Internet - no special reason - their box just had bugs so you exploited them. Or maybe you even have a reason, a reason that justifies what you're doing. Anyway, you feel pretty comfortable with it. The next morning the company's security expert has to write a report to his boss about the hack. This is the third time he's writing a report like this, so he has a very bad feeling about it. After receiving the report, his boss decides to fire the security expert - he's not doing his job well enough. The former security expert is Tommy. What do you think Tommy thinks is worst? Getting his nose punched in, or losing his job? Probably the last.

You would never punch someones nose in for no reason, cause that would be wrong. You've been raised that way. The crime of hacking however, you commit all the time. Fully aware of that the consequences of your hacking could be much worse than the consequences of a physical assault on someone. The consequences for your victims that is. The consequences for you however, is a completely different chapter. It's a much bigger chance of getting caught for breaking someones nose in broad daylight, than it is of getting caught for hacking. Maybe that is why you do it?
http://www.attrition.org/~modify/texts/ethics/hacker.ethics.html

Even though this sounds like sound reasoning, there are flaws in it, just like there always are in an internet security. In the bigger picture, the company of the story is far better off to be hacked by an ethical hacker, fire "Tommy", who is incompetent for the job, and hire a security expert who knows what to do with the security holes. There is always a "Tommy" who is fired for incompetency. On the other hand one can ask are the hackers always a step or two ahead of the security experts? The security hole might be caused by a lack of action on the bosses side. Or by a mistake of a third person slipping his handle and password to a hacker by accident. At the moment the biggest problems in the internet security systems lay in the personnel, not the software. The world is not just fair enough for the "Tommies" out there.

From this point of view, a hacker at best could be thought as a burglar, who enters a house and leaves detailed information how he got in and what security measures the owner should take in order to prevent any unwanted visitors in the future. I would not like to return to my flat seeing a report signed by an ethical burglar, but I must admit that I prefer that by far to the other alternative. As we can see, the question is not as simple as it seems to be.

One of my friends once said, that he is only partly a hacker, since he does not even commit any criminal hacks. According to him the true hacker never respects the law, if there is knowledge to be gained or a challenging hack in sight.

There are writings in the net claiming that there are many who claim to be hackers but are not, because they do not meet the standards. True hacker seeks knowledge, not answers. ReDragon puts the problem in the form of a quiz:

Are You a Hacker? Take a little quiz for me today. Tell me if you fit this description. You got your net account several months ago. You have been surfing the net, and you laugh at those media reports of the information superhighway. You have a red box, you don't have to pay for phone calls. You have crackerjack, and you have run it on the password file at a unix you got an account on. Everyone at your school is impressed by your computer knowledge, you are the one the teachers ask for help. Does this sound like you? You are not a hacker. There are thousands of you out there. You buy 2600 and you ask questions. You read phrack and you ask questions. You join #hack and you ask questions. You ask all of these questions, and you ask what is wrong with that? After all, to be a hacker is to question things, is it not? But, you do not want knowledge. You want answers. You do not want to learn how things work. You want answers. You do not want to explore. All you want to know is the answer to your damn questions. You are not a hacker.

Hacking is not about answers. Hacking is about the path you take to find the answers. If you want help, don't ask for answers, ask for a pointer to the path you need to take to find out those answers for yourself. Because it is not the people with the answers that are the hackers, it is the people that are travelling along the path.
ReDragon
http://www.attrition.org/~modify/texts/ethics/are.you.a.hacker.html

There is a kind of philosophy related to some eastern thinking and religions visible in the ReDragons writing. The seeker follows the path. The point is to travel along the path. Getting the answers is not as important as the journey, because the learned information is not used for boasting about the knowledge to friend and classmates, but for continuing the travel.

The US Government's top Y2K adviser, President's Council on Year 2000 Conversion chairman John Koskinen, said --- some Americans regarded hacking the Government's networks to report security loopholes to be a patriotic duty.
http://www.it.fairfax.com.au/breaking/19991215/A40135-1999Dec15.html

The previous quote carries the essence of hacking as some understand it. I do not know whether a hacker from the 60's would think that way, but some hackers do, who started hacking in the 90's. There is quite a bit of naivity in some writings, but as well a lot of highly idealistic attitude towards the true meaning of hacking and the role (ethical) hackers play in the internet.

The conservative point of view is that, if one really wants to save the world by hacking and finding out about new exploits, one would get a job in an internet security provider. Many former hackers have done that, but there is a philosophical and maybe also psychological problem in the issue. If you are an anachist, maybe you do not want to get an ordinary bourgeoise job, however well paid. Or on the other hand if you get your kicks from criminal activities, or are afraid that the nice hobby does not entertain you anymore after you get paid, there is no easy way out from the illegal hacking activities.

Of the control issue

Who will control the internet? That might be the most important question of the future of the internet. At the moment the control is near nil. But if the commercial applications will not work one can expect demands from the industry and corporations to limit the access to those who have money and who do not cause trouble. The world has already seen the expansion of the corporate powers. To quote the famous comic book Calvin and Hobbes by Bill Watterson:

- You know what the problem is with the universe?
- Um...
- There's no toll-free customer
service hot line for complaints!
That's why things don't get fixed!
If the universe had any decent
management, we'd get a full refund
if we weren't completely satisfied!
- But the place is free.
- See, that's another thing.
They should have a cover charge
and keep out the riffraff.
Homicidal Psycho jungle cat, p. 37

The crucial question is how can anyone expect to keep out the riffraff from the internet. How would this be achieved. And most importantly of all, who has the right to decide who is riffraff and who is not. It seems impossible in a democratic society to prevent certain people or group from accessing the internet. Even under a totalitarian rule some people find their way past the official restrictions. Most definitely I assume that the western world would never accept the situation were some of the basic rights - owning a telephone or a computer - would be denied to someone on any basis.

Let's look at the present situation. Who are the riffraff of the world wide web? Can it even be called such? Or should we change the name to Westernized World Web instead? At the moment, it seems already that the markets have decided some things for us. First of all the third world countries in general are riffraff. They do not have by far as many net users as have the western countries. Secondly most of the poor people in the west do not have access to the net. Third, the ones who do not read and write English cannot benefit so much from using the net. It seems that the financial sector has been doing some important desicion for us already. Do we want that or would it be time to decide for ourselves? And how can this be accomplished?

If Ethiopians, for example, have trouble getting enough food for themselves, what kind of use could they possibly have with an internet access. That does not of course mean that they should not get access to the internet, but they do have more urgent problems to be solved first. In many third world countries the infrastructure is a big problem. There are very few phone lines available. It has been said that the third world will go wireless because it will be cheaper, but still the question remains who pays the bill.

And finally...

There is the question whether the hackers are the plague of the net. Are the hackers really something more than juvenile criminals or old hippies, who are a bit lost from the mainstream of the society? It is true that some computer criminals, who call themselves hackers have caused and still are causing a lot of trouble for the internet community. On the other hand many of the mishandling possibilities have been discovered by the community of hackers. Without them there might be a lot less knowledge freely available of the security flaws of the internet.

Hacking might be thought to be a lot less harmfull back in the early 1980's when the internet was not yet really a place where large scale financial operations were made. Especially the possibility of doing a purchase in the internet using the credit cards has changed the situation dramatically. As in the wild west in the beginning of the 20th century there seems to be a lot less free space to roam in the net now at the dawn of the 21st century. The unexplored areas are slowly covered and made more difficult to access without authorisation. However it seems that the internet will be for a long time to come remain a frontier where the security experts have full employment:

The size of the company doesn't always determine the sophistication of its Internet security. Scores of companies in financial services and manufacturing, including some that pride themselves on having installed sophisticated defenses, have asked Spectria InfoSec Labs, a computer security company based in Playa del Rey, Calif., to attempt to penetrate their barriers. "So far, none of the systems we
have been asked to test have prevented us from getting into their internal networks," said Cobb, Spectria's vice president of research and education. Furthermore, the skill level needed to break in, on a scale of 1 to 5, was just a 2, Cobb said. And InfoSec Labs evaluators used only legal methods to accomplish their penetrations. Criminals and hackers have many more choices. "So far, we're undefeated," Cobb said. "Those are facts, and people need to realize that."
http://chicagotribune.com/tech/economy/article/0,2669,ART-41907,FF.html
Security gaps dot Internet landscape
by Frank James
Chicago Tribune, February 12, 2000

The net was designed to be a place where information is easily shared, not secured. Frank James comments that the lack of time on many programming projects everywhere is a problem. Although it is possible to do many things to make the sites more secure, there just does not seem to be time for it. Companies have to make enormous profits in order to stay in business, thus money invested in programming security features is not very popular, partly because the importance of that side of the project is not always fully understood by the project managers. Also many software companies think that security is not as important as are the features and functionability of a program.

There will probably always be sites where a crafty hacker can access without authorisation. Maybe the presence of the hacking community promises the internet users that the security problems shall one day be taken seriously by all doing business in the net.