Line 1: |
Line 1: |
− | <pre>
| |
− |
| |
| To be presented at the 13th National Computer Security Conference, | | To be presented at the 13th National Computer Security Conference, |
| Washington, D.C., Oct. 1-4, 1990. | | Washington, D.C., Oct. 1-4, 1990. |
| | | |
− |
| + | <pre> |
| Concerning Hackers Who Break into Computer Systems | | Concerning Hackers Who Break into Computer Systems |
| | | |
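Review bot: the opening <pre> now sits below the two conference-notice lines ("To be presented at the 13th National Computer Security Conference," and "Washington, D.C., Oct. 1-4, 1990."), so they are no longer preformatted and their line break depends on how the wiki renders ordinary text. Either keep the opening tag above them as before, or say in the edit summary that the notice is meant to flow as a normal paragraph.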
Line 11: |
Line 9: |
| 130 Lytton Ave., Palo Alto, CA 94301 | | 130 Lytton Ave., Palo Alto, CA 94301 |
| | | |
− |
| + | </pre> |
| | | |
| Abstract | | Abstract |
| | | |
− | A diffuse group of people often called ``hackers'' has been | + | A diffuse group of people often called "hackers" has been |
| characterized as unethical, irresponsible, and a serious danger to | | characterized as unethical, irresponsible, and a serious danger to |
| society for actions related to breaking into computer systems. This | | society for actions related to breaking into computer systems. This |
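Review bot: the added </pre> after the address line closes the preformatted block before "Abstract", so as far as this diff shows the body of the paper is now parsed as markup instead of being displayed verbatim. Preview how the bracketed citation keys and the bare heading lines such as "Abstract" render, and consider giving the headings real heading markup in the same edit, since they no longer stand out through fixed layout.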
Line 32: |
Line 30: |
| I recommend that we work closely with hackers, and suggest several | | I recommend that we work closely with hackers, and suggest several |
| actions that might be taken. | | actions that might be taken. |
− |
| + | |
− |
| + | |
| 1. Introduction | | 1. Introduction |
| | | |
Line 45: |
Line 43: |
| firmament of networks. Stories about attacks, breakins, disruptions, | | firmament of networks. Stories about attacks, breakins, disruptions, |
| theft of information, modification of files, and the like appear | | theft of information, modification of files, and the like appear |
− | frequently in the newspapers. A diffuse group called ``hackers'' | + | frequently in the newspapers. A diffuse group called "hackers" |
| is often the target of scorn and blame for these actions. Why are | | is often the target of scorn and blame for these actions. Why are |
| computer networks any different from other vulnerable public networks? | | computer networks any different from other vulnerable public networks? |
Line 88: |
Line 86: |
| The interview was conducted electronically. I quickly discovered | | The interview was conducted electronically. I quickly discovered |
| that I had much more to learn from Drake's questions than to teach. | | that I had much more to learn from Drake's questions than to teach. |
− | For example, he asked: ``Is providing computer security for large | + | For example, he asked: "Is providing computer security for large |
| databases that collect information on us a real service? How do | | databases that collect information on us a real service? How do |
− | you balance the individual's privacy vs. the corporations?'' This | + | you balance the individual's privacy vs. the corporations?" This |
| question surprised me. Nothing that I had read about hackers ever | | question surprised me. Nothing that I had read about hackers ever |
− | suggested that they might care about privacy. He also asked: ``What | + | suggested that they might care about privacy. He also asked: "What |
| has [the DES] taught us about what the government's (especially NSA's) | | has [the DES] taught us about what the government's (especially NSA's) |
− | role in cryptography should be?'' Again, I was surprised to discover | + | role in cryptography should be?" Again, I was surprised to discover |
| a concern for the role of the government in computer security. I | | a concern for the role of the government in computer security. I |
| did not know at the time that I would later discover considerable | | did not know at the time that I would later discover considerable |
Line 103: |
Line 101: |
| meeting, we continued our dialog electronically with me interviewing | | meeting, we continued our dialog electronically with me interviewing |
| him. This gave me the opportunity to explore his views in greater | | him. This gave me the opportunity to explore his views in greater |
− | depth. Both interviews appear in ``Computers Under Attack,'' | + | depth. Both interviews appear in "Computers Under Attack," |
| edited by Peter Denning [DenningP90]. | | edited by Peter Denning [DenningP90]. |
| | | |
Line 111: |
Line 109: |
| from 17 to 28. | | from 17 to 28. |
| | | |
− | The word ``hacker'' has taken on many different meanings ranging | + | The word "hacker" has taken on many different meanings ranging |
− | from 1) ``a person who enjoys learning the details of computer systems | + | from 1) "a person who enjoys learning the details of computer systems |
− | and how to stretch their capabilities'' to 2) ``a malicious or | + | and how to stretch their capabilities" to 2) "a malicious or |
| inquisitive meddler who tries to discover information by poking around | | inquisitive meddler who tries to discover information by poking around |
− | .. possibly by deceptive or illegal means ...'' [Steele83] The | + | .. possibly by deceptive or illegal means ..." [Steele83] The |
| hackers described in this paper satisfy both of these definitions, | | hackers described in this paper satisfy both of these definitions, |
| although all of the hackers I spoke with said they did not engage | | although all of the hackers I spoke with said they did not engage |
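Review bot: on the changed line beginning ".. possibly by deceptive" the opening ellipsis has two dots while the closing one ("means ...") has three. Both sides of the diff carry it, so it predates this edit, but since the line is being touched anyway, check it against the source text and restore the third dot if it was dropped in transcription.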
Line 124: |
Line 122: |
| businesses, or about people who use stolen credit cards to purchase | | businesses, or about people who use stolen credit cards to purchase |
| goods. The characteristics of many of the hackers I am writing about | | goods. The characteristics of many of the hackers I am writing about |
− | are summed up in the words of one of the hackers: ``A hacker is someone | + | are summed up in the words of one of the hackers: "A hacker is someone |
| that experiments with systems... [Hacking] is playing with systems | | that experiments with systems... [Hacking] is playing with systems |
| and making them do what they were never intended to do. Breaking | | and making them do what they were never intended to do. Breaking |
Line 131: |
Line 129: |
| able to find out anything. There is also the David and Goliath side | | able to find out anything. There is also the David and Goliath side |
| of it, the underdog vs. the system, and the ethic of being a folk | | of it, the underdog vs. the system, and the ethic of being a folk |
− | hero, albeit a minor one.'' | + | hero, albeit a minor one." |
| | | |
| Richard Stallman, founder of the Free Software Foundation who calls | | Richard Stallman, founder of the Free Software Foundation who calls |
| himself a hacker according to the first sense of the word above, | | himself a hacker according to the first sense of the word above, |
− | recommends calling security-breaking hackers ``crackers'' | + | recommends calling security-breaking hackers "crackers" |
| [Stallman84]. While this description may be more accurate, I shall | | [Stallman84]. While this description may be more accurate, I shall |
− | use the term ``hacker'' since the people I am writing about call | + | use the term "hacker" since the people I am writing about call |
| themselves hackers and all are interested in learning about computer | | themselves hackers and all are interested in learning about computer |
| and communication systems. However, there are many people like | | and communication systems. However, there are many people like |
Line 149: |
Line 147: |
| networks, and Meyer and Thomas [MeyerThomas90] for an interesting | | networks, and Meyer and Thomas [MeyerThomas90] for an interesting |
| interpretation of the computer underground as a postmodernist rejection | | interpretation of the computer underground as a postmodernist rejection |
− | of conventional culture that substitutes ``rational technological | + | of conventional culture that substitutes "rational technological |
− | control of the present for an anarchic and playful future.'' | + | control of the present for an anarchic and playful future." |
| | | |
| I do not pretend to know all the concerns that hackers have, nor | | I do not pretend to know all the concerns that hackers have, nor |
Line 190: |
Line 188: |
| 3. Access to Computers and Information for Learning | | 3. Access to Computers and Information for Learning |
| | | |
− | Although Levy's book ``Hackers'' [Levy84] is not about today's | + | Although Levy's book "Hackers" [Levy84] is not about today's |
− | security-breaking hackers, it articulates and interprets a ``hacker | + | security-breaking hackers, it articulates and interprets a "hacker |
− | ethic'' that is shared by many of these hackers. The ethic includes | + | ethic" that is shared by many of these hackers. The ethic includes |
| two key principles that were formulated in the early days of the | | two key principles that were formulated in the early days of the |
− | AI Lab at MIT: ``Access to computers -- and anything which might | + | AI Lab at MIT: "Access to computers -- and anything which might |
| teach you something about the way the world works -- should be | | teach you something about the way the world works -- should be |
− | unlimited and total,'' and ``All information should be free.'' In | + | unlimited and total," and "All information should be free." In |
| the context in which these principles were formulated, the computers | | the context in which these principles were formulated, the computers |
| of interest were research machines and the information was software | | of interest were research machines and the information was software |
Line 203: |
Line 201: |
| Since Stallman is a leading advocate of open systems and freedom | | Since Stallman is a leading advocate of open systems and freedom |
| of information, especially software, I asked him what he means by | | of information, especially software, I asked him what he means by |
− | this. He said: ``I believe that all generally useful information | + | this. He said: "I believe that all generally useful information |
− | should be free. By `free' I am not referring to price, but rather | + | should be free. By `free` I am not referring to price, but rather |
| to the freedom to copy the information and to adapt it to one's own | | to the freedom to copy the information and to adapt it to one's own |
− | uses.'' By ``generally useful'' he does not include confidential | + | uses." By "generally useful" he does not include confidential |
| information about individuals or credit card information, for example. | | information about individuals or credit card information, for example. |
− | He further writes: ``When information is generally useful, | + | He further writes: "When information is generally useful, |
| redistributing it makes humanity wealthier no matter who is | | redistributing it makes humanity wealthier no matter who is |
− | distributing and no matter who is receiving.'' Stallman has argued | + | distributing and no matter who is receiving." Stallman has argued |
| strongly against user interface copyright, claiming that it does | | strongly against user interface copyright, claiming that it does |
| not serve the users or promote the evolutionary process [Stallman90]. | | not serve the users or promote the evolutionary process [Stallman90]. |
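Review bot: on the "should be free. By ... I am not referring to price" line, the nested quotation around the word free was converted from a backtick-apostrophe pair to a pair of backticks, while every other quotation in this change became straight double quotes. A backtick pair is an inline-code delimiter in several markup dialects and is not a quotation mark, so the word may render as code now that the text is outside <pre>. Use straight single quotes ('free') for the quote nested inside Stallman's statement.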
Line 228: |
Line 226: |
| These views of information sharing seem to go back at least as far | | These views of information sharing seem to go back at least as far |
| as the 17th and 18th Centuries. Samuelson [Samuelson89] notes that | | as the 17th and 18th Centuries. Samuelson [Samuelson89] notes that |
− | ``The drafters of the Constitution, educated in the Enlightenment
| + | "The drafters of the Constitution, educated in the Enlightenment |
| tradition, shared that era's legacy of faith in the enabling powers | | tradition, shared that era's legacy of faith in the enabling powers |
− | of knowledge for society as well as the individual.'' She writes | + | of knowledge for society as well as the individual." She writes |
| that our current copyright laws, which protect the expression of | | that our current copyright laws, which protect the expression of |
| information, but not the information itself, are based on the belief | | information, but not the information itself, are based on the belief |
Line 266: |
Line 264: |
| locks and other security mechanisms on systems; their background | | locks and other security mechanisms on systems; their background |
| in systems and programming varies considerably. One hacker wrote | | in systems and programming varies considerably. One hacker wrote |
− | ``A hacker sees a security hole and takes advantage of it because
| + | "A hacker sees a security hole and takes advantage of it because |
| it is there, not to destroy information or steal. I think our | | it is there, not to destroy information or steal. I think our |
| activities would be analogous to someone discovering methods of | | activities would be analogous to someone discovering methods of |
| acquiring information in a library and becoming excited and perhaps | | acquiring information in a library and becoming excited and perhaps |
− | engrossed.'' | + | engrossed." |
| | | |
| We should not underestimate the effectiveness of the networks in | | We should not underestimate the effectiveness of the networks in |
Line 293: |
Line 291: |
| courses in BASIC and PASCAL, and that he was bored by these. Hans | | courses in BASIC and PASCAL, and that he was bored by these. Hans |
| Huebner, a hacker in Germany who goes by the name Pengo, wrote in | | Huebner, a hacker in Germany who goes by the name Pengo, wrote in |
− | a note to the RISKS Forum [Huebner89] : ``I was just interested in | + | a note to the RISKS Forum [Huebner89] : "I was just interested in |
| computers, not in the data which has been kept on their disks. As | | computers, not in the data which has been kept on their disks. As |
| I was going to school at that time, I didn't even have the money | | I was going to school at that time, I didn't even have the money |
Line 302: |
Line 300: |
| been patient and wait[ed] until I could go to the university and | | been patient and wait[ed] until I could go to the university and |
| use their machines. Some of you might understand that waiting was | | use their machines. Some of you might understand that waiting was |
− | just not the thing I was keen on in those days.'' | + | just not the thing I was keen on in those days." |
| | | |
| Brian Harvey, in his position paper [Harvey86] for the ACM Panel on | | Brian Harvey, in his position paper [Harvey86] for the ACM Panel on |
Line 317: |
Line 315: |
| had the skill and interest to be password hackers were discouraged | | had the skill and interest to be password hackers were discouraged |
| from this activity because they also wanted to keep the trust of | | from this activity because they also wanted to keep the trust of |
− | their colleagues in order that they could acquire ``superuser'' status | + | their colleagues in order that they could acquire "superuser" status |
| on the system. | | on the system. |
| | | |
Line 338: |
Line 336: |
| either part-time on a continuing basis or on a periodic basis; and, | | either part-time on a continuing basis or on a periodic basis; and, |
| following a suggestion from Felsenstein [Felsenstein86] for a | | following a suggestion from Felsenstein [Felsenstein86] for a |
− | ``Hacker's League,'' that a league analogous to the Amateur Radio
| + | "Hacker's League," that a league analogous to the Amateur Radio |
| Relay League be established to make contributed resources available | | Relay League be established to make contributed resources available |
| for educational purposes. | | for educational purposes. |
Line 371: |
Line 369: |
| 4. Thrill, Excitement, and Challenge | | 4. Thrill, Excitement, and Challenge |
| | | |
− | One hacker wrote that ``Hackers understand something basic about | + | One hacker wrote that "Hackers understand something basic about |
| computers, and that is that they can be enjoyed. I know none who | | computers, and that is that they can be enjoyed. I know none who |
| hack for money, or hack to frighten the company, or hack for anything | | hack for money, or hack to frighten the company, or hack for anything |
− | but fun.'' | + | but fun." |
| | | |
− | In the words of another hacker, ``Hacking was the ultimate cerebral | + | In the words of another hacker, "Hacking was the ultimate cerebral |
| buzz for me. I would come home from another dull day at school, | | buzz for me. I would come home from another dull day at school, |
| turn my computer on, and become a member of the hacker elite. It | | turn my computer on, and become a member of the hacker elite. It |
Line 392: |
Line 390: |
| could be the one that would bring the authorities crashing down on | | could be the one that would bring the authorities crashing down on |
| me. I was on the edge of technology and exploring past it, spelunking | | me. I was on the edge of technology and exploring past it, spelunking |
− | into electronic caves where I wasn't supposed to be.'' | + | into electronic caves where I wasn't supposed to be." |
| | | |
| The other hackers I spoke with made similar statements about the | | The other hackers I spoke with made similar statements about the |
| fun and challenge of hacking. In SPIN magazine [Dibbel90], reporter | | fun and challenge of hacking. In SPIN magazine [Dibbel90], reporter |
| Julian Dibbell speculated that much of the thrill comes from the | | Julian Dibbell speculated that much of the thrill comes from the |
− | dangers associated with the activity, writing that ``the technology | + | dangers associated with the activity, writing that "the technology |
− | just lends itself to cloak-and-dagger drama,'' and that ``hackers | + | just lends itself to cloak-and-dagger drama," and that "hackers |
| were already living in a world in which covert action was nothing | | were already living in a world in which covert action was nothing |
− | more than a game children played.'' | + | more than a game children played." |
| | | |
| Eric Corley [Corley89] characterizes hacking as an evolved form of | | Eric Corley [Corley89] characterizes hacking as an evolved form of |
| mountain climbing. In describing an effort to construct a list of | | mountain climbing. In describing an effort to construct a list of |
− | active mailboxes on a Voice Messaging System, he writes ``I suppose | + | active mailboxes on a Voice Messaging System, he writes "I suppose |
| the main reason I'm wasting my time pushing all these buttons is | | the main reason I'm wasting my time pushing all these buttons is |
| simply so that I can make a list of something that I'm not supposed | | simply so that I can make a list of something that I'm not supposed |
− | to have and be the first person to accomplish this.'' He said that | + | to have and be the first person to accomplish this." He said that |
| he was not interested in obtaining an account of his own on the system. | | he was not interested in obtaining an account of his own on the system. |
− | Gordon Meyer says he found this to be a recurring theme: ``We aren't | + | Gordon Meyer says he found this to be a recurring theme: "We aren't |
− | supposed to be able to do this, but we can'' -- so they do. | + | supposed to be able to do this, but we can" -- so they do. |
| | | |
| One hacker said he was now working on anti-viral programming. He | | One hacker said he was now working on anti-viral programming. He |
Line 427: |
Line 425: |
| any problems. Hackers say they are outraged when other hackers cause | | any problems. Hackers say they are outraged when other hackers cause |
| damage or use resources that would be missed, even if the results | | damage or use resources that would be missed, even if the results |
− | are unintentional and due to incompetence. One hacker wrote ``I | + | are unintentional and due to incompetence. One hacker wrote "I |
| have ALWAYS strived to do NO damage, and inconvenience as few people | | have ALWAYS strived to do NO damage, and inconvenience as few people |
| as possible. I NEVER, EVER, EVER DELETE A FILE. One of the first | | as possible. I NEVER, EVER, EVER DELETE A FILE. One of the first |
− | commands I do on a new system is disable the delete file command.'' | + | commands I do on a new system is disable the delete file command." |
| Some hackers say that it is unethical to give passwords and similar | | Some hackers say that it is unethical to give passwords and similar |
| security-related information to persons who might do damage. In | | security-related information to persons who might do damage. In |
Line 459: |
Line 457: |
| raised properly as a civilized member of society, and not appreciating | | raised properly as a civilized member of society, and not appreciating |
| the rules of living in society. One hacker responded to this with | | the rules of living in society. One hacker responded to this with |
− | ``What does `being brought up properly' mean? Some would say that
| + | "What does `being brought up properly` mean? Some would say that |
− | it is `good' to keep to yourself, mind your own business. Others | + | it is `good` to keep to yourself, mind your own business. Others |
| might argue that it is healthy to explore, take risks, be curious | | might argue that it is healthy to explore, take risks, be curious |
− | and discover.'' Brian Harvey [Harvey86] notes that many hackers are | + | and discover." Brian Harvey [Harvey86] notes that many hackers are |
| adolescents, and that adolescents are at a less developed stage of | | adolescents, and that adolescents are at a less developed stage of |
| moral development than adults, where they might not see how the effects | | moral development than adults, where they might not see how the effects |
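Review bot: the two nested quotations in the hacker's reply ("being brought up properly" and "good") end up wrapped in backtick pairs on the new side, the same conversion slip as in the Stallman passage. Inside a double-quoted passage these should be straight single quotes, so the reader sees quoted words and not code spans.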
Line 478: |
Line 476: |
| hacking may be encouraged during the process of becoming computer | | hacking may be encouraged during the process of becoming computer |
| literate. Some of my colleagues say that hackers are irresponsible. | | literate. Some of my colleagues say that hackers are irresponsible. |
− | One hacker responded ``I think it's a strong indication of the amount | + | One hacker responded "I think it's a strong indication of the amount |
| of responsibility shown that so FEW actually DAMAGING incidents are | | of responsibility shown that so FEW actually DAMAGING incidents are |
− | known.'' | + | known." |
| | | |
| But we must not overlook that the differences in ethics also reflect | | But we must not overlook that the differences in ethics also reflect |
Line 487: |
Line 485: |
| ownership as property. The differences also represent an opportunity | | ownership as property. The differences also represent an opportunity |
| to examine our own ethical behavior and our practices for information | | to examine our own ethical behavior and our practices for information |
− | sharing and protection. For example, one hacker wrote ``I will accept | + | sharing and protection. For example, one hacker wrote "I will accept |
| that it is morally wrong to copy some proprietary software, however, | | that it is morally wrong to copy some proprietary software, however, |
| I think that it is morally wrong to charge $6000 for a program that | | I think that it is morally wrong to charge $6000 for a program that |
− | is only around 25K long.'' Hence, I shall go into a few of the ethical | + | is only around 25K long." Hence, I shall go into a few of the ethical |
| points raised by hackers more closely. It is not a simple case of | | points raised by hackers more closely. It is not a simple case of |
| good or mature (us) against bad or immature (hackers), or of teaching | | good or mature (us) against bad or immature (hackers), or of teaching |
Line 548: |
Line 546: |
| Pethia says that some intruders seem to be disruptive to prove a | | Pethia says that some intruders seem to be disruptive to prove a |
| point, such as that the systems are vulnerable, the security personnel | | point, such as that the systems are vulnerable, the security personnel |
− | are incompetent, or ``it's not nice to say bad things about hackers.'' | + | are incompetent, or "it's not nice to say bad things about hackers." |
| In the N.Y. Times, John Markoff [Markoff90] wrote that the hacker | | In the N.Y. Times, John Markoff [Markoff90] wrote that the hacker |
| who claimed to have broken into Cliff Stoll's system said he was | | who claimed to have broken into Cliff Stoll's system said he was |
− | upset by Stoll's portrayal of hackers in ``The Cuckoo's Egg'' | + | upset by Stoll's portrayal of hackers in "The Cuckoo's Egg" |
− | [Stoll90]. Markoff reported that the caller said: ``He [Stoll] | + | [Stoll90]. Markoff reported that the caller said: "He [Stoll] |
| was going on about how he hates all hackers, and he gave pretty much | | was going on about how he hates all hackers, and he gave pretty much |
− | of a one-sided view of who hackers are.'' | + | of a one-sided view of who hackers are." |
| | | |
− | ``The Cuckoo's Egg'' captures much of the popular stereotypes of
| + | "The Cuckoo's Egg" captures much of the popular stereotypes of |
| hackers. Criminologist Jim Thomas criticizes it for presenting a | | hackers. Criminologist Jim Thomas criticizes it for presenting a |
| simplified view of the world, one where everything springs from the | | simplified view of the world, one where everything springs from the |
| forces of light (us) or of darkness (hackers) [Thomas90]. He claims | | forces of light (us) or of darkness (hackers) [Thomas90]. He claims |
| that Stoll fails to see the similarities between his own activities | | that Stoll fails to see the similarities between his own activities |
− | (e.g., monitoring communications, ``borrowing'' monitors without | + | (e.g., monitoring communications, "borrowing" monitors without |
| authorization, shutting off network access without warning, and lying | | authorization, shutting off network access without warning, and lying |
| to get information he wants) and those of hackers. He points out | | to get information he wants) and those of hackers. He points out |
− | Stoll's use of pejorative words such as ``varmint'' to describe | + | Stoll's use of pejorative words such as "varmint" to describe |
− | hackers, and Stoll's quote of a colleague: ``They're technically | + | hackers, and Stoll's quote of a colleague: "They're technically |
| skilled but ethically bankrupt programmers without any respect for | | skilled but ethically bankrupt programmers without any respect for |
| others' work -- or privacy. They're not destroying one or two | | others' work -- or privacy. They're not destroying one or two |
| programs. They're trying to wreck the cooperation that builds our | | programs. They're trying to wreck the cooperation that builds our |
− | networks.'' [Stoll90, p. 159] Thomas writes ``at an intellectual | + | networks." [Stoll90, p. 159] Thomas writes "at an intellectual |
| level, [Stoll] provides a persuasive, but simplistic, moral imagery | | level, [Stoll] provides a persuasive, but simplistic, moral imagery |
| of the nature of right and wrong, and provides what -- to a lay reader | | of the nature of right and wrong, and provides what -- to a lay reader |
Line 582: |
Line 580: |
| given offense, and the research of Gordon Meyer and I suggests that | | given offense, and the research of Gordon Meyer and I suggests that |
| criminalization may, in fact, contribute to the growth of the computer | | criminalization may, in fact, contribute to the growth of the computer |
− | underground.'' | + | underground." |
| | | |
| | | |
Line 589: |
Line 587: |
| Hackers express concern about their negative public image and | | Hackers express concern about their negative public image and |
| identity. As noted earlier, hackers are often portrayed as being | | identity. As noted earlier, hackers are often portrayed as being |
− | irresponsible and immoral. One hacker said that ``government | + | irresponsible and immoral. One hacker said that "government |
| propaganda is spreading an image of our being at best, sub-human, | | propaganda is spreading an image of our being at best, sub-human, |
| depraved, criminally inclined, morally corrupt, low life. We need | | depraved, criminally inclined, morally corrupt, low life. We need |
Line 595: |
Line 593: |
| interfering with life support equipment, robbing banks, and jamming | | interfering with life support equipment, robbing banks, and jamming |
| 911 lines) are as morally abhorent to us as they are to the general | | 911 lines) are as morally abhorent to us as they are to the general |
− | public.'' | + | public." |
| | | |
| The public identity of an individual or group is generated in part | | The public identity of an individual or group is generated in part |
Line 604: |
Line 602: |
| the hacking community, the simple act of breaking into systems is | | the hacking community, the simple act of breaking into systems is |
| regarded as unethical by many. The use of pejorative words like | | regarded as unethical by many. The use of pejorative words like |
− | ``vandal'' and ``varmint'' reflect this discrepency in ethics. Even
| + | "vandal" and "varmint" reflect this discrepency in ethics. Even |
− | the word ``criminal'' carries with it connotations of someone evil; | + | the word "criminal" carries with it connotations of someone evil; |
| hackers say they are not criminal in this sense. Katie Hafner notes | | hackers say they are not criminal in this sense. Katie Hafner notes |
| that Robert Morris, who was convicted of launching the Internet worm, | | that Robert Morris, who was convicted of launching the Internet worm, |
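Review bot: the rewritten line '"vandal" and "varmint" reflect this discrepency in ethics' still carries the misspelling "discrepency" on both sides. If this edit is a cleanup pass, correct it to "discrepancy" here. If the page is meant to be a verbatim transcription, leave the spelling and note that policy in the edit summary so later editors do not alternate between the two.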
Line 614: |
Line 612: |
| an image of persons who are dangerous. Regarding the 911 incident | | an image of persons who are dangerous. Regarding the 911 incident |
| where a hacker downloaded a file from Bell South, Goldstein reported | | where a hacker downloaded a file from Bell South, Goldstein reported |
− | ``Quickly, headlines screamed that hackers had broken into the 911
| + | "Quickly, headlines screamed that hackers had broken into the 911 |
| system and were interfering with emergency telephone calls to the | | system and were interfering with emergency telephone calls to the |
| police. One newspaper report said there were no indications that | | police. One newspaper report said there were no indications that |
| anyone had died or been injured as a result of the intrusions. What | | anyone had died or been injured as a result of the intrusions. What |
− | a relief. Too bad it wasn't true.'' [Goldstein90] In fact, the | + | a relief. Too bad it wasn't true." [Goldstein90] In fact, the |
| hackers involved with the 911 text file had not broken into the 911 | | hackers involved with the 911 text file had not broken into the 911 |
| system. The dollar losses attributed to hacking incidents also are | | system. The dollar losses attributed to hacking incidents also are |
Line 624: |
Line 622: |
| | | |
| Thomas and Meyer [ThomasMeyer90] say that the rhetoric depicting | | Thomas and Meyer [ThomasMeyer90] say that the rhetoric depicting |
− | hackers as a dangerous evil contributes to a ``witch hunt'' mentality, | + | hackers as a dangerous evil contributes to a "witch hunt" mentality, |
| wherein a group is first labeled as dangerous, and then enforcement | | wherein a group is first labeled as dangerous, and then enforcement |
| agents are mobilized to exorcise the alleged social evil. They see | | agents are mobilized to exorcise the alleged social evil. They see |
Line 646: |
Line 644: |
| | | |
| Stallman also says that the laws make the hacker scared to communicate | | Stallman also says that the laws make the hacker scared to communicate |
− | with anyone even slightly ``official,'' because that person might | + | with anyone even slightly "official," because that person might |
| try to track the hacker down and have him or her arrested. Drake | | try to track the hacker down and have him or her arrested. Drake |
| raised the issue of whether the laws could differentiate between | | raised the issue of whether the laws could differentiate between |
− | malicious and nonmalicious hacking, in support of a ``kinder, gentler'' | + | malicious and nonmalicious hacking, in support of a "kinder, gentler" |
| relationship between hackers and computer security people. In fact, | | relationship between hackers and computer security people. In fact, |
| many states such as California initially passed computer crime laws | | many states such as California initially passed computer crime laws |
Line 656: |
Line 654: |
| Hollinger and Lanza-Kaduce speculate that these amendments and other | | Hollinger and Lanza-Kaduce speculate that these amendments and other |
| new laws were catalyzed mainly by media events, especially the reports | | new laws were catalyzed mainly by media events, especially the reports |
− | on the ``414 hackers'' and the movie ``War Games,'' which created | + | on the "414 hackers" and the movie "War Games," which created |
| a perception of hacking as extremely dangerous, even if that perception | | a perception of hacking as extremely dangerous, even if that perception |
| was not based on facts. | | was not based on facts. |
Line 677: |
Line 675: |
| | | |
| I asked some of the hackers whether they'd be interested in breaking | | I asked some of the hackers whether they'd be interested in breaking |
− | into systems if the rules of the ``game'' were changed so that instead | + | into systems if the rules of the "game" were changed so that instead |
| of being threatened by prosecution, they were invited to leave a | | of being threatened by prosecution, they were invited to leave a |
− | ``calling card'' giving their name, phone number, and method of
| + | "calling card" giving their name, phone number, and method of |
| breaking in. In exchange, they would get recognition and points | | breaking in. In exchange, they would get recognition and points |
| for each vulnerability they discovered. Most were interested in | | for each vulnerability they discovered. Most were interested in |
Line 710: |
Line 708: |
| maintaining anonymity of the hackers and ensuring confidentiality | | maintaining anonymity of the hackers and ensuring confidentiality |
| of all records. Another hacker, in describing an incident where | | of all records. Another hacker, in describing an incident where |
− | he discovered a privileged account without a password, said ``What | + | he discovered a privileged account without a password, said "What |
| I (and others) wish for is a way that hackers can give information | | I (and others) wish for is a way that hackers can give information |
| like this to a responsible source, AND HAVE HACKERS GIVEN CREDIT | | like this to a responsible source, AND HAVE HACKERS GIVEN CREDIT |
| FOR HELPING! As it is, if someone told them that `I'm a hacker, and | | FOR HELPING! As it is, if someone told them that `I'm a hacker, and |
− | I REALLY think you should know...' they would freak out, and run | + | I REALLY think you should know...` they would freak out, and run |
| screaming to the SS [Secret Service] or the FBI. Eventually, the | | screaming to the SS [Secret Service] or the FBI. Eventually, the |
| person who found it would be caught, and hauled away on some crazy | | person who found it would be caught, and hauled away on some crazy |
| charge. If they could only just ACCEPT that the hacker was trying | | charge. If they could only just ACCEPT that the hacker was trying |
− | to help!'' The clearinghouse could also provide this type of service. | + | to help!" The clearinghouse could also provide this type of service. |
| | | |
| Hackers are also interested in security policy issues. Drake expressed | | Hackers are also interested in security policy issues. Drake expressed |
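Review bot: on the changed line "I REALLY think you should know...` they would freak out, and run", the closing quote of the nested quotation was converted from ' to a backtick, so the inner quote now opens and closes with a backtick. The opening one, on the unchanged line "`I'm a hacker, and", was left as it was. Everywhere else this revision replaces the TeX-style ``...'' pairs with straight double quotes, so the inner pair should become straight single quotes ('I'm a hacker, and I REALLY think you should know...') rather than a pair of backticks. The closing double quote after "to help!" in the same hunk is fine.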
Line 735: |
Line 733: |
| work, and Eugene Spafford has urged people not to do business with | | work, and Eugene Spafford has urged people not to do business with |
| any company that hires a convicted hacker to work in the security | | any company that hires a convicted hacker to work in the security |
− | area [ACM90]. He says that ``This is like having a known arsonist | + | area [ACM90]. He says that "This is like having a known arsonist |
− | install a fire alarm.'' But, the laws are such that a person can | + | install a fire alarm." But, the laws are such that a person can |
| be convicted for having done nothing other than break into a system; | | be convicted for having done nothing other than break into a system; |
− | no serious damage (i.e., no ``computer arson'') is necessary. Many | + | no serious damage (i.e., no "computer arson") is necessary. Many |
| of our colleagues admit to having broken into systems in the past, | | of our colleagues admit to having broken into systems in the past, |
| e.g., Geoff Goodfellow [Goodfellow83] and Brian Reid [Frenkel87]; | | e.g., Geoff Goodfellow [Goodfellow83] and Brian Reid [Frenkel87]; |
Line 780: |
Line 778: |
| $100 for trespassing; instead, he was put in jail without bail | | $100 for trespassing; instead, he was put in jail without bail |
| [Goldstein89]. Craig Neidorf, a publisher and editor of the electronic | | [Goldstein89]. Craig Neidorf, a publisher and editor of the electronic |
− | newsletter ``Phrack,'' faces up to 31 years and a fine of $122,000 | + | newsletter "Phrack," faces up to 31 years and a fine of $122,000 |
| for receiving, editing, and transmitting the downloaded text file | | for receiving, editing, and transmitting the downloaded text file |
| on the 911 system [Goldstein90]. | | on the 911 system [Goldstein90]. |
Line 795: |
Line 793: |
| that such invasions of privacy took place before the hacker arrived | | that such invasions of privacy took place before the hacker arrived |
| [Harpers90]. Referring to credit reports, government files, motor | | [Harpers90]. Referring to credit reports, government files, motor |
− | vehicle records, and the ``megabytes of data piling up about each | + | vehicle records, and the "megabytes of data piling up about each |
− | of us,'' he says that thousands of people legally can see and use | + | of us," he says that thousands of people legally can see and use |
| this data, much of it erroneous. He claims that the public has been | | this data, much of it erroneous. He claims that the public has been |
| misinformed about the databases, and that hackers have become | | misinformed about the databases, and that hackers have become |
Line 820: |
Line 818: |
| Goldstein has also challenged the practices of law enforcement agencies | | Goldstein has also challenged the practices of law enforcement agencies |
| in their attempt to crack down on hackers [Goldstein90]. He said | | in their attempt to crack down on hackers [Goldstein90]. He said |
− | that all incoming and outgoing electronic mail used by ``Phrack'' | + | that all incoming and outgoing electronic mail used by "Phrack" |
| was monitored before the newsletter was shutdown by authorities. | | was monitored before the newsletter was shutdown by authorities. |
− | ``Had a printed magazine been shut down in this fashion after having
| + | "Had a printed magazine been shut down in this fashion after having |
| all of their mail opened and read, even the most thick-headed | | all of their mail opened and read, even the most thick-headed |
| sensationalist media types would have caught on: hey, isn't that | | sensationalist media types would have caught on: hey, isn't that |
− | a violation of the First Amendment?'' He also cites the shutdown | + | a violation of the First Amendment?" He also cites the shutdown |
| of several bulletin boards as part of Operation Sun Devil, and quotes | | of several bulletin boards as part of Operation Sun Devil, and quotes |
− | the administrator of the bulletin board Zygot as saying ``Should | + | the administrator of the bulletin board Zygot as saying "Should |
| I start reading my users' mail to make sure they aren't saying anything | | I start reading my users' mail to make sure they aren't saying anything |
| naughty? Should I snoop through all the files to make sure everyone | | naughty? Should I snoop through all the files to make sure everyone |
− | is being good? This whole affair is rather chilling.'' The | + | is being good? This whole affair is rather chilling." The |
− | administrator for the public system The Point wrote ``Today, there | + | administrator for the public system The Point wrote "Today, there |
| is no law or precedent which affords me ... the same legal rights | | is no law or precedent which affords me ... the same legal rights |
| that other common carriers have against prosecution should some other | | that other common carriers have against prosecution should some other |
| party (you) use my property (The Point) for illegal activities. | | party (you) use my property (The Point) for illegal activities. |
− | That worries me ...'' | + | That worries me ..." |
| | | |
| About 40 personal computer systems and 23,000 data disks were seized | | About 40 personal computer systems and 23,000 data disks were seized |
Line 847: |
Line 845: |
| that they challenge freedom of speech under the First Amendment and | | that they challenge freedom of speech under the First Amendment and |
| protection against searches and seizures under the Fourth Amendment. | | protection against searches and seizures under the Fourth Amendment. |
− | Markoff asks: ``Will fear of hackers bring oppression?'' | + | Markoff asks: "Will fear of hackers bring oppression?" |
| | | |
− | John Barlow writes ``The Secret Service may actually have done a | + | John Barlow writes "The Secret Service may actually have done a |
| service for those of us who love liberty. They have provided us | | service for those of us who love liberty. They have provided us |
| with a devil. And devils, among their other galvanizing virtues, | | with a devil. And devils, among their other galvanizing virtues, |
| are just great for clarifying the issues and putting iron in your | | are just great for clarifying the issues and putting iron in your |
− | spine.'' [Barlow90] Some of the questions that Barlow says need | + | spine." [Barlow90] Some of the questions that Barlow says need |
− | to be addressed include ``What are data and what is free speech? | + | to be addressed include "What are data and what is free speech? |
| How does one treat property which has no physical form and can be | | How does one treat property which has no physical form and can be |
− | infinitely reproduced? Is a computer the same as a printing press?'' | + | infinitely reproduced? Is a computer the same as a printing press?" |
| Barlow urges those of us who understand the technology to address | | Barlow urges those of us who understand the technology to address |
| these questions, lest the answers be given to us by law makers and | | these questions, lest the answers be given to us by law makers and |
| law enforcers who do not. Barlow and Kapor are constituting the | | law enforcers who do not. Barlow and Kapor are constituting the |
− | Computer Liberty Foundation to ``raise and disburse funds for | + | Computer Liberty Foundation to "raise and disburse funds for |
| education, lobbying, and litigation in the areas relating to digital | | education, lobbying, and litigation in the areas relating to digital |
− | speech and the extension of the Constitution into Cyberspace.'' | + | speech and the extension of the Constitution into Cyberspace." |
| | | |
| 8. Conclusions | | 8. Conclusions |
Line 870: |
Line 868: |
| crimes. This ethic of resource and information sharing contrasts | | crimes. This ethic of resource and information sharing contrasts |
| sharply with computer security policies that are based on authorization | | sharply with computer security policies that are based on authorization |
− | and ``need to know.'' This discrepancy raises an interesting question: | + | and "need to know." This discrepancy raises an interesting question: |
| Does the hacker ethic reflects a growing force in society that stands | | Does the hacker ethic reflects a growing force in society that stands |
| for greater sharing of resources and information -- a reaffirmation | | for greater sharing of resources and information -- a reaffirmation |
Line 881: |
Line 879: |
| | | |
| The sentiment for greater information sharing is not restricted to | | The sentiment for greater information sharing is not restricted to |
− | hackers. In the best seller ``Thriving on Chaos,'' Tom Peters | + | hackers. In the best seller "Thriving on Chaos," Tom Peters |
− | [Peters87] writes about sharing within organizations: ``Information | + | [Peters87] writes about sharing within organizations: "Information |
| hoarding, especially by politically motivated, power-seeking staffs, | | hoarding, especially by politically motivated, power-seeking staffs, |
| has been commonplace throughout American industry, service and | | has been commonplace throughout American industry, service and |
| manufacturing alike. It will be an impossible millstone around the | | manufacturing alike. It will be an impossible millstone around the |
− | neck of tomorrow's organizations. Sharing is a must.'' Peters argues | + | neck of tomorrow's organizations. Sharing is a must." Peters argues |
| that information flow and sharing is fundamental to innovation and | | that information flow and sharing is fundamental to innovation and |
| competetiveness. On a broader scale, Peter Drucker [Drucker89] says | | competetiveness. On a broader scale, Peter Drucker [Drucker89] says |
− | that the ``control of information by government is no longer possible. | + | that the "control of information by government is no longer possible. |
| Indeed, information is now transnational. Like money, it has no | | Indeed, information is now transnational. Like money, it has no |
− | `fatherland.' '' | + | `fatherland.` " |
| | | |
| Nor is the sentiment restricted to people outside the computer security | | Nor is the sentiment restricted to people outside the computer security |
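Review bot: the last changed line of the Drucker quotation turns "`fatherland.' ''" into "`fatherland.` "", which closes the inner quote with a backtick instead of an apostrophe and keeps the TeX spacing before the closing double quote. To match the straight-quote style used in the rest of the revision, the line should read 'fatherland.'" with a straight single quote on each side of the word and no space before the closing double quote.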
Line 897: |
Line 895: |
| share information, and that we are suspicious of organizations and | | share information, and that we are suspicious of organizations and |
| individuals who are secretive. He says that information is exchanged | | individuals who are secretive. He says that information is exchanged |
− | out of ``want to know'' and mutual accommodation rather than ``need | + | out of "want to know" and mutual accommodation rather than "need |
− | to know.'' If this is so, then some of our security policies are | + | to know." If this is so, then some of our security policies are |
| out of step with the way people work. Peter Denning [DenningP89] | | out of step with the way people work. Peter Denning [DenningP89] |
| says that information sharing will be widespread in the emerging | | says that information sharing will be widespread in the emerging |
− | worldwide networks of computers and that we need to focus on ``immune | + | worldwide networks of computers and that we need to focus on "immune |
− | systems'' that protect against mistakes in our designs and recover | + | systems" that protect against mistakes in our designs and recover |
| from damage. | | from damage. |
| | | |
Line 915: |
Line 913: |
| information as property and the Englightenment tradition of sharing | | information as property and the Englightenment tradition of sharing |
| and disseminating information? Is it controlling access based on | | and disseminating information? Is it controlling access based on |
− | ``need to know,'' as determined by the information provider, vs.
| + | "need to know," as determined by the information provider, vs. |
− | ``want to know,'' as determined by the person desiring access?
| + | "want to know," as determined by the person desiring access? |
| Is it law enforcement vs. freedoms granted under the First and Fourth | | Is it law enforcement vs. freedoms granted under the First and Fourth |
| Amendments? The answers to these questions, as well as those raised | | Amendments? The answers to these questions, as well as those raised |
Line 939: |
Line 937: |
| of the people mentioned above or of Digital Equipment Corporation. | | of the people mentioned above or of Digital Equipment Corporation. |
| | | |
− |
| + | <pre> |
| References | | References |
| | | |
Line 1,091: |
Line 1,089: |
| DeKalb, IL, 1990; see also the Computer Underground Digest, Vol. | | DeKalb, IL, 1990; see also the Computer Underground Digest, Vol. |
| 1, Issue 11, June 16, 1990. | | 1, Issue 11, June 16, 1990. |
− |
| |
| </pre> | | </pre> |
| | | |
| [[Category:Security]][[Category:Essays]] | | [[Category:Security]][[Category:Essays]] |
| + | [[Category:1990]] |