Title : PWN/Part 2
Author : Datastream Cowboy
==Phrack Inc.==
Volume Four, Issue Forty-One, File 12 of 13
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
PWN PWN
PWN Phrack World News PWN
PWN PWN
PWN Issue 41 / Part 2 of 3 PWN
PWN PWN
PWN Compiled by Datastream Cowboy PWN
PWN PWN
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
Government Cracks Down On Hacker November 2, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Donald Clark (The San Francisco Chronicle)(Page C1)
"Civil Libertarians Take Keen Interest In Kevin Poulsen Case"
Breaking new ground in the war on computer crime, the Justice Department plans
to accuse Silicon Valley's most notorious hacker of espionage.
Kevin Lee Poulsen, 27, touched off a 17-month manhunt before being arrested on
charges of telecommunications and computer fraud in April 1991. A federal
grand jury soon will be asked to issue a new indictment charging Poulsen with
violating a law against willfully sharing classified information with
unauthorized persons, assistant U.S. attorney Robert Crowe confirmed.
A 1988 search of Poulsen's Menlo Park storage locker uncovered a set of secret
orders from a military exercise, plus evidence that Poulsen may have tried to
log onto an Army data network and eavesdropped on a confidential investigation
of former Philippine President Ferdinand Marcos. It is not clear whether the
new charge stems from these or other acts.
Poulsen did not hand secrets to a foreign power, a more serious crime, Crowe
noted. But by using an espionage statute against a U.S. hacker for the first
time, prosecutors raise the odds of a record jail sentence that could be used
to deter other electronic break-ins.
They could use a stronger deterrent. Using personal computers connected to
telephone lines, cadres of so-called cyberpunks have made a sport of tapping
into confidential databases and voicemail systems at government agencies and
corporations. Though there is no reliable way to tally the damage, a 1989
survey indicated that computer crimes may cost U.S. business $500 million a
year, according to the Santa Cruz-based National Center for Computer Crime
Data.
Telephone companies, whose computers and switching systems have long been among
hackers' most inviting targets, are among those most anxious to tighten
security. Poulsen allegedly roamed at will through the networks of Pacific
Bell, for example, changing records and even intercepting calls between Pac
Bell security personnel who were on his trail.
The San Francisco-based utility has been intimately involved in his
prosecution; Poulsen was actually captured in part because one of the company's
investigators staked out a suburban Los Angeles supermarket where the fugitive
shopped.
"Virtually everything we do these days is done in a computer --your credit
cards, your phone bills," said Kurt von Brauch, a Pac Bell security officer who
tracked Poulsen, in an interview last year. "He had the knowledge to go in
there and alter them."
BROAD LEGAL IMPACT
Poulsen's case could have broad impact because of several controversial legal
issues involved. Some civil libertarians, for example, question the Justice
Department's use of the espionage statute, which carries a maximum 10-year
penalty and is treated severely under federal sentencing guidelines. They
doubt the law matches the actions of Poulsen, who seems to have been motivated
more by curiosity than any desire to hurt national security.
"Everything we know about this guy is that he was hacking around systems for
his own purposes," said Mike Godwin, staff counsel for the Electronic Frontier
Foundation, a public-interest group that has tracked Poulsen's prosecution. He
termed the attempt to use the statute against Poulsen "brain-damaged."
Poulsen, now in federal prison in Pleasanton, has already served 18 months in
jail without being tried for a crime, much less convicted. Though federal
rules are supposed to ensure a speedy trial, federal judges can grant extended
time to allow pretrial preparation in cases of complex evidence or novel legal
issues.
Both are involved here. After he fled to Los Angeles to avoid prosecution,
for example, Poulsen used a special scrambling scheme on one computer to make
his data files unintelligible to others. It has taken months to decode that
data, and the job isn't done yet, Crowe said. That PC was only found because
authorities intercepted one of Poulsen's phone conversations from jail, other
sources said.
CHARGES LABELED ABSURD
Poulsen declined requests for interviews. His attorney, Paul Meltzer, terms
the espionage charge absurd. He is also mounting several unusual attacks on
parts of the government's original indictment against Poulsen, filed in 1989.
He complains, for example, that the entire defense team is being subjected to
15-year background checks to obtain security clearances before key documents
can be examined.
"The legal issues are fascinating," Meltzer said. "The court will be forced to
make law."
Poulsen's enthusiasm for exploring forbidden computer systems became known to
authorities in 1983. The 17-year-old North Hollywood resident, then using the
handle Dark Dante, allegedly teamed up with an older hacker to break into
ARPAnet, a Pentagon-organized computer network that links researchers and
defense contractors around the country. He was not charged with a crime because
of his age.
Despite those exploits, Poulsen was later hired by SRI International, a Menlo
Park-based think tank and government contractor, and given an assistant
programming job with a security clearance. Though SRI won't comment, one
source said Poulsen's job involved testing whether a public data network, by
means of scrambling devices, could be used to confidentially link classified
government networks.
But Poulsen apparently had other sidelines. Between 1985 and 1988, the Justice
Department charges, Poulsen burglarized or used phony identification to sneak
into several Bay Area phone company offices to steal equipment and confidential
access codes that helped him monitor calls and change records in Pac Bell
computers, prosecutors say.
CACHE OF PHONE GEAR
The alleged activities came to light because Poulsen did not pay a bill at the
Menlo/Atherton Storage Facility. The owner snipped off a padlock on a storage
locker and found an extraordinary cache of telephone paraphernalia. A 19-count
indictment, which also named two of Poulsen's associates, included charges of
theft of government property, possession of wire-tapping devices and phony
identification.
One of Poulsen's alleged accomplices, Robert Gilligan, last year pleaded guilty
to one charge of illegally obtaining Pac Bell access codes. Under a plea
bargain, Gilligan received three years of probation, a $25,000 fine, and agreed
to help authorities in the Poulsen prosecution. Poulsen's former roommate,
Mark Lottor, is still awaiting trial.
A key issue in Poulsen's case concerns CPX Caber Dragon, a code name for a
military exercise in Fort Bragg, North Carolina. In late 1987 or early 1988,
the government charges, Poulsen illegally obtained classified orders for the
exercise. But Meltzer insists that the orders had been declassified by the
time they were seized, and were reclassified after the fact to prosecute
Poulsen. Crowe said Meltzer has his facts wrong. "That's the same as saying
we're framing Poulsen," Crowe said. "That's the worst sort of accusation I can
imagine."
Another dispute focuses on the charge of unauthorized access to government
computers. FBI agents found an electronic copy of the banner that a computer
user sees on first dialing up an Army network called MASNET, which includes a
warning against unauthorized use of the computer system. Meltzer says Poulsen
never got beyond this computer equivalent of a "No Trespassing" sign.
Furthermore, Meltzer argues that the law is unconstitutional because it does
not sufficiently define whether merely dialing up a computer qualifies as
illegal "access."
Meltzer also denies that Poulsen could eavesdrop on calls. The indictment
accuses him of illegally owning a device called a direct access test unit,
which it says is "primarily useful" for surreptitiously intercepting
communications. But Meltzer cites an equipment manual showing that the system
is specifically designed to garble conversations, though it allows phone
company technicians to tell that a line is in use.
Crowe said he will soon file written rebuttals to Meltzer's motions. In
addition to the new indictment he is seeking, federal prosecutors in Los
Angeles are believed to be investigating Poulsen's activities while a fugitive.
Among other things, Poulsen reportedly taunted FBI agents on computer bulletin
boards frequented by hackers.
PHONE COMPANIES WORRIED
Poulsen's prosecution is important to the government -- and phone companies --
because of their mixed record so far in getting convictions in hacker cases.
In one of the most embarrassing stumbles, a 19-year-old University of Missouri
student named Craig Neidorf was indicted in February 1990 on felony charges for
publishing a memorandum on the emergency 911 system of Bell South. The case
collapsed when the phone company information -- which the government said was
worth $79,940 -- was shown by the defense to be available from another Bell
system for just $13.50.
Author Bruce Sterling, whose "The Hacker Crackdown" surveys recent high-tech
crime and punishment, thinks the phone company overstates the dangers from
young hackers. On the other hand, a Toronto high school student electronically
tampered with that city's emergency telephone dispatching system and was
arrested, he noted.
Because systems that affect public safety are involved, law enforcement
officials are particularly anxious to win convictions and long jail sentences
for the likes of Poulsen.
"It's very bad when the government goes out on a case and loses," said one
computer-security expert who asked not to be identified. "They are desperately
trying to find something to hang him on."
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Computer Hacker Charged With Stealing Military Secrets December 8, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Taken from the Associated Press
SAN FRANCISCO -- A computer hacker has been charged with stealing Air Force
secrets that allegedly included a list of planned targets in a hypothetical
war.
Former Silicon Valley computer whiz Kevin Poulsen, who was accused in the early
1980s as part of a major hacking case, was named in a 14-count indictment
issued Monday.
He and an alleged accomplice already face lesser charges of unlawful use of
telephone access devices, illegal wiretapping and conspiracy.
Poulsen, 27, of Los Angeles, faces 7-to-10 years in prison if convicted of the
new charge of gathering defense information, double the sentence he faced
previously.
His lawyer, Paul Meltzer, says the information was not militarily sensitive and
that it was reclassified by government officials just so they could prosecute
Poulsen on a greater charge.
A judge is scheduled to rule February 1 on Meltzer's motion to dismiss the
charge.
In the early 1980s, Poulsen and another hacker going by the monicker Dark Dante
were accused of breaking into UCLA's computer network in one of the first
prosecutions of computer hacking.
He escaped prosecution because he was then a juvenile and went to work at Sun
Microsystems in Mountain View.
While working for Sun, Poulsen illegally obtained a computer tape containing a
1987 order concerning a military exercise code-named Caber Dragon 88, the
government said in court papers. The order is classified secret and contains
names of military targets, the government said.
In 1989, Poulsen and two other men were charged with stealing telephone access
codes from a Pacific Bell office, accessing Pacific Bell computers, obtaining
unpublished phone numbers for the Soviet Consulate in San Francisco; dealing in
stolen telephone access codes; and eavesdropping on two telephone company
investigators.
Poulsen remained at large until a television show elicited a tip that led to
his capture in April 1991.
He and Mark Lottor, 27, of Menlo Park, are scheduled to be tried in March. The
third defendant, Robert Gilligan, has pleaded guilty and agreed to pay Pacific
Bell $25,000. He is scheduled to testify against Lottor and Poulsen as part of
a plea bargain.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
CA Computer Whiz Is First Hacker Charged With Espionage December 10, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by John Enders (The Associated Press)
SAN JOSE, California -- A 28-year-old computer whiz who reportedly once tested
Department of Defense security procedures has become the first alleged computer
hacker to be charged with espionage.
The government says Kevin Lee Poulsen stole classified military secrets and
should go to prison. But his lawyer calls him "an intellectually curious
computer nerd."
Poulsen, of Menlo Park, California, worked in the mid-1980s as a consultant
testing Pentagon computer security. Because of prosecution delays, he was held
without bail in a San Jose jail for 20 months before being charged this week.
His attorney, Paul Meltzer, says that Poulsen did not knowingly possess
classified information. The military information had been declassified by the
time prosecutors say Poulsen obtained it, Meltzer said.
"They are attempting to make him look like Julius Rosenberg," Meltzer said of
the man executed in 1953 for passing nuclear-bomb secrets to the Soviet Union.
"It's just ridiculous."
Poulsen was arrested in 1988 on lesser but related hacking charges. He
disappeared before he was indicted and was re-arrested in Los Angeles in April
1991. Under an amended indictment, he was charged with illegal possession of
classified government secrets.
Poulsen also is charged with 13 additional counts, including eavesdropping on
private telephone conversations and stealing telephone company equipment.
If convicted on all counts, he faces up to 85 years in prison and fines
totaling $3.5 million, said Assistant U.S. Attorney Robert Crowe in San
Francisco.
On Monday (12/7), Poulsen pleaded innocent to all charges. He was handed over
to U.S. Marshals in San Jose on Wednesday (12/9) and was being held at a
federal center in Pleasanton near San Francisco.
He hasn't been available for comment, but in an earlier letter from prison,
Poulsen called the charges "ludicrous" and said the government is taking
computer hacking too seriously.
U.S. Attorney John A. Mendez said Wednesday (12/9) that Poulsen is not
suspected of turning any classified or non-classified information over to a
foreign power, but he said Poulsen's alleged activities are being taken very
seriously.
"He's unique. He's the first computer hacker charged with this type of
violation -- unlawful gathering of defense information," Mendez said.
Assistant U.S. Attorney Robert Crowe said the espionage charge was entered only
after approval from the Justice Department's internal security section in
Washington.
The indictment alleges that Poulsen:
- Tapped into the Pacific Bell Co.'s computer and collected unpublished
telephone numbers and employee lists for the Soviet Consulate in San
Francisco.
- Stole expensive telephone switching and other equipment.
- Retrieved records of phone company security personnel and checked records of
their own calls to see if they were following him.
- Eavesdropped on telephone calls and computer electronic mail between phone
company investigators and some of his acquaintances.
- Tapped into an unclassified military computer network known as Masnet.
- Obtained a classified document on flight orders for a military exercise
involving thousands of paratroopers at the Army's Fort Bragg in North
Carolina.
The offenses allegedly took place between 1986 and 1988.
In 1985, the Palo Alto, California, think tank SRI International hired Poulsen
to work on military contracts, including a sensitive experiment to test
Pentagon computer security, according to published reports. SRI has declined
to comment on the case.
_______________________________________________________________________________
Hacker For Hire October 19, 1992
~~~~~~~~~~~~~~~
by Mark Goodman and Allison Lynn (People)(Page 151)
"Real-life Sneaker Ian Murphy puts the byte on corporate spies."
THERE'S NO PRIVACY THESE DAYS," says Ian Murphy. "Just imagine going into GM's
or IBM's accounts and wiping them out. You can bring about economic collapse
by dropping in a virus without them even knowing it." Scoff at your peril,
Corporate America. Captain Zap -- as Murphy is known in the electronic
underworld of computer hackers -- claims there's no computer system he can't
crack, and hence no mechanical mischief he can't wreak on corporations or
governments. And Murphy, 35, has the track record -- not to mention the
criminal record -- to back up his boasts.
Murphy's fame in his subterranean world is such that he worked as a consultant
for Sneakers, the hit film about a gang of computer-driven spies (Robert
Redford, Sidney Poitier, Dan Aykroyd) lured into doing some high-risk
undercover work for what they believe is the National Security Agency.
Murphy loved the way the movie turned out. "It's like a training film for
hackers," he says, adding that he saw much of himself in the Aykroyd character,
a pudgy, paranoid fantasist named Mother who, like Murphy, plows through
people's trash for clues. In fact when Aykroyd walked onscreen covered with
trash, Murphy recalls, "My friends turned to me and said, 'Wow, that's you!'"
If that sounds like a nerd's fantasy, then check out Captain Zap's credentials.
Among the first Americans to be convicted of a crime involving computer break-
ins, he served only some easy community-service time in 1983 before heading
down the semistraight, not necessarily narrow, path of a corporate spy.
Today, Murphy, 35, is president of IAM Secure Data Systems, a security
consultant group he formed in 1982. For a fee of $5,000 a day plus expenses,
Murphy has dressed up as a phone-company employee and cracked a bank's security
system, he has aided a murder investigation for a drug dealer's court defense,
and he has conducted a terrorism study for a major airline. His specialty,
though, is breaking into company security systems -- an expertise he applied
illegally in his outlaw hacker days and now, legally, by helping companies
guard against such potential break-ins. Much of his work lately, he says,
involves countersurveillance -- that is, finding out if a corporation's
competitors are searching its computer systems for useful information. "It's
industrial spying," Murphy says, "and it's happening all over the place."
Murphy came by his cloak-and-daggerish calling early. He grew up in Gladwyne,
Pennsylvania, on Philadelphia's Main Line, the son of Daniel Murphy, a retired
owner of a stevedoring business, and his wife, Mary Ann, an advertising
executive. Ian recalls, "As a kid, I was bored. In science I did wonderfully.
The rest of it sucked. And social skills weren't my thing."
Neither was college. Ian had already begun playing around with computers at
Archbishop Carroll High School; after graduation he joined the Navy. He got an
early discharge in 1975 when the Navy didn't assign him to radio school as
promised, and he returned home to start hacking with a few pals. In his
heyday, he claims, he broke into White House and Pentagon computers. "In the
Pentagon," he says, "we were playing in the missile department, finding out
about the new little toys they were developing and trying to mess with their
information. None of our break-ins had major consequences, but it woke them the
hell up because they [had] all claimed it couldn't be done."
Major consequences came later. Murphy and his buddies created dummy
corporations with Triple-A credit ratings and ordered thousands of dollars'
worth of computer equipment. Two years later the authorities knocked at
Murphy's door. His mother listened politely to the charges, then earnestly
replied, "You have the wrong person. He doesn't know anything about
computers."
Right. Murphy was arrested and convicted of receiving stolen property in 1982.
But because there were no federal computer-crime laws at that time, he got off
with a third-degree felony count. He was fined $1,000, ordered to provide
1,000 hours of community service (he worked in a homeless shelter) and placed
on probation for 2 1/2 years. "I got off easy," he concedes.
Too easy, by his own mother's standards. A past president of Republican Women
of the Main Line, Mary Ann sought out her Congressman, Larry Coughlin, and put
the question to him: "How would you like it if the next time you ran for
office, some young person decided he was going to change all of your files?"
Coughlin decided he wouldn't like it and raised the issue on the floor of
Congress in 1983. The following year, Congress passed a national computer-
crime law, making it illegal to use a computer in a manner not authorized by
the owner.
Meanwhile, Murphy, divorced in 1977 after a brief marriage, had married Carol
Adrienne, a documentary film producer, in 1982. Marriage evidently helped set
Murphy straight, and he formed his company -- now with a staff of 12 that
includes a bomb expert and a hostage expert. Countersurveillance has been
profitable (he's making more than $250,000 a year and is moving out of his
parents' house), but it has left him little time to work on his social skills -
- or for that matter his health. At 5 ft.6 in. and 180 lbs., wearing jeans,
sneakers and a baseball cap, Murphy looks like a Hollywood notion of himself.
He has suffered four heart attacks since 1986 but unregenerately smokes a pack
of cigarettes a day and drinks Scotch long before the sun falls over the
yardarm.
He and Carol divorced in April 1991, after 10 years of marriage. "She got
ethics and didn't like the work I did," he says. These days Murphy dates --
but not until he thoroughly "checks" the women he goes out with. "I want to
know who I'm dealing with because I could be dealing with plants," he explains.
"The Secret Service plays games with hackers."
Murphy does retain a code of honor. He will work for corporations, helping to
keep down the corporate crime rate, he says, but he won't help gather evidence
to prosecute fellow hackers. Indeed his rogue image makes it prudent for him
to stay in the background. Says Reginald Branham, 23, president of Cyberlock
Consulting, with whom Murphy recently developed a comprehensive antiviral
system: "I prefer not to take Ian to meetings with CEOs. They're going to
listen to him and say, 'This guy is going to tear us apart.'" And yet Captain
Zap, for all his errant ways, maintains a certain peculiar charm. "I'm like
the Darth Vader of the computer world," he insists. "In the end I turn out to
be the good guy."
(Photograph 1 = Ian Murphy)
(Photograph 2 = River Phoenix, Robert Redford, Dan Aykroyd, and Sidney Poitier)
(Photograph 3 = Mary Ann Murphy <Ian's mom>)
_______________________________________________________________________________
Yacking With A Hack August 1992
~~~~~~~~~~~~~~~~~~~
by Barbara Herman (Teleconnect)(Page 60)
"Phone phreaking for fun, profit & politics."
Ed is an intelligent, articulate 18 year old. He's also a hacker, a self-
professed "phreak" -- the term that's developed in a subculture of usually
young, middle-class computer whizzes.
I called him at his favorite phone booth.
Although he explained how he hacks as well as what kinds of hacking he has been
involved in, I was especially interested in why he hacks.
First off, Ed wanted to make it clear he doesn't consider himself a
"professional" who's in it only for the money. He kept emphasizing that
"hacking is not only an action, it's a state of mind."
Phreaks even have an acronym-based motto that hints at their overblown opinions
of themselves. PHAC. It describes what they do: "phreaking," "hacking,"
"anarchy" and "carding." In other words, they get into systems over the
telecom network (phreaking), gain access (hacking), disrupt the systems
(political anarchy) and use peoples' calling/credit cards for their personal
use.
Throughout our talk, Ed showed no remorse for hacking. Actually, he had
contempt for those he hacked. Companies were "stupid" because their systems'
were so easy to crack. They deserved it.
As if they should have been thankful for his mercy, he asked me to imagine what
would have happened if he really hacked one railway company's system (he merely
left a warning note), changing schedules and causing trains to collide.
He also had a lot of disgust for the "system," which apparently includes big
business (he is especially venomous toward AT&T), government, the FBI, known as
"the Gestapo" in phreak circles, and the secret service, whose "intelligence
reflects what their real jobs should be, secret service station attendants."
He doesn't really believe any one is losing money on remote access toll fraud.
He figures the carriers are angry not about money lost but rather hypothetical
money, the money they could have charged for the free calls the hackers made,
which he thinks are overpriced to begin with.
He's also convinced (wrongly) that companies usually don't foot the bill for
the free calls hackers rack up on their phone systems. "And, besides, if some
multi-million dollar corporation has to pay, I'm certainly not going to cry for
them."
I know. A twisted kid. Weird. But besides his skewed ethics, there's also a
bunch of contradictions.
He has scorn for companies who can't keep him out, even though he piously warns
them to try.
He dismisses my suggestion that the "little guy" is in fact paying the bills
instead of the carrier. And yet he says AT&T is overcharging them for the
"vital" right to communicate with each other.
He also contradicted his stance of being for the underdog by calling the
railway company "stupid" for not being more careful with their information.
Maybe a railway company is not necessarily the "little guy," but it hardly
seems deserving of the insults Ed hurled at it. When I mentioned that a
hospital in New York was taken for $100,000 by hackers, he defended the hackers
by irrelevantly making the claim that doctors easily make $100,000 a year.
Since when did doctors pay hospital phone bills?
What Ed is good at is rationalizing. He lessens his crimes by raising them to
the status of political statements, and yet in the same breath, for example, he
talks about getting insider info on the stock market and investing once he
knows how the stock is doing. He knows it's morally wrong, he told me, but
urged me to examine this society that "believes in making a buck any way you
can. It's not a moral society."
Amazingly enough, the hacker society to which Ed belongs, if I can
unstatistically use him as a representative of the whole community, is just as
tangled in the contradictions of capitalism as the "system" they supposedly
loathe. In fact, they are perhaps more deluded and hypocritical because they
take a political stance rather than recognizing their crimes for what they are.
How can Ed or anyone else in the "phreaking" community take seriously their
claims of being against big business and evil capitalism when they steal
people's credit-card and calling-card numbers and use them for their own
profit?
The conversation winded down after Ed rhapsodized about the plight of the
martyred hacker who is left unfairly stigmatized after he is caught, or "taken
down."
One time the Feds caught his friend hacking ID codes, had several phone
companies and police search his house, and had his computer taken away. Even
though charges were not filed, Ed complained, "It's not fair."
That's right, phreak. They should have thrown him in prison.
_______________________________________________________________________________
Computer Hacker On Side Of Law September 23, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Shelby Grad (Los Angeles Times)(Page B3)
COSTA MESA, CA -- Philip Bettencourt's formal title is photo lab supervisor for
the Costa Mesa Police Department. But on Tuesday afternoon, he served as the
department's official computer hacker.
Bettencourt, pounding the keyboard excitedly as other officers looked on, was
determined to find information within a stolen computer's vast memory that
would link the machine to its owner.
So far, he had made matches for all but two of the 26 computers recovered
earlier this month by police as part of a countywide investigation of stolen
office equipment. This would be number 25.
First, he checked the hard drive's directory, searching for a word-processing
program that might include a form letter or fax cover sheet containing the
owner's name, address or phone number.
When that failed, he tapped into an accounting program, checking for clues on
the accounts payable menu.
"Bingo!" Bettencourt yelled a few minutes into his work. He found an invoice
account number to a Fountain Valley cement company that might reveal the
owner's identity. Seconds later, he came across the owner's bank credit-card
number.
And less than a minute after that, Bettencourt hit pay dirt: The name of a
Santa Ana building company that, when contacted, revealed that it had indeed
been the victim of a recent computer burglary.
"This is great," said Bettencourt, who has been interested in computers for
nearly two decades now, ever since Radio Shack put its first model on the
market. "I love doing this. This is hacking, but it's in a good sense, not
trying to hurt someone. This is helping people."
Few computer owners who were reunited with their equipment would contest that.
When Costa Mesa police recovered $250,000 worth of computers, fax machines,
telephones and other office gadgets, detectives were faced with the difficult
task of matching machines bearing few helpful identifying marks to their
owners, said investigator Bob Fate.
Enter Bettencourt, who tapped into the computers' hard drives, attempting to
find the documents that would reveal from whom the machines were taken.
As of Tuesday, all but $50,000 worth of equipment was back in owners' hands.
Investigators suggested that people who recently lost office equipment call the
station to determine if some of the recovered gadgetry belongs to them.
Ironically, the alleged burglars tripped themselves up by not erasing the data
from the computers before reselling the machines, authorities said. A college
student who purchased one of the stolen computers found data from the previous
owner, whom he contacted. Police were then called in, and a second "buy" was
scheduled in which several suspects were arrested, Fate said.
Three people were arrested September 15 and charged with receiving and
possessing stolen property. Police are still searching for the burglars.
The office equipment was recovered from an apartment and storage facility in
Santa Ana.
Bettencourt matched the final stolen computer to its owner before sundown
Tuesday.
_______________________________________________________________________________
CuD's 1992 MEDIA HYPE Award To FORBES MAGAZINE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Jim Thomas (Computer Underground Digest)
In recent years, media depiction of "hackers" has been criticized for
inaccurate and slanted reporting that exaggerates the public dangers of the
dread "hacker menace." As a result, CuD annually recognizes the year's most
egregious example of media hype.
The 1992 annual CuD GERALDO RIVERA MEDIA HYPE award goes to WILLIAM G. FLANAGAN
AND BRIGID McMENAMIN for their article "The Playground Bullies are Learning how
to Type" in the 21 December issue of Forbes (pp 184-189). The authors improved
upon last year's winner, Geraldo himself, in inflammatory rhetoric and
distorted narrative that seems more appropriate for a segment of "Inside
Edition" during sweeps week than for a mainstream conservative periodical.
The Forbes piece is the hands-down winner for two reasons. First, one reporter
of the story, Brigid McMenamin, was exceptionally successful in creating for
herself an image as clueless and obnoxious. Second, the story itself was based
on faulty logic, rumors, and some impressive leaps of induction. Consider the
following.
The Reporter: Brigid McMenamin
It's not only the story's gross errors, hyperbole, and irresponsible distortion
that deserve commendation/condemnation, but the way that Forbes reporter Brigid
McMenamin tried to sell herself to solicit information.
One individual contacted by Brigid McM claimed she called him several times
"bugging" him for information, asking for names, and complaining because
"hackers" never called her back. He reports that she explicitly stated that
her interest was limited to the "illegal stuff" and the "crime aspect" and was
oblivious to facts or issues that did not bear upon hackers-as-criminals.
Some persons present at the November 2600 meeting at Citicorp, which she
attended, suggested the possibility that she used another reporter as a
credibility prop, followed some of the participants to dinner after the
meeting, and was interested in talking only about illegal activities. One
observer indicated that those who were willing to talk to her might not be the
most credible informants. Perhaps this is one reason for her curious language
in describing the 2600 meeting.
Another person she contacted indicated that she called him wanting names of
people to talk to and indicated that because Forbes is a business magazine, it
only publishes the "truth." Yet, she seemed not so much interested in "truth,"
but in finding "evidence" to fit a story. He reports that he attempted to
explain that hackers generally are interested in Unix and she asked if she
could make free phone calls if she knew Unix. Although the reporter stated to
me several times that she had done her homework, my own conversation with her
contradicted her claims, and if the reports of others are accurate, here claims
of preparation seem disturbingly exaggerated.
I also had a rather unpleasant exchange with Ms. McM. She was rude, abrasive,
and was interested in obtaining the names of "hackers" who worked for or as
"criminals." Her "angle" was clearly the hacker-as-demon. Her questions
suggested that she did not understand the culture about which she was writing.
She would ask questions and then argue about the answer, and was resistant to
any "facts" or responses that failed to focus on "the hacker criminal." She
dropped Emmanuel Goldstein's name in a way that I interpreted as indicating a
closer relationship than she had--an incidental sentence, but one not without
import -- which I later discovered was either an inadvertently misleading
choice of words or a deliberate attempt to deceptively establish credentials.
She claimed she was an avowed civil libertarian. I asked why, then, she didn't
incorporate some of those issues. She invoked publisher pressure. Forbes is a
business magazine, she said, and the story should be of interest to readers.
She indicated that civil liberties weren't related to "business." She struck
me as exceptionally ill-informed and not particularly good at soliciting
information. She also left a post on Mindvox inviting "hackers" who had been
contacted by "criminals" for services to contact her.
>Post: 150 of 161
>Subject: Hacking for Profit?
>From: forbes (Forbes Reporter)
>Date: Tue, 17 Nov 92 13:17:34 EST
>
>Hacking for Profit? Has anyone ever offered to pay you (or
>a friend) to get into a certain system and alter, destroy or
>retrieve information? Can you earn money hacking credit
>card numbers, access codes or other information? Do you know
>where to sell it? Then I'd like to hear from you. I'm
>doing research for a magazine article. We don't need you
>name. But I do want to hear your story. Please contact me
>[email protected].
However, apparently she wasn't over-zealous about following up her post or
reading the Mindvox conferences. When I finally agreed to send her some
information about CuD, she insisted it be faxed rather than sent to Mindvox
because she was rarely on it. Logs indicate that she made only six calls to
the board, none of which occurred after November 24.
My own experience with the Forbes reporter was consistent with those of others.
She emphasized "truth" and "fact-checkers," but the story seems short on both.
She emphasized explicitly that her story would *not* be sensationalistic. She
implied that she wanted to focus on criminals and that the story would have the
effect of presenting the distinction between "hackers" and real criminals.
Another of her contacts also appeared to have the same impression. After our
less-than-cordial discussion, she reported it to the contact, and he attempted
to intercede on her behalf in the belief that her intent was to dispel many of
the media inaccuracies about "hacking." If his interpretation is correct, then
she deceived him as well, because her portrayal of him in the story was
unfavorably misleading.
In CuD 4.45 (File #3), we ran Mike Godwin's article on "How to Talk to the
Press," which should be required reading. His guidelines included:
1) TRY TO THINK LIKE THE REPORTER YOU'RE TALKING TO.
2) IF YOU'RE GOING TO MEET THE REPORTER IN PERSON, TRY TO
BRING SOMETHING ON PAPER.
3) GIVE THE REPORTER OTHER PEOPLE TO TALK TO, IF POSSIBLE.
4) DON'T ASSUME THAT THE REPORTER WILL COVER THE STORY THE WAY
YOU'D LIKE HER TO.
Other experienced observers contend that discussing "hacking" with the press
should be avoided unless one knows the reporter well or if the reporter has
established sufficient credentials as accurate and non-sensationalist. Using
these criteria, it will probably be a long while before any competent
cybernaught again speaks to Brigid McMenamin.
The Story
Rather than present a coherent and factual story about the types of computer
crime, the authors instead make "hackers" the focal point and use a narrative
strategy that conflates all computer crime with "hackers."
The story implies that Len Rose is part of the "hacker hood" crowd. The lead
reports Rose's prison experience and relates his feeling that he was "made an
example of" by federal prosecutors. But, asks the narrative, if this is so,
then why is the government cracking down? Whatever else one might think of Len
Rose, no one ever has implied that he as a "playground bully" or "hacker hood."
The story also states that 2600 Magazine editor Emmanuel Goldstein "hands
copies <of 2600> out free of charge to kids. Then they get arrested." (p. 188-
-a quote attributed to Don Delaney), and distorts (or fabricates) facts to fit
the slant:
According to one knowledgeable source, another hacker brags
that he recently found a way to get into Citibank's
computers. For three months he says he quietly skimmed off a
penny or so from each account. Once he had $200,000, he quit.
Citibank says it has no evidence of this incident and we
cannot confirm the hacker's story. But, says computer crime
expert Donn Parker of consultants SRI International: "Such a
'salami attack' is definitely possible, especially for an
insider" (p. 186).
Has anybody calculated how many accounts one would have to "skim" a few pennies
from before obtaining $200,000? At a dime apiece, that's over 2 million. If
I'm figuring correctly, at one minute per account, 60 accounts per minute non-
stop for 24 hours a day all year, it would take nearly 4 straight years of on-
line computer work for an out-sider. According to the story, it took only 3
months. At 20 cents an account, that's over a million accounts.
Although no names or evidence are given, the story quotes Donn Parker of SRI as
saying that the story is a "definite possibility." Over the years, there have
been cases of skimming, but as I remember the various incidents, all have been
inside jobs and few, if any, involved hackers. The story is suspiciously
reminiscent of the infamous "bank cracking" article published in Phrack as a
spoof several years ago.
The basis for the claim that "hacker hoods" (former "playground bullies") are
now dangerous is based on a series of second and third-hand rumors and myths.
The authors then list from "generally reliable press reports" a half-dozen or
so non-hacker fraud cases that, in context, would seem to the casual reader to
be part of the "hacker menace." I counted in the article at least 24 instances
of half-truths, inaccuracies, distortions, questionable/spurious links, or
misleading claims that are reminiscent of 80s media hype. For example, the
article attributes to Phiber Optik counts in the MOD indictment that do not
include him, misleads on the Len Rose indictment and guilty plea, uses second
and third hand information as "fact" without checking the reliability, and
presents facts out of context (such as attributing the Morris Internet worm to
"hackers).
Featured as a key "hacker hood" is "Kimble," a German hacker said by some to be
sufficiently media-hungry and self-serving that he is ostracized by other
German hackers. His major crime reported in the story is hacking into PBXes.
While clearly wrong, his "crime" hardly qualifies him for the "hacker
hood/organized crime" danger that's the focus of the story. Perhaps he is
engaged in other activities unreported by the authors, but it appears he is
simply a run-of-the-mill petty rip-off artist. In fact, the authors do not make
much of his crimes. Instead, they leap to the conclusion that "hackers" do the
same thing and sell the numbers "increasingly" to criminals without a shred of
evidence for the leap. To be sure the reader understands the menace, the
authors also invoke unsubstantiated images of a hacker/Turkish Mafia connection
and suggest that during the Gulf war, one hacker was paid "millions" to invade
a Pentagon computer and retrieve information from a spy satellite (p. 186).
Criminals use computers for crime. Some criminals may purchase numbers from
others. But the story paints a broader picture, and equates all computer crime
with "hacking." The authors' logic seems to be that if a crime is committed
with a computer, it's a hacking crime, and therefore computer crime and
"hackers" are synonymous. The story ignores the fact that most computer crime
is an "inside job" and it says nothing about the problem of security and how
the greatest danger to computer systems is careless users.
One short paragraph near the end mentions the concerns about civil liberties,
and the next paragraph mentions that EFF was formed to address these concerns.
However, nothing in the article articulates the bases for these concerns.
Instead, the piece promotes the "hacker as demon" mystique quite creatively.
The use of terms such as "new hoods on the block," "playground bullies," and
"hacker hoods" suggests that the purpose of the story was to find facts to fit
a slant.
In one sense, the authors might be able to claim that some of their "facts"
were accurate. For example, the "playground bullies" phrase is attributed to
Cheshire Catalyst. "Gee, *we* didn't say it!" But, they don't identify
whether it's the original CC or not. The phrase sounds like a term used in
recent internecine "hacker group" bickering, and if this was the context, it
hardly describes any new "hacker culture." Even so, the use of the phrase
would be akin to a critic of the Forbes article referring to it as the product
of "media whores who are now getting paid for doing what they used to do for
free," and then applying the term "whores" to the authors because, hey, I
didn't make up the term, somebody else did, and I'm just reporting (and using
it as my central metaphor) just the way it was told to me. However, I suspect
that neither Forbes' author would take kindly to being called a whore because
of the perception that they prostituted journalistic integrity for the pay-off
of a sexy story. And this is what's wrong with the article: The authors take
rumors and catch-phrases, "merely report" the phrases, but then construct
premises around the phrases *as if* they were true with little (if any)
evidence. They take an unconfirmed "truth" (where are fact checkers when you
need them) or an unrelated "fact" (such as an example of insider fraud) and
generalize from a discrete fact to a larger population. The article is an
excellent bit of creative writing.
Why Does It All Matter?
Computer crime is serious, costly, and must not be tolerated. Rip-off is no
joke. But, it helps to understand a problem before it can be solved, and lack
of understanding can lead to policies and laws that are not only ineffective,
but also a threat to civil liberties. The public should be accurately informed
of the dangers of computer crime and how it can be prevented. However, little
will be served by creating demons and falsely attributing to them the sins of
others. It is bad enough that the meaning" of the term "hacker" has been used
to apply both to both computer delinquents and creative explorers without also
having the label extended to include all other forms of computer criminals as
well.
CPSR, the EFF, CuD, and many, many others have worked, with some success, to
educate the media about both dangers of computer crime and the dangers of
inaccurately reporting it and attributing it to "hackers." Some, perhaps most,
reporters take their work seriously, let the facts speak to them, and at least
make a good-faith effort not to fit their "facts" into a narrative that--by one
authors' indication at least -- seems to have been predetermined.
Contrary to billing, there was no evidence in the story, other than
questionable rumor, of "hacker" connection to organized crime. Yet, this type
of article has been used by legislators and some law enforcement agents to
justify a "crackdown" on conventional hackers as if they were the ultimate
menace to society. Forbes, with a paid circulation of over 735,000 (compared
to CuDs unpaid circulation of only 40,000), reaches a significant and
influential population. Hysterical stories create hysterical images, and these
create hysteria-based laws that threaten the rights of law-abiding users. When
a problem is defined by irresponsibly produced images and then fed to the
public, it becomes more difficult to overcome policies and laws that restrict
rights in cyberspace.
The issue is not whether "hackers" are or are not portrayed favorably. Rather,
the issue is whether images reinforce a witch-hunt mentality that leads to the
excesses of Operation Sun Devil, the Steve Jackson Games fiasco, or excessive
sentences for those who are either law-abiding or are set up as scapegoats.
The danger of the Forbes article is that it contributes to the persecution of
those who are stigmatized not so much for their acts, but rather for the signs
they bear.