                                ==Phrack Inc.==

                    Volume Four, Issue Forty, File 12 of 14

              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
              PWN                                             PWN
              PWN              Phrack World News              PWN
              PWN                                             PWN
              PWN           Issue 40 / Part 1 of 3            PWN
              PWN                                             PWN
              PWN        Compiled by Datastream Cowboy        PWN
              PWN                                             PWN
              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN


 Scantronics BBS Seized By San Diego Police Department             July 1, 1992
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 By Knight Lightning and The Gatsby
 Special Thanks to Bruce Bigelo (San Diego Union-Tribune)

                 "Multiplexor and The Crypt Keeper Spill Guts"

A lot of stories have been circulating in the press over the past two months
about hordes of credit card stealing computer hackers that were disrupting
the economy of the United States.  It all began with rumors about Multiplexor,
a small time hacker that was thought to have spent some time in Long Island,
New York and supposedly is from Indiana.  The story was that Multiplexor had
carded a plane ticket to San Diego to see a girl or meet some friends, but
when he landed, he was met by the police instead.

Where that information or the supposed "1,000 member hacker ring" theory came
from, we might never know, but we now do know the facts in this case thanks
to police reports and warrant affidavits supplied by the court and acquired by
The Gatsby with help.

That information and more is now available.

For purposes of understanding the following, "SEMENICK" and "MARCOV" are both
the same person.  You might know him better under the names of Multiplexor or
The Prisoner.  Later in this file, you will see references to a person named
Kevin Marcus who is better known to some as The Crypt Keeper.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

                          SAN DIEGO POLICE DEPARTMENT
                         Investigators Follow-Up Report

CASE NUMBER:  N/A
DATE:         March 23, 1992
TIME:         1300 Hours
SUBJECT:      Damage Assessment of and Intelligence gathering on Illegal entry
              (Hacking) Computer Systems and the Illegal use of Credit Cards.
SUSPECT:      SEMENICK, John Edward        AKA: MARCOV, Eric Edward
VICTIM:       Zales Jewelry Store
LOCATION:     4465 La Jolla Village Drive, San Diego, CA
DETECTIVE:    Dennis W. Sadler (I.D.# 2486)

On March 31, 1992, I received an ARJIS 4 form from Officer Smyth (I.D.# 3871)
regarding some papers found by a Mr. Maurice Osborne at his residence.

Mr. Osborne had asked an individual by the name of Eric MARCOV, who had rented
a room from him, to leave.  After MARCOV left the house, Mr. Osborne discovered
some papers with what appeared to be credit card information on them.  Mr.
Osborne called the police and reported what he found.

Officer Smyth collected the papers and wrote the attached report.  After
reviewing these papers, I learned that they did in fact contain some personal
information on individuals which included the person's name, address, credit
card number, card expiration date, and social security number.  It appeared
that the person who wrote these notes was possibly using this credit card
information illegally.

I contacted Mr. Osborne by phone on March 31st.  He verified the contents of
the report and he stated that he feels MARCOV may still be in town.  On April
2nd, I was contacted by Mr. Osborne who learned that MARCOV was staying at a
motel in the beach area named Sleepy Time.

On April 2, 1992, while in the beach area, I came across the Sleepy Time Motel.
I contacted the motel manager, William Gainok.  I asked Mr. Gainok if he had
a person registered there by the name of Eric MARCOV.  He said that he did and
that Marcov was in room number 108.

At approximately 8:40 am, I knocked on the door to room number 108.  A white
male answered the door.  I asked him if he was Eric MARCOV.  He said yes.  I
identified myself as a San Diego Police Detective and told him that I needed
to talk to him about some questionable credit card activity.

As he opened the motel room door, I saw more papers like <those> given to me by
Mr. Osborne laying on the floor near the door with more credit card information
on them.  After being invited into the motel room, I asked MARCOV if he knew
why I was here.  He said I think so.  I asked MARCOV why he thought so.  He
said the credit cards.

At this point, I was only interviewing MARCOV regarding the papers found at Mr.
Osborne's residence.  I had no active case or any evidence indicating that
MARCOV was involved in, or a suspect of any criminal or illegal activity.

I asked MARCOV if he had any I.D. on him.  He said that he did not.  MARCOV
gave me the following information; Eric Edward MARCOV, DOB 05-15-74, then
changed the year to 73.  He said he was 18 going on 19.  He did not know his
social security number.  When asked if he had a drivers' license, he said that
he has never had one.  MARCOV appeared to be between the age of 17 to 19 years
old.

While asking him about papers, he started talking about computers and gaining
information from various systems.  He talked for about 10 minutes.  After that,
I decided to call the FBI because hacking was involved in obtaining the credit
card information and numbers, plus the information was coming from out of
state.  MARCOV also sounded like he knew a lot about computer hacking and was
involved in it himself.

At 8:58 am, I called the local office of the FBI and told them what I had and
asked if they would be interested in talking with MARCOV.  I asked MARCOV prior
to calling the FBI, if he would be willing to talk with them about his computer
activities.  He agreed to talk with them.

A short time later Special Agent Keith Moses called me back at the motel.  I
explained to him what I had and what MARCOV was willing to talk about.  After
going over the case with Moses, he agreed to come out and talk with MARCOV.

Both Moses and I interviewed MARCOV regarding his hacking activities and
knowledge.  MARCOV was extensively involved in the hacking community during
the last four years and had some superior knowledge about what was happening in
the hacker world.  We later learned that he had been arrested for computer
crimes in early 1991 in Indianapolis.  We attempted to contact the
investigators that worked that case, but we never received any calls back after
numerous attempts.

During the interview, I attempted to confirm MARCOV's true identity.  I asked
him for his parents' information.  He said he did not remember their home phone
numbers, but they had a phone.  He also could not remember their home
addresses.  I asked him for his parents' employment information.  He said that
his father worked for a local (his home town) turbine company.

I called the information number for the local phone company and then called the
company to verify this information.  However, the company's personnel office
could not locate any employee matching the name given to me by MARCOV.  MARCOV
also gave me the school and year he graduated.  I called the local school
district's administrative office and discovered they had no record of MARCOV
attending or graduating from their school system.

I confronted him with this information and he finally gave me his true
information.  His true name was John Edward SEMENICK, DOB 05-15-75.  I located
his father's work number and contacted him.  He was very uninterested about his
son's whereabouts or condition.  When asked if he would supply an airline or
bus ticket for transportation home, he said he would not.  His father further
stated that when his son decided to come home, he'll have to find his own way.
SEMENICK's parents are divorced and he lives with his father.  However, we
learned that his mother had filed a runaway report with the local sheriff's
office.

I contacted his mother and she seemed a little more concerned, but said she
would not provide a ticket or funds for his return.  I asked both parents if
while John was in San Diego would they have any problems if their son assisted
us in our investigation.  I explained to them that he was not facing any known
criminal charges at that point and that the information he would be giving us
would be for damage assessment and intelligence gathering purposes on hackers.

Both parents stated that they had no problem with him assisting us if he was
not being charged.  Because SEMENICK was a juvenile and a runaway report was
filed on him, we contacted the U.S. Attorney's office, the District Attorney's
Juvenile Division, and the Juvenile Hall Probation Intake Officer for advice.

They advised us that there was no problem with him giving us information.
SEMENICK was booked into Juvenile hall as a runaway and then released to a
halfway home for the evening.  The intake officer explained to us that because
his parents would not send for him, they would only keep him for one evening
and then he would be let go on his own again the next day.

After SEMENICK went through the runaway process and was being released, we
picked him back up.  The FBI agreed and furnished the funds to put SEMENICK up
in a hotel, give him living expenses, and then provide transportation for him
home.  SEMENICK was put up in a suite at the Mission Valley Marriott.  He was
allowed to do what he wanted while staying at the hotel and to see his friends
at any time.

During SEMENICK's stay at the Marriott, either myself or Agent Moses stayed in
the hotel room next to SEMENICK's.  During the three day stay at the hotel,
SEMENICK was able to provide us with some very useful information and
intelligence.  It was not enough to make any arrest, but we obtained some very
valuable information.  We were not able to independently verify the information
by another source.

During the period of April 3rd to April 5th, 1992, SEMENICK contacted numerous
persons by phone who were involved in computer hacking.  SEMENICK willingly and
voluntarily signed an FBI consent form giving us permission to record his phone
calls during the course of our investigation.  There were numerous tape
recorded phone conversations involving at least 4 separate individuals.

During this same period of time, information in data format was also downloaded
from another individual's computer located on the East Coast to the computer
we had set up.  The information we received during the download was current
credit records just obtained from CBI credit reporting company by this person,
a CBI manual written in part by "Kludge" a San Diego hacker, and numerous
other files/documents involving illegal activity such as "carding."  "Carding"
is a term used by the hacker community regarding the illegal or fraudulent use
of credit cards or credit card numbers by hackers nationwide.

SEMENICK stated that he had been a member of a local BBS called Scantronics
when he was an active hacker.  He stated that the board is run by a guy named
"KLUDGE" and contains hundreds of files and documents.  He said that most of
these files and documents contained on "KLUDGE's" computer are "how to"
manuals.  This means that they instruct the person who obtains them through
Scantronics BBS on how to do various things both legal and illegal.  Some of
the illegal activities that are covered on this BBS are carding, phone hacking,
ATM fraud, and credit bureau information.

We obtained three documents written by or put out by either "KLUDGE" or
Scantronics BBS.

THIS INVESTIGATION IS ONGOING AT THIS TIME AND FURTHER INFORMATION AND EVIDENCE
WILL BE ADDED.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

                          SAN DIEGO POLICE DEPARTMENT
                         Investigators Follow-Up Report

CASE NUMBER:  N/A
DATE:         April 30, 1992
TIME:         0700 Hours
SUBJECT:      Computer Hacking
SUSPECT:      N/A
VICTIM:       N/A
LOCATION:     N/A
DETECTIVE:    Dennis W. Sadler (I.D.# 2486)

On April 16, 1992, I was contacted by Kevin Marcus.  Marcus learned that we
were investigating individuals who were illegally logging (hacking) into
various computer systems nationwide.  Marcus runs a local computer bulletin
board system (BBS) called The Programmer's Paradise.  Marcus was concerned
about the illegal activities he had seen on various local BBSs and contacted
me.

Marcus also said that he had received computer messages from a person who goes
by the name (handle) of Knight Lightning in New York who asked him if he heard
anything about our investigation.  Knight Lightning told Marcus that on April
3rd a reporter from San Diego by the name of Bigelo had contacted and talked to
him about our ongoing investigation.

--  --  --  --  --  --  --  --
Enclosure 1:

Date: Fri, 10 Apr 1992 18:14:11 -500
To: knight@eff.org
From: Craig Neidorf <knight@eff.org>
Subject: Runaway Teen Hacker Picked Up?

I was just contacted by a reporter in San Diego about a hacker case.

Apparently there is a teenage hacker from Indiana who ran away from home to
California to see some girl there.  The local police and the FBI supposedly
picked him up on April 3rd and he remains in their custody uncharged while he
is telling them all sorts of information on hacker rings across the nation.

Does anyone have any clues as to who this kid is or what's going on?

:Knight Lightning

--  --  --  --  --  --  --  --

Enclosure 2:

Date: Thu, 16 Apr 1992 22:25:17 -0400
From: Craig Neidorf <knight@eff.org>
To: tck@netlink.cts.com
Subject: Re: Hi.

Bruce Bigelo, Union Tribune.  Left his number at the office.  Nothing going on,
but I understand that you called him.

Craig

--  --  --  --  --  --  --  --

Marcus offered to assist us.  I asked if he knew of a BBS called Scantronics.
He said that he did and that he had been a member of that BBS and viewed the
files on that board in the past to see what the board carried.  Marcus is a
computer science major at a local college and is doing research in the anti-
virus field.  Marcus stated that the board carried a lot of technical data, but
had nothing regarding his subject.  Marcus also belongs to other local and out-
of-state BBSs where he talks with other individuals with his same interest.

Marcus stated that he was last on Scantronics BBS about a month ago and he had
seen numerous computer files that involved CBI and carding.  Carding is a term
used by hackers who are involved in the illegal or fraudulent use of credit
cards and their numbers.  These credit card numbers are obtained from credit
reporting companies such as CBI and TRW, by illegally accessing (hacking) their
way into those company computers and reading or copying private individuals'
credit reports and information.

Most copies of credit reports from these companies will show a person's name,
current and previous addresses, social security number, employer, salary, and
all current credit history including all credit cards and their account
numbers.  They <the hackers> then use these credit card numbers to obtain
goods.

If one of the hackers used an account number he found on a credit report that
he illegally pulled from the credit reporting company, the victim would most
likely not find out that their card had been illegally used until the next
billing cycle which could be as much as 45 days after the illegal transaction
took place.  According to the credit card industry, this is one of the most
risk free and safest ways to commit credit card fraud.

Marcus said that the person's name who ran this BBS was Jeremy.  He did not
know his last name, but the handle he is known by is "KLUDGE."  I asked if he
knew the phone number to this BBS and he gave me 423-4852.  The BBS phone
number, the operator's first name, and <the operator's> handle matched the
information we had learned earlier.

Marcus also gave me two disks <that> contained some files which had been
downloaded (left on his BBS) by other persons on his system.  He regularly
checks his board and removes or deletes files regarding questionable or illegal
activity such as carding.

I viewed both of these disks and they contained some very interesting files.
These files included various topics <such as> an auto theft manual, CBI manual,
TRW manual, American Express card info, and many other files which if
downloaded or copied by another person, that person could easily gain illegal
access to various credit reporting companies and commit various other illegal
types of activity.

I told Marcus if he came across any further information regarding this type of
activity or further information about the BBS called Scantronics to please
contact me.

On April 17, 1992, I met Marcus and he said that he had logged onto Scantronics
last night by using an access number a friend gave him.  This same friend had
let him use his access number to gain access to this BBS on many prior
occasions.  He did this on his own, without any direction whatsoever from me or
any other law enforcement official.

Marcus handed me a 5 1/4" computer disk and said that it contained some file
listings and a list of all validated users.  Marcus also stated that the disk
contained a copy of the messages that were sent to him through his BBS by the
person in New York regarding our investigation [those messages displayed above
from Knight Lightning].

He asked me if I wanted him to log on and see for myself what was on "KLUDGE's"
BBS.  I told him that I would have to consult with the D.A.'s office first.
However, I was unable to get a hold of our D.A. liaison.  I told <Marcus> that
I'd get back with him later.

After talking to D.A. Mike Carlton, I advised Marcus not to go into Scantronics
BBS unless it was for his own information.  However he said that if he came
across any further information during his normal course of running his own BBS,
he would notify me.

--  --  --  --  --  --  --  --

[The police report also contained 60 pages of printouts of postings and text
files found on Scantronics BBS.  It is also made very clear that Kevin Marcus
(aka The Crypt Keeper) accessed Scantronics BBS by using the password and
account number of The Gatsby.  Files include:

-  "Credit Bureau Information" which sounds harmless enough to begin with and
    turns out is actually a reprint of an article from the September 27, 1992
    issue of Business Week Magazine

-  "Advanced Carding" by The Disk Jockey, which dates back to 1987.

-  "The Complete CBI Manual of Operations" by Video Vindicator and Kludge,
    dated October 10, 1991.

 Aftermath
 ~~~~~~~~~
On April 23, 1992, a search warrant was issued in the municipal court of the
State of California in the county of San Diego which authorized the seizure of:

A.  All telephone company subscriber information to include service start date,
    copy of most current billing statement, current credit information, and
    location of telephone service to the following telephone numbers;
    (619)XXX-XXXX and (619)XXX-XXXX and any other telephone number information
    in any chain of call forwarding, to or from the listed phone numbers.

B.  All telephone company records which includes subscriber information,
    service start date, copy of most current billing statement, current credit
    information, and location of telephone service phone numbers to which calls
    are being forwarded to or from, from the listed phone numbers.

               CERTIFICATION TO DEFER NOTIFICATION TO SUBSCRIBER

     The Court finds there is substantial probable cause to believe
     notification to the subscriber whose activities are recorded in the
     records described above would impede or destroy this investigation.
     Accordingly, the court certifies the request of the San Diego Police
     Department that notification to the subscriber be deferred pending
     further order of this court.


On April 30, 1992, a search warrant was issued in the municipal court of the
State of California in the county of San Diego which authorized the search of
Kludge's residence and the seizure of:

     All computer equipment and paraphernalia used in computer hacking, or a
     part of the BBS known as Scantronics which includes, but is not limited to
     monitor(s), keyboard(s), CPU(s), which may or may not contain hard disk
     drive(s), floppy drive(s), tape drive(s), CD rom drive(s), modem(s),
     fax/modem(s), all hard copies (paper copies) of any computer files which
     have been stored or currently stored on/in a computer system, all
     documents whether in hard or data form which show how to operate any
     computer program or computer file, all memory storage devices which may
     include hard disk drive(s), 5 1/4" and 3 1/2" computer memory storage
     disks, all computer memory storage and computer back up tapes, and all
     computer CD rom disks capable of computer data storage; and, documents and
     effects which tend to show dominion and control over said premises and
     computer system, including fingerprints, records, handwritings, documents
     and effects which bear a form of identification such as a person's name,
     photograph, social security number, or driver's license number and keys.

The warrant was used immediately and Scantronics BBS and much more was seized.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 The Crypt Keeper Responds
 ~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Wed, 17 Jun 92 09:13:50 PDT
From: tck@bend.UCSD.EDU (Kevin Marcus)
To: knight@eff.org
Subject: Hmm.

I'll start at the beginning...

On April 3rd, I arrived at my workplace (a computer store) around 3 pm.
Multiplexor is sitting in the back with some FBI agent and Detective Dennis
Sadler.  The reason they chose my store for technical support is because Dennis
and one of my managers are very good friends.

I saw what was happening, and I saw Multiplexor call up Kludge's board and try
to log on, but alas he was not validated.  Nonetheless, that same day I told
Gatsby and Kludge what was up, because they are/were my friends and I didn't
want something bad to happen to them.

A few days later, my boss suggested that I tell Dennis that I was on Kludge's
board awhile ago, but that I was not anymore because they might have found
something on me.  So the next time I saw him (he comes in about once a week,
still), I told him that I was on the board awhile ago, but that I wasn't
anymore.  He asked a few stupid questions and I didn't really say a whole bunch
about.

He eventually found out that I had warned Kludge about his board.  I am not
really sure how, I sure as heck didn't tell him.  He then told me that I
nearly blew their investigation and for interfering with an investigation the
maximum penalty was like 5 years or something like that.  He was getting ready
to arrest me and take me down to the county courthouse when my boss was able to
convince him that I was a good kid, not looking for trouble, and that I would
get him something to re-strengthen.  So, even though Dennis didn't tell me
specifically to get something from Kludge's board, he told me that what he
needed to get his case back up to par was an idea of what was on the board,
like a buffering of his system.

That night I called up Gatsby and got his password from him.  I called and
buffered.  The next time that I saw him [Sadler], I told him what I had done.
He wanted to know how I got on Kludge's board, and I told him through a
friend's account.  He asked me which friend, and I said "The Gatsby."  He then
started asking me a bunch of questions about Gatsby such as, "What is his real
name?"  And, at first I said that I didn't want to tell him, and then he said
that I was withholding evidence and he could bust me on that alone.  So I told
him his name and that he lived in XXXXX (a suburb of San Diego).  They already
had him and Kludge in phone conversations over Kludge's line since it was taped
for a while so they knew who he was in the first place.

If Sadler didn't have anything hanging over my head, such as interfering with
an investigation, and/or withholding evidence, then I would not have said jack,
more than likely.  My first contact with him was on suggestion of my boss, who
is a good friend of his, and he might have told my boss something which made
him worry and think that I would be arrested for something, I do not know.

Now, if I was a nark, then I can assure you that a LOT more people would have
gone down.  I have a plethora of information on who is who, who is where, who
does what, etc. and, even though it's old, I bet a lot of it is true.  If I
wanted there to be another Operation Sun-Devil, then I would have given all of
that information to him.  But I didn't, because that is not at all what I had
wanted.  I didn't want anyone to get busted (including myself) for anything.

If I were a nark, then I would probably have given him a lot more information,
wouldn't you think?

I sure do.

I am not asking anyone to forget about it.  I know that I screwed up, but there
is not a whole bunch about it that I can do right now.

When Sadler was here asking me questions, it didn't pop into my mind that I
should tell him to wait and then go and call my attorney, and then a few
minutes later come back and tell him whatever my lawyer said.  I was scared.
_______________________________________________________________________________

 Hackers Aren't The Real Enemy                                     June 8, 1992
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 By Chris Goggans (ComputerWorld)(Page 37)

(Goggans is a 23-year old hacker who is currently seeking employment with
anyone who won't make him cut his hair.)

For years articles have been published about people who call themselves
"hackers."  These have been written by people who have investigated hackers,
who have been the targets of hackers, who secure systems against hackers and
who claim to know hackers.  As a member of the so-called "computer
underground," I would like to present the hacker's point of view.

I hope you will put aside any personal bias you may have toward people who call
themselves "hackers" because it is probably based on media reports rather than
real contact.

I also hope you won't refuse to read this because you have a problem with my
ethics.  Over the past 11 years, operating under the pseudonym Erik Bloodaxe, I
had opportunities to become rich beyond the dreams of avarice and wreak great
havoc on the world's computer networks.  Yet I have done neither.  I have
looked behind doors that were marked "employees only" but have never disrupted
the operation of business.  Voyeurism is a far cry from rape.

Illegal, but not criminal

Undeniably, the actions of some hackers are illegal, but they are still hardly
criminal in nature.  The intention of most of these individuals is not to
destroy or exploit systems but merely to learn in minute detail how they are
used and what they are used for.  The quest is purely intellectual, but the
drive to learn is so overwhelming that any obstacle blocking its course will be
circumvented.  Unfortunately, the obstacles are usually state and federal laws
on unauthorized computer access.

The overwhelming difference between today's hackers and their 1960s MIT
namesakes is that many of my contemporaries began their endeavors too young to
have ready access to computer systems.  Few 13-year-olds find themselves with
system privileges on a VAX through normal channels.

My own first system was an Atari 8-bit computer with 16K of memory.  I soon
realized that the potential of such a machine was extremely limited. With the
purchase of a modem, however, I was able to branch out and suddenly found
myself backed by state-of-the-art computing power at remote sites across the
globe.  Often, I was given access by merely talking to administrators about the
weak points in their systems, but most often my only access was whatever
account I may have stumbled across.

Many people find it hard to understand why anyone would risk prosecution just
to explore a computer system.  I have asked myself that same question many
times and cannot come up with a definitive answer.  I do know that it is an
addiction so strong that it can, if not balanced with other activities, lead to
total obsession.  Every hacker I know has spent days without sleep combing the
recesses of a computer network, testing utilities and reading files.  Many
times I have become so involved in a project that I have forgotten to eat.

Hackers share almost no demographic similarities:  They are of all income
levels, races, colors and religions and come from almost every country.  There
are some shared characteristics, however.  Obsessive-compulsive behavior (drug
or alcohol abuse, gambling, shoplifting) is one.  Others have a history of
divorce in their families, intelligence scores in the gifted to genius level,
poor study habits and a distrust of any authority figure.  Most hackers also
combine inherent paranoia and a flair for the romantic -- which is apparent in
the colorful pseudonyms in use throughout the hacker community.

In most cases, however, once hackers reach college age -- or, at minimum, the
age of legal employment -- access to the systems they desire is more readily
available through traditional means, and the need to break a law to learn is
curtailed.

Popular media has contributed greatly to the negative use of the word "hacker."
Any person found abusing a long-distance calling card or other credit card is
referred to as a hacker.  Anyone found to have breached computer security on a
system is likewise referred to as a hacker and heralded as a computer whiz,
despite the fact that even those with the most basic computer literacy can
breach computer security if they put their minds to it.

Although the media would have you believe otherwise, all statistics show that
hackers have never been more than a drop in the bucket when it comes to serious
computer crime.  In fact, hackers are rarely more than a temporary nuisance, if
they are discovered at all.  The real danger lies in the fact that their
methods are easily duplicated by people whose motives are far more sinister.
Text files and other information that hackers write on computer systems can be
used by any would-be corporate spy to help form his plan of attack on a
company.

Given that almost everyone is aware of the existence and capabilities of
hackers -- and aware of how others can go through the doors hackers open -- the
total lack of security in the world's computers is shocking.

Points of entry

The primary problem is poor systems administration.  Users are allowed to
select easily guessed passwords.  Directory permissions are poorly set.  Proper
process accounting is neglected.  Utilities to counter these problems exist for
every operating system, yet they are not widely used.

Many systems administrators are not provided with current information to help
them secure their systems.  There is a terrible lack of communication between
vendors and customers and inside the corporate community as a whole.

Rather than inform everyone of problems when they are discovered, vendors keep
information in secret security databases or channel it to a select few through
electronic-mail lists.  This does little to help the situation, and, in fact,
it only makes matters worse because many hackers have access to these databases
and to archives of the information sent in these mailing lists.

Another major problem in system security comes from telecommunications
equipment.  The various Bell operating companies have long been the targets of
hackers, and many hackers know how to operate both corporate and central office
systems better than the technicians who do so for a living.

Increased use of computer networks has added a whole new dimension of
insecurity.  If a computer is allowed to communicate with another on the same
network, every computer in the link must be impenetrable or the security of all
sites is in jeopardy.  The most stunning examples of this occur on the
Internet.  With such a wide variety of problems and so little information
available to remedy them, the field of computer security consulting is growing
rapidly.  Unfortunately, what companies are buying is a false sense of
security.  The main players seem to be the national accounting firms.  Their
high-cost audits are most often procedural in nature, however, and are rarely
conducted by individuals with enough technical expertise to make
recommendations that will have a real and lasting effect.

Ultimately, it is the responsibility of the systems administrators to ensure
that they have the proper tools to secure their sites against intrusion.
Acquiring the necessary information can be difficult, but if outsiders can get
their hands on this information, so can the people who are paid to do the job.
_______________________________________________________________________________

                               THE GREAT DEBATE

                          Phiber Optik v. Donn Parker

 Cyberpunk Meets Mr. Security                                         June 1992
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 By Jonathan Littman (PC Computing Magazine)(Page 288)

The boy cautiously approached the table and asked the tall, distinguished bald
gentleman in the gray suit if he could join him.  The boy's conference name tag
read Phiber Optik; the gentleman's read Donn Parker.  One was a member of the
Legion of Doom, the infamous sect of teenage hackers charged with fraud,
conspiracy, and illegal computer access in 1990; the other was a legendary
security expert.

The unlikely pair had been brought together by an unusual gathering, the
nation's first Computers, Freedom, and Privacy conference, held in the San
Francisco Bay Area on the last weekend of March 1991.  They were part of an
eclectic mix of G-men, Secret Service agents, prosecutors, privacy advocates,
and hackers who had come to see the other side up close.

Only weeks before, Optik's laptop computer had been seized by state police in
an investigation begun by the Secret Service.  Optik and fellow hackers Acid
Phreak and Scorpion were among the first to come under the scrutiny of the
Secret Service in the days of Operation Sun Devil, a 14-city sweep in the
spring of 1990 that resulted in 42 seized computers, 23,000 confiscated disks,
and four arrests.

The criminal charges brought against Optik and his cohort included illegal
computer access and trading in stolen access codes.  Optik, a juvenile at the
time of his initial questioning, spent a day in jail and was later convicted of
a misdemeanor for theft of services.

Parker knew the story well.  Over the last two decades, the former Lutheran
Sunday school teacher has interviewed dozens of criminals to whom computers
were simply the tools of the trade.  Along the way, he earned a worldwide
reputation as the bald eagle of computer crime.  Parker speaks frequently to
law-enforcement agencies and corporations as a consultant to SRI International,
a leading research and management firm based in Menlo Park, California.  His
books Fighting Computer Crime and Crime by Computer, countless articles, and a
large Justice Department study on computer ethics have established him as the
foremost authority on the hacker psyche.

PARKER: How do you view the ethics of getting into someone's computer system?

OPTIK:  I know what your point of view is because I've read your papers and
        I've listened to you talk.  I know that you think any entry, you know,
        any unauthorized entry, is criminal.

        I can't say I agree with that.  I do agree that anyone who's an
        impressionable teenager, who's on the scene and wants to break into as
        many computers as is humanly possible to prove a point, has the
        potential to do damage, because they're juveniles and have no idea what
        they're doing, and they're messing around in places that they have no
        business being.

        At the time, I was 17 years old and still a minor.  There was no way I
        was going to be able to buy a Unix, a VAX, my own switching system.
        These are the things I'm interested in learning how to program.  It
        would not have been possible to access this type of computer
        development environment had I not learned how to break into systems.
        That's the way I see it.

PARKER: What are you doing at this conference?  What's your purpose?

OPTIK:  Basically I want to be exposed to as many people as possible and hear
        as many people's views as I can.

PARKER: What's your ultimate purpose then -- what would you like to do as far
        as a career?  Do you think this is a way for you to get into a career?

OPTIK:  Well, of course, I hope to enter the computer industry.  Just by being
        here, I hope to talk to people like you, the many people who are
        professionals in the field, hear their views, have them hear my views.

        See, the thing I regret the most is that there is this communication
        gap, a lack of dialogue between people who proclaim themselves to be
        hackers and people who are computer professionals.  I think if there
        were a better dialogue among the more respectable type of hackers and
        the computer professionals, then it would be a lot more productive.

PARKER: How do you tell the difference between a more responsible type of
        hacker? 

OPTIK:  I realize that it's a very big problem.  I can see that it's pretty
        impossible to tell, and I can clearly understand how you come to the
        conclusions that you initially state in your paper about how hackers
        have been known to cheat, lie, and exaggerate.  I experienced that
        firsthand all the time.  I mean, these people are generally like that.
        Just keep in mind that a large number of them aren't really hardcore
        hackers -- they're impressionable teenagers hanging out.  It's just that
        the medium they're using to hang out is computers.

        I don't consider myself part of that crowd at all.  I got into
        computers early on. Like when I was entering junior high school.  I was
        really young, it must have been preteen years.  I'm talking about 12 or
        13 years old when I got a computer for Christmas.

        I didn't immediately go online.  I'm not one of these kids today that
        get a Commodore 64 with a modem for Christmas because they got good
        grades on their report card.  The reason I would have called myself a
        hacker is, I was hacking in the sense of exploring the world inside my
        computer, as far as assembly language, machine language, electronics
        tinkering, and things of that nature.  That truly interested me.

        The whole social online thing I could really do without because that's
        where these ideas come from.  You know, this whole negative, this bad
        aftertaste I get in my mouth when I hear people put down the whole
        hacking scene.  It's because of what they're hearing, and the reason
        they're hearing this is because of the more outspoken people in this
        "computer underground" and the twisted coverage in the media, which is
        using this whole big hype to sell papers.

        And the people who are paying the price for it are people like me; and
        the people who are getting a twisted view of things are the
        professionals, because they're only hearing the most vocal people.
        It's another reason why I'm here, to represent people like myself, who
        want other people to know there are such things as respectable hackers.
        You know hacking goes beyond impressionable young teenage delinquents.

PARKER: How would you define hacking?

OPTIK:  It's this overall wanting to understand technology, to be able to
        communicate with a machine on a very low level, to be able to program
        it.  Like when I come upon a computer, it's like my brain wants to talk
        to its microprocessor.  That's basically my philosophy.

PARKER: And does it matter to you who actually owns the computer?

OPTIK:  Usually it does.  Oh, at first it didn't matter.  The mere fact of
        getting into Unix, and learning Unix, was important enough to warrant
        me wanting to be on the system.  Not because of information that was in
        there. I really don't care what the information is.

        You know there's that whole Cyberpunk genre that believes information
        should be free.  I believe in computer privacy wholly.  I mean if
        someone wants something to be private, by all means let it be private.
        I mean, information is not meant for everyone to see if you design it
        as being private.  That's why there is such a thing as security.

        If someone wants to keep something private, I'm not going to try to
        read it.  It doesn't interest me. I couldn't care less what people are
        saying to each other on electronic mail.  I'm there because I'm
        interested in the hardware.

PARKER: How is anyone else going to know that you're not interested in reading
        their private mail?

OPTIK:  That's a problem I have to deal with.  There's not a real solution in
        the same way that there's no way that you're really going to be able
        to tell whether someone's malicious or not.  Hackers do brag, cheat,
        and exaggerate.  They might tell you one thing and then stab you in the
        back and say something else.

PARKER: I've interviewed over 120 so-called computer criminals.

OPTIK:  Right.

PARKER: I've interviewed a lot of hackers, and I've also interviewed a lot of
        people engaged in all kinds of white-collar crime.

OPTIK:  Yeah.

PARKER: And it seems to me that the people I have talked with that have been
        convicted of malicious hacking and have overcome and outgrown that
        whole thing have gone into legitimate systems programming jobs where
        there is great challenge, and they're very successful.  They are not
        engaged in malicious hacking or criminal activity, and they're making a
        career for themselves in technology that they love.

OPTIK:  Right.

PARKER: Why couldn't you go that route?  Why couldn't you get your credentials
        by going to school like I did and like everybody else did who functions
        as a professional in the computer field, and get a challenging job in
        computer technology?

OPTIK:  I certainly hope to get a challenging job in computer technology.  But
        I just feel that where I live, and the way the school system is where I
        am, it doesn't cater to my needs of wanting to learn as much about
        technology as fast as I want to learn.

PARKER: Yeah, but one of the things you have to learn, I guess, is patience,
        and you have to be willing to work hard and learn the technology as
        it's presented.

OPTIK:  You know, you just have to remember that by being able to go places
        that people shouldn't, I'm able to learn things about technology that
        schools don't teach.  It's just that programs in local colleges where I
        am, they couldn't even begin to grasp things that I've experienced.

PARKER: OK, so you want instant gratification then.

OPTIK:  It's not so much gratification . . .

PARKER: You're not willing to spend four years in a--

OPTIK:  I certainly am willing to go to college.

PARKER: Uh huh.

OPTIK:  I definitely intend to go to college; I just don't expect to learn very
        much concerning technology. I do expect to learn some things about
        technology I probably didn't know, but I don't expect to be exposed to
        such a diverse amount of technology as in my teenage years.

PARKER: OK, well, I can see impatience and a lack of opportunity to do all
        that stuff very quickly, but--

OPTIK:  I wouldn't go so far as to call it impatience.  I'd call it an
        eagerness to learn.

PARKER: Eagerness to learn can be applied in the establishment process of
        education in all kinds of ways.  You can excel in school.

OPTIK:  I was never Mr. Academia, I can tell you that right off the bat.  I
        don't find much of interest in school.  Usually I make up for it by
        reading technology manuals instead.

PARKER: How are you going to spend four years in school if you've already
        decided you're really not suited to be in school?

OPTIK:  Well, it's not so much school as it is that I feel constrained being in
        high school and having to go through junior high school and high school
        because of the way the educational programs are tailored to like, you
        know --

PARKER: Well, if you hold this direction that you're going right now, you could
        very well end up as a technician repairing equipment, maintaining
        computers, and you could very well end up in a dead-end job.

        In order to break into a higher level of work, you need a ticket, you
        need a degree, you have to prove that you have been able to go to
        school and get acceptable grades.  The route that you're going doesn't
        seem to me to lead to that.

        Now there are some people who have managed to overcome that, OK --
        Geoff Goodfellow.  Steve Wozniak.  But those people are 1 out of
        100,000.  All the other 99,000-odd people are technicians.  They're
        leading reasonable lives, making a reasonable income, but they're not
        doing very big things.  They're keeping equipment running.

OPTIK:  Yeah.

PARKER: And if you have all this curiosity and all this drive and this energy
        (which is what it takes), and you go a route that gets you to a
        position where you can do real, exciting, advanced research . . .  I
        mean, I've talked to a lot of hackers.  I'm thinking of one in
        Washington, D.C., who was convicted of a computer crime.  He went back
        to school, he's got his degree, and he has a very top systems
        programming job.  He said he finally reached a point where he decided
        he had to change the way he was going about this, because the way
        things were going, the future for him was pretty bleak.

        And it seems to me, hopefully, you may come to a realization that to
        do important things, exciting things, ultimately you've got to learn
        the computer-science way of presenting operating systems, and how to
        write programs of a very large, complex nature.

        Have you ever done that, have you ever written a really big computer
        program?

OPTIK:  I've written this . . .

PARKER: There's a discipline involved that has to do with learning how to be an
        engineer.  It takes a tremendous amount of education and discipline.
        And it sounds to me like you lack the discipline.  You want instant
        gratification, you want to be an expert now.  And you end up being an
        expert all right, but in a very narrow range of technology.

        You learn the Novell LAN, you learn some other aspect, you learn about
        a telephone company's switching system.  That doesn't lead to a career
        in designing and developing systems.  That leads to a career in
        maintaining the kind of hardware that you've been hacking.

        And it seems to me you've got to go back and learn the principles.
        What are the basic principles of an operating system?  What are the
        basic principles of access control?  Until you've gone back and learned
        those basics, you're flying by the seat of your pants, and just picking
        up odds and ends of stuff that you can grab quickly.

OPTIK:  I don't see it so much as grabbing things quickly.  I've put a lot of
        time into studying very detailed things.  It's not so much popping in
        and popping out and whatever I find I'm glad I found it.  I do spend a
        lot of time studying manuals and things.

PARKER: Manuals are not going to do it.  All you do in learning a manual is
        learn the current equipment and how it works.  If you studied Donald
        Knuth's volumes on computer science programming and computer sciences,
        you would learn the theory of computer programming, you would learn
        the operating system theory, you would learn the theory that is the
        foundation on which all of these systems are built.

OPTIK:  But that's the thing I guess I don't do. I was never much concerned
        with theory of operation.  I was always concerned with how things work,
        and how I can use them.  Like how to program.  I'll admit I was never
        much into theory.  It never interested me.  Like with what I do --
        theory really doesn't play any role at the present time.  Of course,
        that's subject to change at any time.  I'm rather young . . .

A FRIEND WHISPERED in Optik's ear that it was time to go.  Still locked in
debate, the hacker and the security man left the table and walked together
toward the escalator.  In profile, at the bottom of the moving stairs, they
were an odd couple:  Optik with his shiny, jet black hair, Parker with his
shiny dome.

Parker was speaking calmly, warning Optik that one day hacking wouldn't seem
so boundless, that one day his opportunities wouldn't seem quite so vast.
Optik fidgeted, glancing away.  Conference attendees filed up the escalator.

"I don't want to be a hacker forever," blurted Optik.

The next afternoon the bank of hotel phones was crowded with business people
and conference attendees punching in to get their messages and make their
calls.  There was Optik, wedged between the suits, acoustic coupler slipped
over the phone receiver, a laptop screen flickering before his eyes, his hands
flitting over the keys.

He was still young.