💾 Archived View for aphrack.org › issues › phrack32 › 7.gmi captured on 2021-12-03 at 14:04:38. Gemini links have been rewritten to link to archived content

View Raw

More Information

-=-=-=-=-=-=-

                              ==Phrack Classic==

                     Volume Three, Issue 32, File #7 of 12


13th Annual National Computer Security Conference
October 1-4, 1990
Omni Shoreham Hotel
Washington, D.C.
A "Knight Lightning" Perspective
by Craig M. Neidorf

Dr. Dorothy Denning first hinted at inviting me to take part on her panel
"Hackers:  Who Are They?" in May 1990 when we first came into contact while
preparing for my trial.  At the time I did not feel that it was a very good
idea since no one knew what would happen to me over the next few months.  At
the conclusion of my trial I agreed to participate and surprisingly, my
attorney, Sheldon Zenner (of Katten, Muchin, & Zavis), accepted an invitation
to speak as well.

A few weeks later there was some dissension to the idea of having me appear at
the conference from some professionals in the field of computer security.  They
felt that my presence at such a conference undermined what they stood for and
would be observed by computer "hackers" as a reward of sorts for my notoriety
in the hacker community.  Fortunately Dr. Denning stuck to her personal values
and did not exclude me from speaking.

Unlike Gordon Meyer, I was unable to attend Dr. Denning's presentation
"Concerning Hackers Who Break Into Computer Systems" and the ethics sessions,
although I was informed upon my arrival of the intense interest from the
conference participants and the reactions to my now very well known article
announcing the "Phoenix Project."

Not wishing to miss any more class than absolutely necessary, I arrived in
Washington D.C. late in the day on Wednesday, October 4th.  By some bizarre
coincidence I ended up on the same flight with Sheldon Zenner.

I had attended similar conventions before such as the Zeta Beta Tau National
Convention in Baltimore the previous year, but there was something different
about this one.  I suppose considering what I have been through it was only
natural for me to be a little uneasy when surrounded by computer security
professionals, but oddly enough this feeling soon passed as I began to
encounter friends both old and new.

Zenner and I met up with Dorothy and Peter Denning and soon after I met Terry
Gross, an attorney hired by the Electronic Frontier Foundation who had helped
with my case in reference to the First Amendment issues.  Emmanuel Goldstein,
editor of 2600 Magazine and probably the chief person responsible for spreading
the news and concern about my indictment last Spring, and Frank Drake, editor
of W.O.R.M. showed up.  I had met Drake once before.  Finally I ran into Gordon
Meyer.

So for a while we all exchanged stories about different events surrounding our
lives and how things had changed over the years only to be interrupted once by
a odd gentleman from Germany who inquired if we were members of the Chaos
Computer Club.  At the banquet that evening, I was introduced to Peter Neumann
(who among many other things is the moderator of the Internet Digest known as
"RISKS") and Marc Rotenberg (Computer Professionals for Social Responsibility).

Because of the great interest in the ethics sessions and comments I had heard
from people who had attended, I felt a strange irony come into play.  I've
hosted and attended numerous "hacker" conventions over the years, the most
notable being "SummerCon".  At these conventions one of the main time consuming
activities has always been to play detective and attempt to solve the mystery
of which one of the guests or other people at the hotel were there to spy on us
(whether they were government agents or some other form of security personnel).

So where at SummerCon the youthful hackers were all racing around looking for
the "feds," at the NCSC I wondered if the security professionals were reacting
in an inverse capacity... Who Are The Hackers?  Despite this attitude or maybe
because of it, I and the other panelists, wore our nametags proudly with a
feeling of excitement surrounding us.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

October 4, 1990

Dorothy Denning had gathered the speakers for an early morning brunch and I
finally got a chance to meet Katie Hafner in person.  The panelists discussed
some possibilities of discussion questions to start off the presentation and
before I knew it, it was time to meet the public.

As we gathered in the front of the conference room, I was dismayed to find that
the people in charge of the setting up the nameboards (that would sit in front
of each panelist) had attended the Cook school of spelling and labeled me as
"Neirdorf."  Zenner thought this was hysterical.  Luckily they were able to
correct the error before we began.

                            Hackers:  Who Are They?

Dr. Denning started the presentation by briefly introducing each panelist and
asking them a couple of questions.

Katie Hafner disputed the notion that her work has caused a glorification
of hacking because of the severe hardships the people she interviewed had to
endure.  I found myself sympathizing with her as I knew what it was like to
be in their positions.  Many people commented later that her defense of Mitnick
seemed a little insincere as he had indeed committed some serious acts.  Not
knowing all of the details surrounding Mitnick's case and not relying on the
general newsmedia as a basis for opinion I withheld any sort of judgment.

Emmanuel Goldstein and Frank Drake appeared to take on the mantle of being the
spokespersons for the hackers, although I'm unsure if they would agree with
this characterization.  Drake's main point of view dealt with the idea that
young hackers seek to be able to use resources that they are otherwise excluded
from.  He claimed to once have been a system intruder, but now that he is in
college and has ample computing resources available to him, he no longer sees a
need to "hack."

Goldstein on the other hand sought to justify hacking as being beneficial to
society because the hackers are finding security holes and alerting security to
fix these problems before something catastrophic occurs.

Gordon Meyer tried to explain the hacker mind-set and how the average hackers
does not see using corporate resources as having a real financial burden to
today's companies.  Some people misunderstood his remarks to be speaking from a
factual position and took offense, stating that the costs are great indeed.
He also explained the differences between Phrack and the Computer Underground
Digest.  Most notable is that CuD does not print tutorials about computer
systems.

Sheldon Zenner focused on the freedom of the speech and press issues.  He also
spoke about technical details of the U.S. v. Neidorf case and the court rulings
that resulted from it.  One major point of interest was his quite reasonable
belief that the courts will soon be holding companies financially liable for
damages that may occur because of illegal intrusion into their systems.  This
was not to suggest that a criminal defense strategy could be that a company did
not do enough to keep an intruder out, but instead that the company could be
held civilly liable by outside parties.

Zenner and Denning alike discussed the nature of Phrack's articles.  They found
that the articles appearing in Phrack contained the same types of material
found publicly in other computer and security magazines, but with one
significant difference.  The tone of the articles.  An article named "How to
Hack Unix" in Phrack usually contained very similar information to an article
you might see in Communications of the ACM only to be named "Securing Unix
Systems."  But the differences were more extreme than just the titles.  Some
articles in Phrack seemed to suggest exploiting security holes while the
Communications of the ACM concentrated more on fixing the problem.  The
information in both articles would be comparable, but the audiences reading and
writing these articles were often very different.

I explained the concept and operation of Phrack and wandered into a discussion
about lack of privacy concerning electronic mail on the Internet from
government officials, system managers, and possibly even by hackers.  I went on
to remark that the security professionals were missing the point and the
problem.  The college and high-school students while perhaps doing some
exploration and causing some slight disturbances are not the place to be
focusing their efforts.  The real danger comes from career criminals and
company insiders who know the systems very well from being a part of it.  These
people are the source of computer crime in this country and are the ones who
need to be dealt with.  Catching a teenage hacker may be an easier task, but
ultimately will change nothing.  To this point I agreed that a hacker gaining
entry and exposing holes on computer systems may be a service to some degree,
but unlike Goldstein, I could not maintain that such activity should bring
prosecutorial immunity to the hacker. This is a matter of discretion for
security personnel and prosecutors to take into consideration.  I hope they do.

To a large degree I was rather silent on stage.  Perhaps because I was cut off
more than once or maybe even a little stagefright, but largely because many of
the questions posed by the audience were wrong on their face for me to answer.
I was not going to stand and defend hacking for its own sake nor was I there to
explain the activities of every hacker in existence.

So I let Goldstein and Drake handle questions geared to be answered by a system
intruder and I primarily only spoke out concerning the First Amendment and
Phrack distribution.  In one instance a man upset both by Drake's comments
about how the hackers just want to use resources they can't get elsewhere and
by Goldstein's presentation of the Operation Sun-Devil raids and the attack on
"Zod" in New York spoke up and accused us of being viciously one sided.

He said that none of us (and he singled me out specifically) look to be age 14
(he said he could believe I was 18) and that "our" statement that its ok for
hackers to gain access to systems simply because they lacked the resources
elsewhere meant it was ok for kids to steal money to buy drugs.

I responded by asking him if he was suggesting that if these "kids" were rich
and did not steal the money, it would be ok to purchase drugs?  I was sure that
it was just a bad analogy so I changed the topic afterwards.  He was right to a
certain extent, all of the hackers are not age 14 or even in highschool or
college, but is this really all that important of a distinction?

The activities of the Secret Service agents and other law enforcement officials
in Operation Sun-Devil and other investigations have been overwhelming and very
careless.  True this is just their standard way of doing business and they may
not have even singled out the hackers as a group to focus excess zeal, but
recognizing that the hackers are in a worst case scenario "white-collar
offenders," shouldn't they alter their technique?  Something that might be
important to make clear is that in truth my indictment and the indictments on
members of the Legion of Doom in Atlanta had absolutely nothing to do with
Operation Sun-Devil despite the general media creation.

Another interesting point that was brought out at the convention was that there
was so much activity and the Secret Service kept so busy in the state of
Arizona (possibly by some state official) concerning the hacker "problem" that
perhaps this is the reason the government did not catch on to the great Savings
& Loan multi-Billion dollar loss.

One gentleman spoke about his son being in a hospital where all his treatments
were being run by computer.  He added that a system intruder might quite by
accident disrupt the system inadvertently endangering his son's life.  Isn't
this bad?  Obviously yes it is bad, but what was worse is that a critical
hospital computer system would be hooked up to a phoneline anyway.  The main
reason for treatment in a hospital is so that the doctors are *there* to
monitor and assist patients.  Could you imagine a doctor dialing in from home
with a modem to make his rounds?

There was some discussion about an editor's responsibility to inform
corporations if a hacker were to drop off material that he/she had breached
their security.  I was not entirely in opposition to the idea, but the way I
would propose to do it was probably in the pages of a news article.  This may
seem a little roundabout, but when you stop and consider all of the private
security consultants out there, they do not run around providing information to
corporations for free.  They charge enormous fees for their services.  There
are some organizations that do perform services for free (CERT comes to mind),
but that is the reason they were established and they receive funding from the
government which allows them to be more generous.

It is my belief that if a hacker were to give me some tips about security holes
and I in turn reported this information to a potential victim corporation, the
corporation would be more concerned with how and from whom I got the
information than with fixing the problem.

One of the government's expert witnesses from U.S. v. Neidorf attended this
session and he prodded Zenner and I with questions about the First Amendment
that were not made clear from the trial.  Zenner did an excellent job of
clarifying the issues and presenting the truth where this Bellcore employee
sought to show us in a poor light.

During the commentary on the First Amendment, Hafner, Zenner, and I discussed a
July 22, 1988 article containing a Pacific Bell telephone document copied by a
hacker and sent to John Markoff that appeared on the front page of the New York
Times.  A member of the audience said that this was ok, but the Phrack article
containing the E911 material was not because Phrack was only sent to hackers.
Zenner went on to explain that this was far from true since private security,
government employees, legal scholars, reporters, and telecom security personnel
all received Phrack without discrimination.  There really is a lot that both
the hackers and security professionals have to learn about each other.

It began to get late and we were forced to end our session.  I guess what
surprised me the most were all of the people that stayed behind to speak with
us.  There were representatives from NASA, U.S. Sprint, Ford Aerospace, the
Department of Defense, a United States Army Lt. Colonel who all thanked us
for coming to speak.  It was a truly unique experience in that a year ago I
would have presumed these people to be fighting against me and now it seems
that they are reasonable, decent people, with an interest in trying to learn
and help end the problems.  I also met Mrs. Gail Meyer for the first time in
person as well.

I was swamped with people asking me how they could get Phrack and for the most
part I referred them to Gordon Meyer and CuD (and the CuD ftp).  Just before we
went to lunch I met Donn Parker and Art Brodsky, an editor from Communications
Daily.  So many interesting people to speak with and so little time.  I spent a
couple hours at the National Gallery of Art with Emmanuel Goldstein, flew back
to St. Louis, and returned to school.

It was definitely an enLightening experience.

++++++++++++++++++++++++++++++

A very special thank you goes to Dorothy Denning, a dear friend who made it
possible for me to attend the conference.

:Craig M. Neidorf a/k/a Knight Lightning

 C483307 @ UMCVMB.MISSOURI.EDU
 C483307 @ UMCVMB.BITNET
_______________________________________________________________________________