Approaching Zero, Paul Mungo
- Author: Paul Mungo
the main computers regulating the network to mainframes at the Pentagon, air
force, and army installations and research centers. “It was like going through
an electronic road map, trying to get somewhere, without knowing where,” he
says. Pat talks in vague terms about downloading information from the computers
he accessed, but is evasive about what he did with it. He says that some of it
was sold, although what he sold and to whom and for how much remains unclear.
It is more likely that selling the data was of secondary concern; he was merely
“fascinated” by the intricacies of the new technology - “This is the information
age,” he says. “Knowing about
computers made me feel more intelligent. Very few people had access to them,
and even fewer understood them.”
At about the time that he was first hacking into ARPANET, a new program called
Super Zap appeared which could bypass copy protection on IBM PC-type software.
Pat thought that its function mirrored his own activities, so he decided to
call himself Captain Zap.
By 1980 Captain Zap was becoming more and more adventurous. He had learned the
dial-ups for the White House computer network, which he accessed regularly over
the next year, and had also dialed directly into the Pentagon. He was going for
prestige hacks.
He used to download information from the White House, reams and reams of
computer paper, and bring it home to his wife. “Look what I’ve found!” he would
shout, but she was less interested in what he had found than in the fact he
could get caught. And whatever it was that he had discovered, he himself can’t
remember. “There was all sorts of bullshit,” he says. Some of it was encrypted,
some not, but none of it seems to have been very memorable.
There was another use for the White House phone number, however. He would
sometimes call the central operator number—a voice number, not a dial-up—and
in his best bureaucratic style say something like, “This is Mr. McNamara, admin
counsel. I need a secure line to the American embassy in Germany.” He swears
that the operators would patch him through, and that once connected to the
American embassy—on a secure line, from the White House—he could request
another secure line to whatever local number he wanted to call. He claims that
Mr. McNamara was just a name that he had made up, and that whether or not there
was such a person, the operators never turned him down.
Captain Zap was a believer in “knowing the lingo”—the lingo being the language
necessary, whether computer-speak, telcospeak, or even bureaucratese—to obtain
information or to persuade people to help you. This practice, known as social
engineering, is a by-product of hacking, simply getting information from
someone by pretending to be someone else.
It works like this. Say you need the dial-up for a particular computer. You
call the voice number of the target company and ask to speak to the computer
operator. When you get through, you put on your best telco repairman’s accent
and say, “We’re doing a few repairs on the computer lines in your area. Have
you been having trouble with your terminal?” The answer is invariably yes.
“Yeah, I thought so,” you say. “Look, we need to check the line. Can you start
up your system and run me through it? What’s your dial-up?” And so on. In most
cases the operator will volunteer not only the dial-up, but the log-in and
password as well.
Social engineering takes a lot of the hassle out of hacking. And for adolescent
hackers it has an additional attraction: it gives them a chance to put one
over on an adult. Deceiving grown-ups has always been a youthful pastime;
social engineering demands it.
While Captain Zap was hacking the White House and the Pentagon, he was also
putting his skills to a more profitable use—theft. He and his friend, Doctor
Diode, had learned how to crack the sales and invoicing systems of a number of
large computer companies and equipment wholesalers. The system they had worked
out was surprisingly simple. First they would create dummy corporations by
hacking into a credit agency, listing their company on the register, and giving
it a “triple-A” credit rating—the highest. Then they would hack into a
supplier’s computer and create a real-paper trail: they would connect
themselves to the sales department and cut an order, jump to the accounts
department and “pay” the invoice, then skip over to shipping and write out a
delivery manifest. The delivery address would be a mail drop, the address of an
answering service, say, which would also receive all documentation from the
target company. From the supplier’s point of view the paper trail was complete:
they had an order, a paid invoice, and a delivery manifest. The paperwork made
sense. If they checked with the credit agency, they would find that the buyer
had a triple-A credit rating. Of course the company didn’t actually have the
money to cover the equipment it had just delivered, but that wouldn’t be
discovered until they tried to balance their books.
The supplies that Captain Zap and his friend ordered included
portable terminals, a Hewlett-Packard computer, peripherals, cameras,
walkie-talkies, and other supplies. According to the authorities, the total
amount of goods stolen in the scam amounted to over $500,000.
Pat insists that hacking into the supplier’s computers was simple: “There was
no security,” he says. Using guesswork and knowledge of the default settings,
they could make their way past the log-in and password prompts. For more
recalcitrant computers they rigged up an adapted “war-dialing” system that
would keep pounding at the door with one ID and password combination after the
other until they got in. Even if a computer operator has assiduously removed
default codes, there are still common combinations that people use over and
over. There are said to be just a few of these combinations—such as name and
surname, or company name and department—that, in a large system, someone will
use. Knowing the names of employees and where they work greatly speeds up the
process of hacking. People pick simple combinations for an obvious reason: they
need to remember them. Choosing something completely off-the-wall increases the
chance of forgetting the ID or password just as the prompt is flashing. And
writing them down defeats the object.
The surveillance of Captain Zap began in May 1981. Pat knew he was being
watched because he noticed a van with two men in it outside his apartment. By
then his unorthodox buying spree had gone on for almost two years. Though each
“order” was relatively small, the companies that had been robbed had been able
to isolate the accounts that appeared to be paid but for which there was no
corresponding check. Then they called the police.
There was a trail of connections the authorities could follow, which led from
the companies that had sold the goods to the mail drops, and from there to Pat
and the others he worked with. The bust came at ten A.M. on July 2, 1981.
Agents from the FBI accompanied by state police from the White Collar Crime
Unit, Bell Security representatives and two military policemen raided Pat’s
parents’ home. The maid answered the door.
He lived in one of the wealthiest suburbs of Philadelphia; the homes are
substantial, the residents well established. Pat’s father owned and managed one
of the largest and oldest shipping companies on the East Coast. When the
newspapers carried the story, Pat and his friends would be castigated as
“children of privilege.”
The FBI presented Pat’s mother with a thirty-seven-page document. “We have a
search warrant,” they said.
“For what?”
“For Pat. He’s accused of computer fraud.”
His mother looked aghast. “He couldn’t pass mathematics. You’re telling me he’s
a computer genius?”
The agents proceeded to tear apart Pat’s room. They packed up all the computers,
modems, and communications gear they could find. They went through the files,
stuffing them in boxes. When Pat came home that night, he found that all of
his equipment had been taken away.
Pat was indicted on September 21 in both Harrisburg, Pennsylvania, and
Washington, D.C., for a number of offenses, including theft of equipment—the
$500,000 worth of computers and supplies—and theft of telephone services. He
was twenty-four years old at the time. In 1981 there was no comprehensive
computer-fraud law, so Pat was “shoehorned”—his expression—into the existing
criminal statutes.
There are advantages to being a child of privilege. Though Pat’s colleagues
were also arrested (there were five arrests in total, including Pat and Doctor
Diode) and some turned state’s evidence in exchange for a light sentence,
Pat’s father’s money bought him the services of two of Philadelphia’s biggest
law firms. After looking at the evidence, one of the lawyers turned to Pat and
said, “No jury will ever understand what you did and no jury will ever convict
you for ripping off the phone company.”
The lawyer’s words were not put to the test. The charges against Pat were
plea-bargained down to a $1,000 fine and two and a half years’ “phone
probation”—meaning that Pat had to
report to his probation officer by calling in. He still finds it ironic that a
convicted phreaker and hacker was required to report in by telephone.
In the wake of the Captain Zap case the American authorities quickly woke up to
the threat of computer hacking. By the mid-1980s almost every state had
criminalized “theft by browsing”—that is, hacking into computers to see what’s
there. The first federal law on computer crime, the Computer Fraud and Abuse
Act, was passed in 1986.
The contrast between the leniency shown Captain Zap in the U.S. courts for what
was, in the end, hacking for profit, and the judgment given to Nick Whiteley in
England for schoolboyish pranks nine years later is illustrative of the changes
in the authorities’ perception of hacking over the decade. In 1981, when Captain Zap was arrested, his lawyer was probably correct in assuming that no jury
would have understood the prosecution’s case. In 1990, however, Nick was almost
certainly right in saying the courts were determined to throw the book at him.
Over the course of a decade, both the authorities’ awareness of hacking and the
technological underground that committed this crime had grown. Hacking—though
probably only dimly understood by most of the public—had become a fashionable
threat, explained in long, analytical newspaper articles and described in
detail by stylish magazines. Computer security experts (and some hackers) were
invited onto TV talk shows to paint the threats to computer security in lurid
terms. The sense of impending technological apocalypse was heightened by a
number of well-publicized hacking cases during the 1980s, of which the best
known was probably the Kevin Mitnick affair.
Mitnick was said to be obsessed with computers. In 1979 he and a friend had
successfully hacked into the NORAD (North American Air Defense command)
mainframe in Colorado Springs. Mitnick has since said that they didn’t tamper
with anything, but simply entered the system, looked around, and got out. He
first ran afoul of the law in 1981, when he and three friends were arrested for
stealing technical manuals from the Pacific Telephone Company: he was convicted
and served six months. In 1983 he was caught by the University of Southern
California while trying to hack one of their computers. Later, he was accused
of breaking into a TRW computer (the TRW Credit Information Corporation holds
data on 80 million Americans nationwide). In 1987 he was arrested for stealing
software from a southern California company and sentenced to thirty-six months’
probation.
Mitnick belonged to a group of Los Angeles-area hackers called the Roscoe Gang.
He and the gang allegedly used PCs to