Approaching Zero, Paul Mungo [good summer reads TXT] 📗

accessing everything from

the main computers regulating the network to mainframes at the Pentagon, air

force, and army installations and research centers. “It was like going through

an electronic road map, trying to get somewhere, without knowing where,” he

says. Pat talks in vague terms about downloading information from the computers

he accessed, but is evasive about what he did with it. He says that some of it

was sold, although what he sold and to whom and for how much remains unclear.

 

It is more likely that selling the data was of secondary concern; he was merely

“fascinated” by the intricacies of the new technology - “This is the information

age,” he says. “Knowing about

computers made me feel more intelligent. Very few people had access to them,

and even fewer understood them.”

 

At about the time that he was first hacking into ARPANET, a new program called

Super Zap appeared which could bypass copy protection on IBM PC-type software.

 

Pat thought that its function mirrored his own activities, so he decided to

call himself Captain Zap.

 

By 1980 Captain Zap was becoming more and more adventurous. He had learned the

dial-ups for the White House computer network, which he accessed regularly over

the next year, and had also dialed directly into the Pentagon. He was going for

prestige hacks.

 

He used to download information from the White House, reams and reams of

computer paper, and bring it home to his wife. “Look what I’ve found!” he would

shout, but she was less interested in what he had found than in the fact he

could get caught. And whatever it was that he had discovered, he himself can’t

remember. “There was all sorts of bullshit,” he says. Some of it was encrypted,

some not, but none of it seems to have been very memorable.

 

There was another use for the White House phone number, however. He would

sometimes call the central operator number—a voice number, not a dial-up—and

in his best bureaucratic style say something like, “This is Mr. McNamara, admin

counsel. I need a secure line to the American embassy in Germany.” He swears

that the operators would patch him through, and that once connected to the

American embassy—on a secure line, from the White House—he could request

another secure line to whatever local number he wanted to call. He claims that

Mr. McNamara was just a name that he had made up, and that whether or not there

was such a person, the operators never turned him down.

 

Captain Zap was a believer in “knowing the lingo”—the lingo being the language

necessary, whether computer-speak, telcospeak, or even bureaucratese—to obtain

information or to persuade people to help you. This practice, known as social

engineering, is a by-product of hacking, simply getting information from

someone by pretending to be someone else.

 

It works like this. Say you need the dial-up for a particular computer. You

call the voice number of the target company and ask to speak to the computer

operator. When you get through, you put on your best telco repairman’s accent

and say, “We’re doing a few repairs on the computer lines in your area. Have

you been having trouble with your terminal?” The answer is invariably yes.

“Yeah, I thought so,” you say. “Look, we need to check the line. Can you start

up your system and run me through it? What’s your dial-up?” And so on. In most

cases the operator will volunteer not only the dial-up, but the log-in and

password as well.

 

Social engineering takes a lot of the hassle out of hacking, And for adolescent

hackers it has an additional attraction: it gives them a chance to put one

over on an adult. Deceiving grown-ups has always been a youthful pastime;

social engineerg demands it.

 

While Captain Zap was hacking the White House and the Pentagon, he was also

putting his skills to a more profitable se—theft. He and his friend, Doctor

Diode, had learned how to rack the sales and invoicing systems of a number of

large comuter companies and equipment wholesalers. The system they had worked

out was surprisingly simple. First they would create dummy corporations by

hacking into a credit agency, listing their company on the register, and giving

it a “triple-A” credit rating—the highest. Then they would hack into a

supplier’s computer and create a real-paper trail: they would connect

themselves to the sales department and cut an order, jump to the accounts

department and “pay” the invoice, then skip over to shipping and write out a

delivery manifest. The delivery address would be a mail drop the address of an

answering service, say, which would also receive all documentation from the

target company. From the supplier’s point of view the paper trail was complete:

they had an order, a paid invoice, and a delivery manifest. The paperwork made

sense. If they checked with the credit agency, they would find that the buyer

had a triple-A credit rating. Of course the company didn’t actually have the

money to cover the equipment it had just delivered, but that wouldn’t be

discovered until they tried to balance their books.

 

The supplies that Captain Zap and his friend ordered included

portable terminals, a Hewlett-Packard computer, peripherals, cameras,

walkie-talkies, and other supplies. According to the authorities, the total

amount of goods stolen in the scam amounted to over $500,000.

 

Pat insists that hacking into the supplier’s computers was simple: “There was

no security,” he says. Using guesswork and knowledge of the default settings,

they could make their way past the log-in and password prompts. For more

recalcitrant computers they rigged up an adapted “war-dialing” system that

would keep pounding at the door with one ID and password combination after the

other until they got in. Even if a computer operator has assiduously removed

default codes, there are still common combinations that people use over and

over. There are said to be just a few of these combinations—such as name and

surname, or company name and department—that, in a large system, someone will

use. Knowing the names of employees and where they work greatly speeds up the

process of hacking. People pick simple combinations for an obvious reason: they

need to remember them. Choosing something completely off-the-wall increases the

chance of forgetting the ID or password just as the prompt is flashing. And

writing them down defeats the object.

 

The surveillance of Captain Zap began in May 1981. Pat knew he was being

watched because he noticed a van with two men in it outside his apartment. By

then his unorthodox buying spree had gone on for almost two years. Though each

“order” was relatively small, the companies that had been robbed had been able

to isolate the accounts that appeared to be paid but for which there was no

corresponding check. Then they called the police.

 

There was a trail of connections the authorities could follow, which led from

the companies that had sold the goods to the mail drops, and from there to Pat

and the others he worked with. The bust came at ten A.M. on July 2, 1981.

Agents from the FBI accompanied by state police from the White Collar Crime

Unit, Bell Security representatives and two military policemen raided Pat’s

parents’ home. The maid answered the door.

 

He lived in one of the wealthiest suburbs of Philadelphia; the homes are

substantial, the residents well established. Pat’s father owned and managed one

of the largest and oldest shipping companies on the East Coast. When the

newspapers carried the story, Pat and his friends would be castigated as

“children of privilege.”

 

The FBI presented Pat’s mother with a thirty-seven-page document. “We have a

search warrant,” they said.

 

“For what?”

 

“For Pat. He’s accused of computer fraud.”

 

His mother looked aghast. “He couldn’t pass mathematics. You’re telling me he’s

a computer genius?”

 

The agents proceeded to tear apart Pat’s room. They packed up alll the computers,

modems, and communications gear they could find. They went through the files,

stuffing them in boxes. When Pat came home that night, he found that all of

his equipment had been taken away.

 

Pat was indicted on September 21 in both Harrisburg, Pennsylvania, and

Washington, D.C., for a number of offenses, including theft of equipment—the

$500,000 worth of computers and supplies—and theft of telephone services. He

was twenty-four years old at the time. In 1981 there was no comprehensive

computerfraud law, so Pat was “shoehorned”—his expression—into the existing

criminal statutes.

 

There are advantages to being a child of privilege. Though Pat’s colleagues

were also arrested (there were five arrests in total, including Pat and Doctor

Diode) and some turned state’s evidence in exchange for a light sentence,

Pat’s father’s money bought him the services of two of Philadelphia’s biggest

law firms. After looking at the evidence, one of the lawyers turned to Pat and

said, “No jury will ever understand what you did and no jury will ever convict

you for ripping off the phone company.”

 

The lawyer’s words were not put to the test. The charges against Pat were

plea-bargained down to a $1,000 fine and two and a half years’ “phone

probation”—meaning that Pat had to

report to his probation officer by calling in. He still finds it ironic that a

convicted phreaker and hacker was required to report in by telephone.

 

In the wake of the Captain Zap case the American authorities quickly woke up to

the threat of computer hacking. By the mid 1980S almost every state had

criminalized “theft by browsing”—that is, hacking into computers to see what’s

there. The first federal law on computer crime, the Computer Fraud and Abuse

Act, was passed in 1986.

 

The contrast between the leniency shown Captain Zap in the U.S. courts for what

was, in the end, hacking for profit, and the judgment given to Nick Whiteley in

England for schoolboyish pranks nine years later is illustrative of the changes

in the authorities’ perception of hacking over the decade. In 1981, when Captain Zap was arrested, his lawyer was probably correct in assuming that no jury

would have understood the prosecution’s case. In 1990, however, Nick was almost

certainly right in saying the courts were determined to throw the book at him.

 

Over the course of a decade, both the authorities’ awareness of hacking and the

technological underground that committed this crime had grown. Hacking—though

probably only dimly understood by most of the public—had become a fashionable

threat, explained in long, analytical newspaper articles and described in

detail by stylish magazines. Computer security experts (and some hackers) were

invited onto TV talk shows to paint the threats to computer security in lurid

terms. The sense of impending technological apocalypse was heightened by a

number of well-publicized hacking cases during the 1980S, of which the best

known was probably the Kevin Mitnick affair.

 

Mitnick was said to be obsessed with computers. In 1979 he and a friend had

successfully hacked into the NORAD (North American Air Defense command)

mainframe in Colorado Springs. Mitnick has since said that they didn’t tamper

with anything, but simply entered the system, looked around, and got out. He

first ran afoul of the law in 1981, when he and three friends were arrested for

stealing technical manuals from the Pacific Telephone Company: he was convicted

and served six months. In 1983 he was caught by the University of Southern

California while trying to hack one of their computers. Later, he was accused

of breaking into a TRW computer (the TRW Credit Information Corporation holds

data on 80 million Americans nationwide). In 1987 he was arrested for stealing

software from a southern California company and sentenced to thirty-six months’

probation.

 

Mitnick belonged to a group of Los Angeles-area hackers called the Roscoe Gang.

 

He and the gang allegedly used PCs to