Approaching Zero, Paul Mungo [good summer reads TXT] 📗

switches in Florida. In the first incident, on June 16th, an intruder had

hacked into the switch and rerouted calls for the city offices of Miramar,

Florida, to a long-distance information number. On the next day the same hacker

(or so it was assumed) had also rerouted calls intended for the Delray Beach

probation office. This time the hacker demonstrated an impish sense of humor:

callers to the probation office instead found themselves connected to a

Dial-a-Porn service in New York State.

As a result of the two incidents, BellSouth had stepped up the monitoring of

its switches. On June 21st, security agents were told that the monitors had

detected a hacker loose in one of its computers.

The carrier put a trace on the call, following it back through a series of

loops around the country. The hacker had tried to disguise his entry point into

the system by first dialing into his local exchange, jumping to a connected

switch on another network, then skipping from there to yet another network, and

so on. Each time a loop was made through a network, it had to be traced to the

entry switch. But the precautions must have given the hacker a false sense of

security, because he stayed in the system too long, allowing the trace to be

followed all the way through, from network to network, right back to a phone

number in Indiana.

BellSouth passed the number they had traced on to Bellcore, which began

monitoring all outgoing and incoming calls. The telephone company agents had

discovered a hard-core hacker: they watched as their target looped calls around

the country, from system to system; they recorded him breaking into a credit

agency computer in Delaware belonging to CSA; and they listened as he had money

wired to Paducah, Kentucky, on a credit card number.

Their target, of course, was Fry Guy, the fifteen-year-old Indiana hacker who

had spent months perfecting his credit card scam.

With evidence that the young hacker was committing fraud, the telco agents

turned the details over to the Secret Service, which included him on the

Atlanta Three’s DNR request. The inclusion was mostly a matter of convenience,

but the agents had noted a geographic coincidence that intrigued them: Fry Guy

lived in Indiana, as did the recipient of the anonymous telephone call warning

of the computer bombs in the switches; Fry Guy also knew his way around

BellSouth, where one of the bombs had been planted—indeed, other hackers

regarded it as his “sphere of influence.”

In mid-July the Secret Service recorded Fry Guy charging $500 to a stolen

credit card number. With that piece of evidence (previous telco monitors had

not been court-approved and therefore could not be used as evidence), the

Secret Service was also able to include Fry Guy in the Atlanta Three search

warrant.

The house in Elmwood, Indiana, was raided the same day the three addresses in

Atlanta were busted. Fry Guy awoke from his summer-long haze to find that he

was suspected of the two Florida incidents, the anonymous telephone call to

Indiana Bell’s security manager, planting the computer bombs, and credit card

fraud.

Hackers are often victims of their own hype. The LoD was the principal target

of the crackdown because it promoted itself as the biggest and meanest gang in

Cyberspace—and because the authorities believed them.

The computer underworld is a hall of mirrors. Reality becomes bent, the truth

shrunken. The authorities who organized Operation Sundevil and its related

investigations believed they were dealing with a nationwide conspiracy

involving $50 million in telecommunications fraud alone. And that, they said,

was only the tip of the iceberg.

What they got in the end, notwithstanding the Atlanta Three’s guilty pleas,

were some relatively minor convictions. After the barrage of criticism from

John Perry Barlow’s Electronic Frontier Foundation, the investigators began to

pull back. The Phoenix officials, such as Gail Thackeray, are now keen to

distance both themselves and Operation Sundevil from the other antihacker

actions that year. The wilder suggestions—that the AT&T incident had been

caused by Acid Phreak; that hackers were looting banks; that hospital records

were being altered, and patients put at risk—have been dropped. The word

conspiracy is used less and less, and the computer bombs, the specific

catalyst for the whole crackdown, have been quietly forgotten. No one has been

officially charged with planting the bombs, and it is unlikely that anyone ever

will be. Everyone in the underworld’s hall of mirrors claims to know who did

it, but they all finger different people.

As for Fry Guy, he denies any responsibility for the bombs: “They’re just

pointless destruction. I can’t understand why anyone would do it. I’m not

malicious or destructive: I only do things for gain.”

That was Fry Guy’s downfall: he operated for gain. When he was raided, the

Secret Service found more than a hundred “access devices” in his possession—

credit card numbers and telephone calling cards. He could never be charged with

planting the bombs, and no one was able to pin the Florida incidents on him,

but he was caught red-handed on the credit card fraud. Following his arrest, it

was estimated that his little scam had netted him $6,000 that year. He is now

on probation, his equipment confiscated, but if you ask him why he hacked, he

still sighs: “It’s the greatest thing in the world.”

New technology requires new approaches. The reactions of the authorities to the

computer underworld show a dependence on old ideas. Hacking becomes “breaking

and entering”; role-playing games become “conspiracies”; exploration becomes

“espionage.” The dated terms obliterate the difference between the “bad”

hackers and the “good” hackers.

And there is a difference. Society might tolerate some activities of the

computer underground. Hackers are mostly explorers exercising intellectual

curiosity. Undoubtedly, they will break into computers, sometimes causing

ancillary damage or taking up system time, and they probably will exploit the

telecom systems to do so. But their intent, for the most part, is not

malicious.

On the other hand, the black arts of virus writing or hacking to steal money

are unjustifiable. Virus writers are electronic vandals; hackers who rob are

high-tech thieves.

The difference between the good and the bad is often blurred. The distinction

is one of motive: the malicious and the criminal should be viewed differently

from the merely clever or curious.

Someday it may be possible to get a clearer picture of what the activities of

the computer underground actually cost industry and telecom companies. Present

estimates vary so widely as to be worthless. Figures seem to be plucked from

the air: it is utterly impossible to verify whether the true cost in the United

States is around $550 million each year (the Computerworld estimate), or

whether total losses could actually amount to as much as $5 billion (as was

estimated at a security conference in 1991). These exaggerations are compounded

by the hackers themselves—who are only too willing to embellish their

accomplishments. With both sides expounding fanciful stories and ever wilder

claims, truth is lost in the telling.

What is ironic is that the activities of the hackers are leading to a situation

they would decry. Security managers have a clear responsibility to protect

their sites from electronic intrusion. As hackers become bolder, security is

becoming tightened, threatening the very “freedom of information” that hacking,

in its benign form, is said to promote.

Hackers are an engaging bunch, even the “bad” ones: bright, curious,

technically gifted, passionate, prone to harmless boasting, and more than a

little obsessed. They are usually creative, probing, and impatient with rules

and restrictions. In character, they closely resemble the first-generation

hackers.

Computing has always gained from the activities of those who look beyond what

is there, to think of what there might be. The final irony for the computer

industry is that the hackers who are being shut out today will be the

programmers, managers, and even security experts of tomorrow.