[Update: many of the prominent hackers now work in highly-paid computer security jobs.]
Hackers are scary, aren’t they? What sort of person spends their time fiddling around with long bits of code, raiding telecom company rubbish skips and scribbling over the Department of Defence’s home pages? Still, it keeps them off the streets. And if any of you know how to get free international calls, send me the details immediately. Some of the things hackers claim to have done include: releasing prisoners early from jail; compromising anonymous remailing services; installing fake ATM machines; stealing credit card information; interrupting phone services; obtaining unlisted numbers of celebrities from credit bureau reports by sweet-talking a person at the phone company or tracking down the artist’s manager and looking through their phone records; and hardcore hacking on Iranian computer systems (but, of course, they’re never arrested for doing that). Hackers are also encouraged with huge rewards if they can crack international servers and change corporate Web pages so companies can discover security weaknesses.
But there are still some nasties around. So what if you’re individually attacked by a hacker? Just how much damage can they actually do?
Jonathan Littman (http://www.well.com/user/jlittman/) is a journalist who’s renowned as being respected and trusted by hackers, and used to have regular contact with the world’s most famous hacker, Kevin Mitnick, while he was on the run from the FBI. “I actually wasn’t looking for Kevin Mitnick,” Littman says. “I was chasing up a story about another hacker, Kevin Poulsen, to write a book about him. As I was researching, I met an associate who mentioned he was in touch with Mitnick, who was on the run from the FBI. I’d written a couple of stories about hackers already, including one for the Los Angeles Times, so he knew my reputation. By the second meeting, I’d gained his trust and he said he’d give my details to Mitnick. About a month later I got a call from a woman, late at night, who just said: `Take a walk’ and hung up. I knew this meant I should walk to the nearest payphone, and I was so excited, I ran down to the phone at the library and after a while it rang and it was Kevin Mitnick. It was clear as he talked that he knew what he was on about. He used to get me to move to different payphones during the middle of a conversation. It was pretty exciting. I did have a few technical difficulties – it was hard taking scribbling down notes for hours in the dark. Sometimes the conversations would last for three hours. Once, I was sitting on the cold sidewalk at 2am and I’d been taking notes for ages. A police officer was curious and finally interrupted and asked if I was alright. `Everything’s just fine, officer. Thanks for your help,’ I said. It’s a friendly neighbourhood, and he went away. I told Mitnick about it and he laughed.”
Littman ended up writing a book, The Fugitive Game, that told Mitnick’s side of the story. Now he gets collect calls from hackers, often from prison, and fugitives, during the early hours of the morning. However, after he recently finished a book, The Watchman: The Twisted Life and Crimes of Serial Hacker Kevin Poulsen (Little, Brown), the response wasn’t so positive. Earlier this year on Valentine’s Day, he received a threatening anonymous email, saying: “I promise you will be held accountable and I will dedicate every fiber of my being towards retribution. My actions will be far beyond what you will expect and there will be nothing you can do about it.” Littman’s a middle-aged family man with a young daughter, and has a lot at stake. He also has a Touchstone Pictures movie option on his Poulsen story. “The email was written in the style of a character from the Watchman book, and it was aimed at me, personally,” Littman says. “I’m sure it wasn’t Kevin Poulsen. I sent him a copy of the book before it came out and he said it was very entertaining and he stayed up all night reading it. Later he criticised it, but that doesn’t bother me one bit. I’ve encouraged the people mentioned in it to say what they think. Most of the major characters have publicly vented and I hope others will choose that route too. I have suspicions as to who it might be, but it’s very difficult to connect an attack with a specific person.”
In the meantime, he’s hoping the attacker’s anger will wane. “I just hope it blows over. There were other people mentioned in the story who are `traditional’ criminals and use weapons – they’re the ones I’m concerned about. I’m taking this threat very seriously and have taken some precautions, which I obviously can’t discuss. I think it was intentional that the message was sent on Valentine’s Day.”
For starters, Littman had his Web site taken down, his email blocked and the page that promoted his book removed on several occasions. So what’s all the fuss about? Hacker Kevin Poulsen is a colourful character who, among other hacking activities, rigged radio contests to win two Porsches and used his computer to place wiretaps on phone lines. He was also featured on a national television program, Unsolved Mysteries, as “Dark Dante” and blocked the phone lines so noone could ring in with information.
“At times I’ve been tough on Poulsen and other times very fair,” Littman says. “It’s just that some hackers don’t want you to be tough at all. They want an authorised biography. The fact is that Poulsen did commit some crimes.”
While researching the book, Poulsen called Littman collect from prison over two and a half years. “It’s hard to know the real Kevin Poulsen. He always keeps a certain distance. He never wanted to talk about his hard years in jail. I often asked him about it, but he’d just say: `I played chess today’, or `I played ping pong’. He had a lot of power to watch over anyone – lots of control. He felt he could control the FBI – he was able to watch them as they discussed their plans to catch him. He knew in advance about wiretaps. But he couldn’t control me. At least his objections certify the book’s independent. I spoke to the FBI, prosecutors and fellow criminals, and obviously some of them told me things about Poulsen he wouldn’t have liked.”
Such as Poulsen’s involvement with prostitution. “Many prostitution phone lines had been turned off by the police and he switched them back on and forwarded the details to the pimps and got a bit of money. This was a moral choice for him. The thing is, he’s incredibly gifted and began crossing certain lines and he doesn’t recognise this fact. He took one step at a time and ended up in a place where doing an amusing hack to win a Porsche just seemed like a joke, but it’s a crime.”
Poulsen was sentenced in 1995 to five years in prison for his hacking offences, but was released in January 1997. Littman says he thinks the sentence was “incredibly harsh. You can kill someone and get eight years.”
Being threatened isn’t unusual for Littman. Though he humbly began writing for PC Week and Mac Week during the early 1980s, he had a breakthrough in 1990 with a major hacker story about the creator of the Internet worm, Robert Morris. In 1991, he wrote an expose of Indian gambling and a series of unsolved murders at the Cabazon reservation and he was called up to testify before Congress about what he knew. “That was really scary,” Littman recalls. “There were quite a few people killed, and none of the murders had been accidental. I received a threat and moved out of my apartment. One of the individuals who could have been seeking retribution had already notched up a previous murder conviction. The newspaper offered to put us up in a hotel, but I thought it would be safer staying with relatives. It was a chilling experience, but gave me the confidence to write about hackers.” As for future stories, Littman says he’d like to write about fictional characters. “I may still cover hackers – I think they’re fascinating. As a journalist I’ve enjoyed covering their stories – it’s a challenge and adventure.”
I contacted hacker Kevin Poulsen via snail mail [letter] about the threats against Littman. Poulsen’s phone number is unlisted and he’s banned from using computer equipment during his three years’ probation. He replied with a fax saying it’s “common knowledge who the culprit [harassing Littman] is. It’s just a question of proving it. He is not a friend of mine.” Poulsen is on parole and living with his Mum and Dad. For his humorous viewpoint on the book, look at http://www.catalog.com/kevin. Although he wrote the critique on the Web page (in the form of a question and answer game), he’s not allowed to use the Web himself, so the site was constructed by a friend. As to how far a hacker can go, Poulsen wrote: “It depends largely on the hacker’s resources, both in time and money. Any system can be compromised with enough resources; a computer is secure if the cost of penetrating it surpasses the value of the data or capabilities it can bestow (Poulsen’s Law).” He succinctly told me he survived prison life “one day at a time”. As to his likelihood of contesting the contents of The Watchman, Poulsen says: “Littman’s publishers are protected by the First Amendment. To win a defamation case I’d have to prove that his book damaged my reputation, and that damage caused me financial harm. As an ex-con, it’s unlikely that a jury would find my reputation to have had any value to begin with. In any case, I feel the best way to address something like this is by getting out the truth myself, as I do on my Web site.”
Some of the strict conditions of his three-year parole include:
* His parents had to get rid of a recently purchased IBM-compatible computer before Poulsen could move back in with them, even though they didn’t have a modem.
* Poulsen can never be in possession of computer equipment or software or any form of identification, such as a driver’s licence or social-security card.
* He can’t even be in the same room as a computer and has to find a job with an employer who has no computer equipment on the premises.
* Somehow, he has to earn enough money to pay back $65,000 in restitution within the next three years.
* He asked for permission to retrain and gain a Bachelor’s degree at university, but this request was turned down because there are computers on campus.
And his motive for hacking? As outlined in a letter to the judge hearing his case in 1995, Poulsen says he became fascintated with the telephone network when he was about 12, and “the attraction was almost spiritual”. “To me, a phone line was a connection to something omnipresent and eternal. Exploring a telephone switching center, immersed in the sights and sounds of rooms full of equipment, was a kind of transcendence for me.”
Another high-profile hacking victim is author, Joshua Quittner, of The Netly News (http://netlynews.com) who gave up writing about this subject after he was attacked. He’d co-written a book about the rivalry between a gang of computer hackers called Masters of Deception and the Legion of Doom. On Thanksgiving Day 1996, his phone number was reprogrammed to forward calls to a long-distance phone number and his answering machine message was changed so relatives who rang up were greeted by foul obscenities. “What’s really strange is that my Mum and editor both phoned up and thought nothing about the weird message. They just left messages and hung up,” Quittner says. Then he was mail-bombed and received 7,000 messages daily. The attacker had hacked into three companies’ computers (IBM, Sprint and internet service provider Pipeline), and installed a program that sent off emails every couple of seconds. The messages railed on about “corporate capitalist pigs” turning the Net into an “overflowing cesspool of greed” and was signed by the Internet Liberation Front. It also threatened that hackers would pillage big businesses’ data and cause financial ruin. “The harassment lasted for a year – my home number was repeatedly rerouted – once to a phone-sex number and once to 1-800-EAT-SHIT. I went through half a dozen unlisted numbers and a squad of phone-company security guys with phone taps before the problem disappeared. I won’t even mention the lawsuit. Write another hacker book? I’d rather take on the Scientologists”.
Time magazine senior science editor Philip Elmer-DeWitt, wrote a notorious Time cover story, entitled “Cyberporn”, which triggered hysteria among non-Net users and anger from the online community. He was attacked by the Unamailer, a moniker derived from the Unabomber tag. The Unamailer began a vandalistic campaign after learning how to write a script that automatically subscribed victims to thousands of mailing lists. Many victims had to cancel their email accounts. The problem escalated when accounts such as US President Bill Clinton’s, which has an automated-reply program that answers every incoming email, started sending out millions of form letters to targetted Net users.
Elmer-DeWitt was the first target of two mailbombing attacks within a year. “After the Cyberporn cover, which featured an inaccurate survey, word spread that I was the worst journalist on the Internet,” he explains. “We were hoodwinked. The man who did the survey was a con artist. My reputation was ruined and I really was the most hated man on the Net. I was demonised and it’s hard to write about a beat where everyone hates you.” During the first attack in March, the first sign that something was wrong happened on a Sunday afternoon. “I logged on to check my email address at WELL, which I’ve had for 12 years, and found that someone had enrolled me in a Barry Manilow fan club, a Mercedes-owners discussion group, a Fiji Islands-appreciation society and 103 other Internet mailing lists I’d never heard of. I painstakingly unsubscribed from all 106, only to log on Monday morning and discover I’d been subscribed overnight to 1,700 more.” His file of unread email swelled to 16 megabytes, and was growing by the minute. “I’d never experienced anything like this. The email was pouring in at the rate of four a minute, 240 an hour, 5,760 a day.”
Elmer-DeWitt says he learnt “the hard way” how to clear up his account. “I had to get help from my local Internet Service Provider who unplugged me for a while and I learnt some tricks.”
During the second attack five months later, his AOL account was jammed while he was away on holiday for several weeks. “By the time I’d got back it had been cleared up,” he recalls. “The Unamailer phoned me after the first attack and promised he wouldn’t hit me again, so I was irritated. He then rang back later and apologised.” Now Elmer-DeWitt’s no longer involved in Net writing, as he was moved to the position of senior science editor after the cyberporn furore.
A veteran hacker reporter who has been attacked on innumerable occasions, is Netta Gilboa, 39, the publisher and editor of Gray Areas magazine (http://www.gti.net/grayarea). She was sensationally described in the US media last year as being involved in a “cyberspace Bonnie and Clyde”-style hacking scenario. “Except this Clyde has acne and this Bonnie ain’t no Faye Dunaway,” the press claimed. The case concerned Christopher Schanot, 19, who was accused of causing $500,000 damage when he hacked into computers at Southwestern Bell, Bell Communications Research, Sprint and SRI International. After he graduated from high school as a honours student, Schanot travelled interstate, moved in with Gilboa and worked on the Gray Areas site as a Web page designer. Eventually the FBI arrested him and Gilboa was portrayed, but never charged, as harbouring a fugitive. Schanot was convicted and is now on supervised release. Of course, Gilboa’s phone number is unlisted, she doesn’t return unsolicited calls, and when I sent emails, they bounced back. After a lot of perserverance, and sending off a snail mail letter, I finally made online contact. “Our Compuserve account was destroyed by a Net bomb which involved a hacker subscribing us to over 10,000 newsgroup mailing lists,” Gilboa wrote. “This is our email address for however long it lasts.”
Her continued involvement with hackers is amazing, considering an article she wrote in the Wired Women book published last year (Seal Press) which described her vivid regret at ever having been introduced to the computer underground by a friend. “If I’d had any idea of what I was walking into, I would never have ventured in,” she wrote. When I asked her for an update on this quote, she replied: “I still love and care for some hackers. I treat them as individuals, but there are more bad eggs than good. Today I live with a former hacker I fell in love with on #hack. Virtually everyone who writes about hackers gets screwed by them, often before they’ve had a chance to write a word. It’s interesting how hackers want rights for themselves but wish to silence others, eh?”
She has experienced many forms of harassment. It first began on IRC when she entered the #hack channel. Because people use “handles” (nicknames) on IRC to communicate, newcomers don’t have any idea of who they’re talking to. Also, a hacker can use several different handles during one session. “I’ve had people send me messages privately as a friend and then this same person uses another handle to be cruel to me in public,” Bilboa recalls. “IRC and the Net offer forums where people can be anonymous while obtaining large amounts of info about those who visit honestly, using their real ID. Most of us tell different things to different people, so it’s no surprise that if I wouldn’t talk to someone or tell them something, they would create alternative logins and try again as someone else. Unfortunately it takes a certain amount of net savvy to realise this is being done, so I was `socially engineered’ very easily.” She entered the #hack channel with the handle “grayarea” and her real name visible. Because she was new, other hackers were suspicious she might be an FBI agent, so they read her email and shared it around with other hackers. “The reality is that for all their paranoia about the Feds, 90 per cent or more of them happily inform on their peers when visited by the Feds and never even need to be arrested. Some hackers crave fame and are nice to journalists, but most simply want them gone. They want the right to steal information but they want to keep others from the right to free speech. Sad.”
Then she was locked out from #hack for weeks and “killed” [had her login go dead so she had to keep joining IRC from scratch]. “It’s very easy to lock someone out of a channel. All you need to do is get operator status and change the channel mode to `invite only’. Then they kicked me off the channel and set a ban on the site. People like me who used legal accounts to enter would be out of luck. Real hackers who owned thousands of passwords and sites could simply come back at any time from a new place and with a new name.”
Some of the hackers also tried to get to know Bilboa better. “Most hackers can read your credit card numbers and call in fake authorisations to tie up the credit for a few days but it is very difficult now to actually alter information on your credit report. Still, it is uncomfortable to be taunted by some anonymous person you can’t find who can call you for free at all hours of the night and day and make threats. Where hackers have more power is in turning off your phone, charging fraudulant calls to it and sending your calls elsewhere.
“Another thing hackers can easily do is hack your net accounts and delete incoming mail selectively. This is most annoying and drastically affects my business when people send articles that never arrive or customers email me address changes and get angry that I haven’t processed them. They also forged my email address and sent mail to order things and breakup personal relationships. What boggles my mind is that all of the major computer trade magazines now do subscription renewals by email and simply won’t accept the fact that I’ve been hacked and that I don’t want to do business with them via email. So I get billed for magazines I’ve never ordered. One hacker also subscribed our CompuServe account to over 10,000 internet usegroups, forcing us to close the account, as CompuServe would not help us unsubscribe and the account only stores 100 pieces of mail at a time. This meant there was no way CompuServe could find out which newsgroups we were subscribed to in the first place.”
Hackers stole her trash, looked at her credit reports and teased her about the contents. “They hacked my accounts so all I did and said was watched; they pretended to be salesmen to see if I would give them credit card numbers, to see whom I lived with, what hours I kept, or just hear my voice. They forwarded my phone number and then disconnected it as well as repeatedly putting a `maintenance busy’ signal on my parents’ phone line. I attracted the wrath of a group of phreaks who used the Gray Areas phone number as an example of how to charge your calls to someone else. They hacked my main net account and launched a fake electronic version of Gray Areas.They also set up `bots’ [remotely controlled IRC scripts that make it appear as though you are talking to live users] who befriended me on IRC, while the real users were laughing. They conference-called my answering machine with insults and threats.”
But still she returned to #hack. “I got my teeth kicked in on an hourly basis. One hacker, who works for a large net provider, banned me from the #hack channel, calling me a child molester, prostitute, drug dealer and other lies, and picked a fight with me in real life at a hacker convention. I even cried in public when I spoke at PumpCon 1993 [hackers' convention] and said the harassment had got so bad I might turn to the FBI for help.”
This show of `weakness’ and the threat to `narc’ turned more hackers against her. “Many of my problems have occurred partly because I’m a journalist and a woman. Women have further problems as many hackers hack because they have never had a relationship with a woman or because they prefer not to have one. Some hackers routinely lie to women. There are very few women in the hack scene, and they tend to be girfriends of hackers, journalists or groupies. I was also much older than most of them and in some cases they saw me as part of their rebellion. I was their parents’ age.”
It seems incomprehensible that she kept returning to #hack for more abuse. “I went back despite the actions of some people, because I had many friends and who were fun to speak with and who did *not* harass me. Also, I was gonna be damned if I went and damned if I didn’t. My problems were always worse just after I stopped logging in than when I was there all the time. Plus, this was my job and I felt I needed to understand what I was writing about.”
She says Gray Areas’ magazine sales weren’t markedly increased by stories about hackers. “The most popular piece we ever did was the one on smart drugs, but hackers were probably the second most popular topic.” Gilboa says noone has yet been killed by a hacker, but people should note they often have macho hobbies. “Some are smart enough to realise it’s likely they will end up serving jail time, so they familiarise themselves with keeping in shape, handguns and martial arts. Most hackers have extremely large egos and seek power over others when they hack, so being interested in other things such as collecting guns or bodybuilding seems natural, as these also increase personal power. Many hackers are interested in stocks since wealth is a means of power and they can often obtain insider information about which stocks might increase imminently since they have illegal access to the email of companies which are discussing mergers.
“I am less concerned about my personal security than I once was, as I have learned how to insulate myself from little pests. At this point I am well aware of who most of the skilled hackers are and I have good relationships with quite a few of them. If a hacker picks on me, I can simply tell other hackers I know what has happened. They police themselves fairly well.”
She says most men refuse to teach women how to hack. “This raises interesting problems across the board in the computer field since hackers who don’t get arrested tend to become sysadmins, programmers and credible professionals in the industry. Remember that the founders of Apple made the money to do so by selling illegal phone boxes. Most people who worry about hackers probably don’t realise the Net services they buy are being run by a former hacker.”
==================
How can you avoid data rape and online assaults? Here’s some answers to common questions:
Can hackers get inside my computer, leave nasty messages, steal information and damage my hard drive?
The only computers that can be hacked into are ones that are permanently connected to the Net, 24 hours a day, such as those owned by your Internet Service Provider. But when you use your modem to dial out, this is a closed communication function, and you’re not opening up your computer to a mass invasion.
What should I do if I receive email bombs?
Notify your Internet Service Provider immediately. At worst, you may have to change your email address.
Will vindictive rascals send virus-infected email that will scar my PC forever and ruin my life?
Install an anti-virus package – choose one from your local computer store and buy regular updates.
I want to completely avoid any online harassment. Forever.
Well, there are no guarantees, but for a start there are several precautions you can take:
1. Switch off your computer. Don’t ever turn it on again.
2. Carefully choose your online name. Use your initials when you register an Internet Service Provider (ISP) account and choose a gender-neutral user name. Ask your ISP whether it’s possible to edit your registration file so you can prevent the phone number and address being accessed by a stalker.
3. If you get a depraved message, save it on your hard disk, then report it to your Internet Service Provider and the police. If you’re continually harassed you may have to change your screen name or open a new email account.
4. Use your email program’s kill file – these filter out unwanted messages from a harasser before it arrives in your mailbox.
5. Being online can seem like a very cosseted way of communicating, and before you know it, you’re revealing all sorts of intimate details. Think before you type.
