Thursday 15 December 2011

Hacker Security: How To Keep From Getting Caught

Hacking is fun. Hell, it's exhilarating. But it's also illegal, sometimes immoral, and usually punishable. Even if what you're doing is perfectly innocent you'll be hard pressed to find an acceptable excuse for it in court. The very least that might happen is the security holes you utilized the first time around might get patched up.

More serious punishments inflicted by the courts can include community service, fines and even prison, as we've seen. Informal punishments include the unofficial destruction of your equipment by law enforcement officers, and being blacklisted from tech-related jobs.

Consequently, the prudent hacker has two goals in mind while hacking. Number one: don't get caught. Number two: if you do, don't make it count. This chapter will present strategies the careful hacker will follow to ensure both situations are true.

Hacking - to use one's curiosity about computers to push them beyond their limits - involves not just technical knowledge but also the hacker's mindset. Part of the mindset must deal with keeping oneself safe, or else the rest of it has been all for naught. Accordingly, the strategies here should not just be known rotely and followed, but expanded upon to apply to new situations. Remember, there have been many computer criminals who've been sent to prison. True, some have even hacked while in prison. Some even learned to hack in prison. But you don't want to go to prison. So when you're on-line, in public, in private, or just living through your life, make sure you apply these guidelines.



In Researching

There may be local ordinances in your area forbidding machines or people to continuously dial up numbers and disconnect, as with an autodialer program which searches for dial-in lines. If you make the calls yourself it's better to say a simple, "Sorry, wrong number," than just hanging up and annoying all those people.
Remember the "pers-pros" rule: The more people you get angry at you, the more likely it is you'll be persecuted, and the more likely it is you'll be prosecuted.



In Social Engineering

Some social engineering and most reverse engineering requires authorized user contact over the telephone or through the mail. This is obviously risky since you are giving out your address or telephone number to people whom you are about to defraud. Hackers have utilized several ingenious methods to overcome this problem.

Once I found a small business with a technical-sounding name that would be closed for a few weeks over the summer. By doing some hacking, some research, and rubbing my lucky rabbit's foot I was able to come up with the code that released messages left on their answering machine. That gave me a way to have people contact me without them knowing who I was.

I put up some phony advertising for a computer network, instructing people to call and leave their name and vital data. I could call up the machine whenever I wanted, punch in the magic code and listen to those messages. When the store reopened, I called them up, saying I was from the phone company. I told the store owner that some lines got crossed, so they might get some weird calls.

Some hackers will simply change a pay phone to residential status and work out of there.

In order to work a social engineer through the mails, you could rent a private mail box or mail drop. One hacker found a cheaper solution. He noticed that the P.O. Box underneath his in the college mail room was always empty. Apparently it was unassigned. The mailboxes are open in the back so workers can stuff the mail into them. This hacker took an unbent clothes hanger and a metal clip, fashioned them together into a grabber that he could slide into his box and go fishing into the mailbox below his. Later I showed him how to determine the combination of the box, so he wouldn't have to do all that. For a long while the box remained unused, and he was able to get all the secret mail he wanted sent there.


Dialing In

"If you don't want it known, don't use the phone."
- Nelson Rockefeller

When you're new it may be okay to dial up remote computers from your house, but once you've been around a while you'll never know if your phone is being tapped or your computer usage being monitored. So when you're past your hacking childhood, make sure to never make an illicit call from your own house, or from any number that can be traced to you.

Even when you are new to hacking, you could be in trouble. Imagine if you become a regular on the TECHRIME-USA BBS, right about the time an FBI officer is planning to bust the sysops for conducting illegal business on their board! You don't want to get involved with that, especially if you haven't done anything illegal. Even scarier than that are semi-reliable rumors which have been circulating through branches of the technical underground which imply that the phone companies routinely monitor and record modem conversations which pass through their lines. This is supposedly done automatically by detectors which listen for modem tones, and will then turn on a recording device to keep a record of the call. Even if the gossip turns out to be false, consider this: (1) We obviously have the technology to do such a thing and, (2) it is well known that the NSA records many, many phone calls.

So... If you must associate with known computer culprits, or with established hackers, do so as covertly as possible. Not calling from your house means calling from someplace else. That means you may want to splurge for a portable laptop computer. While you're at it, buy an acoustic coupler and an external modem to go with it. All this should run you about one or two thousand dollars - a lot less than the cost of retaining an attorney to defend you in court.

The acoustic coupler is necessary because not every place you hack will have a telephone jack to plug into. The external modem is needed to plug the coupler into. While many laptops come with modems included, they are generally internal models, and so can not be coupled to a telephone handset. Now that you have your equipment, where should you take it? There are plenty of places. At night and over the weekend you can sneak into many big office buildings and, if the right door happens to be unlocked, sit yourself down at a cubicle and chug away.

Two summers ago, I was walking past my local municipal center a little past 9 p.m., and I noticed that every office had their windows open. Every office - at night! Their air conditioner must have malfunctioned during the day, as it had been incredibly hot. Needless to say, if I'd been in the hacking mood I would've scrambled through a window and hooked up my portable to a telephone. I could have been making illegal computer B & Es while making a physical B & E, all just a few doors down from a bustling police station - and with no one being the wiser.

If you have money laying around, or if you have a hacking expense account, you can always hole up in a hotel or motel to do your hacking.

The money problem is one which gets to hackers in other ways. Phone bills add up fast, which is why most serious hackers are phreaks too. A phreak is someone who hacks the telephone networks. One of the major aspects of phreaking is the producing of code tones which signal the telephone system to perform special functions, such as place long distance calls for free. Phreaking is definitely a major area for hackers to investigate, and the telephone system - and especially the computers which run the system - is something which all hackers should become intimately familiar with.

Many hackers will say that any hacking other than hacking the computers which run the telephone system is child's play. This is true to some extent. The telephone computer networks are incredibly large, sprawling, wonderful masses of intricate functions, enormous databases, technical operations and blinding wizardry which makes hacking anything less look pitiful.

Once the phone line leaves your house it goes to a local switching center. This center controls all phones in your neighborhood, which may mean as many as 15,000 telephone lines. Each neighborhood switch is managed by its own computer. These computers are the essential targets of the phone company hacker; if you can access the computer, you can access every phone that it switches. You can turn phones on and off, reroute calls, change numbers. You could, if you were not a hacker, wreak quite a lot of havoc.

There are also switched networks which connect the computers that run switches. From there you can go to regional maintenance systems such as COSMOS (which sends out instructions to create and kill phone numbers among other things) and MIZAR (the local MIZAR actually does the work that COSMOS sets up).

Once you've gotten familiar with the intricacies of these telephone computers, you can use them in ways to protect yourself. For instance, you know you probably don't want to place hacking phone calls from your house. What you can do is connect to a neighborhood switching computer, take the phone numbers of some local pay phones, and deactivate their need for coins. You then use the pay phones to call or hack any place in the world.

Or you can use a MIZAR - which, as far as is known, does not keep records of its activities, unlike COSMOS - to temporarily change your present phone number to that of a nearby church. If your call gets traced, you'll be sending the feds on a wild goose chase.

I want to make the point that dialing in to a remote computer is not as safe as it feels. Communicating through a telephone or through a computer sometimes gives you a false feeling of protection, especially when you become good at hacking and phreaking, and turn from confident to cocky. Don't let that happen to you. Remember to always follow these safety rules.

Don't set up patterns of behavior. Always call from a different place, at different times of day.

When is a good time to call? Ask hackers this and each one will give you a different answer. Late night is good because system administrators will probably have gone home already - but then, so too have most valid users, so you'll stand out like a clown at a funeral. You can try hiding yourself within the bustle of heavy usage times, like mid-morning and afternoon, but then the mainframes will be at their slowest, your activity can easily still be noticed, and the account you've hacked may be unavailable for your usage. There really isn't any perfect time to call. Some research into how the company structures its computer guard duty may help.

Time how long you're on the phone with a machine. A phone trace is instantaneous if you're local, and takes just a half a tweak longer if you're calling from far away. But it's still not wise to stay on a single line half the day. Move around a lot, calling from different phone numbers, to different access numbers. If your target has multiple dial-in lines, randomly choose from all of them.


Laptop Hints

Since you'll be calling from who-knows-where on your portable laptop, here are some suggestions to help you get connected.

When in unfamiliar domain, such as an office, hotel, schoolroom after hours, or otherwise, your laptop is of infinite value - so long as you can get it to work. Never plug your modem into an unfamiliar phone setup until you've verified that doing so won't burn out your equipment. Many offices have installed their own electronic phone systems, called PBXs, to facilitate special functions such as in-house dialing and phone menus, or to block certain phones from making long distance calls. Some of these PBXs place a current into the telephone wires that is powerful enough to damage your delicate modem. To see if the line you have in mind is safe, try plugging in a really cheap phone first. If it works, your modem should, too.

PBX-networked phones may not work with your modem because of special audible or numeric codes used in local routing procedures. If you get a dial tone on your cheap test phone but your modem won't work, you can assume that it's the PBX system at fault.

To correct the problem you have to plug the modem into the phone jack, and connect the room phone (not your cheap one) to the modem (you may need a special double port for this). To use the modem you place the call using the room telephone, and when you hear the remote computer ringing, turn your modem online and hang up.

Alternatively, devices can be bought to process signals as they go between the telephone handset and the modem. The device converts ordinary modem signals so they will work on digital systems such as a PBX. This may be a more suitable alternative if you find yourself having to bypass PBX phones a lot.

Sometimes you can find yourself in a place with a telephone, but no plug-in jack for your modem. For instance, if you are using the phone from a public fax or automatic teller machine. In these cases, unscrew or pry off the mouthpiece of the phone and use a cable with attached alligator clips to connect the red and green wires from your modem wire to the two silver mouthpiece contacts inside the telephone handset. This can easily generate a poor signal, so if you have the actual telephone (not just the handset) available for vandalism, take apart the entire case and clip your red/green modem wires to the red and green cable leads from the telephone's transformer. You will then have to hold down the switchhook on the telephone to place the call.


Your On-The-Road Kit

Make sure you have this stuff with you when you go hacking on the road:
• A laptop, or otherwise portable, computer. Must have a modem. Preferably two: an internal, and an external with acoustic coupling cups.
• One small, cheap, reliable telephone for testing line voltages. You can use a commercial tester for this, but the phone comes in handy in places like motels, where you may want to connect to a telephone but the acoustic coupler won't fit on the phone they supplied.
• An extra phone cord, with an RJ-11 modular clip at one end (the standard, square telephone plug-in thingy) and with alligator clips at the other end.
• Wire cutters, screwdrivers, and assorted coil cords with various size ports.


System Tiptoeing

Even the best intentioned, the most honorable and nondestructive of hackers are thought of as evil by the managerial population. This means that if you're caught breaking into computers that don't belong to you, expect some trouble. Even if the hacking you were doing is completely benign you are likely to be punished in some way. I've seen reports that estimate the cost of computer crime per year is $3 billion to $5 billion dollars - and that's on the low end. Other sources list figures as high as $100 billion.

Even the $3 billion figure, to me, seems pumped up for insurance purposes, but the people who run businesses and government don't see it that way. Government and industry people will realize that most computer crimes go unreported, and so the true cost is likely to be much higher than the official estimate. Even if these dollar amounts are bogus, that's what people believe, and so they will be even more inclined to prosecute someone who they believe is contributing to that multi-billion loss every year.

Let's take a brief interlude here and examine the case of the Greenwood Family Hospital BBS.

"Pretty Theft" is the name of a hacker I used to communicate with infrequently. One day she sent me a message on a BBS asking if I knew how to get into the computers of a certain hospital that was in my area. I was puzzled, because that hospital was the easiest thing in the world to get into - in fact, it was one of my earliest successful hacks.

When you logged onto the system, you were greeted with this informative message (names and numbers are fictitious, of course).

Welcome to GFH-NET!
300-2400 baud (123)456-7890
GREENWOOD FAMILY HOSPITAL
GFH-NET IS MAINTAINED BY ROGER CORNWALL AND HAROLD LIPNICK
QUESTIONS OR COMMENTS? E-MAIL TO THEM!!!

WHAT IS YOUR NAME? TYPE IN FIRST AND LAST:
WHAT IS YOUR PASSWORD? TYPE <RETURN> ON A BLANK LINE IF YOU DON'T HAVE ONE:

A few months after I began actively hacking, I was using my computer and watching the evening news when a story came on about the governor breaking his arm and being rushed by helicopter to a hospital. I thought to myself, "Hey, hospitals must use computers, right? I can probably get into one!" So I got the supposedly private number for the Greenwood Family Hospital Network, and I called up, and I got that welcoming screen. Guess what I did next? It's not too hard to figure out what I did! Naturally, I typed in ROGER CORNWALL for my name. Unfortunately, the real Roger Cornwall had a password of some sort; pressing Return on a blank line just got me an error message. So I tried HAROLD LIPNICK. Again, no go.

I went into the kitchen, got out the phone book, looked up the telephone number of Greenwood Family Hospital, and I called it. A woman answered:

"Greenwood, may I help you?"
"Yes, please," I said, "Is Tom there?"
"Who?"
"Uhm.... There's some guy there I spoke with earlier... Your supervisor or somebody?"
"Lee Brown, you mean?" she asked.
"Oh yeah, I guess that's it. I don't know where I got Tom from. Uh, is he there?"
"Nope. Lee left at five."
"All right, thanks."
"Bye-bye."

I went back to my computer and called back GFH-NET and tried LEE BROWN for the name. Once again, I was out of luck. However, after a few more phone calls to the various numbers listed for the hospital, I came up with a guy (a resident) who had not bothered with a password.

GFH-NET turned out to be nothing special after all. It had nothing to do with hospital billing, patient records, or anything else pertaining to the actual running of the place. Mostly it was like a doctor BBS. From what I could make of it, it was medical students discussing problems with the doctors on the system. No file transfers or anything; just a very simple messaging system. It was no big deal, but it was fun to get into.

The next day I looked through the doctors in the yellow pages, and I found about eight listed who had Greenwood Hospital addresses. Out of those names, three had no password.

So anyway, I was puzzled as to why Pretty Theft couldn't get on there. I called it up for the first time in years, and to my surprise found this nasty logon screen awaiting me:

USE OF THIS SYSTEM IS RESTRICTED
TO AUTHORIZED PERSONNEL ONLY!
EVERYONE ELSE MUST HANG UP NOW!

All useful information was gone! All that remained was an angry note and a nonuseful arrow prompt.

I tried some of the old names I'd figured out way-back-when, and found that all of them had passwords now. I tried some more social engineering, but everyone I spoke to kept their mouths shut about everything. (Later I was able to get onto the real hospital system with the help of some nice receptionists in the administration department.)

I e-mailed a letter back to Pretty Theft. I asked her what had happened there. The next day I got her reply:

Last month a friend of mine was in the hospital, so I wanted to see if I could change his bill. I remembered you giving me the number two years ago or something, so I looked it up in my book and I was surprised I still had it. I knew the name of my friend's doctor, and when I was there visiting him, I got the names of lots more from the paging system (you know, "Calling Dr. Bower...") and from charts on the walls. Then I went on the system and was trying all these names, when the sysop came on and threw me off. Every time I tried getting on after that he kicked me off. Next morning at about 8:00, I finally got on. One of the doctor's names I tried had the name as a password too. Well as I guess you know, I couldn't change my friend's hospital bill, but I couldn't do anything much else either... after giving my name and password, it just froze. That night I tried it again, and there was a message before it asked for your name. It said, MOST OF THE IMPORTANT FILES HAVE BEEN DELETED BY SOMEONE OR SOMETHING. THE SYSTEM WILL BE DOWN FOR A WHILE - ROGER. A week later I tried it again, and the phone just rung. I didn't do anything to it, but I guess the sysop thought I or someone else deleted the files. A few days ago I called back for no reason, and, well, you know. I guess they got smart?

Yes, Pretty Theft was right. They had gotten smart, and because of it, security was tightened. It is for this reason that hackers should not announce their arrival to a system, nor do anything to attract anyone's attention. There is only one case, really, when you would want to show yourself to the system operator, and that is when you've found out everything there is to know about a system and are never going to call back again.

Incidentally, Roger and Harold had gotten smart in some respects, but remained dumb in others. Through continued perseverance I was able to get onto GFH-NET again. As it turns out, I'd gotten smarter too; the medical conversations between doctors and students seemed a lot more comprehensible than they had been just two years before. Maybe it was the students getting dumber?

There was also an old bulletin posted from one of the sysops. It explained as much as he knew about what had happened (which wasn't much). Mostly it said that certain files were deleted, and many of the bulletins were replaced with obscene musings on female anatomy. From what he said, it sounded like the files could have been erased by either a clumsy system operator, or perhaps a malignant hacker. I did a little investigating, and found that although it was not listed in the main menu, pressing "T" brought me to a defunct file transfer system. With a few minutes of thinking, it was easy to see how someone could've uploaded a program that would delete whatever files were in the root directory after a rebooting of the system.

The next day I typed up a long letter to the sysops at the hospital, explaining everything, what they could do to correct the problem, and how other security breaches could be curtailed. I signed it, "Sincerely, Polly Wanza Hacker." Then I called back the BBS and uploaded it to them. Soon after, I got this message from Pretty Theft:

"There's a new logon screen at the hospital. It says: 'THANX POLLY! - SIGNED R.C. & H.L.'"

I couldn't have been happier.



Lessons From The Hospital

You already know system operators don't want you on their system. That's why you have to hack in the first place. But if you make it known that you're there, you will compound your difficulties considerably. On GFH-NET, the sysops went crazy when they realized their computers were being abused, and they made it a lot harder to get into. On a little BBS like that, you might not care whether or not you get in, but if you're dealing with something big - like some government agency - you don't want to start messing around. If you do show yourself in any way - like by a million log entries of "USER FAILED LOGON PROCEDURE" from when you tried every word in the dictionary as a password - the sysops are going to get concerned, at the very least. Concerned sysops mean no information will be given out over the phone. It may mean changing every legitimate user's password, or cleaning up dead accounts that might otherwise facilitate entry.
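Seen from the sysop's chair, the trail described above is easy to turn into an alert. The following is an added example, not part of the original text: it scans a constructed logon log for a burst of failed logons and for many different names tried on one dial-in line, and audits a user list for blank passwords, passwords equal to the user's name, and dead accounts. The log format, field names, sample accounts and thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the line format is an assumption, not GFH-NET's.
SAMPLE_LOG = """\
1990-06-01 09:15:02 line=1 USER LOGON OK name="LEE BROWN"
1990-06-01 21:02:10 line=2 USER FAILED LOGON PROCEDURE name="ROGER CORNWALL"
1990-06-01 21:02:41 line=2 USER FAILED LOGON PROCEDURE name="HAROLD LIPNICK"
1990-06-01 21:03:05 line=2 USER FAILED LOGON PROCEDURE name="LEE BROWN"
1990-06-01 21:03:30 line=2 USER FAILED LOGON PROCEDURE name="DR BOWER"
1990-06-01 21:04:02 line=2 USER LOGON OK name="DR BOWER"
1990-06-02 10:00:00 line=3 USER FAILED LOGON PROCEDURE name="LEE BROWN"
"""

# Constructed user file. Passwords are readable here, as on a small BBS of the
# period; with hashed passwords, test the candidate strings against the hash.
SAMPLE_ACCOUNTS = [
    {"name": "ROGER CORNWALL", "password": "x7#mulch", "last_logon": "1990-05-30"},
    {"name": "DR BOWER", "password": "bower", "last_logon": "1990-06-01"},
    {"name": "TOM RESIDENT", "password": "", "last_logon": "1990-05-12"},
    {"name": "OLD STUDENT", "password": "q9!harbor", "last_logon": "1988-09-01"},
]

LINE_RE = re.compile(
    r'^(\S+ \S+) line=(\d+) USER (FAILED LOGON PROCEDURE|LOGON OK) name="([^"]*)"$'
)


def parse_log(text):
    """Return sorted (timestamp, line, ok, name) tuples; unparseable lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, int(m.group(2)), m.group(3) == "LOGON OK", m.group(4).upper()))
    return sorted(events)


def find_guessing(events, window=timedelta(minutes=10), max_failures=3, max_names=3):
    """Flag password guessing per dial-in line using a sliding time window."""
    recent = defaultdict(deque)  # line -> failures (ts, name) still inside the window
    alerts = []
    for ts, line, ok, name in events:
        fails = recent[line]
        while fails and ts - fails[0][0] > window:
            fails.popleft()  # drop failures older than the window
        if not ok:
            fails.append((ts, name))
        reasons = []
        if not ok and len(fails) >= max_failures:
            reasons.append("failure_burst")  # many failures in a short time
        if not ok and len({n for _, n in fails}) >= max_names:
            reasons.append("name_spray")  # many different names from one caller
        if ok and len(fails) >= max_failures:
            reasons.append("logon_after_guessing")  # a guess may have succeeded
        if reasons:
            alerts.append({"time": ts, "line": line, "name": name, "reasons": reasons})
    return alerts


def audit_accounts(accounts, today, stale_days=180):
    """List accounts with no password, a password taken from the name, or no recent use."""
    findings = []
    for acct in accounts:
        name = acct["name"].upper()
        pw = acct["password"].strip().upper()
        if not pw:
            findings.append((name, "blank_password"))
        elif pw == name or pw in name.split():
            findings.append((name, "password_is_name"))
        last = datetime.strptime(acct["last_logon"], "%Y-%m-%d")
        if today - last > timedelta(days=stale_days):
            findings.append((name, "dead_account"))
    return findings


if __name__ == "__main__":
    for alert in find_guessing(parse_log(SAMPLE_LOG)):
        print(alert["time"], "line", alert["line"], alert["name"], alert["reasons"])
    for name, finding in audit_accounts(SAMPLE_ACCOUNTS, datetime(1990, 6, 2)):
        print(name, finding)
```
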

Alternately, if you have a nice feeling about a certain system, and don't want to see it get hurt (and you don't mind possibly eliminating your chances of ever getting back on it), you would be wise to consider informing the system operators about all the little quirks you know about their precious system.

Many times, they won't believe you. They won't even bother trying what you suggest they try, either because they have a huge ego that can't be wrong, or because they think it's some kind of a trick, or god knows why else. But if they do believe you, and they take your advice, they will be quite grateful and, if you ask, might give you a low-level account on the system, or some handy tips. Tell them you'll be their unofficial security advisor. Some of them can be quite good about it, though others will think you're up to no good no matter what.



BBS Protection

This section deals with the two issues of security for the hacker involved with BBSs: hacker as user, and hacker as sysop. These are actually intertwined issues, as sysops of one BBS will generally be users of other BBSs. You should take these safety precautions on all BBSs you use and run, and should not hang around systems which do not employ a high degree of hacker security.

Do not post messages concerning illegal activities on any BBS where you don't feel completely secure. This means it's bad practice to brag about your hacking exploits in private e-mail as well as public message bases. If you are actively involved with BBSing, by all means become good friends with non-deviant systems, if only to maintain a balanced perspective of your computorial existence. But make sure that what you say on those boards does not implicate you in any way with any crime.

Don't get me wrong. I don't want to imply that posting messages about hacking on a hacker BBS guarantees safety, because it doesn't, of course. When you start sharing secrets on a hacker BBS, you'd better make sure the sysop takes all of the following safety precautions: user screenings, a false front and hidden back boards, double blind anonymity, encryption, and affidavits of intent.

The most important aspect of any hacker group, club, or BBS, is secrecy. A true hacker BBS will not advertise, because it does not need new members. A hacker BBS will seem to be a very homey, family-style BBS up front, but type a code word from off the menu, enter a password or two, and you enter the hidden realm. Hacker BBSs should further protect themselves by only allowing specified users to enter the secret parts of its domain, to prevent unauthorized hackers or pseudohackers from breaking in to your meeting place.

Any hacker BBS which does not take this minimal precaution of pretending to be legitimate, is juvenile, dangerous, and not something you want to be a part of. Going up the scale of stupidity just a bit, I've seen plenty of "hacker" BBSs which allow access to the hidden part by entering words like "DEATH" and, yes, even "PASSWORD" as passwords. Needless to say, the information found on such boards is very low content, and usually consists of the various users calling each other dickheads.

No new users should be allowed on a hacker BBS unless one or several existing members can verify that the potential user is not a cop, will abide by the club's law of conduct, has information to share, and will not be a big blabbermouth. As a sysop, you will enjoy composing the list of rules that govern the way the BBS takes in new members. Remember, any new member should not even know that the BBS exists until the time when he or she is accepted into it. That will keep out law enforcement people, and keep in only the best hackers available.

Once a member has been verified as clean, his or her private information should be destroyed from the computer records. In fact, think about the BBSs on which you are a current member. Are there any which are likely to be busted in a raid? Even if you aren't doing anything wrong on the system - even if nobody on the system is doing anything illegal - you know very well how mixed-up the feds get when it comes to computers. You don't want your name brought into a computer crime trial, even if the case is thrown out of court before it begins. So if you're a member of any subculture BBS, tell the sysop to replace your personal information (name, address, phone number) with falsehoods.

If you ever register with a BBS but decide not to call back, make sure to inform the sysop that you want your information deleted. (Verifying that such information has been altered or deleted is one legitimate reason for hacking a BBS. Legitimate, that is, from a hacker's ethical point of view.) It is important to do all this, because there are impostors out there who are very good at catching hackers when they least expect to be caught. In June of 1987, an AT&T security official logged onto a Texas BBS and found messages from a hacker boasting about how he'd gotten into a certain company's computer system. This led to the hacker's arrest.

Note that since the hacker undoubtedly used a handle on the BBS, and it was a hacker board, the official might have hacked himself to get the hacker's real name. In any case, make sure your real name, address and other identifying data never stray to unsafe waters.

Before we start talking more about what you can do as the sysop of a hacker BBS, let's conclude with a real life example of what happens when hackers DON'T follow the advice I've listed above. In 1986 a BBS called simply and arrogantly, "The Board," came into being in Detroit. The Board was run off an HP2000 computer, and attracted hackers and crackers (and would-be hackers and wannabe crackers) from all over. On August 20, the following ominous message appeared on The Board when one logged in:

Welcome to MIKE WENDLAND'S I-TEAM sting board!
(Computer Services Provided by BOARDSCAN)
66 Megabytes Strong
300/1200 baud - 24 hours.
Three (3) lines = no busy signals!
Rotary hunting on 313-XXX-XXXX

If you called up that day and read the newest messages posted, you would have been surprised to find these little darlings staring you in the face:

Board: General Information & BBS's
Message: 41
Title: YOU'VE BEEN HAD!!!
To: ALL
From: HIGH TECH
Posted: 8/20/86 @ 12.08 hours

Greetings:

You are now on THE BOARD, a "sting" BBS operated by MIKE WENDLAND of the WDIV-TV I-Team. The purpose? To demonstrate and document the extent of criminal and potentially illegal hacking and telephone fraud activity by the so-called "hacking community."

Thanks for your cooperation. In the past month and a half, we've received all sorts of information from you implicating many of you in credit card fraud, telephone billing fraud, vandalism, and possible break-ins to government or public safety computers. And the beauty of this is we have your posts, your E-Mail and - most importantly - your REAL names and addresses.

What are we going to do with it? Stay tuned to News 4. I plan a special series of reports about our experiences with THE BOARD, which saw users check in from coast-to-coast and Canada, users ranging in age from 12 to 48. For our regular users, I have been known as High Tech, among other IDs. John Maxfield of Boardscan served as our consultant and provided the HP2000 that this "sting" ran on. Through call forwarding and other conveniences made possible by telephone technology, the BBS operated remotely here in the Detroit area.

When will our reports be ready? In a few weeks. We now will be contacting many of you directly, talking with law enforcement and security agents from credit card companies and the telephone services.

It should be a hell of a series. Thanks for your help. And don't bother trying any harassment. Remember, we've got YOUR real names.

Mike Wendland
The I-team
WDIV, Detroit, MI.

Board: General Information & BBS's
Message: 42
Title: BOARDSCAN
To: ALL
From: THE REAPER
Posted: 8/20/86 @ 3.31 hours

This is John Maxfield of Boardscan[1]. Welcome! Please address all letter bombs to Mike Wendland at WDIV-TV Detroit. This board was his idea.

The Reaper (a.k.a. Cable Pair)

Is any comment required?

You can see from this that the people who come after hackers - the people who will be coming after YOU - are not all Keystone Cops. Maxfield knew enough to pick "k00l" handles like The Reaper and Cable Pair. The newuser password to get into The Board was HEL-N555,Elite,3 - a quite hip password considering its origin. Maxfield, and others like him, are as into hacking as we are. They are knowledgeable of the culture and the lingo and the way we think. This last is particularly hurtful, and it means you can't allow yourself to think like everyone else. You won't become an elite hacker without the strength of your entire common sense working for you. When you call up BBSs, be sure and exercise that strength.

Now let's talk about exercising First Amendment rights.

We do have the right to run our own BBS, and to exchange information on it. On a hacker board, that information is likely not going to be the kind of thing you'd read to your mother.

Disclaimers, such as, "This BBS will not tolerate any unlawful discussion of blah blah blah..." are worthless, but you may want to throw them around anyway to complement my next suggestion: Many of the traditional laws which hackers get nailed on have to do with "harmful intent." That is, can it be shown that the hacker or cracker willingly caused damage to a computer?

(Footnote: Boardscan is a company headed by John Maxfield, which seeks out and destroys hackers and their ilk.)

If you are running a hacker BBS or club, you might then consider having members sign an affidavit which makes their good intentions known. Members should sign an agreement stating that they would never willfully damage another's computer or its contents, that any information exchanged on the BBS was for knowledge value only and that none of the illegal activities discussed will be actively pursued, etc. Basically this should be a way to let the members feel they are actively participating in your code of ethical hacker conduct which should be prominently displayed upon login to the BBS. Signing such a goody-two-shoes affidavit may not get you out of legal trouble, but it will do two things. It will stress the point that a member who does not follow the agreement is unworthy to be a part of your hacker BBS or club. And to a jury, it will help convince them that you all are just a bunch of innocent hobbyists being persecuted by the Big Bad System.

It has been suggested that sysops should have their members sign an agreement that, in the event of a raid by law enforcement officials, users would join a lawsuit against the officials to win back monies to pay for destroyed equipment, lost time, false arrests, the hassle, and everything else that goes along with being persecuted by Big Brother.

Current e-mail should always be kept on-hand, so that you can use the terms of the Electronic Communication Privacy Act to your favor. The ECPA ensures that electronic mail that was sent within the past 180 days is private and requires a warrant for an official to search and read it. Note that individual warrants are required for each user who has e-mail stored on your BBS, thus increasing the amount of paperwork required by The Law in going after you and your gang of happy hackers.

So, if your users have signed an agreement, and sample e-mail is stored for each user (it may be fudged e-mail whose time and date of origination gets automatically updated every 180 days), you want to make all of this known to invading officials. Make a message such as the following available to all users when they log in for the first time, and every time they use the system:
A SPECIAL MESSAGE TO ALL
LAW ENFORCEMENT AGENTS:
Some of the material on this computer system is being prepared for public dissemination and is therefore "work product material" protected under The First Amendment Privacy Protection Act of 1980 (USC 42, Section 2000aa).

Violation of this statute by law enforcement agents is very likely to result in a civil suit as provided under Section 2000aa-6. Each and every person who has such "work product material" stored on this system is entitled to recover at least minimum damages of $1000 plus all legal expenses. Agents in some states may NOT be protected from personal civil liability if they violate this statute.

In addition, there is e-mail which has been in storage on this system for less than 180 days. Such stored electronic communications, as defined by the Electronic Communication Privacy Act (ECPA), are protected by the ECPA from unauthorized accesses - such as seizure by government officials - without warrants specific to each person's e-mail. Seizing the computer where this BBS resides would represent such an unauthorized access. There are civil actions which may be taken against law enforcement agents under provisions of the Act. You can find them in USC 18, Section 2707. On this system you can expect up to X people to have stored e-mail. Each of them is entitled to collect a minimum of $1000 plus all legal expenses for violations of Section 2700 and 2703. Note that all users of this system have already agreed in writing that their privacy is well worth the hassles of court. We will sue YOU.

Perhaps the agency you work for might pay your legal fees and judgments against you, but why take chances? If you feel the need to go after our private and legally protected e-mail, or take actions which would deny e-mail access to our users (such as seizing our hardware), get appropriate warrants.

It is the policy of the sysop of this system to cooperate with law enforcement agents - though we will not be involved in entrapments, and will not respond to idle threats. Please bring it to my attention if you discover illegal activities on this board, because as curator of this museum I will not tolerate it.

"Hacking the hacker is the ultimate hack," John Maxfield has said. Maxfield is a computer security consultant well known as a hacker tracker, and the one who helped organize The Board sting described above. John scans BBSs looking for hacker activity, and when he finds it, he informs the company that is being hacked about the problem. You know how insecure computers can be, and when you post messages or send e-mail on a BBS you are in effect opening yourself up for the world to see. Don't let some hacker tracker see something about you that you'd rather keep private. When you roam around cyberspace, do so discreetly.