Thursday 15 December 2011

The Hacker's Ethic

Many hackers and non-hackers have given their versions of the "Hacker's Ethic." The versions are all pretty much the same. What's different is the degree to which the ethic is followed. Smart people, like many hackers, start out by following the rules, the moral codes - the Ethic - but then they get sidetracked. They begin to get the feeling that because they know about the law, they have the authority to break it: "It's not like we're blindly acting without discretion." That's what smart people do - because they know they're smart, and because of it, they forget that even smart people, even smart hackers, are often very, very dumb.

What I'm about to do is give my own version of the Hacker's Ethic. This is a set of beliefs that I have about the world of computers. It may not be what you believe, but that's all right. Hacking has to do with independence.

However, I urge you to understand why it's important that you formulate a hacker's code of ethics and live by them. Having a code of ethics will help keep you out of trouble. Now, I'm not saying that if you're caught, a judge and jury are going to base their verdict on whether or not you behaved according to your beliefs - especially since some of your beliefs likely involve illegal activities.

What I'm saying is, I like to think that if you have formulated a moral code, and it is well known that you abide by that code, and if all members of your hacker's circle sign affidavits testifying to their loyalty to the code, then in some instances it may allow a judge or jury to honestly say to themselves, "Gee, he meant no harm by it - the damage was not intentional." If you remember our previous discussions of law, many offenses require that, for a criminal action to have occurred, the suspect's conduct must have been intentionally criminal. Well, I would like to think that's the way it would turn out. In real life one can't count on others seeing things from your point of view.

At the very least, one would hope that by providing a code of ethics, you could more easily weed out undesirables from your group, and keep your members safe and happy. More importantly, I feel there is some indescribable underlying goodness about having a code to guide you. If I sound preachy, fine. I'm done.
This is my Hacker's Ethic. These are my beliefs about computers and hacking, as I attempt to live them.


My Code Of Ethics

Computers have enabled a great deal of information to be available to anyone, and quicker and cheaper than ever before. The free flow of information is good, but not when it violates human rights. There are two kinds of human rights. There are rights which pertain to individual humans, and rights which pertain to humanity as a group.

All of humanity should have the ability to access virtually any known information. There should be a free flow of information, and information and technology should be used in moral ways. People should know how things work, if they choose to know, and such information should not be kept from them. New ideas should be heard, and there should be the capability for ideas to be discussed, and questions answered, from multiple viewpoints. People should be made aware that all this knowledge exists, and can be brought to them. Technology should be used to this end, not for profiteering or political gain.

Individually, people should have the right not to have data pertaining to them available for use in ways which are adverse to them. People should have the right to be notified when information about them is added to a database, when and to whom it is sold or given. Because it is their own personal information, individuals should have the right to control how information about them is distributed. A person should have the right to examine information about him or herself in a computer file or database, and should be able to do so easily. The person should have the right to easily correct inaccuracies in that data, and to remove information that is offensive to that person. People should be guaranteed that all makers and suppliers of databases will enable these rights to be granted, in a timely fashion.

All of this is what should be the case, and in some situations these rights are currently acknowledged. However, most of these rights are almost unanimously ignored. Therefore it is necessary to hack. Hacking is using computers (or whatever) to live according to these ideals. Hackers have these ideals about individuals in general and humanity in general, and I have a set of ideals which I personally follow so that the general ideals may be carried out:
• Never harm, alter or damage any computer, software, system, or person in any way.
• If damage has been done, do what is necessary to correct that damage, and to prevent it from occurring in the future.
• Do not let yourself or others profit unfairly from a hack.
• Warn computer managers about lapses in their security.
• Teach when you are asked to teach, share when you have knowledge to spread. This isn't necessary, it is politeness.
• Be aware of your potential vulnerability in all computing environments, including the secret ones you will enter as a hacker. Act discreetly.
• Persevere but don't be stupid and don't take greedy risks.

I am not suggesting that following a code of ethical conduct of this sort makes my hacking moral or right. But I'm also not saying that my hacking is immoral. Don't even raise any arguments along those lines with me because I simply do not care about them. We know what's legal and what isn't. Hacking is something that I am going to do regardless of how I feel about its morality. It is pointless to raise the issue of "Do you honestly think you can justify snooping with your loopy code of ethics?" because if you must consider that issue, you must not have hacking in your blood.



Combining Principles

Throughout this book I've tried to offer general guidelines on the various topics that will prepare you for any computing situation you happen to find yourself in. When it comes to so broad an undertaking as "hacking," there can obviously be no one specific set of steps to follow to achieve one's objectives. Rather, one must call upon a variety of general ideas, overlay them when appropriate, and just hack away until something comes of it.

From knowing what to expect you should know how to react to a new challenge - and your ability to hack will improve.

I want to tell you one final story. This is a story which demonstrates many of the principles you have learned from this book: research, scavenging, shoulder surfing, persistence and logical reasoning, programming methods, brute force, general computing knowledge, social engineering, reverse social engineering, screen analysis, system simulators. It shows how each is played off the other for the final triumphant result of a successful hack.



My One-Person Tiger Team

Recently I was given the opportunity to try my hand at hacking into a newly set up computer system at a special library. The library director was concerned because they had recently transferred to this new system which, unlike previous ones, allowed dial-up access from outside lines. The director wanted to know if it was possible to break out of the search facility, into the restricted areas having to do with overdue fines, patron names and addresses. Or would it be possible to escape entirely from the library program to the operating system and perhaps do some damage?

I told him I would be happy to look into the matter.

Now, he offered to give me one of the dial-in numbers, but I told him there was no need for that. I was a hacker after all! (Actually, I was acting cocky to impress him - I already knew the phone number from watching him give me a demonstration of how the public part of the system worked.)

I called up the system from my home and explored every inch of it. It was a command-run system. The opening screen allowed one to select a function by entering commands such as CAT to search the library catalog, or HOL to place a hold on an item. The proper way to end a session was with the END command. I tried other, unlisted commands to see if any would work. More than you might realize, this is a very common practice on computer setups where part of the system is public and part is private. Almost always the public part of the system will have at least one secret command to allow entry into the private side. So I tested a whole slew of key words: EXIT, BYE, LATER, START, LEAVE, LOGIN, QUIT, USER, PASS, LOG, LOGI, CIRC, and the like. Some of these I have seen used in actual applications. (For example, CIRC is often used to enter the part of a library program that takes care of circulating materials. I discovered LEAVE on a computer that was situated in a museum - typing it in allowed one to exit the menu and enter a special area for museum curators and employees.) None of these, nor any of the other words I tried, worked.

Since it was a brand spanking new system, I was sure there would be lots of bugs hanging around that I could exploit. Indeed, when I spoke to the director, he bemoaned the fact that certain function keys on the terminals had not been set up yet, and that pressing them would exit one to an incomprehensible programmer's environment. Aha! This is what I needed! But when you're calling in over the phone lines, you don't have access to the function keys that are available on the computers in the company offices.

I thought perhaps the function keys were macros for commands which a user would otherwise have to type in by hand, but I didn't know what those commands were. I was doing nightly excavatings of the building's garbage bins to see if anything would turn up, and finally something did - a badly mangled reference card from the company which had supplied the software package. I painstakingly searched every last inch of the trash that night, but could only come up with half of the card.

At home, I saw that among the things listed on the card were indeed the names of commands mapped to the function keys. Only two of them were legible, and the rest were either torn off or smeared beyond readability, but those two turned out to be enough.

What was immediately apparent was that I had made a wrong assumption - not ALL the commands were standard English words or abbreviations of words, like CAT or END. There were two-letter commands and dot commands, too. When you input a dot command you type a period (.) followed by an alphanumeric command. They are often used in applications where entering the alphanumeric command by itself would be misinterpreted as inputted data. For example, let's say you're using this library system, and at the prompt where it asks for an author to search for, you decide to search for books by title instead. So you type the TITLE command. What's going to happen? The computer thinks that "Title" is the name of the author you want, and starts a search for someone with that name. To get around that sort of problem, this system allows a period to be typed before a command. Now if you type ".TITLE" at the author prompt, the system sees the leading period and recognizes that what follows should be treated as a command.

Programs often use a period before the command because a period is a small, undistracting character and is also very easy to type. But occasionally you will run into "dot" commands which use other characters, most notably, slashes (/ or \) or an apostrophe (').

Anyway, the reference card told me that pressing function key F1 was akin to the QUIT command, and F2 was the HELP command. Both seemed promising - .QUIT because it might allow me access to the nether regions, and HELP because since this was a newly set up system, help was very likely not yet implemented - and might be one of those functions which the director was complaining would crash the system if someone used it.

I was dialing in to the computer from the outside world, and there really isn't any way to transmit a function key press through a modem (function keys are not in the ASCII lineup), so I had to hope that either QUIT or HELP would work. Of course I had tried their undotted counterparts before to no avail, but maybe, just maybe, one of them with the dot would work....

Nope!

.QUIT simply terminated my session and disconnected me. When I typed HELP, the screen cleared, and the following line was printed:
<EOF \txt\hlp\help000>
I presumed this meant that the End Of File help000 in the \txt\hlp directory had been reached; in other words, the file existed but was blank. I was temporarily licked, I thought, though it was interesting that now I knew about a \txt directory which apparently contained various text files, and a \hlp directory within it which held help files. Something else I noticed: every time the screen was redrawn, a line at the top was displayed which read something like this:
<<< J. Smith Co Special Library On-Line >>>
(000)U/SYS v55.6

The three digits in parentheses changed depending on which part of the program I was using. "(000)" presumably signified the opening screen, where I was attempting to launch these unlisted commands. If I tried the HELP command at, let's say, screen number (013), I figured the system should then search for the file `\txt\hlp\help013`. Indeed, that is exactly what happened.

Now, every program has its own style of input and output. One of the things this system used to take input was a command followed by a number. For example, if a search turned up fifty books, you might type "BR12" to see a brief citation for book number 12. I wondered if the same format would apply to the help command as well. I tried ".HELP99999," hoping that 99999 would be a number too big for the system to handle (certainly there was no screen that high). What happened was I got a message informing me that the command was not valid. I tried other variations, such as ".HELP 99999" and ".HELP < 99999" but none of them were valid either. Finally I gave ".HELP99999" one last try and this time it worked! I guess I had made a typo when I tried it the first time, perhaps inserting a space between the "P" and the "9," or whatever. The system crashed, and I found myself launched into the programmer's debugging environment.
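The crash described above came from a numeric suffix that the command parser accepted without a range check, combined with a failure path that landed in a debugger. As an added example (not from the original text or the library software), here is a parser for this dot-command format that bounds the number and fails closed; the command table, the set of known screens and all function names are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Assumed command table, built from the commands the text mentions.
COMMANDS = {"CAT", "HOL", "END", "BR", "TITLE", "HELP", "QUIT"}
TAKES_NUMBER = {"BR", "HELP"}
MAX_DIGITS = 3                      # the screen header shows three digits, e.g. (013)
KNOWN_SCREENS = {0, 13}             # constructed: screens that have a help file
HELP_ROOT = PureWindowsPath(r"\txt\hlp")

# Optional leading dot, a command word, an optional number, nothing else.
TOKEN = re.compile(r"(\.?)([A-Za-z]+)(\d*)")


class Rejected(Exception):
    """Raised for any input the parser refuses."""


def parse(line, at_data_prompt):
    """Return ("data", text) or ("command", name, number_or_None)."""
    text = line.strip()
    # At a data prompt, undotted input is always data: "TITLE" is an author name.
    if at_data_prompt and not text.startswith("."):
        return ("data", text)
    m = TOKEN.fullmatch(text)
    if m is None:
        raise Rejected("not a command")
    _, name, digits = m.groups()
    name = name.upper()
    if name not in COMMANDS:
        raise Rejected("unknown command")
    if digits and name not in TAKES_NUMBER:
        raise Rejected("command takes no number")
    # Bound the length before converting, so no oversized value reaches later code.
    if len(digits) > MAX_DIGITS:
        raise Rejected("number out of range")
    return ("command", name, int(digits) if digits else None)


def help_file(screen):
    """Map a screen number to its help file, refusing unknown screens."""
    if screen not in KNOWN_SCREENS:
        raise Rejected("no help for that screen")
    return str(HELP_ROOT / f"help{screen:03d}")


def handle(line, current_screen, at_data_prompt=False):
    """Process one input line; every failure path returns to the menu."""
    try:
        parsed = parse(line, at_data_prompt)
        if parsed[0] == "data":
            return ("search", parsed[1])
        _, name, number = parsed
        if name == "HELP":
            screen = current_screen if number is None else number
            return ("show", help_file(screen))
        return ("run", name, number)
    except Rejected as err:
        return ("menu", f"Invalid command ({err})")
    except Exception:
        # Fail closed: an unexpected fault must never hand the caller a
        # debugger or shell. Log it server-side and redraw the menu.
        return ("menu", "Invalid command")
```

On a dial-up front end the final `except` branch is the important one: whatever goes wrong, the public session stays in the public menu.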

It was like a mini-editing system for the text and batch files that the database used. I fooled around a bit with it and came up with nothing much of value except for a copyright notice that gave the initials of the company that made the program. I looked through various directories of software companies, trying to come up with actual words to go with the initials, and finally I found two that fit. I called up the first and found out that they were the ones who had written the program I was interested in. I asked about obtaining replacement documentation for the package. They said sure - all I had to do was supply the serial number that came with my software and they would send me the book for a nominal fee. I tried some bullshitting: "Well, I don't know the serial number because I don't have the instructions." No good; the receptionist informed me that the serial number could be found on a label stuck to the original disks. "I don't have the disks near me right now - I'm calling from my car phone. I'm sure I sent in my registration card, perhaps you could check that? My name is Jonathan Smith from J. Smith Co..." I prayed that the real J. Smith had sent in his card. He had not. I thanked the receptionist and told her I would call back the next day.

I figured the company library must have the documentation, but I couldn't just show up there and ask the director if I could peruse it for a while. Besides, I wanted to do this whole thing as if I were an outside hacker, unconnected with the company, trying to get in; special favors were out of the question.

That meant it was time for some serious social engineering. The only person at the library who really knew anything important about the system was the director himself, and he was out of the question since he would recognize my voice. Anyway, all I needed was this serial number. I called up the library reference desk, and made up a story about how I was a programmer from the company that had installed the new computer system and I was wondering if they had version 8 of the program? Naturally she didn't know, but I kindly explained to her that to find out she would have to look for some disks with labels stuck to the front of them.... She found the disks in the director's office, and told me that the number eight wasn't printed anywhere, just one long serial number. I had her read it to me, and one of the twelve digits was an eight, so I told her yes, everything was fine, that I just wanted to make sure she had the newest version, and that I would send her version nine if we ever got around to releasing it. She couldn't have cared less.

Anyway, I paid extra for overnight delivery of the debugger documentation, and got it late the next day. Poring through it I found out how to move around in the programming environment and - more importantly for my purposes - to exit from it. (All the important commands were abstruse things like KLOO and EE61. This editor was clearly a rush job, created by programmers, for programmers.) Exiting the debugger got me to a login prompt. I quickly found that typing in "circ" at this prompt, and "JSC" at the following password prompt, would bring me one step closer inside. (Here JSC stands for J. Smith Co. Of course that is a fictitious name.) After entering the password correctly I was brought to a second level of security - apparently the circ/JSC was a general login combination that anyone with legitimate access to the system knew. I know how to put in "your personal 9-digit ID code." Okay, well we know what nine digits means - a social security number!

I knew that the director had been born and raised in Kentucky, so I knew the first three digits of his social security number. I wrote up a program to continuously spit out possibilities for the last six digits, and it wasn't too long before I found one that worked. When it did, I was greeted with, "Good evening Jane Thornbuckle! Please enter your personal password." Jane Thornbuckle was not the library director. Now I needed Jane's password. I went back to brute forcing for a while, looking for Thornbuckle's personal password by trying out the obvious possibilities, until I got sick of it.

I didn't know who Jane Thornbuckle was, but one of the things I had pulled from the garbage was a stack of discarded company newsletters. Buried deep in the stack was the answer: Thornbuckle was a figure in the company's Management Information Services Department (i.e., a computer programmer). I did some more hacking away at her password, but that was fruitless. Finally I restarted my program to try social security numbers, and eventually came up with the library director's. Hacking his password by chance was, like Thornbuckle's, getting me nowhere.

I decided to look back at what I already knew. The programmer's environment was an interesting thing, and I played around with it awhile until I had learned enough about it to use it to edit files to my liking, as well as a few other tricks. I was able to use one of the debugger's find commands to locate every occurrence of the word "circ" in the system files. One of these files contained a bunch of gibberish, the word "minicirc," some more gibberish, and then "circ" followed by more gibberish. I tried analyzing the gibberish after the second circ to see if it could be unencrypted to read "JSC." If it could, then I would be able to use the same procedure on the gibberish following "minicirc." This tactic was to no avail.

Back I went to that initial login prompt and tried typing "minicirc" with various passwords. The problem was I didn't know what the "mini" part meant. My best guess was that it was some sort of small version of the actual library system - a simulator or training module. I was trying passwords like TRAIN, MINI, MCIRC, MINICIRC, TUTOR, LEARN, and after a lot of trouble, finally came up with T.CIRC1. This got me to my favorite little message: "Please enter your personal 9-digit ID code." Within a few seconds I had discovered that the number "555555555" worked like a charm on this mini circulation system. The screen cleared.

"Good morning New User!" my glowing computer screen exclaimed - it must have been three or four in the morning. "Please enter your personal password." This was, I hoped, the last level of security. Yes it was: a few moments later I was in the minicirc under the password "TRAIN." I was proud of myself. I had managed to get out of the public side of the dialup system and into the behind-the-scenes area. But my journey was not over yet, because I still had not gotten into the actual circulation system - just the simulated one used for training purposes.

The minicirc was helpful, but it lacked certain features which, if I were an industrial spy, I would have liked to have had access to. I could use minicirc to check out books to patrons, register new patrons, search the databases, etc., but the database contained only imaginary names and addresses. Many of the other features of the system were unimplemented, but just knowledge of their presence helped me. There was a bulletin board service, which would display messages after logging in. A few standard messages had been left by the installers: "Hi, welcome to the system..." From examining these messages carefully, I came up with some important tidbits of information.

Each message began by listing who had sent the message, and who could receive it. Part of the sender data included the word "minicirc," which implied that it was possible to send messages from the minicirc to the circ and vice versa (otherwise, why would they bother putting that in there?). The second important fact was that although messages were apparently sent by default to all users, one could specify a particular user who would be the only one to read a posted message.

I used the editor to write a letter and send it to myself. Then I logged off, called back and broke out to the programming environment as I had been doing. Pushing the debugger to its limits, I was able to use its file editors to find the letter I had written, and alter its contents. Instead of being directed to me on the minicirc, I changed it to be sent to the library director. And where originally the file had stored my own name - "New User" - I altered it to say that it came from some fictitious representative from the database company that had written the software. The bulletin instructed the director to call this person about some new improvements that could be gotten for free now that version nine had been released (reverse engineering!). I supplied a phone number to call. The number I gave him was that of a friend of mine, a fellow hacker named Morriskat, whom I had thoroughly briefed on how to act when the library director called. We set up Morriskat's answering machine so that if the director called when he wasn't there, a convincing song-and-dance would tell about the new products this company was offering at the time.

When the director did make the call, Morriskat talked about some upcoming features, then asked him some technical questions about the particular way the software had been installed for his library. The director didn't know the answers but, he said, he had a terminal right in front of him - he could log on... "Perfect," Morriskat said. "Just go through your usual stuff. Circ. JSC. Uhm, Social Security Number 402-66-0123. Are you still using the personal password we originally set you up with?"

"Yeah, 'Firebird.' Okay, I'm in..."

Knowing three out of the four security controls, projecting an air of omniscience, and having the spoofed e-mail as support, getting that final password was easy as pie.

For the last phase of the project, Morriskat and I sat down to see what we could do with the library director's system access. It turns out we could do plenty. We made up new superlevel accounts for ourselves. We were able to toggle access to virtually every aspect of the software to any other user. And we could print out personal information about every employee at the company - because every employee, whether they ever stepped into the company library or not, had a record in the library's computer. We knew what materials they had borrowed, their home and office phone numbers and addresses, and year of birth. Exiting from this level to the network server was simple to do, and from there we could login to one of the host computers using the library director's name and his password "firebird."

As the coup de grace, and to prove conclusively that I had done what I had set out to do, I used the programmer's interactive debugger editor to alter the library program's opening screen so that instead of giving an explanation of commands, it told a dirty joke. Then I left a file inside the library director's directory which explained how I had broken in. This story as I've told it here is pretty much that file, although here I've expanded more on the hackerish side of things.

Principles Combined

If you are to be a truly successful hacker, one who can hack on demand like this, then you must be a hack-of-all-trades.

It's not enough to be a spontaneous and smooth-talking social engineer. It's not enough to be a programming genius. It's not enough to have the perseverance of a marathon runner. You must have all of it and an imaginative, goal-oriented mindset as well. And the ethic. I truly believe that a hacker who lacks the hacker's ethic will be going nowhere fast, because if you don't show an honesty and compassion in what you do, others will not act kindly toward you and that quickly leads to trouble.

Did I display the hacker's ethic when I carried out the hack I've just described? Yeah - I had done nothing more than rename the file that contained the system's opening screen, and put the dirty joke in a new file with the old name. And I showed the library director how to go about switching them back. Later the two of us, along with members of the computing staff of the company held a meeting to discuss what actions would be taken to close up the security holes I had found. And, I should add, they have done so.



Concluding Thoughts

Ask any enlightened sage about the purpose for the existence of our universe - or ask any burning, age-old philosophic question of the kind - and the response will invariably be something like this:
"I can not say it in words. I know the answer - I can feel it, and I can feel myself knowing it. But to simply use words to describe an indescribable sensation is impossible."
Your natural reaction to this bull is, "What a phony!" And of course, he is a phony.
But he's also sincere. He truly believes he understands all the mysteries of the universe, and those many and varied teachings that make up the answers to those mysteries are things that must be experienced first hand. Things can be explained to you, but they can't be felt unless you yourself have felt them. So here is your passport to the world of hacking outside this book. You now know the ideas, the methods, the information and facts that will allow you to begin a hack in a systematic way, and you know what can be done to minimize mistakes and wasted effort, and reduce your chances of getting caught. But naturally, that is not enough. As with any hobby/game/education/occupation it takes trial and error, practice and experience, lots of time and patience and practice and more practice, before things work out as you would like

Other On-line Security Steps

In real life and detective fiction, the real enemies to a person's well being are patterns in that person's life. Having a regular schedule of activity may make life easier for you, but it also allows others to find you when you are trying to hide, and notice you when you are trying to remain inconspicuous.

As an example, consider the case of the oilman who would ask the system manager to mount temporary backup tapes every time he began a computing session. The oilman would then read from the tapes posted by the system manager before starting his work. The manager got suspicious fast: it was pretty evident that the oilman was looking for data that others before him had backed-up onto those tapes. That industrial spy, like many other hackers and crackers, was caught because he followed a pattern.

Criminals (and hackers) like to formulate plans of action. But remember, any plan you conceive should have elements of randomness to it. Don't allow yourself to always call at a certain time, from the same workstations or telephones, because one day you will arrive at your favorite hacking location and find someone standing there with a pair of handcuffs.

Once I got a list of Social Security numbers from sitting in on a computer class on the first day: the professor handed around a sign-up sheet for students to list their name and number so that accounts could be made for them on the computer system. I waited until the accounts were made, then I had to go in and try them out. But trying them all at one time would have been too suspicious. Instead, I tried a new one every few hours, a different name each time, so it would look as though different people were trying it out.

The system was secure in that it asked me to change my password upon first login. After doing so I was able to use the operating system's password-changing command to go back to the Social Security number so the original user could get in.

But in each user's directory I left behind a hidden program that I could use for remote file viewing and playtime later on.

If you ever get into a situation where you can't change the password back to its original form, try re-entering the password as some variation on the Social Security number. For 123-45-6789 you might enter 123456789 or 123-45-6780 or 123-45-67890, as if the typist's finger has slipped. If security precautions require a capital letter or something, use one that is close to the last digit in the ID.

It is equally important that your modus operandi change as you move from one hack to the next. As you know, once you're into a system you should do what you can to create a new account for yourself. But make sure you always use a different name and password, and make anything you input about your fictional persona as noncommittal as possible. It is a minor point, but one of the things investigators noticed when tracking down computer cracker Kevin Mitnick was that the words he used were often identifiable American vernacular, thus implying that he was in fact American (i.e., a spy from a Third World country probably wouldn't use the password "RENANDSTIMPY").



Security Logs

It is easy to get manufacturers of security products to mail you everything you would ever want to know about the things they sell. Here I am concerned mostly with software which quietly monitors the activity on a system, audits the system resources for misuses and irregularities, and keeps a disk-based or printed log of usage. Someone at the company takes a look at the log, then says to himself, "Hey! Mr. Poultry has been logging on every night at three in the morning. That seems unusual... Better have a chat with him..." Suddenly you're in an unsafe position, and you never even knew it was coming.

From your research into a particular computer you are looking to hack, you will know which security products are in force (by calling system operators feigning that you are a computer consultant, or by looking through the company's library of reference manuals). Get the descriptive literature from the manufacturer so you'll know what silent enemy you are up against.

Security logs - if they are in place and actually attended to - will alert administrators to any patterns which you create. Well, you're not going to create any patterns, but you're probably going to create some problems, and those, too, will show up on the security log's report.

If you plan to stay on a given computer for any length of time, for instance if you plan to use that computer as a springboard from which to jump around through the network, you must discover the security auditor and render it useless.

Don't destroy the auditor, simply reprogram it to ignore you when you log on. Or find out how it keeps a record of events and see what can be done to eliminate your own tell-tale traces. This should be a piece of cake, considering that if you're in the position to do these sorts of things, you most likely already have root access.

If you have been logging on in a similar way for a while, you might want to change previous log entries to reflect a more random login schedule. You may also be able to use a date or time setting command to control how the security monitor judges your behavior.


WARNING!

There have been many, many instances of hackers carefully editing out personal sections of audit records, only to find to their horror that they've deleted more than they should have. Or hackers who were trying to be helpful by cleaning up a messy program or fixing a typo in a memo, and having some disaster occur. You know you should always keep backups. The backup rule applies every time you use a computer, especially computers which aren't yours. If you feel you must alter a file that doesn't belong to you, alter a backup of that file. When you're done, make certain your changes are perfect, delete the original file and then rename the backup.

One simple task that most auditors and many secure operating systems will perform is the recording of unsuccessful login attempts. Again, research is needed to see how your particular target computer responds to inaccurate logon inputs. Some programs will let you try three or four username/password combinations before resetting and saving the last attempt. In that case you would try to always make your last login attempt something innocuous. Or to be safer, don't type anything for your last allowed login attempt. Instead, press Control-C or Control-Z or whatever it is you can use to break back to the previous level of interaction.

Auditing programs can be a nuisance if you're running a big job, such as a brute force password generator. If you're able, try to write these programs so that they get around the security logs. Going directly to the hardware may be one solution to this problem. Another, depending on what kinds of things the log is keeping track of, would be to rename suspicious commands, so that the log either won't know to record those commands under their new name, or if the supervisor reads through the log printouts, he or she won't notice any questionable activity going on.

Printed logs are a big problem. Any hacker worth his salt can go in and fiddle with records which have been stored on a tape or disk. But what if the security monitor makes a real-time printout of events as they occur? Then, my friend, you are stuck. Once a deed is done, it is trapped on that page for life.

The thing to do is catch any mistakes before you make them. Limit the number of illegal or questionable activities you perform until you can find a way to disable the printer. You may be able to use software switches to program the printer to print everything in a nonexistent font, or if it's a multi-color printer, in a color that has no ink cartridge or ribbon. Of course, since you're probably doing all this over the phone, you might not know what equipment is being used. However, it might be possible to reroute print jobs to an electronic storage medium, or to an unused port; that is, tell the computer to print stuff out on a printer that doesn't exist. At times it may even be possible to trick the computer into thinking it's printing to the printer when actually it's printing back through its own modem - and so you end up receiving reports of your own activities as you go about your business.
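The real-time printout described above matters to a defender because it is a copy of the log that the logged host cannot rewrite. As an added example (not part of the original text), the Python code below gets the same property in software: each audit entry is chained to the previous one with an HMAC, and the latest value is assumed to be anchored on a separate system, so edited entries, removed entries, a truncated tail and a clock set backwards all show up on verification. The key, field names and sample entries are constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64                 # chain value that precedes the first entry
KEY = b"constructed-demo-key"      # assumption: held by the log collector, not the logged host


def _mac(key, prev_mac, seq, ts, event):
    """HMAC over this entry's fields plus the previous entry's MAC."""
    payload = json.dumps([prev_mac, seq, ts, event], separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(log, key, ts, event):
    """Append an audit record that commits to everything written before it."""
    prev_mac = log[-1]["mac"] if log else GENESIS
    seq = log[-1]["seq"] + 1 if log else 0
    entry = {"seq": seq, "ts": ts, "event": event,
             "mac": _mac(key, prev_mac, seq, ts, event)}
    log.append(entry)
    return entry


def verify_log(log, key, anchor_mac=None):
    """Return a list of (index, finding) tuples; an empty list means the log is intact.

    Findings:
      gap    - sequence number does not follow the previous entry (record removed or reordered)
      mac    - entry content, or its link to the previous entry, was changed
      clock  - timestamp is earlier than the previous entry (system time set back)
      anchor - last MAC differs from the copy kept off-host (tail truncated or replaced)
    """
    findings = []
    prev_mac, prev_seq, prev_ts = GENESIS, -1, None
    for i, e in enumerate(log):
        if e["seq"] != prev_seq + 1:
            findings.append((i, "gap"))
        expected = _mac(key, prev_mac, e["seq"], e["ts"], e["event"])
        if not hmac.compare_digest(expected, e["mac"]):
            findings.append((i, "mac"))
        if prev_ts is not None and e["ts"] < prev_ts:
            findings.append((i, "clock"))
        # Continue from the stored values so one bad entry is reported once,
        # not repeated for every entry that follows it.
        prev_mac, prev_seq, prev_ts = e["mac"], e["seq"], e["ts"]
    if anchor_mac is not None:
        tail = log[-1]["mac"] if log else GENESIS
        if not hmac.compare_digest(tail, anchor_mac):
            findings.append((len(log), "anchor"))
    return findings


def build_sample_log():
    """Constructed sample audit trail (timestamps are seconds since an arbitrary start)."""
    log = []
    for ts, event in [
        (1000, "login ok user=poultry tty=3"),
        (1060, "login failed user=admin tty=3"),
        (1120, "su root user=poultry"),
        (1180, "logout user=poultry"),
    ]:
        append_entry(log, KEY, ts, event)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    anchor = log[-1]["mac"]            # in practice shipped to a separate system as written
    print("intact log:", verify_log(log, KEY, anchor))

    edited = build_sample_log()
    edited[1]["event"] = "login ok user=admin tty=3"   # entry rewritten in place
    print("edited entry:", verify_log(edited, KEY, anchor))

    removed = build_sample_log()
    del removed[2]                                     # one record cut out of the middle
    print("removed entry:", verify_log(removed, KEY, anchor))

    print("truncated tail:", verify_log(build_sample_log()[:-1], KEY, anchor))
```

The chain alone cannot reveal a cleanly truncated tail; that is what the off-host anchor is for, and it plays the role the printer plays in the text.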

A more troublesome form of paper log is sometimes used by organizations to keep track of who does what, when, and why. Some companies insist that each employee enter telephone calls in a log. A monthly review and a comparison of the log with phone bills is done - and if anything doesn't match up, well, you can figure out what happens next. If you sneak into an office to make long distance calls, you can be easily trapped with such a log, since you probably won't know about it. Even if you're dialing in from home (or a phone booth), a log can trip you up. If you use a company's computers to call other computers, that might be a toll call which would show up on the phone bill, but not in the employee log.

Companies may keep logs to verify employee comings and goings, and use of equipment. Stay on top of things because the littlest errors lead to the biggest downfalls.


In Public And On-Site

Doing any sort of hacking-related function in public or on-site - altering public access computers (PACs) or public access terminals (PATs), sabotaging for reverse social engineering (RSE), doing in-person social engineering (SE), using a university's computing facilities, or simply doing research at a library - is riskier than doing the same sorts of things at home. Not only do you have all the threats that a home-based hacker has, you have the additional concerns of whether or not you will be recognized or apprehended.

Use proven burglar's techniques when selecting a spot to do public hacking. When a burglar enters a house, the first thing he does is scope out all the exits. Don't sit down at a computer from where you won't be able to escape easily in more than one direction. And just as a burglar is always glad to see tall shrubbery to hide behind, you should try to sit at computers that are hidden in some way, with people or objects sitting in front of you, and hopefully a wall behind you, so no one can look over your shoulder.

Always be ready to leave a public hack at a moment's notice, and never get so involved with your work that you forget where you are. Remember, that's what happens to regular users when shoulder surfing takes place - they forget where they are and they let people see the secret things they're doing. A hacker must always be more security-aware than a regular user.

Take care to have a decent story prepared if you're trespassing, or if your actions will seem fishy to a passer-by. Make sure you dress the part of your story. Regardless of your story, clean dressy clothes are always a plus.

Finally, one should always keep in mind that a computer room is very likely occupied by at least one hacker or cracker at any given moment. Be alert to shoulder surfers, and to other tricks of the trade. When I sit down at a public terminal I always press the Break key a few times, and log off several times before logging in - just in case someone has set up a simulation trap.

Be cautious, too, upon log out. Some terminals, such as the Tektronix 4207 and others, maintain a buffer of the screen display. Often that buffer is not cleared, even after log out. What that means is, some unsuspecting soul walks away from the terminal, but leaves behind a record of every action taken during his or her session. Anyone can go over to that terminal now and access, read, even print out dozens or hundreds of screenfuls of data.


While Off-Line: Minimizing Losses

Okay, so what if all of this doesn't help you? What if you still get caught? It's good to be prepared for such an emergency so if the feds do catch up to you they at least won't have any evidence on which to base a trial.


Maintaining Your Computer

You should routinely look at the files stored on your computer and destroy those which you illegally acquired. When I say "destroy" I mean it - don't just delete those files: overwrite them with a single repeated character, encrypt them with the lengthiest, twistiest key you can fathom, and only then erase those files. You can use a "Wipefile" or "Wipedisk" program to write over data. That way you won't have compu-cops poking around in your secrets.

Also keep in mind that sometimes pieces of files get lost or unattached from the files to which they belong, or parts of files get duplicated elsewhere on your disks. It's a good idea to regularly check for these orphan text strings and eradicate them if they contain incriminating evidence.

Any computer file which you simply can't destroy must be encrypted and, ideally, hidden under an inconspicuous filename, such as PACMAN.EXE.

There are other matters to consider, other things about your computer that might not directly convict you, but can lead to evidence that will: terminal programs, autodialers, databases of modem numbers and account codes, lists of BBS numbers (especially pirate, phreak or hacking boards), and any other program that could even remotely be linked with a crime.

To play it safe, I use physical locks on my computers along with software "locks." I programmed all my computers to check for a particular key being pressed during the start up procedures. If the computer goes through its entire start up mode without detecting that key, it knows that something's wrong. It will then call a time-and-date subroutine. The routine shows the correct time and date, and gives me the opportunity to correct them. I must input a certain time and date, otherwise the computer will display a "LOADING MENU" message and remove the directory in which I keep all my naughty stuff. There is an opening menu too, which one cannot enter or exit without inputting the proper password.

Luckily, I've never had my computers seized. If I ever do, I pity the untrained lummox who gets to go through my stuff; my systems are all booby trapped to destroy incriminating evidence. And even if he's prepared for that, he still won't know how to prevent it from happening!



Keeping Your Other Stuff

Once a law enforcement official has a warrant for your arrest, he or she can legally steal all of your computers and peripherals, blank disks and audio cassettes, commercial software and documentation, printouts and operating logs, telephones and answering machines, any piece of electronic equipment as well as any papers indicating that you are the owner or user of that equipment, wires and loose parts, model rockets, disk boxes, radios, soldering irons, surge protectors, books, journals, magazines, et cetera. These things I've listed are all things that have been seized in past raids. Also, if the crimes which you are suspected of committing are related to a specific place or person, they will seize any papers or evidence with which a connection may be made between that place or person and the crime. They purposely write their warrants to allow seizure of a wide range of items, and believe me - they will take all of it.

And don't expect to get any of it back in one piece, either. This is yet another reason why, as I said in the beginning, it may not be such a great idea for hackers to even own a computer. It's sad but true, and so you should do your best to hide anything when you're out of your house or not using your equipment. If you have printouts or notes lying around, keep them in folders marked "SCHOOL HOMEWORK" or "CHURCH GROUP". Make the marks big and visible, and innocuous, and maybe they'll overlook the folders' contents.

It is a myth commonly heard that computer printouts cannot be used as evidence in court, since they are so easily forged. The truth is, a printout is just as valid as any other piece of written evidence, as long as it can be shown to have been made at or near the time of the criminal act, or during preparation for the act. If a Secret Service thug, after taking your computer, makes a printout of a file contained on it, then that printout is invalid evidence, since he made it and not you. On the other hand, if there is in fact some accessible incriminating evidence stored on your computer, the prosecuting attorneys will know how they can legally present it to the court (I presume by bringing your computer into the courtroom, plugging it in and firing away). On the other hand, the feds are so good at smashing up seized computer equipment that you probably have nothing to worry about!

It is important that when you hide stuff, you make it look as if the stuff has no connection with computers or electronics. Law enforcement officers are smart enough to get warrants that let them take anything even remotely connected to electricity. Let's look at a hypothetical example. Suppose underground information were routinely distributed on audio cassettes. Naturally we would resort to putting that information on store-bought tapes with legitimate names - Beatles, Grateful Dead, whatever. The cops would know that, and thus would want to get their hands on every tape we own, including ones that look as harmless as rock and roll.

As hackers, we do exchange information and keep records on disk. So if you have a box of disks containing all your hacker stuff, you can't simply label the disks with names like "Space War" and "Pac Man." They will suspect either that the disks have been labeled misleadingly, or that the games themselves are real. (Think of Steve Jackson.) Besides, in their raid they won't stop to sort seemingly irrelevant belongings from the obviously illegal ones. So you'll have to hide the disks themselves, and hide them in a way that is unrelated to technology. The same goes for your other electronics equipment, and anything else that might reasonably be stolen by the feds. For example, I keep my backup disks in a graham cracker box. Am I being paranoid? I don't think so. I store my laptop in a big corn flakes box up in the closet - it's just as easy to keep it there as anywhere else, and doing so makes me feel more secure.

You already know how companies leave helpful information in their garbage bins, but you should realize that your garbage is just as helpful to someone investigating you for computer crime. Anything incriminating you want to discard should be destroyed beyond recoverability first, and discarded from somewhere other than your home. When I say "destroyed" I don't mean putting it through a shredder - I mean completely destroyed. If the Secret Service finds shredded paper in your trash, they WILL piece it back together.

Paper printouts should be soaked in water to wash away the lettering, and then shredded. Disk contents should be encrypted, then deleted. Disks should then be zapped with a strong magnet (bulk erasers, called degaussers, are available to do just that) and the disks themselves chopped up. (This behavior is not paranoid enough for the US Department of Defense, which, according to Lance Hoffman in his Modern Methods for Computer Security and Privacy (Prentice-Hall, Inc., Englewood Cliffs, NJ: 1977), "feels that there are techniques for electronically retrieving overwritten information and thus requires destruction of the recording medium.") These items can be anonymously deposited in some public garbage can, or in the case of paper, a public recycling bin. I'm serious! You do this and you've just blown away any "theft of trade secrets" indictments they wanted to hang on you!



Conclusion: How To Get Caught

This is a book of methods after all, and so here is a list of methods NOT to follow. If you do these things, you will definitely get in trouble. Because, you see, there are five ways you, the hacker, can get caught hacking:
1. by traces or technical means,
2. by being finked on,
3. by getting many agencies ganged up against you,
4. by making a mistake, or
5. by being made (recognized).

You will get caught by phone line traces and other technical means, such as audit logs. So don't keep a routine. Switch the phones and computers you call from all the time.

You will get caught by getting ratted on. Maintain contacts with other hackers, but do so discreetly. Don't tell anyone who doesn't need to know about what you're up to. Above all, be nice to the people you come into contact with while sharing hacking tales, doing research, or while performing the hacking itself. Be nice to them, and hopefully they will be nice to you.

You will get caught by getting many agencies ganged up against you. Don't steal or destroy or vandalize. These things make you look bad, and downgrade hacking in the eyes of those investigating it. Hackers have a bad enough image as it is, mainly because hacking's most public practitioners are nerdish eighth grade heavy metal pseudo-anarchists with skin problems. If you remain true to hacking ethics, you will fare better than if you demolish what you hack - because fewer agencies will be willing to pursue you. Tiptoe.

You will get caught by making a mistake. It is a mistake not to take all of these precautions. Always think before you act. Never reveal anything about yourself. Remember to delete backup files. One of the things that tripped up Lt. Col. Oliver North - according to Donn B. Parker in his Computer Crime: Criminal Justice Resource Manual - was that he:

did not understand that using the ERASE command in the White House Executive E-mail system merely removed the name and storage address of an E-mail message from the directory of messages; it did not destroy the contents of the message. In addition, frequent backup copies of all messages were made and stored for later retrieval in the event of a computer failure. As a result, much of his correspondence was retrieved as evidence of possible wrongdoing.

You need to be especially vigilant about timed backups which are made automatically, without your consent.

If you're careful, you will make few mistakes. But the most careful hacker can be tripped up by the mistake of assuming a course of action is infallible when there are, in fact, gaping holes in it. For example, in 1974 a criminal in Tokyo tried to use one of the fundamental properties of electronic transmission of data in his favor - the delay that comes about from data being shuffled through cables or telephone lines.

The criminal opened a bank account using the false name S. Kobayashi, then proceeded to withdraw small amounts of cash from automatic teller machines (ATMs) scattered around Japan. Each time, after he withdrew some money, he would telephone the bank to find out the status of his account. By doing so, Kobayashi found that it took twenty minutes for the bank's central computer to register a withdrawal from a remote cash-dispensing machine.

Later, Kobayashi used this information after carrying out a kidnapping. He demanded a ransom of 5 million yen to be paid into his account, figuring he would have twenty minutes of getaway time while bank officials waited for the main computer to receive the information regarding from which dispenser the sum had been withdrawn. The plan backfired because of this one assumption. What Kobayashi didn't realize was that programmers at the bank were able to reprogram the central computer to immediately identify which machine the criminal was using. Police were stationed close by to each of the bank's 348 ATMs, and when the kidnapper retrieved the money, he was caught.

Look out for the unexpected twists in your plans, and remember that there probably are people on the other side trying to find ways to foil you.

Finally, you will get caught by being recognized. In public places, make sure you stay unobtrusive.

The surest way to NOT get caught is to NOT start hacking. But then, the surest way not to die is to live an inactive life. Part of your life is computers and the things you can do with computers. Without hacking, all you have to do with computers is business stuff or school stuff, a little game playing, and possibly some programming.

But WITH hacking, you have instantaneous control of the world. Enough said. May we all have a good many peaceful, happy hacks!

Hacker Security: How To Keep From Getting Caught

Hacking is fun. Hell, it's exhilarating. But it's also illegal, sometimes immoral, and usually punishable. Even if what you're doing is perfectly innocent you'll be hard pressed to find an acceptable excuse for it in court. The very least that might happen is the security holes you utilized the first time around might get patched up.

More serious punishments inflicted by the courts can include community service, fines and even prison, as we've seen. Informal punishments include the unofficial destruction of your equipment by law enforcement officers, and being blacklisted from tech-related jobs.

Consequently, the prudent hacker has two goals in mind while hacking. Number one: don't get caught. Number two: if you do, don't make it count. This chapter will present strategies the careful hacker will follow to ensure both situations are true.

Hacking - to use one's curiosity about computers to push them beyond their limits - involves not just technical knowledge but also the hacker's mindset. Part of the mindset must deal with keeping oneself safe, or else the rest of it has been all for naught. Accordingly, the strategies here should not just be known by rote and followed, but expanded upon to apply to new situations. Remember, there have been many computer criminals who've been sent to prison. True, some have even hacked while in prison. Some even learned to hack in prison. But you don't want to go to prison. So when you're on-line, in public, in private, or just living through your life, make sure you apply these guidelines.



In Researching

There may be local ordinances in your area forbidding machines or people to continuously dial up numbers and disconnect, as with an autodialer program which searches for dial-in lines. If you make the calls yourself it's better to say a simple, "Sorry, wrong number," than just hanging up and annoying all those people. Remember the "pers-pros" rule: The more people you get angry at you, the more likely it is you'll be persecuted, and the more likely it is you'll be prosecuted.



In Social Engineering

Some social engineering and most reverse engineering requires authorized user contact over the telephone or through the mail. This is obviously risky since you are giving out your address or telephone number to people whom you are about to defraud. Hackers have utilized several ingenious methods to overcome this problem.

Once I found a small business with a technical-sounding name that would be closed for a few weeks over the summer. By doing some hacking, some research, and rubbing my lucky rabbit's foot I was able to come up with the code that released messages left on their answering machine. That gave me a way to have people contact me without them knowing who I was.

I put up some phony advertising for a computer network, instructing people to call and leave their name and vital data. I could call up the machine whenever I wanted, punch in the magic code and listen to those messages. When the store reopened, I called them up, saying I was from the phone company. I told the store owner that some lines got crossed, so they might get some weird calls.

Some hackers will simply change a pay phone to residential status and work out of there.

In order to work a social engineer through the mails, you could rent a private mail box or mail drop. One hacker found a cheaper solution. He noticed that the P.O. Box underneath his in the college mail room was always empty. Apparently it was unassigned. The mailboxes are open in the back so workers can stuff the mail into them. This hacker took an unbent clothes hanger and a metal clip, fashioned them together into a grabber that he could slide into his box and go fishing into the mailbox below his. Later I showed him how to determine the combination of the box, so he wouldn't have to do all that. For a long while the box remained unused, and he was able to get all the secret mail he wanted sent there.


Dialing In

"If you don't want it known, don't use the phone."
- Nelson Rockefeller

When you're new it may be okay to dial up remote computers from your house, but once you've been around a while you'll never know if your phone is being tapped or your computer usage being monitored. So when you're past your hacking childhood, make sure to never make an illicit call from your own house, or from any number that can be traced to you.

Even when you are new to hacking, you could be in trouble. Imagine if you become a regular on the TECHRIME-USA BBS, right about the time an FBI officer is planning to bust the sysops for conducting illegal business on their board! You don't want to get involved with that, especially if you haven't done anything illegal. Even scarier than that are semi-reliable rumors which have been circulating through branches of the technical underground which imply that the phone companies routinely monitor and record modem conversations which pass through their lines. This is supposedly done automatically by detectors which listen for modem tones, and will then turn on a recording device to keep a record of the call. Even if the gossip turns out to be false, consider this: (1) We obviously have the technology to do such a thing and, (2) it is well known that the NSA records many, many phone calls.

So... If you must associate with known computer culprits, or with established hackers, do so as covertly as possible. Not calling from your house means calling from someplace else. That means you may want to splurge for a portable laptop computer. While you're at it, buy an acoustic coupler and an external modem to go with it. All this should run you about one or two thousand dollars - a lot less than the cost of retaining an attorney to defend you in court.

The acoustic coupler is necessary because not every place you hack will have a telephone jack to plug into. The external modem is needed to plug the coupler into. While many laptops come with modems included, they are generally internal models, and so cannot be coupled to a telephone handset.

Now that you have your equipment, where should you take it? There are plenty of places. At night and over the weekend you can sneak into many big office buildings and, if the right door happens to be unlocked, sit yourself down at a cubicle and chug away.

Two summers ago, I was walking past my local municipal center a little past 9 p.m., and I noticed that every office had their windows open. Every office - at night! Their air conditioner must have malfunctioned during the day, as it had been incredibly hot. Needless to say, if I'd been in the hacking mood I would've scrambled through a window and hooked up my portable to a telephone. I could have been making illegal computer B & Es while making a physical B & E, all just a few doors down from a bustling police station - and with no one being the wiser.

If you have money lying around, or if you have a hacking expense account, you can always hole up in a hotel or motel to do your hacking.

The money problem is one which gets to hackers in other ways. Phone bills add up fast, which is why most serious hackers are phreaks too. A phreak is someone who hacks the telephone networks. One of the major aspects of phreaking is the producing of code tones which signal the telephone system to perform special functions, such as place long distance calls for free. Phreaking is definitely a major area for hackers to investigate, and the telephone system - and especially the computers which run the system - is something which all hackers should become intimately familiar with.

Many hackers will say that any hacking other than hacking the computers which run the telephone system is child's play. This is true to some extent. The telephone computer networks are incredibly large, sprawling, wonderful masses of intricate functions, enormous databases, technical operations and blinding wizardry which makes hacking anything less look pitiful.

Once the phone line leaves your house it goes to a local switching center. This center controls all phones in your neighborhood, which may mean as many as 15,000 telephone lines. Each neighborhood switch is managed by its own computer. These computers are the essential targets of the phone company hacker; if you can access the computer, you can access every phone that it switches. You can turn phones on and off, reroute calls, change numbers. You could, if you were not a hacker, wreak quite a lot of havoc.

There are also switched networks which connect the computers that run switches. From there you can go to regional maintenance systems such as COSMOS (which sends out instructions to create and kill phone numbers, among other things) and MIZAR (the local MIZAR actually does the work that COSMOS sets up).

Once you've gotten familiar with the intricacies of these telephone computers, you can use them in ways to protect yourself. For instance, you know you probably don't want to place hacking phone calls from your house. What you can do is connect to a neighborhood switching computer, take the phone numbers of some local pay phones, and deactivate their need for coins. You then use the pay phones to call or hack any place in the world.

Or you can use a MIZAR - which, as far as is known, does not keep records of its activities, unlike COSMOS - to temporarily change your present phone number to that of a nearby church. If your call gets traced, you'll be sending the feds on a wild goose chase.

I want to make the point that dialing in to a remote computer is not as safe as it feels. Communicating through a telephone or through a computer sometimes gives you a false feeling of protection, especially when you become good at hacking and phreaking, and turn from confident to cocky. Don't let that happen to you. Remember to always follow these safety rules.

Don't set up patterns of behavior. Always call from a different place, at different times of day.

When is a good time to call? Ask hackers this and each one will give you a different answer. Late night is good because system administrators will probably have gone home already - but then, so too have most valid users, so you'll stand out like a clown at a funeral. You can try hiding yourself within the bustle of heavy usage times, like mid-morning and afternoon, but then the mainframes will be at their slowest, your activity can easily still be noticed, and the account you've hacked may be unavailable for your usage. There really isn't any perfect time to call. Some research into how the company structures its computer guard duty may help.

Time how long you're on the phone with a machine. A phone trace is instantaneous if you're local, and takes just a half a tweak longer if you're calling from far away. But it's still not wise to stay on a single line half the day. Move around a lot, calling from different phone numbers, to different access numbers. If your target has multiple dial-in lines, randomly choose from all of them.


Laptop Hints

Since you'll be calling from who-knows-where on your portable laptop, here are some suggestions to help you get connected.

When in an unfamiliar domain, such as an office, hotel, schoolroom after hours, or otherwise, your laptop is of infinite value - so long as you can get it to work. Never plug your modem into an unfamiliar phone setup until you've verified that doing so won't burn out your equipment. Many offices have installed their own electronic phone systems, called PBXs, to facilitate special functions such as in-house dialing and phone menus, or to block certain phones from making long distance calls. Some of these PBXs place a current into the telephone wires that is powerful enough to damage your delicate modem. To see if the line you have in mind is safe, try plugging in a really cheap phone first. If it works, your modem should, too.

PBX-networked phones may not work with your modem because of special audible or numeric codes used in local routing procedures. If you get a dial tone on your cheap test phone but your modem won't work, you can assume that it's the PBX system at fault.

To correct the problem you have to plug the modem into the phone jack, and connect the room phone (not your cheap one) to the modem (you may need a special double port for this). To use the modem you place the call using the room telephone, and when you hear the remote computer ringing, turn your modem online and hang up.

Alternatively, devices can be bought to process signals as they go between the telephone handset and the modem. The device converts ordinary modem signals so they will work on digital systems such as a PBX. This may be a more suitable alternative if you find yourself having to bypass PBX phones a lot.

Sometimes you can find yourself in a place with a telephone, but no plug-in jack for your modem, for instance if you are using the phone from a public fax or automatic teller machine. In these cases, unscrew or pry off the mouthpiece of the phone and use a cable with attached alligator clips to connect the red and green wires from your modem wire to the two silver mouthpiece contacts inside the telephone handset. This can easily generate a poor signal, so if you have the actual telephone (not just the handset) available for vandalism, take apart the entire case and clip your red/green modem wires to the red and green cable leads from the telephone's transformer. You will then have to hold down the switchhook on the telephone to place the call.


Your On-The-Road Kit

Make sure you have this stuff with you when you go hacking on the road:
• A laptop, or otherwise portable, computer. Must have a modem. Preferably two: an internal, and an external with acoustic coupling cups.
• One small, cheap, reliable telephone for testing line voltages. You can use a commercial tester for this, but the phone comes in handy in places like motels, where you may want to connect to a telephone but the acoustic coupler won't fit on the phone they supplied.
• An extra phone cord, with an RJ-11 modular clip at one end (the standard, square telephone plug-in thingy) and with alligator clips at the other end.
• Wire cutters, screwdrivers, and assorted coil cords with various size ports.


System Tiptoeing

Even the best-intentioned, the most honorable and nondestructive of hackers are thought of as evil by the managerial population. This means that if you're caught breaking into computers that don't belong to you, expect some trouble. Even if the hacking you were doing is completely benign, you are likely to be punished in some way. I've seen reports that estimate the cost of computer crime per year at $3 billion to $5 billion - and that's on the low end. Other sources list figures as high as $100 billion.

Even the $3 billion figure, to me, seems pumped up for insurance purposes, but the people who run businesses and government don't see it that way. Government and industry people will realize that most computer crimes go unreported, and so the true cost is likely to be much higher than the official estimate. Even if these dollar amounts are bogus, that's what people believe, and so they will be even more inclined to prosecute someone who they believe is contributing to that multi-billion loss every year.

Let's take a brief interlude here and examine the case of the Greenwood Family Hospital BBS.

"Pretty Theft" is the name of a hacker I used to communicate with infrequently. One day she sent me a message on a BBS asking if I knew how to get into the computers of a certain hospital that was in my area. I was puzzled, because that hospital was the easiest thing in the world to get into - in fact, it was one of my earliest successful hacks.

When you logged onto the system, you were greeted with this informative message (names and numbers are fictitious, of course).

Welcome to GFH-NET!
300-2400 baud (123)456-7890
GREENWOOD FAMILY HOSPITAL
GFH-NET IS MAINTAINED BY ROGER CORNWALL AND HAROLD LIPNICK
QUESTIONS OR COMMENTS? E-MAIL TO THEM!!!

WHAT IS YOUR NAME? TYPE IN FIRST AND LAST:
WHAT IS YOUR PASSWORD? TYPE <RETURN> ON A BLANK LINE IF YOU DON'T HAVE ONE:

A few months after I began actively hacking, I was using my computer and watching the evening news when a story came on about the governor breaking his arm and being rushed by helicopter to a hospital. I thought to myself, "Hey, hospitals must use computers, right? I can probably get into one!" So I got the supposedly private number for the Greenwood Family Hospital Network, and I called up, and I got that welcoming screen. Guess what I did next? It's not too hard to figure out what I did! Naturally, I typed in ROGER CORNWALL for my name. Unfortunately, the real Roger Cornwall had a password of some sort; pressing Return on a blank line just got me an error message. So I tried HAROLD LIPNICK. Again, no go.

I went into the kitchen, got out the phone book, looked up the telephone number of Greenwood Family Hospital, and I called it. A woman answered:

"Greenwood, may I help you?"
"Yes, please," I said, "Is Tom there?"
"Who?"
"Uhm.... There's some guy there I spoke with earlier... Your supervisor or somebody?"
"Lee Brown, you mean?" she asked.
"Oh yeah, I guess that's it. I don't know where I got Tom from. Uh, is he there?"
"Nope. Lee left at five."
"All right, thanks."
"Bye-bye."

I went back to my computer and called back GFH-NET and tried LEE BROWN for the name. Once again, I was out of luck. However, after a few more phone calls to the various numbers listed for the hospital, I came up with a guy (a resident) who had not bothered with a password.

GFH-NET turned out to be nothing special after all. It had nothing to do with hospital billing, patient records, or anything else pertaining to the actual running of the place. Mostly it was like a doctor BBS. From what I could make of it, it was medical students discussing problems with the doctors on the system. No file transfers or anything; just a very simple messaging system. It was no big deal, but it was fun to get into.

The next day I looked through the doctors in the yellow pages, and I found about eight listed who had Greenwood Hospital addresses. Out of those names, three had no password.

So anyway, I was puzzled as to why Pretty Theft couldn't get on there. I called it up for the first time in years, and to my surprise found this nasty logon screen awaiting me:
USE OF THIS SYSTEM IS RESTRICTED
TO AUTHORIZED PERSONNEL ONLY!
EVERYONE ELSE MUST HANG UP NOW!

All useful information was gone! All that remained was an angry note and a nonuseful arrow prompt.

I tried some of the old names I'd figured out way-back-when, and found that all of them had passwords now. I tried some more social engineering, but everyone I spoke to kept their mouths shut about everything. (Later I was able to get onto the real hospital system with the help of some nice receptionists in the administration department.)

I e-mailed a letter back to Pretty Theft. I asked her what had happened there. The next day I got her reply:
Last month a friend of mine was in the hospital, so I wanted to see if I could change his bill. I remembered you giving me the number two years ago or something, so I looked it up in my book and I was surprised I still had it. I knew the name of my friend's doctor, and when I was there visiting him, I got the names of lots more from the paging system (you know, "Calling Dr. Bower...") and from charts on the walls. Then I went on the system and was trying all these names, when the sysop came on and threw me off. Every time I tried getting on after that he kicked me off. Next morning at about 8:00, I finally got on. One of the doctor's names I tried had the name as a password too. Well as I guess you know, I couldn't change my friend's hospital bill, but I couldn't do anything much else either... after giving my name and password, it just froze. That night I tried it again, and there was a message before it asked for your name. It said, MOST OF THE IMPORTANT FILES HAVE BEEN DELETED BY SOMEONE OR SOMETHING. THE SYSTEM WILL BE DOWN FOR A WHILE - ROGER. A week later I tried it again, and the phone just rung. I didn't do anything to it, but I guess the sysop thought I or someone else deleted the files. A few days ago I called back for no reason, and, well, you know. I guess they got smart?

Yes, Pretty Theft was right. They had gotten smart, and because of it, security was tightened. It is for this reason that hackers should not announce their arrival to a system, nor do anything to attract anyone's attention. There is only one case, really, when you would want to show yourself to the system operator, and that is when you've found out everything there is to know about a system and are never going to call back again.

Incidentally, Roger and Harold had gotten smart in some respects, but remained dumb in others. Through continued perseverance I was able to get onto GFH-NET again. As it turns out, I'd gotten smarter too; the medical conversations between doctors and students seemed a lot more comprehensible than they had been just two years before. Maybe it was the students getting dumber?

There was also an old bulletin posted from one of the sysops. It explained as much as he knew about what had happened (which wasn't much). Mostly it said that certain files were deleted, and many of the bulletins were replaced with obscene musings on female anatomy. From what he said, it sounded like the files could have been erased by either a clumsy system operator, or perhaps a malignant hacker. I did a little investigating, and found that although it was not listed in the main menu, pressing "T" brought me to a defunct file transfer system. With a few minutes of thinking, it was easy to see how someone could've uploaded a program that would delete whatever files were in the root directory after a rebooting of the system.

The next day I typed up a long letter to the sysops at the hospital, explaining everything, what they could do to correct the problem, and how other security breaches could be curtailed. I signed it, "Sincerely, Polly Wanza Hacker." Then I called back the BBS and uploaded it to them. Soon after, I got this message from Pretty Theft:

"There's a new logon screen at the hospital. It says: 'THANX POLLY! - SIGNED R.C. & H.L.'"

I couldn't have been happier.



Lessons From The Hospital

You already know system operators don't want you on their system. That's why you have to hack in the first place. But if you make it known that you're there, you will compound your difficulties considerably. On GFH-NET, the sysops went crazy when they realized their computers were being abused, and they made it a lot harder to get into. On a little BBS like that, you might not care whether or not you get in, but if you're dealing with something big - like some government agency - you don't want to start messing around. If you do show yourself in any way - like by a million log entries of "USER FAILED LOGON PROCEDURE" from when you tried every word in the dictionary as a password - the sysops are going to get concerned, at the very least. Concerned sysops mean no information will be given out over the phone. It may mean changing every legitimate user's password, or cleaning up dead accounts that might otherwise facilitate entry.

Alternately, if you have a nice feeling about a certain system, and don't want to see it get hurt (and you don't mind possibly eliminating your chances of ever getting back on it), you would be wise to consider informing the system operators about all the little quirks you know about their precious system.

Many times, they won't believe you. They won't even bother trying what you suggest they try, either because they have a huge ego that can't be wrong, or because they think it's some kind of a trick, or god knows why else. But if they do believe you, and they take your advice, they will be quite grateful and, if you ask, might give you a low-level account on the system, or some handy tips. Tell them you'll be their unofficial security advisor. Some of them can be quite good about it, though others will think you're up to no good no matter what.
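The GFH-NET story turns on two things a sysop can check for: accounts with no password or with the user's own name as the password, and a run of failed logons spread across many different names. The sketch below is an added example, not code from the book; the account table, the log line format, and the thresholds are constructed assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed account table: name -> password as seen at password-set time
# ("" means the account has no password). Names and values are fictitious.
ACCOUNTS = {
    "ROGER CORNWALL": "k7#mQz",
    "HAROLD LIPNICK": "v2!pLx",
    "LEE BROWN": "t9$wRd",
    "ALAN BOWER": "",          # no password at all
    "JANE DOE": "JANE DOE",    # password is the account name
    "SAM ROE": "roe",          # password is one word of the name
}

def audit_accounts(accounts):
    """Return {name: reason} for accounts anyone who knows a name can enter."""
    findings = {}
    for name, password in accounts.items():
        words = name.upper().split()
        if password == "":
            findings[name] = "blank password"
        elif password.upper() == name.upper() or password.upper() in words:
            findings[name] = "password derived from name"
    return findings

# Constructed log excerpt. The line format is an assumption for this example;
# only the "USER FAILED LOGON PROCEDURE" wording comes from the text.
LOG = """\
1991-03-04 20:01:13 LINE1 USER FAILED LOGON PROCEDURE name="ROGER CORNWALL"
1991-03-04 20:01:50 LINE1 USER FAILED LOGON PROCEDURE name="HAROLD LIPNICK"
1991-03-04 20:03:02 LINE2 USER FAILED LOGON PROCEDURE name="LEE BROWN"
1991-03-04 20:04:40 LINE1 USER FAILED LOGON PROCEDURE name="ALAN BOWERS"
1991-03-04 20:05:10 LINE2 USER LOGGED ON name="JANE DOE"
1991-03-04 23:30:00 LINE1 USER FAILED LOGON PROCEDURE name="SAM ROE"
1991-03-04 23:30:20 LINE1 USER LOGGED ON name="SAM ROE"
"""

EVENT = re.compile(
    r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (LINE\d+) '
    r'(USER FAILED LOGON PROCEDURE|USER LOGGED ON) name="([^"]*)"$'
)

def parse_log(text):
    """Parse log text into (timestamp, line, succeeded, name) tuples."""
    events = []
    for raw in text.splitlines():
        match = EVENT.match(raw.strip())
        if not match:
            continue  # skip anything that is not a logon event
        stamp = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
        succeeded = match.group(3) == "USER LOGGED ON"
        events.append((stamp, match.group(2), succeeded, match.group(4)))
    return events

def detect_name_guessing(events, window=timedelta(minutes=10), max_names=3):
    """Alert once per burst when failures inside `window` span more than
    `max_names` distinct names, and flag any logon that succeeds mid-burst.

    Failures are pooled across dial-in lines, because a caller can move
    between lines; per-line counting would miss that.
    """
    recent = deque()   # (timestamp, name) of recent failures
    alerts = []
    in_burst = False
    for stamp, _line, succeeded, name in events:
        while recent and stamp - recent[0][0] > window:
            recent.popleft()
        if not succeeded:
            recent.append((stamp, name))
        distinct = {n for _, n in recent}
        guessing = len(distinct) > max_names
        if guessing and not in_burst:
            alerts.append(("name-guessing", stamp, sorted(distinct)))
        if guessing and succeeded:
            # May be a legitimate user, but worth checking that account first.
            alerts.append(("logon-after-guessing", stamp, [name]))
        in_burst = guessing
    return alerts

if __name__ == "__main__":
    for name, reason in audit_accounts(ACCOUNTS).items():
        print(f"AUDIT  {name}: {reason}")
    for kind, stamp, names in detect_name_guessing(parse_log(LOG)):
        print(f"ALERT  {stamp} {kind}: {', '.join(names)}")
```

The late-evening failure followed by a success for the same name raises no alert, since a single mistyped password is normal use.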



BBS Protection

This section deals with the two issues of security for the hacker involved with BBSs: hacker as user, and hacker as sysop. These are actually intertwined issues, as sysops of one BBS will generally be users of other BBSs. You should take these safety precautions on all BBSs you use and run, and should not hang around systems which do not employ a high degree of hacker security.

Do not post messages concerning illegal activities on any BBS where you don't feel completely secure. This means it's bad practice to brag about your hacking exploits in private e-mail as well as public message bases. If you are actively involved with BBSing, by all means become good friends with non-deviant systems, if only to maintain a balanced perspective of your computorial existence. But make sure that what you say on those boards does not implicate you in any way with any crime.

Don't get me wrong. I don't want to imply that posting messages about hacking on a hacker BBS guarantees safety, because it doesn't, of course. When you start sharing secrets on a hacker BBS, you'd better make sure the sysop takes all of the following safety precautions: user screenings, a false front and hidden back boards, double blind anonymity, encryption, and affidavits of intent.

The most important aspect of any hacker group, club, or BBS, is secrecy. A true hacker BBS will not advertise, because it does not need new members. A hacker BBS will seem to be a very homey, family-style BBS up front, but type a code word from off the menu, enter a password or two, and you enter the hidden realm. Hacker BBSs should further protect themselves by only allowing specified users to enter the secret parts of its domain, to prevent unauthorized hackers or pseudohackers from breaking in to your meeting place.

Any hacker BBS which does not take this minimal precaution of pretending to be legitimate, is juvenile, dangerous, and not something you want to be a part of. Going up the scale of stupidity just a bit, I've seen plenty of "hacker" BBSs which allow access to the hidden part by entering words like "DEATH" and, yes, even "PASSWORD" as passwords. Needless to say, the information found on such boards is very low content, and usually consists of the various users calling each other dickheads.

No new users should be allowed on a hacker BBS unless one or several existing members can verify that the potential user is not a cop, will abide by the club's law of conduct, has information to share, and will not be a big blabbermouth. As a sysop, you will enjoy composing the list of rules that govern the way the BBS takes in new members. Remember, any new member should not even know that the BBS exists until the time when he or she is accepted into it. That will keep out law enforcement people, and keep in only the best hackers available.

Once a member has been verified as clean, his or her private information should be destroyed from the computer records. In fact, think about the BBSs on which you are a current member. Are there any which are likely to be busted in a raid? Even if you aren't doing anything wrong on the system - even if nobody on the system is doing anything illegal - you know very well how mixed-up the feds get when it comes to computers. You don't want your name brought into a computer crime trial, even if the case is thrown out of court before it begins. So if you're a member of any subculture BBS, tell the sysop to replace your personal information (name, address, phone number) with falsehoods.

If you ever register with a BBS but decide not to call back, make sure to inform the sysop that you want your information deleted. (Verifying that such information has been altered or deleted is one legitimate reason for hacking a BBS. Legitimate, that is, from a hacker's ethical point of view.) It is important to do all this, because there are impostors out there who are very good at catching hackers when they least expect to be caught. In June of 1987, an AT&T security official logged onto a Texas BBS and found messages from a hacker boasting about how he'd gotten into a certain company's computer system. This led to the hacker's arrest.

Note that since the hacker undoubtedly used a handle on the BBS, and it was a hacker board, the official might have hacked himself to get the hacker's real name. In any case, make sure your real name, address and other identifying data never stray to unsafe waters.

Before we start talking more about what you can do as the sysop of a hacker BBS, let's conclude with a real life example of what happens when hackers DON'T follow the advice I've listed above. In 1986 a BBS called simply and arrogantly, "The Board," came into being in Detroit. The Board was run off an HP2000 computer, and attracted hackers and crackers (and would-be hackers and wannabe crackers) from all over. On August 20, the following ominous message appeared on The Board when one logged in:
Welcome to MIKE WENDLAND'S I-TEAM sting board!
(Computer Services Provided by BOARDSCAN)
66 Megabytes Strong
300/1200 baud - 24 hours.
Three (3) lines = no busy signals!
Rotary hunting on 313-XXX-XXXX

If you called up that day and read the newest messages posted, you would have been surprised to find these little darlings staring you in the face:
Board: General Information & BBS's
Message: 41
Title: YOU'VE BEEN HAD!!!
To: ALL
From: HIGH TECH
Posted: 8/20/86 @ 12.08 hours
Greetings:
You are now on THE BOARD, a "sting" BBS operated by MIKE WENDLAND of the WDIV-TV I-Team. The purpose? To demonstrate and document the extent of criminal and potentially illegal hacking and telephone fraud activity by the so-called "hacking community."

Thanks for your cooperation. In the past month and a half, we've received all sorts of information from you implicating many of you in credit card fraud, telephone billing fraud, vandalism, and possible break-ins to government or public safety computers. And the beauty of this is we have your posts, your E-Mail and - most importantly - your REAL names and addresses.

What are we going to do with it? Stay tuned to News 4. I plan a special series of reports about our experiences with THE BOARD, which saw users check in from coast-to-coast and Canada, users ranging in age from 12 to 48. For our regular users, I have been known as High Tech, among other IDs. John Maxfield of Boardscan served as our consultant and provided the HP2000 that this "sting" ran on. Through call forwarding and other conveniences made possible by telephone technology, the BBS operated remotely here in the Detroit area.

When will our reports be ready? In a few weeks. We now will be contacting many of you directly, talking with law enforcement and security agents from credit card companies and the telephone services.

It should be a hell of a series. Thanks for your help. And don't bother trying any harassment. Remember, we've got YOUR real names.
Mike Wendland
The I-team
WDIV, Detroit, MI.

Board: General Information & BBS's
Message: 42
Title: BOARDSCAN
To: ALL
From: THE REAPER
Posted: 8/20/86 @ 3.31 hours
This is John Maxfield of Boardscan. Welcome! Please address all letter bombs to Mike Wendland at WDIV-TV Detroit. This board was his idea.

The Reaper (a.k.a. Cable Pair)

Is any comment required?

You can see from this that the people who come after hackers - the people who will be coming after YOU - are not all Keystone Cops. Maxfield knew enough to pick "k00l" handles like The Reaper and Cable Pair. The newuser password to get into The Board was HEL-N555,Elite,3 - a quite hip password considering its origin. Maxfield, and others like him, are as into hacking as we are. They are knowledgeable of the culture and the lingo and the way we think. This last is particularly hurtful, and it means you can't allow yourself to think like everyone else. You won't become an elite hacker without the strength of your entire common sense working for you. When you call up BBSs, be sure and exercise that strength.

Now let's talk about exercising First Amendment rights.

We do have the right to run our own BBS, and to exchange information on it. On a hacker board, that information is likely not going to be the kind of thing you'd read to your mother.

Disclaimers, such as, "This BBS will not tolerate any unlawful discussion of blah blah blah..." are worthless, but you may want to throw them around anyway to complement my next suggestion: Many of the traditional laws which hackers get nailed on have to do with "harmful intent." That is, can it be shown that the hacker or cracker willingly caused damage to a computer?

(Footnote: Boardscan is a company headed by John Maxfield, which seeks out and destroys hackers and their ilk.)

If you are running a hacker BBS or club, you might then consider having members sign an affidavit which makes their good intentions known. Members should sign an agreement stating that they would never willfully damage another's computer or its contents, that any information exchanged on the BBS was for knowledge value only and that none of the illegal activities discussed will be actively pursued, etc. Basically this should be a way to let the members feel they are actively participating in your code of ethical hacker conduct which should be prominently displayed upon login to the BBS. Signing such a goody-two-shoes affidavit may not get you out of legal trouble, but it will do two things. It will stress the point that a member who does not follow the agreement is unworthy to be a part of your hacker BBS or club. And to a jury, it will help convince them that you all are just a bunch of innocent hobbyists being persecuted by the Big Bad System.

It has been suggested that sysops should have their members sign an agreement that, in the event of a raid by law enforcement officials, users would join a lawsuit against the officials to win back monies to pay for destroyed equipment, lost time, false arrests, the hassle, and everything else that goes along with being persecuted by Big Brother.

Current e-mail should always be kept on-hand, so that you can use the terms of the Electronic Communication Privacy Act to your favor. The ECPA ensures that electronic mail that was sent within the past 180 days is private and requires a warrant for an official to search and read it. Note that individual warrants are required for each user who has e-mail stored on your BBS, thus increasing the amount of paperwork required by The Law in going after you and your gang of happy hackers.

So, if your users have signed an agreement, and sample e-mail is stored for each user (it may be fudged e-mail whose time and date of origination gets automatically updated every 180 days), you want to make all of this known to invading officials. Make a message such as the following available to all users when they log in for the first time, and every time they use the system:
A SPECIAL MESSAGE TO ALL LAW ENFORCEMENT AGENTS:

Some of the material on this computer system is being prepared for public dissemination and is therefore "work product material" protected under The First Amendment Privacy Protection Act of 1980 (USC 42, Section 2000aa).

Violation of this statute by law enforcement agents is very likely to result in a civil suit as provided under Section 2000aa-6. Each and every person who has such "work product material" stored on this system is entitled to recover at least minimum damages of $1000 plus all legal expenses. Agents in some states may NOT be protected from personal civil liability if they violate this statute.

In addition, there is e-mail which has been in storage on this system for less than 180 days. Such stored electronic communications, as defined by the Electronic Communication Privacy Act (ECPA), are protected by the ECPA from unauthorized accesses - such as seizure by government officials - without warrants specific to each person's e-mail. Seizing the computer where this BBS resides would represent such an unauthorized access. There are civil actions which may be taken against law enforcement agents under provisions of the Act. You can find them in USC 18, Section 2707. On this system you can expect up to X people to have stored e-mail. Each of them is entitled to collect a minimum of $1000 plus all legal expenses for violations of Section 2700 and 2703. Note that all users of this system have already agreed in writing that their privacy is well worth the hassles of court. We will sue YOU.

Perhaps the agency you work for might pay your legal fees and judgments against you, but why take chances? If you feel the need to go after our private and legally protected e-mail, or take actions which would deny e-mail access to our users (such as seizing our hardware), get appropriate warrants.

It is the policy of the sysop of this system to cooperate with law enforcement agents - though we will not be involved in entrapments, and will not respond to idle threats. Please bring it to my attention if you discover illegal activities on this board, because as curator of this museum I will not tolerate it.

"Hacking the hacker is the ultimate hack," John Maxfield has said. Maxfield is a computer security consultant well known as a hacker tracker, and the one who helped organize The Board sting described above. John scans BBSs looking for hacker activity, and when he finds it, he informs the company that is being hacked about the problem. You know how insecure computers can be, and when you post messages or send e-mail on a BBS you are in effect opening yourself up for the world to see. Don't let some hacker tracker see something about you that you'd rather keep private. When you roam around cyberspace, do so discreetly.

AFTER HACK

This Lawful Land

There are lots of fraud investigators, special agents, Secret Service people, FBI guys and all manner of local, state and federal enforcement officials roaming around cyberspace, waiting to trip you up. There are also private citizens who love hacking but don't love the idea of being criminals, so they hack the hackers, building up dossiers, which they then turn over to the authorities.

Getting caught can make you famous, maybe even throw some money your way. It can also take away a good part of your life, your money, your reputation, your computing equipment, and your hopes for the future. Let's take a look at the laws that cause this state of affairs.



State Computer Crime Laws

Every state except Vermont has explicit laws forbidding computer crime. They are all pretty much alike in that they start out by defining what a computer is, and defining various terms relating to computers and computer crime. Then they list the specific offenses the law prohibits, and the penalties associated with those illegal activities.

You can easily find out what the situation is for your state. Just so you know what kind of things cops and lawyers are talking about when they talk about state computer crime laws, let's take a look at a typical anti-hack statute.

The Wisconsin statute on computer crimes ("Chapter 293, Laws of 1981, 943.70" for you law-book gurus) lists eight possible naughty things a person can do with a computer. The first six have to do with "computer data and programs," the sixth being the willful, knowing, and unauthorized disclosing of "restricted access codes or other restricted access information to unauthorized person[s]." The first five bits of software naughtiness detail the willful, knowing, and unauthorized modification, destruction, accession, possession, or copying of computer data, computer programs, or "supporting documentation."

The final offenses have to do with the hardware aspect. "Whoever willingly, knowingly and without authorization," either modifies, destroys, uses, takes or damages a computer, computer system, network, equipment or supplies related to computers, is guilty under this statute.

There are eight different penalties listed, depending on whether the act in question is considered a misdemeanor or a felony under the law. The magnitude of the crime is based on how much damage was caused money-wise, how much threat to others there was, and whether the hacker did the deed with intent to defraud or obtain property. Penalties range from life imprisonment (sheesh!) to various fines in the $500-$10,000 range.



Traditional State Crime Laws

Just because your state doesn't have a law that specifically forbids snooping around in someone else's computer, doesn't mean what you're doing is completely legal. Prosecutors will try to convict hackers on violations of any law, even if there's a large void between the hacker's actions and the original intent of the law. In some circumstances, the prosecutors may feel there is not a good enough case against a hacker using the computer laws. For other reasons - such as a rural jury - prosecutors will press the issue of guilt, but try to sidestep the technical aspect of it. They will charge a hacker with infractions of traditional crime laws, such as malicious mischief, burglary, larceny, and whatever other nasties they can squeeze into play.

There are problems applying traditional laws to modern "crimes," and the focus changes from whether Hacker X is guilty or innocent, to whether Hacker X is guilty of that particular crime. Can hacking be considered a kind of burglary? In a blue collar computer crime, such as the theft of the actual hardware, there is no question whether or not a law has been broken. On the other hand, if a hacker steals records from a database, do the burglary statutes still apply? What if the hacker didn't actually deprive anyone of their information, but only made a copy of it for him or herself? Is this a different issue?

These topics have been addressed differently in different court cases. If you are ever unfortunate enough to be tried for hacking-related offenses, the judge's decision will be based on the exact definitions of "software," "burglary," and other key words for your particular state. If the state has no computer crime statutes, then "software" may not be defined; in that case it is up to the judge entirely to decide what these terms mean.

Since we do have 50 states worth of laws to consider, in addition to federal laws, space constraints dictate that we not list every single statute and definition that might apply to a hacker's trial. For the specifics you will have to do your own research into your state's laws. Here is a generalized overview of traditional crimes, and how they can be applied to convict you of computer hacking. I want to stress this point of "generalizations." All the definitions of law to follow are simplifications of the laws throughout the land. Individual states add their own personal quirks and nuances to these laws - minutiae on which both surprise verdicts and legal loopholes are based.


Criminal Mischief

Also called malicious mischief, this is the willful destruction of someone else's property. You may say to yourself, "Gosh, as long as I don't purposely go around acting like a jerk, how can they convict me on that one?" Good question. To be able to say that malicious mischief has occurred, three things must be present: a real human action, evidence that the action has caused damage to someone else's property, and that the damage is observable to a bystander. That's the traditional definition. Well, any bystander can see a smashed storefront window, but how many "average bystanders" can easily see how an algorithm has been changed in a program to allow access to anyone named "Borges"?

The thing is, a hacker may change software or password files to gain entry to a system, but it is often hard to determine whether or not such an action has caused "willful destruction" of that file. Indeed, the software may not actually have been altered to any detectable degree, and the hacker himself may not have done any noticeable actions at all. Can one then honestly say that criminal mischief has occurred? And yet, the hacker may have left the software in an altered, "destroyed" state.

The answers to such questions remain to be adequately determined.



Burglary

For most states, burglary is the unauthorized breaking and entering of the real property of another with intent to commit a crime. Again there is a problem, in that we have to decide whether or not to accept an operating computer network as property. The act of entering one's username/password is often metaphorically associated with that of unlocking and opening a door to one's house, but does that analogy exist to such a degree that the unauthorized entry into a computer directory is committing a burglary?

It is generally conceded that the attempt to prosecute such an act under traditional burglary statutes becomes futile. It may become slightly less futile if there is a clear intent on the hacker's part to commit a crime. Again, make sure the world knows your intentions are benign, and be sure to follow that path. Of course, the physical breaking and entering of a building, with the intention of using the computers there to hack, is a more clear-cut matter. Don't expect to wiggle out of that one on as many technicalities.


Fraud

Fraud is easy to define: any sort of deception, cheating or unfair behavior that is used to cause injury to another person. Using someone else's password is fraud, since you are falsely representing yourself, and the "injured person" (computer) reasonably believes you to be that person to the extent that you are given privileges you should not have received.

But to be convicted of fraud it must be shown that because of the deception, the victim had damage done to him or her. What happens in the case where a computer manager knows it's a hacker on the line, and yet the manager is unable to prevent damage from occurring? Since there is no deception, there is no fraud. That may be intent to defraud, and perhaps not fraud itself.

Social engineering is clearly fraud if information gained from the exchange is used to enter a computer, and some injury can be proven. Actually, fraud is universally cited in any instance of computer crime, no matter what methods were used or what the outcome of the "crime." You can see then the importance of not causing "injury" to a computer. In all of these cases, it is essential that it can be established that no damage (or alteration) was done, and none was intended.



Larceny

Larceny occurs when two conditions hold true: A piece of property has been criminally taken and carried away from another person, and the intention of so doing was to permanently deprive the owner of his or her property.

Again, problems arise when applying this to computer hacking. Think about a case where a hacker inserts a GOTO statement in a program to bypass the section where the program asks for login information. Has the hacker effectively deprived the administrators on that system of that section of code - that piece of property? Additionally there is the problem of determining if the intent was to leave the GOTO in permanently, and not only that, whether or not such an action constitutes "taking" away of property. After all, the intermittent code is still there, only the access to it has been temporarily eliminated.

Larceny may be applied to the stealing of time on a computer, to stolen telephone service or electrical power. In these cases it would seem the lawyers are doing their best in a trying situation - a situation in which they realize the hacker has not done any harm, and yet they want to symbolically punish the hacker for invading their computers.



Theft Of Trade Secrets

Theft of trade secrets - also called "misappropriation" of trade secrets - may be contained in the larceny laws of the state if a trade secret is defined as a kind of property, or it may be the principal construct of its own statute. Misappropriation of trade secrets might be the better of the two names, as it more accurately reflects the nature of the law: either the physical taking of secrets, or the unauthorized copying of them, may be viewed as a violation.

So if a hacker has printouts of some top secret laboratory reports, that information has been misappropriated, copied by an individual unauthorized to do so. If this law is subsumed into the general larceny statute, a prosecuting complication might arise. We are then back to the question of whether or not it can be shown that the hacker intended to permanently deprive the owner of his property. We both know that computer hackers generally don't have any intention of deprivation - just learning. We know that, but we can't expect judges and juries to understand.

Finally, let's end this section on a good note. If the accused hacker leaves no trace of his or her entering a system, then it is typically the case that theft of trade secrets cannot be seriously considered as having taken place. Thus, hackers should make certain that all files and printouts which contain data that one might regard as trade secrets, are either purged, burned or hidden very well.



Receipt Of Stolen Property

Let's describe this one by mentioning its three parts: (1) The stolen property must have been received by (2) someone who knows or should reasonably suspect that the property was stolen, and (3) the receiving has been done with the intent of permanently depriving the owner of his property.

As with trade secret theft, ROSP may be included in the larceny laws, or it may have its very own statute to call its own. Regardless, ROSP is a good crime to catch hackers by. Here's why: ROSP is applicable for almost any stolen property or "property," including trade secrets, information, goods and services, high credit ratings (been hacking TRW lately?), computer time, passwords, and files. If you've got any of these, or anything else for that matter, you've got ROSP to deal with.



Theft Of Services Or Labor Under False Pretenses

Theft of Services Under... Boy, I thought I had to abbreviate when discussing Receipt of Stolen Property! TOSOLUFP is basically a form of larceny whereby you trick someone into letting you have something. For instance, TOSOLUFP might occur when a hacker gets access to an on-site computer by showing a guard a fake ID badge.

Similarly, any false representation of a fact with the intention of obtaining the property of another is TOSOLUFP. Additionally it must be shown that the victim's judgment relied on acceptance of that false representation and because of that reliance, suffered some injury - such as loss of computer time or monies which would be paid by a legal user of the system.



Interference With Use Statutes

If someone does something so another person can't use his or her property (with a resulting loss to the property owner) then it is said that an "interference with use" statute has been broken. In the hacking sense, if a cracker were to change password files so others couldn't log on, or tamper with a piece of source code, or use another person's username and password, an IWUS may be said to have occurred. Sometimes these are called anti-tampering laws.

As we have seen with the other traditional laws as they apply to hacking, there are of course no clear ways to overlay centuries-old terminology onto modern situations. An IWUS can apply even if there is no visible damage as a result of tampering. Even the installation of a back door may be punishable, regardless of whether other users know this illegal mode of entry exists.


Traditional Federal Crime Laws

A crime may become a federal crime if it takes place on or involves federal property, or if there is a vested federal interest in the crime. There are federal laws which don't necessarily refer to computers, yet are acceptable for use in the prosecution (persecution?) of computer hackers. Note that these laws, as well as the laws described in following sections, are applicable only when the computers you hack are related to the federal government in some way.



Conspiracy

Conspiracy (aka 18 USC #371, if you like numbers) takes place when two or more individuals combine to agree upon or plot an unlawful act, or to commit a lawful act in an unlawful manner. The law goes on to state it is unlawful for these two or more people to plan to defraud the US government, or any federal agency.

This means that a bunch of criminals who use hacker's techniques to make money appear in their checking accounts will be accused of conspiracy if the bank or financial institution involved is a member of the Federal Deposit Insurance Corporation.

In any case, if you are a member of any sort of group which discusses hacking, or if you've ever discussed hacking or other illegal activities with anyone, you are a potential victim of this law.

661, 2113, 641, 912, 1343, 1361, Etc.

Other federal laws may also apply in select cases of computer hacking. Applicability of these laws depends on the nature of the "crime," what computers were being hacked, where the hacking took place, and how the hacker went about breaking in. For example, laws 18 USC 661 & 2113 have to do with thefts committed within a special maritime jurisdiction and burglary of a bank respectively. Other laws deal with post offices, fortifications, harbor-defense areas, and federal property in general. These are special laws that will apply only if you have, let's say, "burglarized" the information in a post office database, or committed some other special-area offense.

United States Code 641 applies to the theft of federal property (is information property?) or records. USC 912 makes it unlawful to obtain "a thing of value" by impersonating a federal officer or employee. I would guess entering a federal employee's password is considered impersonation.

Number 1343 on the books says you can't use wire communications to execute or attempt to defraud or scheme to obtain property under false pretenses, when the message crosses state lines. 1361 prohibits malicious injury to federal property, and 2071 disallows the concealment, mutilation or removal of public records. All of which a computer cracker is likely to do, if on a federal computer.

There is law after statute after law, all dealing with specific issues like these. It doesn't seem worthwhile to go through every last one of them. Suffice it to say, if you get caught by the feds, they have a lot of legalese they can use to say why what you were doing was wrong. I'm not saying you should go out and memorize every bill that's ever been passed that might have some remote connection to computer law. I'm saying you should realize that computer hacking can be a risky business. Use your head. Don't make the mistakes that others have made. If you're lucky, you'll be hacking without harm for as long as you want.

Federal Computer Crime Laws, Or: It's 10:30, Do They Know Where The Hackers Are?

Finally, there are the federal laws which specifically relate to computer crime that one must be wary of. The Counterfeit Access Device and Computer Fraud Act of 1984 (18 USC 1030) was the first law that explicitly talked about computer crime. As you might expect, it is a law that can be applied to just about any government hack. It prohibits unauthorized access to data stored on any "federal interest computer," and specifically mentions financial records and national secrets as info not to mess around with. This law allows for fines up to $10,000 or up to 10 years imprisonment if it's a first offense.

Two years later, two computer crime acts were passed by Congress. The Computer Fraud and Abuse Act of 1986 defined more situations in which hackers could be prosecuted, by talking more about financial houses and medical records, targeting computers involved with interstate crimes, computers belonging to certain financial institutions, and other federally owned computers. There are also provisions for the trafficking in passwords with intent to defraud computer owners. Most interesting to the hacker, I believe, is that The Computer Fraud and Abuse Act of 1986 makes it illegal to use other people's passwords, or even to use one's own password improperly - that's where the "fraud" part of the title comes from.

One sort of strange requirement that this law makes is that it can only be applied to crimes where the victim has lost $1,000 or more due to the crime. Since you are going to be hacking under a set of ethical constraints, this law doesn't apply to you at all then (i.e., no computer you hack will lose anything from your explorations).

This facet of the Act is made even more interesting when you realize that the Senate Judiciary Committee, in their report on the Act, explained that a cracker doesn't have to actually steal data to be prosecuted under the law; he or she only has to read the data. Makes you wonder what they're thinking, since it's beyond my comprehension how anyone can prove that reading some data caused $1,000 worth of damage. But then, I'm no lawyer.

The Computer Security Act of 1987 is a do-nothing law that requires security standards to be developed for classified and unclassified federal data, and requires that security plans and periodic security training be implemented on federal computer systems containing sensitive information.



Conclusion

I was going to apologize to all the lawyers out there, for the way I've manhandled these descriptions of all the above laws. But really, why should I apologize to lawyers?
Now let's talk about what we as hackers can do to protect ourselves; then we won't have to worry about any of the above.