==Phrack Inc.== Volume Four, Issue Forty-One, File 12 of 13 PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN Phrack World News PWN PWN PWN PWN Issue 41 / Part 2 of 3 PWN PWN PWN PWN Compiled by Datastream Cowboy PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN Government Cracks Down On Hacker November 2, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by Donald Clark (The San Francisco Chronicle)(Page C1) "Civil Libertarians Take Keen Interest In Kevin Poulsen Case" Breaking new ground in the war on computer crime, the Justice Department plans to accuse Silicon Valley's most notorious hacker of espionage. Kevin Lee Poulsen, 27, touched off a 17-month manhunt before being arrested on charges of telecommunications and computer fraud in April 1991. A federal grand jury soon will be asked to issue a new indictment charging Poulsen with violating a law against willfully sharing classified information with unauthorized persons, assistant U.S. attorney Robert Crowe confirmed. A 1988 search of Poulsen's Menlo Park storage locker uncovered a set of secret orders from a military exercise, plus evidence that Poulsen may have tried to log onto an Army data network and eavesdropped on a confidential investigation of former Philippine President Ferdinand Marcos. It is not clear whether the new charge stems from these or other acts. Poulsen did not hand secrets to a foreign power, a more serious crime, Crowe noted. But by using an espionage statute against a U.S. hacker for the first time, prosecutors raise the odds of a record jail sentence that could be used to deter other electronic break-ins. They could use a stronger deterrent. Using personal computers connected to telephone lines, cadres of so-called cyberpunks have made a sport of tapping into confidential databases and voicemail systems at government agencies and corporations. Though there is no reliable way to tally the damage, a 1989 survey indicated that computer crimes may cost U.S. business $500 million a year, according to the Santa Cruz-based National Center for Computer Crime Data. Telephone companies, whose computers and switching systems have long been among hackers' most inviting targets, are among those most anxious to tighten security. Poulsen allegedly roamed at will through the networks of Pacific Bell, for example, changing records and even intercepting calls between Pac Bell security personnel who were on his trail. The San Francisco-based utility has been intimately involved in his prosecution; Poulsen was actually captured in part because one of the company's investigators staked out a suburban Los Angeles supermarket where the fugitive shopped. "Virtually everything we do these days is done in a computer --your credit cards, your phone bills," said Kurt von Brauch, a Pac Bell security officer who tracked Poulsen, in an interview last year. "He had the knowledge to go in there and alter them." BROAD LEGAL IMPACT Poulsen's case could have broad impact because of several controversial legal issues involved. Some civil libertarians, for example, question the Justice Department's use of the espionage statute, which carries a maximum 10-year penalty and is treated severely under federal sentencing guidelines. They doubt the law matches the actions of Poulsen, who seems to have been motivated more by curiosity than any desire to hurt national security. "Everything we know about this guy is that he was hacking around systems for his own purposes," said Mike Godwin, staff counsel for the Electronic Frontier Foundation, a public-interest group that has tracked Poulsen's prosecution. He termed the attempt to use the statute against Poulsen "brain-damaged." Poulsen, now in federal prison in Pleasanton, has already served 18 months in jail without being tried for a crime, much less convicted. Though federal rules are supposed to ensure a speedy trial, federal judges can grant extended time to allow pretrial preparation in cases of complex evidence or novel legal issues. Both are involved here. After he fled to Los Angeles to avoid prosecution, for example, Poulsen used a special scrambling scheme on one computer to make his data files unintelligible to others. It has taken months to decode that data, and the job isn't done yet, Crowe said. That PC was only found because authorities intercepted one of Poulsen's phone conversations from jail, other sources said. CHARGES LABELED ABSURD Poulsen declined requests for interviews. His attorney, Paul Meltzer, terms the espionage charge absurd. He is also mounting several unusual attacks on parts of the government's original indictment against Poulsen, filed in 1989. He complains, for example, that the entire defense team is being subjected to 15-year background checks to obtain security clearances before key documents can be examined. "The legal issues are fascinating," Meltzer said. "The court will be forced to make law." Poulsen's enthusiasm for exploring forbidden computer systems became known to authorities in 1983. The 17-year-old North Hollywood resident, then using the handle Dark Dante, allegedly teamed up with an older hacker to break into ARPAnet, a Pentagon-organized computer network that links researchers and defense contractors around the country. He was not charged with a crime because of his age. Despite those exploits, Poulsen was later hired by SRI International, a Menlo Park-based think tank and government contractor, and given an assistant programming job with a security clearance. Though SRI won't comment, one source said Poulsen's job involved testing whether a public data network, by means of scrambling devices, could be used to confidentially link classified government networks. But Poulsen apparently had other sidelines. Between 1985 and 1988, the Justice Department charges, Poulsen burglarized or used phony identification to sneak into several Bay Area phone company offices to steal equipment and confidential access codes that helped him monitor calls and change records in Pac Bell computers, prosecutors say. CACHE OF PHONE GEAR The alleged activities came to light because Poulsen did not pay a bill at the Menlo/Atherton Storage Facility. The owner snipped off a padlock on a storage locker and found an extraordinary cache of telephone paraphernalia. A 19-count indictment, which also named two of Poulsen's associates, included charges of theft of government property, possession of wire-tapping devices and phony identification. One of Poulsen's alleged accomplices, Robert Gilligan, last year pleaded guilty to one charge of illegally obtaining Pac Bell access codes. Under a plea bargain, Gilligan received three years of probation, a $25,000 fine, and agreed to help authorities in the Poulsen prosecution. Poulsen's former roommate, Mark Lottor, is still awaiting trial. A key issue in Poulsen's case concerns CPX Caber Dragon, a code name for a military exercise in Fort Bragg, North Carolina. In late 1987 or early 1988, the government charges, Poulsen illegally obtained classified orders for the exercise. But Meltzer insists that the orders had been declassified by the time they were seized, and were reclassified after the fact to prosecute Poulsen. Crowe said Meltzer has his facts wrong. "That's the same as saying we're framing Poulsen," Crowe said. "That's the worst sort of accusation I can imagine." Another dispute focuses on the charge of unauthorized access to government computers. FBI agents found an electronic copy of the banner that a computer user sees on first dialing up an Army network called MASNET, which includes a warning against unauthorized use of the computer system. Meltzer says Poulsen never got beyond this computer equivalent of a "No Trespassing" sign. Furthermore, Meltzer argues that the law is unconstitutional because it does not sufficiently define whether merely dialing up a computer qualifies as illegal "access." Meltzer also denies that Poulsen could eavesdrop on calls. The indictment accuses him of illegally owning a device called a direct access test unit, which it says is "primarily useful" for surreptitiously intercepting communications. But Meltzer cites an equipment manual showing that the system is specifically designed to garble conversations, though it allows phone company technicians to tell that a line is in use. Crowe said he will soon file written rebuttals to Meltzer's motions. In addition to the new indictment he is seeking, federal prosecutors in Los Angeles are believed to be investigating Poulsen's activities while a fugitive. Among other things, Poulsen reportedly taunted FBI agents on computer bulletin boards frequented by hackers. PHONE COMPANIES WORRIED Poulsen's prosecution is important to the government -- and phone companies -- because of their mixed record so far in getting convictions in hacker cases. In one of the most embarrassing stumbles, a 19-year-old University of Missouri student named Craig Neidorf was indicted in February 1990 on felony charges for publishing a memorandum on the emergency 911 system of Bell South. The case collapsed when the phone company information -- which the government said was worth $79,940 -- was shown by the defense to be available from another Bell system for just $13.50. Author Bruce Sterling, whose "The Hacker Crackdown" surveys recent high-tech crime and punishment, thinks the phone company overstates the dangers from young hackers. On the other hand, a Toronto high school student electronically tampered with that city's emergency telephone dispatching system and was arrested, he noted. Because systems that affect public safety are involved, law enforcement officials are particularly anxious to win convictions and long jail sentences for the likes of Poulsen. "It's very bad when the government goes out on a case and loses," said one computer-security expert who asked not to be identified. "They are desperately trying to find something to hang him on." - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Computer Hacker Charged With Stealing Military Secrets December 8, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Taken from the Associated Press SAN FRANCISCO -- A computer hacker has been charged with stealing Air Force secrets that allegedly included a list of planned targets in a hypothetical war. Former Silicon Valley computer whiz Kevin Poulsen, who was accused in the early 1980s as part of a major hacking case, was named in a 14-count indictment issued Monday. He and an alleged accomplice already face lesser charges of unlawful use of telephone access devices, illegal wiretapping and conspiracy. Poulsen, 27, of Los Angeles, faces 7-to-10 years in prison if convicted of the new charge of gathering defense information, double the sentence he faced previously. His lawyer, Paul Meltzer, says the information was not militarily sensitive and that it was reclassified by government officials just so they could prosecute Poulsen on a greater charge. A judge is scheduled to rule February 1 on Meltzer's motion to dismiss the charge. In the early 1980s, Poulsen and another hacker going by the monicker Dark Dante were accused of breaking into UCLA's computer network in one of the first prosecutions of computer hacking. He escaped prosecution because he was then a juvenile and went to work at Sun Microsystems in Mountain View. While working for Sun, Poulsen illegally obtained a computer tape containing a 1987 order concerning a military exercise code-named Caber Dragon 88, the government said in court papers. The order is classified secret and contains names of military targets, the government said. In 1989, Poulsen and two other men were charged with stealing telephone access codes from a Pacific Bell office, accessing Pacific Bell computers, obtaining unpublished phone numbers for the Soviet Consulate in San Francisco; dealing in stolen telephone access codes; and eavesdropping on two telephone company investigators. Poulsen remained at large until a television show elicited a tip that led to his capture in April 1991. He and Mark Lottor, 27, of Menlo Park, are scheduled to be tried in March. The third defendant, Robert Gilligan, has pleaded guilty and agreed to pay Pacific Bell $25,000. He is scheduled to testify against Lottor and Poulsen as part of a plea bargain. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CA Computer Whiz Is First Hacker Charged With Espionage December 10, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by John Enders (The Associated Press) SAN JOSE, California -- A 28-year-old computer whiz who reportedly once tested Department of Defense security procedures has become the first alleged computer hacker to be charged with espionage. The government says Kevin Lee Poulsen stole classified military secrets and should go to prison. But his lawyer calls him "an intellectually curious computer nerd." Poulsen, of Menlo Park, California, worked in the mid-1980s as a consultant testing Pentagon computer security. Because of prosecution delays, he was held without bail in a San Jose jail for 20 months before being charged this week. His attorney, Paul Meltzer, says that Poulsen did not knowingly possess classified information. The military information had been declassified by the time prosecutors say Poulsen obtained it, Meltzer said. "They are attempting to make him look like Julius Rosenberg," Meltzer said of the man executed in 1953 for passing nuclear-bomb secrets to the Soviet Union. "It's just ridiculous." Poulsen was arrested in 1988 on lesser but related hacking charges. He disappeared before he was indicted and was re-arrested in Los Angeles in April 1991. Under an amended indictment, he was charged with illegal possession of classified government secrets. Poulsen also is charged with 13 additional counts, including eavesdropping on private telephone conversations and stealing telephone company equipment. If convicted on all counts, he faces up to 85 years in prison and fines totaling $3.5 million, said Assistant U.S. Attorney Robert Crowe in San Francisco. On Monday (12/7), Poulsen pleaded innocent to all charges. He was handed over to U.S. Marshals in San Jose on Wednesday (12/9) and was being held at a federal center in Pleasanton near San Francisco. He hasn't been available for comment, but in an earlier letter from prison, Poulsen called the charges "ludicrous" and said the government is taking computer hacking too seriously. U.S. Attorney John A. Mendez said Wednesday (12/9) that Poulsen is not suspected of turning any classified or non-classified information over to a foreign power, but he said Poulsen's alleged activities are being taken very seriously. "He's unique. He's the first computer hacker charged with this type of violation -- unlawful gathering of defense information," Mendez said. Assistant U.S. Attorney Robert Crowe said the espionage charge was entered only after approval from the Justice Department's internal security section in Washington. The indictment alleges that Poulsen: - Tapped into the Pacific Bell Co.'s computer and collected unpublished telephone numbers and employee lists for the Soviet Consulate in San Francisco. - Stole expensive telephone switching and other equipment. - Retrieved records of phone company security personnel and checked records of their own calls to see if they were following him. - Eavesdropped on telephone calls and computer electronic mail between phone company investigators and some of his acquaintances. - Tapped into an unclassified military computer network known as Masnet. - Obtained a classified document on flight orders for a military exercise involving thousands of paratroopers at the Army's Fort Bragg in North Carolina. The offenses allegedly took place between 1986 and 1988. In 1985, the Palo Alto, California, think tank SRI International hired Poulsen to work on military contracts, including a sensitive experiment to test Pentagon computer security, according to published reports. SRI has declined to comment on the case. _______________________________________________________________________________ Hacker For Hire October 19, 1992 ~~~~~~~~~~~~~~~ by Mark Goodman and Allison Lynn (People)(Page 151) "Real-life Sneaker Ian Murphy puts the byte on corporate spies." THERE'S NO PRIVACY THESE DAYS," says Ian Murphy. "Just imagine going into GM's or IBM's accounts and wiping them out. You can bring about economic collapse by dropping in a virus without them even knowing it." Scoff at your peril, Corporate America. Captain Zap -- as Murphy is known in the electronic underworld of computer hackers -- claims there's no computer system he can't crack, and hence no mechanical mischief he can't wreak on corporations or governments. And Murphy, 35, has the track record -- not to mention the criminal record -- to back up his boasts. Murphy's fame in his subterranean world is such that he worked as a consultant for Sneakers, the hit film about a gang of computer-driven spies (Robert Redford, Sidney Poitier, Dan Aykroyd) lured into doing some high-risk undercover work for what they believe is the National Security Agency. Murphy loved the way the movie turned out. "It's like a training film for hackers," he says, adding that he saw much of himself in the Aykroyd character, a pudgy, paranoid fantasist named Mother who, like Murphy, plows through people's trash for clues. In fact when Aykroyd walked onscreen covered with trash, Murphy recalls, "My friends turned to me and said, 'Wow, that's you!'" If that sounds like a nerd's fantasy, then check out Captain Zap's credentials. Among the first Americans to be convicted of a crime involving computer break- ins, he served only some easy community-service time in 1983 before heading down the semistraight, not necessarily narrow, path of a corporate spy. Today, Murphy, 35, is president of IAM Secure Data Systems, a security consultant group he formed in 1982. For a fee of $5,000 a day plus expenses, Murphy has dressed up as a phone-company employee and cracked a bank's security system, he has aided a murder investigation for a drug dealer's court defense, and he has conducted a terrorism study for a major airline. His specialty, though, is breaking into company security systems -- an expertise he applied illegally in his outlaw hacker days and now, legally, by helping companies guard against such potential break-ins. Much of his work lately, he says, involves countersurveillance -- that is, finding out if a corporation's competitors are searching its computer systems for useful information. "It's industrial spying," Murphy says, "and it's happening all over the place." Murphy came by his cloak-and-daggerish calling early. He grew up in Gladwyne, Pennsylvania, on Philadelphia's Main Line, the son of Daniel Murphy, a retired owner of a stevedoring business, and his wife, Mary Ann, an advertising executive. Ian recalls, "As a kid, I was bored. In science I did wonderfully. The rest of it sucked. And social skills weren't my thing." Neither was college. Ian had already begun playing around with computers at Archbishop Carroll High School; after graduation he joined the Navy. He got an early discharge in 1975 when the Navy didn't assign him to radio school as promised, and he returned home to start hacking with a few pals. In his heyday, he claims, he broke into White House and Pentagon computers. "In the Pentagon," he says, "we were playing in the missile department, finding out about the new little toys they were developing and trying to mess with their information. None of our break-ins had major consequences, but it woke them the hell up because they [had] all claimed it couldn't be done." Major consequences came later. Murphy and his buddies created dummy corporations with Triple-A credit ratings and ordered thousands of dollars' worth of computer equipment. Two years later the authorities knocked at Murphy's door. His mother listened politely to the charges, then earnestly replied, "You have the wrong person. He doesn't know anything about computers." Right. Murphy was arrested and convicted of receiving stolen property in 1982. But because there were no federal computer-crime laws at that time, he got off with a third-degree felony count. He was fined $1,000, ordered to provide 1,000 hours of community service (he worked in a homeless shelter) and placed on probation for 2 1/2 years. "I got off easy," he concedes. Too easy, by his own mother's standards. A past president of Republican Women of the Main Line, Mary Ann sought out her Congressman, Larry Coughlin, and put the question to him: "How would you like it if the next time you ran for office, some young person decided he was going to change all of your files?" Coughlin decided he wouldn't like it and raised the issue on the floor of Congress in 1983. The following year, Congress passed a national computer- crime law, making it illegal to use a computer in a manner not authorized by the owner. Meanwhile, Murphy, divorced in 1977 after a brief marriage, had married Carol Adrienne, a documentary film producer, in 1982. Marriage evidently helped set Murphy straight, and he formed his company -- now with a staff of 12 that includes a bomb expert and a hostage expert. Countersurveillance has been profitable (he's making more than $250,000 a year and is moving out of his parents' house), but it has left him little time to work on his social skills - - or for that matter his health. At 5 ft.6 in. and 180 lbs., wearing jeans, sneakers and a baseball cap, Murphy looks like a Hollywood notion of himself. He has suffered four heart attacks since 1986 but unregenerately smokes a pack of cigarettes a day and drinks Scotch long before the sun falls over the yardarm. He and Carol divorced in April 1991, after 10 years of marriage. "She got ethics and didn't like the work I did," he says. These days Murphy dates -- but not until he thoroughly "checks" the women he goes out with. "I want to know who I'm dealing with because I could be dealing with plants," he explains. "The Secret Service plays games with hackers." Murphy does retain a code of honor. He will work for corporations, helping to keep down the corporate crime rate, he says, but he won't help gather evidence to prosecute fellow hackers. Indeed his rogue image makes it prudent for him to stay in the background. Says Reginald Branham, 23, president of Cyberlock Consulting, with whom Murphy recently developed a comprehensive antiviral system: "I prefer not to take Ian to meetings with CEOs. They're going to listen to him and say, 'This guy is going to tear us apart.'" And yet Captain Zap, for all his errant ways, maintains a certain peculiar charm. "I'm like the Darth Vader of the computer world," he insists. "In the end I turn out to be the good guy." (Photograph 1 = Ian Murphy) (Photograph 2 = River Phoenix, Robert Redford, Dan Aykroyd, and Sidney Poitier) (Photograph 3 = Mary Ann Murphy ) _______________________________________________________________________________ Yacking With A Hack August 1992 ~~~~~~~~~~~~~~~~~~~ by Barbara Herman (Teleconnect)(Page 60) "Phone phreaking for fun, profit & politics." Ed is an intelligent, articulate 18 year old. He's also a hacker, a self- professed "phreak" -- the term that's developed in a subculture of usually young, middle-class computer whizzes. I called him at his favorite phone booth. Although he explained how he hacks as well as what kinds of hacking he has been involved in, I was especially interested in why he hacks. First off, Ed wanted to make it clear he doesn't consider himself a "professional" who's in it only for the money. He kept emphasizing that "hacking is not only an action, it's a state of mind." Phreaks even have an acronym-based motto that hints at their overblown opinions of themselves. PHAC. It describes what they do: "phreaking," "hacking," "anarchy" and "carding." In other words, they get into systems over the telecom network (phreaking), gain access (hacking), disrupt the systems (political anarchy) and use peoples' calling/credit cards for their personal use. Throughout our talk, Ed showed no remorse for hacking. Actually, he had contempt for those he hacked. Companies were "stupid" because their systems' were so easy to crack. They deserved it. As if they should have been thankful for his mercy, he asked me to imagine what would have happened if he really hacked one railway company's system (he merely left a warning note), changing schedules and causing trains to collide. He also had a lot of disgust for the "system," which apparently includes big business (he is especially venomous toward AT&T), government, the FBI, known as "the Gestapo" in phreak circles, and the secret service, whose "intelligence reflects what their real jobs should be, secret service station attendants." He doesn't really believe any one is losing money on remote access toll fraud. He figures the carriers are angry not about money lost but rather hypothetical money, the money they could have charged for the free calls the hackers made, which he thinks are overpriced to begin with. He's also convinced (wrongly) that companies usually don't foot the bill for the free calls hackers rack up on their phone systems. "And, besides, if some multi-million dollar corporation has to pay, I'm certainly not going to cry for them." I know. A twisted kid. Weird. But besides his skewed ethics, there's also a bunch of contradictions. He has scorn for companies who can't keep him out, even though he piously warns them to try. He dismisses my suggestion that the "little guy" is in fact paying the bills instead of the carrier. And yet he says AT&T is overcharging them for the "vital" right to communicate with each other. He also contradicted his stance of being for the underdog by calling the railway company "stupid" for not being more careful with their information. Maybe a railway company is not necessarily the "little guy," but it hardly seems deserving of the insults Ed hurled at it. When I mentioned that a hospital in New York was taken for $100,000 by hackers, he defended the hackers by irrelevantly making the claim that doctors easily make $100,000 a year. Since when did doctors pay hospital phone bills? What Ed is good at is rationalizing. He lessens his crimes by raising them to the status of political statements, and yet in the same breath, for example, he talks about getting insider info on the stock market and investing once he knows how the stock is doing. He knows it's morally wrong, he told me, but urged me to examine this society that "believes in making a buck any way you can. It's not a moral society." Amazingly enough, the hacker society to which Ed belongs, if I can unstatistically use him as a representative of the whole community, is just as tangled in the contradictions of capitalism as the "system" they supposedly loathe. In fact, they are perhaps more deluded and hypocritical because they take a political stance rather than recognizing their crimes for what they are. How can Ed or anyone else in the "phreaking" community take seriously their claims of being against big business and evil capitalism when they steal people's credit-card and calling-card numbers and use them for their own profit? The conversation winded down after Ed rhapsodized about the plight of the martyred hacker who is left unfairly stigmatized after he is caught, or "taken down." One time the Feds caught his friend hacking ID codes, had several phone companies and police search his house, and had his computer taken away. Even though charges were not filed, Ed complained, "It's not fair." That's right, phreak. They should have thrown him in prison. _______________________________________________________________________________ Computer Hacker On Side Of Law September 23, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by Shelby Grad (Los Angeles Times)(Page B3) COSTA MESA, CA -- Philip Bettencourt's formal title is photo lab supervisor for the Costa Mesa Police Department. But on Tuesday afternoon, he served as the department's official computer hacker. Bettencourt, pounding the keyboard excitedly as other officers looked on, was determined to find information within a stolen computer's vast memory that would link the machine to its owner. So far, he had made matches for all but two of the 26 computers recovered earlier this month by police as part of a countywide investigation of stolen office equipment. This would be number 25. First, he checked the hard drive's directory, searching for a word-processing program that might include a form letter or fax cover sheet containing the owner's name, address or phone number. When that failed, he tapped into an accounting program, checking for clues on the accounts payable menu. "Bingo!" Bettencourt yelled a few minutes into his work. He found an invoice account number to a Fountain Valley cement company that might reveal the owner's identity. Seconds later, he came across the owner's bank credit-card number. And less than a minute after that, Bettencourt hit pay dirt: The name of a Santa Ana building company that, when contacted, revealed that it had indeed been the victim of a recent computer burglary. "This is great," said Bettencourt, who has been interested in computers for nearly two decades now, ever since Radio Shack put its first model on the market. "I love doing this. This is hacking, but it's in a good sense, not trying to hurt someone. This is helping people." Few computer owners who were reunited with their equipment would contest that. When Costa Mesa police recovered $250,000 worth of computers, fax machines, telephones and other office gadgets, detectives were faced with the difficult task of matching machines bearing few helpful identifying marks to their owners, said investigator Bob Fate. Enter Bettencourt, who tapped into the computers' hard drives, attempting to find the documents that would reveal from whom the machines were taken. As of Tuesday, all but $50,000 worth of equipment was back in owners' hands. Investigators suggested that people who recently lost office equipment call the station to determine if some of the recovered gadgetry belongs to them. Ironically, the alleged burglars tripped themselves up by not erasing the data from the computers before reselling the machines, authorities said. A college student who purchased one of the stolen computers found data from the previous owner, whom he contacted. Police were then called in, and a second "buy" was scheduled in which several suspects were arrested, Fate said. Three people were arrested September 15 and charged with receiving and possessing stolen property. Police are still searching for the burglars. The office equipment was recovered from an apartment and storage facility in Santa Ana. Bettencourt matched the final stolen computer to its owner before sundown Tuesday. _______________________________________________________________________________ CuD's 1992 MEDIA HYPE Award To FORBES MAGAZINE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by Jim Thomas (Computer Underground Digest) In recent years, media depiction of "hackers" has been criticized for inaccurate and slanted reporting that exaggerates the public dangers of the dread "hacker menace." As a result, CuD annually recognizes the year's most egregious example of media hype. The 1992 annual CuD GERALDO RIVERA MEDIA HYPE award goes to WILLIAM G. FLANAGAN AND BRIGID McMENAMIN for their article "The Playground Bullies are Learning how to Type" in the 21 December issue of Forbes (pp 184-189). The authors improved upon last year's winner, Geraldo himself, in inflammatory rhetoric and distorted narrative that seems more appropriate for a segment of "Inside Edition" during sweeps week than for a mainstream conservative periodical. The Forbes piece is the hands-down winner for two reasons. First, one reporter of the story, Brigid McMenamin, was exceptionally successful in creating for herself an image as clueless and obnoxious. Second, the story itself was based on faulty logic, rumors, and some impressive leaps of induction. Consider the following. The Reporter: Brigid McMenamin It's not only the story's gross errors, hyperbole, and irresponsible distortion that deserve commendation/condemnation, but the way that Forbes reporter Brigid McMenamin tried to sell herself to solicit information. One individual contacted by Brigid McM claimed she called him several times "bugging" him for information, asking for names, and complaining because "hackers" never called her back. He reports that she explicitly stated that her interest was limited to the "illegal stuff" and the "crime aspect" and was oblivious to facts or issues that did not bear upon hackers-as-criminals. Some persons present at the November 2600 meeting at Citicorp, which she attended, suggested the possibility that she used another reporter as a credibility prop, followed some of the participants to dinner after the meeting, and was interested in talking only about illegal activities. One observer indicated that those who were willing to talk to her might not be the most credible informants. Perhaps this is one reason for her curious language in describing the 2600 meeting. Another person she contacted indicated that she called him wanting names of people to talk to and indicated that because Forbes is a business magazine, it only publishes the "truth." Yet, she seemed not so much interested in "truth," but in finding "evidence" to fit a story. He reports that he attempted to explain that hackers generally are interested in Unix and she asked if she could make free phone calls if she knew Unix. Although the reporter stated to me several times that she had done her homework, my own conversation with her contradicted her claims, and if the reports of others are accurate, here claims of preparation seem disturbingly exaggerated. I also had a rather unpleasant exchange with Ms. McM. She was rude, abrasive, and was interested in obtaining the names of "hackers" who worked for or as "criminals." Her "angle" was clearly the hacker-as-demon. Her questions suggested that she did not understand the culture about which she was writing. She would ask questions and then argue about the answer, and was resistant to any "facts" or responses that failed to focus on "the hacker criminal." She dropped Emmanuel Goldstein's name in a way that I interpreted as indicating a closer relationship than she had--an incidental sentence, but one not without import -- which I later discovered was either an inadvertently misleading choice of words or a deliberate attempt to deceptively establish credentials. She claimed she was an avowed civil libertarian. I asked why, then, she didn't incorporate some of those issues. She invoked publisher pressure. Forbes is a business magazine, she said, and the story should be of interest to readers. She indicated that civil liberties weren't related to "business." She struck me as exceptionally ill-informed and not particularly good at soliciting information. She also left a post on Mindvox inviting "hackers" who had been contacted by "criminals" for services to contact her. >Post: 150 of 161 >Subject: Hacking for Profit? >From: forbes (Forbes Reporter) >Date: Tue, 17 Nov 92 13:17:34 EST > >Hacking for Profit? Has anyone ever offered to pay you (or >a friend) to get into a certain system and alter, destroy or >retrieve information? Can you earn money hacking credit >card numbers, access codes or other information? Do you know >where to sell it? Then I'd like to hear from you. I'm >doing research for a magazine article. We don't need you >name. But I do want to hear your story. Please contact me >Forbes@mindvox.phantom.com. However, apparently she wasn't over-zealous about following up her post or reading the Mindvox conferences. When I finally agreed to send her some information about CuD, she insisted it be faxed rather than sent to Mindvox because she was rarely on it. Logs indicate that she made only six calls to the board, none of which occurred after November 24. My own experience with the Forbes reporter was consistent with those of others. She emphasized "truth" and "fact-checkers," but the story seems short on both. She emphasized explicitly that her story would *not* be sensationalistic. She implied that she wanted to focus on criminals and that the story would have the effect of presenting the distinction between "hackers" and real criminals. Another of her contacts also appeared to have the same impression. After our less-than-cordial discussion, she reported it to the contact, and he attempted to intercede on her behalf in the belief that her intent was to dispel many of the media inaccuracies about "hacking." If his interpretation is correct, then she deceived him as well, because her portrayal of him in the story was unfavorably misleading. In CuD 4.45 (File #3), we ran Mike Godwin's article on "How to Talk to the Press," which should be required reading. His guidelines included: 1) TRY TO THINK LIKE THE REPORTER YOU'RE TALKING TO. 2) IF YOU'RE GOING TO MEET THE REPORTER IN PERSON, TRY TO BRING SOMETHING ON PAPER. 3) GIVE THE REPORTER OTHER PEOPLE TO TALK TO, IF POSSIBLE. 4) DON'T ASSUME THAT THE REPORTER WILL COVER THE STORY THE WAY YOU'D LIKE HER TO. Other experienced observers contend that discussing "hacking" with the press should be avoided unless one knows the reporter well or if the reporter has established sufficient credentials as accurate and non-sensationalist. Using these criteria, it will probably be a long while before any competent cybernaught again speaks to Brigid McMenamin. The Story Rather than present a coherent and factual story about the types of computer crime, the authors instead make "hackers" the focal point and use a narrative strategy that conflates all computer crime with "hackers." The story implies that Len Rose is part of the "hacker hood" crowd. The lead reports Rose's prison experience and relates his feeling that he was "made an example of" by federal prosecutors. But, asks the narrative, if this is so, then why is the government cracking down? Whatever else one might think of Len Rose, no one ever has implied that he as a "playground bully" or "hacker hood." The story also states that 2600 Magazine editor Emmanuel Goldstein "hands copies out free of charge to kids. Then they get arrested." (p. 188- -a quote attributed to Don Delaney), and distorts (or fabricates) facts to fit the slant: According to one knowledgeable source, another hacker brags that he recently found a way to get into Citibank's computers. For three months he says he quietly skimmed off a penny or so from each account. Once he had $200,000, he quit. Citibank says it has no evidence of this incident and we cannot confirm the hacker's story. But, says computer crime expert Donn Parker of consultants SRI International: "Such a 'salami attack' is definitely possible, especially for an insider" (p. 186). Has anybody calculated how many accounts one would have to "skim" a few pennies from before obtaining $200,000? At a dime apiece, that's over 2 million. If I'm figuring correctly, at one minute per account, 60 accounts per minute non- stop for 24 hours a day all year, it would take nearly 4 straight years of on- line computer work for an out-sider. According to the story, it took only 3 months. At 20 cents an account, that's over a million accounts. Although no names or evidence are given, the story quotes Donn Parker of SRI as saying that the story is a "definite possibility." Over the years, there have been cases of skimming, but as I remember the various incidents, all have been inside jobs and few, if any, involved hackers. The story is suspiciously reminiscent of the infamous "bank cracking" article published in Phrack as a spoof several years ago. The basis for the claim that "hacker hoods" (former "playground bullies") are now dangerous is based on a series of second and third-hand rumors and myths. The authors then list from "generally reliable press reports" a half-dozen or so non-hacker fraud cases that, in context, would seem to the casual reader to be part of the "hacker menace." I counted in the article at least 24 instances of half-truths, inaccuracies, distortions, questionable/spurious links, or misleading claims that are reminiscent of 80s media hype. For example, the article attributes to Phiber Optik counts in the MOD indictment that do not include him, misleads on the Len Rose indictment and guilty plea, uses second and third hand information as "fact" without checking the reliability, and presents facts out of context (such as attributing the Morris Internet worm to "hackers). Featured as a key "hacker hood" is "Kimble," a German hacker said by some to be sufficiently media-hungry and self-serving that he is ostracized by other German hackers. His major crime reported in the story is hacking into PBXes. While clearly wrong, his "crime" hardly qualifies him for the "hacker hood/organized crime" danger that's the focus of the story. Perhaps he is engaged in other activities unreported by the authors, but it appears he is simply a run-of-the-mill petty rip-off artist. In fact, the authors do not make much of his crimes. Instead, they leap to the conclusion that "hackers" do the same thing and sell the numbers "increasingly" to criminals without a shred of evidence for the leap. To be sure the reader understands the menace, the authors also invoke unsubstantiated images of a hacker/Turkish Mafia connection and suggest that during the Gulf war, one hacker was paid "millions" to invade a Pentagon computer and retrieve information from a spy satellite (p. 186). Criminals use computers for crime. Some criminals may purchase numbers from others. But the story paints a broader picture, and equates all computer crime with "hacking." The authors' logic seems to be that if a crime is committed with a computer, it's a hacking crime, and therefore computer crime and "hackers" are synonymous. The story ignores the fact that most computer crime is an "inside job" and it says nothing about the problem of security and how the greatest danger to computer systems is careless users. One short paragraph near the end mentions the concerns about civil liberties, and the next paragraph mentions that EFF was formed to address these concerns. However, nothing in the article articulates the bases for these concerns. Instead, the piece promotes the "hacker as demon" mystique quite creatively. The use of terms such as "new hoods on the block," "playground bullies," and "hacker hoods" suggests that the purpose of the story was to find facts to fit a slant. In one sense, the authors might be able to claim that some of their "facts" were accurate. For example, the "playground bullies" phrase is attributed to Cheshire Catalyst. "Gee, *we* didn't say it!" But, they don't identify whether it's the original CC or not. The phrase sounds like a term used in recent internecine "hacker group" bickering, and if this was the context, it hardly describes any new "hacker culture." Even so, the use of the phrase would be akin to a critic of the Forbes article referring to it as the product of "media whores who are now getting paid for doing what they used to do for free," and then applying the term "whores" to the authors because, hey, I didn't make up the term, somebody else did, and I'm just reporting (and using it as my central metaphor) just the way it was told to me. However, I suspect that neither Forbes' author would take kindly to being called a whore because of the perception that they prostituted journalistic integrity for the pay-off of a sexy story. And this is what's wrong with the article: The authors take rumors and catch-phrases, "merely report" the phrases, but then construct premises around the phrases *as if* they were true with little (if any) evidence. They take an unconfirmed "truth" (where are fact checkers when you need them) or an unrelated "fact" (such as an example of insider fraud) and generalize from a discrete fact to a larger population. The article is an excellent bit of creative writing. Why Does It All Matter? Computer crime is serious, costly, and must not be tolerated. Rip-off is no joke. But, it helps to understand a problem before it can be solved, and lack of understanding can lead to policies and laws that are not only ineffective, but also a threat to civil liberties. The public should be accurately informed of the dangers of computer crime and how it can be prevented. However, little will be served by creating demons and falsely attributing to them the sins of others. It is bad enough that the meaning" of the term "hacker" has been used to apply both to both computer delinquents and creative explorers without also having the label extended to include all other forms of computer criminals as well. CPSR, the EFF, CuD, and many, many others have worked, with some success, to educate the media about both dangers of computer crime and the dangers of inaccurately reporting it and attributing it to "hackers." Some, perhaps most, reporters take their work seriously, let the facts speak to them, and at least make a good-faith effort not to fit their "facts" into a narrative that--by one authors' indication at least -- seems to have been predetermined. Contrary to billing, there was no evidence in the story, other than questionable rumor, of "hacker" connection to organized crime. Yet, this type of article has been used by legislators and some law enforcement agents to justify a "crackdown" on conventional hackers as if they were the ultimate menace to society. Forbes, with a paid circulation of over 735,000 (compared to CuDs unpaid circulation of only 40,000), reaches a significant and influential population. Hysterical stories create hysterical images, and these create hysteria-based laws that threaten the rights of law-abiding users. When a problem is defined by irresponsibly produced images and then fed to the public, it becomes more difficult to overcome policies and laws that restrict rights in cyberspace. The issue is not whether "hackers" are or are not portrayed favorably. Rather, the issue is whether images reinforce a witch-hunt mentality that leads to the excesses of Operation Sun Devil, the Steve Jackson Games fiasco, or excessive sentences for those who are either law-abiding or are set up as scapegoats. The danger of the Forbes article is that it contributes to the persecution of those who are stigmatized not so much for their acts, but rather for the signs they bear.