Negative Feedback (Summer, 1990) -------------------------------- Bringing the Phrack story to the attention of the public was no easy task. But it would have been a lot harder were it not for the very thing that the whole case revolved around: the electronic transfer of text. By utilizing this technology, we were able to help the Phrack case become widely known and one of the more talked about subjects in conferences, electronic newsletters, and BBSs. As with anything controversial, not everyone agreed. We thought it would be interesting to print some of the pieces of mail (electronic and paper) from people who didn t like what we were doing. Keep in mind that (as far as we know) these people are not 2600 subscribers and, in all likelihood, have never even seen a copy. (Our replies appear in italics.) "I suppose you've had this discussion an infinite number of times. Nevertheless.... That old analogy of breaking into somebody's house and rummaging around is quite apt. Nowadays, there are virtually no computers on line that are not protected by password access. Doesn't that put you in the position of a person with knowledge of picking locks? Such knowledge is virtually useless to anybody but a thief; it rarely is of use even to the small community of locksmiths. While I agree that 30 years in the federal slams isn't a just punishment for picking a lock, I suspect that most people found guilty of breaking and entering get lighter sentences, which are probably equally justifiable for computer burglary or whatever criminal label you'd wish to assign to password hacking. Do hackers do a service? I don't see why. Any mechanical lock can be picked. Probably any electronic scheme can be defeated as well. Yet nobody argues that teenagers should set themselves up as freelance security analysts picking everybody's lock to see if it can be done. If hackers didn't already know they could probably get in, what would be the point? I see password hacking as a modestly criminal activity somewhere between vandalism, window peeping, and breaking and entering in seriousness, with deliberate destruction or screwing with information as a potentially serious offense depending on the type of information or system screwed with. Is it necessary to hack passwords in order to learn about computers? Hardly. The country is full of personal computers on which many valuable things may be learned. The cities are full of community colleges, night schools, and vo-tech institutes all clamoring to offer computer courses at reasonable rates. There are even federal assistance programs so the very poor have access to this knowledge. This means that it is unnecessary to commit socially irresponsible acts to obtain an education in computers. The subjects you learn when password hacking are not of use to professional computer people. None of the people I work with have to hack a password, and we are otherwise quite sophisticated. Privacy is a right held dear in the United States; it's wired into the Bill of Rights (search and seizure, due process, etc.) and into the common law. You will find that you can never convince people that hacking is harmless simply because it violates people's perceived privacy rights. It is one of the few computer crimes for which a clear realworld analogy can be made, and which juries understand in a personal way. That's why the balance has begun to tilt toward heavier and heavier sentences for hackers. They haven't heard society telling them to stop yet, so society is raising its voice. When the average hacker gets the same jail term as, say, the average second degree burglary or breaking and entering, and every hacker looks forward to that prospect, I suspect the incidence will taper off and hackers will find different windows to peep into." --- There is a common misconception here that hackers are logging into individuals computers, hence the walking through the front door analogy. You'll see it in the letters that follow as well. In actuality, hackers are not interested in violating privacy or stealing things of value, as someone who walks through your front door would be. Hackers are generally explorers who wander into huge organizations wondering just what is going on. They wander using the computers of these huge organizations, computers that often store large amounts of personal data on people without their knowledge. The data can be legally looked at by any of the hundreds or thousands of people with access to this computer. If there's a violation of privacy here, we don't think it's the hackers who are creating it. This letter raised an interesting point about the "right" way to learn, something many hackers have a real problem with. Learning by the book is okay for people with no imaginations. But most intelligent people will want to explore at some point, figuring things out as they go. Ironically, classrooms and textbooks often discourage people from learning because of their strict limitations. And it's common knowledge that the best programmers are those who are self-taught. As to the poor having easy access to high technology, this is simply not true. In this country, education is a commodity. And if you don't have the money, you're really out of luck. This is becoming increasingly true for the "middle class" as well. --- "Using the term 'hacker' to refer to people who break into systems owned by others, steal documents, computer time, and network bandwidth, and are 'very careful not to publish anything illegal (credit card numbers, passwords, Sprint codes)' is derogatory and insulting to the broad hacker community, which is working to make the world a better place for everyone." --- There has been an ongoing move afoot by older hackers to distance themselves from what they perceive to be the "evil hackers." Their way of doing this has been to refer to all of the "evil hackers" as crackers. While it s a fine tradition to create new labels for people, we think it s a big waste of time here. There is a well-defined line between hacking and criminal activity. Hackers explore without being malicious or seeking a profit. Criminals steal, vandalize, and do nasty things to innocent people. We do not defend people who use other people's credit card numbers to order huge amounts of merchandise. Why should we? What has that got to do with hacking? While we may find interest in their methods, we would be most turned off by their motivation. There seems to be a general set of values held by hackers of all ages. --- "I recently read a post to the Usenet (comp.risks) describing recent events related to the crackdown on hackers. While I feel strongly that federal agencies should be scrutinized and held accountable for their activities, the above mentioned post gave me reason for concern that I thought you should be made aware of. It seemed to me a great irony that the poster was concerned about the invasion of the privacy of BBS operators and users, and yet seemed willing to defend the (albeit non-destructive) invasion of privacy committed by hackers. I am a graduate student who recognizes the immense importance of inter-network telecommunications. Institutions such as Usenet are becoming vital for the expansion, dissemination, and utilization of creative thought. Any activity which breaches security in such networks, unless by organized design, is destabilizing and disruptive to the productive growth of these networks. My point is this: I am Joe grad student/scientist, one of the (as yet) few that is 'net aware.' I do not want Federal agencies reading my mail, but neither do I want curious hackers reading my mail. (Nor do I want anyone reading company XYZ's private text files. Privacy is privacy.) I agree that the time for lengthy discussion of such matters is past due, but please understand that I have little sympathy for anyone who commits or supports invasion of privacy." "I just finished reading your call to arms, originally published in the Spring 1990 edition. I was royally disgusted by the tone: you defend the actions of computer criminals, for which you misuse and sully the honorable term hacker by applying it to them, and wrap it all in the First Amendment in much the same way as George Bush wraps himself in the American flag. Bleech. Whatever the motivations of the cyberpunks (I like Clifford Stoll's term for them), their actions are unacceptable: they are breaking into computers where they're not wanted or normally allowed, and spreading the information around to their buddies. Their actions cause great damage to the trust that networks such as Usenet are built upon. They have caused innocent systems to be shut down because of their actions. In rare cases, they may do actual, physical damage without knowing it. Their excuse that 'the only crime is curiosity' just doesn't cut it. It is unacceptable for a burglar to break into a house by opening an unlocked door. It should be just as unacceptable for a cyberpunk to break into a system by exploiting a security hole. Do you give burglars the same support you give cyberpunks? The effort to stamp out cyberpunks and their break-ins is justified, and will have my unqualified support. I call upon your journal to 1) disavow any effort to enter a computer system without authorization, whatever the reason, and 2) stop misusing the term 'hacker' to describe those who perpetrate such electronic burglary." --- We respectfully decline to do either. --- "I just received the 2600 article on the raid of Steve Jackson Games, which was posted to the GMAST mailing list. It's worrying that the authorities in the U.S. can do this sort of thing I don't know what the laws on evidence are, but surely there's a case for theft? Taking someone's property without their permission, when they haven't committed a crime? My only quibble is that the 911 hackers are not innocent. Yes, they may well be innocent of computer vandalism, forgery, etc. (the only consistent truth about newspapers is that they couldn t get facts straight to save their lives) but they have still entered a system and looked at a private document (assuming I understood your article correctly apologies if I'm wrong). People should have a right to privacy, whether those people are ordinary users, hackers, or large companies, and it should not be abused by either hackers or the authorities. Consider the non-computer analogy: if someone broke into my house and started going through my things, I would be severely unhappy with them and I would not appreciate a suggestion that they had a right to do so because they happened to have a key that fit my door! What does the entire 911/Steve Jackson Games escapade tell us? Well, it's not all that new that the government (like most such things) requires careful watching, and I'm not too happy about how the last I'd heard, an agent had told SJ Games they wouldn't get all of their hardware back, even though no charges had been filed. (Can you say legalized thievery boys and girls? I knew you could.) But the main thing that moves me to write this missive is the indication from the published article that the authors, and thus quite likely also the party responsible for copying that document and circulating it still do not quite understand what the individual responsible did. Accordingly, and in the hopes that if this circulates widely enough he or she will see it, the following message: OK - all you did was get into Bell South s computer system (mostly proving that their security sucks rocks) to prove what a hotshot hacker you were, then made a copy of something harmless to prove it. Sheer innocence; nothing to get upset about, right? Want to know what you did wrong? Well, for starters, you scared the U.S. government and pointed it in the direction of computer hobbyists. There are enough control freaks in the government casting wary eyes on free enterprises like BBS systems without you having to give them ammunition like that. Bad move, friend, bad move. You see, the fact that you didn t damage anything, and only took a file that would do no harm to Bell South or the 911 system if it were spread all over the country is beside the point. What really counts is what you could have done. You know that you only took one file; Bell South only knows that one file from their system turned up all over the place. What else might have been taken from the same system, without their happening to see it? You know that you didn't damage their system (you think that you didn't damage their system); all Bell South knows is that somebody got into the system to swipe that file, and could have done any number of much nastier things. Result the entire computer you took that file from and its contents are compromised, and possibly anything else that was connected with that computer (we know it can be dialed into from another computer that's how you got on, after all!) is also compromised. And all of it has now got to be checked. Even if it's just a batch of text files never used on the 911 system itself, they all have to be investigated for modifications or deletions. Heck just bringing it down and reloading from backup from before you got in (if they know when you got in) even if no new things were added since would take a lot of time. If this is the sort of thing that $79,449 referred to, I think they were underestimating. You cost somebody a lot of time/money, you almost cost Steve Jackson Games their existence, you got several folks arrested for receiving stolen goods (in essence), you endangered a lot of bulletin boards and maybe even BBS nets in general. Please find some other way to prove how great you are, OK?" --- In other words, ignorance is bliss? Don't show the world how fragile and vulnerable all of this information is and somehow everything will work out in the end? We have a lot of trouble with that outlook. Incompetence and poor design are things that should be sought and uncovered, not protected. --- "I've just read the rather long article describing the investigations of BBS systems in the U.S. While the actions taken by the investigators sometimes seemed extreme, I would ask you to consider the following simple analogy: If you see the front door of someone's house standing open, do you feel it's appropriate to go inside? See, it's still a crime to be somewhere you're not supposed to be, whether damage is done or not. Wouldn't you be upset if you found a stranger lurking about your house? It's a violation of privacy, pure and simple. As to the argument that people are doing corporations a 'service' by finding security loopholes, rubbish. Again, would you appreciate a person who attempts to break into your house, checking to see if you've locked your windows, etc.? I think not. The whole issue is very easily summarized: it's not your property, so don't go near it. I have not sent along my phone number since there are a few people out there who would try to retaliate against my computer for what I am going to say. I have not read such unmitigated BS since the last promises of Daniel Ortega. You object to the 'coming through my front door and rummaging through my drawers' analogy by mentioning leaving the front door open. In the first place, by what right do you enter my house uninvited for any reason? That can be burglary, even if all you take is a used sanitary napkin. (By the way, in Texas, burglary of a habitation (house) is a first-degree felony 5 to 99 or life.) Burglary is defined as the entry of a building with the intent to commit a felony or theft. Entry of or remaining on property or in a building of another without the effective consent of the owner is criminal trespass and can get you up to a year in the county jail. When you go into someone's property, even electronically, you are asking for and deserving of punishment if you get caught. Is the nosy 14-year-old going to be any less dead if the householder sees him in the house at 3:00 am and puts both barrels of a 12-gauge shotgun through him? (Not knowing that the late 14-year-old was only there 'to learn'.) As to storming into a suspect s house with guns, etc., what the hell are they supposed to do? Take the chance that the individual is armed with an assault rifle? As to the Phrack case, I have read the indictments, and if the DOJ can prove its case, these individuals (one called by his own counsel 'a 20-year-old nebbish') deserve what they get. Neidorf had to know the material he published was private property, and the codefendant who cracked the Bell South files had to know he had no right to do so. The fact that much of the information was publicly available from other sources is both immaterial and irrelevant. Is it any less theft if you steal my encyclopedia rather than my silverware? But breaking into a computer is not walking through an unlocked door. Access by unauthorized people is only through an act which is illegal in itself. Whether the motive for the act is good, evil, or indifferent is of no consequence. You have no right to enter my computer without my authority than you do to enter my house! You seem to have the idea that if the entry is for experiment or fun and not for profit, then it is OK. BS and you know it. You say you've been hacked yourself and you blame the people who sold you the product or service, not the hacker. You would blame the Jews in the 40s, not the SS? Also, if someone breaks into my office and only reads the files of my clients doesn't take anything has he harmed them by seeing information that is none of his business? What we've got is one more expression of the 'spoiled brat syndrome.' 'I can do it, so I may do it and don't you dare punish me if I get caught.' Children, I have news for you! I catch you in my house at 3:00 am, I'll fill your behind so full of buckshot you'll walk like a duck for the rest of your life. I catch you in my computer, I'll have the Secret Service on you like ugly on an ape. A corporation has the same right to privacy as an individual. Due to business necessity, they may have to leave their computers on 24 hours a day. Where is it written that any asshole who can figure his way into the company's computer can do so with impunity? More fittingly, if he is caught, he should be publicly flogged, as I do not like the idea of supplying him with three hots and a cot for five to life. I might add that in Texas, any unauthorized entry to a computer is a crime and can be anything from a Class B misdemeanor to a third degree felony depending on the circumstances - that works out to anything from one day to ten years in jail. Some fun and games."