An Interview With Hugo Cornwall
by John Drake
Where did you get your alias from?
It was actually derived over a rather drunken lunch with the publisher, all that I had decided that it was to be a pseudonym, but I will explain genesis. Originally it was going to be Hugo Cornwell with an "E" rather than an "A" because David Cornwell is the real name of John le Carré, a spy writer who I rather admire - he has also got a number of talented brothers and sisters. So the original thought was that it was going to be, in order to mislead the public, yet another member of a very talented family.
But at the time a number of the elite hackers were operating under the name Penzance, a SIG called Penzance which had originally been called The Pirates of Penzance for fairly obvious reasons. So Penzance is in Cornwall, so that's how I came about. So we decided to call it Cornwall with an "A" and Hugo was chosen as a Christian name simply because I think it is one of the less likely names I could possibly have.
How did you start off as a hacker?
Not very deliberately. I got into communicating computers probably very early round about 1978 and I just got very curious about what was going on in big computers and liked to drop in and eavesdrop and no one particularly seemed to mind and I never thought of it particularly as naughty or illegal but if I picked up a phone number or a password then I simply carried on collecting it.
I ended up with a few sheets full of these things and I would pass them around to friends out of curiosity and it wasn't probably until 1982 or 1983 that I became aware that there were not just other people collecting [in a] similar sort of way but there was a proper culture outlet called Hacking and I said, "O.K., well I suppose I am a hacker."
What did you do previous to hacking - did you have any other interests that were along the same line?
I guess I have been interested in what I call in the book the larger area of tech phreaking. In other words, making technology misbehave in the nicest possible way. I got interested in that when I was an undergraduate at Oxford and everyone I knew was interested in phone phreaking and that in fact one of the best phone phreakers was one of the dons and in the primitive sort of phone system that operated there you could really do a lot. So I was interested in that.
I certainly got interested in what we over here in England called bunker hunting. In other words, trying to find out secret sites used by the government and also by the U.S. government. There was partly a political motive in that but it was really rather a lot of fun.
I got interested also in the brief illegal citizen band radio thing that was going on in this country. I got a radio amateur license and I got also very interested in those parts of the radio spectrum that are not terribly well advertised.
In most countries in the world, western world, you can buy books that tell you where all the various services lie. You can't in this country or you couldn't until very recently and I say [it] was great fun trying to work out the pattern of the allocation of the frequency bands and then using radio scanners [to] actually eavesdrop on them. You know although some of the stuff is now more widely known, there is a lot of the stuff that isn't known. There are a handful of people in this country who are really rather good at it.
How do the laws in the U.K. versus the U.S. encourage this type of investigation?
How do they encourage it? Well they discourage it really. It is done in two ways.
First of all there is a lot less published in this country. We have got much tougher about what we publish. We don't have a Freedom of Information Act. Anything that is generated by the government is deemed to be secret unless [it] has been specifically released for publication so there is a hell of a lot less information that is openly available. So there is that one aspect.
The other aspect is that a lot of our laws are all enveloping in theory though they're widely ignored in practice. There is a contrast to the United States in particular. I know less about Canada and that is if you look specifically at hacking there is no specific anti-hacking legislation.
You can be done for stealing telephone time if you look at telephone hacking, stealing electricity sometimes. You can be done for stealing CPU time on a computer and recently they have done two people for forgery which is basically using passwords to which they are not entitled and that case is going to appeal.
What was your motivation for writing "The Hacker's Handbook"?
The motivation was that I was asked to do it and it was very very easy.
The way it happened was a man who was a hacker by interest and a publisher by profession wrote/scrawled a note on a bulletin board saying does anyone want to write a book on hacking and I wrote back not very seriously, in effect saying [you] cannot be serious, it can't be done. He wrote back, said I don't know, call me back and we will have a chat about it. I rang up, said/listed all the obvious things, why all the obvious reasons shouldn't be published and he sort of had a debate with me and at the end of it I felt maybe it could be done.
I wrote him a synopsis within 24 hours. 24 hours afterwards he said it was terrific, would I mind waiting two or three days till he had his editorial meeting, but he wanted to do the book and at the end of all of that, you know within one week, beginning of the week I hadn't thought of writing the book, I hadn't thought of writing any book in fact and at the end of the week I actually had a contract.
So I would have never written a synopsis for the book, I would have never hawked it around publishers but since there was the opportunity and I had already thought about the synopsis, I thought, well why not and I did. There was no great burning desire, there was an opportunity... so I went ahead and did it.
What has been the public/business and media response to your book?
There was a great deal of interest, the book was for several weeks on The Sunday Times Best Seller List so it was competing with some pretty popular items. I think it got popular interest largely because a reporter on The Sunday Times rang up the head of The Computer Security Squad at Scotland Yard [and] asked his comments. The man hadn't read the book but said sufficient for her to be able to headline a story "Yard Condemns Hacker Book." This immediately made the book appear very very important and very very serious and after that it took on a life of its own and I was from my amenity the whole thing with a great degree of amusement.
Those people who knew anything about hacking decided that it was not a very interesting book and I never thought that it would do but it obviously excited a lot of other interest. I think people created the book for themselves - they badly wanted a book about hacking, they wanted to make hackers into some sort of modern myth and my book happened to be around to capture all of that interest. Though there was a great deal of luck in it.
One of the effects of the Scotland Yard condemnation is that the books that hadn't been very widely distributed up till then, the original print run was very small, disappeared very rapidly from the bookshops and it created a further myth that the book had been banned in some way so everyone was rushing around like mad to get hold of them until about a few weeks when the book trade had recovered, copies were there, people grabbed it like crazy for fear that it [was] really going to disappear.
About two weeks after the book was published, a couple of guys were arrested for hacking the Prestel system and the newspaper reporters decided that one of those people was me, so there were headlines saying "Hacker Author Arrested" and things like that and again it wasn't true but it all helped sales.
It was really quite a phenomenon and I do say to all hackers the attention that the book got was somewhat undeserved and I feel a little bit apologetic among serious hackers for sort of getting lucky.
In the first book you had a schematic for the Black Box. In the sequel it wasn't there. What was British Telecom's response to the book and how did it influence you in a sequel?
Well, the decision to take it out wasn't mine, it was the publishers, in fact it went in three stages. It was in the first edition the schematic was there complete with values for the various components and then gradually everything disappeared. I don't know that British Telecom did anything very much other than to condemn [the book] and what the publishers decided not unreasonably that things were getting a little bit hot and they [anticipated] trouble and removed the stuff so that they could show that they were being responsible. I think that is the way it happened.
British Telecom said that they didn't approve of that sort of thing, that you know there are hackers on British Telecom's staff as you might expect so you know I think to answer to my certain knowledge a lot of people within British Telecom found it amusing and I also have reason to believe that some of the British Telecom security people were not displeased about the book because it made everyone a lot more alert about the use of passwords.
There is some evidence also to show that quite a few of the books were actually sold either to computer security people or sold by them to, if you like, their customers in essence to say, "Look how easy it all is, read this book and be aware."
How would you say that U.K. hackers would be different from U.S. hackers?
I think that the difference is of subtlety rather than of essence. I think there are two areas of difference. First of all my guess is that the majority of U.K. people, U.K. computer enthusiasts, that have modems probably acquired them about two or three years after the majority of U.S. equivalents.
That's really a question of how modems are sold. When I first got interested in computers, the only modems that were available were from British Telecom. You couldn't buy them over the counter in the shop and you had to buy them on rental and they were very expensive. If you had them, you either had fairly illicit ones, ones that had been modified from U.S. use and that was only of limited use or you had these very expensive ones which were registered with British Telecom.
So you got this two or three year gap. The second way I think is that again although it wasn't the case for me, most British enthusiasts, their first database they called into was going to be Prestel which is a Videotex system 75/1200 baud. The communication software that they had was for that as well. It meant that a lot of their hacking was either into Prestel or into systems which looked like it.
Of course there was the university situation in the states where people would tend to be looking at microl clue de grass teletype services 300/300. I suppose that American hobbyists would call into The Source or into a BBS. After Prestel had been going for a bit then in the early eighties you started to get the BBS which people used 300/300. I also think that because there were so many Videotex services, Prestel and type UH services to look at that on the whole British hackers weren't so much interested in big computer networks so it took them a bit longer to discover PSS and the various university networks like JANET (Joint Academic Network) and things like that.
In essence there is very little difference in the culture but a slight difference of preoccupation in terms of what they are looking for.
As a system, what do you think of Prestel?
You could go on and on and on about that. Prestel is extremely interesting as a matter of history. It had enormous ambitions, but its ambitions were all formed about the year 1975 which was eons before anyone visualized the home computer as being possible, so Prestel visualizes and suffers from it. People accessing computers via their television sets. Which is why you got a 40 by 24 character display, these rather curious graphics which was a function of the belief that memory was going to be unbelievably expensive and that 1k of display memory was really as far as you could go.
Also that the ordinary untrained person could never be expected to actually type words into a machine, you had to have all your commands being sole numbers. So you got this curious electronic card file type of structure and everything is available via pages or very simple numeric routing commands. Because Prestel is stuck with all of this sort of thing and if you like human knowledge about computers moved on fast, Prestel has to become more sophisticated, remain compatible with its 1975 format and a lot of the things you would want to be doing on a public access database, unbelievably clumsy.
For example, you can order things, all the shopping and what have you, but you have to do it via a system called a gateway which is essentially, the way it works is that the gateway opens to receive a command string from you and it closes, the command string is processed in the remote computer, the gateway opens to give you the answer and closes again so on and so forth. Any more slightly more complicated interaction is unbelievably slow.
You could run an online service with view data as the front end processor, but it looks ridiculous, it behaves in a ridiculous format, so for certain types of services I suppose it's not too bad, it's like retaining a horse and buggy type of system when everyone is going around in gas driven internal combustion engines.
Can you see Prestel evolving from what it is now?
I don't think it will do, they're trying to make it evolve but I think it is going to remain as a historic curiosity. It's fairly [acceptable] in one or two industries, particularly the travel trade; it's quite useful for fast moving financial data. It will make very, very small movements but it will be relying on its installed user base. The way people are using it now is via emulators on personal computers. On my personal computer I obviously got Videotex, Prestel in other words type software and it's no effort to call into Prestel or any of the other online services.
I just can't see any electronic publisher saying, "Christ Almighty, we're really going to have to use this thing, this is wonderful." In fact, most electronic publishers nowadays publish in a variety of formats, they publish in an online format, they publish in a Videotex format, and of course if their material is suitable they would also be thinking about publishing in a CD-ROM type format and anything else that becomes available. It's merely a format and the decision to publish in it is "Well, are there going to be enough people out there to make it worth my while?"
Electronic publishing in the form that you mentioned, how does it work over here, everything is online?
Well, you have a variety of systems, electronic publishing for the financial community, which is obviously the most lucrative area, is still very hardware bound in that if you want to get the service then the way the supplier wants to let you have it is that you have to buy his hardware and feed it down the leased line as well as getting the service.
That's the case with Reuters, they are under a lot of pressure to get rid of that and that is applied to most other services. You can hack into them because there is always exhibition/demonstration lines, dial-up lines available and then if you can fiddle with a personal computer system cleverly, you can get the services. Other forms are basically available online and you get it via PSS which is the British Telecom equivalent to Telenet or Tymnet.
There are also data-nets that use a Prestel like format but are not Prestel and you can get a number of services that way as well for example the equivalent to TRW for credit checking data is called CNN, that's available in the Videotex format. That doesn't come out via postal, it comes out via its own data network and there are other data networks with other services on them as well. So that's basically how it works.
Have you planned any future books on computer crime?
Well, I am writing a much more serious book at the moment called "Data Theft" which is intended for the chief executive officer of the CDO market and that is encouraging those people to the belief that they can't leave data security to a mere technical functionary. Though it is much more preoccupied with industrial espionage and fraud. It is not going to be in any way a tongue-in-cheek book.
Out of the Inner Circle was alleged to be a book on computer security, but is manifested for hackers. This is a book on computer security and it is intended for chief executive officers and I don't think hackers would find it of any direct interest though I hope they are going to read it.
One of the things I do want to get over is this notion that most computer crime is committed by insiders, computer criminals are normally employed by their victims. I want to talk a lot about police training or rather the lack of it and lack of responsive criminal code to cope with it. I still see that there is a lot of room for frolicking with technology and I really like to promote hacking to what I believe is its rightful place - something for a tiny, tiny minority to amuse themselves with, without actually causing any serious harm to anybody.
In the book The Rise of the Computer State the author put forward the premise that there is no defense against computer bureaucracy and having files built up on pretty well everybody, everything, and every move. Could you see hackers as a possible defense?
I have been asked this question in a slightly different form before. Not really, I think the mode of defense is that although these files can be built up, the files themselves are not necessarily terribly reliable.
One of the great problems with interpretive data is that they collect together so much information and so much gossip that although they can have it all on the screen in front of them they don't know whether it's terribly reliable. The value of the hacker I think is [a] somewhat dubious one in all of this. One of the reasons why I think there is so much room in people's hearts for the hacker is that they believe the hacker is going to provide that sort of defense which you were describing.
I actually wrote a piece for one of the papers about it [about] folk heroes arising, for example King Arthur is a very potent figure, Robin Hood is a very potent figure, and the potency of these things is that King Arthur is going to be [the] once and future king. Robin Hood, you know not a great deal is known about Robin Hood, but the great thing was that he stole from the rich to give to the poor and that probably is why he is remembered.
I think it is this idea that the hacker can somehow fight back, that's the reason why non-hackers admire them so much. I am afraid I don't believe that hackers are sufficiently good or sufficiently powerful or sufficiently able to combat that. I do think that every now and then though what a hacker can do is if he is very lucky, expose the stupidity [of] some of the power that is held on computers and maybe just enough that there is that element of defense that you're looking for.
But on the whole I would say the outlook for people/individuals in the computer age is not terribly good.