A Reader's Reply to Captain Zap
by The Rancid Grapefruit
Query: "What happens to inept computer criminals who get caught?"
Answer: "They open up 'security' companies and start preaching to an extremely gullible public - usually casting themselves as some kind of 'hacker expert' whereas the only thing they are 'experts' at is getting caught."
The opening comments have absolutely nothing to do with Captain Zap, whose reputation is impeccable, and we most certainly would not want people to misconstrue the comments as a vicious attack on his person. Lord, no...
Obviously, we disagree with Captain Zap's brilliant observations on the state of "Hacking and Phreaking." If we did agree with him, we'd hardly be writing this swell response, eh?
"The ongoing wave of computer crime that is being reported in the media around the world shows" the shallowness of the media's never ending quest for anything that will titillate a technology-ignorant public, and push up the ratings of whatever publication or feed happens to be catering to the public's fear of technology on that particular occasion.
"An Interpretation of Computer Hacking" is just that: Captain Zap's personal opinion on the subject. In the first several paragraphs, Zap essentially summarizes the opening chapter of almost any given "Beginner's Introduction to Computers" and somehow manages to pass off observations that have already been made a few hundred times as his own "ideas." The only real mystery to us is why he decides on "16 Megabytes of RAM" as an arbitrary amount of memory that "today's personal computers" are supposedly equipped with.
This leads into the "information is power" spiel, and the inevitable arrival of ISDN wherein phones and computers will become one glorious entity and live happily ever after.
All of this ends up with Zap giving you his opinion on "The Dawn of Phreaking," the usual mention of Draper and Blue Boxing, followed by a summary of the boxes that matches slang to function, and terminating with a simplified account of toll fraud where Zap babbles about the various OCC's for a while.
Although we were very impressed by the programming ingenuity of the supplied "WarGames dialer" listing, and find ourselves constantly looking to the first section of Zap's article when we feel lost or at a need for guidance, we will regrettably have to let it stand. Since aside from the ill-chosen "highlights of yesteryear" there is nothing there that hasn't been discussed or otherwise summarized too many times in the past. As such it would be a waste of our time to do so yet again.
Hacker Communications! Shhhhh! Secrets being exchanged!
While we don't dispute the fact that people do call each other, sometimes in large groups hooked together on a conference (without paying for it, gasp!), rarelyis the purpose of a conference to "pass information over to other hackers that can work on a problem and compare results and plan for more tactical attacks to the target system." The usual reason a conference starts is because one kid is bored and wants to talk to a bunch of his peers at the same time. What takes places on almost any given conference is a bunch of screaming kids harassing TSPS operators, calling pizza parlors in Europe, and in general pranking or annoying anyone they can think of at the moment.
"Attacks" placed on Bell System computers are usually the result of one kid - who is not some genius; rather he's quite often the friend or relative of somebody who understands the concepts involved, not only the commands - who thinks it would be a blast to turn off CAMA on a few switches, or disrupt COSMOS operations. All of this potential damage is made possible by the RBOCs themselves, which provide extremely minimal security that is more of a study in faulty security techniques and shoddy organization than any kind of obstacle to the potential hacker.
While "computing power" is now within reach of a vast number of people, almost all of that "vast number" are ignorant as to their system's potential. In fact, most never get beyond running their spreadsheet or doing taxes on that wonderful PC with "16 MB RAM." And if they ever do sink into the sordid depths of depravity and actually try something awful like making a bit copy of someone else's program and Xeroxing its manual, it's our personal belief that the world will in all probability not come to an end. Of course, we could be wrong.
Almost all potential hackers are little kids with a lot of time on their hands, and most of those kids will never get anywhere because they are not brilliant, or in any way gifted - regardless of what the public might think of them. The vast majority of people that the public views as computer geniuses are quite average teenagers whose only "skill" is calling up boards - with "better security than most large computer systems" - and blindly applying things they see posted on them, without understanding what they are doing. Granted this is a "threat," but it's the only threat that boards pose. And the only reason it's a problem to begin with is because the "threatened" organizations or companies have ridiculously bad security.
While it is true that more people now own personal computers than at any other time in history, the overall effect of this influx of new hackers is negligible. Instead of one kid annoying his local CO from information he found on some board, there are 10 kids using the same information from the same board to harass the same CO. In short, there is a deluge of "idiot savants" who are capable of doing no more damage than trained chimps.
The Bulletin Board Systems
Bulletin Board Systems (BBSes) pose a possible threat for the simple reason that the more highly skilled users will post potentially dangerous information in a place where the "idiot savants" can read it. The better-versed user's reason for posting it is ego gratification. Regardless of what he claims, the only incentive he has to post this information is an ego boost. He already knows that the "idiot savants" are going to do something stupid with the information, at worst simply making it valueless, at best flexing their muscles and showing their target how vulnerable they are to an outside attack.
Granted, if BBSes didn't exist, much of the trouble various people and companies now experience would vanish along with the "idiot savants." But the only thing the boards really do is provide a forum for the more intelligent users to bask in the adoration of fools. They are not some great organized crime wave of the future; they are simply used by several thousand bored kids, the great majority of them trying to live out some kind of power trip while the remaining minority congregates together because they like being surrounded by those they view as their peers.
In summary, boards are a social medium - not the forefront of some well-orchestrated, nationwide attack on loopholes in "the system." Just about any issue of Soldier of Fortune contains all the information you could possibly want about where to obtain books on plastic explosives, nerve gas, special weapons, electronic devices, and anything else that has been dreamed up. You hardly need a BBS in order to have access to that kind of knowledge.
In fact most of the information posted on the "death and destruction" subs of boards is a word-for-word copy of some article that originally appeared in one of these books. The only crime taking place is copyright infringement.
Specific Responses to Some of Zap's Statements
Let's cover Zap's statements one by one:
*) "Such information like dial-up port numbers, logons, and passwords are common information available to the main hacker population." No shit. It's also common information available to anyone who calls up any of the carriers and requests it. The logons and passwords are usually the end result of credit card fraud, and have nothing to do with the ingenuity of hacking into a system.
*) Zap's entire spiel on board security, the "select few", and the security of hacker boards takes place for the most part in his head and nowhere else. The only reason most people never move into these hallowed ranks is because they have somehow convinced themselves that this isn't possible. The only thing separating you from anything you want to access is ignorance of how the sysops' minds function and the reality of how security works, as opposed to the ridiculous fantasies presented by Zap.
Assuming a sysop had no life outside of his board, and he got paid by the hour to sift through all of those records of his potential users, all he'd accomplish would be to weed out people who didn't know how the system worked. Anyone who wanted access and understood the basics of how to falsify information would still gain entry, and the end result is a security breach. There is no such thing as perfect security. When anyone "builds a better mousetrap,' a few days later an inventive person will "build a better mouse."
In any case, the security examples presented by Zap do not exist on any private or "elite" phreak or hacker BBS now in existence. If the sysop claims that is what they do, it's simply meant to scare potential users into submitting valid information which the sysop doesn't bother to verify beyond the telephone number.
*) Disclaimers and Clauses: Whether Zap's comments originate from actual ignorance or simply a desire to knowingly misinform, is unknown to us.
A disclaimer, any disclaimer, will have very little value in any kind of legal situation. While the sysop might feel better if "it's not my fault" and "for information purposes only!" are splattered over every part of his board, it isn't going to make any difference to any judge in any court! Disclaimers are not legally binding. All they do is take up space and lull sysops into a false sense of security.
Thinking you're safe because you have a good disclaimer translates out to "ignorance is bliss." If you haven't had any trouble with law enforcement agencies to date, it only means that they don't know about your existence (buried as you are amongst 1,000 other quasi-legal BBSes), or that they know and don't care because you aren't doing anything that they're worried about.
*) Tele-Trial: I can't believe this! Zap, where ya been for the last three years? Tele-Trial was a ridiculous "electronic tribunal" started by King Blotto as a joke. For whatever reason, he started taking himself seriously and for a few months in 1985 "Tele-Trials" were being held, in which "electronic execution" took place and stupid kids cried about being thrown off Blottoland and being declared "uncool!" (The horror!)
It is impossible for anyone to enforce any "ruling" over anyone else in the modem community. The boards are not all interconnected and what one person, or group of people, declares as "law" on one system, or set of systems, is utterly meaningless to the hackers the next area code over. And even to the people involved with those specific systems, it only pertains to them if they want to play the game. There is nothing preventing an "exiled" person from picking up a new handle and starting over.
Aside from the complete impossibility of enforcing such "rulings" over anyone but the most brain-damaged kids, all of this is nothing more than a history lesson.
Tele-Trials have been over since the summer of 1985.
As for Richard Sandza, Tele-Trial still existed at the time of the publishing of his articles for Newsweek. The "Tele-Trial" he was put on was simply a conference of abusive kids who felt that he had given hackers unfair treatment. In retaliation they threatened him: a Captain Quieg posted his credit report and numerous kids ran up bills on his credit cards, sending assorted junk to his house.
Hackers cannot "perform the destruction" of anyone. All they can do is scare the shit out of "normal" people who are shocked that a bunch of kids can get their unlisted number, credit cards, and various other records, and abuse them.
In any case, Sandza is something of an exception since he managed to piss off a large percentage of people who were in a position to make life hard for him in return. Most people who disagree with him can write a complaint to Newsweek, but if you have the ability to bring your displeasure to his personal attention, in a way that will ensure he gives notice to it, wouldn't you do the same thing? After all, it isn't Newsweek you're mad at, it's Richard Sandza. Some of you probably wouldn't, but that's one of the fringe benefits of being a hacker. Instead of being bound by "the system's" rules and regulations, you can get around it and let your conscience be your guide (if you happen to have a conscience).
*) "And remember, the hacker can be the best prevention for computer security sickness and that a reformed hacker can make for the best data processing security person." Another token stab at self-promotion by Zap.
*) "The boards in general have been a major problem in the control of information due to the use of the boards by what some may call 'information junkies." What's wrong with people who want to collect information? Are you suggesting that arbitrary censorship would be an improvement?
*) "One of the major contributing factors involving computer abuse is the non-education of the users in ethics." While it makes for a nice sweeping generalization, this statement has little to do with reality.
Most "normal users" think no more of copying a piece of software than they think of taping a copy of an album, or Xeroxing a page out of a copyrighted publication. While all of these acts are illegal, there aren't many people that actually care. "Educating" people is not going to eradicate these problems.
As far as the phreaks and hackers are concerned, the statement is even more ludicrous. While a minority undoubtedly justify their actions to themselves as "curiosity" and thus set their consciences to rest, the greater percentage know that in the course of doing whatever it is that they happen to be doing at the moment, they are committing crimes. And they don't care.
Morality and ethics are subjects that cannot be "taught" to anyone. Each individual has to make his or her personal choices based upon whatever tenets or beliefs they happen to espouse. Very often people who function from a predominantly logical perspective come to the conclusion that "right and wrong" are relative to a given time and situation. As applied in our society they typically denote values that most of our present population subscribes to. Why should anyone do something just because everyone else is doing it?
Ethics will always be up to the individual, who will in many cases come to the logical conclusion that he doesn't care what the rest of society condones or accepts, and instead of blindly following their dictums he will choose to think for himself and perhaps arrive at conclusions that don't coincide with what society happens to find acceptable at that particular time.
*) Accessing government and military computers: Why it is that people come to the conclusion that government computers should be bastions of security we couldn't begin to guess. When you speak of the government and military, we presume you mean our government and military; you know, the one run by incompetents, bureaucrats, and other paper pushers that excel at nothing except wasting time and money.
For someone who cautions others against making "rash statements," Captain Zap has apparently written an entire article filled with statements that neatly ignore his own dictum.
Lastly, we'd like to bring up one relevant fact that most "security analysts" manage to ignore: hackers and phreaks (for the most part) are not criminals. At least that isn't the way they view themselves. While nobody lays awake nights worrying about the fact that today he's cost a few phone companies some money, and perhaps wasted system resources on unauthorized applications, a hacker or phreak's primary motivation is either a real hunger for knowledge, or ego gratification. In neither case does monetary gain enter the picture. The people you really have to worry about are career criminals. They aren't kids and they don't call boards. If a hacker is present in your system, then a criminal could easily gain entry to your system as well. If anything, you should view it as a blessing that the hacker has brought your lack of security to your attention.
The previous paragraph shouldn't be misconstrued as a moral judgment on criminals. Personally we couldn't care less how you make your living as long as you're good at what you do.