Hacker Myths

1. Encrypted files can't be cracked. p. 268.
2. Only hackers wiretap without court orders. p. 159-160.
3. Hackers can't crack National Security. p. 161; 163-164.
4. We're safe from hackers. p. 272.
5. The FBI doesn't want any new powers. p. 272.
6. Hackers are nerds. p. 112.
7. Joyriding isn't a crime.
8. Hackers are criminals.

The FBI set about decrypting Kevin Poulsen's computer files. Officially, the government would not comment on the attempt. The reason for secrecy was simple. Publicly, the government had maintained for many years that it was impossible to crack the Defense Encryption Standard.

A Department of Energy Cray super computer was used by the National Security Agency to perform a "brute force" attack on Kevin's encrypted files, blasting every possible key at the computer, one after another, a task that consumed several months at an estimated cost of hundreds of thousands of dollars. Though Kevin's key was not random, by encrypting his files several times, he had increased the difficulty of cracking the code.

Several months after the computers were seized in the fall of 1991, Rob Crowe was informed that the NSA had successfully decoded Kevin's files. Kevin had meticulously kept files documenting his activities, everything from the wiretaps he had discovered to the dossiers he kept on his enemies. The government printed out nearly ten thousand pages of material.

2. Only hackers wiretap without court orders. p. 159-160.

He knows there's nothing stopping Pac Bell from tapping dozens of lines on a moment's notice. Phone companies are the only entities in America that can wiretap with impunity, the only entities granted more power than the CIA, the NSA or the FBI. The federal statute states that it is "not unlawful" for "an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service" to use that same service to "intercept...that communication" in the "protection of the rights or property of the provider of that service..."

Somehow this doesn't make sense to Kevin. Other companies can't invade their customer's private conversations. Why shouldn't Pac Bell and other phone companies turn their fraud cases over to the proper law enforcement agencies, and let justice take its course, like other major corporations?

But Kevin knows that the taps are only the tip of the iceberg. The statute is silent to Pac Bell's right to perform traps and traces, and detailed analyses of a suspect's calling patterns. If Pac Bell wished to hide an investigation from the FBI or Secret Service, no court could force it to reveal the nature or target of its inquiry. Even the annual number of taps is secret. Does Pac Bell wiretap ten people a year, fifty or a thousand?

3. Hackers can't crack National Security. p. 161; 163-164.

What surprises Kevin is how easy the federal government makes it to crack their vaunted veil of security. Since the early days of Hoover, wiretaps have been the secret weapon of the FBI, powerful enough to ensnare gangsters and keep political enemies and presidents in check. Indeed, traditionally wiretaps have been what separates the government from the crooks. The idea that an ambitious hacker with a PC could expose federal taps is absurd. If that's all it takes then how well could the FBI be expected to investigate mobsters, corrupt politicians and spies?

#

Ron punches up South Africa in Nexis, and watches the stream of stories mentioning nuclear power leap from the screen. The two hackers are incredulous. They've stumbled onto real life, honest-to-God spy taps, the stuff of espionage and national security. Kevin and Ron can't possibly know whether the taps are authorized under the Foreign Intelligence Surveillance Act, by the Washington D.C., Federal court that grants taps to the CIA and other spy agencies. Unlike common FBI and state and local wiretaps, the court authorizations for spy taps have, according to the Justice Department, never made public. But what the hackers have uncovered stuns them. Pac Bell's own on-line, net accessible records provide irrefutable evidence the spy taps have been in place for several years.

It's just the beginning. Kevin finds ten more wiretaps that run back to the federal building, ten wiretaps in the Los Angeles consulate of our friendly ally Israel. And there's more. Incredibly, Kevin uncovers fourteen taps near an office of the American Civil Liberties Union around Wilshire and 6th street. Could one of the biggest FBI counter intelligence operations in Los Angeles be targeting the American Civil Liberties Union? Kevin checks all the businesses within the ACLU's building and finds one with five lines and another with two. There's no match so his hunch about the ACLU must be wrong. Only the Chinese consulate, three doors down the street from the ACLU has fourteen lines. And there's something else unusual. Instead of running back to the federal building like the other foreign taps, the Chinese taps loop, jumping up to another floor, and then dropping downstairs. Could the feds be listening to the Chinese from an upstairs office?

4. We're safe from hackers. p. 272.

Kevin's command of Pac Bell's computers seemed to dramatize the potential danger in placing that power in phone company software. If the FBI was proposing moving the entire wiretapping process directly onto the switch, what would stop hackers like Kevin from eavesdropping on the FBI and its targets?

From 1989 to 1991, Kevin had access to nearly every federal and national security wiretap in California. He had this extraordinary ability because he could hack the computers of Pac Bell, considered to be among the most secure in the telecommunications industry. Pac Bell, through its spokesman, "special" investigator John Von Brauch, confidently explained that the vulnerabilities Kevin had exploited had been closed. Physical security at the company's hundreds of buildings had been tightened, the number of dial-up lines had been greatly reduced, and a product called "SecureID" was being used to restrict unauthorized access. Pac Bell employees had to use the wallet card that contained a unique algorithm synchronized with a computer. Every 30 seconds the card would create a new random number, and if the number didn't match up with the computer, the holder was denied access.

But despite these improvements, other present and former Pac Bell employees told another story. In an age of fierce telecommunications competition, Pac Bell's security budget had been cut, and the number of investigators reduced. Kevin himself noted that since he got out of jail he had seen no evidence that Pac Bell had improved the physical security at its buildings. And there was something else that Kevin had told me years ago. He had stolen a manual to SecureID and hinted that for him the miracle card Pac Bell was counting on to protect its systems was no more than a difficult password, hardly a challenge for an elite hacker.

5. The FBI doesn't want any new powers. p. 272.

The political stakes in keeping secret the scope of Poulsen's intrusions were high. As the hacker's case was being played out in the courts, the FBI was waging a public battle to expand its wiretapping powers in the digital age. In the early 1990's, the FBI had begun lobbying for new, increased capabilities to monitor digital telephone and computer communications. The Bureau wanted to install software directly inside phone company switches to expand its eavesdropping powers. After one congressional rebuff, the proposal became law with the passing of the Digital Telephony Act in 1994. But when the Bureau's true plans became known, they sparked a public outcry. The FBI announced that it needed the extraordinary power to potentially wiretap one percent of the phones in major metropolitan areas.

* Postscript: The FBI recently announced it was reducing it's "1 percent" wiretapping request.

6. Hackers are nerds. p. 112.

Nearly every night after 10 p.m., Eric would pull up in his Porsche, step out with his steel tipped cane and toss his keys to the valet in the Rainbow Bar and Grill parking lot. He was a glamrock king. Shag hair with the Farah Fawcett highlights, a deft makeup job, long nails, cowboy boots, and depending on the evening, a linen suit or torn jeans. Eric would walk to the front of the dimly lit club, and make his rounds with Straus among the red naugahyde booths, pausing when they sensed a look, exchanging a high-five with a male rocker friend.

Eric's sexual prowess -- he claimed to be approaching a thousand conquests -- was not solely attributable to his stolen Porsche, technological mastery and physical makeover. He too had a system. Just as he had methodically wiretapped to gain his hacker access, he had diligently sought the secret to easy sex with strippers, mud wrestlers, call girls and porn stars. Eric picked up girls not only at the Rainbow and other Hollywood hangouts, but on their working nights at strip clubs. He'd sit in the back in his torn jeans with a calculated look of disinterest. His technique was irresistible, Eric figured, because strippers weren't accustomed to such indifference. Sometimes Eric had to pinch himself to remember that it was real. Had he hacked his way into Paradise?

7. Joyriding isn't a crime.

Just as Kevin has become a member of the computer security establishment, federal laws criminalizing hacking have finally come to pass. The Computer Fraud and Abuse Act of 1986 makes it a felony, punishable by five years in prison, to access or enter a "federal interest computer without authorization" and obtain "anything of value." Damaging or disabling a non-federal computer, network or program is a crime too.

"Access devices" have been rendered illegal too -- credit cards, codes, account numbers, electronic serial numbers and other keys to money or valuable services. It's a felony to steal $1,000 worth of access devices, or just to fraudulently possess fifteen of them. And penalties for access device or computer fraud offenses can reach as high as twenty years in prison.

Unauthorized computer access is now considered more serious than physical breaking and entering. A joy rider who accidentally impedes the use of a critical computer program could face a sentence of several years. Law enforcement has new powers in tracking crime too. The Electronic Communications Privacy Act authorizes eavesdropping on portable phones and certain pagers and requires telephone companies to hand over subscriber or toll records to the FBI without judicial review. So deeply is the FBI engaged in electronic surveillance that it is granted Congressional approval to hire independent contractors to intercept communications.

There's a war on and the enemies are hackers and digital thieves. The Secret Service estimates electronic funds fraud exceeds half a billion dollars a year and the Justice Department acknowledges widespread vulnerabilities. Meanwhile most banks continue to transmit their customer's secret account numbers over unprotected telephone lines that, according to USA Today, even a 12-year-old hacker could tap.

8. Hackers are criminals.

In 1984, hackers finally get some good press. Author Steven Levy celebrates the early hackers who launched the computer industry, and inspires a national outpouring of hacker pride with his runaway bestseller, "Hackers, Heroes of The Computer Revolution." Veteran hackers rise up and protest the bad rap they've been getting from newspapers and the government. Levy reminds the world that without hackers there would be no Apple Computer, no IBM PC, no revolution in computing. Embracing the good in hackers, acknowledging the criminal roots of many of the industry's legends, Levy cites the young protagonist in WarGames as an example of a "Third Generation hacker who, having no knowledge of the groundbreaking feats of Stew Nelson or Captain Crunch, broke into computer systems with the innocent wonder of their Hands-On Imperative." He ends his book reveling in how today's hackers defy authority, their "triumph of the individual over the collective dispirit." Levy is giving the kids of the 1980's a second chance, an opportunity to rise to their noble calling.

Kevin Poulsen, too, is getting a second chance to prove that like Jobs and Wozniak he merely flirted with illegal hacking. He hasn't been arrested. He's got a chance to go legitimate and create a new, positive identity. And so one day he shows up unannounced at the home of his childhood friend Sean Randol with the exciting news. A big Silicon Valley company has hired him to work as a computer programmer, and Kevin couldn't be more proud.