David Brumley sees a lot of loose talk on the Internet. Part of his job, as a computer-security officer at Stanford University, is to eavesdrop in chat rooms, just in case someone tips off a nasty bit of hacking. On February 8, Brumley stumbled onto a link to the newest boomlet in Internet monkey business. A number of people were exchanging messages in a chat room when one of them asked the others to name a Web site "they really hated." The answer came back: eBay.
About 30 minutes later, eBay crashed. No one knows for sure if this conversation led directly to the crash, or even if the discussion involved someone behind it, but Brumley says, "We have four or five pieces of independent evidence that are leading toward [that] one person."
Very likely, these were the first, small rumblings of an earthquake that over the next week would level some of the Web's most popular sites: Yahoo, eBay, Amazon, CNN. An anonymous hacking force had commandeered computers belonging to others and programmed these machines to bombard major sites with huge amounts of data and countless requests for service. As a result, the rush-hour volume of traffic on these branches of the information superhighway was brought temporarily to a bumper-to-bumper halt. And the world suddenly became very aware of the term used to describe this disruption: "denial of service."
For years, the term "hacker" has summoned up images of young men, sitting for long hours at their computers, rooting about in obscure corners of computer networks. And "hacking" has been thought of as mostly benign, with a few invasions of forbidden territory and no real damage. But now there are increasing indications that some of these people have nasty or greedy motives--leading to a distinction between "white hat" (or good guy) hackers and "black hat" (or bad guy) hackers. At a time when the Internet has become an important source of commerce, the blocking of a place like Amazon.com can represent a considerable financial loss. Worries over the unreliability of the Internet for sales purposes actually caused some high-tech stocks to lose value in late February.
VANDALS OR 'HACKTIVISTS'?
No one claimed responsibility for the denial-of-service attacks, and the investigators assembled to track down the offenders had to slowly assemble possible names and motives. There was no ransom note, no electronic manifesto. No indication of whether the attacks were the work of "hacktivists"--the name given to the growing movement of cyber political activists who try to advance their causes by demonstrating on the Internet--or possibly teenagers engaged in what one security expert calls "the cyber-yuppie equivalent of keying a car." Several computer experts even suggested that the attacks were the work of a new breed of electronic criminal who steal information or make their money by manipulating electronic markets. "The problem is that if you're smart about this, there is no trail for law enforcement to follow," says Scott Charney, until recently the Justice Department's top computer-crime official and now a vice president at Price Waterhouse Coopers.
The world of the computer underground has always, for obvious reasons, been mysterious. No one knows with any precision who these people are, but computer-security experts have come up with a rough profile of the average hacker: a male between the ages of 16 and 25, living in the United States. He is a computer user, but not a programmer, who hacks with software written by others. His primary motivation is to gain access to Web sites and computer networks, not to profit financially.
Everyone assumes that hackers are young male computer geeks, and that description fits the most notorious hackers, going all the way back to the beginnings of the movement in the 1960s. The first ancestors of modern hackers were "phone phreaks," self-described hobbyists who tampered with telephone networks to get free long-distance calls, explore the technology, and play pranks on each other. Among the phone phreaks who transferred their obsessions to computers in the late 1970s and early 1980s were Steven Jobs and Stephen Wozniak, the co-founders of Apple Computer.
The first true computer hackers, however, were students at the Massachusetts Institute of Technology (MIT) who had a passion for taking things apart to understand better how they work. Only after the appearance of the movie Wargames in 1983, in which Matthew Broderick portrays a teenager with a modem who breaks into Defense Department computers and almost starts World War III, did the term come to mean someone who was a computer criminal.
As a Los Angeles high school student in the 1970s, Kevin Mitnick was arrested for breaking into a college computer network. Over the next two decades, he became notorious as he was arrested four more times for trespassing on computer networks and stealing software. Mitnick, now 36, was released from jail last month after serving almost five years in prison. David L. Smith, now 31, created the Melissa virus that jammed computers around the world. The New Jersey man, who worked as a free-lance programmer for AT&T by day and hacked by night, was arrested last year, pleaded guilty, and will be sentenced in May. (See "Hacker Hall of Fame," page 15.)
In the past year, hacking has taken a more ominous turn. An Eastern European hacker called Maxus stole the credit-card numbers of more than 300,000 customers of a music retailer on the Internet, CD Universe, and demanded $100,000. The theft dramatically highlighted the risks of e-commerce.
BLACK, WHITE, AND GRAY
The pressure to defend against intruders has complicated the ethical world of hacking. White-hat hackers are recruited to ward off black-hat hackers, and there are even gray-hat hackers, like the L0pht (pronounced "loft") collective in Boston, which searches for security flaws and then makes the information available to anyone.
The best example of a hacker who changed hats is Robert Tappan Morris, a Cornell University graduate student and the son of the former chief scientist for the government's super-secret spy organization, the National Security Agency. In 1988 Morris wrote the first Internet worm, a software program that hopped from computer to computer in a network, jamming everything in its path. Morris admitted that he had written the program and was fined and sentenced to community service. Since then he has finished graduate school in computer science at Harvard University, started a successful Internet company, and now, at 34, is a faculty member at MIT.
YOUNG AND DESTRUCTIVE
To some extent, the story of Morris's rehabilitation is the story of a generation that grew up. And security experts worry that the hacker torch has been passed to a group whose different ethical values might allow more destructive forms of behavior. "There has been a historical trend for the people with the blackest hats to be people who are the youngest," says Mark Seiden, who is a consultant with Securify, a Silicon Valley-based computer security firm. "They have the most time to risk."
The most dramatic example of the future of computer crime may have come in 1994, when Vladimir Levin, a 22-year-old Russian, broke into American computers at Citibank and attempted to steal $12 million. The FBI caught him when an accomplice attempted to remove the money from a Citibank branch in San Francisco.
"Now we're looking at entrepreneurial [hacker] crime in the same way you would once look at drug dealing in the '60s and '70s among middle-class and upper-class kids," says Richard Power, an editor at the Computer Security Institute, a San Francisco publishing and consulting firm. In other words, we have yet to see what levels of inventiveness might be inspired by simple greed. The golden age of hacking--in more ways than one--may be about to begin.
RELATED ARTICLE: WILD TIMES IN THE COMPUTER UNDERGROUND
On a warm summer morning in 1998, Marc Maiffret, better known to the hacker underworld as Chameleon, woke up with the cold steel of a cop's gun pressed against his head. More than 20 federal and local law-enforcement agents had raided the 17-year-old's home in a quiet Southern California subdivision, pulling his mother screaming from the shower and wrestling him at gunpoint from his bed. "I was upset but I wasn't surprised," Maiffret remembers. "It was like, 'OK, it's finally happening.'"
This was no ordinary hacker bust, but then Maiffret was no ordinary hacker. The cops were there because they thought he was endangering national security through his dealings with a suspected Pakistani terrorist. It was the beginning of the end of his life in the computer netherworld, an extraordinary odyssey that seems like a story taken from the pages of a spy novel.
Maiffret began his hacking career as a lonely boy in love with the machine in his bedroom. "Computers and hacking was my escape," he says. But at 16, Maiffret went from being a rather ordinary teen to something far more mysterious and sinister. He dropped out of school and traveled around the country, staying with fellow hackers.
A GANG CALLED NOID
While on the road, Maiffret joined a gang called Noid, whose members across the U.S., Canada, and Belgium had launched a series of high-profile invasions of Web sites for the American military and NASA. "I would never say what I was doing wasn't illegal, and I feel bad for the guy who got in trouble," Maiffret says. "But any site we hacked, we would help the administrator fix it."
Maiffret's secret life began to crash when some friends broke into military computers and downloaded software that controls the positioning of satellites. Although he claims that he never had the software himself, Maiffret took $1,000 in money orders from a man who identified himself as a foreign terrorist who wanted to buy the program.
When the program never arrived, Maiffret began to receive threatening e-mails from the man, whom authorities later identified as Khalid Ibrahim, a member of a Pakistani terrorist group linked to Osama bin Laden, who has been connected to the 1998 bombing of two American embassies in Africa. By this time, the FBI was monitoring Maiffret's every move, and a month after he had cashed the money orders, reality came crashing through his door.
After a seven-hour interrogation, his computers were confiscated and the agents left without charging Maiffret with a crime. It was the first known case of a foreign terrorist approaching an American teenager for illegally obtained programs. Maiffret now says, "I guess you could say I was lucky."
At that point, Maiffret turned his life around, swearing off illicit hacking and cofounding eEye, a network security firm. He gives lectures to organizations like NASA and has written a program, Retina, to help companies protect themselves from exactly the kind of person he once was.
Maiffret is still true to his nickname--his hair color jumps from blue to green to black. And he sees strong parallels between what he does now and what he did as a hacker. "I still get the same feeling I got when I was Chameleon--I would find holes and tell people how to fix them," he says. "The only difference now is I now get paid a lot more."
RELATED ARTICLE: REAL TIME FOR VIRTUAL CRIME
Let's say you're sitting around one night hacking the Department of Defense computer system. You've run an HTTP PHF Vulnerability Check and a Portscan Detection Attack with no luck. So you think, of course, to try a DNSH Info Request Decode. Bingo. You're in. But before programming that nuclear launch on Antarctica you've been dreaming about, think a minute. You might be in quite a bit of trouble here.
Warning: Hacking--the unauthorized intrusion into a computer network--is a felony punishable by up to five years in prison and a $250,000 fine.
Federal law also prohibits the planting of viruses and the launching of attacks like the ones that shut down several Internet sites recently.
The law pretty much covers all forms of hacking. Even hacking a password to break into a system puts you at risk. "It's rare that you break in without violating the statute in some way," says Marc Swillinger, a trial attorney in the computer crime section of the Justice Department.
PENALTIES COULD DOUBLE
Hackers also face possible prosecution from states, many of which have their own anti-hacking statutes. In addition, hackers bent on theft can be prosecuted for business fraud or espionage under other federal statutes.
The law may get tougher, too. Congress is considering a bill that would double the penalties for hacking to 10 years for a first offense and 20 years for a second.
Critics say you needn't be. The FBI investigated 1,154 hacker attacks last year, about double the year before. But in 1999, the FBI closed the books on 912 hacker cases without finding enough evidence to prosecute. The number of hackers who have been prosecuted up to now has been minuscule.
Government critics say the problem is not with the law, but with the enforcement. "The hacking technology is sometimes two or three generations ahead," says Jay Valentine, president of InfoGlide Corp., an Internet security company. "The criminals are using machine guns, and the FBI is using slingshots."
RELATED ARTICLE: THE HACKER HALL OF FAME (OR SHAME)
In the hacker underground you aren't "elite," as top hackers are called, until the feds have busted down your door. Here's a short list of the world's most notorious hackers and the price they paid for their exploits. Of course, the real elite hackers are the ones you never hear about.
Kevin Mitnick, 36
HANDLE: The Condor
HOME: San Fernando Valley, Calif.
CLAIM TO FAME: World's most famous hacker. After spending more than four years in lockdown without the possibility of bail while awaiting trial, he pleaded guilty to stealing code from tech companies including Sun Microsystems. His downfall came when he messed with a bigtime San Diego computer expert, prompting front-page coverage and a dramatic manhunt that took the FBI across the country. Inspired two books and a Skeet Ulrich movie, Takedown, which has yet to be released.
SENTENCE: Released from prison in January 2000.
FUN FACT: In jail, became a martyr for thousands of hackers around the world, including a group called Hackers For Girlies, who posted obscenities and pictures of naked women on The New York Times Web site in retaliation for what it said was overblown coverage of Mitnick.
Kevin Poulsen, 34
HANDLE: Dark Dante
HOME: Los Angeles
CLAIM TO FAME: While on the lam from the FBI, Poulsen supported himself by rigging radio call-in contests, winning thousands of dollars, a Hawaii vacation, and a Porsche.
SENTENCE: Held without bail for 51 months, convicted on money-laundering and wire-fraud charges, then sentenced retroactively.
FUN FACT: Today, is a columnist on computer crime for ZDNet, a tech Web site.
Enud Tenebaum, 20
HANDLE: The Analyzer
CLAIM TO FAME: Israeli teenager who, along with two teenage accomplices in northern California, orchestrated what was called the biggest break-in in Pentagon history. Also claims to have infiltrated computers at Harvard, Yale, MIT, NASA, and the U.S. Navy. Called "damn good" by then-Israeli Prime Minister Benjamin Netanyahu.
SENTENCE: After his California proteges were caught, Tenebaum threatened to take down the entire U.S. Department of Defense computer system if they were punished. He was caught a week later and indicted on charges of conspiracy and harming computer systems. His trial begins in the spring. His buddies got off with a slap on the wrist.
FUN FACT: Shortly after his arrest, was featured in ads for an Israeli computer company and then drafted into the Israeli army.
David L. Smith, 31
HOME: Aberdeen, N.J.
CLAIM TO FAME: Mild-mannered New Jersey programmer developed one of the most aggressive computer viruses in history, called Melissa. Charged with causing $80 million worth of damage, calculated in time spent by administrators to fix problem.
SENTENCE: In December, pleaded guilty to state charge of computer-related theft and federal charge of transmitting a virus with intent to cause damage. Faces up to five years without parole on federal charge, and 10 years on the state charge. Sentencing in May.
FUN FACT: Named the virus after a stripper he had a crush on in Florida.
Eric Burns, 19
CLAIM TO FAME: Known as the "White House Hacker," he attacked computers controlling Web sites for NATO, a U.S. embassy, and Vice President Gore. Altered White House Web site to read "Your box [computer] was owned" and "Stop all the war," and posted shout-outs to hackers including himself.
SENTENCE: Facing 15 months in prison and $36,240 in damages. Won't be allowed to touch a computer for three years after his release.
FUN FACT: Led a hacker gang called Global Hell that declared "war" on the FBI, was raided soon after.
Justin Peterson, 38
HANDLE: Agent Steal
HOME: Los Angeles
CLAIM TO FAME: One-legged cyberpunk who hung out at Sunset Strip rock clubs and became a paid FBI informant. Helped bust other hackers, including Poulsen and Mitnick.
SENTENCE: Sentenced to 41 months for crimes including computer fraud, possession of a stolen vehicle transported across state lines, and illegally accessing TRW credit files. Arrested while planning a $150,000 bank heist.
FUN FACT: While on the lam, left a taunting message for police on his voicemail, saying "I'm gone, baby."
JOHN MARKOFF covers technology for The New York Times.
|Title Annotation:||the new breed of computer hackers|
|Publication:||New York Times Upfront|
|Date:||Mar 27, 2000|