Hackers: Threat or Menace?

That's what the press, the security apparatus, and the hackers themselves want you to think. But think again. Wired attends Hackers on Planet Earth, the convention of phone phreak mag 2600, and discovers who Emmanuel Goldstein really is.

Charles Platt
Wired

November 1994

A mob of scruffy, geeky guys is milling around on the 18th floor of New York City's Hotel Pennsylvania, in a dowdy old ballroom where many of the lightbulbs in the brass chandeliers are burned out. A beat-up audio system is making scratchy sounds while bearded sysop types try to link a bizarre mix of antique computing equipment into some sort of network with Internet access. The hardware is scattered around on tables. There are no formal exhibits, no booths, no buffet, no coffee, no bar.

CNN and NBC are here, prowling like starved alley cats in search of some tasty leftovers. They cluster around a teenager wearing a black jumpsuit with flames hand-painted across his shoulders. He's soldering components onto a tiny piece of perf board. "What does it do?" a journalist asks, although there's a sense that his real interest may run a little deeper. Is the gadget illegal? Is it scary? Can it paralyze vast computer networks with a single pulse?

This is, after all, Hackers on Planet Earth, the so-called HOPE conference. There have been other hacker conventions, but this is the first to come right out and offer educational seminars to the general public on such subjects as:

Cracking the MetroCard, a magnetic-strip fare card recently introduced for the New York subway. "We will read the cards, duplicate them, and make every attempt to defeat the system," reads the conference program.
Lock-picking. "Everything from picks to rakes to electric drills to Simplex locks."
Boxing (i.e., free phone calls via blue or red boxes). "Contrary to popular belief, boxing is not dead. We will have some top phone phreaks on hand to show you what works, what doesn't, what used to work, what never did, and what probably might."
Cellular phones. "We will show how cloning is not just for criminals and how you can clone a phone on your own PC!"

It all sounds titillatingly wicked. So where's the action? Where are the devious, unprincipled hackers committing illegal acts? Where's the crime?

The conference was scheduled to start half an hour ago, but so far the only action is out in the lobby, where hundreds of would-be attendees are squished together, back-to-belly, waiting patiently for nifty customized photo-badges, each of which, unfortunately, takes about 60 seconds to come out of a laser printer. There are maybe 600 attendees, so at this rate it'll take 10 hours just to check everyone in.

A friendly Dutch hacker with long golden hair and a tie-dyed T-shirt devises an impromptu solution. He goes around selling red numbered pieces of paper as temporary badges, takes US$25 per person, and stuffs the cash in a brown paper bag. No one has any problem with this. No one questions the Dutch guy's authority or doubts that he'll pass the money to the organizers.

And so it seems that the "devious, unprincipled hackers" are showing an amazing degree of naïve trust.

This is the first paradox. There are more.

Here's a well-fed, tough-looking character wearing shiny black shoes and a suit and tie. Hairy teenagers in sneakers, T-shirts, and dirty jeans come clustering around him like zoo animals sniffing a new keeper who just walked into their cage. A film crew zeroes in. This dude exudes an air of authority as he starts spitting out sound bites on the subject of national security. "You can cripple a nation very easily with just a few individuals ... 13-year-old Pakistanis ... Wall Street is hiding major losses ... cyberspace is not safe right now ... we need a national information strategy."

I ask him what he means by the word "strategy." Who devises it? Who implements it? Should it be law?

"Legislation is part of it," he agrees. He mentions that he himself has drafted a National Information Strategy Act of 1994. His name is Robert David Steele. He worked on the clandestine side of the CIA for nine years and subsequently advised Marine Corps intelligence. Al Gore has quoted him. And now, he's here to give the opening address at Hackers On Planet Earth.

When the speech gets started, Steele paints a scary picture of terrorist info-criminals, businesses with no data security, and banking networks that could be gutted overnight. Then, switching smoothly to a kinder, gentler mode, he asks the audience to help him fight these threats. "Hacking is not a criminal act," he says. "You represent a critical national resource.... I think of you as law-abiding citizens who have immense potential to contribute to society."

The rumpled throng of misfit Netheads and rebel code crunchers seems oddly happy to hear this. They are generous with their applause. This is paradox Number Two: they smile upon this one-time agent, even when he mentions, in passing, "I used to persuade people to betray their countries for money, and I was very good at it."

The creator of the HOPE conference is Eric Corley, editor and publisher of 2600 magazine. (Its title harks back to days when a 2600 Hz tone worked like a can opener on the telephone system.) According to Corley, hacking is just a harmless expression of youthful curiosity. "I was brought up to ask questions," he told me in an interview before the conference. "This is all that hackers do. They just ask questions till they get an answer that's different. And I merely encourage that."

But in any issue of 2600, you'll find a lot more answers than questions. Would you like to crack Unix systems, devise computer viruses, listen in on cellular phone calls, or break into UPS mailboxes? No problem! In quick, easy lessons, Uncle Eric will tell you how! Likewise, if you browse through Corley's alt.2600 newsgroup on Usenet, you'll find enlightening discussions on topics such as how to steal cable TV, how to build a gadget to "bring Telco down to its knees," or how to monitor message traffic on an Ethernet. (A reader writes: "Some packets might contain, uhm, especially handy info that I might want to extract....")

Corley has been publishing 2600 for 10 years. Recently, however, the magazine has turned into a growth industry. With newsstand distribution, its sales have jumped by 50 percent during the past 12 months alone. There's even a bunch of "2600 franchises" up and running: local groups that meet simultaneously in 29 US cities and four foreign countries on the first Friday of every month, like a giant multinode Tupperware party for the naughty boys of cyberspace. Here you can find shifty-eyed teenagers hanging out, swapping secrets, and maybe spreading a little playful disinformation on the side.

Is this scary? Corley shrugs it off. His magazine merely repackages information that exists elsewhere, and, as for the HOPE conference, he says with straight-faced sincerity that it's a modern manifestation of "the spirit of Woodstock."

Publicly, Corley goes under the pseudonym "Emmanuel Goldstein," the name of a character in Orwell's 1984 who was the leader of an underground movement to overthrow Big Brother. So here we have a 30ish guy with shoulder-length curly black hair, wearing a 2600 T-shirt and a baseball cap, skulking around like the Phantom of the Opera, evading direct questions, and habitually glancing behind him as if he expects to be arrested at any moment. He implies that hacking is as harmless as ham radio, yet he names himself after a character who was Public Enemy Number One in the most famous totalitarian scare-novel of our time.

Paradox Number Three.

One thing is certain: system hacking, today, is entering a new era.

In the early 1970s, phone phreaks manipulated the long-distance system using blue boxes that they built from sketchy photocopied schematics that were often riddled with errors. Not many had the skill to do this. Phreaking was restricted to a select few.

By 1980, hacking was done using Apple II computers and modems driven by home-grown assembly-language programs. Once again, few people were sufficiently skilled to participate.

Today, countless Unix sites are instantly accessible via the Internet. Unix is riddled with security loopholes, and you can practice hacking it in the privacy of your own home using Linux (a freeware Unix clone) on a cheap 486. You don't know Unix? No problem! Unix for Dummies, at your local bookstore, will get you started. Small wonder that 2600 local group meetings have grown exponentially in number.

Is this scary? Some more historical perspective may help to answer the question.

Twenty years ago, I used to drop in on meetings of TAP, the legendary phone-phreak affinity group in New York City. In a sleazy little office full of furniture that had been salvaged from the street, we stuck postage stamps on a badly duplicated newsletter and read correspondence from the jail cell of Captain Crunch, aka John Draper, the most infamous phreak of all.

It all seemed wonderfully subversive. Tom Bell, a key figure at the time, told me seriously that he avoided walking close to tall buildings in case telco agents should drop a file cabinet on his head. But in reality there was no significant threat either to or from the telephone company. The TAPpers were just a few misfits fascinated by technology and looking for some token power over a world that didn't seem to like them very much. Their maximum level of criminal activity was somewhere between trespassing and shoplifting; hackers today seem much the same.

I liked hanging out with the phone phreaks because their rebellious behavior gave me a vicarious thrill. In this, I am not unique. As a nation, we have always been fascinated by the exploits of renegades, from Jesse James to James Dean, and we've elevated some of them into folk heroes. Seen from this perspective, our current fascination with "dangerous hackers" is just a new manifestation of an old tradition.

But public sympathy for rebels is a fickle thing. If the rebels pose a threat that strikes too close to home, we feel no compunction about throwing them in jail.

So we come to paradox Number Four. The public is eager for stories of True Cybercrime, and the media is happy to glamorize the subject. But when teenagers take the bait and live out our fantasies for us, we punish them for frightening us too much.

One of the amusing things about journalists (myself included) is that they tend to believe the myths they jointly create. Consequently, at the HOPE conference, almost every reporter seemed to be searching for a hacker who would fit the classic media model of a devious, sinister, powerful figure. The journalists were asking, in effect, Where's the crime? - and none of them could find any. The conference was very bland, very laid-back. The attendees were totally nonthreatening. Even the "seminars" turned out to be rather lame, devoid of subversive content.

And yet, if you knew where to look....

Late Saturday night, slightly drunk and, frankly, bored by the harmlessness of the event, I found myself introduced to "Dark Fiber," a man in his 20s who had in his possession a certain document in a loose-leaf binder. He claimed that it was a system administrator's guide to New York City's new MetroCard fare collection system, and when he showed it to me, I saw that he was right. There were complete schematics, right down to the part numbers.

Dark Fiber was so pleased with his heist, he let me take his photograph holding the binder, standing outside the Hotel Pennsylvania at 2 a.m. with the rain coming down. A few days later, he gave me a phone interview.

He told me that he'd been a systems hacker on and off for several years, working through the Internet, cracking Unix sites and Vaxen, just sneaking in and looking around. He agreed that hacking had become easier and more widespread than ever before, but he said that the dangers were still being exaggerated - with encouragement from the hackers themselves. "Most of them understand that the media are very easily spooked," he told me. "Some of them take advantage of this. It's what I would call testosterone-influenced braggadocio. They enjoy it."

But isn't there some real damage involved?

"People have destroyed system files, wiped out password files. Others just blundered in and corrupted data by accident. But if data is properly backed up, there's no physical loss, just a large amount of inconvenience."

I asked him what he planned to do with the document in his possession.

"I'll probably run it through a copying machine and distribute it to a select few hacker friends."

Sell it?

"I won't sell it." He sounded offended by the idea. "A true hacker never does that. One of the overriding tenets of hackerdom is that information wants to be free, and a lot of us take that very seriously. You have to understand, my motivation isn't to ride free on the subway. I was born and raised in this city, and I've always paid my way. I'd just like to understand the system a little bit better. It's a purely intellectual interest on my behalf."

But if he shares his info widely, that could cause the MetroCard system to be hacked.

"I think the system will be hacked, and eventually it will have to be improved to make it more secure. Nevertheless, I think this information should be available."

But if details of the improvements are also stolen and shared, electronic fare collection will never be feasible.

"I see the paradox, but this is a central theme in hacking in general. Where do you draw the line? Every hacker has to wrestle with his conscience."

I don't claim to be able to resolve all the contradictions here, but I did reach some personal conclusions about the people involved.

The hackers at the HOPE conference were more trustworthy and less threatening than any "normal" crowd of teenage males whose idea of action on a Saturday night would most likely include drinking, driving, hassling women, and picking fights in bars. Hackers, in fact, tend to be quiet, shy, and honest. When a total stranger at the conference asked to borrow my new $500 camera, I loaned it to him without a second thought and was only mildly concerned when he disappeared with it for a quarter of an hour. Compare this with a crowd at a baseball game or a rock concert, and you begin to realize that the "hacker threat" is about as scary as a kid wearing a Halloween mask.

Eric Corley is one of the most evasive human beings I have ever attempted to interview, and his air of innocence doesn't quite jibe with the attitude and content of his magazine. Nudged by insistent questioning, he did finally admit to me that "I like to upset the status quo, challenge things that everybody agrees with.... I don't like monopolies or police."

He is in fact a troublemaker, but on a level that seems trivial compared with, say, trade-union organizers or anti-abortion activists. Moreover, by opening up the hacker subculture to the general public, Corley is devaluing his own currency. Any small group of diehard nonconformists tends to lose its power when the barriers come down. Hackerdom could turn into a harmless fad in the same way that radical hippie activism in the 1960s degenerated into a fashion statement after it received sufficient media exposure.

Robert Steele is a far more complicated character. When I posted a mild inquiry about Steele's background on a Usenet newsgroup, I received e-mail from Steele himself, cautioning me about the damage that irresponsible journalism could do to the hacker community and warning me of his personal willingness to sue. Still, he also wished me well in my work, and I had the disconcerting feeling that I was dealing with good cop and bad cop rolled into one.

I wrote back to him, he responded, and our communications became more cordial. He encouraged me to quote his e-mail and told me with disarming frankness, "I do not want to be Director of 'Central' Intelligence, but I could get real excited about being Director of National Intelligence, with a subordinate Director of Classified Intelligence (DCI), and a subordinate Director of Public Intelligence (DPI) who serves as the head of the National Information Foundation, which in turn helps nurture our distributed network of databases and expertise." These titles and offices do not currently exist, but the US Senate bill that Steele has drafted would create them, along with the kind of universal Net access that other bills have promised.

Steele figures he needs $1 billion per year to pay for his plan, but he says he only wants to establish and rationalize the information services, not control them. He seems, in fact, like Santa Claus, though we should remember that the annual $1 billion would ultimately come from us, as taxpayers.

More to the point, even though Steele seems sincere in his desire for "free" information, others in Washington may be less benign. If we want to look ahead and see the future of a government-run infobahn, maybe we should check the status of the last project of this type: the interstate highway system. This started out as an unencumbered gift to the nation, but now has some significant strings attached. To take just one example: states used to have the authority to set their own speed limits and the legal age for drinking alcohol. Today, they must follow federal "guidelines" in these areas if they want to continue receiving federal highway funds. As Barry Goldwater once said, "A government that is big enough to give you all you want is big enough to take it all away."

As for the supposed escalation of the "hacker threat," a comparison may help.

In rural areas, there are thousands of miles of railroad tracks, unfenced and easily accessible. Any disaffected teenager can put something on a track to derail a train. Kids frequently trespass on railroad property and occasionally tamper with the system; yet for some reason, this is no great cause for alarm. No one demands better railroad security or jail terms for trespassers.

Our information network is much better protected than our railroad network, and someone who cracks a system is able to cause far less human damage than someone who derails a train. Why, then, has "computer crime" caused so much hysteria? Perhaps because the public is so willing - eager, even - to be scared by bogeymen.

Journalists and politicians are well aware of this, and so was George Orwell. Near the end of 1984, Orwell's protagonist discovers that "Emmanuel Goldstein" does not actually exist. He's a fake, concocted by the totalitarian state to unite the people against a common enemy.

Scaremongering is an age-old political ritual. There are public officials who have benefited by playing up the "hacker threat" so that they can win approval by cracking down on it. In a similar way, other people in public service may advance their careers by playing up the info-terrorist threat, the corporate-data-security threat, or the financial-institution threat.

I'm not trivializing these problems. They exist. But we will surely be better off if we keep them in proportion and take modest steps to solve them ourselves, rather than allowing a central authority to take control.

The Internet has undergone astonishing, almost catastrophic growth, yet it still works relatively well without anyone in control of it in the conventional sense. If it had been "properly organized" or made "properly secure" from the "hacker threat," it might not be thriving as vigorously and responsively as it is today. The trusting people at the HOPE conference, who were quite happy to pay $25 for red pieces of paper, should perhaps drive a harder bargain when dealing with emissaries from Washington.

Charles Platt's (charles@mindvox.phantom.com) most recent work is The Silicon Man. He writes frequently for Wired.