Date: Sat, 31 Oct 92 16:11:58 CST >From: Jim Thomas Subject: File 2--Some comments on NBC Dateline's "Hacker" Segment About a month ago, Susan Adams, producer of NBC's Dateline called me. She indicated that Dateline was going to do a story on hackers, and she wanted to know how many "hacker busts" had gone to court. She limited the term "hacker" to teenaged computer intruders, and did not seem interested in the more serious crimes of professional criminals who ply their trade with computers or with computer abusers who prey on their employers. Suspecting a pre-defined slant to the story, I attempted to make it clear that, despite increased visibility of attention to computer abuse, there have been relatively few indictments. Operation Sun Devil, I explained, was mostly smoke and served more to dramatize "hacker activity" far more than its success in apprehending them. I provided some basic background in the Sun Devil, Len Rose, and Phrack cases, some of which she seemed to know. I emphasized the civil rights issues, the complexity of the "hacker phenomenon," and the hyperbole of law enforcement and media that distorts the nature of the problem and thereby obstructs solutions. At some length I attempted to explain the problem of media sensationalism, the problems of balancing Constitutional rights with legitimate law enforcement interests and the potential for abuse that created by an imbalance, and the need for responsible and incisive reporting by the media. Ms. Adams indicated that she had talked to Mike Godwin of the EFF, who I presumed would have told her the same thing, and others who claimed to have been contacted by Dateline staff indicated that they, too, cautioned against sensationalism. Believing that NBC would like to think that its quality of programming exceeds that of Geraldo's "Now it can be Told" (See CuD #3.37 special issue on "Mad Hacker's Key Party"), I anticipated a balanced, accurate, and non-sensationalized depiction of "hackers." To paraphrase H.L. Mencken, nobody ever went broke underestimating the accuracy of tv tabloid journalism. The program that aired on Tuesday, October 27, 1992, could have been worse, but that's hardly a sound way to evaluate a program. The teaser to the "Are Your Secrets Safe" segment framed the story around the potential dangers that "hackers" pose: They can wipe-out your bank account, crash the E911 system, and destroy the nation's telephone networks. In case we missed the point, footage from Sneaker's linked Ben Kingsly's scene, in which he discussed his mad scheme of "bringing down the whole damn system" with the activities of "hackers." The opening shoscreen shot of nic.ddn.mil and UFO information has a piscine smell--there was no evidence that it was anything more than a file readily obtained either by ftp or even (shades of Cliff Stoll) a file inserted in a computer system to trap intruders. Either way, the mystery of Quintin's identity seemed the message, and he provided nothing of any substance not known to anybody who roams the Internet. Brief interviews with Kent Alexander, the prosecutor in the "Atlanta 3" case, and with Scott Ticer of BellSouth, elicited the corporate/law-enforcement view of hackers as dangerous criminals who should be prosecuted. For them, the issues are black and white, simple, and unequivocal. The solutions to the problem are clear, as the Atlanta Legion of Doom cases indicated: Put 'em in prison. The moderator, Jon Scott, then informed the audience that, to learn more about the hacker world, he went "underground." Dramatic terminology, but grossly inaccurate. To go "underground" presumably would mean hooking up with people surreptitiously involved in on-going intrusion who could clearly demonstrate how one might break into military computers, access and re-program the E911 system, or shift money from one bank account to another. Scott did none of this. Instead, he interviewed two former LoD participants, both of whom are visible and quite "above ground," and neither of whom demonstrated much of value, let alone anything that could be considered dangerous. Adam Grant, sentenced to a brief stint in Federal prison in the "Atlanta 3" case, and Scott Chasin, a former LoD participant who, with some LoD friends, were partners in ComSec, a short-lived computer security consulting firm, demonstrated a few "hacker tricks," but nothing that could even remotely be considered dangerous. Grant explained "trashing"--rummaging through trash to find useful information--to Scott. Grant took Scott to a BellSouth trashbin to illustrate how he used to trash. Although BellSouth presumably implemented policies requiring locks on trashbins, on one side of the bin the lock was unlocked and there was no lock on the other side. One presumes nothing of interest was found, or it would have become another prop in the show. In Hacker Crackdown, Bruce Sterling provides an account of his own trashing experience during a moment of boredom at a law enforcement computer security conference (pp. 197-202) that was far more interesting and produced far more detailed information. The interview with Scott Chasin was equally misleading. Chasin typed what appeared to by a simple "whois" command that lists the Internet addresses of the target. "whois NSA" would produce a list of all accessible NSA addresses. For example, typing "whois jthomas" would produce the following addresses on military computers: whois jthomas Thomas, James (JT276)jthomas@TECNET1.JCTE.JCS.MIL (703) 695-1565 225-1565 Thomas, James (JT5)jthomas@WSMR-EMH82.ARMY.MIL (505) 678-5048 (DSN) 258-5048 Thomas, Jeffery (JT21)jthomas@TACHOST.AF.MIL (804) 764-6610 (DSN)574-6610 Thomas, Jeffrey K. (JKT9)jthomas@WSMR-EMH02.ARMY.MIL (505) 678-4597 (DSN) 258-4597 Thomas, Jennifer L. (JLT9)jthomas@APG-EMH5.APG.ARMY.MIL (301) 671-2619 (DSN) 584-2619 Thomas, Joseph, Jr. (JT168)jthomas@REDSTONE-EMH2.ARMY.MIL (205) 876-7407 (DSN) 746-7407 Thomasovich, John L. (JLT5)jthomas@PICA.ARMY.MIL (201) 724-3760 (DSN) 880-3760 Or, "whois 162.45.0.0" would give: Central Intelligence Agency (NET-CIA) Central Intelligence Agency OIT/ESG/DSED Washington, DC 20505 Netname: CIA Netnumber: 162.45.0.0 Coordinator: 703-281-8087 Record last updated on 22-Jul-92. Or, "ftp nic.ddn.mil" would connect us to the Network Information Center, which was shown on Quintin's screen, a military system that allows anonymous ftp privileges, where the command "cd /pub ; ls" would produce a list of the documents that one could (legally) rummage through. One could "grep" or "find" "UFO" or any other key word quite legitimately. Dateline did a major disservice to viewers by not explaining at least minimal basics of computer technology and the workings of Internet. Nothing portrayed by Chasin or Scott or on the screen necessarily indicated wrong doing, and in fact it seemed nothing more than a routine use of commands available to anyone with a Unix system and Internet access. In fact, we learned nothing that isn't explained in Krohl's "The Whole Internet" or Kehoe's "Zen and the Art of the Internet." Dateline took basic information and made it appear arcane, dangerous, and of special significance. Chasin next demonstrated "social engineering," in which a telephone caller attempts to con useful information from somebody through deception. Chasin was given a week to access any point of a system belonging to a corporation identified only as one of the "Fortune 500." Posing as a company computer operator, it took only a few calls and 90 minutes (collapsed for dramatic effect into about a minute on the program) to con a receptionist out of her password. Whether this access would allow deeper penetration into the computers or simply allow the intruder to read the secretary's private mail remains unknown. Although a convincing demonstration of social engineering, it also emphasizes a point that Dateline glossed over, which hackers and security personnel have been saying for years: The greatest threat to computer security is the individual user. Computer crime is serious. It is unacceptable. Computer predations are wrong. But, the Dateline description did little to illustrate its nature and complexity and did much to re-inforce public technophobia and fears of computer literate teenagers. The issue here isn't whether the term "hacker" is again abused, whether "hackers" receive good or bad press, or whether a program develops a slant that is merely not to one's liking. Dateline's error was far more serious than any of these trivial cavils. At root, Dateline presented misinformation, seemed to have a story carved out in advance and merely sought detail for it, and depicted little of substance in contriving a fear-mongering story organized around assertion rather than evidence. It only confused the nature of computer crime, and confused perceptions lead to bad laws, bad law enforcement, and no solutions. As Adam Grant pointed out, the fact that people have the ability to intrude upon a system or to shoot somebody does not mean they are necessarily social threats. To exaggerate a "hacker threat" feeds the folly of excessive punishment for computer delinquents, and it suggests that the answer to the "hacker problem" is to apprehend the hacker rather than address the broader questions of computer responsibility, computer security, and computer literacy. Even with its hyperbole, Dateline could have salvaged some respectability if it had concluded by informing users that computer systems generally are intended to be open, that *trust* is a crucial element of computer use, and that users themselves can take significant steps to increase security little effort. Dateline seemed uninterested in its responsibility to the public. It seemed more interested in presenting a sexy story. When Geraldo presented "Mad Hacker's Key Party," the producer had the class to engage in a dialogue with critics and seemed genuinely interested in learning from criticism. I wonder if Susan Adams, producer of this Dateline segment, will do the same? Downloaded From P-80 International Information Systems 304-744-2253