Date: Tue, 12 Jan 93 12:20:21 EDT
From: Jerry Leichter <leichter@LRW.COM>
Subject: 1--Media hype goes both ways (in re: Forbes article)

In Cu Digest, #4.66, Jim Thomas reviews article from the 21 December
1992 Forbes Magazine, and grants it CuD's 1992 MEDIA HYPE award.  I
read the article before reading Thomas's comments, and was considering
posting a very different summary.  Did we read the same words?

Let me briefly summarize what I got out of the article, and then go
over some of Thomas's points.  The article claims that we are seeing a
new kind of computer miscreant.  Let me call such people "crims", a
word I've just invented; according to the article, they identify
themselves as hackers (to the extent they identify themselves at all),
so the article also calls them hackers (sometimes, "hacker hoods"),
thus raising many irrelevant emotional issues.

Unlike old-style hackers, who were in it for what they could build; or
new-style hackers, who are nominally in it for what they can learn;
crims are in it for what they can steal.  The article does NOT claim
that the same people who've been hackers have now turned to real
crime; rather, as I read it it claims that the crims have taken the
techniques developed by the hackers and gone on to different things.
Just look at the title of the article:  "The Playground Bullies are
Learning how to Type".  The crims are the people who a few years ago
might be burglars or jewel thieves; today, they are learning how to go
after money and other valuable commodities (like trade or military
secrets) in their new, electronic form.

Thomas's criticism begins with a long attack on Brigid McMenamin, one
of the reporters on the piece.  He is upset that she keeps "bugging"
people for information.  Reporters do that; it's not their most
endearing quality, but it's essential to their job, especially when
dealing with people who don't particularly want to talk to them.  He
is upset that she kept asking about "illegal stuff" and "was oblivious
to facts or issues that did not bear upon hackers-as-criminals." Given
the article she was writing - exactly focusing on the crims - that's
exactly what I would have expected her to do.  Just because Thomas is
interested in the non-criminal side of hacking doesn't mean McMenamin
is under any obligation to be.  Thomas reports that in his own
conversations with McMenamin "Her questions suggested that she did not
understand the culture about which she was writing."  Again, Thomas
presumes that she was writing about the people *Thomas* is interested
in.

In general, Thomas's criticisms of McMemanim reveal him to be so
personally involved with the "hacker culture" that he studies that
he's protective of it - and blind to the possibility that the world
may be bigger and nastier than he would like.

Thomas then summarizes "The Story".  He criticizes it for not
presenting a "coherent and factual story about the types of computer
crime", but rather for making "hackers" the focal point and taking on
a narrative structure.  Well, I didn't particularly see "hackers" as
the focal point, and considering the nature of the material being
covered - it's all recent, and the crims are hardly likely to be
interested in making themselves available to reporters - a narrative
structure is probably inevitable.  Perhaps Thomas will write the
definitive study of the types of computer crime; I doubt any working
reporter will do so for a magazine.

Len Rose's story is told with a reasonable slant.  None of us know ALL
the facts, but at least Rose is pictured as a relatively innocent
victim, chosen pretty much at random to bear the weight of actions
taken by many people.  In fact, that's just what a prosecutor
interviewed in this piece of the story says:  Because of the nature of
the crimes, such as they are, the people caught and punished are often
not the ones who actually did much of anything.  He doesn't indicate
that he LIKES this - just the opposite.  He reports on facts about the
real world.

Thomas then says that the article describes a salami-slicing attack,
alleged to have taken place at Citibank.  He criticizes the article
for lack of evidence.  He's right, but after all, this was a criminal
enterprise, and the criminals weren't caught.  Just what evidence
would he expect?  He then goes on with a comment that makes no sense
at all:

	Has anybody calculated how many accounts one would have to "skim" a
	few pennies from before obtaining $200,000? At a dime apiece, that's
	over 2 million. If I'm figuring correctly, at one minute per account,
	60 accounts per minute non-stop for 24 hours a day all year, it would
	take nearly 4 straight years of on-line computer work for an
	out-sider.  According to the story, it took only 3 months.  At 20
	cents an account, that's over a million accounts.

Why would anyone even imagine that an attack of this nature would be
under-taken on an account-at-a-time basis?  The only way it makes
sense is for the attack to have modified the software.  If the
criminals had a way to directly siphon money out of an account, they
would have made one big killing and disappeared.  Citibank has many
thousands of accounts with much more than $200,000 in them; it
probably has many thousands of accounts for which a $200,000
discrepancy wouldn't be noticed until the end of the quarter.  A
salami-slice attack only makes sense when the attacker intends to
remain undetected, so that the attack continues to operate
indefinitely.

The romantic picture of the hacker sitting at his terminal, day in and
day out, moving a few pennies here and there, may have a lot of
appeal, but it's not reality.

The crux of the Thomas's critique is:  "Contrary to billing, there was
no evidence in the story, other than questionable rumor, of `hacker'
connection to organized crime."  But, again, that isn't the point of
the story, which to me seemed to do a fairly reasonable (though
imperfect) job of distinguishing between the innocents who "just want
to hack" and the new "crims".  The article does, however, warn that
the crims will have no compunctions about using the hackers, whether
by just showing up at hacker conventions to learn the latest tricks -
like every group, hackers think they can identify the "true" group
members who believe in the group's ideals, when in fact it's always
been trivially easy for those who are willing to lie to sneak in - or
by hiring hackers, with money, drugs, or whatever.

I don't know to what degree the rumors of the spread of the crims are
true.  It makes SENSE that they would be true, and in certain cases
(particularly cellular telephone fraud) we have strong evidence.  It's
naive to think that the hacker community or the hacker ethic is
somehow immune to the influence of criminal minds.

There was an explicit warning from some prosecuter quoted in the
article.  What he said was that people are upset by the crimes, and
government is responding harshly, often against the wrong targets.  No
one would be so stupid as to walk into a bank carrying a toy gun and
try to get money from a teller, intending to leave it at the door,
"just to test security".  Yet hackers seem to believe that they can do
the same thing with a bank's computers.  If there were no such thing
as real bank robbers, the toy gun game would be just fine; in the real
world, that's an excellent way to get shot - or sent to prison for
many years.  As the crims become more active - and even if the current
stories are all baseless, they inevitably will, and sooner rather than
later - any hackers who don't adjust to the new reality will find
themselves in big trouble.  Many's the idealist who's been lead by the
nose to help the dishonest - and it's usually the idealist who gets
stuck with the bills.

Downloaded From P-80 International Information Systems 304-744-2253