Date: Sat, 30 Jan 93 23:01:49 CST From: Jim Thomas Subject: 2--Forbes, NPR, and a Response to Jerry Leichter Jerry Leichter asks of our mutual reading of Forbes' Magazine's "The Hacker Hood" article (see CuD #4.66): "Did we read the same words?" Although his question is presumably rhetorical, and although we normally do not respond to articles (even if critical), Jerry's question and commentary raises too many issues to let pass. The answer to his rhetorical question is: No, we did not read the same words. Not only did we not read the same words in the Forbes piece, I'm not certain that Jerry read the Forbes article with particular care, and it's certain he did not read our response to it (or our oft-repeated position on "computer deviance" over the years) with care. This would be of little consequence except that he makes several false assertions about my own background and he embodies an attitude that perpetuates the kinds of misunderstandings that lead to questionable laws, law enforcement, and misunderstanding among the public. Although Jerry obviously wrote in passion and in good faith, his commentary again raises the issues that we found disturbing in the Forbes piece. We thank him for his post and for the opportunity to again address these issues. Jerry's criticism's of the Forbes' commentary can be divided into three parts: 1) His perception of my naivete; 2) His disagreement with our evaluation and interpretation of the Forbes writers and the substance of the article; and 3) A disagreement over the nature and extend of "hacker crime." 1. JERRY'S CRITICISMS OF THOMAS Jerry's criticisms of me include several of sufficient magnitude that they require a response. First, he claims that I'm apparently blinded to objectivity because of a commitment to hacking: >In general, Thomas's criticisms of McMemanim (sic) reveal him to be >so personally involved with the "hacker culture" that he >studies that he's protective of it - and blind to the >possibility that the world may be bigger and nastier than he >would like. Had he claimed that I'm so involved in civil rights that I sometimes lose objectivity, I might agree with him. However, even a cursory reading of my response indicates that the criticisms of one of the Forbes writers, Brigid McMenamin would reveal that the objections had nothing to do with hackers or rights, but with journalistic ethics and responsibility. Those with whom I spoke who were contacted by Ms. McMenamin all reached an independent consensus about her methods, "homework," and ability to write a factual story. Jerry counters with no facts that would dispute any of the interpretations, but instead seems to defend what some judged as incompetence. Is it not possible, in Jerry's worldview, to question a reporter's methods, especially when those methods seem troublesome to others who are experienced in dealing with the press? It's also unclear how Jerry interprets anything written by CuD editors as "protective" of "hacker culture." My Forbes commentary was quite clear: The issue isn't whether one supports of opposes "hacker culture." It's simply whether we believe that a medium such as Forbes should be committed to minimal standards of accuracy or whether we are willing to accept broad assertions and innuendo that contribute to the hysteria that feeds bad legislation and questionable law enforcement tactics such as those occuring during the "hacker crackdown." I also assure Jerry that, as a criminologist who has lived in and also studied the nastiest criminal cultures, I recognize that segments of the world are indeed big and nasty. I also recognize that nastiness is not limited to the criminal segment of society. In the scheme of things, even the worst of computer crime is generally not among the worst offenses that one can commit. He seems unaware that the current U.S. prison population hoovers around 900,000, and that it's increasing by almost ten percent a year. Much of this increase is due to "get tough" attitudes on crime in which an increasing number of behaviors are criminalized, sanctions for crimes are increased, and sentences imposed (and time served) grows longer. Jerry fails to understand that the issue isn't simply "hackers," but rather what constitutes an acceptable social response to new social offenses. Jerry also implies that to criticize increased criminalization and to oppose demonization for relatively mild offenses is naively idealistic. Although he fails to provide a rationale for this claim, it presumably stems from a view that sees advocates of civil rights siding with criminals rather than victims. This, of course, is a false argument. There is little, if any, evidence that civil rights advocates side with criminals. Rather, they side with the rule of law that, under our Constitution, guarantees protections to all people. The Forbes article creates an image that, in a time of strong opposition to civil rights, promotes inappropriately strong laws and weaker protections of rights. If adhering to the Enlightenment principles and Constitutional values on which our judicial (and social) system were founded makes me a naive idealist, then I'm guilty as charged. I find this a far more civilized stance than the alternative. 2. JERRY'S CRITICISMS OF MY INTERPRETATION OF THE FORBES PIECE Jerry "didn't particularly see 'hackers' as the focal point of the story." The title and the narrative of the piece seemed quite clear: "The Hacker Hoods?" Nearly every paragraph alluded to vague hacker criminality or to specific people identified as criminal "hackers." No, I do not think we did read the same words. If I had any lingering doubts about Jerry's lack of thoroughness in reading the Forbes piece, they were eliminated when I read his criticism of my commentary on the "salami attack." The Forbes piece adduced as an example of a "hacker crime" an unsupported story about a computer intruder who lopped a penny or two from various accounts. Jerry thinks it odd that one would question the veracity of the story and suggests that, contrary to what I said, a hacker could easily do this in a few seconds with a "big killing." He apparently failed to note that the story indicated this was done by skimming "off a penny or so from each account. Once he ((the hacker)) had $200,000, he quit" (p. 186). Again, it seems we didn't read the same words. The point wasn't whether this could be done, but that the story was provided as "fact" with no corroboration. In fact, neither the banking victim (Citibank) nor a nationally recognized computer crime expert (Donn Parker) had knowledge of the deed. As written in Forbes, the method does raise some skepticism, as Jerry concedes: >The romantic picture of the hacker sitting at his terminal, >day in and day out, moving a few pennies here and there, may >have a lot of appeal, but it's not reality. Here we agree. Had he read the Forbes piece accurately, he would see that this was precisely my point. The picture Jerry disputes is the one drawn in the Forbes piece. It appears that he agrees with me: The Forbes picture is not reality. The issue here isn't that Jerry didn't read either the Forbes piece or the commentary carefully. Rather, it's that his comments show how easily even an otherwise informed reader can uncritically gloss over material that doesn't conform to a preferred view. It's not that I disagree with Jerry (or the Forbes piece). Rather, the issue at stake lies in a fundamental difference over how material is to be presented. In highly volatile topics, sensationalistic portrayals strike me as irresponsible and reinforce attitudes that lead to unacceptable social responses. The Forbes piece and Jerry's uncritical acceptance of it contribute to what in past times were called witch hunts. Jerry seems to find it odd that one would object to claims being made without evidence: >He ((Thomas)) criticizes the article for lack of >evidence. He ((Thomas))'s right, but after all, this >was a criminal enterprise, and the criminals weren't >caught. Just what evidence would he expect? Crimes are detected in two ways. First, the criminal is apprehended in the act. Second, a victim reports the crime. As a criminologist, I've been taught that however one measures crime, it is generally done either by some combination of crimes known to police or by victimization surveys. In an article ostensibly describing crime, I would assume that there would be at least minimal evidence for the hard core crimes attributed to "hackers". It's obvious Jerry and I did not read the same words. Didn't he read Managing Editor Lawrence Minard's introduction? >While working with Bill Flanagan on the multibillion-dollar >telephone toll fraud phenomenon (Forbes, Aug. 3), Brigid >McMenamin was intrigued to find that organized crime was >hiring young computer hackers to do some of their electronic >dirty work. This is a claim. Other claims are made in the article. It's not unreasonable to expect at least minimal evidence for the claims made. The story was not based on facts but on innuendo. The Forbes piece was criticized *not* because it was in opposition to a preferred view of a particular social group, but because it took a stigmatized group and further demonized it by making claims without recourse to specific cases. 3. WHAT'S AT STAKE IN THIS DISCUSSION As I stated explicitly in my original Forbes commentary, the issue is not whether "hackers" are portrayed to one's liking. The point is how one creates images of groups or behaviors that lead to social stigma and criminal sanctions. I judged the Forbes piece to grossly err on the side of falsely dramatizing a label that has been misused, abused, and used to create what many judge as inappropriate or chaotic laws. If the Forbes piece were limited to identifying new types of computer crime without attempting to exaggerate the link between "hackers" and organized crime, and if it had been more factual, it would not have been objectionable. If it had focused on computer delinquents and the problems they cause by identifying explicit instances of security transgressions, telephone abuse, or other identifiable behaviors, it would have been less objectionable. Had it made a clear distinction between the culture of "hackers," whether the old-guard explorer or the newer nuisance and computer criminals who do use a computer to prey (but are not "hackers"), it would have been less objectionable. The Forbes piece did none of this. Instead, it distorted both "hacking" and computer crime. The authors did nothing to clarify a complex problem and did much to obscure it. There is computer crime? Old news. Some hackers commit computer crimes? Old news. What is new in the piece is that it implies a logic in which a) anyone adept at a computer is a hacker; b) Computer criminals (by definition) are adept at computers; c) Computer criminals are hackers. Conclusion: Look out for the hackers! Consider: Substitute the term "computer professionals" or "sys ads" for "hackers." "Sys ad bullies?" "Sys ads learn to type and commit crimes?" Computer criminals, by definition, have computer skills, and to conflate all computer crime with "hacking" makes as much sense as conflating computer criminals with any other label that captures the imagination of a public that can't distinguish between the reality and the simulacrum. In the Forbes piece, the symbol, "hackers," becomes an abstract demon. Forbes employed its resources, which are considerable, to produce a misleading piece that subverts the efforts of those who attempt to balance fair laws and their application to civil liberties. I doubt that Forbes' readers, over one million of them, were able to ascertain the complexities of this delicate balance from the article. The visibility of the Forbes article also put one author, William Flanagan, in the public eye on a National Public Radio "Morning Edition" segment (21 December, '92). Flanagan essentially repeated his points from the article. When asked by reporter Renee Montagne "But are we talking about computer hackers who've become criminals, or is it criminals who've become computer hackers?" Flanagan responded: It's--it's a bit of both actually. You really have three categories. You have the--the sport hackers who used to fool around and show off. They would go into a government or a telephone company computer and pull out a sensitive file and then show it off as a trophy. They really didn't have too much malice in what they were doing other than the anarchic thing that you will find among a lot of late-teenage boys and--and it's mainly boys. But some of them have been co-opted into it by the Mafia, by organized crime. They give them money and drugs and they perform some stunts for them like come up with telephone numbers. Then, there are those who are larcenous to start with and--and who have developed the techniques or have hired others to do it. Then, the third category--and perhaps this is even the most dangerous. It's people who have an awful lot of computer knowledge and are suddenly out of work and are very angry and have the capability of creating all kinds of mayhem or stealing great deals of money. Of course there are hackers who commit crimes, just as there are systems administrators who commit crimes. But, in putting together the beginnings of a data base on computer crime in recent years, I have yet to come across a pointer to a Mafia-related "hacker" case. The thinking reflected in Flanagan's commentary resembles that of someone who's read one too many National Inquirer articles or seen one too many Geraldo shows. It distorts the problem, distorts possible solutions, and offers no new information. When we distort the nature of the problem, we obstruct a solution. Flanagan repeats the error of equating Robert T. Morris, of "the Internet work" fame with "hackers." The reporter notes that he was given probation, and asks, "What about now?" Flanagan: He would be in jail and I guarantee you, his father's connections wouldn't have helped him in this day and age. Montagne: His father was... Flanagan: Was a high government official I think with the FTC. Throughout most of the '80s when these kids were caught, they would be given a rap on the knuckles and there was a widespread belief that all they had to do was to tell law enforcement or tell the telephone company how they did something and to give up that information or maybe give up the names of some of their friends, and they'd be let go. But that's not the case any more. Now, it's a seemingly minor error to assume that Morris's father's connections helped him, a claim for which there's no evidence. It's also relatively minor that a detail such as linking Morris' father to the FTC was wrong (the senior Morris was a computer security expert who was the chief scientist at the NSA's National Computer Security Center). It's also a minor quibble that Flanagan thinks that three years probation, a $10,000 fine, 400 of community service and almost $150,000 in legal fees is a light punishment. But, in the aggregate, these errors indicate that Flanagan, speaking as an "expert" on the issues of hacking and computer crime, doesn't know his subject. His pronouncements have a high profile: If it's in Forbes *and* on NPR, it *must* be true. Yet, his factual errors and the style of crafting them into narrative demonic images cast fatal doubt on his credibility. One way to counter this kind of hyperbole and disinformation is to provide an antidote by challenging the veracity of the facts and the images. This, as Jerry's response indicates, bothers some people. As I argued, I hope clearly, in the original Forbes commentary, the concern isn't with "hackers," but with law and justice. For over a decade, we have witnessed the curtailment of civil and other rights that were thought to be well-established. We have seen the criminalization of a variety of new behaviors and the imposition of harsher sentences on old ones. We have seen the abuses of a few law enforcement officials and others in pursuing their targets. We have seen creative use of seizure and forfeiture laws to take property and disrupt lives. We have seen a public, frustrated by crime, succumb to the hyperbole and rhetoric of politicians and media sensationalism. To oppose the Forbes piece and those who defend it is not to take issue with personalities or a given medium. Rather, it is a modest, perhaps chimerical attempt to joust with those repressive windmills that substitute emotionalism and ignorance in solving problems for the harder task of coming to grips with thier complexity and nuances. So, no, Jerry, we did not read the same words, nor do we see the world in the same way. Which is fine. We learn through the dialogic competition of ideas. And, yes, I do recognize that the world is a far more nasty place than suits my liking. However, I also recognize that not all of the nastiness is caused by criminals. To modify a line from Stephenson's Snow Crash, condensing fact from the vapor of nuance is fine, but replacing facts with vaporous nuances isn't. Downloaded From P-80 International Information Systems 304-744-2253