News article that appeared in Computerworld Magazine

VIEWPOINT

Hackers aren't the real enemy

by: Chris Goggans

For years articles have been published about people who call themselves "hackers." These have been written by people who have investigated hackers, who have been the targets of hackers, who secure systems against hackers, and who claim to know hackers. As a member of the so-called "computer underground," I would like to present the hacker's point of view.

I hope you will put aside any personal bias you may have toward people who call themselves hackers because it is probably based on media reports rather than real contact. I also hope you won't refuse to read this because you have a problem with my ethics.

Over the past 11 years, operating under the pseudonym Erik Bloodaxe, I had opportunities to become rich beyond the dreams of avarice and wreak great havoc on the world's computer networks. Yet I have done neither. I have looked behind doors that were marked "employees only" but have never disrupted the operation of business. Voyeurism is a far cry from rape.

ILLEGAL BUT NOT CRIMINAL

Undeniably, the actions of some hackers are illegal, but they are still hardly criminal in nature. The intention of most of these individuals is not to destroy or exploit systems but merely to learn in minute detail how they are used and what they are used for. The quest is purely intellectual, but the drive to learn is so overwhelming that any obstacle blocking its course will be circumvented. Unfortunately, the obstacles are usually state and federal laws on unauthorized computer access.

The overwhelming difference between today's hackers and their 1960s MIT namesakes is that many of my contemporaries began their endeavors too young to have ready access to computer systems. Few 13-year-olds find themselves with system privileges on a VAX through normal channels. My own first system was an Atari 8-bit computer with 16K of memory.
I soon realized that the potential of such a machine was extremely limited. With the purchase of a modem, however, I was able to branch out and suddenly found myself backed by state-of-the-art computing power at remote sites across the globe. Often, I was given access by merely talking to administrators about the weak points in their systems, but most often my only access was whatever account I may have stumbled across.

Many people find it hard to understand why anyone would risk prosecution just to explore a computer system. I have asked myself that same question many times and cannot come up with a definitive answer. I do know that it is an addiction so strong that it can, if not balanced with other activities, lead to total obsession. Every hacker I know has spent days without sleep combing the recesses of a computer network, testing utilities and reading files. Many times I have become so involved in a project that I have forgotten to eat.

Hackers share almost no demographic similarities: They are of all income levels, races, colors and religions and come from almost every country. There are some shared characteristics, however. Obsessive compulsive behavior. Others have a history of divorce in their families, intelligence scores in the gifted to genius level, poor study habits and a distrust of any authority figure. Most hackers also combine inherent paranoia and a flair for the romantic - which is apparent in the colorful pseudonyms in use throughout the hacker community.

In most cases, however, once hackers reach college age - or, at minimum, the age of legal employment - access to the systems they desire is more readily available through traditional means, and the need to break a law to learn is curtailed.

Popular media has contributed greatly to the negative use of the word "hacker." Any person found abusing a long-distance calling card or other credit card is referred to as a hacker.
Anyone found to have breached computer security on a system is likewise referred to as a hacker and heralded as a computer whiz, despite the fact that even those with the most basic computer literacy can breach computer security if they put their minds to it.

Although the media would have you believe otherwise, all statistics show that hackers have never been more than a drop in the bucket when it comes to serious computer crime. In fact, hackers are rarely more than a temporary nuisance, if they are discovered at all. The real danger lies in the fact that their methods are easily duplicated by people whose motives are far more sinister. Text files and other information that hackers write on computer systems can be used by any would-be corporate spy to help form his plan of attack on a company.

Given that almost everyone is aware of the existence and capabilities of hackers - and aware of how others can go through the doors hackers open - the total lack of security in the world's computers is shocking.

POINTS OF ENTRY

The primary problem is poor systems administration. Users are allowed to select easily guessed passwords. Directory permissions are poorly set. Proper process accounting is neglected. Utilities to counter these problems exist for every operating system, yet they are not widely used.

Many systems administrators are not provided with current information to help them secure their systems. There is a terrible lack of communication between vendors and customers and inside the corporate community as a whole. Rather than inform everyone of problems when they are discovered, vendors keep information in secret security databases or channel it to a select few through electronic-mail lists. This does little to help the situation, and, in fact, it only makes matters worse because many hackers have access to these databases and to archives of the information sent in these mailing lists.

Another major problem in system security comes from telecommunications equipment. The various Bell operating companies have long been the targets of hackers, and many hackers know how to operate both corporate and central office systems better than the technicians who do so for a living.

Increased use of computer networks has added a whole new dimension of insecurity. If a computer is allowed to communicate with another on the same network, every computer in the link must be impenetrable or the security of all sites is in jeopardy. The most stunning examples of this occur on the Internet.

With such a wide variety of problems and so little information available to remedy them, the field of computer security consulting is growing rapidly. Unfortunately, what companies are buying is a false sense of security. The main players seem to be the national accounting firms. Their high-cost audits are most often procedural in nature, however, and are rarely conducted by individuals with enough technical expertise to make recommendations that will have a real and lasting effect.

Ultimately, it is the responsibility of the systems administrators to ensure that they have the proper tools to secure their sites against intrusion. Acquiring the necessary information can be difficult, but if outsiders can get their hands on this information, so can the people who are paid to do the job.

* Goggans is a 23-year-old hacker. He is currently seeking employment with anyone who won't make him cut his hair.