Copyright 1986 Ken McLeod

HACKERS: Friend or Foe?

Much has been said and written lately about hackers and their activities, from attempting to reposition communications satellites to break-ins at computer facilities throughout the world. Is this just hype? Do these precocious children really possess the keys to computer disarmament?

I could tell many sexy stories about hacker activity: computers broken into, monetary fraud, late night sojourns to computer sites, ad infinitum, ad nauseam. I don't think salacious stories about highly motivated but misguided teenagers are the real issue. What is germane is that hackers represent a real and serious threat to information processing and are a problem created by society.

Computer security personnel are faced with a modern day Hobson's choice. Do they ignore the "hackers", or do they entrench themselves in a Maginot line of technical ramparts? Either choice may result in serious if not financially fatal costs to an organization.

Hackers seem to have become steeped in an aura of technological mysticism -- often perceived as the Druids of the Church of Information Processing. Are video display terminals really their Oracles? You be the judge!

While the popular belief, at least within the "hacker culture", is to believe in an embodiment of computers and computer programming for the greater goal of understanding computer technology, in reality, most people espousing the "hacker ethic" actually fit quite nicely into the definition of a criminal.

My "Theory of Hacking" was developed after I arrested more hackers than probably any other single law enforcement officer and in response to the inability of anyone else to explain why hackers "hacked." I had the privilege of conducting what was essentially empirical research while enforcing the law -- numerous hackers were arrested and interviewed.

During my interviews with the hackers a strange pattern developed which seemed to be shared by most, if not all, of those persons arrested. "Information may not be owned" was the recurrent theme. Each hacker seemed determined to rationalize why he (or rarely "she") felt it necessary to commit a criminal act in furtherance of the divine act of "Information Acquisition." This was strange behavior for a criminal, at least from the point of view of a traditional law enforcement officer. Why was the mere "reading" of data contained in a computer so important in the life of a hacker? What spiritual nirvana was reached when the ultimate goal had been reached: "Access Granted"?

A complete enforcement re-evaluation was required to combat the hacker problem. A realization came about when traditional views of the value of information were ignored, i.e. information = money, and a new outlook adopted: information = value/status/power. While the equations may at first glance seem equal, the variables of value, status and power have a much greater meaning among peers.

Hackers, when compared to the public perception of a "common criminal", are not breaking into computer systems using the same standards as a conventional burglar (if criminal standards can exist!). A burglar or robber is usually concerned simply with the monetary value of what he steals. A hacker tends to have different motives although the end result may be the same. In accepting the fact that hackers seek information (usually) not for its pecuniary value, but for its value as a commodity of status and reputation, we have reached the first step in combating hackers.

What was and is really happening is that hackers are merely a logical metamorphosis of our reliance on the flow and value of data and information in our modern society. Hackers are not some subterranean breed of criminal who has learned the innermost secrets of the information age. In reality they are our own technologically created demons.

Modern society has bred a generation of youngsters who have been taught to communicate and pass information as naturally as eating and sleeping. These hackers, for they usually are younger, realize that to possess information is the first step to power; for information in and of itself denotes power. It is not illogical that hackers are our own worst nightmares, created from ignorance and apathy. Hackers are simply eating at the trough of information which computer managers so eagerly spread throughout society.

To combat hackers, two attitudes must be accepted by computer professionals:

1) Hackers have been created by society and are a natural extension of that society; and,
2) Apathy and ambivalence are rampant throughout the computer field.

Hackers create no new problems; they simply feed on those areas which computer designers, operators and managers have failed to protect.

Law Enforcement is faced with serious problems in attempting to investigate and prosecute hackers. Computer professionals refuse to identify or report suspected or actual cases of computer crime, for fear of losing face amongst their peers. Too often hacker attacks, from inside or outside a company, are considered personnel problems, rather than crimes. Managers refuse to believe that some of the employees might actually fit the hacker mold and fail to act accordingly.

In November of 1984 one of the first hacker arrests I made was of a 28 year old school teacher. Since that time the ages of suspects or arrestees have steadily decreased to where we have detected cases of computer fraud committed by 12 year olds. Attempts to break into financial, government and private computers are discussed among hackers as easily as talking about the latest football scores. Groups of children now regularly control information secretly removed from the computers of America's largest corporations and government institutions.

Arrests only tend to credentialize the hackers, making them experts in the eyes of many. This is disturbing. Are we to create a system of jails for the young intellectuals of our society? Certainly not!

What is the answer? I believe that two things are going to occur -- one a sure bet, the second worthy of debate. The first is that computer fraud dba "hacker activity" will continue to increase in both scope and complexity with correspondingly exponential losses. The second is that computer security professionals will continue to be slow to come around to accepting the fact that hackers are a part of the fabric of society and that to be dealt with, they must first be understood.

Law Enforcement can not be the lone cry in the wilderness, baying for computer users to safeguard their information. Computer professionals must proactively protect their systems through a synergistic system of awareness, acceptance and technical competence. Pseudo-experts and "reformed hackers" are not the answer. Only through a policy of total commitment to computer security will the hacker problem be effectively dealt with.