Underground: Tales of Hacking, Madness and Obsession from the Electronic Frontier (62 page)

If we, as a society, choose not to lock hackers up, then what should we do with them?

Perhaps a better question is, do we really need to do anything with them?

One answer is to simply ignore look-see hacking. Society could decide that it makes more sense to use valuable police resources to catch dangerous criminals--forgers, embezzlers, white-collar swindlers, corporate spies and malicious hackers--than to chase look-see hackers.

The law must still maintain the capacity to punish hard where someone has strayed into what society deems serious crime. However, almost any serious crime committed by a hacker could be committed by a non-hacker and prosecuted under other legislation. Fraud, wilful damage and dealing in stolen property are crimes regardless of the medium--and should be punished appropriately.

Does it make sense to view most look-see hackers--and by that I mean hackers who do not do malicious damage or commit fraud--as criminals?

Probably not. They are primarily just a nuisance and should be treated as such. This would not be difficult to do. The law-makers could simply declare look-see hacking to be a minor legal infringement. In the worst-case scenario, a repeat offender might have to do a little community service. But such community service needs to be managed properly. In one Australian case, a corrections officer assigned a hacker to dig ditches with a convicted rapist and murderer.

Many hackers have never had a job--in part because of the high youth unemployment in some areas--and so their community service might be their first ‘position’. The right community service placement must involve hackers using their computer skills to give something back to society, preferably in some sort of autonomous, creative project. A hacker’s enthusiasm, curiosity and willingness to experiment can be directed toward a positive outcome if managed properly.

In cases where hacking or phreaking has been an addiction, the problem should be treated, not criminalised. Most importantly, these hackers should not have convictions recorded against them, particularly if they’re young. As Paul Galbally said to the court at Mendax’s sentencing, ‘All the accused are intelligent--but their intelligence outstretched their maturity’. Chances are, most will be able to overcome or outgrow their addiction.

In practice, most Australia’s judges have been reasonably fair in their sentencing, certainly compared to judges overseas. None of the Australian hackers detailed in this work received a prison sentence.

Part of this is due to happenstance, but part is also due to the sound judgments of people like Judge Lewis and Judge Kimm. It must be very tempting, sitting on the bench every day, to shoot from the hip interpreting new laws.

As I sat in court listening to each judge, it quickly became clear that these judges had done their homework. With psychologist Tim Watson-Munro on the stand, Judge Lewis rapidly zeroed in on the subject of ‘free will’--as applied to addiction--regarding Prime Suspect. In Trax’s case, Judge Kimm asked pointed questions which he could only have formulated after serious study of the extensive legal brief. Their well-informed judgments suggested a deeper understanding both of hacking as a crime, and of the intent of the largely untested computer crime legislation.

However, a great deal of time and money has been wasted in the pursuit of look-see hackers, largely because this sort of hacking is treated as a major crime. Consider the following absurd situation created by Australia’s federal computer criminal legislation.

A spy breaks into a computer at the Liberal Party’s headquarters and reads the party’s top-secret election strategy, which he may want to pass on to the Labor Party. He doesn’t insert or delete any data in the process, or view any commercial information. The penalty under this legislation? A maximum of six months in prison.

That same spy decides he wants to get rich quick. Using the local telephone system, he hacks into a bank’s computer with the intention of defrauding the financial institution. He doesn’t view any commercial or personal information, or delete or insert any files. Yet the information he reviews--about the layout of a bank building, or how to set off its fire alarm or sprinkler system--proves vital in his plan to defraud the bank. His penalty: a maximum of two years prison.

Our spy now moves onto bigger and better things. He penetrates a Department of Defence computer with the intention of obtaining information about Australia’s military strategies and passing it on to the Malaysians. Again, he doesn’t delete or insert any data--he just reads every sensitive planning document he can find. Under the federal anti-hacking laws, the maximum penalty he would receive would also be two years prison.

Meanwhile, a look-see hacker breaks into a university computer without doing any damage. He doesn’t delete any files. He FTPs a public-domain file from another system and quietly tucks it away in a hidden, unused corner of the university machine. Maybe he writes a message to someone else on-line. If caught, the law, as interpreted by the AFP and the DPP, says he faces up to ten years in prison. The reason? He has inserted or deleted data.

Although the spy hacker might also face other charges--such as treason--this exercise illustrates some of the problems with the current computer crime legislation.

The letter of the law says that our look-see hacker might face a prison term five times greater than the bank fraud criminal or the military spy, and twenty times greater than the anti-Liberal Party subversive, if he inserts or deletes any data. The law, as interpreted by the AFP, says that the look-see hacking described above should have the same maximum ten-year prison penalty as judicial corruption. It’s a weird mental image--the corrupt judge and the look-see hacker sharing a prison cell.

Although the law-makers may not have fully understood the technological aspects of hacking when they introduced the computer crimes legislation, their intent seems clear. They were trying to differentiate between a malicious hacker and a look-see hacker, but they could have worded it better.

As it’s worded, the legislation puts malicious, destructive hacking on a par with look-see hacking by saying that anyone who destroys, erases, alters or inserts data via a carrier faces a prison term, regardless of the person’s intent. There is no gradation in the law between mere deletion of data and ‘aggravated deletion’--the maximum penalty is ten years for both. The AFP has taken advantage of this lack of distinction, and the result has been a steady stream of look-see hackers being charged with the most serious computer crime offences.

Parliament makes the laws. Government institutions such as the AFP, the DPP and the courts interpret and apply those laws. The AFP and to some extent the DPP have applied the strict letter of the law correctly in most of the hacking cases described in this book. They have, however, missed the intention of the law. Change the law and they may behave differently. Make look-see hacking a minor offence and the institutions will stop going after the soft targets and hopefully spend more time on the real criminals.

I have seen some of these hackers up close, studied them for two years and learned a bit about what makes them tick. In many ways, they are quintessentially Australian, always questioning authority and rebelling against ‘the establishment’. They’re smart--in some cases very smart. A few might even be classified as technical geniuses.

They’re mischievous, but also very enterprising. They’re rebels, public nuisances and dreamers.

Most of all, they know how to think outside the box.

This is not a flaw. Often, it is a very valuable trait--and one which pushes society forward into new frontiers. The question shouldn’t be whether we want to crush it but how we should steer it in a different direction.

END

If you would like to comment on this book, please write to [email protected]. All comments are passed onto Dreyfus & Assange.

_________________________________________________________________

Underground -- Glossary and Abbreviations

_________________________________________________________________

AARNET Australian Academic Research Network ACARB Australian Computer Abuse Research Bureau, once called CITCARB

AFP Australian Federal Police

Altos West German chat system and hacker hang-out, connected to X.25

network and run by Altos Computer Systems, Hamburg ANU Australian National University

ASIO Australian Security Intelligence Organisation Backdoor A program or modification providing secret access to a computer system, installed by a hacker to bypass normal security. Also used as a verb

BBS Bulletin Board System

BNL Brookhaven National Laboratory (US)

BRL Ballistics Research Laboratory (US)

BT British Telecom

CCITT Committee Consultatif Internationale Telegraph et Telephonie: Swiss telecommunications standards body (now defunct; see ITU) CCS Computer Crime Squad

CCU Computer Crimes Unit (Australian Federal Police) CERT Computer Emergency Response Team

CIAC Computer Incident Advisory Capability: DOE’s computer security team

CITCARB Chisholm Institute of Technology Computer Abuse Research Bureau (now defunct. See ACARB)

COBE Cosmic Background Explorer project: a NASA research project DARPA Defense Advanced Research Projects Agency (US) DCL Digital Command Language, a computer programming language used on VMS computers

DDN Defense Data Network

DEC Digital Equipment Corporation

DECNET A network protocol used to convey information between (primarily) VAX/VMS machines

DEFCON (a) Defense Readiness Conditions, a system of progressive alert postures in the US; (b) the name of Force’s computer program which automatically mapped out computer networks and scanned for accounts DES Data Encryption Standard, an encryption algorithm developed by IBM, NSA and NIST

Deszip Fast DES Unix password-cracking system developed by Matthew Bishop

Dial-up Modem access point into a computer or computer network DMS-100 Computerised telephone switch (exchange) made by NorTel DOD Department of Defense (US)

DOE Department of Energy (US)

DPP Director of Public Prosecutions

DST Direction de la Surveillance du Territoire-- French secret service agency

EASYNET Digital Equipment Corporation’s internal communication network (DECNET)

GTN Global Telecommunications Network: Citibank’s international data network

HEPNET High Energy Physics Network: DECNET-based network, primarily controlled by DOE, connected to NASA’s SPAN

IID Internal Investigations Division. Both the Victoria Police and the AFP have an IID

IP Internet Protocol (RFC791): a data communications protocol, used to transmit packets of data between computers on the Internet IS International Subversive (electronic magazine) ISU Internal Security Unit: anti-corruption unit of the Victoria Police

ITU International Telecommunications Union, the international telecommunications standards body

JANET Joint Academic Network (UK), a network of computers JPL Jet Propulsion Laboratory--a California-based NASA research centre affiliated with CalTech

LLNL Lawrence Livermore National Laboratory (US) LOD Legion of Doom

Lutzifer West German computer, connected to the X.25 network, which had a chat facility

MFC Multi Frequency Code (Group III): inter-exchange telecommunications system used by Telstra (Telecom) MILNET Military Network: TCP/IP unclassified US DOD computer network MOD Masters of Deception (or Destruction)

Modem Modulator De-modulator: a device used to transmit computer data over a regular telephone line

NCA National Crime Authority

Netlink A Primos/Dialcom command used to initiate a connection over an X.25 network

NIST National Institute of Standards (US)

NIC Network Information Center (US), run by DOD: a computer which assigned domain names for the Internet.

NRL Naval Research Laboratory (US)

NSA National Security Agency (US)

NUA Network User Address: the ‘telephone’ number of a computer on an X.25 network

NUI Network User Identifier (or Identification): combined username/password used on X.25 networks for billing purposes NorTel Northern Telecom, Canadian manufacturer of telecommunications equipment

PABX Private Automatic Branch Exchange

PAD Packet Assembler Disassembler--ASCII gateway to X.25 networks PAR ‘PAR?’--command on PAD to display PAD

parameters

RMIT Royal Melbourne Institute of Technology RTG Radioisotope Thermoelectric Generator, space probe Galileo’s plutonium-based power system

RTM Robert Tappan Morris (Jr), the Cornell University student who wrote the Internet worm, also known as the RTM worm Scanner A program which scans and compiles information, such as a list of NUAs

SPAN Space Physics Analysis Network: global DECNET- based network, primarily controlled by NASA

Sprint US telecommunications company, an X.25 network provider Sprinter Word used by some Australian and English hackers to denote scanner. Derived from scanning attacks on Sprint communications Sprintnet X.25 network controlled by Sprint communications Sun Sun Microsystems--a major producer of Unix workstations TCP Transmission Control Protocol (RFC793): a standard for data connection between two computers on the Internet TELENET An X.25 network, DNIC 3110

Telnet A method of connection between two computers on the Internet or other TCP/IP networks

Trojan A program installed by hackers to secretly gather information, such as passwords. Can also be a backdoor

Tymnet An X.25 network controlled by MCI, DNIC 3106

Unix Multi-user computer operating system developed by AT&T and Berkeley CSRG

VAX Virtual Address Extension: series of mini/mainframe computer systems produced by DEC

VMS Virtual Memory System: computer operating system produced by DEC

and used on its VAX machines

WANK Worms Against Nuclear Killers: the title of DECNET/VMS-based worm released into SPAN/DEC/HEPNET in 1989

X.25 International data communications network, using the X.25