The Hacker Ethic

  • Access to computers - and anything that might teach you something about the way the world works - should be unlimited and total. Always yield to the Hands-On Imperative!
  • All information should be free.
  • Mistrust authority - promote decentralization
  • Hackers should be judged by their hacking, not criteria such as degrees, age, race, sex, or position.
  • You can create art and beauty on a computer.
  • Computers can change your life for the better.
(Steven Levy "Hackers")

Television stories and newspaper reports today tend to portray hackers as terrorists, virus writers, and criminals. Yet, if we are to accept "The Hacker Ethic" above, that portrait isn't entirely accurate. On the other hand, a few hackers have not helped their case over the years by committing illegal acts, which, in some cases have sent them to prison. Even so, the hacker community has always maintained that any illegal acts by true hackers were nothing more than trespassing and that a true hacker would never do anything to cause damage or for monetary profit. In their vocabulary, the people who did such dastardly acts should have been called "crackers" or just plain "computer criminals."

The best known advocate for hackers is Emmanuel Goldstein, editor and publisher of 2600:The Hacker Quarterly and host of the weekly radio show "Off The Hook." 2600 (named after 2600 megahertz, the frequency of the analog telephone system prevalent between 1960 and 1990) regularly prints descriptions of security holes in banking, credit cards, home security and any systems that rely on electronics or code systems. (Check out one of the profiles hackers often exploit in 7 Sneaky Ways Hackers Can Get Your Facebook Password.)

When asked before a House of Representative committee whether his magazine wasn’t "a manual of computer crime," Goldstein replied, "No, we expose security problems both so consumers will understand their risks and businesses will repair the security holes." When then asked why he didn’t just call businesses and tell them about their security weakness, Goldstein replied, "Because they deny the weakness and don’t do anything." Goldstein further pointed out that half of his subscribers were law enforcement officials and corporate security personnel.

Nowhere was Goldstein’s contention more substantiated that in a 1991 episode shown on the "NBC Evening News with Tom Brokaw," in which Goldstein places a big white envelope marked "2600" in big letters into a Federal Express pickup box. A hacker then kneels in front of the box and, within 10 minutes, breaks the code on the supposedly unbreakable five-button lock.

Goldstein said that when a State University of New York student and hacker, concerned about the security of the locks after another student was attacked in her room, was able to crack the lock, Goldstein called its manufacturer, Simplex, to report the problem. He was told that he was incorrect and that the locks, also used at JFK Airport and on FedEx and UPS boxes, were completely secure and had "infinite combinations." Goldstein corrected the spokesperson, saying that there were really 1,085 combinations. The spokesperson reluctantly agreed to the number but said that it would take at least four hours for a person knowledgeable in the coding structures to begin to crack the lock.

The hacker who actually cracked the lock, Scott Skinner, explained the error in security at the time.

"While Simplex prefers people to think that there is an endless number of permutations to the lock, there are actually only 1,085," Skinner told me in a piece I wrote for Newsbytes in 1991. "In most cases, even this number is greatly reduced - if one knows that only three buttons are being used, it reduces the possibilities to 135. Additionally, we found that, once we had the combination to one Federal Express dropbox, it worked in every other one that we tried in the New York area."

Is Systems Security Getting Better?

That may have been way back in 1991, but while technology has changed, one thing hasn't: Companies are reluctant to admit security holes, feeling that such admissions will lead to a lack of customer confidence and drive customers away. Donald Delaney, New York State Police senior investigator, said at the time that one of his biggest problems was that after a representative of a company would call the state police complaining that they had been hacked and those responsible for the crime were apprehended, the company that had been victimized would ultimately choose not to press charges.

"It was extremely annoying," Delaney said, "that we would spend the taxpayer’s time and money conducting a criminal investigation and, upon successfully completing the investigation and arresting the perpetrators, find that the complainant wanted to walk away from the case." The NYSP soon began to require that, if a company initiated a complaint, it would be required to attest that it would aid in prosecution if the investigation was successful.

That may have happened more than 20 years ago, but more recent news suggests that not a lot has changed. On October 23, 2012, The New York Times reported that there had been a massive theft of customer credit card information at 63 Barnes & Nobles stores throughout the country. And here's the kicker: The breech was found on September 14th, over a month before the information was released to the public.

A company spokesperson, acknowledging the breach, was quoted by The Times as saying that "as a precaution, customers who used their credit card at any one of the 63 Barnes & Noble stores where information was stolen should change their PINs and scan their accounts for unauthorized transactions." Great advice. Unfortunately, it came five weeks after it became obvious that there was a problem, even though there was evidence that hackers had already used information from some customers' credit cards to make unauthorized purchases.

Barnes & Nobles' reason for withholding the information from its customers was that the Justice Department requested that it do so in order for the FBI to investigate who might be behind the break-in. The firm said that it had received two letters from the U.S. Attorney's office for the Southern District of New York, saying that it did not have to report the attacks to its customers during the investigation. At least one of the letters said the company could wait until December 24th to tell customers. To this skeptical observer, it seems that withholding the information that long would succeed in doing at least one thing: Preventing the scandal from impacting holiday sales.

Hackers Are Stretching Their Wings

Unfortunately, when you look at hacking on a larger scale, it can do a lot more damage than just credit card theft. On the same day that the Barnes & Noble story appeared, news broke about how hackers, presumed to be Iranian, unleashed a computer virus on August 15th on Saudi Aramco, one of the world’s most valuable companies. The hackers chose August 15th because more than 55,000 of the firm’s employees were home from work preparing for a major Islamic religious holiday. The virus is said to have erased data on three-quarters of Aramco’s corporate PCs and replaced the documents, emails, spreadsheets, and other files with an image of a burning American flag.

Initial examinations by American security experts led to the belief that the attack was perpetrated by Iranians in retaliation for the alleged 2010 cyberattack upon Iran using the Stuxnet computer virus, which destroyed centrifuges in an Iranian nuclear facility. (Learn more about this type of attack in Advanced Persistent Threats: First Salvo in the Coming Cyberwar?)

What all these stories have in common is a continued lack of security in computer systems worldwide. As a result, the world has changed dramatically since the Cold War of the Berlin Wall and the Cuban Missile Crisis. Back then, we all knew who the players were: Large and powerful nations. The difference may be that these players were held in check, if not by ethics, then by the understanding that attacks would bring mutual destruction.

Now, as Richard Clarke, former National Security Council counter-terrorism official, was quoted as saying "It (the cyberattack on the Saudi oil firm) proved that you don’t have to be sophisticated to do a lot of damage. There are lots of targets in the U.S. where they could do the same thing."

In other words, people with criminal or lethal intent don’t have to arm themselves and risk their own lives to steal and/or commit mayhem. They can, with the proper knowledge, exploit weaknesses in computer systems to wreak havoc; hospital systems, the electric grid, air traffic control systems, military defense systems, as well as our financial systems may all be vulnerable.

The Bottom Line

It's up to us to demand that our government, businesses, health-care organizations, and all public utilities install and maintain as close to unbreakable systems as possible, perhaps by paying "hackers" to continually try to crack those systems. Our lives, as well as our fortunes, are in their hands. Sadly, most of these organizations don’t seem to be doing a much better job now than they were decades ago.