Telecommunications talk. (Computer hackers and ethics) Brian J. Murphy.
Welcome to Telecommunications Talk! This is the first in a series of columns on the subject of computers and telephones.
Topics will include information utilities, bulletin board systems, hardware, software, and the purposes to which you can apply your computer/modem system.
We invite your participation. Users, feel free to tell us about your BBS systems, communications programs, and anything else you have that is of interest. If it checks out, we will use it. Manufacturers, let us know about your software and hardware products for telecommunications. We can't promise to use everything you send, but much material we receive will find its way into the column.
The Great Computer Hack
Milwaukee: Land of "Happy Days.' Richie Cunningham. Pottsy and Ralph. The Fonz. Neal Patrick and the 414s.
Neal Patrick and the 414s?
No, they are not a 50's rock group. In case you don't remember who Neal Patrick is, Sherman, let's set the Wayback Machine for August 1983. The place? Any front page of a newspaper will do: "Report "Break In' Of Atom Lab Computer,' "Cancer Clinic Computer Tampered With,' "Trespass At Los Alamos Computer.' How about the cover of Newsweek for September 5, 1983, with a picture of 414 "Hacker' Neal Patrick on the cover? Remember now?
The 414s were a very small group of high school age kids from Milwaukee who had met at an explorer post and found that they had a similar interest, telecomputing. Until the spring of '83, they had done nothing to merit national headlines or a Newsweek cover, but with a few log-ons all that changed.
To reconstruct events briefly, on August 11 it was revealed that one of the computers at the Los Alamos National Laboratory in New Mexico had been accessed by telephone by an unauthorized user sometime in late June.
Los Alamos, being the place where much of the nation's theoretical nuclear research is conducted, is understandably reluctant to provide too many details about what the unauthorized users may have been looking into. Perhaps "reluctant' isn't the word. "Absolutely refused to discuss,' may be the phrase most descriptive of their attitude. Their terse announcement to the press simply stated that an intrusion had taken place, that whatever it was the user on users had accessed was not classified nor did it deal with personnel matters.
So if the data they accessed wasn't the instructions for building an H-bomb or Dr. Edward Teller's attendance record, what was it? "Can't comment' said a Los Alamos spokeswoman when we attempted to weasel it out of her. She did make it clear, however, that whatever it was, was considered worth the time of the FBI to investigate.
At New York's Memorial Sloan-Kettering Cancer Center, a few more details were forthcoming. Again, Telenet had been used to gain unauthorized access to the computer. This time the computer data files accessed related to the monitoring of radiation treatment for cancer patients all across the country.
Spokeswoman Nancy Czaja explained that the program accessed is a utility used by radiation therapists to double check the amounts of radiation given in cancer therapy. Since radiation doses must be measured with precision to prevent them from becoming ineffective or counterproductive, this is a bad data bank with which to be playing idle games.
While he was playing with the data, the hacker managed to crash the system.
The total downtime was only five minutes, but it was enough to attract the attention of Sloan-Kettering's computer manager, who investigated certain security programs within the system. His investigation pointed to an unauthorized access of the system. It is not clear whether this access--and crash--was responsible for a block of data relating to billing being deleted from the system. After the initial incident was detected, the computer was accessed without permission "several more times.'
The Cancer Center has several computers, according to Ms. Czaja, but the one the hackers accessed was specially programmed to provide easy access by physicians to give them valuable assistance in planning radiation therapy. That is what it was doing on Telenet, and that is why it was so easy to break into.
How They Did It, Who They Are
So far as we know, Los Alamos and Sloan-Kettering were not deliberately picked for trespass by these teenagers. When you call Telenet, you type in a coded set of digits which, like a telephone number, conneots you to a participating computer. A few numbers are in the public or semi-publc domain (The Source and Delphi information utilities are examples); most are supposed to be strictly private. The trouble is that you can make a successful link with many of those numbers once you become proficient with the Telenet system.
Getting past the security program is another matter. If you recall the movie War Games, all you had to do to get into the Air Force's most secret NORAD computer was come up with a single word password. It turns out that there was more truth to that scene than we had thought because at least until the Los Alamos and Cancer Center incidents this past August, it was almost as easy to log onto some of the major institutional data processing systems around the country.
Mike Hoback is the system operator (sysop for short) of BBS-SUE, a bulletin board system in Milwaukee. He knows all the members of the 414 group and says that they found getting the passwords were still operative (these are it appeared in War Games.
Hobach said that the boys discovered that in many, if not most, of the big systems they invaded, the "default passwords' were still operative (these are code words used by manufacturers and programmers to access computers while they are being installed and programmed). Some of the most commonly used default passwords like system, service, and test/password seemed to work fine for the 414s when they attempted to log on to Telenet computers at random.
Sloan-Kettering and Los Alamos were the hacks that grabbed the attention of the papers--and the FBI, but the damage done by the hackers was reportedly minimal. Part of the hacking tradition, however, is mischief-making, and there had been at least one incident reportedly connected to a 414 member, according to Hobach, that illustrates the potential for serious damage.
About one year before the headlinemaking incidents, Hobach says, one of the 414s was responsible for causing serious damage to data files stored on a computer belonging to the Milwaukee School of Engineering. The boy responsible was reported to be too young to prosecute under Wisconsin law (which specifically prohibits unauthorized access into computers), but the school went after the boy's parents who wound up paying around $3000 to compensate for the damage.
Despite this incident, the 414s are not malicious mischief-makers, according to Hobach who says the boys have been portrayed unfairly in the press--especially the local Milwaukee papers which have taken a stern editorial stand on their capers. In reality, Hobach said, the 414s are nice young men of above average intelligence who generally do well in school and who really know what they are doing when it comes to computers. Neal Patrick, who has been the group's point man with the media, even operates his own BBS system, to which I have logged on myself. (By the way, patrick has not answered my message, as of this writing, to tell me his side of the 414 story.)
By logging on to sensitive data banks, the 414s caused the fertilizer to hit the ventilation system. In the press, they were portrayed as the sinister side of the computer revolution, but this is probably an unfair characterization if the testimony of other computer users in their home town is reliable. Except for some unsubstantiated details I ran across in communicating with various sources in Milwaukee, the 414s seem to enjoy a reputation among other computerists as nice kids.
The defense of those boys, at least by their fellow computerists, goes beyond the disclaimer that they didn't mean to hurt anything or anyone. It goes to the point where the claim is made that there is nothing wrong with inspecting, without invitation, the programs and data files on a private computer system.
One defender of the 414s said to me, summing up the arguments in favor of hacking, "If this information is so confidential or so private, why is it accessible via Telenet? Why don't the system managers change the default passwords?'
In the atmosphere of the bulletin board systems, where there is a free interchange of ideas, programs, and data, and where most of the users are relatively young, it sometimes seems as though the world of computers was meant to have no walls, only doors waiting to be opened. Unfortunately, this isn't so. There are some thresholds which, though not illegal to cross, are unethical to pass.
One cannot pass judgment on the 414s or an anyone else who hacks so far as their responsibility before the law is concerned. In most states and nationally, hacking is apparently not a crime, except where it violates the laws relating to national security. That means that it is not OK to look at the computers at NORAD or Los Alamos even if it were as simple as dialing the right number and answering the password prompt with Joshua.
This is not a problem of legality but of ethics. Some readers of this column, who enjoy their hacking, may find the following points tiresomely familiar, but they are, I think, worth repeating.
Take the Sloan-Kettering case as an example. All patient data are, by ancient and honorable tradition, privileged information. Of course, there is no evidence to indicate that the 414s were deliberately trying to connect with the Cancer Center in the first place, but once they had, they had violated the rights of physicians and of cancer patients.
The range of information stored in computer data files which private individuals and institutions prefer to keep private is wide. It includes their financial status, health history, and employment records. This information may seem harmless, but most people would be embarrassed to learn that their private lives have been scrutinized by strangers. Put yourself in their shoes. Would you want all your secrets accessible to anyone with a computer and a modem?
The argument has been made that if it is easy to access a computer, then it is OK to log on. But if the door to an office building or a private house were to be left open I am sure that most people would resist their curiosity and not walk in to examine files and personal papers, to go through wallets, pocketbooks, and strongboxes. This is not what nice people do. When you trespass in a computer system, that is exactly what you are doing, and it is wrong.
I have heard the assertion that all computers should be open to all people at all times. This is a wonderfully idealistic way of looking at computers, but it is not a theory that works in the real world.
Computers are made for whatever purposes their owners see fit. If a computer owner chooses to exclude all but authorized users from the system, that is fully within his rights, as it is within yours to decide who uses your system. Unrestricted access to all computers all the time is simply unrealistic.
No matter how much experience with computers you have, you will blunder from time to time and either lose data, hang up a program, or crash the computer. Even with easy to operate home computers, errors are easy to commit. It is much simpler on big systems, with which you have had limited experience and with software with which you are not familiar to do serious damage to the software and data files on the system you are hacking.
So what? Well, it is not nice to anonymously intrude into a private system and bomb data. In the case of computers handling files of financial data, there is a potential for serious expensive damage. The case of Sloan-Kettering demonstrates how hacking can actually harm the vital interests of some people.
You can also do harm to yourself. Although most companies and institutions with the big mainframe systems can probably afford to undo any damage that a hacker causes, they don't have to absorb the financial burden alone.
The fact is that when you violate a private system, you risk legal action to recover the cost of the damage to the system, the manhours required to restore data, and so forth. If the company can prove that the damage was willful, they can sue you and soak you for substantial damages.
Even big systems have breakdowns; actually they have more breakdowns than home computers. A big system will often have dozens of terminals and drives which are subjected to hellacious wear and tear. This is one of the reasons mainframe time is so expensive.
The bottom line is that it costs the mainframe operator much more to run his system than it costs you or me to run ours. The mainframe operator has a right to know and control who is using his equipment and to be compensated for its use.
A Bad Public Image
Aside from these ethical considerations there are the possible consequences of unrestricted computer trespass on telecommunications in general. Let's face it, the exploits of the 414s have given a black eye to the entire world of personal computing. As if there weren't enough concern that teens and young adults are "wasting their time' playing games on personal computers, now must combat the image of the teenage computer vandal. It is an unfair characterization of the vast, overwhelming majority of people under 21 who use home computers, but it is the sort of image that might just stick if we are all not careful.
Remember that we are at the mercy of the Federal Communications Commission, which regulates the phone lines, and the Congress and the state legislatures, which pass laws on how they may be used. Let's not create the kind of political pressure that would prompt any of these bodies to restrict our access to the phone lines.
We are also at the mercy of the multiple offspring of Ma Bell. It is quite well known among members of the telecomputing community that many local phone systems are thinking about levying extra charges for the use of modems on the public phone lines. If the image of telecomputerists is not one of responsible people but of pranksters irresponsibly using their computer/phone link to invade other people's privacy and damage their property, you can count on zero public and political support for keeping rates low.
I have probably said many things you didn't feel like reading, but I have seen too many good people and good causes unfairly and permanently smeared by people who were too ignorant and afraid to know what they were talking about.
Let's face it; there is a great deal of computer ignorance and computer fear out there. Let's not do anything that will make our hobby less prestigious or harder to pursue.
One final disclaimer. I have found that when the term "hackers' is used among telcomputerists, it refers not only to people who hunt at random for computers to access but also to people involved in a wide range of computer related activities. This latter group has done nothing wrong, and it would be unfair to suggest that they have.