Review of 'Who's reading your E-mail" by Richard Behars
The article exposes the vulnerability of computer data and of corporations with the popularity of the Internet. The Internet can allow hackers access to any computer in the world, with understated ease. Break-ins can go virtually undetected
Major corporations and government security departments have acknowledged that hacker break-ins are out of control. Some companies are too fearful to join networks because of this. Software programs brought out to deal with the growing problem, such as firewalls, are no longer totally effective. New technology has been developed such as ''Pilot Network Services' (offering supervised Internet access); 'Netranger' (a monitor device used by Pentagon) and 'Encrypton' (software that jumbles messages).
The basics of computer security (using difficult passwords, and guarding of data) are not being met in a disturbingly large number of American companies surveyed. A new bill demands that system operators become responsible for security. Hackers can be prosecuted (with subsequent heavy penalties) only if the exposed company has actively shown that it was security conscious. Further more, exposed companies are liable to other companies if their lack of security precautions allowed their computer network to become an opening for other company break-ins.
Companies are dis-inclined to report breaches in security as it denotes a poor image and highlights their vulnerability. Clients demand security, and lack of it will send them elsewhere.
Billions of dollars annually is spent on protection devices. Others are utilizing the expertise of former convicted hackers to fine tune and update their security features. It is a case of befriending the enemy in order to learn more. These hackers come out of goal with a ready market for their expertise, and great financial rewards.
The explosion of the Internet use, and networks around the world have brought with it a need for greater security consciousness amongst its users and systems operation managers. Technology needs to be constantly updated in the war against the ever-growing insidious and malicious hacker.
Review of 'Hackers: Taking a byte out of computer crime' by W. Roush.
Roush discusses the changing face of computer crime with the advent of the modem and stricter laws. The article touches on the effect these changes are having on hackers themselves, and the measures that are put in place to deal with the problem. It also explores the common ground which hackers and computer security experts agree on.
In the 1960's the dictionary definition of a hacker was that of a "computer virtuoso". Hackers comprised of young, computer literate and rebellious gangs vying for the status symbol image and thrill of breaking into a computer network.
This all changed with the popularity of the modem and an increasing number of computer users. The number of hackers exploded and thus the image of being a hacker became passe. The tougher security measures put in place, combined with more stringent laws (including imprisonment) had the effect of weeding out all but the keenest of hackers, and the most malicious.
Firms and security enforcers are now dealing with elite hackers whose intent is now focused on sinister revenge, malicious damage, political and defense corruption; and monetary greed. The cost of these types of computer crimes could run into the billions, but an accurate measure is unavailable. This is due either to the reluctance of corporations to report any break-ins (because they may feel guilty about their lax security), or because the information systems are so massive that the scale of corruption may be too difficult to detect.
There are also a select few who choose to label themselves as hackers with moral ethics. These second types of hacker prevalent today are assisting companies and law enforcers in the fight against dangerous hackers in a number of ways. These include holding hacker conventions and on-line information services to inform the public of new security risks, as well as being employed by corporations to break into their systems in order to secure and refine them. These hackers love computers and are motivated by the anger and frustration they feel at the prevailing laxity of security measures in place. Despite this level of co-operation there remains an inherent distrustful fear between the two camps. Fear is also a motivating factor for corporations in refusing to join networks, allocating enormous funds for security measures; restricting access to information; and utilizing passwords to deter alien entry.
Hacking crime is now far more sophisticated, varied and costly to society. There is a need to continue to work with ethical hackers in the battle for safety and order, otherwise we face an increasingly monitored future and a reduction in the freedom of computer use.
Review of 'The United States Vs Craig Neidorf' by D. Denning.
This article initially focuses on the US indictment of Neidorf, a student who started an Internet publication, 'Phrack'. This publication was accused by the United States government of being a fraudulent scheme devised by Nied and others to steal sensitive documents and make them freely available to the public. The court case was centered on an article about the countries E99 emergency system, and how he managed to fraudulently obtain a highly sensitive document which was then published with the intent to disrupt or halt all services.
The author had taken a keen interest in the case due to the implications it had on threats against freedom of the electronic press. The Electronic Frontier Foundation (EFF) was founded with just this concern. It helps to raise public awareness about civil liberties issues and works to preserve and protect the constitutional rights with the electronic media.
Denning was sought by Neidorf to assist in the case an expert witness and to provide evidence throughout the trial. The government dropped the charges after 4 days and it was declared a mistrial. It cost Neidorf $100,000, but potentially he stood to spend 65 years in goal.
Neidorf's case was argued that while Phrack may have seemed to promote illegal hacking, the public itself was not illegal. It advises readers not to engage in any intentional damage or harm. The purpose of Phrack was the free exchange of information as covered by the First Amendment of Constitutional Law and Civil Liberties. Neidorf actively co-operated with the government agents in every way prior the indictment. Furthermore, it was found that the supposed sensitive document (E911) was readily available elsewhere. There was nothing in Phrack that couldn't be found in any other published books or journals. In addition, Neidorf argued that if the E911 text had been a sensitive document, it certainly was not treated or secured as such by Bellcorp.
Denning questions the rights of government to seize documents and computer ware for extended periods, causing severe disruption, without appropriate court orders; and makes suggestions to rectify the process. The responsibilities of system operators are also called into question. They should take greater care from unauthorized break-ins, as they may be vulnerable to lawsuits if accused of taking inadequate protection. Denning also suggests an update of the current law, to bring it more into line with the UK Computer Misuse Act of 1990. There is an acknowledgement of a new threat emerging where computer criminals, as opposed to juvenile hackers, are potentially capable of industrial espionage and damaging infrastructures. There is also a final suggestion that the teaching of computer ethics could decrease the incidence of hacking.
A Compilation of Viewpoints
The articles written by Roush, Denning and Behar, as summarized earlier, have many common themes. Issues about hackers, the Internet, on line publications, invasions, security measures, and current laws are discussed within varying frameworks.
Denning's article approaches the topics through the lens of a court case involving Neidorf, a law student and the publisher of Phrack (an Internet billboard). The case highlights that there is a fine but distinct line between the right for freedom of information, and the unauthorized theft and use of it. In a subtle way, Denning also distinguishes between the two prevalent types of hacker.
Roush's article focuses primarily on the history and changing profile of today's hacker, and their interaction with companies and corporations.
Behar discusses vulnerabilities via networks and the various measures available to prevent or circumnavigate invasions.
All authors agree that the profile of hackers has changed since the early computer heydays of the 1980's. Juveniles who hacked for the thrill of it have been replaced by two distinct types of hackers. The first is the hacker with a self-professed personal code of moral ethics. These hackers invade networks, not only for the challenge, but to make the public aware of weak security links. They abhor lax security measures and feel justified in their actions, claiming a superior authority by publishing their exploits. Neidorf's case inadvertedly alluded to this, and the other articles pointed to ethical hackers who assist companies, or start security firms utilizing their expertise. These hackers are acknowledged by non-hackers with a reluctant acceptance. The second comprises of an elite number of hackers focused on malicious intent and greed.
The issue of on-line publications and information networks were discussed in different perspectives. All authors agree that the abundance of information and interaction available on- line is beneficial. Denning's article may suggest inadvertedly that there is a distinction between freedom of information and the moral overtones of freedom of publication. In Neidors case there was a clear distinction, according to the law. All agree that being on-line to a network leaves your system vulnerable to exposure by hackers from anywhere in the world.
The laws and penalties were discussed at length in Denning's article, with suggestions for improvements. Roush and Behar pointed out that convicted hackers had a lucrative ready made market for their expertise when they ended their prison term - being paid to assist corporations by breaking into their systems. They all agreed that prison sentences had deterred a large number of juvenile thrill seekers, and mature hackers.
Roush and Behar discuss the enormous, yet understated cost of company computer invasions. They point out the reluctance of those victims to report occurrences because of embarrassment, and the loss of trust client's feel with their security measures. They also suggest that invasions are understated because many companies do not even realize they have been corrupted. Hacking is very much out of control. Denning'' article indirectly showed how easily sensitive information could be extrapolated from a system. All articles show those hackers with strong social skills and graces can charm the information out of a beguiled or proud computer owner/manager.
Lastly, all the articles discussed the important overall theme of security measures. Roush and Behar point out that the most basic of measures, use of a difficult password, was sadly lacking in many companies surveyed. Dennings article features heavily on the inference of sensitive data, but the hypocrisy of BellSouth's not adequately securing it. Behar extends into great detail about the effectiveness of security measures available, and the acceptance and use of them. All agree that system operator managers are being forced legally to take more responsibility in their security measures.
The articles demonstrate from different perspectives the growing problem associated with the rapid rise in computer networks. The media provides us with further revelations on the matter. There is no doubt that the inherent psychology of human behavior determines that there will always be those whose intellectual and technological pursuits will find an outlet in those of computer intrusions. If convicted computer hackers are able to successfully utilize their same skills in a more productive manner, then perhaps we are missing the point altogether. Hackers need a suitable outlet for their expertise and instincts for challenge. Perhaps we should be looking at ways to channel that enthusiasm appropriately, before they discover the evil path.
In addition, perhaps the advent of the hackers is a blessing in disguise. If the articles stated research lends us to believe that many companies are lax in their responsibility to security measures then perhaps an intrusion followed by a court case is what is required to make managers sit up, take notice and take action. I am not suggesting the issue is open and clear cut. The advent of continuous new technology demands continuous changes within society, and new approaches. There are at least two ways to resolve the hacker problem: deal with it as it is encountered; or take a different and proactive approach. Either way, it is largely determined by our innovation and motivation, just as it is with budding hackers, really!
- Roush, W. (1995). 'Hackers: Taking a byte out of computer crime' in Technology Review, April, pp. 32-40.
- Denning, D. E. (1991). 'The United States Vs Craig Neidorf' in Communications of the ACM, 34, 3, 1991, pp. 24-32.
- Behar, R. 'Who's Reading Your E-mail?' in Time, February 3, 1997, pp. 64-67.