have to go into "fault recovery" in the first place; but AT&T has
always boasted of its "real world" reliability, and this tactic
is a belt-and-suspenders routine.
The 4ESS switch used its new software to monitor its
fellow switches as they recovered from faults. As other
switches came back on line after recovery, they would
send their "OK" signals to the switch. The switch would
make a little note to that effect in its "status map,"
recognizing that the fellow switch was back and ready to
go, and should be sent some calls and put back to regular
work.
Unfortunately, while it was busy bookkeeping with
the status map, the tiny flaw in the brand-new software
came into play. The flaw caused the 4ESS switch to
interact, subtly but drastically, with incoming telephone
calls from human users. If -- and only if -- two incoming
phone-calls happened to hit the switch within a hundredth
of a second, then a small patch of data would be garbled
by the flaw.
But the switch had been programmed to monitor
itself constantly for any possible damage to its data.
When the switch perceived that its data had been
somehow garbled, then it too would go down, for swift
repairs to its software. It would signal its fellow switches
not to send any more work. It would go into the fault-recovery
mode for four to six seconds. And then the switch
would be fine again, and would send out its "OK, ready for
work" signal.
However, the "OK, ready for work" signal was the
*very thing that had caused the switch to go down in the
first place.* And *all* the System 7 switches had the same
flaw in their status-map software. As soon as they stopped
to make the bookkeeping note that their fellow switch was
"OK," then they too would become vulnerable to the slight
chance that two phone-calls would hit them within a
hundredth of a second.
At approximately 2:25 p.m. EST on Monday, January
15, one of AT&T's 4ESS toll switching systems in New York
City had an actual, legitimate, minor problem. It went into
fault recovery routines, announced "I'm going down," then
announced, "I'm back, I'm OK." And this cheery message
then blasted throughout the network to many of its fellow
4ESS switches.
Many of the switches, at first, completely escaped
trouble. These lucky switches were not hit by the
coincidence of two phone calls within a hundredth of a
second. Their software did not fail -- at first. But three
switches -- in Atlanta, St. Louis, and Detroit -- were
unlucky, and were caught with their hands full. And they
went down. And they came back up, almost immediately.
And they too began to broadcast the lethal message that
they, too, were "OK" again, activating the lurking software
bug in yet other switches.
As more and more switches did have that bit of bad
luck and collapsed, the call-traffic became more and more
densely packed in the remaining switches, which were
groaning to keep up with the load. And of course, as the
calls became more densely packed, the switches were
*much more likely* to be hit twice within a hundredth of a
second.
It only took four seconds for a switch to get well.
There was no *physical* damage of any kind to the
switches, after all. Physically, they were working perfectly.
This situation was "only" a software problem.
But the 4ESS switches were leaping up and down
every four to six seconds, in a virulent spreading wave all
over America, in utter, manic, mechanical stupidity. They
kept *knocking* one another down with their contagious
"OK" messages.
It took about ten minutes for the chain reaction to
cripple the network. Even then, switches would
periodically luck-out and manage to resume their normal
work. Many calls -- millions of them -- were managing to
get through. But millions weren't.
The switching stations that used System 6 were not
directly affected. Thanks to these old-fashioned switches,
AT&T's national system avoided complete collapse. This
fact also made it clear to engineers that System 7 was at
fault.
Bell Labs engineers, working feverishly in New
Jersey, Illinois, and Ohio, first tried their entire repertoire
of standard network remedies on the malfunctioning
System 7. None of the remedies worked, of course,
because nothing like this had ever happened to any
phone system before.
By cutting out the backup safety network entirely,
they were able to reduce the frenzy of "OK" messages by
about half. The system then began to recover, as the
chain reaction slowed. By 11:30 pm on Monday January
15, sweating engineers on the midnight shift breathed a
sigh of relief as the last switch cleared-up.
By Tuesday they were pulling all the brand-new 4ESS
software and replacing it with an earlier version of System
7.
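The feedback loop described above, as a small simulation. This is an added example, not AT&T's code or anything from the original text: the Poisson call-arrival model, the switch count, the load figures and all names (collision_probability, cascade_gain, simulate) are assumptions; only the hundredth-of-a-second window and the four-to-six-second recovery come from the account.

```python
import math
import random
from dataclasses import dataclass

WINDOW_S = 0.01          # "within a hundredth of a second" (from the text)
RECOVERY_S = (4, 6)      # fault recovery lasts "four to six seconds" (from the text)


def collision_probability(calls_per_second, window_s=WINDOW_S):
    """P(two or more calls arrive inside one status-map update window).

    Assumption: Poisson arrivals, so the count in the window is
    Poisson(calls_per_second * window_s).
    """
    mean = calls_per_second * window_s
    return 1.0 - math.exp(-mean) * (1.0 + mean)


def cascade_gain(n_switches, n_down, total_load, ok_delivery=1.0):
    """Expected crashes triggered by ONE recovering switch's "OK" broadcast.

    Traffic is spread over the switches still up, so every switch that
    drops out raises the per-switch call rate. A gain above 1 means the
    chain reaction grows; below 1 it dies out. All switches are assumed
    to run the flawed code here.
    """
    n_up = n_switches - n_down
    if n_up < 2:
        return 0.0
    p = collision_probability(total_load / n_up)
    return (n_up - 1) * ok_delivery * p


@dataclass
class Switch:
    flawed: bool            # True: runs the new status-map code
    down_until: int = -1    # second at which fault recovery ends
    crashes: int = 0


def simulate(n_switches=20, n_legacy=0, total_load=900.0, seconds=600,
             ok_delivery=1.0, seed=1):
    """Run the cascade second by second.

    Returns (total_crashes, crashes_per_switch, peak_switches_down).
    The last n_legacy switches run the old code and ignore the flaw.
    """
    rng = random.Random(seed)
    switches = [Switch(flawed=i < n_switches - n_legacy) for i in range(n_switches)]
    # The one legitimate fault: switch 0 goes into recovery at t=0.
    switches[0].down_until = rng.randint(*RECOVERY_S)
    switches[0].crashes = 1
    peak_down = 1
    for t in range(1, seconds):
        recovered = [s for s in switches if s.down_until == t]  # send "OK" now
        up = [s for s in switches if t >= s.down_until]
        p = collision_probability(total_load / len(up)) if up else 0.0
        for s in up:
            if not s.flawed:
                continue                  # old code: no status-map flaw
            for sender in recovered:
                if sender is s or rng.random() >= ok_delivery:
                    continue              # own message, or "OK" never delivered
                if rng.random() < p:      # two calls hit during bookkeeping
                    s.down_until = t + rng.randint(*RECOVERY_S)
                    s.crashes += 1
                    break
        peak_down = max(peak_down, sum(t < s.down_until for s in switches))
    per_switch = [s.crashes for s in switches]
    return sum(per_switch), per_switch, peak_down


if __name__ == "__main__":
    # Constructed figures: 20 switches sharing 900 calls per second.
    for delivery in (1.0, 0.5):
        total, _, peak = simulate(ok_delivery=delivery)
        gain = cascade_gain(20, 0, 900.0, delivery)
        print(f"ok_delivery={delivery}: initial gain {gain:.2f}, "
              f"{total} crashes, peak {peak} switches down")
```

With these constructed figures the gain starts near 1.4 when every "OK" is delivered and falls to about 0.7 when half are suppressed, which is the regime in which a chain reaction of this kind dies out.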
If these had been human operators, rather than
computers at work, someone would simply have
eventually stopped screaming. It would have been
*obvious* that the situation was not "OK," and common
sense would have kicked in. Humans possess common
sense -- at least to some extent. Computers simply don't.
On the other hand, computers can handle hundreds
of calls per second. Humans simply can't. If every single
human being in America worked for the phone company,
we couldn't match the performance of digital switches:
direct-dialling, three-way calling, speed-calling,
call-waiting, Caller ID, all the rest of the cornucopia of digital
bounty. Replacing computers with operators is simply not
an option any more.
And yet we still, anachronistically, expect humans to
be running our phone system. It is hard for us to
understand that we have sacrificed huge amounts of
initiative and control to senseless yet powerful machines.
When the phones fail, we want somebody to be
responsible. We want somebody to blame.
When the Crash of January 15 happened, the
American populace was simply not prepared to
understand that enormous landslides in cyberspace, like
the Crash itself, can happen, and can be nobody's fault in
particular. It was easier to believe, maybe even in some
odd way more reassuring to believe, that some evil person,
or evil group, had done this to us. "Hackers" had done it.
With a virus. A trojan horse. A software bomb. A dirty
plot of some kind. People believed this, responsible
people. In 1990, they were looking hard for evidence to
confirm their heartfelt suspicions.
And they would look in a lot of places.
Come 1991, however, the outlines of an apparent new
reality would begin to emerge from the fog.
On July 1 and 2, 1991, computer-software collapses in
telephone switching stations disrupted service in
Washington DC, Pittsburgh, Los Angeles and San
Francisco. Once again, seemingly minor maintenance
problems had crippled the digital System 7. About twelve
million people were affected in the Crash of July 1, 1991.
Said the New York Times Service: "Telephone
company executives and federal regulators said they were
not ruling out the possibility of sabotage by computer
hackers, but most seemed to think the problems stemmed
from some unknown defect in the software running the
networks."
And sure enough, within the week, a red-faced
software company, DSC Communications Corporation of
Plano, Texas, owned up to "glitches" in the "signal transfer
point" software that DSC had designed for Bell Atlantic
and Pacific Bell. The immediate cause of the July 1 Crash
was a single mistyped character: one tiny typographical
flaw in one single line of the software. One mistyped
letter, in one single line, had deprived the nation's capital
of phone service. It was not particularly surprising that
this tiny flaw had escaped attention: a typical System 7
station requires *ten million* lines of code.
On Tuesday, September 17, 1991, came the most
spectacular outage yet. This case had nothing to do with
software failures -- at least, not directly. Instead, a group
of AT&T's switching stations in New York City had simply
run out of electrical power and shut down cold. Their
back-up batteries had failed. Automatic warning systems
were supposed to warn of the loss of battery power, but
those automatic systems had failed as well.
This time, Kennedy, La Guardia, and Newark airports
all had their voice and data communications cut. This
horrifying event was particularly ironic, as attacks on
airport computers by hackers had long been a standard
nightmare scenario, much trumpeted by computer-
security experts who feared the computer underground.
There had even been a Hollywood thriller about sinister
hackers ruining airport computers -- *Die Hard II.*
Now AT&T itself had crippled airports with computer
malfunctions -- not just one airport, but three at once,
some of the busiest in the world.
Air traffic came to a standstill throughout the Greater
New York area, causing more than 500 flights to be
cancelled, in a spreading wave all over America and even
into Europe. Another 500 or so flights were delayed,
affecting, all in all, about 85,000 passengers. (One of these
passengers was the chairman of the Federal
Communications Commission.)
Stranded passengers in New York and New Jersey
were further infuriated to discover that they could not
even manage to make a long distance phone call, to
explain their delay to loved ones or business associates.
Thanks to the crash, about four and a half million
domestic calls, and half a million international calls, failed
to get through.
The September 17 NYC Crash, unlike the previous
ones, involved not a whisper of "hacker" misdeeds. On the
contrary, by 1991, AT&T itself was suffering much of the
vilification that had formerly been directed at hackers.
Congressmen were grumbling. So were state and federal
regulators. And so was the press.
For their part, ancient rival MCI took out snide full-
page newspaper ads in New York, offering their own long-
distance services for the "next time that AT&T goes down."
"You wouldn't find a classy company like AT&T using
such advertising," protested AT&T Chairman Robert
Allen, unconvincingly. Once again, out came the full-page
AT&T apologies in newspapers, apologies for "an
inexcusable culmination of both human and mechanical
failure." (This time, however, AT&T offered no discount
on later calls. Unkind critics suggested that AT&T were
worried about setting any precedent for refunding the
financial losses caused by telephone crashes.)
Industry journals asked publicly if AT&T was "asleep
at the switch." The telephone network, America's
purported marvel of high-tech reliability, had gone down
three times in 18 months. *Fortune* magazine listed the
Crash of September 17 among the "Biggest Business
Goofs of 1991," cruelly parodying AT&T's ad campaign in
an article entitled "AT&T Wants You Back (Safely On the
Ground, God Willing)."
Why had those New York switching systems simply
run out of power? Because no human being had attended
to the alarm system. Why did the alarm systems blare
automatically, without any human being noticing?
Because the three telco technicians who *should* have
been listening were absent from their stations in the
power-room, on another floor of the building -- attending a
training class. A training class about the alarm systems for
the power room!
"Crashing the System" was no longer
"unprecedented" by late 1991. On the contrary, it no
longer even seemed an oddity. By 1991, it was clear that
all the policemen in the world could no longer "protect"
the phone system from crashes. By far the worst crashes
the system had ever had, had been inflicted, by the
system, upon *itself.* And this time nobody was making
cocksure statements that this was an anomaly, something
that would never happen again. By 1991 the System's
defenders had met their nebulous Enemy, and the Enemy
was -- the System.
The date was May 9, 1990. The Pope was touring
Mexico City. Hustlers from the Medellin Cartel were
trying to buy black-market Stinger missiles in Florida. On
the comics page, Doonesbury character Andy was dying of
AIDS. And then.... a highly unusual item whose novelty
and calculated rhetoric won it headscratching attention in
newspapers all over America.
The US Attorney's office in Phoenix, Arizona, had
issued a press release announcing a nationwide law
enforcement crackdown against "illegal computer hacking
activities." The sweep was officially known as "Operation
Sundevil."
Eight paragraphs in the press release gave the bare
facts: twenty-seven search warrants carried out on May 8,
with three arrests, and a hundred and fifty agents on the
prowl in "twelve" cities across America. (Different counts
in local press reports yielded "thirteen," "fourteen," and
"sixteen" cities.) Officials estimated that criminal losses
of revenue to telephone companies "may run into millions
of dollars." Credit for the Sundevil investigations was
taken by the US Secret Service, Assistant US Attorney Tim
Holtzen of Phoenix, and the Assistant Attorney General of
Arizona, Gail Thackeray.
The prepared remarks of Garry M. Jenkins,
appearing in a U.S. Department of Justice press release,
were of particular interest. Mr. Jenkins was the Assistant
Director of the US Secret Service, and the highest-ranking
federal official to take any direct public role in the hacker
crackdown of 1990.
"Today, the Secret Service is sending a clear message
to those computer hackers who have decided to violate
the laws of this nation in the mistaken belief that they can
successfully avoid detection by hiding behind the relative
anonymity of their computer terminals.(...)
"Underground groups have been formed for the
purpose of exchanging information relevant to their
criminal activities. These groups often communicate with
each other through message systems between computers
called 'bulletin boards.'
"Our experience shows that many computer hacker
suspects are no longer misguided teenagers,
mischievously playing games with their computers in their
bedrooms. Some are now high tech computer operators
using computers to engage in unlawful conduct."
Who were these "underground groups" and "high-
tech operators?" Where had they come from? What did
they want? Who *were* they? Were they
"mischievous?" Were they dangerous? How had
"misguided teenagers" managed to alarm the United
States Secret Service? And just how widespread was this
sort of thing?
Of all the major players in the Hacker Crackdown:
the phone companies, law enforcement, the civil
libertarians, and the "hackers" themselves -- the "hackers"
are by far the most mysterious, by far the hardest to
understand, by far the *weirdest.*
Not only are "hackers" novel in their activities, but
they come in a variety of odd subcultures, with a variety of
languages, motives and values.
The earliest proto-hackers were probably those
unsung mischievous telegraph boys who were summarily
fired by the Bell Company in 1878.
Legitimate "hackers," those computer enthusiasts
who are independent-minded but law-abiding, generally
trace their spiritual ancestry to elite technical universities,
especially M.I.T. and Stanford, in the 1960s.
But the genuine roots of the modern hacker
*underground* can probably be traced most successfully
to a now much-obscured hippie anarchist movement
known as the Yippies. The Yippies, who took their name
from the largely fictional "Youth International Party,"
carried out a loud and lively policy of surrealistic
subversion and outrageous political mischief. Their basic
tenets were flagrant sexual promiscuity, open and copious
drug use, the political overthrow of any powermonger over
thirty years of age, and an immediate end to the war in
Vietnam, by any means necessary, including the psychic
levitation of the Pentagon.
The two most visible Yippies were Abbie Hoffman
and Jerry Rubin. Rubin eventually became a Wall Street
broker. Hoffman, ardently sought by federal authorities,
went into hiding for seven years, in Mexico, France, and
the United States. While on the lam, Hoffman continued
to write and publish, with help from sympathizers in the
American anarcho-leftist underground. Mostly, Hoffman
survived through false ID and odd jobs. Eventually he
underwent facial plastic surgery and adopted an entirely
new identity as one "Barry Freed." After surrendering
himself to authorities in 1980, Hoffman spent a year in
prison on a cocaine conviction.
Hoffman's worldview grew much darker as the glory
days of the 1960s faded. In 1989, he purportedly
committed suicide, under odd and, to some, rather
suspicious circumstances.
Abbie Hoffman is said to have caused the Federal
Bureau of Investigation to amass the single largest
investigation file ever opened on an individual American
citizen. (If this is true, it is still questionable whether the
FBI regarded Abbie Hoffman as a serious public threat --
quite possibly, his file was enormous simply because
Hoffman left colorful legendry wherever he went). He
was a gifted publicist, who regarded electronic media as
both playground and weapon. He actively enjoyed
manipulating network TV and other gullible, image-
hungry media, with various weird lies, mindboggling
rumors, impersonation scams, and other sinister
distortions, all absolutely guaranteed to upset cops,
Presidential candidates, and federal judges. Hoffman's
most famous work was a book self-reflexively known as
*Steal This Book,* which publicized a number of methods
by which young, penniless hippie agitators might live off
the fat of a system supported by humorless drones. *Steal
This Book,* whose title urged readers to damage the very
means of distribution which had put it into their hands,
might be described as a spiritual ancestor of a computer
virus.
Hoffman, like many a later conspirator, made
extensive use of pay-phones for his agitation work -- in his
case, generally through the use of cheap brass washers as
coin-slugs.
During the Vietnam War, there was a federal surtax
imposed on telephone service; Hoffman and his cohorts
could, and did, argue that in systematically stealing
phone service they were engaging in civil disobedience:
virtuously denying tax funds to an illegal and immoral war.
But this thin veil of decency was soon dropped
entirely. Ripping-off the System found its own
justification in deep alienation and a basic outlaw
contempt for conventional bourgeois values. Ingenious,
vaguely politicized varieties of rip-off, which might be
described as "anarchy by convenience," became very
popular in Yippie circles, and because rip-off was so
useful, it was to survive the Yippie movement itself.
In the early 1970s, it required fairly limited expertise
and ingenuity to cheat payphones, to divert "free"
electricity and gas service, or to rob vending machines and
parking meters for handy pocket change. It also required
a conspiracy to spread this knowledge, and the gall and
nerve actually to commit petty theft, but the Yippies had
these qualifications in plenty. In June 1971, Abbie
Hoffman and a telephone enthusiast sarcastically known
as "Al Bell" began publishing a newsletter called *Youth
International Party Line.* This newsletter was dedicated
to collating and spreading Yippie rip-off techniques,
especially of phones, to the joy of the freewheeling
underground and the insensate rage of all straight people.
As a political tactic, phone-service theft ensured that
Yippie advocates would always have ready access to the
long-distance telephone as a medium, despite the Yippies'
chronic lack of organization, discipline, money, or even a
steady home address.
*Party Line* was run out of Greenwich Village for a
couple of years, then "Al Bell" more or less defected from
the faltering ranks of Yippiedom, changing the
newsletter's name to *TAP* or *Technical Assistance
Program.* After the Vietnam War ended, the steam
began leaking rapidly out of American radical dissent.
But by this time, "Bell" and his dozen or so core
contributors had the bit between their teeth, and had
begun to derive tremendous gut-level satisfaction from
the sensation of pure *technical power.*
*TAP* articles, once highly politicized, became
pitilessly jargonized and technical, in homage or parody to
the Bell System's own technical documents, which *TAP*
studied closely, gutted, and reproduced without
permission. The *TAP* elite revelled in gloating
possession of the specialized knowledge necessary to beat
the system.
"Al Bell" dropped out of the game by the late 70s,
and "Tom Edison" took over; TAP readers (some 1400 of
them, all told) now began to show more interest in telex
switches and the growing phenomenon of computer
systems.
In 1983, "Tom Edison" had his computer stolen and
his house set on fire by an arsonist. This was an eventually
mortal blow to *TAP* (though the legendary name was to
be resurrected in 1990 by a young Kentuckian computer-
outlaw named "Predat0r.")
#
Ever since telephones began to make money, there
have been people willing to rob and defraud phone
companies. The legions of petty phone thieves vastly
outnumber those "phone phreaks" who "explore the
system" for the sake of the intellectual challenge. The
New York metropolitan area (long in the vanguard of
American crime) claims over 150,000 physical attacks on
pay telephones every year! Studied carefully, a modern
payphone reveals itself as a little fortress, carefully
designed and redesigned over generations, to resist coin-
slugs, zaps of electricity, chunks of coin-shaped ice,
prybars, magnets, lockpicks, blasting caps. Public pay-
phones must survive in a world of unfriendly, greedy
people, and a modern payphone is as exquisitely evolved
as a cactus.
Because the phone network pre-dates the computer
network, the scofflaws known as "phone phreaks" pre-date
the scofflaws known as "computer hackers." In practice,
today, the line between "phreaking" and "hacking" is very
blurred, just as the distinction between telephones and
computers has blurred. The phone system has been
digitized, and computers have learned to "talk" over
phone-lines. What's worse -- and this was the point of
Mr. Jenkins of the Secret Service -- some hackers have
learned to steal, and some thieves have learned to hack.
Despite the blurring, one can still draw a few useful
behavioral distinctions between "phreaks" and "hackers."
Hackers are intensely interested in the "system" per se,
and enjoy relating to machines. "Phreaks" are more
social, manipulating the system in a rough-and-ready
fashion in order to get through to other human beings,
fast, cheap and under the table.
Phone phreaks love nothing so much as "bridges,"
illegal conference calls of ten or twelve chatting
conspirators, seaboard to seaboard, lasting for many hours
-- and running, of course, on somebody else's tab,
preferably a large corporation's.
As phone-phreak conferences wear on, people drop
out (or simply leave the phone off the hook, while they
sashay off to work or school or babysitting), and new
people are phoned up and invited to join in, from some
other continent, if possible. Technical trivia, boasts, brags,
lies, head-trip deceptions, weird rumors, and cruel gossip
are all freely exchanged.
The lowest rung of phone-phreaking is the theft of
telephone access codes. Charging a phone call to
somebody else's stolen number is, of course, a pig-easy
way of stealing phone service, requiring practically no
technical expertise. This practice has been very
widespread, especially among lonely people without much
money who are far from home. Code theft has flourished
especially in college dorms, military bases, and,
notoriously, among roadies for rock bands. Of late, code
theft has spread very rapidly among Third Worlders in the
US, who pile up enormous unpaid long-distance bills to
the Caribbean, South America, and Pakistan.
The simplest way to steal phone-codes is simply to
look over a victim's shoulder as he punches-in his own
code-number on a public payphone. This technique is
known as "shoulder-surfing," and is especially common in
airports, bus terminals, and train stations. The code is
then sold by the thief for a few dollars. The buyer abusing
the code has no computer expertise, but calls his Mom in
New York, Kingston or Caracas and runs up a huge bill
with impunity. The losses from this primitive phreaking
activity are far, far greater than the monetary losses
caused by computer-intruding hackers.
In the mid-to-late 1980s, until the introduction of
sterner telco security measures, *computerized* code
theft worked like a charm, and was virtually omnipresent
throughout the digital underground, among phreaks and
hackers alike. This was accomplished through
programming one's computer to try random code
numbers over the telephone until one of them worked.
Simple programs to do this were widely available in the
underground; a computer running all night was likely to
come up with a dozen or so useful hits. This could be
repeated week after week until one had a large library of
stolen codes.
Nowadays, the computerized dialling of hundreds of
numbers can be detected within hours and swiftly traced.
If a stolen code is repeatedly abused, this too can be
detected within a few hours. But for years in the 1980s, the
publication of stolen codes was a kind of elementary
etiquette for fledgling hackers. The simplest way to
establish your bona-fides as a raider was to steal a code
through repeated random dialling and offer it to the
"community" for use. Codes could be both stolen, and
used, simply and easily from the safety of one's own
bedroom, with very little fear of detection or punishment.
Before computers and their phone-line modems
entered American homes in gigantic numbers, phone
phreaks had their own special telecommunications
hardware gadget, the famous "blue box." This fraud
device (now rendered increasingly useless by the digital
evolution of the phone system) could trick switching
systems into granting free access to long-distance lines. It
did this by mimicking the system's own signal, a tone of
2600 hertz.
Steven Jobs and Steve Wozniak, the founders of
Apple Computer, Inc., once dabbled in selling blue-boxes
in college dorms in California. For many, in the early days
of phreaking, blue-boxing was scarcely perceived as
"theft," but rather as a fun (if sneaky) way to use excess
phone capacity harmlessly. After all, the long-distance
lines were *just sitting there*.... Whom did it hurt, really?
If you're not *damaging* the system, and you're not
*using up any tangible resource,* and if nobody *finds
out* what you did, then what real harm have you done?
What exactly *have* you "stolen," anyway? If a tree falls
in the forest and nobody hears it, how much is the noise
worth? Even now this remains a rather dicey question.
Blue-boxing was no joke to the phone companies,
however. Indeed, when *Ramparts* magazine, a radical
publication in California, printed the wiring schematics
necessary to create a mute box in June 1972, the
magazine was seized by police and Pacific Bell phone-
company officials. The mute box, a blue-box variant,
allowed its user to receive long-distance calls free of
charge to the caller. This device was closely described in a
*Ramparts* article wryly titled "Regulating the Phone
Company In Your Home." Publication of this article was
held to be in violation of Californian State Penal Code
section 502.7, which outlaws ownership of wire-fraud
devices and the selling of "plans or instructions for any
instrument, apparatus, or device intended to avoid
telephone toll charges."
Issues of *Ramparts* were recalled or seized on the
newsstands, and the resultant loss of income helped put
the magazine out of business. This was an ominous
precedent for free-expression issues, but the telco's
crushing of a radical-fringe magazine passed without
serious challenge at the time. Even in the freewheeling
California 1970s, it was widely felt that there was
something sacrosanct about what the phone company
knew; that the telco had a legal and moral right to protect
itself by shutting off the flow of such illicit information.
Most telco information was so "specialized" that it would
scarcely be understood by any honest member of the
public. If not published, it would not be missed. To print
such material did not seem part of the legitimate role of a
free press.
In 1990 there would be a similar telco-inspired attack
on the electronic phreak/hacking "magazine" *Phrack.*
The *Phrack* legal case became a central issue in the
Hacker Crackdown, and gave rise to great controversy.
*Phrack* would also be shut down, for a time, at least, but
this time both the telcos and their law-enforcement allies
would pay a much larger price for their actions. The
*Phrack* case will be examined in detail, later.
Phone-phreaking as a social practice is still very
much alive at this moment. Today, phone-phreaking is
thriving much more vigorously than the better-known and
worse-feared practice of "computer hacking." New forms
of phreaking are spreading rapidly, following new
vulnerabilities in sophisticated phone services.
Cellular phones are especially vulnerable; their chips
can be re-programmed to present a false caller ID and
avoid billing. Doing so also avoids police tapping, making
cellular-phone abuse a favorite among drug-dealers.
"Call-sell operations" using pirate cellular phones can, and
have, been run right out of the backs of cars, which move
from "cell" to "cell" in the local phone system, retailing
stolen long-distance service, like some kind of demented
electronic version of the neighborhood ice-cream truck.
Private branch-exchange phone systems in large
corporations can be penetrated; phreaks dial-up a local
company, enter its internal phone-system, hack it, then
use the company's own PBX system to dial back out over
the public network, causing the company to be stuck with
the resulting long-distance bill. This technique is known
as "diverting." "Diverting" can be very costly, especially
because phreaks tend to travel in packs and never stop
talking. Perhaps the worst by-product of this "PBX fraud"
is that victim companies and telcos have sued one another
over the financial responsibility for the stolen calls, thus
enriching not only shabby phreaks but well-paid lawyers.
"Voice-mail systems" can also be abused; phreaks
can seize their own sections of these sophisticated
electronic answering machines, and use them for trading
codes or knowledge of illegal techniques. Voice-mail
abuse does not hurt the company directly, but finding
supposedly empty slots in your company's answering
machine all crammed with phreaks eagerly chattering
and hey-duding one another in impenetrable jargon can
cause sensations of almost mystical repulsion and dread.
Worse yet, phreaks have sometimes been known to
react truculently to attempts to "clean up" the voice-mail
system. Rather than humbly acquiescing to being thrown
out of their playground, they may very well call up the
company officials at work (or at home) and loudly demand
free voice-mail addresses of their very own. Such bullying
is taken very seriously by spooked victims.
Acts of phreak revenge against straight people are
rare, but voice-mail systems are especially tempting and
vulnerable, and an infestation of angry phreaks in one's
voice-mail system is no joke. They can erase legitimate
messages; or spy on private messages; or harass users with
recorded taunts and obscenities. They've even been
known to seize control of voice-mail security, and lock out
legitimate users, or even shut down the system entirely.
Cellular phone-calls, cordless phones, and ship-to-
shore telephony can all be monitored by various forms of
radio; this kind of "passive monitoring" is spreading
explosively today. Technically eavesdropping on other
people's cordless and cellular phone-calls is the fastest-
growing area in phreaking today. This practice strongly
appeals to the lust for power and conveys gratifying
sensations of technical superiority over the eavesdropping
victim. Monitoring is rife with all manner of tempting evil
mischief. Simple prurient snooping is by far the most
common activity. But credit-card numbers unwarily
spoken over the phone can be recorded, stolen and used.
And tapping people's phone-calls (whether through active
telephone taps or passive radio monitors) does lend itself
conveniently to activities like blackmail, industrial
espionage, and political dirty tricks.
It should be repeated that telecommunications
fraud, the theft of phone service, causes vastly greater
monetary losses than the practice of entering into
computers by stealth. Hackers are mostly young
suburban American white males, and exist in their
hundreds -- but "phreaks" come from both sexes and from
many nationalities, ages and ethnic backgrounds, and are
flourishing in the thousands.
#
The term "hacker" has had an unfortunate history.
This book, *The Hacker Crackdown,* has little to say about
"hacking" in its finer, original sense. The term can signify
the free-wheeling intellectual exploration of the highest
and deepest potential of computer systems. Hacking can
describe the determination to make access to computers
and information as free and open as possible. Hacking
can involve the heartfelt conviction that beauty can be
found in computers, that the fine aesthetic in a perfect
program can liberate the mind and spirit. This is
"hacking" as it was defined in Steven Levy's much-praised
history of the pioneer computer milieu, *Hackers,*
published in 1984.
Hackers of all kinds are absolutely soaked through
with heroic anti-bureaucratic sentiment. Hackers long for
recognition as a praiseworthy cultural archetype, the
postmodern electronic equivalent of the cowboy and
mountain man. Whether they deserve such a reputation
is something for history to decide. But many hackers --
including those outlaw hackers who are computer
intruders, and whose activities are defined as criminal --
actually attempt to *live up to* this techno-cowboy
reputation. And given that electronics and
telecommunications are still largely unexplored
territories, there is simply *no telling* what hackers might
uncover.
For some people, this freedom is the very breath of
oxygen, the inventive spontaneity that makes life worth
living and that flings open doors to marvellous possibility
and individual empowerment. But for many people -- and
increasingly so -- the hacker is an ominous figure, a smart-
aleck sociopath ready to burst out of his basement
wilderness and savage other people's lives for his own
anarchical convenience.
Any form of power without responsibility, without
direct and formal checks and balances, is frightening to
people -- and reasonably so. It should be frankly admitted
that hackers *are* frightening, and that the basis of this
fear is not irrational.
Fear of hackers goes well beyond the fear of merely
criminal activity.
Subversion and manipulation of the phone system is
an act with disturbing political overtones. In America,
computers and telephones are potent symbols of
organized authority and the technocratic business elite.
But there is an element in American culture that has
always strongly rebelled against these symbols; rebelled
against all large industrial computers and all phone
companies. A certain anarchical tinge deep in the
American soul delights in causing confusion and pain to
all bureaucracies, including technological ones.
There is sometimes malice and vandalism in this
attitude, but it is a deep and cherished part of the
American national character. The outlaw, the rebel, the
rugged individual, the pioneer, the sturdy Jeffersonian
yeoman, the private citizen resisting interference in his
pursuit of happiness -- these are figures that all
Americans recognize, and that many will strongly applaud
and defend.
Many scrupulously law-abiding citizens today do
cutting-edge work with electronics -- work that has already
had tremendous social influence and will have much
more in years to come. In all truth, these talented,
hardworking, law-abiding, mature, adult people are far
more disturbing to the peace and order of the current
status quo than any scofflaw group of romantic teenage
punk kids. These law-abiding hackers have the power,
ability, and willingness to influence other people's lives
quite unpredictably. They have means, motive, and
opportunity to meddle drastically with the American social
order. When corralled into governments, universities, or
large multinational companies, and forced to follow
rulebooks and wear suits and ties, they at least have some
conventional halters on their freedom of action. But when
loosed alone, or in small groups, and fired by imagination
and the entrepreneurial spirit, they can move mountains --
causing landslides that will likely crash directly into your
office and living room.
These people, as a class, instinctively recognize that a
public, politicized attack on hackers will eventually spread
to them -- that the term "hacker," once demonized, might
be used to knock their hands off the levers of power and
choke them out of existence. There are hackers today who
fiercely and publicly resist any besmirching of the noble
title of hacker. Naturally and understandably, they
deeply resent the attack on their values implicit in using
the word "hacker" as a synonym for computer-criminal.
This book, sadly but in my opinion unavoidably,
rather adds to the degradation of the term. It concerns
itself mostly with "hacking" in its commonest latter-day
definition, i.e., intruding into computer systems by stealth
and without permission.
The term "hacking" is used routinely today by
almost all law enforcement officials with any professional
interest in computer fraud and abuse. American police
describe almost any crime committed with, by, through, or
against a computer as hacking.
Most importantly, "hacker" is what computer-
intruders choose to call *themselves.* Nobody who
"hacks" into systems willingly describes himself (rarely,
herself) as a "computer intruder," "computer trespasser,"
"cracker," "wormer," "darkside hacker" or "high tech street
gangster." Several other demeaning terms have been
invented in the hope that the press and public will leave
the original sense of the word alone. But few people
actually use these terms. (I exempt the term "cyberpunk,"
which a few hackers and law enforcement people actually
do use. The term "cyberpunk" is drawn from literary
criticism and has some odd and unlikely resonances, but,
like hacker, cyberpunk too has become a criminal
pejorative today.)
In any case, breaking into computer systems was
hardly alien to the original hacker tradition. The first
tottering systems of the 1960s required fairly extensive
internal surgery merely to function day-by-day. Their
users "invaded" the deepest, most arcane recesses of their
operating software almost as a matter of routine.
"Computer security" in these early, primitive systems was
at best an afterthought. What security there was, was
entirely physical, for it was assumed that anyone allowed
near this expensive, arcane hardware would be a fully
qualified professional expert.
In a campus environment, though, this meant that
grad students, teaching assistants, undergraduates, and
eventually, all manner of dropouts and hangers-on ended
up accessing and often running the works.
Universities, even modern universities, are not in the
business of maintaining security over information. On the
contrary, universities, as institutions, pre-date the
"information economy" by many centuries and are not-
for-profit cultural entities, whose reason for existence
(purportedly) is to discover truth, codify it through
techniques of scholarship, and then teach it. Universities
are meant to *pass the torch of civilization,* not just
download data into student skulls, and the values of the
academic community are strongly at odds with those of all
would-be information empires. Teachers at all levels,
from kindergarten up, have proven to be shameless and
persistent software and data pirates. Universities do not
merely "leak information" but vigorously broadcast free
thought.
This clash of values has been fraught with
controversy. Many hackers of the 1960s remember their
professional apprenticeship as a long guerilla war against
the uptight mainframe-computer "information
priesthood." These computer-hungry youngsters had to
struggle hard for access to computing power, and many of
them were not above certain, er, shortcuts. But, over the
years, this practice freed computing from the sterile
reserve of lab-coated technocrats and was largely
responsible for the explosive growth of computing in
general society -- especially *personal* computing.
Access to technical power acted like catnip on
certain of these youngsters. Most of the basic techniques
of computer intrusion: password cracking, trapdoors,
backdoors, trojan horses -- were invented in college
environments in the 1960s, in the early days of network
computing. Some off-the-cuff experience at computer
intrusion was to be in the informal resume of most
"hackers" and many future industry giants. Outside of the
tiny cult of computer enthusiasts, few people thought
much about the implications of "breaking into"
computers. This sort of activity had not yet been
publicized, much less criminalized.
In the 1960s, definitions of "property" and "privacy"
had not yet been extended to cyberspace. Computers
were not yet indispensable to society. There were no vast
databanks of vulnerable, proprietary information stored in
computers, which might be accessed, copied without
permission, erased, altered, or sabotaged. The stakes
were low in the early days -- but they grew every year,
exponentially, as computers themselves grew.
By the 1990s, commercial and political pressures had
become overwhelming, and they broke the social
boundaries of the hacking subculture. Hacking had
become too important to be left to the hackers. Society
was now forced to tackle the intangible nature of
cyberspace-as-property, cyberspace as privately-owned
unreal-estate. In the new, severe, responsible, high-
stakes context of the "Information Society" of the 1990s,
"hacking" was called into question.
What did it mean to break into a computer without
permission and use its computational power, or look
around inside its files without hurting anything? What
were computer-intruding hackers, anyway -- how should
society, and the law, best define their actions? Were
they just *browsers,* harmless intellectual explorers?
Were they *voyeurs,* snoops, invaders of privacy? Should
they be sternly treated as potential *agents of espionage,*
or perhaps as *industrial spies?* Or were they best
defined as *trespassers,* a very common teenage
misdemeanor? Was hacking *theft of service?* (After
all, intruders were getting someone else's computer to
carry out their orders, without permission and without
paying). Was hacking *fraud?* Maybe it was best
described as *impersonation.* The commonest mode of
computer intrusion was (and is) to swipe or snoop
somebody else's password, and then enter the computer
in the guise of another person -- who is commonly stuck
with the blame and the bills.
Perhaps a medical metaphor was better -- hackers
should be defined as "sick," as *computer addicts* unable
to control their irresponsible, compulsive behavior.
But these weighty assessments meant little to the
people who were actually being judged. From inside the
underground world of hacking itself, all these perceptions
seem quaint, wrongheaded, stupid, or meaningless. The
most important self-perception of underground hackers --
from the 1960s, right through to the present day -- is that
they are an *elite.* The day-to-day struggle in the
underground is not over sociological definitions -- who
cares? -- but for power, knowledge, and status among
one's peers.
When you are a hacker, it is your own inner
conviction of your elite status that enables you to break, or
let us say "transcend," the rules. It is not that *all* rules go
by the board. The rules habitually broken by hackers are
*unimportant* rules -- the rules of dopey greedhead telco
bureaucrats and pig-ignorant government pests.
Hackers have their *own* rules, which separate
behavior which is cool and elite, from behavior which is
rodentlike, stupid and losing. These "rules," however, are
mostly unwritten and enforced by peer pressure and
tribal feeling. Like all rules that depend on the unspoken
conviction that everybody else is a good old boy, these
rules are ripe for abuse. The mechanisms of hacker peer-
pressure, "teletrials" and ostracism, are rarely used and
rarely work. Back-stabbing slander, threats, and
electronic harassment are also freely employed in down-
and-dirty intrahacker feuds, but this rarely forces a rival
out of the scene entirely. The only real solution for the
problem of an utterly losing, treacherous and rodentlike
hacker is to *turn him in to the police.* Unlike the Mafia
or Medellin Cartel, the hacker elite cannot simply execute
the bigmouths, creeps and troublemakers among their
to go into "fault recovery" in the first place; but AT&T has
always boasted of its "real world" reliability, and this tactic
is a belt-and-suspenders routine.
The 4ESS switch used its new software to monitor its
fellow switches as they recovered from faults. As other
switches came back on line after recovery, they would
send their "OK" signals to the switch. The switch would
make a little note to that effect in its "status map,"
recognizing that the fellow switch was back and ready to
go, and should be sent some calls and put back to regular
work.
Unfortunately, while it was busy bookkeeping with
the status map, the tiny flaw in the brand-new software
came into play. The flaw caused the 4ESS switch to
interact, subtly but drastically, with incoming telephone
calls from human users. If -- and only if -- two incoming
phone-calls happened to hit the switch within a hundredth
of a second, then a small patch of data would be garbled
by the flaw.
But the switch had been programmed to monitor
itself constantly for any possible damage to its data.
When the switch perceived that its data had been
somehow garbled, then it too would go down, for swift
repairs to its software. It would signal its fellow switches
not to send any more work. It would go into the
fault-recovery mode for four to six seconds. And then the switch
would be fine again, and would send out its "OK, ready for
work" signal.
However, the "OK, ready for work" signal was the
*very thing that had caused the switch to go down in the
first place.* And *all* the System 7 switches had the same
flaw in their status-map software. As soon as they stopped
to make the bookkeeping note that their fellow switch was
"OK," then they too would become vulnerable to the slight
chance that two phone-calls would hit them within a
hundredth of a second.
At approximately 2:25 p.m. EST on Monday, January
15, one of AT&T's 4ESS toll switching systems in New York
City had an actual, legitimate, minor problem. It went into
fault recovery routines, announced "I'm going down," then
announced, "I'm back, I'm OK." And this cheery message
then blasted throughout the network to many of its fellow
4ESS switches.
Many of the switches, at first, completely escaped
trouble. These lucky switches were not hit by the
coincidence of two phone calls within a hundredth of a
second. Their software did not fail -- at first. But three
switches -- in Atlanta, St. Louis, and Detroit -- were
unlucky, and were caught with their hands full. And they
went down. And they came back up, almost immediately.
And they too began to broadcast the lethal message that
they, too, were "OK" again, activating the lurking software
bug in yet other switches.
As more and more switches did have that bit of bad
luck and collapsed, the call-traffic became more and more
densely packed in the remaining switches, which were
groaning to keep up with the load. And of course, as the
calls became more densely packed, the switches were
*much more likely* to be hit twice within a hundredth of a
second.
It only took four seconds for a switch to get well.
There was no *physical* damage of any kind to the
switches, after all. Physically, they were working perfectly.
This situation was "only" a software problem.
But the 4ESS switches were leaping up and down
every four to six seconds, in a virulent spreading wave all
over America, in utter, manic, mechanical stupidity. They
kept *knocking* one another down with their contagious
"OK" messages.
It took about ten minutes for the chain reaction to
cripple the network. Even then, switches would
periodically luck-out and manage to resume their normal
work. Many calls -- millions of them -- were managing to
get through. But millions weren't.
The switching stations that used System 6 were not
directly affected. Thanks to these old-fashioned switches,
AT&T's national system avoided complete collapse. This
fact also made it clear to engineers that System 7 was at
fault.
Bell Labs engineers, working feverishly in New
Jersey, Illinois, and Ohio, first tried their entire repertoire
of standard network remedies on the malfunctioning
System 7. None of the remedies worked, of course,
because nothing like this had ever happened to any
phone system before.
By cutting out the backup safety network entirely,
they were able to reduce the frenzy of "OK" messages by
about half. The system then began to recover, as the
chain reaction slowed. By 11:30 pm on Monday January
15, sweating engineers on the midnight shift breathed a
sigh of relief as the last switch cleared-up.
By Tuesday they were pulling all the brand-new 4ESS
software and replacing it with an earlier version of System
7.
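The feedback loop described above can be put into a toy model; this is an added example in Python, not AT&T's or Bell Labs' code. The Poisson call arrivals, the switch count, the traffic figures and the `ok_copies` knob (standing in for the backup network whose removal roughly halved the "OK" messages) are assumptions; only the hundredth-of-a-second window and the four-to-six-second recovery come from the text.

```python
import heapq
import math
import random

GAP_S = 0.01             # from the text: two calls within a hundredth of a second
RECOVERY_S = (4.0, 6.0)  # from the text: fault recovery takes four to six seconds


def p_garble(calls_per_sec, gap_s=GAP_S):
    """Chance that two or more calls land inside one gap-long window.

    Assumption: calls arrive as a Poisson process, and one status-map
    update is exposed for exactly one such window.
    """
    mu = calls_per_sec * gap_s
    return 1.0 - math.exp(-mu) * (1.0 + mu)


def knockdowns_per_recovery(n_up, total_calls_per_sec, ok_copies):
    """Expected number of working switches felled by one "OK" broadcast.

    Above 1 the failures multiply; below 1 the chain reaction fades.
    """
    p = p_garble(total_calls_per_sec / n_up)
    return (n_up - 1) * (1.0 - (1.0 - p) ** ok_copies)


def simulate(n_switches, total_calls_per_sec, ok_copies=2,
             duration_s=600.0, seed=1):
    """Event-driven run: every recovery broadcasts "OK" to all peers."""
    rng = random.Random(seed)
    up = [True] * n_switches
    up[0] = False                               # the one legitimate fault
    queue = [(rng.uniform(*RECOVERY_S), 0)]     # (recovery time, switch)
    induced = 0                                 # crashes caused by "OK"s
    peak_down = 1
    now = 0.0
    while queue and queue[0][0] <= duration_s:
        now, sw = heapq.heappop(queue)
        up[sw] = True                           # back up, announces "OK"
        # Traffic is shared by the switches still up, so every crash
        # raises the load, and the risk, on the survivors.
        p = p_garble(total_calls_per_sec / sum(up))
        p_hit = 1.0 - (1.0 - p) ** ok_copies
        for peer in range(n_switches):
            # Assumption: a switch that is already down ignores "OK"s.
            if peer != sw and up[peer] and rng.random() < p_hit:
                up[peer] = False
                induced += 1
                back_at = now + rng.uniform(*RECOVERY_S)
                heapq.heappush(queue, (back_at, peer))
        peak_down = max(peak_down, n_switches - sum(up))
    return {"induced_crashes": induced, "peak_down": peak_down,
            "died_out": not queue, "last_event_s": now}


if __name__ == "__main__":
    # Constructed figures: 100 switches sharing 2500 calls per second.
    for copies in (2, 1):
        r0 = knockdowns_per_recovery(100, 2500.0, copies)
        run = simulate(100, 2500.0, ok_copies=copies)
        print(f"ok_copies={copies} knockdowns/recovery={r0:.2f} {run}")
```
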
If these had been human operators, rather than
computers at work, someone would simply have
eventually stopped screaming. It would have been
*obvious* that the situation was not "OK," and common
sense would have kicked in. Humans possess common
sense -- at least to some extent. Computers simply don't.
On the other hand, computers can handle hundreds
of calls per second. Humans simply can't. If every single
human being in America worked for the phone company,
we couldn't match the performance of digital switches:
direct-dialling, three-way calling, speed-calling,
call-waiting, Caller ID, all the rest of the cornucopia of
digital bounty. Replacing computers with operators is simply not
an option any more.
And yet we still, anachronistically, expect humans to
be running our phone system. It is hard for us to
understand that we have sacrificed huge amounts of
initiative and control to senseless yet powerful machines.
When the phones fail, we want somebody to be
responsible. We want somebody to blame.
When the Crash of January 15 happened, the
American populace was simply not prepared to
understand that enormous landslides in cyberspace, like
the Crash itself, can happen, and can be nobody's fault in
particular. It was easier to believe, maybe even in some
odd way more reassuring to believe, that some evil person,
or evil group, had done this to us. "Hackers" had done it.
With a virus. A trojan horse. A software bomb. A dirty
plot of some kind. People believed this, responsible
people. In 1990, they were looking hard for evidence to
confirm their heartfelt suspicions.
And they would look in a lot of places.
Come 1991, however, the outlines of an apparent new
reality would begin to emerge from the fog.
On July 1 and 2, 1991, computer-software collapses in
telephone switching stations disrupted service in
Washington DC, Pittsburgh, Los Angeles and San
Francisco. Once again, seemingly minor maintenance
problems had crippled the digital System 7. About twelve
million people were affected in the Crash of July 1, 1991.
Said the New York Times Service: "Telephone
company executives and federal regulators said they were
not ruling out the possibility of sabotage by computer
hackers, but most seemed to think the problems stemmed
from some unknown defect in the software running the
networks."
And sure enough, within the week, a red-faced
software company, DSC Communications Corporation of
Plano, Texas, owned up to "glitches" in the "signal transfer
point" software that DSC had designed for Bell Atlantic
and Pacific Bell. The immediate cause of the July 1 Crash
was a single mistyped character: one tiny typographical
flaw in one single line of the software. One mistyped
letter, in one single line, had deprived the nation's capital
of phone service. It was not particularly surprising that
this tiny flaw had escaped attention: a typical System 7
station requires *ten million* lines of code.
On Tuesday, September 17, 1991, came the most
spectacular outage yet. This case had nothing to do with
software failures -- at least, not directly. Instead, a group
of AT&T's switching stations in New York City had simply
run out of electrical power and shut down cold. Their
back-up batteries had failed. Automatic warning systems
were supposed to warn of the loss of battery power, but
those automatic systems had failed as well.
This time, Kennedy, La Guardia, and Newark airports
all had their voice and data communications cut. This
horrifying event was particularly ironic, as attacks on
airport computers by hackers had long been a standard
nightmare scenario, much trumpeted by computer-
security experts who feared the computer underground.
There had even been a Hollywood thriller about sinister
hackers ruining airport computers -- *Die Hard II.*
Now AT&T itself had crippled airports with computer
malfunctions -- not just one airport, but three at once,
some of the busiest in the world.
Air traffic came to a standstill throughout the Greater
New York area, causing more than 500 flights to be
cancelled, in a spreading wave all over America and even
into Europe. Another 500 or so flights were delayed,
affecting, all in all, about 85,000 passengers. (One of these
passengers was the chairman of the Federal
Communications Commission.)
Stranded passengers in New York and New Jersey
were further infuriated to discover that they could not
even manage to make a long distance phone call, to
explain their delay to loved ones or business associates.
Thanks to the crash, about four and a half million
domestic calls, and half a million international calls, failed
to get through.
The September 17 NYC Crash, unlike the previous
ones, involved not a whisper of "hacker" misdeeds. On the
contrary, by 1991, AT&T itself was suffering much of the
vilification that had formerly been directed at hackers.
Congressmen were grumbling. So were state and federal
regulators. And so was the press.
For their part, ancient rival MCI took out snide full-
page newspaper ads in New York, offering their own long-
distance services for the "next time that AT&T goes down."
"You wouldn't find a classy company like AT&T using
such advertising," protested AT&T Chairman Robert
Allen, unconvincingly. Once again, out came the full-page
AT&T apologies in newspapers, apologies for "an
inexcusable culmination of both human and mechanical
failure." (This time, however, AT&T offered no discount
on later calls. Unkind critics suggested that AT&T were
worried about setting any precedent for refunding the
financial losses caused by telephone crashes.)
Industry journals asked publicly if AT&T was "asleep
at the switch." The telephone network, America's
purported marvel of high-tech reliability, had gone down
three times in 18 months. *Fortune* magazine listed the
Crash of September 17 among the "Biggest Business
Goofs of 1991," cruelly parodying AT&T's ad campaign in
an article entitled "AT&T Wants You Back (Safely On the
Ground, God Willing)."
Why had those New York switching systems simply
run out of power? Because no human being had attended
to the alarm system. Why did the alarm systems blare
automatically, without any human being noticing?
Because the three telco technicians who *should* have
been listening were absent from their stations in the
power-room, on another floor of the building -- attending a
training class. A training class about the alarm systems for
the power room!
"Crashing the System" was no longer
"unprecedented" by late 1991. On the contrary, it no
longer even seemed an oddity. By 1991, it was clear that
all the policemen in the world could no longer "protect"
the phone system from crashes. By far the worst crashes
the system had ever had, had been inflicted, by the
system, upon *itself.* And this time nobody was making
cocksure statements that this was an anomaly, something
that would never happen again. By 1991 the System's
defenders had met their nebulous Enemy, and the Enemy
was -- the System.
The date was May 9, 1990. The Pope was touring
Mexico City. Hustlers from the Medellin Cartel were
trying to buy black-market Stinger missiles in Florida. On
the comics page, Doonesbury character Andy was dying of
AIDS. And then.... a highly unusual item whose novelty
and calculated rhetoric won it headscratching attention in
newspapers all over America.
The US Attorney's office in Phoenix, Arizona, had
issued a press release announcing a nationwide law
enforcement crackdown against "illegal computer hacking
activities." The sweep was officially known as "Operation
Sundevil."
Eight paragraphs in the press release gave the bare
facts: twenty-seven search warrants carried out on May 8,
with three arrests, and a hundred and fifty agents on the
prowl in "twelve" cities across America. (Different counts
in local press reports yielded "thirteen," "fourteen," and
"sixteen" cities.) Officials estimated that criminal losses
of revenue to telephone companies "may run into millions
of dollars." Credit for the Sundevil investigations was
taken by the US Secret Service, Assistant US Attorney Tim
Holtzen of Phoenix, and the Assistant Attorney General of
Arizona, Gail Thackeray.
The prepared remarks of Garry M. Jenkins,
appearing in a U.S. Department of Justice press release,
were of particular interest. Mr. Jenkins was the Assistant
Director of the US Secret Service, and the highest-ranking
federal official to take any direct public role in the hacker
crackdown of 1990.
"Today, the Secret Service is sending a clear message
to those computer hackers who have decided to violate
the laws of this nation in the mistaken belief that they can
successfully avoid detection by hiding behind the relative
anonymity of their computer terminals.(...)
"Underground groups have been formed for the
purpose of exchanging information relevant to their
criminal activities. These groups often communicate with
each other through message systems between computers
called 'bulletin boards.'
"Our experience shows that many computer hacker
suspects are no longer misguided teenagers,
mischievously playing games with their computers in their
bedrooms. Some are now high tech computer operators
using computers to engage in unlawful conduct."
Who were these "underground groups" and "high-
tech operators?" Where had they come from? What did
they want? Who *were* they? Were they
"mischievous?" Were they dangerous? How had
"misguided teenagers" managed to alarm the United
States Secret Service? And just how widespread was this
sort of thing?
Of all the major players in the Hacker Crackdown:
the phone companies, law enforcement, the civil
libertarians, and the "hackers" themselves -- the "hackers"
are by far the most mysterious, by far the hardest to
understand, by far the *weirdest.*
Not only are "hackers" novel in their activities, but
they come in a variety of odd subcultures, with a variety of
languages, motives and values.
The earliest proto-hackers were probably those
unsung mischievous telegraph boys who were summarily
fired by the Bell Company in 1878.
Legitimate "hackers," those computer enthusiasts
who are independent-minded but law-abiding, generally
trace their spiritual ancestry to elite technical universities,
especially M.I.T. and Stanford, in the 1960s.
But the genuine roots of the modern hacker
*underground* can probably be traced most successfully
to a now much-obscured hippie anarchist movement
known as the Yippies. The Yippies, who took their name
from the largely fictional "Youth International Party,"
carried out a loud and lively policy of surrealistic
subversion and outrageous political mischief. Their basic
tenets were flagrant sexual promiscuity, open and copious
drug use, the political overthrow of any powermonger over
thirty years of age, and an immediate end to the war in
Vietnam, by any means necessary, including the psychic
levitation of the Pentagon.
The two most visible Yippies were Abbie Hoffman
and Jerry Rubin. Rubin eventually became a Wall Street
broker. Hoffman, ardently sought by federal authorities,
went into hiding for seven years, in Mexico, France, and
the United States. While on the lam, Hoffman continued
to write and publish, with help from sympathizers in the
American anarcho-leftist underground. Mostly, Hoffman
survived through false ID and odd jobs. Eventually he
underwent facial plastic surgery and adopted an entirely
new identity as one "Barry Freed." After surrendering
himself to authorities in 1980, Hoffman spent a year in
prison on a cocaine conviction.
Hoffman's worldview grew much darker as the glory
days of the 1960s faded. In 1989, he purportedly
committed suicide, under odd and, to some, rather
suspicious circumstances.
Abbie Hoffman is said to have caused the Federal
Bureau of Investigation to amass the single largest
investigation file ever opened on an individual American
citizen. (If this is true, it is still questionable whether the
FBI regarded Abbie Hoffman a serious public threat --
quite possibly, his file was enormous simply because
Hoffman left colorful legendry wherever he went). He
was a gifted publicist, who regarded electronic media as
both playground and weapon. He actively enjoyed
manipulating network TV and other gullible, image-
hungry media, with various weird lies, mindboggling
rumors, impersonation scams, and other sinister
distortions, all absolutely guaranteed to upset cops,
Presidential candidates, and federal judges. Hoffman's
most famous work was a book self-reflexively known as
*Steal This Book,* which publicized a number of methods
by which young, penniless hippie agitators might live off
the fat of a system supported by humorless drones. *Steal
This Book,* whose title urged readers to damage the very
means of distribution which had put it into their hands,
might be described as a spiritual ancestor of a computer
virus.
Hoffman, like many a later conspirator, made
extensive use of pay-phones for his agitation work -- in his
case, generally through the use of cheap brass washers as
coin-slugs.
During the Vietnam War, there was a federal surtax
imposed on telephone service; Hoffman and his cohorts
could, and did, argue that in systematically stealing
phone service they were engaging in civil disobedience:
virtuously denying tax funds to an illegal and immoral war.
But this thin veil of decency was soon dropped
entirely. Ripping-off the System found its own
justification in deep alienation and a basic outlaw
contempt for conventional bourgeois values. Ingenious,
vaguely politicized varieties of rip-off, which might be
described as "anarchy by convenience," became very
popular in Yippie circles, and because rip-off was so
useful, it was to survive the Yippie movement itself.
In the early 1970s, it required fairly limited expertise
and ingenuity to cheat payphones, to divert "free"
electricity and gas service, or to rob vending machines and
parking meters for handy pocket change. It also required
a conspiracy to spread this knowledge, and the gall and
nerve actually to commit petty theft, but the Yippies had
these qualifications in plenty. In June 1971, Abbie
Hoffman and a telephone enthusiast sarcastically known
as "Al Bell" began publishing a newsletter called *Youth
International Party Line.* This newsletter was dedicated
to collating and spreading Yippie rip-off techniques,
especially of phones, to the joy of the freewheeling
underground and the insensate rage of all straight people.
As a political tactic, phone-service theft ensured that
Yippie advocates would always have ready access to the
long-distance telephone as a medium, despite the Yippies'
chronic lack of organization, discipline, money, or even a
steady home address.
*Party Line* was run out of Greenwich Village for a
couple of years, then "Al Bell" more or less defected from
the faltering ranks of Yippiedom, changing the
newsletter's name to *TAP* or *Technical Assistance
Program.* After the Vietnam War ended, the steam
began leaking rapidly out of American radical dissent.
But by this time, "Bell" and his dozen or so core
contributors had the bit between their teeth, and had
begun to derive tremendous gut-level satisfaction from
the sensation of pure *technical power.*
*TAP* articles, once highly politicized, became
pitilessly jargonized and technical, in homage or parody to
the Bell System's own technical documents, which *TAP*
studied closely, gutted, and reproduced without
permission. The *TAP* elite revelled in gloating
possession of the specialized knowledge necessary to beat
the system.
"Al Bell" dropped out of the game by the late 70s,
and "Tom Edison" took over; TAP readers (some 1400 of
them, all told) now began to show more interest in telex
switches and the growing phenomenon of computer
systems.
In 1983, "Tom Edison" had his computer stolen and
his house set on fire by an arsonist. This was an eventually
mortal blow to *TAP* (though the legendary name was to
be resurrected in 1990 by a young Kentuckian computer-
outlaw named "Predat0r.")
#
Ever since telephones began to make money, there
have been people willing to rob and defraud phone
companies. The legions of petty phone thieves vastly
outnumber those "phone phreaks" who "explore the
system" for the sake of the intellectual challenge. The
New York metropolitan area (long in the vanguard of
American crime) claims over 150,000 physical attacks on
pay telephones every year! Studied carefully, a modern
payphone reveals itself as a little fortress, carefully
designed and redesigned over generations, to resist coin-
slugs, zaps of electricity, chunks of coin-shaped ice,
prybars, magnets, lockpicks, blasting caps. Public pay-
phones must survive in a world of unfriendly, greedy
people, and a modern payphone is as exquisitely evolved
as a cactus.
Because the phone network pre-dates the computer
network, the scofflaws known as "phone phreaks" pre-date
the scofflaws known as "computer hackers." In practice,
today, the line between "phreaking" and "hacking" is very
blurred, just as the distinction between telephones and
computers has blurred. The phone system has been
digitized, and computers have learned to "talk" over
phone-lines. What's worse -- and this was the point of
Mr. Jenkins of the Secret Service -- some hackers have
learned to steal, and some thieves have learned to hack.
Despite the blurring, one can still draw a few useful
behavioral distinctions between "phreaks" and "hackers."
Hackers are intensely interested in the "system" per se,
and enjoy relating to machines. "Phreaks" are more
social, manipulating the system in a rough-and-ready
fashion in order to get through to other human beings,
fast, cheap and under the table.
Phone phreaks love nothing so much as "bridges,"
illegal conference calls of ten or twelve chatting
conspirators, seaboard to seaboard, lasting for many hours
-- and running, of course, on somebody else's tab,
preferably a large corporation's.
As phone-phreak conferences wear on, people drop
out (or simply leave the phone off the hook, while they
sashay off to work or school or babysitting), and new
people are phoned up and invited to join in, from some
other continent, if possible. Technical trivia, boasts, brags,
lies, head-trip deceptions, weird rumors, and cruel gossip
are all freely exchanged.
The lowest rung of phone-phreaking is the theft of
telephone access codes. Charging a phone call to
somebody else's stolen number is, of course, a pig-easy
way of stealing phone service, requiring practically no
technical expertise. This practice has been very
widespread, especially among lonely people without much
money who are far from home. Code theft has flourished
especially in college dorms, military bases, and,
notoriously, among roadies for rock bands. Of late, code
theft has spread very rapidly among Third Worlders in the
US, who pile up enormous unpaid long-distance bills to
the Caribbean, South America, and Pakistan.
The simplest way to steal phone-codes is simply to
look over a victim's shoulder as he punches-in his own
code-number on a public payphone. This technique is
known as "shoulder-surfing," and is especially common in
airports, bus terminals, and train stations. The code is
then sold by the thief for a few dollars. The buyer abusing
the code has no computer expertise, but calls his Mom in
New York, Kingston or Caracas and runs up a huge bill
with impunity. The losses from this primitive phreaking
activity are far, far greater than the monetary losses
caused by computer-intruding hackers.
In the mid-to-late 1980s, until the introduction of
sterner telco security measures, *computerized* code
theft worked like a charm, and was virtually omnipresent
throughout the digital underground, among phreaks and
hackers alike. This was accomplished through
programming one's computer to try random code
numbers over the telephone until one of them worked.
Simple programs to do this were widely available in the
underground; a computer running all night was likely to
come up with a dozen or so useful hits. This could be
repeated week after week until one had a large library of
stolen codes.
Nowadays, the computerized dialling of hundreds of
numbers can be detected within hours and swiftly traced.
If a stolen code is repeatedly abused, this too can be
detected within a few hours. But for years in the 1980s, the
publication of stolen codes was a kind of elementary
etiquette for fledgling hackers. The simplest way to
establish your bona-fides as a raider was to steal a code
through repeated random dialling and offer it to the
"community" for use. Codes could be both stolen, and
used, simply and easily from the safety of one's own
bedroom, with very little fear of detection or punishment.
Before computers and their phone-line modems
entered American homes in gigantic numbers, phone
phreaks had their own special telecommunications
hardware gadget, the famous "blue box." This fraud
device (now rendered increasingly useless by the digital
evolution of the phone system) could trick switching
systems into granting free access to long-distance lines. It
did this by mimicking the system's own signal, a tone of
2600 hertz.
Steven Jobs and Steve Wozniak, the founders of
Apple Computer, Inc., once dabbled in selling blue-boxes
in college dorms in California. For many, in the early days
of phreaking, blue-boxing was scarcely perceived as
"theft," but rather as a fun (if sneaky) way to use excess
phone capacity harmlessly. After all, the long-distance
lines were *just sitting there*.... Whom did it hurt,
really?
If you're not *damaging* the system, and you're not
*using up any tangible resource,* and if nobody *finds
out* what you did, then what real harm have you done?
What exactly *have* you "stolen," anyway? If a tree falls
in the forest and nobody hears it, how much is the noise
worth? Even now this remains a rather dicey question.
Blue-boxing was no joke to the phone companies,
however. Indeed, when *Ramparts* magazine, a radical
publication in California, printed the wiring schematics
necessary to create a mute box in June 1972, the
magazine was seized by police and Pacific Bell phone-
company officials. The mute box, a blue-box variant,
allowed its user to receive long-distance calls free of
charge to the caller. This device was closely described in a
*Ramparts* article wryly titled "Regulating the Phone
Company In Your Home." Publication of this article was
held to be in violation of Californian State Penal Code
section 502.7, which outlaws ownership of wire-fraud
devices and the selling of "plans or instructions for any
instrument, apparatus, or device intended to avoid
telephone toll charges."
Issues of *Ramparts* were recalled or seized on the
newsstands, and the resultant loss of income helped put
the magazine out of business. This was an ominous
precedent for free-expression issues, but the telco's
crushing of a radical-fringe magazine passed without
serious challenge at the time. Even in the freewheeling
California 1970s, it was widely felt that there was
something sacrosanct about what the phone company
knew; that the telco had a legal and moral right to protect
itself by shutting off the flow of such illicit information.
Most telco information was so "specialized" that it would
scarcely be understood by any honest member of the
public. If not published, it would not be missed. To print
such material did not seem part of the legitimate role of a
free press.
In 1990 there would be a similar telco-inspired attack
on the electronic phreak/hacking "magazine" *Phrack.*
The *Phrack* legal case became a central issue in the
Hacker Crackdown, and gave rise to great controversy.
*Phrack* would also be shut down, for a time, at least, but
this time both the telcos and their law-enforcement allies
would pay a much larger price for their actions. The
*Phrack* case will be examined in detail, later.
Phone-phreaking as a social practice is still very
much alive at this moment. Today, phone-phreaking is
thriving much more vigorously than the better-known and
worse-feared practice of "computer hacking." New forms
of phreaking are spreading rapidly, following new
vulnerabilities in sophisticated phone services.
Cellular phones are especially vulnerable; their chips
can be re-programmed to present a false caller ID and
avoid billing. Doing so also avoids police tapping, making
cellular-phone abuse a favorite among drug-dealers.
"Call-sell operations" using pirate cellular phones can, and
have, been run right out of the backs of cars, which move
from "cell" to "cell" in the local phone system, retailing
stolen long-distance service, like some kind of demented
electronic version of the neighborhood ice-cream truck.
Private branch-exchange phone systems in large
corporations can be penetrated; phreaks dial-up a local
company, enter its internal phone-system, hack it, then
use the company's own PBX system to dial back out over
the public network, causing the company to be stuck with
the resulting long-distance bill. This technique is known
as "diverting." "Diverting" can be very costly, especially
because phreaks tend to travel in packs and never stop
talking. Perhaps the worst by-product of this "PBX fraud"
is that victim companies and telcos have sued one another
over the financial responsibility for the stolen calls, thus
enriching not only shabby phreaks but well-paid lawyers.
"Voice-mail systems" can also be abused; phreaks
can seize their own sections of these sophisticated
electronic answering machines, and use them for trading
codes or knowledge of illegal techniques. Voice-mail
abuse does not hurt the company directly, but finding
supposedly empty slots in your company's answering
machine all crammed with phreaks eagerly chattering
and hey-duding one another in impenetrable jargon can
cause sensations of almost mystical repulsion and dread.
Worse yet, phreaks have sometimes been known to
react truculently to attempts to "clean up" the voice-mail
system. Rather than humbly acquiescing to being thrown
out of their playground, they may very well call up the
company officials at work (or at home) and loudly demand
free voice-mail addresses of their very own. Such bullying
is taken very seriously by spooked victims.
Acts of phreak revenge against straight people are
rare, but voice-mail systems are especially tempting and
vulnerable, and an infestation of angry phreaks in one's
voice-mail system is no joke. They can erase legitimate
messages; or spy on private messages; or harass users with
recorded taunts and obscenities. They've even been
known to seize control of voice-mail security, and lock out
legitimate users, or even shut down the system entirely.
Cellular phone-calls, cordless phones, and ship-to-
shore telephony can all be monitored by various forms of
radio; this kind of "passive monitoring" is spreading
explosively today. Technically eavesdropping on other
people's cordless and cellular phone-calls is the fastest-
growing area in phreaking today. This practice strongly
appeals to the lust for power and conveys gratifying
sensations of technical superiority over the eavesdropping
victim. Monitoring is rife with all manner of tempting evil
mischief. Simple prurient snooping is by far the most
common activity. But credit-card numbers unwarily
spoken over the phone can be recorded, stolen and used.
And tapping people's phone-calls (whether through active
telephone taps or passive radio monitors) does lend itself
conveniently to activities like blackmail, industrial
espionage, and political dirty tricks.
It should be repeated that telecommunications
fraud, the theft of phone service, causes vastly greater
monetary losses than the practice of entering into
computers by stealth. Hackers are mostly young
suburban American white males, and exist in their
hundreds -- but "phreaks" come from both sexes and from
many nationalities, ages and ethnic backgrounds, and are
flourishing in the thousands.
#
The term "hacker" has had an unfortunate history.
This book, *The Hacker Crackdown,* has little to say about
"hacking" in its finer, original sense. The term can
signify the free-wheeling intellectual exploration of the highest
and deepest potential of computer systems. Hacking can
describe the determination to make access to computers
and information as free and open as possible. Hacking
can involve the heartfelt conviction that beauty can be
found in computers, that the fine aesthetic in a perfect
program can liberate the mind and spirit. This is
"hacking" as it was defined in Steven Levy's much-praised
history of the pioneer computer milieu, *Hackers,*
published in 1984.
Hackers of all kinds are absolutely soaked through
with heroic anti-bureaucratic sentiment. Hackers long for
recognition as a praiseworthy cultural archetype, the
postmodern electronic equivalent of the cowboy and
mountain man. Whether they deserve such a reputation
is something for history to decide. But many hackers --
including those outlaw hackers who are computer
intruders, and whose activities are defined as criminal --
actually attempt to *live up to* this techno-cowboy
reputation. And given that electronics and
telecommunications are still largely unexplored
territories, there is simply *no telling* what hackers might
uncover.
For some people, this freedom is the very breath of
oxygen, the inventive spontaneity that makes life worth
living and that flings open doors to marvellous possibility
and individual empowerment. But for many people -- and
increasingly so -- the hacker is an ominous figure, a smart-
aleck sociopath ready to burst out of his basement
wilderness and savage other people's lives for his own
anarchical convenience.
Any form of power without responsibility, without
direct and formal checks and balances, is frightening to
people -- and reasonably so. It should be frankly admitted
that hackers *are* frightening, and that the basis of this
fear is not irrational.
Fear of hackers goes well beyond the fear of merely
criminal activity.
Subversion and manipulation of the phone system is
an act with disturbing political overtones. In America,
computers and telephones are potent symbols of
organized authority and the technocratic business elite.
But there is an element in American culture that has
always strongly rebelled against these symbols; rebelled
against all large industrial computers and all phone
companies. A certain anarchical tinge deep in the
American soul delights in causing confusion and pain to
all bureaucracies, including technological ones.
There is sometimes malice and vandalism in this
attitude, but it is a deep and cherished part of the
American national character. The outlaw, the rebel, the
rugged individual, the pioneer, the sturdy Jeffersonian
yeoman, the private citizen resisting interference in his
pursuit of happiness -- these are figures that all
Americans recognize, and that many will strongly applaud
and defend.
Many scrupulously law-abiding citizens today do
cutting-edge work with electronics -- work that has already
had tremendous social influence and will have much
more in years to come. In all truth, these talented,
hardworking, law-abiding, mature, adult people are far
more disturbing to the peace and order of the current
status quo than any scofflaw group of romantic teenage
punk kids. These law-abiding hackers have the power,
ability, and willingness to influence other people's lives
quite unpredictably. They have means, motive, and
opportunity to meddle drastically with the American social
order. When corralled into governments, universities, or
large multinational companies, and forced to follow
rulebooks and wear suits and ties, they at least have some
conventional halters on their freedom of action. But when
loosed alone, or in small groups, and fired by imagination
and the entrepreneurial spirit, they can move mountains --
causing landslides that will likely crash directly into your
office and living room.
These people, as a class, instinctively recognize that a
public, politicized attack on hackers will eventually spread
to them -- that the term "hacker," once demonized, might
be used to knock their hands off the levers of power and
choke them out of existence. There are hackers today who
fiercely and publicly resist any besmirching of the noble
title of hacker. Naturally and understandably, they
deeply resent the attack on their values implicit in using
the word "hacker" as a synonym for computer-criminal.
This book, sadly but in my opinion unavoidably,
rather adds to the degradation of the term. It concerns
itself mostly with "hacking" in its commonest latter-day
definition, i.e., intruding into computer systems by stealth
and without permission.
The term "hacking" is used routinely today by
almost all law enforcement officials with any professional
interest in computer fraud and abuse. American police
describe almost any crime committed with, by, through, or
against a computer as hacking.
Most importantly, "hacker" is what computer-
intruders choose to call *themselves.* Nobody who
"hacks" into systems willingly describes himself (rarely,
herself) as a "computer intruder," "computer trespasser,"
"cracker," "wormer," "darkside hacker" or "high tech street
gangster." Several other demeaning terms have been
invented in the hope that the press and public will leave
the original sense of the word alone. But few people
actually use these terms. (I exempt the term "cyberpunk,"
which a few hackers and law enforcement people actually
do use. The term "cyberpunk" is drawn from literary
criticism and has some odd and unlikely resonances, but,
like hacker, cyberpunk too has become a criminal
pejorative today.)
In any case, breaking into computer systems was
hardly alien to the original hacker tradition. The first
tottering systems of the 1960s required fairly extensive
internal surgery merely to function day-by-day. Their
users "invaded" the deepest, most arcane recesses of their
operating software almost as a matter of routine.
"Computer security" in these early, primitive systems was
at best an afterthought. What security there was, was
entirely physical, for it was assumed that anyone allowed
near this expensive, arcane hardware would be a fully
qualified professional expert.
In a campus environment, though, this meant that
grad students, teaching assistants, undergraduates, and
eventually, all manner of dropouts and hangers-on ended
up accessing and often running the works.
Universities, even modern universities, are not in the
business of maintaining security over information. On the
contrary, universities, as institutions, pre-date the
"information economy" by many centuries and are not-
for-profit cultural entities, whose reason for existence
(purportedly) is to discover truth, codify it through
techniques of scholarship, and then teach it. Universities
are meant to *pass the torch of civilization,* not just
download data into student skulls, and the values of the
academic community are strongly at odds with those of all
would-be information empires. Teachers at all levels,
from kindergarten up, have proven to be shameless and
persistent software and data pirates. Universities do not
merely "leak information" but vigorously broadcast free
thought.
This clash of values has been fraught with
controversy. Many hackers of the 1960s remember their
professional apprenticeship as a long guerilla war against
the uptight mainframe-computer "information
priesthood." These computer-hungry youngsters had to
struggle hard for access to computing power, and many of
them were not above certain, er, shortcuts. But, over the
years, this practice freed computing from the sterile
reserve of lab-coated technocrats and was largely
responsible for the explosive growth of computing in
general society -- especially *personal* computing.
Access to technical power acted like catnip on
certain of these youngsters. Most of the basic techniques
of computer intrusion: password cracking, trapdoors,
backdoors, trojan horses -- were invented in college
environments in the 1960s, in the early days of network
computing. Some off-the-cuff experience at computer
intrusion was to be in the informal resume of most
"hackers" and many future industry giants. Outside of the
tiny cult of computer enthusiasts, few people thought
much about the implications of "breaking into"
computers. This sort of activity had not yet been
publicized, much less criminalized.
In the 1960s, definitions of "property" and "privacy"
had not yet been extended to cyberspace. Computers
were not yet indispensable to society. There were no vast
databanks of vulnerable, proprietary information stored in
computers, which might be accessed, copied without
permission, erased, altered, or sabotaged. The stakes
were low in the early days -- but they grew every year,
exponentially, as computers themselves grew.
By the 1990s, commercial and political pressures had
become overwhelming, and they broke the social
boundaries of the hacking subculture. Hacking had
become too important to be left to the hackers. Society
was now forced to tackle the intangible nature of
cyberspace-as-property, cyberspace as privately-owned
unreal-estate. In the new, severe, responsible, high-
stakes context of the "Information Society" of the 1990s,
"hacking" was called into question.
What did it mean to break into a computer without
permission and use its computational power, or look
around inside its files without hurting anything? What
were computer-intruding hackers, anyway -- how should
society, and the law, best define their actions? Were
they just *browsers,* harmless intellectual explorers?
Were they *voyeurs,* snoops, invaders of privacy? Should
they be sternly treated as potential *agents of espionage,*
or perhaps as *industrial spies?* Or were they best
defined as *trespassers,* a very common teenage
misdemeanor? Was hacking *theft of service?* (After
all, intruders were getting someone else's computer to
carry out their orders, without permission and without
paying). Was hacking *fraud?* Maybe it was best
described as *impersonation.* The commonest mode of
computer intrusion was (and is) to swipe or snoop
somebody else's password, and then enter the computer
in the guise of another person -- who is commonly stuck
with the blame and the bills.
Perhaps a medical metaphor was better -- hackers
should be defined as "sick," as *computer addicts* unable
to control their irresponsible, compulsive behavior.
But these weighty assessments meant little to the
people who were actually being judged. From inside the
underground world of hacking itself, all these perceptions
seem quaint, wrongheaded, stupid, or meaningless. The
most important self-perception of underground hackers --
from the 1960s, right through to the present day -- is that
they are an *elite.* The day-to-day struggle in the
underground is not over sociological definitions -- who
cares? -- but for power, knowledge, and status among
one's peers.
When you are a hacker, it is your own inner
conviction of your elite status that enables you to break, or
let us say "transcend," the rules. It is not that *all* rules go
by the board. The rules habitually broken by hackers are
*unimportant* rules -- the rules of dopey greedhead telco
bureaucrats and pig-ignorant government pests.
Hackers have their *own* rules, which separate
behavior which is cool and elite, from behavior which is
rodentlike, stupid and losing. These "rules," however, are
mostly unwritten and enforced by peer pressure and
tribal feeling. Like all rules that depend on the unspoken
conviction that everybody else is a good old boy, these
rules are ripe for abuse. The mechanisms of hacker peer-
pressure, "teletrials" and ostracism, are rarely used and
rarely work. Back-stabbing slander, threats, and
electronic harassment are also freely employed in down-
and-dirty intrahacker feuds, but this rarely forces a rival
out of the scene entirely. The only real solution for the
problem of an utterly losing, treacherous and rodentlike
hacker is to *turn him in to the police.* Unlike the Mafia
or Medellin Cartel, the hacker elite cannot simply execute
the bigmouths, creeps and troublemakers among their