HACKING

Prepared for the Macmillan Encyclopedia of Computers

J.A.N. Lee [1]

1991 January 23
Final Draft

• Originally - A person who pulls clever practical jokes.

• Generally - A good programmer.
• According to the Press - A malicious meddler who tries to discover sensitive information
by snooping around where they should not be.

Introduction

The term "hacking" in the 1980's became a buzzword in the media which was taken to be derogatory and
which by misuse and overuse was attached to any form of socially non-acceptable computing activity
outside of polite society. Within this context "hackers" were assumed to be the fringe society of the
computing fraternity, mainly characterized as "youngsters" who did not know any better and who had
obtained access to a technology with which they terrorized the world of communications and computing. To
be tagged as a "hacker" was to portray a person as member of a less than acceptable group of near criminals
whose activities were not be to be undertaken by the upright citizenry. These connotations are in contrast to
the use of the term in the 1950's and 1960's when hackers were at least to be tolerated for their potential,
though not necessarily displayed in public. In many ways the early use of the term held a connotation
similar to that of a "boffin" during World War II who was characterized as a backroom activist who when
left to their own devices could produce some wonderful inventions. Scientists such as Edison (electric light
bulb, phonograph, etc.), Fleming (penicillin), Barnes-Wallis (the bouncing bomb and swept wing aircraft),
Watson-Watt (radar) and possibly even Babbage (the difference and analytical engines), may have been
honored to be identified as hackers. Only in more recent times has there been a confusion between the terms
"hacker", "petty criminal" and possibly "nerd".

The Term - its Origins and Development

[2]hack (hak),
n. 1. a horse for hire. 2. an old, worn out horse. 3. a literary drudge. 4. a coach for hire. 5. a taxi cab.
adj. 1. employed as a hack. 2. trite. v.t. to chop or cut roughly. v.i. 1. to make rough cuts. 2. to give
harsh dry coughs. n. 1. a tool for hacking. 2. a gash or notch. 3. a harsh,dry cough. - hack'er. n. -
hack'ing, adj.

The concept of hacking as a methodology to achieve some particular goal has the allusion of working at
something by experimentation or empirical means, learning about the process under review or development
by ad hoc mechanisms. This may have had an origin from the use of the term "v.t. to chop or cut roughly.
v.i. to make rough cuts" as in the process of empirical development where numerous different routes are
explored in a search for the most effective approach to a solution, but without necessarily having planned a
prearranged ordering of search or necessarily a methodology for evaluation. To chance upon a solution
through "hacking through a problem" is often as educational as structured learning, and thus it is not
unreasonable to approach a problem in a field which is devoid of structure and methodology by "hacking".
In hacking a computer, the enhancement of the system is an end in itself - applications of that system don't
count. In the same manner, hacking has no life cycle and no specific end goal; an improvement is in itself
an achievement, but not necessarily a reason for further activity. While hacking was generally counter-
society it is not necessarily anti-society. In fact, the result of hacking is a "hack" and the beauty of a hack
can only be realized if other can share in its beauty with others; the private hack is nonexistent.

The Early Years

Until the mid-1960's computing, programming and computer science had very little structure and many of
the advances in the field were achieved through ad hoc methods. Hacking as a methodology matched the
"free thinking" style of life of this period, and while there was an air of formalism amongst many
professionals, in fact the basic methodology of computation was to repeat what had been successful up to
that point; hacking merely changed the focus to concentrate on what might be done not what had been done.
Hacking was (is) a form of development in which there were (are) no rules - just intelligent and intuitive
exploration. Only as a structure was imposed on the field and acceptable methodologies for achieving a
result were recognized did the art of hacking fall into disrepute; the hackers of the 1960's were the "flower
children" of the computing world. The resurrection of the term in the 1980's implied a lack of connection to
the reality and rationality of industrial computing.

Hacking is dependent on "free" access to computers - it grew up where such access was available in an
unsupervised, non-regulated, non-conforming, interactive, hands-on environment (MIT, Berkeley) and
eventually in the environment of personal computers.

The People

Throughout the early years of computing, following the development of the ENIAC, access to computing
systems was highly restricted. To use such a system required the existence of a formal problem and
commonly a formal application for the award of processing time in a process similar to that in applying for
a research grant. Thus there was very little opportunity for solving a problem by empirical means; problems
and solutions were well planned in advance, and priorities of need scheduled the accessibility of the
machine. Perhaps the only persons who had such opportunities for experimentation were those who
constructed or managed the machines - and they generally knew enough about the systems to not need to
experiment. Thus hacking had to wait until there was a much more freer access to computing power by
those whose interests were not as specific as to write a proposal and who were attracted to the machines for
the sheer enjoyment of exploration.

The first opportunities for unfettered access to computing facilities occurred at MIT in the late-1950's when
Lincoln Laboratories loaned the TX-0 computer to the Research Laboratory of Electronics (RLE). While
there was a strong bureaucracy which controlled access to the IBM 704 computer in the Computation
Center run by Philip Morse, Jack Dennis who "controlled" the TX-0 provided unrestrained access once the
needs of formal research activities were satisfied. While this generally implied that available time was in the
"graveyard shift" this did not matter to the aficionados of what we might recognize as the first "personal
computer"; they merely altered their circadian rhythms to accommodate this minor shortcoming. The TX-0
was originally designed by Lincoln Laboratories as a hands-on controller for a much larger system under
development, and thus its style of use was much different than that of the IBM 704 and the batch processing
mode of operation. The TX-0 soon fell under the spell of, and cast its own web over the first hacker
community. From this environment grew a plethora of proficiencies built-in to the skills of the hacker
community. Perhaps we shall never totally tally the technological concepts which originated in this
environment, but by all accounts it was a very fertile bed. Primary in the collection of products must be the
whole field of computer games. "Star Wars" existed on the PDP-1 computer years before the Ping-Pong
paddle was introduced into the family television, and twenty years before there was a personal computer.
The technology and theory of game playing never crossed the minds of hackers, and yet their products were
legends. Early script writing was developed for the TX-0 and the Computer Museum (Boston MA) still
shows the cowboy film which was the result of this effort. In both instances such developments would not
have had a high priority on a closed shop system.

The Benefits of Hacking

With respect to the problems of testing programs, Conway and Gries[3] suggested that this was a fertile
ground to demonstrate the usefulness of the "most depraved minds"! Thus a benefit to the computer
community is the free-wheeling exploration of systems by the benign hacker. Freedom and control may be
incompatible attributes of such an environment, but it is clear that the tasks of program or system usage in a
productive setting are not amenable to the recognition and acceptance of bugs and errors. On the other hand
the challenge of testing may be a logical outlet for hacking inclinations in the make-up of a programmer. In
several cases systems have been purposely exposed to hackers to test their security and their robustness. In
1989 LeeMah DataCom Security Corporation challenged hackers to retrieve a secret message hidden in a
computer in Atlanta GA[4]. After giving the potential intruders a phone number and password, they were
asked to retrieve a hidden message in the system. The prize was to be an eight-day, seven night, all-
expenses paid trip for two to St. Moritz or Tahiti! In a seven-day period, with the rate of calls starting at 100
calls per hour on the first day, 7,476 attempts to access the critical message were attempted. Not one
attempt succeeded! The company claimed to have "proven that a system ... will effectively meet the needs
of dial-up access systems" and users "need not accept arduous, user-hostile telecommunications security
plans". The challenge was repeated in 1990 with two sites, with the same basic start-up information, but
with the challenge period extended to two weeks. Once again the system resisted intrusion. John Tuomy
stated "the problem with all the coverage of successful hacker break-ins is that some people might get the
impression that these hackers are invincible, or that the FBI arrests of some of them will act as a deterrent.
The fact is that the government couldn't possibly arrest all the hackers out there, and certainly not guarantee
the safety of the nation's computers. We believe strongly that computer crime can be prevented, but that
businesses have to do it themselves".

The Psychology of Hacking and Programming

There is a certain allure to computing which is difficult to replicate in other environments. In many respects
computing is always "real" rather than merely an example or model, though there is equally always the
hope for more power and greater facilities to do bigger and better hacks. Whereas in other endeavors the
development of a project such as a hot-rod car or a trip to Hawaii costs real dollars, computing costs
nothing - it is a utility. Driving a hot-rod on a dirt strip is also fraught with real physical danger, while hot-
rodding a computer is safe. The computer does not hit back even when the worst of effects are programmed.

Even the non-hacker and the non-programmer are effected by the computer. With the advent of e-mail
systems, one can easily recognize the change in personality with comes from a non-evasive form of
communication[5]. Persons who are puppydogs in face-to-face communication become wolves when they
do not have to look into the eyes of the receiver and are not threatened physically by their textual
combatant. Levy (1984) suggests that there is a "code of ethics" for hacking which, though not pasted on
the walls, is in the air:

• Access to Computers - and anything which might teach you something about the way the world
works - should be unlimited and total. Always yield to the Hands-On Imperative!
• All information should be free.
• Mistrust Authority - Promote Decentralization.
• Hackers should be judged by their hacking, not bogus criteria such as degrees, age, race, or
position.
• You can create art and beauty on a computer.
 • Computers can change your life for the better.

Hacking, whether it is benign or felonious, is associated with learning and exploration. While there are elder
hackers, they grew up from the hacking covens of youngsters interested in exploring and exploiting the new
ethereal world of electronic tripping. But like so many other new technologies, the growth of the amateur
capabilities and the sharing of findings, soon outgrows the normal and the useful; to find an area in which to
make a mark requires an excursion into the not so acceptable domains.

Communications and Accessible Computing

The period of the early 1960's at MIT was the period when Fernando Corbató and his colleagues took upon
themselves the development of an interactive time sharing system which would provide personal computing
to the university community while at the same time using all the available machine cycles. John McCarthy
had realized that it was essential that a machine be used to its utmost, and that while batch processing
solved the administrative problem of utilization, the downside of the solution was extremely long turn
around times for individual programs. His solution was to have several programs ready for execution, so
that while one program was waiting for a delaying activity (such as human input) another program could
use the available machine cycles. In his memorandum to Philip Morse he used the example of the TX-0 to
reinforce his arguments of how computing really should be accomplished. However he did not realize that
in creating such a system the bureaucracy of the batch operating system would be carried over in the form
of login identifiers and passwords. The hacker community was continually frustrated by the bureaucracy
which accompanied the use of the Compatible Time Sharing System (CTSS) and the systems within Project
MAC. The TX-0 had always been operated without a logon identification or password; files were in public
storage, unrestrained by protective systems. Persons could roam through these files at will and were free to
make changes and updates to files left there by others. On the premise that you can always make things
better programs would be debugged overnight, have new features added, or be incorporated into other
programs freely.
CTSS discouraged hacking. Add to this the fact that it was run on a two-million-dollar IBM machine that
the hackers thought was much inferior to their PDP-6, and you had one loser system. No one was asking the
hackers to use CTSS, but it was there, and sometimes you just have to do some hacking on what's available.
When a hacker would try to use it, and a message would come on-screen saying that you couldn't log on
without the proper password, he would be compelled to retaliate. Because to hackers, passwords were even
more odious than locked doors. What could be worse than someone telling you that you weren't authorized
to use his computer?

As it turned out, the hackers learned the CTSS system so well that they could circumvent the password
requirements. Once they were on the system, they would rub it in a bit by leaving messages to the
administrators high-tech equivalents of "Kilroy Was Here."

The Incompatible Time-sharing System (ITS): The title was particularly ironic because, in terms of
friendliness to other systems and programs, ITS was much more compatible than CTSS. True to the Hacker
Ethic, ITS could easily be linked to other things - that way it could be infinitely extended so users could
probe the world more effectively. As in any time-sharing system, several users would be able to run
programs on ITS at the same time. But on ITS, one user could also run several programs at once. ITS also
allowed considerable use of the displays, and had what was for the time a very advanced system of editing
that used the full screen.

There was an even more striking embodiment of the Hacker Ethic within ITS. Unlike almost any other
time-sharing system, ITS did not use passwords. It was designed, in fact, to allow hackers maximum access
to any user's file. The old practice of having paper tapes in a drawer, a collective program library where
you'd have people use and improve your programs, was embedded in ITS; each user could open a set of
personal files, stored on a disk. The open architecture of ITS encouraged users to look through these files,
see what neat hacks other people were working on, look for bugs in the programs, and fix them. If you
wanted a routine to calculate sine functions, for instance, you might look in [the] files and find [a] ten-
instruction sine hack. You could go through the programs of the master hackers, looking for ideas, admiring
the code. The idea was that computer programs belonged not to individuals, but to the world of users.

[6]

Of this period, self-confessed hacker Guy Steele (1983) said: "Despite stories you have read about the anti-
social nerds glued permanently to display screens, totally addicted to the computer, hackers have (human)
friend too. Often these friendships are formed and maintained through the computer". This era reached it's
intended goal of providing interactive computing through the technology of time-sharing. It is also created
the marriage between computers and communications systems which opened the door to a whole new field
to explore.

The 1980's

The 1970's was a period of intense but limited activity by small groups of hackers. One such group was the
Homebrew Club in the California Bay area, centered somewhat on Berkeley and concentrating on hardware
systems in contrast to the earlier hacking activities on the east coast which had primarily been in relation to
software. From this group came a number of innovations including a number of primordial personal
computers -- Lee Felsenstein and the Sol, and the 6502-based Apple I from Steve Jobs and Steve Wozniak.
Previously Wozniak had developed a "blue box" to access phone systems but legitimized his activities by
turning to the development of the Apple I board. Cap'n Crunch[7] (John Draper) had earlier engineered a
blue box based on the tones necessary to activate the Bell Telephone system and as published in various
magazines to advertise the new tonal system; Draper added a few tones including one which, accessed the
operator routines and thus provided an easy entrance into the toll call network. From this community grew
not only the need but the answer to the demand for personal computing. They also inadvertently opened up
a Pandora's box of accessibility when they connected the microcomputer to the telephone system through a
modem. And so we moved into the 1980's with the personal computer moving into homes and bedrooms.
No longer was it the privileged or canny few who had access to teletypes and who could access main frame
computers. Even the smallest computer costing as little as $100 could be coupled to the family TV and a
modem to provide an electronic tripping medium for the new breed of hackers. And this new breed did not
build on the knowledge of the advances made by their predecessors; they had the equipment, they had the
urge and, most times unbeknownst to their parents, they acquired the knowledge to travel the world without
leaving the privacy of their bedrooms. No-one provided a code of ethics for their wanderings because their
teachers were not sufficiently knowledgeable of the potential of this combination of computer and modem,
and their parents had no adolescent experiences of their own on which to build an expectation of the
outreach of the offspring. What was (and is) needed was a computer education package which had similar
moral and ethical scenarios as they would have found in high school courses in driver education or sex
education.

As the owner of a personal computer extends his awareness knowledge of the system there are several paths
that can lead to further awareness and to further exploration: to install or develop new software packages, or
to explore other people's packages. Given the limited resources of a teenager, the former is not easy unless
currency can be exchanged for other possessions. Bulletin Boards were an early development for
communication between PC users, but by their very nature they insisted on the possession of an
environment which permitted a wider latitude of exploration than just a bulletin board. These boards also
became (and still are) the repositories of software packages, many of them donated to the public domain by
their developers. In other cases proprietary or copyrighted packages were available for some small cost --
either the provision of some other unique piece of software or in other cases an identification such as a
credit card number. Though the board promised not to charge the card for any software, the card number
did get used in other nefarious ways without the owner's prior knowledge; in many cases, of course, the
card number belonged to the parent of the provider. Bulletin Boards were the obvious places to store the
necessary hacking information for the uninitiated to make their first tours of computerworld. Boards have
been found to contain the telephone numbers of local (and not so local) computer systems, information on
the means of constructing blue boxes (and their modem equivalent) and other non-computational gadgets
such as Molotov cocktails and Mace guns! Other boards have contained credit card numbers (which is of
limited usefulness once the card has been reported as missing), credit card authorization information and
merchant identification codes. Of course, not all Bulletin Boards are provided for perverse purposes, but
one must ask the question as to what a board operator gets out of supplying this service. The operation of a
board can use up a great deal of computing power, a dedicated telephone and ample storage. Like the TX-0,
most bulletin boards have an open storage system, or at the very least provide supervisory access to files by
the owner. Thus the owner collects information and products as they pass through the board; that is his pay-
off.

Authors have categorized hackers of the 1980's to classify the intrusive form of their attack or the rationale
for their entry into a system. Donn Parker[8] suggested that their intentions could be classified into three
groupings based on their actions while accessing a system:

benign
- the hacker whose intentions are purely educational
unsavory
- the intruder whose intentions are not necessarily malicious but whose very presence can be
negative
malicious
- the intruder whose primary intention is to cause the system to crash or to wreck havoc in its
operation

while Landreth [9] suggested they could best be categorized by their activities:

novice
- the user whose first steps into the world of electronic tripping are tentative and exploratory, and
whose intentions are merely to emulate those who he believes have gone before
student
- the visitor who has a fair knowledge of the means of access and whose new intentions are to learn
more about the system under scrutiny without plans to change anything or to leave anything behind
tourist
- having discovered all there is to be known about his local systems decides to visit similar systems
worldwide
crasher
- the hacker whose challenge is to defeat a system by bringing it to its knees
thief
- the system intruder whose intentions are to retrieve from the systems he can access data and
programs that he can put to his own use (including providing the stolen information to others)

Viruses, Worms and other Infections

In the beginning the tools of hackers were ingenuity and intuition which when combined with a detailed
knowledge of the system being hacked resulted in systems which did special and new things in a better and
more responsive manner through software enhancements. Later the Homebrew Club and their
contemporaries reached the same achievements through the development of hardware devices. With the
introduction of the personal computer and modems, new tools were available and new techniques of
hacking were necessary. The results were different also; now hacks could be inserted into systems a
thousand miles away, though it would be very disappointing not to be around when the hack was activated.
Just as in the days of CTSS the first task was to overcome the basic security system by locating an available
login identification and the corresponding password. Two basic approaches to identification are possible:
(1) to understand the basic mechanism for assigning/selecting identifications, or (2) to find the system
backdoor access which is generally provided to allow a supervisor to access the system after crashes and an
otherwise locked system. With the advent of wide area networks and the need to send e-mail to users, login
identification has become much more predictable - last name, last name and first initial, first initial and last
name, initials, etc. Even when the actual identifier is different, many systems provide an alias which is
equally predictable. Similarly passwords, without some special mechanism for generation, are predictable if
one has a knowledge of the user - children's names, dog's names, special interests, etc. Landreth[10]
provided an appendix in his book which listed the manufacturer installed identifications and passwords
which were delivered with each machine. He pointed out that in many cases the user did not change these
"open doors" either because they were unaware of their availability or since they were frightened that if
these access keys were to be changed they might forget them and thus be denied entrance at a later time.
More direct methods can be used in direct contact with the user of an account to be attacked. Termed by
Parker[11] as "shoulder surfing", some attackers have learned the techniques of reading a user's keystrokes
and obtaining the password by this means even though it is not printed on the terminal screen; the
identification is printed for all to see! This technique is particularly simple in observing the keystrokes on a
number pad such as used with an ATM machine.

Quite commonly banks assign Personal Identification Numbers which have a pattern to them -- up and
down on line (8255), the corners, (7931) or some other pattern which is easier to remember than the number
itself. This considerably eases the task of the shoulder surfer.

In 1984 the FBI reported that the average embezzlement netted the perpetrator $15,000, but the means for
the computer knowledgeable embezzler is simpler than that for the person who has to work in the open.
Hiding behind the anonymity of a programmer the embezzler can now alter the program to suit his needs
(such as collecting the fractions of cents not assigned to an account in interest calculations) or making
minor, but accumulative, modifications to the input (and corresponding output) data. This termed "data
diddling". This attack methodology which would probably be rejected as conforming to the Hacker Ethic
and thus not be used by the true hacker. This methodology is much more common as a technique of a
embezzlement by an employee of (say) a bank or a financial agency who does not necessarily have a
background in programming. Simply, the input data to a system is modified in order to benefit the
perpetrator -- the introduction of a bogus bank account through which funds are transferred long enough
before assignment to the true account to accrue small amounts of interest. Very few account holder actually
check their interest credits to the penny; interest after all is "free" and the interest rate changes quarterly so
it is difficult for the average person to verify these account entries regularly. An obvious place for an
embezzlement. In social service agencies, dead beneficiaries have been kept on the books and the checks
diverted to another address where they can be collected by the data diddler. One of the most insidious forms
of system attack is the result of sabotage by legitimate users, possibly disgruntled employees of the system
owner, or by previous employees who were discharged under a cloud. In some cases this might well be
initially perpetrated as a safeguard against later unsatisfactory actions by the owner. For example, there
have been a number of cases where a piece of code has been inserted into the payroll program so that if the
identification of the employee is not in the data base then the system should crash! In one case which we
examined, this piece of code was installed as a set of data in a COBOL program, which were thought to be
taxation constants be other investigators of the apparently flawed hardware system. Procedures of this form
are termed logic bombs, since they were triggered by a logical condition. Similarly an alternative action,
such as the otherwise of a select statement might be filled with an unsavory procedure, thus forming a trap
door through which the program may fall.

Hackers seeking to access a system can use a variety of methodologies depending on the capabilities (or
weaknesses) of the system under attack. It is not unusual for multi-user systems to provide a mechanism by
which legitimate users who own several accounts might move from one to another readily, thus obviating
the need to completely exit the system before accessing the new account. In most systems this requires the
use of a new password but this password is not always subjected to the same revision policies as primary
passwords. Alternatively, a user can access the data of another account by linking to that account. Thus a
hacker piggybacking on a legitimate, and commonly a guest account, and thereby to sidestep into another
domain. Of course the common method of access is to impersonate the legitimate user through the use of
his identification and password.

Hackers who Landreth classified as "crashers" have numerous methods, not all of which necessitate actual
access to the system code and by which method the system can be crashed. Other methods can use the
actual characteristics of the system so as to make it useless to other users. For example, an interactive
system which permits the instantiation of multi-tasking is liable to attack through the overloading of the
system by nonsense, infinite, cycle (or storage) grabbing routines. Such a system will slowly grind to a
standstill. In the case of the Internet virus of 1988[12], a similar situation was created which slowly
overloaded the communications network until it was unable carry legitimate messages. In late 1988 a
"Christmas Tree" package almost brought the BITNET[13] to its knees. In this case a victim would find a
message on his screen which said "Enter Merry Christmas". When he typed in this command a Christmas
Tree was displayed on the screen with appropriate seasonal greetings. However at the same time the
package sent itself in a mail message to all the names in his mail distribution file! Quickly the network
filled with messages, but fortunately the package could be identified by potential victims and thwarted.

Viruses, like the term hackers, have become the byword of the recent years. Viruses and hackers seem to go
together. Contrasted to logic bombs and trap doors, viruses have the basic characteristic that they replicate
under certain circumstances and thus are said to to "infect" other software items. Viruses themselves may
have two potential purposes - to replicate themselves and to perpetrate some mischief as a bomb or a worm.
On the other hand, a virus may do nothing more than replicate itself. The minuteness of simple viruses
mean that they can be embedded in other systems quite easily and any differences in file size may be
attributed to version differences. A common technique is to embed a virus within a commonly used system
and to modify the initial load module to link to the virus before starting up the application. By attaching
themselves to word processors or spreadsheets the likelihood of initiation of a virus is greatly increased.
Viruses can be introduced into a system by a variety of doors. A system connected to a network is liable for
entry through e-mail, through the linkage to other infected systems, through the use of bulletin boards to
download software. Viruses can also be carried in on diskettes which have be used in infected systems.
Attractive software, commonly to be obtained illicitly to circumvent copyrights or protective locks serve as
"trojan horses" and carry with them the virus. One particularly obnoxious form of virus is the "worm"
which has the characteristics of eating its way (by destroying data and programs) through the storage
system of a computer. Antidotes to viruses have been constructed for many of the well known versions and
a new industry has been created to build virus detectives, immunization procedures and antidotes. Like safe
sex, there are virtues associated with obtaining software and data through well known, legitimate sources!

The Internet Virus

[14]
On November 2, 1988 the Internet system which interconnects the majority of computer networks in the
United States was the victim of a virus which was later to be found to have originated at Cornell University
in the account of Robert Morris. The virus, dubbed a worm by some since it not only replicated itself
throughout the network by multiply infected single systems, took advantage of some well known flaws in
the recent version of UNIX® running on Sun 3 systems and VAX® computers. The basic vehicle for
operation was the finger utility which is provided to permit a user to locate another user on the system and
possibly (depending on the amount of data captured by the system administrator) other information such as
phone number and address. Fundamentally the virus used the lack of memory protection on an input buffer
to modify a portion of the operating system in order to access user passwords and therefrom delivered a
complex (but relatively small) virus which collected system files from remote machines.

The effects were twofold. On the one hand there was an almost immediate and devastating decline in the
operability of the network and numerous machines attached to it. On the other hand it immediately raised
the visibility of the need for action on the system security, an improved legalistic approach to computer
crime, and the need to make everyone aware of the consequences of and their responsibility for their actions
in this non-threatening world of computers and communications.

The Prospects and Countermeasures

In discussing hackers and the melanoma alleged to be associated with their activities, we have perhaps
overlooked the ultimate instantiation of their trade - the computer criminal. Clearly the computer is a tool
that can be used in illegitimate manners just as almost any other tool in our modern repertoire can be used
inappropriately. While much of the alleged activity of hackers has com under scrutiny in the legislatures,
there is still a line between the hacker and the criminal. This line may hinge on intent and purpose, and
while it is not clear that hackers accrue a great deal of financial benefit by their actions, the impact on the
owner of a (hardware or software) system is not that different. Consider the disparity between the hacker
ethic that information should be free and the right to privacy of individuals whose records are stored in a
data bank. Fundamentally the system owner must rely on three elements which will provide his protection:

Computer Security
- technical means by which the system is protected by layers of security through which control of
communication is verified and by which data and software is checked for sanity and cleanliness
Computer Law
- the enactment of a series of punitive measures which define precisely the illegitimate activities
with respect to computer systems usage, and the installation of an enforcement mechanism by
which infringements of the law are detected and prosecuted
Computer Ethics
- the introduction of studies of ethical behavior into our educational system, in the same manner in
which ethical (and moral) behavior is taught alongside sex and driver education

Bibliography

ACM. 1989. "The Worm Story", A collection of papers and reports, Comm. ACM, Vol. 32, No. 6, pp. 677-703.

Perry, Tekla S. & Paul Wallich. May 1984. "Can Computer Crime be Stopped?", IEEE Spectrum.

Gemignani, Michael. 1989. "Viruses and Criminal Law", Legally Speaking, Comm. ACM, Vol. 32, No. 6, pp. 669-671.

Conway, Richard, and David Gries. 1975. An introduction to programming : a structured approach using PL/1 and PL/C, 2nd ed.,
Winthrop Publishers, Cambridge, MA.
Irwin, Stephen T. 1990. "The Great Hacker Challenge of 1989", Technical Support,..

Landreth, Bill. 1985. Out of the Inner Circle: A Hacker's Guide to Computer Security, Microsoft Press, Bellvue WA, 230 pp.

Lee, J.A.N., Roz Steier, Gerald Segal. 1986. "Positive Alternatives: A Report of an ACM Panel on Hacking", Comm. ACM,
Vol.29, No.4, April 1986, pp.297-299.

Levy, Steven. 1984. Hackers: Heroes of the Computer Revolution, Anchor Press/Doubleday, Garden City, NY, 458 pp.

Parker, Donn B. 1976. Crime by Computer, Scribner's, New York.

Parker, Donn B. 1983. Fighting Computer Crime, Scribner's, New York.

Parker, Donn, and John F. Maxfield. 1985. "The Nature and Extent of Electronic Computer Intrusion", Workshop on Protection of
Computer Systems and Software, National Science Foundation.

Samuelson, Pamela. 1989. "Can Hackers be Sued for Damages Caused by Computer Viruses?", Legally Speaking, Comm. ACM,
Vol. 32, No. 6, pp. 666-669.

Shapiro, Norman Z. and Robert H. Anderson. 1985. Towards an Ethics and Etiquette for Electronic Mail, Rep. No. R-3283-
NSF/RC, Rand Corp., Santa Monica CA.

Steele, Jr., Guy L. at al. 1983. The Hacker's Dictionary, Harper & Row, Publ., New York.

Footnotes

{1} Department of Computer Science

Virginia Polytechnic Institute and State University

Blacksburg VA 24061-0106

[2] Websters New World Dictionary, 1967.

[3] Conway and Gries 1975.

[4] Irwin 1990.

[5] Shapiro 1985.

[6] Levy 1985

[7] Draper took the pseudonym Cap'n Crunch from the cereal when he found that the plastic whistle enclosed as a premium
activated the operator controls of the phone system.

[8] Parker 1984.

[9] Landreth 1985.

[10] ibid
[11] ibid

[12] ACM 1989.

[13] Because It's Time NETwork.

[14] ACM 1989.

Phone Hacking

During lunch, the topic of American Idol came up. I asked if anyone heard of any stories where someone
was caught using custom hardware/software to increase the number of phone votes. Tonight, I stumbled on
to a article discussing the same thing.

Now there are reports that hackers are messing with the system. They're using a combination of auto-dialing
hardware and software that ranges from homegrown applications to souped-up old BBS dial-up software
like Procomm to dial in and vote in record numbers for perhaps the worst performers in the group. The
software apparently helps them overcome whatever technological safeguards the show has in place to
prevent people from voting more than once. Some believe they are also using hardware like the automatic
phone dialer PowerDialer ($248) to beat busy signals. It can dial the same number up to 25 times per
minute. It's just a TV show, I know, but the competition matters to these young talents, and this chicanery
has apparently resulted in some less-than-stellar singers sticking around for way too long