Chapter 10
COMPUTER CRIME: TERMINAL SLAVES, CREDIT CARD FRAUD, AND CENSORSHIP
What really constitutes a computer crime? Where is the line between harmless exploration of a computer system and real crimes?
In the eyes of the law, computer crime is any type of crime involving a computer in some way. If I hit somebody over the head with a computer, it could theoretically be viewed as a computer crime. A more specific definition would be that computer crime is the act of transferring or damaging information in cyberspace without permission. This definition is accurate in most cases. In Sweden, the authorities mostly concerned with computer crime are: the Police, the National Security Police (SÄPO), Military Intelligence and Counter-espionage, the Crime Prevention Council (BRÅ), the Department of the Interior, and Datainspektionen (see the previous chapter for details on this authority).
Additionally, other involved parties include the security departments of the large corporations, a few non-profit organizations, informal networks, and (naturally) criminal organizations. It is not surprising that all these people view the problem in totally different ways.
The National Police Board classifies computer crimes under the following categories:
1. Computers or software used in the commission of a crime
2. Computers or software subjected to criminal tampering
3. Software that has been illegally copied or modified
4. Illegal entry into, or use of, computers or computer networks
Most computer crimes committed have nothing to do with hackers. Mostly, it involves people at banks, the Postal Service, governmental insurance agencies, or private corporations in charge of billing and payments. Many succumb to temptation after seeing how easy it is to transfer money back and forth between accounts, grant themselves financial aid or welfare payments, falsify invoices, etc. It is really only an "improvement" (exacerbation?) in the old ways of economic crime. An example is a Swedish social worker who gave himself 400,000 Swedish crowns (about $50,000) in welfare payments, and then went to Venezuela to bail out a friend that had been jailed for political activities. He was able to do this because he knew about some weakness in the disbursement system: welfare payments were only reported every fortnight. This is typical of the most extensive form of computer crime. Compared to this type of crime, hacking and phreaking are a drop in the ocean. The worst computer crimes are perpetrated by people in respectable positions, and are almost never exposed. But of course, you already knew this.
The reason that these crimes do not receive as much publicity as the hackers' pranks is that the former relates to a very sensitive relationship: integrity and loyalty within the company or the governmental institution is very important for protection against external threats. It is, however, much more difficult to ensure that one's employees are satisfied and loyal than blaming hackers working from the outside. This principle has been used by entire countries to avoid having to deal with internal problems. By shifting the blame to, for example, Jews, communists, or Muslims, they can create a clear picture of the threat and a target for aggression, while keeping attention away from one's own problems.
The average age of the average computer criminal is between 30 and 40 years. Half of the criminals have worked for more than 10 years within the company. 45% are women. Hackers? I don't think so. (Source: Nätvärlden #8, 1994, p. 36 [a Swedish computer networking magazine]).
So much for internal computer crime.
A more "hacker-like" crime is defrauding ATMs (cash machines) or credit card companies. During the early period of ATMs in Sweden (1960's), when the withdrawals were still logged on punchcards inside the machines, someone went around and withdrew around 900,000 crowns (about $120,000) over Easter holiday, using fake ATM cards. This is not as easy to do today. Perhaps. Many Swedish hackers have access to the machines used to read and imprint the magnetic strips on the cards. They have also ferreted out a lot of knowledge about the nature of the information stored on these strips, mostly of general interest to the system. It is, however, difficult to enter an ATM using a "back door". The banks have developed their own telecommunications network which is inaccessible by regular telephones, and it is through this system that ATM transactions take place.
As for myself, I am constantly fascinated by people's trust in magnetic cards. All cards with a magnetic strip, like ATM or credit cards, are standardized, and can be copied using appropriate equipment. A friend of mine amused himself by withdrawing money using his old credit card. He had simply copied the information from his ATM card to the credit card. I was also not in the least surprised to learn (in April 1995) that some youths in Helsingborg (a city in southern Sweden) had reproduced local public transit cards and sold them at half price. (Courtesy of the hacker named Wolf, mentioned in chapter 4). The telephone company's own phone cards are frightfully insecure; this is also true of the cards used for cellular phones and satellite decoders. Often, it is the case of a totally unprotected standard format.
Apropos cards: Credit cards are, unfortunately, very popular among hackers. Let us take a look at some statistics from 1989, when there were about six to seven million credit cards in Sweden. In this year, revenues from credit card transactions reached a total of around 20-30 billion crowns (about $300 million), divided into about 50 million transactions averaging about 400 crowns ($50) each. 18,000 fraud cases were reported that year, in which each report would cover about 50 instances of fraudulent use (i.e., somebody used someone else's card about 50 times before it was reported). The police would rather not investigate any cases involving less than 50,000 crowns ($6,000). I can't even begin to speculate about today's figures. It is, however, unlikely that those 18,000 crimes were committed solely by hackers.
It is often ridiculously simple to call for free or shop using someone else's credit card. Previously, before stricter verification measures, many hackers "carded" merchandise from abroad. Especially computer and other electronic equipment, of course. I have already discussed how card numbers are obtained through social engineering, dumpster diving, and other techniques. If a phreaker cleans out your credit card, you will most likely never find out. The credit card companies do not give out this information to their customers. The most common explanation is "a technical error".
With the exception of stealing credit card numbers and their associated codes, hackers do not consider themselves to be in the business of computer crime. A hacker considers computer crime to be one in which computers are used for the purpose of acquiring anything besides information. A criminal using hacker methods is therefore not a hacker, but a computer criminal. Traditional hacking is about curiosity, not greed.
Sabotage
Computer sabotage is a rare but venerable form of computer crime. The word sabotage is derived from the French word sabot, which means "wooden shoe". It originally refers to the time when French textile workers threw wooden shoes into automatic weaving machines, because they were upset that machines had stolen their jobs. A mechanized loom is in many ways similar to a computer, so you could say that sabotage originally was computer sabotage. This type of activity has been around since the English instigator Ned Ludd (and his luddists) destroyed looms and Spinning Jennys in the mid-18th century.
Swedish anarchists have often threatened to sabotage computer centers. (Especially through the underground magazine Brand ["Fire"].) Like most anarchist threats, it's all talk. Swedish anarchists seem to have a hard time finding and accessing computer centers, so they stick to destroying Shell gas stations and other easily identified targets. The IRA, however, has bombed some computers in Northern Ireland. In the U.S., as early as 1969, a group of peace activists known as Beaver 55 entered a computer system in Michigan, erasing around 1,000 data tapes that supposedly contained blueprints for chemical weapons. This was carried out with the help of ordinary magnets.
There was also a French activist group called CLODO (Comité de Liberation ou de Detournement des Ordinateurs). Between 1979 and 1983, these activists destroyed a number of computers in the Toulouse region. They wanted to protest against a computer society in which (in their opinion) computers were used to control people - direct descendants of the original saboteurs, in good French tradition. Groups like this make up the militant branch of the civil rights movements to which EFF and Chaos Computer Club also belong.
The most frightening example of this type of activity is perhaps the Unabomber (Theodore Kaczynski), who carried out 16 bombings which, altogether, killed three people and injured 23. On Wednesday, August 2, 1995, the Washington Post and The New York Times published excerpts of a manifesto written by Kaczynski, and which turned out to be a well-written argument against the explosive growth of technology in modern society.
It is not only the hardware that can be subject to sabotage. Obviously, programs and other information that is stored on a computer can be tampered with. An editor at the Encyclopedia Britannica, in Chicago, became so angry over being fired that he changed a great number of words in the encyclopedia. Among others, he changed Jesus to Allah. There are innumerable examples of employees exacting revenge on their employers in a similar manner. Another sabotage took place in Israel. By accessing an Israeli newspaper's computers, a 19-year-old hacker managed to publish a false article about his computer instructor being arrested and charged with drug-related crimes in the U.S. (A rather amusing hack, in my opinion, but still rather serious considering the importance of mass media in our society. Compare this to Captain Midnight, in chapter 4.)
Nazis
Distributing (like the phreakers did) stolen credit card numbers and codes, passwords for computer systems, and similar information, is - obviously - illegal. Some BBSs, like Ausgebombt, run classifieds for weapons, steroids, and items that might well be "hot". They can also contain hard-core child or violent pornography, or racist propaganda. Swedish nazis discovered technology at an early stage, and frequently communicate electronically. At least one organization that I know of, with ties to VAM (Translator's Note: VAM = Vitt Ariskt Motstånd - "White Aryan Resistance", a Swedish white supremacist group, and a bunch of freaking psychos. I just noticed that the English initials for the organization would be "WAR"), has had guest speakers on computer-related topics.
To be a racist, however, is not illegal. However, incitement to violence and ethnic persecution are very illegal. I personally don't find this relevant to a discussion about hackers. Most hackers are not racists, nor in the least interested in steroids, stolen firearms, or child pornography. When it comes to BBSs, you should follow the same rules that apply to the rest of society: if you see something suspicious on a Swedish BBS, which could constitute a prosecutable offense - call the police. Also keep in mind that those heavily involved in a political movement like neo-nazism usually don't waste time and effort starting and running BBSs without good reason. Before letting your thoughts and actions be guided by hate and disgust, you should consider that these people have often thought long and hard about what they are doing. Have you?
Incitements to criminal action or spreading racist messages is equally illegal whether it is carried out through computers, magazines, or leaflets. On the Internet, most system administrators have enough of a sense of responsibility to remove such garbage when they come across it. If you find something suspicious on the Internet, it is usually simplest to find out who is responsible for the computer on which the information is stored, and inform them. Calling the Swedish police is usually pointless, since most of the Internet exists abroad (primarily in the U.S.). In some countries, it isn't even criminal to distribute racist information or similar stuff. In those cases, the Swedish government is virtually powerless.
The only methods for an authority to contain information stored in another country - with more lenient laws - are to either cut off the nation's computer systems(1) (which is neither easy nor desirable), or through international legislation by the UN. But there is another way! The Internet is built by people, for people, and functions through people. You can give your honest opinion to those responsible for distributing the information. In the worst cases, you can convince the person responsible for the computer on which the information is stored to remove it. Before resorting to such measures, however, you should think twice. Many view the Internet as a gigantic library, and if you come up with ideas about "censoring" this library, you should consider the fact that you are attacking free speech, and be prepared to take responsibility for that. In such a case, your actions are comparable to going into the nearest library, picking some books out of the shelves, taking them out on the street and burning them.
Information technology has thus brought global problems to your desk at home. How ironic. Now it is no longer possible to shut out world problems; you have to get involved. Dear God. Personally, I think this type of discussion is so useful to ordinary Swedish society that it outweighs any threat posed by this "dangerous" information. The problems of Sri Lanka and the Ivory Coast are suddenly our problems as well. As long as child porn is permitted somewhere in the world(2), there will also be such material on our own Internet. Such matters are everyone's problem, like environmental problems. The problem should be solved in its home court: the World. The UN, perhaps.(3)
The Police
The Swedish police - through the National Police Board - have a computer crime expert, superintendent Hans Wranghult in Malmö. He took his studies, as did most European experts in this field, in California. His most prominent work is a report called Datorkriminalitet - Hackers, insiders, och datorstödd brottslighet ("Computer Crime - Hackers, Insiders, and Computer-Assisted Crime"), which seems to be an edited version of his class notes from the States, slightly adjusted to Swedish conditions. (I am holding my breath in anticipation of his future creations.) Despite this report being a very detailed treatment of computer crime and various perspectives relating to it, it relays a very simplified picture of hackers. Apparently, Hans has listened mostly to his teachers, and never asked any amateurs what they thought of hackers. His section on hackers begins as follows:
"Originally, the word hacker was a label for the person who was responsible for testing computer systems within the organization for which he worked. The method used was to subject the system to all kinds of attacks, in order to spot errors or weaknesses in the software or the security systems."
This statement is not true, since the first hackers were students in charge of developing computer systems, and the statement is indicative of a basic view of hackers as always being busy testing or cracking security systems. If you have read this book from the beginning, you know that this is a fairly small aspect of hacking culture. Another possibility is that Wranghult is simplifying intentionally, in order to motivate his men. The police base their work on a dichotomous "us-against-them" style of thinking, and if he had started talking about good hackers as well as bad ones, the limits of the law's thinking (with regards to hackers) would perhaps have become a little fuzzy.
He is especially critical of the image of the hacker as a hero, which is blasphemy in his opinion. If he had known how journalists employ hackers, as when Chaos Computer Club hacked into information about the West German nuclear power program, or when the anonymous hacker exposed the Ausgebombt BBS, he would have been forced to reconsider his vilification of hacker activities. Apparently the police have thought twice about this, because in June of 1995, they announced that they would be happy to enlist the help of hackers to combat computer crime.
In regards to SÄPO's interest in hackers and computer culture, there is not a lot of available information. This is not unusual, since it's how things work. Bengt Angerfelt and Roland Frenzell are in charge of computer security issues at SÄPO, and their work probably consists mostly of gathering information and knowledge about computer crimes, so that someone will know what to do if there is a threat to national security. Hopefully, they know more about computer security than anyone else in Sweden. Considering the fiasco with the encryption system, they should have improved their expertise by now.
Military intelligence is also interested (naturally) in computer security issues. I know even less about this - but the only thing I know for sure is well-known among hackers: military intelligence collects as much information as they can about system and data security. This information is then used to, among other things, improve their own security. No military person would ever have the urge to bring this knowledge to the state or the business world. There are some obvious reasons for this. Business in general, and especially the computer companies, are concerned with the security of their equipment. For example, if the American NSA (National Security Agency) informed a company that manufactured a certain operating system of their system's security gaps, these would immediately be fixed. Why is this not in the interest of military intelligence? Very simple, really: since the software systems are exported, the military can use the security weaknesses to attack foreign computer systems in case of war. The military (at least in the U.S.) has its own hackers and virus creators. I mean, why not? These weapons are hardly controversial, and not limited by international agreements. Of course, they're armed to the teeth with tools for electronic warfare. By being aware of security glitches, one can protect oneself and attack others. For the same reason, Swedish intelligence would never advise Ericsson about faults in the AXE systems.
A number of Sweden's best hackers have been hired as security experts by SÄPO as well as military intelligence and counter-espionage agencies.(4) Probably, this expertise is used in "bugging" electronic communications (which is not illegal, in contrast to telephone surveillance).
Big Brother Wants to See You
But what about the distribution of information that may be "dangerous to the public"? It is not as intuitive to propose that information such as The Terrorist's Handbook, drug recipes, bomb blueprints, or perhaps technical information about telephone cards should be illegal. A popular term for this is - strangely - sociopathic information. To be a sociopath means to exhibit aggressively antisocial behavior, and belonging to a group that does not accept current social norms.
Therefore, hackers, ravers, anarchists, Freemasons, and other subgroups can be viewed as sociopathic. So can Rotary. Sociopathic information, therefore, is information that is written by socially maladjusted people. For example, spreading liberal ideas in a totalitarian communist country would have to be considered very sociopathic. It is not against the law to be socially maladjusted. It isn't even prohibited to distribute sociopathic information. However, there are a few authoritarian elements in our society that would like this to be so. During my research for this book, I have fortunately only found one example of this Big Brother attitude:
In a funky report from Institutet för Rättsinformatik ("The Institute for Legal Information"), attorney Anders Wallin tells us how he thinks the law views sociopathic information. In around 50 pages, he manages the feat of repeatedly condemning so-called sociopathic information, while failing to mention even once that this information is actually not illegal. Rather, he leans on a legal paradigm that views anything that threatens society as it is today as dangerous, by definition. Imposed on ideology, this would be called conservatism. Wallin mentions, among other things, that he hasn't been able to find the sociopathic The Anarchist's Cookbook in any Swedish library, and goes on to lament the fact that similar information is available on several Swedish databases. What he doesn't mention, however, is that this book has been cleared for publication. If you want to read a really sociopathic book, go find Jerry Rubin's Do It!, which is available at many Swedish libraries. It also happens to be published by the respectable publisher Pan/Nordstedts. The list can be made longer.
Apparently, sociopathic information is a term applied to books that normal people shouldn't read, because if they do, they will become corrupt. Alternatively: books that youth shouldn't read, or they will become corrupt. Or: books that not everyone should read, for their judgment cannot be trusted (as for myself, I am rather childishly fond of the freedom of the press). At the same time, I have to say that I don't think that everything in Wallin's report is bad. What I find erroneous is the implicit call for censorship that exists between the lines of this report. Wallin thinks it's horrible that young boys should be able to read hacker books and terrorism manuals. And I understand him - there are those who have managed to cause great damage using knowledge found in such material. Apparently, someone in the U.S. managed to blow up their little sister. I am not blind to such things. But Wallin has obviously read this material himself...
This drives cyberpunks up the wall, and is regarded - justifiably - as authoritarianism. The final responsibility for prohibiting teenagers from building bombs at home should be with the parents. And if the kids are old enough to have left the nest, I would consider them worthy of our trust. Actually, I believe they can handle reading these books, if they find it amusing. I happen to consider a person that manufactures a bomb at home to have more than one loose screw, and not at all a reason to abrogate the rights of normal people to free speech and press. I willingly confess: I own oodles of sociopathic information. Yep, it's true. I have, among other things, used them for research for this book. Almost all of the information I possess is in a digital form, and because I like to, I distribute it with abandon, which I consider not at all irresponsible.
Making Computer Viruses Illegal??
Prohibiting the manufacture of computer viruses is also questionable. Especially since there aren't any plans to criminalize possession of computer viruses - only their creation. Can I not produce a computer virus and infect my own computer if I feel like it? This seems strange, in my opinion. A relevant fact is that you could make a computer virus with paper and pencil, if you wanted to. It is not until it is fed into a computer and distributed that it can cause damage.(5)
Big Brother: What do you want to make viruses for? There's no good in that. Don't do it. Don't do it, I tell you. Why are you writing poems? Where's the good in that? Don't. Go to the factory instead, and do some work. Be of use, I tell you.
On the other hand, I agree that the intentional distribution of computer viruses should be criminal. The debate has been going on in the U.S., where, for example, the well-known virus fighter Alan Solomon (known as Dr Solomon) has clearly stated that he would consider a ban on virus manufacturing as violating the rights and freedoms of the individual. Furthermore, a virus can not be accurately compared to a bomb, since an isolated computer with a virus on it poses no public threat. Especially if the user knows what he or she is doing, which is usually the case when it comes to virus makers. Additionally, a virus does not consist of something tangible (like chemicals or metal), but only of pure information. A computer virus can be constructed through a series of commands written on a piece of paper; it is simply a case of the same information in different forms. Thus, a virus on paper would be legal since we have freedom of the press, while a virus in machine-readable form would be illegal since we do not have freedom of information? Aren't they the same thing?
Our modern Trojan horse, in the form of a computer virus, will most likely meet the same end as Karl Gerhard's play Den ökända hästen från Troja ("The Notorious Trojan Horse"), which was quickly and definitively banned as it criticized the Nazi infiltration of Sweden in the 1940's. Unwanted art should not be exhibited (in the interest of the State), and you do not at all know best what to do with your computer (sarcasm ;-).
"Datainspektionen" and Integrity
The vanguard of the computer crime-fighting forces in Sweden consists of Datainspektionen. This governmental agency's primary purpose is ensuring that state institutions and corporations follow Datalagen (the Swedish Data Code), which has been constructed specifically to protect the individual from a totalitarian information society. Datainspektionen was born in 1973 as a product of an international public debate with its origins in San Francisco. In connection with the Census of 1970, when for the first time all data was electronically registered, many had begun drawing parallels to George Orwell's 1984, and this gave birth to a debate about data integrity. The insinuation was that government, to a certain extent, was collecting information that they had no legitimate use for, and which could be used to control citizens in every aspect.(6)
The former director of Datainspektionen, Jan Freese, who still seems to exert considerable influence on the agency, is an important philosopher in the field. In practice, it seems that much of what Jan writes or speaks is adopted by Datainspektionen without further discussion. This is not so bad, since the guy mostly displays common sense. He has made several sound propositions for information legislation, and prepared Swedish society for the information revolution to a great degree. Especially good is his proposition of a general integrity law, covering databases containing information on individuals and privacy violations, whether or not computers and electronics are involved. This law should, according to Freese, regulate (quoted from Datateknik #8/1995):
* Access to and searches of private property
* Physical searches of persons, medical check-ups, and psychological tests
* Surveillance/espionage
* Illegal photography/recordings
* Electronic surveillance ("bugging")
* Distribution of privileged information
* Use of third parties' names, images, and similar information
* Abuse of third parties' communications
And this is also basically the kind of record-keeping that the EFF, cypherpunks, and others are working against. The difference, in the case of cypherpunks, is that they are of the opinion that the regime (in the US) has totally failed to protect the integrity of the individual. They even suggest that the government cannot handle these matters without becoming totalitarian. Thus, the individual should protect him- or herself through cryptography, anonymity measures, etc. The libertarian heritage is apparent, based on the American pioneers, who had to protect their farms and land with their own arms since the legal system was not fully established. That time is so far back in Swedish history that it's become foreign to us. We are used to government taking care of everything.
The reason that more and more people arm themselves with encryption is that the electronic parallel universe, cyberspace, is barbaric and uncivilized, and that even government employees appear to act instinctively and arbitrarily with regards to computers. If an integrity protection law like the one proposed by Freese had existed at an earlier stage, the problem would be absent. However, note the following: Datainspektionen is subordinate to the executive branch of the Swedish Congress. If the government gets the urge to register all political dissidents, Datainspektionen cannot do anything about it, despite it being written into law that the executive should consult Datainspektionen before creating any database on its own initiative. Datainspektionen is in no way a safeguard against a totalitarian society! Only those who blindly trust institutions and governments would dare to rely on Datainspektionen for this purpose.
From hacking to computer crime
Can hacking lead to crime? The answer is a clear YES. Hacker groups, like any other, have their share of psychopaths and deviant followers. Social engineering in itself must be considered a giant step away from social norms. It is dishonest to deceive other people, and viewing the person at the other end of the phone line as an object is frighteningly cold-blooded. Some phreakers have constructed blue boxes that they've sold for around $1500, and this activity is clearly not rooted in ideology.
Phreakers defend their criminal activity in the classical manner: first of all, only large corporations are victimized. Losses from credit card fraud against private individuals are usually absorbed by the issuing banks. At the same time, they nonchalantly ignore the fact that they create a hell of a hassle for the individuals who have to prove to the credit card companies that they didn't use their cards themselves. The elitist attitude often becomes an excuse to do whatever one feels like. At the same time, it should be noted that media as well as credit card companies exaggerate the consequences of being subject to credit card fraud. Even credit card company investigators can think, and generally understand that a well-educated father of two doesn't make repeated conference calls across half the world just for the hell of it. Many investigations are dismissed at an early stage.
Second, hackers often point to the fact that they don't derive any material gain from hacking. Hackers are known for breaking into phone companies and stealing only manuals. This, of course, confuses prosecutors. A hacker does not fit our stereotype of a criminal who absconds with other people's property for their own gain. For a hacker hungry for information, the crime itself is the reward, which may seem a little odd.
Manufacturing a computer virus, or spraying graffiti on a concrete wall, does not offer much in the way of profit. Possibly it could be sabotage or vandalism, but it is not a matter of organized crime. Perhaps virus manufacturing is, like graffiti, best viewed as an unpopular form of art; a product of our time, in which everything artistic must be sanctioned, planned, and spontaneity virtually extinguished.
Hacking a network is more a matter of exploring the system than stealing system time. In some countries, like Canada, it is permitted to walk into another person's house, look around, and leave, as long as nothing is stolen or damaged. From an ethical perspective, it is a tricky problem. In the Netherlands it was, until 1987, completely legal to enter a computer as long as nothing was destroyed or modified.(7)
Third, they defend their acts on ideological grounds - by which society is described as generally corrupt, and the real crooks are the large corporations and currency traders, who manipulate all of humanity to run their errands through their speculation. The opposite is the beauty of established society, as Oscar Wilde once expressed it: It is better to live unjustly, than without justice.
In this view, it is permissible to speak and theorize about making society more just, while direct action must be regarded as illegal, from a social perspective. It is the same principle that covers all undemocratic actions - whether it concerns those of hackers, environmentalists, or peace activists. If you break the law, you commit a crime. Period. Personally, I think that any activists who break the law, be it hackers or cyberpunks as well as tree-huggers, peace activists, or anti-abortionists who blow up abortion clinics, should be sentenced and jailed if society deems it necessary. It is not the responsibility of society to decide which values serve to justify illegal acts. My opinion, on the other hand, is due to the fact that I firmly believe in humankind's ability to achieve results in a representative democracy.(8) Anarchists, on the other hand, conclude that there should be no laws at all. (Which I can't really agree with). It's a question of values, and in our present society, un-legitimized actions are considered criminal. If those actions victimize individuals, they're misdirected.
It's been submitted that hackers could form entire underground syndicates and cooperate with the Mafia. This is, so far, mere speculation. In my opinion, the hacker mentality is not really fit for organized crime. The hacker immediately retreats when he/she feels physically threatened, and removed from his/her protected existence behind the screen. This doesn't mean that he or she is chicken, but rather that the whole thing is "for fun".
Many hackers receive strange requests like "you who are so technically skilled, couldn't you build a pirate decoder...", "couldn't you (whatever)". The fact is that even though the hackers definitely can do this, they very seldom do. Hackers are anti-authoritarian and detest being bossed around. "Figure it out on your own!" is the most frequent answer. The hacker doesn't want some subordinate role as technical genius in some criminal organization. Why should he? He could make a lot more money in a low-paid computer job than any criminal organization could offer, with the possible exception of the Mafia or foreign intelligence agencies. However, they are often willing to give advice, tips, and ideas: "Are you stuck?", "Have you found anything interesting?" - but as far as economic motivation (not curiosity) is concerned - forget it.
I would go so far as to say that we should be grateful that the little annoying hackers discovered security glitches in the computer systems, rather than the big fish. During the golden age of phreakers (in the 70s), several large gambling syndicates used blue boxes, which they manufactured on a near-industrial scale and sold at usurious rates. You can hold any opinion you want about this, but no one can deny that the hackers' activities have been important to industry, if not always beneficial. (Otherwise they wouldn't have become such a popular topic). When Bob in Springfield makes his own phone cards and sells them for $20-$100, this is hardly to be considered industrial-scale production or even production for his own gain. Considering the simple equipment used in the process, and the time spent on constructing it, it would more closely resemble a total loss. There would, therefore, seem to be an ideological reason for constructing the phone cards. Freedom of information? Anarchy?
Personally, I would have to say that the "hardware viruses" in the form of an electronic device called Big Red, found in some American and Australian banking computers, are much more frightening than anything any hacker has ever invented. This thing copies, encrypts, and hides important information on a computer's hard drive so that some informed people can easily access it. Big Red could very well be constructed by the Mafia or some international intelligence agency. These must have been deliberately installed from the inside of an organization, as opposed to the hacker's curiosity-driven exploits.
As of July 1995, an unusually sophisticated computer theft ring was still operating in Sweden. They entered offices and only stole computers, not monitors or keyboards (these were cut off). From some older models, only memory chips and hard drives were taken. In order to work undisturbed, the gang cut the telephone company's alarm cables by going through access boxes on the street, in the way the hackers of the film Sneakers did it. The gang communicated via radio, and the police even succeeded in taping their communications. Still, they weren't caught.
There's no doubt as to the origin of these thieves. Some of them are definitely some type of hacker, others are more hardened techno-criminals. The similarity to Gibson's characters is striking: the only loot is information technology, memory is worth its weight in gold, and the criminals possess fantastic technical skills. I will not for one second deny that these offenders have learned many of their skills used in their ventures through different hacker magazines: Rolig Teknik, Phrack, any number of books from small, obscure publishers. (And certainly, from common textbooks). But this is actually not the problem.
The problem is us. The problem is that we watch movies like Sneakers, The Saint, Why Me? etc., in which we can identify with the romantic or comical criminal, despite the fact that we objectively judge such a person to be the enemy of society and scum deserving of all that is coming to them. We need the criminal, or in this case, the technologically advanced criminal, to know that it's still possible to circumvent all electronic security systems. Because - if we can't escape technological supervision, well, then we can't become lawless, and then being lawful is no longer a free choice. There is no longer any anti-career that we can look down upon in our eternal quest to jet upwards through the social hierarchy. There is no honor to preserve, because if no one can be dishonorable, one cannot know what it means to be honorable. Crime exists in the form of an engine that drives us to act straight, warns us if we approach the edge of propriety, and makes us feel content with our successful lives. We, of course, do not run around at night, cutting cables, and stealing computers, do we? We work during the days and sleep at night. Each day needs its night. Every society's glowing, law-abiding segment needs its photophobic underground movement.
We award our geniuses two types of careers. Either they go through twelve years of high school and four years of college to become engineers and continue their careers upwards or sideways in the chase for more status, more money, and more exciting work projects. (Imagine, I could be CEO one day... I'll have to read up on some finance too... make the right contacts, hold the right opinions...). But what if you don't like school? What if the awfully long education bores you, but your interest is still burning for electronic devices and computers? No problem. Society has something for you too: vocational education, no status, no money, and no exciting work projects like PLEX programming or control system construction. You will never go to the right schools, know the right people, or read the right books. You won't have the correct social heritage. This is despite the fact that you are perhaps intelligent and capable and would be more suitable for Ericsson's training programs than anyone else! The hiring practices at high-tech companies are tastefully oriented towards turning non-degreed applicants back to the slums they came from.
Remaining option: anti-career. Use your knowledge to break down society's security systems so that the poor citizens will know it's not invulnerable. Give them something to fight and live for. Give them an external threat so that they won't have to take a look in the mirror. Be an outlaw to set the parameters for the lawful. Don't think that crime doesn't pay - sometimes it does. Just as long as a few get caught now and then so that the good people will have something to abhor.
Your criminals are the devils that let you see the angels within yourselves. I'll be damned if they're any worse than you!(9)
Corporate Security Forces
One of the most unpleasant computer crimes I know of was committed (and perhaps is still being committed) by Telia. In April 1995, the electronic magazine Z Central (a subsidiary of Z-mag@zine) made public that Telia possessed its own net surveillance unit, which had as its mission to gather information about subscribers suspected of being phreakers or hackers. Using phone-switch computers, they could easily record who made what calls and where. It seems that Telia systematically traced and surveilled some hackers, which really is something that only the cops have a right to do. This information was further distributed to other companies which Telia suspected of having been infiltrated by these hackers. These procedures are illegal, according to the fourth section of the Data Code, which prohibits registering information concerning possible criminality without the prior permission of Datainspektionen. Permission is almost never granted - in order to prevent totalitarian social control.
It should be added that this discussion about Telia's phone usage registration is not a new one. As early as 1981, Telia had an electronic surveillance machine named TAL-T M80, which permitted the logging of all usage on a particular line, and could send the log to a central computer for storage. Since then, Telia has introduced this type of surveillance to virtually any phone in Sweden, since this function is built into every AXE switch. In reality, anything you do using a phone is recorded by the AXE switch. If you pick up the phone and then dial one digit before hanging up, this action is registered as a time and a button-press in a computer. Telia is then able to retrieve a complete listing of all calls and non-calls performed - anything that has taken place on the line. The information, according to Telia, is used to assess and improve existing systems, and to resolve disputes with subscribers. The info is stored on computer tape for about six months.(10)
Anyone that has worked for a large corporation will understand why Telia can't resist registering and analyzing its business. However, distributing such information is against telecommunications as well as privacy laws. Telia, of course, acted in "good faith" in its attempt to "help" the victimized companies, but that doesn't excuse the breach of privacy involved. I've even seen indications that Telia uses its databases for various purposes within the company. The information is ruthlessly consulted by Telia's security departments when they suspect hacker activity, in order to extract information from hackers about their possible transgressions. (In many cases, Telia's own computers suffer from inadequate security.(11)) This takes place despite the fact that this information is not even supposed to be available to the police...
To facilitate computer crime-fighting, they've begun to investigate the possibility of constructing a so-called expert system, an artificially intelligent agent instructed to analyze the bands in which all Swedish phone calls are registered, in the search for behavior patterns that seem suspect. This involves checking out people that make long and frequent calls without interruptions, call a lot of toll-free numbers, etc., in order to compile a database of "suspicious" subscribers. Hopefully, Telia does not intend to use the system, since this would imply a completely illegal data-handling procedure. But what price is too high to maintain security?
Telia serves as an example for large corporations' views on computer crime. Of those crimes committed against Telia's technological installations, 87% consist of theft and vandalism, while computer intrusion and technical manipulation make up about 10%. The latter category includes hackers' and phreakers' activities, but also a great deal of other activity that has nothing to do with those underground groups. (But, since hackers have a definable culture and system of ethics, they're easier to point out and condemn). In addition, Telia is a company that suffers from an almost paranoid fear that someone will understand how their systems work. All communications companies feel this way. Since the technological safeguards at Telia's switches are inadequate, they rely on a psychological form of protection, which simply means that information is kept secret so that a possible attacker cannot know how the systems work. In the same manner, it protects its own organization, its own internal phone numbers, etc. Even within the organization, safeguards are in place. They are diligent about not giving any more information than necessary to operators. There is no comprehensive understanding of Telia's systems except among CEOs, high-level engineers, and system developers. The only road to those positions lies in internal advancement. Knowledge in regards to Telia's systems is therefore only supposed to exist within the organization, and no one outside Telia should know anything about how the switches really work. Hands-off, as opposed to "hands-on", that is. Just use the system. Don't ever try to figure out how it works, even if you're interested. Do not examine, do not rummage among the cables, just call, pay, and be happy!
The reason that Telia has its own security organization is that the police have neither the time nor the funding to investigate Telia's problems. (As I mentioned earlier, they are reluctant to investigate fraud amounting to less than $8000 or so). Telia has officially said that the company needs about 30 security managers plus about 10 or so specialists within the areas of physical security, system security, data processing, secrecy, and information security. The last category is the one that is supposed to make sure that I, among others, should not know the information contained in the previous sentence. (These figures, however, originate in the time when Telia was still called Televerket, and had to release information because of the freedom of information laws). Presumably, the information security officials now have a structured organization which ensures that potentially dangerous information does not leave the company or end up in public records.
Another thing that should be made completely clear is that large corporations like Telia cannot afford morals. Once they have discovered fraud affecting the company, they first have to decide whether it pays off to go after the criminals and improve security before taking any action. If improving security poses too much of an inconvenience for legitimate users, resulting in loss of customers, it is more cost-effective to let the hackers be. This has led to many hackers raising their eyebrows and wondering whether the communications companies are laid back, stupid, or just plain moronic. In reality, their only concern is money. That's why it's still so easy to call using fake credit card numbers - it is simply too expensive to effectively address the problem.
At this point, allow me to make a connection. When I spoke of cyberpunk, I mentioned that William Gibson et al. chronicle a future in which all finance and development is handled by large corporations, with a strictly hierarchical organization and a ridiculously strenuous work ethic. In the R&D labs, new technological innovations are pushed out by bored engineers with their fingers constantly on the fast-forward button. Everything in the organization of these companies is designed to make the people inside the hierarchy feel as important as possible, so that they will work as effectively as possible and push their underlings to work even harder. The result is a frighteningly effective but psychopathic organization, which can push social development beyond any imaginable limits.
Those hackers that have been forced to enter Telia's regional offices in the capacity of informers, have - with awe - described the rigorous security procedures. They have passed many doors, all with flashing diodes and demanding access cards to prevent the wrong person from being in the wrong place at the wrong time. At the very top of the building, there are the offices of the highest executives, after a total of perhaps five doors that all require pass codes. The hierarchy demands that the offices gain size as they gain altitude. At the top, they are posh. This is the final goal of all the residents of the building. The denizens of the lower levels of this tower of power are not allowed to pass through as much as half the doors leading to the top level. In this manner, the eternal desire to climb to the top is preserved.
The hacker is called to this place. The man on the other side of the desk is not evil. He is not inhuman, psychopathic, or simply cruel. He is diligent. He believes in the ten stories of concrete through which the hacker has just been transported. He has been, for his entire life since leaving the university, a part of this hierarchy. Since he is a CEO, he has been among those displaying the greatest loyalty and faithfulness to the company and the entire social system which has enabled it to exist. He can not, for the life of him, imagine that any of this could be based on an incorrect assumption - that there could be anything wrong with the market economy system, a giant wheel in which he himself is but a tiny, tiny cog. Somewhere deep inside, he retains a small illusion of freedom and independence which he nurtures tenderly.
He has a lot of respect for the hacker. The 20-year-old on the other side of the table managed, after all, to breach all the walls he has built. And the hacker didn't accomplish this through violence, but through intelligence. He manipulated Telia's computers. He was one step ahead of Telia's own security teams. The boss is impressed. But at the same time he knows, based on his fundamental appreciation of the society which lets him live in a plush two-story house with a housewife, two kids, and two cars, that this kid is wrong. The boy is a criminal, and should be treated like one. He knows that he is dealing with a dangerous individual. He has completely swallowed the myth of the hacker as a cold-blooded, anarchistic antagonist. It is him, the Chief of Security, who is right. The concrete, the desk, the condo, the market, the school system... all of these back him up. Of course he's right. How else are things supposed to work?
Of course, he has to know how the kid did it. Since he knows that he's right, he feels entitled to use any means available. In the concrete chambers in Göteborg, Farsta, and Kalmar, his devoted servants stand at attention - IBM 3081 d, AS/9000, Sperry 1100/92 - computers that obey his every command. Even before the hacker was brought to the office, he had lists printed of all the calls that this individual had made during the last six months. An exhaustive list, with dates and times down to the second. So he called his girlfriend in the middle of the night after a two-hour call to a toll-free number in the States? Why? Is she involved as well? It'll be a long interrogation. The hacker on the other side of the desk doesn't know that the list that is about to be put in front of his nose by Telia's security chief is totally useless from a legal point of view. Nothing is witnessed or signed; only five calls have been traced. These calls constitute the only binding evidence.
The hacker, with his boring middle-class background, looks across the table and straight into the eyes of the impressive boss. He locks gazes with Gibson's psychopathic Tessier-Ashpool concern. He sees the enormous company's pulsating brain sitting in front of him, dressed in Lacoste pants and a white shirt. The question is whether he understands this.
The BBS that Vanished
Let's imagine that a group of cyberpunks, in the near future, create a BBS named Pheliks to spread information using a powerful personal computer with several telecommunications lines. Stored on this BBS is pirated software, drug recipes, anarchist pamphlets, in-depth descriptions of Telia's AXE switches, documentation for smart credit cards, and much more. The software industry, spearheaded by Microsoft, is pissed. The credit card companies, spearheaded by Visa and Mastercard, are pissed. The police, wishing to maintain order, know that this is against the law and feel compelled to act. Unfortunately, the cyberpunks are aware of the possible countermeasures of the police and other authorities, and have implemented their own counter-countermeasures. When the authorities call up the BBS they are greeted by the following message:
Pheliks BBS - open 24 hours at 28.800 bps.
NOTE: Pheliks BBS is open to amateurs. Police, journalists, researchers, or other persons in an official capacity, as well as business persons or representatives of non-profit organizations, are NOT WELCOME. If you belong to any of these categories, we humbly but firmly ask you to terminate your connection to Pheliks BBS. Press ENTER to confirm that you do not belong to any of the above categories. Press +++ath0 to terminate the connection.
Through this message, paragraph 21 of the data code is invoked, with the result that anyone not complying with the request is guilty of a computer crime. In this way, every form of electronic search is made impossible, and the BBS is not threatened by governmental agencies or research institutes, which are bound to stay within the law. Journalists could in this case appeal to their moral right, as a third power of the State, to breach the data code in the public interest. The software companies, in the form of Business Software Alliance, would also (most likely) not give a shit about the data code and proceed despite the message. After a scoop in the papers, combined with repeated anonymous tips (read: lobbying) from the BSA, and combined with some sort of surveillance indicating that there might even be illegal drugs in the same location as the BBS, the police could raid the BBS after all.
However, the cyberpunks have predicted this scenario as well. When the cops bring the BBS computer to the station, they find that the part of the hard drive containing the BBS's information has been encrypted with the Securedrive program. This software uses 128-bit DES encryption, known to be uncrackable. To encrypt your hard drive is perfectly legal - businesses do it to protect confidential information from theft, and as opposed to everyday locks, encryption cannot be opened by force. At the same moment the police turned the computer off, it became useless as evidence. For investigative reasons, of course, the cops could keep the computer for a century or so, and in this manner prevent the suspicious activity from recurring. Unfortunately, computers are not that expensive. Even before the investigation has begun, the well-organized cyberpunks have gotten a new computer and restored the entire BBS from tape backups stored in a totally separate location. Companies use the same method to protect valuable information from theft, fire, or hardware malfunction.
The police can then, given reasonable cause, install surveillance equipment and record the traffic to and from the BBS, record the cyberpunks' keystrokes, etc., in order to make a successful bust. But this is very expensive, and there has to be a good reason for such measures. It is also probable that the software companies resort to illegitimate measures. Perhaps they retain a samurai hacker, like the computer cowboy Case in Gibson's novels, to enter the BBS and crash it on the orders of the company. Perhaps some company manages to convince Telia to shut down the BBS's phone lines. In this way, established society can protect itself against the cyberpunks, and maintain the ideals that have been threatened.
The real danger occurs when too many groups like that appear, hiding from governments and companies, or form an organized, nationwide base. The worst thing that can happen is that the BBS moves to an unknown address on the Internet, possibly in Taiwan or Chile. If you can afford to rent space on a computer on the other side of the world (which probably is cheaper than having your own), there are no problems with maintaining such an operation from Sweden. This is when the cyberpunks can go from information syndicate to broad, underground, political movement. And this is the real threat to established society. It is not certain that it is a threat to society from a historical perspective. I will return to this question.(12)