==Phrack Classic== Volume Three, Issue 32, File #7 of 12 13th Annual National Computer Security Conference October 1-4, 1990 Omni Shoreham Hotel Washington, D.C. A "Knight Lightning" Perspective by Craig M. Neidorf Dr. Dorothy Denning first hinted at inviting me to take part on her panel "Hackers: Who Are They?" in May 1990 when we first came into contact while preparing for my trial. At the time I did not feel that it was a very good idea since no one knew what would happen to me over the next few months. At the conclusion of my trial I agreed to participate and surprisingly, my attorney, Sheldon Zenner (of Katten, Muchin, & Zavis), accepted an invitation to speak as well. A few weeks later there was some dissension to the idea of having me appear at the conference from some professionals in the field of computer security. They felt that my presence at such a conference undermined what they stood for and would be observed by computer "hackers" as a reward of sorts for my notoriety in the hacker community. Fortunately Dr. Denning stuck to her personal values and did not exclude me from speaking. Unlike Gordon Meyer, I was unable to attend Dr. Denning's presentation "Concerning Hackers Who Break Into Computer Systems" and the ethics sessions, although I was informed upon my arrival of the intense interest from the conference participants and the reactions to my now very well known article announcing the "Phoenix Project." Not wishing to miss any more class than absolutely necessary, I arrived in Washington D.C. late in the day on Wednesday, October 4th. By some bizarre coincidence I ended up on the same flight with Sheldon Zenner. I had attended similar conventions before such as the Zeta Beta Tau National Convention in Baltimore the previous year, but there was something different about this one. I suppose considering what I have been through it was only natural for me to be a little uneasy when surrounded by computer security professionals, but oddly enough this feeling soon passed as I began to encounter friends both old and new. Zenner and I met up with Dorothy and Peter Denning and soon after I met Terry Gross, an attorney hired by the Electronic Frontier Foundation who had helped with my case in reference to the First Amendment issues. Emmanuel Goldstein, editor of 2600 Magazine and probably the chief person responsible for spreading the news and concern about my indictment last Spring, and Frank Drake, editor of W.O.R.M. showed up. I had met Drake once before. Finally I ran into Gordon Meyer. So for a while we all exchanged stories about different events surrounding our lives and how things had changed over the years only to be interrupted once by a odd gentleman from Germany who inquired if we were members of the Chaos Computer Club. At the banquet that evening, I was introduced to Peter Neumann (who among many other things is the moderator of the Internet Digest known as "RISKS") and Marc Rotenberg (Computer Professionals for Social Responsibility). Because of the great interest in the ethics sessions and comments I had heard from people who had attended, I felt a strange irony come into play. I've hosted and attended numerous "hacker" conventions over the years, the most notable being "SummerCon". At these conventions one of the main time consuming activities has always been to play detective and attempt to solve the mystery of which one of the guests or other people at the hotel were there to spy on us (whether they were government agents or some other form of security personnel). So where at SummerCon the youthful hackers were all racing around looking for the "feds," at the NCSC I wondered if the security professionals were reacting in an inverse capacity... Who Are The Hackers? Despite this attitude or maybe because of it, I and the other panelists, wore our nametags proudly with a feeling of excitement surrounding us. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - October 4, 1990 Dorothy Denning had gathered the speakers for an early morning brunch and I finally got a chance to meet Katie Hafner in person. The panelists discussed some possibilities of discussion questions to start off the presentation and before I knew it, it was time to meet the public. As we gathered in the front of the conference room, I was dismayed to find that the people in charge of the setting up the nameboards (that would sit in front of each panelist) had attended the Cook school of spelling and labeled me as "Neirdorf." Zenner thought this was hysterical. Luckily they were able to correct the error before we began. Hackers: Who Are They? Dr. Denning started the presentation by briefly introducing each panelist and asking them a couple of questions. Katie Hafner disputed the notion that her work has caused a glorification of hacking because of the severe hardships the people she interviewed had to endure. I found myself sympathizing with her as I knew what it was like to be in their positions. Many people commented later that her defense of Mitnick seemed a little insincere as he had indeed committed some serious acts. Not knowing all of the details surrounding Mitnick's case and not relying on the general newsmedia as a basis for opinion I withheld any sort of judgment. Emmanuel Goldstein and Frank Drake appeared to take on the mantle of being the spokespersons for the hackers, although I'm unsure if they would agree with this characterization. Drake's main point of view dealt with the idea that young hackers seek to be able to use resources that they are otherwise excluded from. He claimed to once have been a system intruder, but now that he is in college and has ample computing resources available to him, he no longer sees a need to "hack." Goldstein on the other hand sought to justify hacking as being beneficial to society because the hackers are finding security holes and alerting security to fix these problems before something catastrophic occurs. Gordon Meyer tried to explain the hacker mind-set and how the average hackers does not see using corporate resources as having a real financial burden to today's companies. Some people misunderstood his remarks to be speaking from a factual position and took offense, stating that the costs are great indeed. He also explained the differences between Phrack and the Computer Underground Digest. Most notable is that CuD does not print tutorials about computer systems. Sheldon Zenner focused on the freedom of the speech and press issues. He also spoke about technical details of the U.S. v. Neidorf case and the court rulings that resulted from it. One major point of interest was his quite reasonable belief that the courts will soon be holding companies financially liable for damages that may occur because of illegal intrusion into their systems. This was not to suggest that a criminal defense strategy could be that a company did not do enough to keep an intruder out, but instead that the company could be held civilly liable by outside parties. Zenner and Denning alike discussed the nature of Phrack's articles. They found that the articles appearing in Phrack contained the same types of material found publicly in other computer and security magazines, but with one significant difference. The tone of the articles. An article named "How to Hack Unix" in Phrack usually contained very similar information to an article you might see in Communications of the ACM only to be named "Securing Unix Systems." But the differences were more extreme than just the titles. Some articles in Phrack seemed to suggest exploiting security holes while the Communications of the ACM concentrated more on fixing the problem. The information in both articles would be comparable, but the audiences reading and writing these articles were often very different. I explained the concept and operation of Phrack and wandered into a discussion about lack of privacy concerning electronic mail on the Internet from government officials, system managers, and possibly even by hackers. I went on to remark that the security professionals were missing the point and the problem. The college and high-school students while perhaps doing some exploration and causing some slight disturbances are not the place to be focusing their efforts. The real danger comes from career criminals and company insiders who know the systems very well from being a part of it. These people are the source of computer crime in this country and are the ones who need to be dealt with. Catching a teenage hacker may be an easier task, but ultimately will change nothing. To this point I agreed that a hacker gaining entry and exposing holes on computer systems may be a service to some degree, but unlike Goldstein, I could not maintain that such activity should bring prosecutorial immunity to the hacker. This is a matter of discretion for security personnel and prosecutors to take into consideration. I hope they do. To a large degree I was rather silent on stage. Perhaps because I was cut off more than once or maybe even a little stagefright, but largely because many of the questions posed by the audience were wrong on their face for me to answer. I was not going to stand and defend hacking for its own sake nor was I there to explain the activities of every hacker in existence. So I let Goldstein and Drake handle questions geared to be answered by a system intruder and I primarily only spoke out concerning the First Amendment and Phrack distribution. In one instance a man upset both by Drake's comments about how the hackers just want to use resources they can't get elsewhere and by Goldstein's presentation of the Operation Sun-Devil raids and the attack on "Zod" in New York spoke up and accused us of being viciously one sided. He said that none of us (and he singled me out specifically) look to be age 14 (he said he could believe I was 18) and that "our" statement that its ok for hackers to gain access to systems simply because they lacked the resources elsewhere meant it was ok for kids to steal money to buy drugs. I responded by asking him if he was suggesting that if these "kids" were rich and did not steal the money, it would be ok to purchase drugs? I was sure that it was just a bad analogy so I changed the topic afterwards. He was right to a certain extent, all of the hackers are not age 14 or even in highschool or college, but is this really all that important of a distinction? The activities of the Secret Service agents and other law enforcement officials in Operation Sun-Devil and other investigations have been overwhelming and very careless. True this is just their standard way of doing business and they may not have even singled out the hackers as a group to focus excess zeal, but recognizing that the hackers are in a worst case scenario "white-collar offenders," shouldn't they alter their technique? Something that might be important to make clear is that in truth my indictment and the indictments on members of the Legion of Doom in Atlanta had absolutely nothing to do with Operation Sun-Devil despite the general media creation. Another interesting point that was brought out at the convention was that there was so much activity and the Secret Service kept so busy in the state of Arizona (possibly by some state official) concerning the hacker "problem" that perhaps this is the reason the government did not catch on to the great Savings & Loan multi-Billion dollar loss. One gentleman spoke about his son being in a hospital where all his treatments were being run by computer. He added that a system intruder might quite by accident disrupt the system inadvertently endangering his son's life. Isn't this bad? Obviously yes it is bad, but what was worse is that a critical hospital computer system would be hooked up to a phoneline anyway. The main reason for treatment in a hospital is so that the doctors are *there* to monitor and assist patients. Could you imagine a doctor dialing in from home with a modem to make his rounds? There was some discussion about an editor's responsibility to inform corporations if a hacker were to drop off material that he/she had breached their security. I was not entirely in opposition to the idea, but the way I would propose to do it was probably in the pages of a news article. This may seem a little roundabout, but when you stop and consider all of the private security consultants out there, they do not run around providing information to corporations for free. They charge enormous fees for their services. There are some organizations that do perform services for free (CERT comes to mind), but that is the reason they were established and they receive funding from the government which allows them to be more generous. It is my belief that if a hacker were to give me some tips about security holes and I in turn reported this information to a potential victim corporation, the corporation would be more concerned with how and from whom I got the information than with fixing the problem. One of the government's expert witnesses from U.S. v. Neidorf attended this session and he prodded Zenner and I with questions about the First Amendment that were not made clear from the trial. Zenner did an excellent job of clarifying the issues and presenting the truth where this Bellcore employee sought to show us in a poor light. During the commentary on the First Amendment, Hafner, Zenner, and I discussed a July 22, 1988 article containing a Pacific Bell telephone document copied by a hacker and sent to John Markoff that appeared on the front page of the New York Times. A member of the audience said that this was ok, but the Phrack article containing the E911 material was not because Phrack was only sent to hackers. Zenner went on to explain that this was far from true since private security, government employees, legal scholars, reporters, and telecom security personnel all received Phrack without discrimination. There really is a lot that both the hackers and security professionals have to learn about each other. It began to get late and we were forced to end our session. I guess what surprised me the most were all of the people that stayed behind to speak with us. There were representatives from NASA, U.S. Sprint, Ford Aerospace, the Department of Defense, a United States Army Lt. Colonel who all thanked us for coming to speak. It was a truly unique experience in that a year ago I would have presumed these people to be fighting against me and now it seems that they are reasonable, decent people, with an interest in trying to learn and help end the problems. I also met Mrs. Gail Meyer for the first time in person as well. I was swamped with people asking me how they could get Phrack and for the most part I referred them to Gordon Meyer and CuD (and the CuD ftp). Just before we went to lunch I met Donn Parker and Art Brodsky, an editor from Communications Daily. So many interesting people to speak with and so little time. I spent a couple hours at the National Gallery of Art with Emmanuel Goldstein, flew back to St. Louis, and returned to school. It was definitely an enLightening experience. ++++++++++++++++++++++++++++++ A very special thank you goes to Dorothy Denning, a dear friend who made it possible for me to attend the conference. :Craig M. Neidorf a/k/a Knight Lightning C483307 @ UMCVMB.MISSOURI.EDU C483307 @ UMCVMB.BITNET _______________________________________________________________________________