Every journalist worth his salt knows Adam Penenberg
as the Forbes reporter who uncovered Stephen Glass's fabrications in
The New Republic. Penenberg has turned his investigative talents to the
world of corporate spies in Spooked: Espionage in Corporate America (Perseus
Publishing), which he coauthored with a real-live spook, Marc Barry. Since his
coauthor was less known to the media world, we thought you might enjoy meeting
him.
As founder of C3I Analytics (a corporate intelligence
firm), Marc Barry has many identities: environmentalist, venture capitalist,
headhunter. But in his own home, he's a gym addict, a collector of sixties-era
Pop Art furniture and the only person to have written three state laws without
a law degree.
Marc Barry's spacious loft in New York's Little Italy
is populated in all its corners by jewel-toned psychedelic couches, curvaceous
green and purple Ultrasuede-covered chairs, and not much else. He could share
a decorator with Austin Powers, or A Clockwork Orange's Korova Milkbar.
"I view this stuff as functional art," he says. Pointing at the bright,
sleek lounges, he remarks, "I'm waiting for a guy I know to come over and
see these. The biggest piece of that fabric I'd ever seen before was just about
enough to cover that tongue chair over there. He bought it from a dealer in
France, and I envied him. He paid twelve thousand dollars for it. When he sees
this, he'll have a conniption fit." He lounges with his feet up on the
couch in question.
MB: Tell me how you and Adam collaborated on the
book.
Barry: Adam was the
co-writer and it was his whole idea to do the book. I'm good at what I do, but
I mean, the book could not have been written without him, especially as far
as the whole structure of the book goes. I handled all the technical aspects.
I did the sourcing. But all the character stuff was written by Adam. Anything
where you see two people talking in a room, that's Adam. I'm the parts about
where corporate intelligence came from, the CIA's involvement, the National
Security Administration's (NSA) involvement. That's what I know. Adam's very
good at getting in people's heads, putting down how it was done, what was happening-that's
not something I can do. I can write a narrative of things that happened to me
and I can do it in the third person. But I frankly wouldn't have done it for
the money they were offering.
MB: In Chapter 4, "The Kite", which
The New York Times Magazine excerpted, you pose as an environmentalist
and the president of a fake company. Do you often assume false identities in
your work?
Barry: Well, in my work I've posed as a venture
capitalist, as a recruiter, a headhunter. I've met people who thought
they were interviewing for a job, and in reality I was debriefing them on who
they were actually working for. I've set up front companies. They're very elaborate
and convoluted ruses. But the point of that chapter ("The Kite") is
that you don't always need that. Sometimes if you have a telephone and you know
exactly where the information is, it's easy to bang it out.
I would rather they'd chosen the chapter called "The
Intelligencing of Corporate America," or the Motorola chapter ("Motorola:
First in Business Collection"). Those were both more technical. I hate
pandering to the lowest common denominator. What do I care whether a bunch of
stupid people understand or not? Unfortunately, that's who the publisher wants
you to write to-Horatio the Hornblower, standing in Barnes & Noble. They're
trying to get him to plunk down his $26.50. I'm really amazed at how low the
bar is in publishing.
I think people in my industry are going to read the book,
and they are going to laugh, because it doesn't tell nearly enough.
MB: Are you satisfied with how the book turned
out? Is there anything you would have done differently?
Barry: I just wish I was free to speak more candidly
about what I know. If I could talk about the things that I have done in my career,
there'd be congressional hearings. There's nothing that corporate America is
doing that is less ruthless than what the US intelligence community-the CIA
or the NSA or the DIA-is doing. And there's just so much hypocrisy involved.
It's all hidden behind layers of nondisclosure agreements.
I don't see anything wrong with what they're doing either.
The trouble I see is that nobody will own up to it. I mean, I've got money in
the stock market. I think the average person wants companies to be using competitive
intelligence.
I've had board members of SCIP (the Society of Competitive
Intelligence Professionals) asking me to do some pretty dubious things because
they don't want to get caught doing it themselves. That's what bothers me. They
should just own up to what they're doing. If you don't agree with it, fine.
If you resent me for talking about it, that's fine too, but don't deny it. Don't
sit there and tell me it doesn't exist when it does. Then you're creating a
scenario where I have to prove you wrong. And if I have to prove you wrong,
that's going to be ugly.
MB: If everyone owned up to it, it wouldn't be
secret.
Barry: Well, we're in such a PR-driven society. If it seems like it might
result in some bad publicity, they don't want to do it. The C.I. industry itself
is so concerned with image, and so concerned with cultivating an industry and
making it more user-friendly and more palatable to a broader cross section of
other industries that they want everyone to think that it's all warm and fuzzy.
The leaders of the SCIP community will say, "Oh, our intelligence is all
open source, nothing that could be remotely considered underhanded," and
that's just not true. And granted, there is a lot out there. There's more information
than most people realize out there, if you know where to look. But certain things,
like Merck's new synthetic fluid for the knee that hasn't even passed clinical
trials yet-you're not going to get that information unless you bamboozle it
out of somebody. You're not going to get that without deception. And that's
what I excel at.
MB: Tell me about your company, C3I Analytics.
I hear you're building a war room?
Barry: Basically 75 percent of what we're doing
right now is competitive intelligence. The other 25 percent is a joint venture
I'm involved in with Raytheon. They're an enormous defense contractor-the guys
who build satellites for the CIA. We're talking about building a $12 million
war room. There's only one other facility like it in the world-the LIWA (Land
Information Warfare Activity) center, owned by the Army. There's 24 feet of
panoramic video screens going around the room, and supercomputers capable of
dragging in huge nets of raw data from the world press and public files.
We can also do things like scenario war-rooming, where,
say, Texaco wants to know about a huge oil reserve in the Caspian Sea. And Shell
Oil gets control of it. So Texaco wants to know what's going to happen to prices
globally. We can take all the elements in play, turn it into a scenario and
run it. The idea is to provide big picture analysis. We can videoconference
between 500 people in various parts of the world-everything from that to weather
patterns. The guy who designed the war room, I've been told, actually designed
the set for Star Trek: The Next Generation. It's very space-age looking. It's
got a captain's chair.
In May when we were writing the manuscript, it said it
was going to cost 7 million dollars. Now it's up to 12. My guess is by the time
this thing is built, it's probably going to cost 15 or more.
It should be a lot of fun. It's going to be my New York
Times obituary-"that name sounds familiar, who's that? Oh the guy that
built that war room." We're charging clients a million dollars a year.
We're going to handle everything from trademark counterfeiting to merging to
competitive intelligence.
MB: When you were in high school, did you think,
"I'm going to grow up and build a war room?"
Barry: That was the last thing on my mind. I was
drinking and going to strip clubs, hanging out with my friends. I'm in the business
for the cerebral aspects of this. They have it, they're going to hide it-how
am I going to get it? Every chase, every caper I do is totally different. It
never gets boring. I mean, I can go to a party and I'll know a little bit about
a million different subjects.
I enjoy when people hide something and it's up to me
to try to get it out of them. It's funny, because I hate it in my personal life.
I rationalize all the duplicity and underhandedness by saying, "If I'm
not doing it in my personal life, then I'm cool."
I have a very compartmentalized life. That's why this book is getting kind of
tricky. It's crossing the line. It's turning into my life.
MB: Do you feel like they're trying to sell this
book based on your mystique?
Barry: I'm no different than anybody else. They
try to sell you as this larger-than-life character, and I can understand the
reasons for that. It's just hard to deal with at times. Sometimes I don't feel
like playing spy. Most of the people I get talking to me are like, "So,
do you bug telephones?" Jesus, how about a token for the cool machine!
If I did do those things, I wouldn't tell you. There's
a lot more to it. I specialize in "humint"-human intelligence, eliciting
from people. That other thing is "sigint," signal intelligence. It's
a different deal. And then they're like, "Oh, fascinating," and they
scribble in their notebooks. My friends down in D.C. and I goof on that. It
sounds really pompous, but we say to each other, "If they really knew what
went on..."
Running phone tolls and things like that are just starting
to come out now. I've been running people's phone tolls for years! I used to
do that on girlfriends, girls I just met. Then I found out how bad that is.
It really ruins the relationship because then you have this profile of what
she is. It robs you of all the magic of getting to know somebody. When you run
somebody, you know their whole life history. If they're fibbing or embellishing,
you know that too. You're like, "Don't give me that, I've got your ten-year
address history right here!"
Biography
Adam Penenberg is a well-known
investigative journalist. He currently writes for Time and Fortune,
and was on staff at Forbes magazine and Forbes.com. His work has also
appeared in the New York Times, Wired, and Playboy. He
resides in New York City.
Marc Barry is an intelligence
practitioner and a national expert on intellectual property. He is the founder
of C3I Analytics, a corporate intelligence firm in New York City. His clients
are Fortune 400 companies.
An excerpt from Spooked: Espionage in Corporate America
by Adam L. Penenberg and Marc Barry
Chapter 9: "Chief Hacking Officer"
Marc Maiffret, his hair purple, spiky, and coated
in gel, doesn't look like an operative paid to steal what a Kashmiri terrorist
believed was top-secret U.S. military software. Partial to black pants and silk
button-down shirts, Maiffret likes "to dress like Nicholas Cage,"
but at five foot six he's built more like a neo-Gothic version of Barney Rubble.
It has come as no surprise to the twenty-year-old cybersavant
known as "Chameleon" that life is a numbers game. For as long as he
can remember, the digital intruder turned Internet security guru has existed
in a netherworld of digits. Zeroes and ones "that I manipulated and that
manipulated me," strung together in the language of binary code, the basis
of the commands he used to forge the applications that underlie the operating
systems that serve as the brains of the computer networks he breaks into.
Chameleon, who specializes in tearing apart Microsoft
software for security holes, says "I didn't graduate from MIT with top
honors. My world has revolved around breaking software and systems while the
security professionals' world has revolved around fixing and securing their
systems against me and my attacks-attacks they know nothing about."
Now, as a cofounder of eEye, a top Internet security
consulting firm, he has become one of those computer security
pros he used to outfox. Maiffret has business cards, but that doesn't mean he
has gone mainstream. After all, they read, "Chief Hacking Officer."
He, and antiestablishment propeller-heads like him, with hacker handles like
"Jericho," "Dildog," "Punkis," and "Tweety
Fish," personify why corporate espionage has not yet been retrofitted for
cyberspace.
But how tempting it must be for corporate America. Already
most companies store vast caches of valuable data-including personnel records,
customer billing, confidential financial information, confidential blueprints,
marketing plans, and technologies in the R&D stage-in their computer networks.
From a remote location anywhere in the world, a skilled digital intruder could
sneak into a corporate network by tricking the network software to run his commands
and not those of the system administrator. Once inside, he could jump from machine
to machine, copying documents and confidential e-mail. In a world of bits and bytes,
since he leaves his bounty behind as well as taking it with him, a company wouldn't
even know it had been hacked-unless the perp bragged.
"I think as businesses move more data online,
their competitors will find it tempting to hire hackers," says Dale Coddington,
systems security engineer for eEye Digital Security. "Since the FBI's track
record catching them is less than stellar, there's little chance a well-trained
hacker will get caught. With such low risk and high reward, it's inevitable
some company is going to get burned through cyberspace. The question is, will
it even know about it?"
Since the dawn of electronic time (the 1960s) computer
hackers have roamed "cyberspace"-even before that word was first coined
by sci-fi writer William Gibson in the 1984 paperback Neuromancer. At first
the Internet connected a select group of universities and research institutions;
the term "hacker" was either used to describe someone with a bad golf
swing or a geek who explored the innermost workings of computer systems. In
neither instance was a hacker a lawbreaker. He usually attained his skills by
spending thousands of hours spelunking through large networks, studying how
they were cobbled together. The invention of the World Wide Web in 1989 changed
all this. At first the Information Superhighway was a mere backcountry road,
riddled with potholes and service disruptions. As late as 1996 most Americans
had never heard of the web, the word "browser" was used to describe
someone wandering around a store without a plan, and few corporations maintained
a presence in cyberspace.
As the 1990s hustled forward companies began to recognize
the inevitability of business-to-consumer e-commerce, and by 2000 there were
millions of web sites, many of them belonging to corporations and small businesses,
as well as universities, research centers, think tanks, mom-and-pop operations,
religious and political zealots, porn providers, online scammers and hate groups,
newspapers, magazines, and publishing houses, hackers, and music and software
pirates, as well as your regular Joe and Josephine Q. Public.
But more web sites mean more computer assaults. In
1988, the first year for which statistics are available, there were 6 reported
hacking incidents, according to CERT (part of Carnegie Mellon University's Software
Engineering Institute). Four years later there were 773. The year 1995 saw 2,412
attacks launched on computers, with the number quadrupling to 9,859 in the year
1999. The first quarter of 2000 continued this trend, setting a pace that should
easily eclipse 10,000 hacks for the year. And these are just the reported ones.
The Pentagon alone suffers hundreds of attacks a week, as do scores of other
government and military sites. Motorola, the New York Times, and Yahoo! are
just a few of the companies that have had their web sites taken over by obstreperous
digital felons.
Greater global interconnectedness isn't just part of
a cybergeek's daily musings, it has also been working its way into the mainstream.
Horror flick sequels specialist Wes Craven (director of Scream et al. and numerous
Nightmares on Elm Street) says: "I look at computers and their growing
global linkage as the beginning of neural pathways to planet consciousness.
It began with the telegraph, the foundation for using numbers to convey information,
to the computers of today. The way that computers are growing closer together,
linked by the Internet, creates a digital central nervous system. There's a
brain forming around the skin of the planet."
Trippy, maybe. But this greater human virtual connectivity
comes at a price: security. The ease with which a massive wave of "denial
of service" (DOS) attacks were launched against powerhouse e-commerce success
stories in February 2000 illustrates that everyone, even the richest corporation,
is equally vulnerable in cyberspace. Yahoo!, E*Trade, Amazon, Buy.com, and a
score of other sites were hit with a hailstorm of tiny electronic packets containing
anticorporate messages. The companies' routers and servers hyperventilated from
the onslaught, slowing traffic to a crawl and in some cases shutting down the
network. In real-world terms it was the equivalent of a million irate PC owners
simultaneously dialing twenty frazzled tech-support operators. The result: a
stream of busy signals and a whole lot of frustrated customers.
"Hackers have known for a long time a large-scale
DOS like this could be done, but no one's had the chutzpah to do it before,"
says Tweety Fish, a member of "Cult of the Dead Cow," an underground
hacker organization the DOS attackers sent greetings to within the code used
to flood targets. (Dead Cow members had nothing to do with it.)
Computer security company ICSA estimates there are 1
million hackers around the globe, many of them "script kiddies," or
wannabes who wouldn't know computer code from Morse code but who get behind
corporate firewalls by relying on point-and-click
software available from hacker sites on the Internet-free for the asking, for
those who know where to surf.
But don't expect corporations to turn to hackers to
find out what rivals are up to any time soon. Corporate suits don't trust computer
culture kids like Maiffret, and have even less desire to work with them; usually
corporate IT departments' interface with his kind is when the company's home
page has been graffitied by some "script kiddie." When companies hire
computer experts from the outside, it is usually for computer forensics, another
hot field. This is used to catch a disgruntled employee stealing data, or to
nab someone distributing confidential material via e-mail. In 1998 Maiffret
was hired to gather evidence for a civil suit. The client's spiteful ex-lover
had stolen the license for a valuable microsurgical clamp from his company,
AroSurgical of Newport Beach, California. Maiffret specially coded software
to monitor her corporate e-mail account, hoping she would be reckless enough
to continue using it. He was pleased when she did, dialing in from home. Maiffret
didn't monitor her outgoing e-mail but he could see the incoming messages.
Every ten minutes the program would check her e-mail
account, make copies, and send them to us, a program that it took me about forty-five
minutes to code. We could have used the Microsoft Outlook program, but I didn't
want files removed from the server, because then she wouldn't have gotten her
mail and gotten suspicious.
One of the e-mails came from a company she had solicited
that mentioned the existence of the document and would they be interested in
talking. AroSurgical got an injunction, barring her from using the pilfered
license, and eEye got to bill $240 an hour.
Maiffret believes he has the creativity to solve almost
any problem on the fly-and that's because of his hacker roots. But many computer
security firms claim they won't hire people like him. They say they are fearful
of a criminal past.
ISS, an Internet security company headquartered in Atlanta,
has for years decried the use of hackers by its competitors. The company guarantees
its employees have pure pasts by conducting extensive background checks. But,
points out Space Rogue, publisher of the Hacker News Network and a member of
L0pht Heavy Industries, a hacker think tank in Boston, companies already
hire hackers; they just don't know it.
"There is no national hacker registry to
check on someone's hacker status," says Space Rogue, who, along with other
members of L0pht, testified before Congress in 1998 about threats to the National
Electronic Infrastructure. "Any company that comes out and claims, 'We
do not hire hackers' is deluding itself," he continues.
ISS CEO Christopher Klaus, who kicked off his company
in 1994 with a single product, calls hiring hackers "a questionable practice,
which could lead to tremendous legal liability." The $3 billion company,
housed in Atlanta, refers to itself as "the world's leading provider of
security management solutions for the Internet," claiming more than 5,000
customers, including twenty-one of the twenty-five largest U.S. commercial banks,
nine of the ten largest telecommunications companies, and more than thirty-five
government agencies. Klaus, himself a reformed hacker who used the identity
"Coup," would have a lot to lose if he brought in the wrong guys.
But ISS has in fact hired half a dozen or more known
hackers in recent years, some who have the reputation for being quite malicious,
including one who goes by the name "Prym" and has been linked to a
number of high-profile assaults on corporate, government, military, and proenvironmental
web sites: "Phree Kevin Mitnick or we will
club 600 baby seals," the nasty teen once scrawled across GreenPeace's
home page. (At the time hacker Kevin Mitnick was in prison, and a major cause
célèbre.)
Klaus admits Prym was on ISS's payroll but "it
was mutually decided we would part company. He no longer works at ISS."
Another ISS employee edited the hacker 'zine Phrack, and at least two others
coded hacker software exploits that somehow got into the wild. These exploits,
some computer professionals say, were responsible for thousands of successful
computer attacks over an eighteen-month period. Although Klaus says that he
knew nothing about the extracurricular hacktivities of some of the young professionals
he hired for his "X-Team," a much-hyped special security unit within
the company, it's been an open secret in hacking circles for years.
Hackers like Maiffret detest law enforcement, distrust
government, and can't stand corporations. Even when one of their own-Coup-turned
corporate, he became, in their eyes, a hypocrite by disavowing his roots. Hackers'
currency is up-to-the-second information, the lifeblood of their vocations.
Who'd want to help a corporation make money? Besides, those who come equipped
with the highest hacker skill levels often carry on two lives: In the virtual
world they are shadowy figures who explore the farthest reaches of cyberspace
for security holes. They create new scripts, sometimes malicious, contact software
vendors to warn them about flaws in their products, set up web sites to comment
on the scene, and publish copies of hacked corporate home pages (available at
www.attrition.org).
They are often computer activists with a bent for anarchy.
Information, the old hacker credo goes, wants to be free. In the real world,
however, that same information about hacking and security vulnerabilities reaps
them six-figure salaries as network consultants. Just because they are upper-income-earning,
tax-paying, law-abiding citizens when they are not wired into their computers
doesn't mean they have changed their worldviews. Hacking isn't just the accumulation
of a special set of skills, it's a way of life, an obsession, more a new type
of millennial philosophy than a job description at an "information resource"
company.
No one better personifies this than Dildog, also a member
of Cult of the Dead Cow, who was lounging in his hotel suite at the 1999 Defcon
hacking convention, a smile smeared on his face. It being Las Vegas in July, the
temperature outside was 100 degrees, but Dildog was air-conditioned cool. The
unveiling of his latest software upgrade for "Back Orifice," a not-so-subtle
dig at Microsoft's Back Office, had been a rousing success. The software is
a corporate spook's hottest fantasy tool. Once installed on a target's computer
network (it could be secretly planted merely by sending it as an e-mail attachment)
it gave the user total access and control. From a remote location, a spy could
explore every nook and cranny of the system and analyze every single activity,
as if he were the systems administrator. He could capture all passwords and
keystrokes, copy all documents and files, hop unhindered from machine to machine,
from web server to e-mail files, surf through databases containing vast caches
of credit cards, and wiggle his way into vast stores of personal information
gathered from customers. The software also came equipped with programs that
could turn on and control built-in microphones and PC cameras without the user
knowing. Anyone could be watched and recorded at any time. Call it the Corporate
Cam.
But that's not why Dildog, who earns big bucks at an
established technology company, created it. Although software makers, computer
security companies, antivirus makers, and law enforcement claimed the release
of Back Orifice 2000 was just a way for hackers to legitimize illegal computer
intrusions, Dildog says he is just trying to point out potential problems with
Microsoft's software. Computer security companies are "afraid to admit
that their detection system is horribly and possibly irreparably flawed,"
he says. "[They] give people the impression their software 'raises the
bar' against the average hacker. Unfortunately, this also fools people with
really critical networks into thinking that this software is sufficient to protect
them. People trusting this stuff to protect them ... are in for a surprise."
A gaggle of followers, most of them in their twenties
and dressed in noir black, with tattoos, piercings, and scraggly hair, waited
for Dildog in his hotel suite. They sat cross-legged on the carpet, availing
themselves of a well-stocked minibar piled high with bottles of vodka, bourbon,
and whiskey. Of the 3,000 hackers, crackers, geeks, "scene whores"
(hacker groupies), computer security professionals, journalists, undercover
cops, and federal agents who attended the 1999 Defcon hacker convention, 2,000
of them had crammed into a conference room at the Alexis Park Hotel to watch
the BO2K release. The year before, Cult of the Dead Cow had chosen Defcon to
promote the first version of its Back Orifice. Written by fellow Cult member
Sir Dystic, it worked on Windows 95 and 98 machines by secretly creating a back
door so that a remote user could control all functions on those computers.
The upgraded, Dildog-coded version had been designed to
work with networks that run on Windows NT, and it camouflaged itself extremely
well. Cult of the Dead Cow members didn't travel all the way to Las Vegas to
disappoint. They kicked off the conference with a laser light show, culminating
in a deafening electronic moo sound. The crowd gyrated and cheered. Then, while
Dildog and his associates explained their don't-blame-us-if-Microsoft-products-suck
philosophy, a CD-ROM label was projected on the wall behind them, a cow head
spinning and spinning. At the end of the presentation, Cult members flung two
dozen CD-ROMs containing the Back Orifice update. The crowd surged forward.
Antivirus makers and computer security company reps watched closely, hoping
to later corral someone with a copy. The first one to crack the program would
win bragging rights, their names in a press release, perhaps even a mention
in some magazine or newspaper articles as heroes who thwarted the evil intentions
of the Cult of the Dead Cow hacker gang.
An employee of ISS threw himself into the mob and somehow
snagged a copy. Within twenty-four hours, the company would crack parts of the
program and release an application that could identify it. At the time, Dildog
didn't know this, and even if he had he wouldn't have cared. In an earlier Internet
conversation, Dildog claims, an ISS employee had approached him and
asked how much of a bribe it would take for him to pass the company an advance
copy of the software. "Money doesn't motivate us," he said,
but as a joke the Cult sent the ISS minion back a note saying it would take
$1 million and a monster truck. Later, Cult members would be chagrined to discover
the original discs dispersed at Defcon had been infected with the Chernobyl
computer virus. "Very embarrassing," Tweety Fish admits.
Although ISS had been more than happy to play up the
fact that it could detect the software, Dildog fully expected companies would
not only reverse-engineer it, they would soon come up with a removal tool. That
was why he'd released his software as "open source," which meant hackers
the world over could tweak the code to suit their needs. From previous experience,
Dildog figured BO2K would then spread like a virus, morphing into perhaps dozens
of different versions. He counted more than 300,000 downloads of the original
Back Orifice, which ran solely on Windows 95 and 98 and was spread primarily
by e-mail attachment. Who knew how many other copies had been spread friend
to friend, hacker to hacker, "cracker" to victim? Dildog didn't care.
Like Louis Malle, the French film director who once said, "I like confusion,
but it drives the crew crazy," Dildog enjoyed anarchy and confusion, believing
the question was usually more important than the answer.
In a hacker's eyes, only one thing could be worse than
dealing with a corporation, and that would be breakfasting with law enforcement.
A number of geeks complain that FBI agents have stormed into their homes waving
warrants and confiscating computers. "And the feds never seem to get around
to returning your stuff either," says Maiffret, who was raided by the feds
in 1998. "Even if they did give it back, the way technology changes it
would just be old tech anyway. So it's really a way of them to punish you without
actually having to go to the trouble of taking you to court." Just dealing
with an allegation can cost $2,000 to $5,000, and perhaps $20,000 to deal with
more serious legal issues. Or more.
Kevin Mitnick's defense team, which was paid a fraction
of what it usually earns to defend the star-crossed computer addict, billed
the government for 3,000 hours of work over three years, but put in more than
double that. At the usual L.A. lawyer rates, that would have meant Mitnick's
bill, if he'd paid legal retail, would have topped $2 million. Why did his case
drag on so long? Because "prosecutors [were] trying to make an example
of him," surmises Jennifer Granick, a San Francisco lawyer who has defended
a number of hackers.
What had Mitnick done to land him five years in jail?
The indictment alleged he had copied proprietary computer and cell-phone software
code from Motorola, Nokia, and Sun, worth, the government claimed, $80 million.
In essence, prosecutors were charging him with economic espionage before there
was a law against it. Mitnick, who was sentenced to a halfway house as a teenager
for treatment for an obsession with computers, admits he hoarded this information
but never shared it with anyone. He claims he wanted to study it.
"When he was in jail his eyes would shine
whenever we would talk about computer code," says Brian Martin, aka "Jericho,"
webmaster of attrition.org, a site that tracks computer crime, and a former
member of the Mitnick defense's computer forensics team. How did Mitnick, known
less for his computer skills and more for his verbal dexterity, score his software
fix? With Motorola, he says, it was easy. One day on his way home after work
he stopped at a pay phone and, posing as an engineer, demanded the source code
to a new cell phone. "A few minutes later I called back and was told it
was already being transmitted to an online account I'd given them," Mitnick
says. By the time he got home he had scored the blueprints to Motorola's latest
product.
For a pretty abstract kind of crime, the government's
tactics were heavy-handed, as if it were dealing with a terrorist. Mitnick wasn't
just denied bail, he was denied a bail hearing. Donald Randolph, Mitnick's court-appointed
attorney, says he had never heard of that before in his twenty-five years of
practice. It took almost a year, and a number of motions filed by Randolph,
before the prosecution turned over the nine gigabytes of electronic evidence
it had accumulated, so the defense could prepare its case. Prosecutors were
reluctant to give Mitnick a laptop to prepare his defense. Much of the rationale
for the delay was the unfounded fear that somehow Mitnick could, without a modem, wreak
cyberhavoc from prison. Indeed, prison officials had imbued Mitnick with powers
befitting James Bond. He was once stowed in solitary confinement because prison
officials were afraid he could turn his walkman into an FM transmitter that
could be used to bug the warden's office.
When legal historians look back on Mitnick's case, they
may be left scratching their heads over some of Judge Mariana Pfaelzer's odder
rulings. It is with the issue of encryption that the Mitnick case really broke
new ground. "This may be the first case in which encryption issues were
litigated in a criminal arena," says Randolph of the Santa Monica, California-based
firm Randolph & Levanas. "But get ready, it's going to be a regular
issue starting now." Especially after the Department of Justice had for
a time tossed around a very bad idea called the "Cyberspace Electronic
Security Act." The bill was scary for a number of reasons. It would have
permitted investigators to secretly enter your home, your private property,
and search through your computer, or even install software without your knowledge
that could intercept your keystrokes: your passwords, private e-mail conversations
and online chats, or override encryption programs. Fortunately, after word of
the proposal leaked out and met a storm of resistance, the Department of Justice
quietly buried it.
But it continued to be concerned that criminals will
rely more and more on encryption. Unfortunately, its proposed solution would
have been like using satellite surveillance to nab a purse-snatcher. Of course,
the irony was not lost on hackers: the Department of Justice was asking permission
to breach Americans' computer systems while at the same time they went after
people who breached Americans' computer systems, American companies, and the
American government.
With Mitnick, the issue centered around a section of
encrypted data found on the laptop in his possession when he was arrested in
1995. Since the prosecution couldn't crack the code, they said they wouldn't
turn it over to the defense as discovery until Mitnick handed over the encryption
key. The judge agreed. "In essence, the prosecution was arguing that their
ignorance provides the justification for withholding evidence," Randolph
says. "To the best of our knowledge, never before had this tactic been
attempted." The reason Mitnick's attorneys wanted to see the evidence,
besides their constitutional right to do so, was to see if there was any evidence
that would point to Mitnick's innocence. If, for instance, he got Motorola cell
phone source code from a source other than Motorola, he would not be guilty
of computer fraud. (He might have been in receipt of stolen property, but that
would have been a misdemeanor.) And Motorola's source code, and Sun's and Nokia's,
had been floating around hacker circles for years.
What was the result of the well-publicized treatment
Kevin Mitnick received? Hundreds of attacks on corporate, government, and military
web sites protesting his treatment, with web sites like kevinmitnick.com and
freekevin.com spreading the latest Kevin Mitnick news. Much of the reporting,
naturally, derided law enforcement.
Martin even posted this joke on attrition.org: The NSA,
the CIA, and the FBI all want to prove they are the best at apprehending criminals,
so the president gives them a test. He releases a rabbit into the forest and
commands each of them to catch it. The NSA places animal informants throughout
the forest, and interrogates all plant and mineral witnesses. After three months
of extensive investigations, they conclude that rabbits do not exist. The CIA,
after two weeks with no leads, burns down the forest, killing everything in
it, including the rabbit, which an unnamed agency source announces had it coming.
The FBI takes only two hours to emerge from the forest with a badly beaten bear.
The bear is yelling: "Okay, okay, I'm a rabbit, I'm a rabbit."
Hackers are always on red alert for the FBI. In fact,
when Maiffret was contacted over the Internet by the alleged terrorist Khalid
Ibrahim, a member of Harkat-ul-Ansar, a militant Indian separatist group on
the State Department's list of the thirty most dangerous terrorist organizations
in the world, he assumed Ibrahim worked for the feds. There are myriad reasons
law enforcement has not been up to the task of combating digital crime. First,
there is the dot com brain drain. The best and brightest take their pensions
and jump to tech companies that pay three times their annual government salary.
(You never hear of a top chief technology officer leaving his six-figure job
to take a position with the FBI.) Or they start their own consultant firms.
Law enforcement agents are also hampered by the realities of cyberspace. Unlike
a crime scene in the real world, you can't seal off the entire
computer network of a massive e-commerce site like Yahoo! Traditional crime-solving
methods that have proved successful against terrorism and street crime don't
work in the vagaries of cyberspace. Yet the FBI is stretched so thin, it often
sends street agents to cover computer crime cases, the type of people who wouldn't
know a URL from a UFO. Which is why the Bureau is viewed in such a dim light
online. "The FBI is clueless when it comes to hackers," says Martin.
"Their idea of a crime strategy is to track down rumors over the Internet
in the hopes that someone is dumb enough to admit something."
This was the method they used to track who they thought
had committed the February 2000 denial of service attacks. A week after the
first wave, the FBI thought it had found its malicious geek: a pimply-faced
twenty-year-old "script kiddie" with low-level computer skills who,
investigators believed, launched the electronic barrage from his job in tech
support at a major auto parts supplier in Dearborn, Michigan. Although speculation
had been running wild as to the identity of the culprit, hackers, crackers,
pirates, and thieves treading on the seamy side of cyberspace were committing
"serial bragging": taking credit for the attacks on hacker chat channels.
Many had blithely assumed the name "MafiaBoy," one of the potential
perps mentioned in a stream of news stories about the investigation. There were
dozens of MafiaBoys running around the Internet in the days and weeks after
the DOS. But one hacker wannabe stood out from the rest. "Pig Farmer,"
also known as "Eurostylin" and "Bean Farmer," had e-mailed
Martin at the attrition site (he said he was a fan) right after the first wave
of attacks, bragging about his exploits. When he couldn't answer simple questions
about the assaults, however, he was dismissed as yet another crackpot craving
the limelight.
As the real culprits unleashed torrents of electronic
packets at more e-commerce sites over the course of the week (Amazon, Charles
Schwab, Datek, ZDNet, and Lycos, among many others), Pig Farmer widened his contacts,
sending mail from America Online to dozens of journalists in the hopes someone
would listen to him. But nobody would. In an Internet Relay Chat (IRC) with
some alleged cronies, Pig Farmer, ostensibly named because his parents have
a farm where they raise pigs, beans, and corn, wrote: "I have sent 15 journalists
an e-mail so we can get our message out. They have not responded to us, but
the ones who have say we are not legit but we'll show them." He also brashly
claimed he would hit CNN and Time Warner the next day, and they were attacked.
When Martin asked him after the first wave of attacks
why he was doing this, Pig Farmer responded: "If you notice the targets,
They are all PUBLICLY traded companies, This was an attempt to put a 'Scare'
into internet stock holders." But without hard evidence, Martin still couldn't
be sure. He then passed on the e-mail that Pig Farmer had sent him to James
M. Atkinson, founder of Granite Island Group of Gloucester, Massachusetts, a
company that specializes in technical surveillance countermeasures. Atkinson,
in addition to conducting bug sweeps of corporations, is also an expert hacker
tracker. Because Atkinson has close ties to law enforcement, he knew the FBI
had nothing on Pig Farmer and was floundering in its investigation of the DOS
attacker. All it had to start with was Pig Farmer's e-mail, which was a shame.
It was no way to conduct an investigation. But Atkinson decided he would donate
a few days of his time to see if he could help out.
It took almost no time for him to locate Pig Farmer's
file directories and home page on AOL, complete with pictures of a barn, trailer,
and souped-up car. Atkinson, who had conducted hundreds of analysis projects like
this, was not in the business of catching digital criminals. His company focused
on bug sweeps, wiretap detection, and protecting corporations and government
agencies from illegal surveillance or technical espionage.
"It took me 23 minutes to find out who the
guy was," Atkinson says. "The way you catch mischief makers is you
look for minutiae and small mistakes they make. When Pig Farmer reached out
to media people, he left a trail that led back to him."
On the AOL home page, Atkinson found a photo of a bright
red 1999 Dodge sports car with chrome wheels and, most important, tinted windows.
Pig Farmer had deleted the license number from the photo, but he kept the car
waxed and shiny, and Atkinson was able to extract an image of his target from
the photo, which had been taken with a Sony digital camera using a flash in bright sunlight.
Pig Farmer had received a ticket for the tinted windows, something he seemed
proud of, since he had tried, unsuccessfully, to scan the image into his home page.
But the file got corrupted. Of a 680-kilobyte file, only 630K got through. Atkinson
downloaded the entire site into his Silicon Graphics workstation and recovered
the fragments of the damaged document. On the ticket, he had eradicated his
name and address, but not the number on the ticket, nor the license number of
his car, the date, or the time. Atkinson made a call to the Michigan State Police
and within nineteen minutes an officer phoned back with the potential perp's
name, address, and other relevant information.
Pig Farmer "bragged about the attacks before, during
and after," Atkinson says. "He seemed to do everything he could to
draw attention to himself." With Janet Reno screaming behind the scenes
that she wanted to hold a press conference announcing an arrest, the FBI got
more than a dozen subpoenas and brought Pig Farmer in for questioning. But it
didn't take long for agents and Department of Justice attorneys to realize all
they had was a twenty-year-old hacker wannabe who had wasted their time. Pig
Farmer had been reading everything he could about the DOS attacks through the media,
then immediately crowed about it online in chat channels and through e-mails.
If bragging were a crime, Pig Farmer might be serving a life sentence. Instead,
the feds had to let him go.
Of course, "if hackers didn't brag, I wouldn't
have a job," says a man who goes by the initials "J3," who trolls
the hacker underground, monitoring discussion channels on Internet Relay Chat,
checking out the latest info on "phreaking" (cracking the phone system), dialing
up bulletin boards and checking out web sites that offer password-cracking software
and how-to guides. For J3 this isn't just a hobby, it's a job. The computer
security firm ICSA hired him as a kind of hacker spy. When he gets wind of
a new security hole, he passes the information on to ICSA's tech staff so that
the company can either develop a defense or tip off software makers before the
flaw can be exploited. "I've found a company's entire password file posted
to a web site, or that hackers have root in a network or that a merchant site
with a database of credit cards has been compromised," he says. "I
then contact the companies and warn them."
Yet the hacks keep on coming, and law enforcement has
had little success in catching those responsible. That indicates that despite
the contentious relationship between hackers and corporate America it's only
a matter of time before spies turn to the Internet to syphon away valuable R&D
from business competitors. It doesn't take William Gibson-like imagination to
see why cyberspace will be the corporate battleground of the future.
The rise of colossal databases and innovations in data-sifting
technologies have created an informational glut, with the spread of the web
the final step. A talented hacker can uncover corporate secrets instantly with
a few taps of the keyboard. For decades this information rested in remote mainframes
difficult to access, even for the ones who put it there, or was filed away
in dusty cabinets at corporate headquarters. The move to desktop PCs and local
servers in the 1990s has distributed this data far and wide. Computers now hold
half a billion bank accounts, half a billion credit card accounts, 200 million
credit history files (approximately one for each American over eighteen), hundreds
of millions of mortgage and retirement funds, medical claims, and more. That's
just on the consumer end. There are also thousands of corporate computer networks
accessible from the outside over phone lines, since their employees have to be
able to dial in remotely. But letting in some and keeping out others, while
providing basics like e-mail and Internet surfing, is challenging. No amount
of computer security has been able to keep hackers out. If a company has a web
site, it is vulnerable to a computer miscreant sneaking in right through the
company's virtual welcome mat: its home page.
This was how a lone fifteen-year-old tenth-grader from
suburban America cracked India's most important nuclear research center in Bombay
in May 1998. He was watching TV coverage of India's underground nuclear tests
and for some reason it stuck in his craw. He was not sure exactly why. After
all, he was much too young to remember Hiroshima, Nagasaki, and the Cuban Missile
Crisis. He couldn't even find India on the map. Some Third World hole that couldn't
even feed its own people was getting into a nuclear arms race with Pakistan
and China. The more he thought about it, the madder he got, so he decided to
wreak vengeance on the Indians. And he would accomplish this without leaving
his bedroom. In cyberspace, where the young hacker spent much of his life, he
went by the nick "t3k-9," pronounced "Tech-9." He was especially
adept at cracking passwords and log-ins, the keys to illegally accessing computer
systems. On this particular day, t3k-9 stomped upstairs carrying his favorite
hack snacks (chocolate Poptarts, Coca-Cola, and sour jawbreakers) and went to
his bedroom, where he booted up his computer and listened to the comforting
squawk of his modem. He checked in with search engine Infoseek, and plugged
in ".in atomic," the equivalent of typing "India, atomic research."
One of the first sites to come up was India's Bhabha Atomic Research Center
(BARC), which he read had been instrumental in helping India develop the A-bomb.
He pointed and clicked his way to the BARC site and
accessed the John the Ripper DES Encryption Cracker software he had downloaded
off the Internet, where literally thousands of complex hacker applications and
"how-to" guides are available from web sites and hacker chat channels.
The password cruncher worked by setting up a phony log-in program so that BARC
thought it was accepting a connection from a friendly machine. Then, by brute
force, the cruncher tried every single combination of letters and numbers until
it hit the jackpot.
First, the application ran through all the lettered
combinations at the speed of digital light (a, b, aa, bb, cc), then after going
through the entire alphabet, backtracking to ab, ac, ad, and so forth. t3k-9
had also added special customized word lists that combine letters and numbers
he'd downloaded over the course of his travels. Forty-five seconds after he'd
started, t3k-9 was amazed to discover that he'd cracked one of the passwords.
He was inside India's number one atomic research network. His eyes bugged. He
checked the password: "ANSI." Someone's name, he thought, the same
as the log-in prompt. He couldn't believe his luck. The administrator hadn't
followed standard password selection rules, which would have meant complex strings
of numbers and letters, more difficult to crack because the longer it takes,
the greater the likelihood you'll get caught.
t3k-9's first step was to download all the passwords
and log-in names. Then he installed a back door that would enable him to gain
entry into the system without being detected. After that, he consulted the network
map, which was open to public display. He headed over to the web server and
read through e-mails written in scientific geek-speak, then riffled through
some documents on particle physics. Boring stuff, he thought. He decided to
get out while the getting was good, downloading a few e-mails and a scientific
document for souvenirs. Then, after erasing logs to ensure no one would be able
to track him, he logged off.
If he'd kept this to himself, no one would have ever
known. And in the days to follow, India's top nuclear research facility would
probably never have suffered the ignominy of perhaps 100 hackers running roughshod
through its computer network like gangs on a rampage. But t3k-9 couldn't keep
mum. He did what every self-respecting hacker would do. He bragged. He posted
the whole BARC password file, all 800 passwords and log-in names, on one of the
hacker channels. Immediately, hackers began accessing this information and attacked
Bhabha. Within days hackers from all over the world were wilding through the
research center's computer systems, deleting files and copying e-mails, including
one that questioned the legitimacy of one of the explosions, and tearing down
the web site, replacing it with a mushroom cloud and a giggly greeting. If t3k-9
had been a terrorist or corporate spy instead of a kid who found physics papers
lame, who knows what he could have downloaded?
Thus far, corporations have shown much less imagination
than t3k-9, although they are beginning to keep tabs on their rivals over the
Net: "We know our competitors check out our web site because we track their
domain names," says Michael Renda, a manager of Internet projects at AlliedSignal.
"And of course, we do the same to them." The Net makes it a snap to
check out a competitor: its prices, customer lists, suppliers, distributors,
and new product information, because companies are caught between two conflicting
missions: making customer and partner information available over the Internet
and at the same time protecting their proprietary information.
DuPont on its web site offers anyone with access to
a computer and a modem a list of every factory and yarn spinner the company
uses in the production of the fabric CoolMax, which is used in athletic apparel.
"They list factories and yarn spinners, their addresses, plant managers,"
says Mary Ellen Bates of Bates Information Services of Washington, D.C. "You
can call suppliers: are they paying you enough, asking you to provide a new fabric,
threatening to move operations to Shanghai? If you want to make a competing
product you try to schmooze the plant managers. I don't see why it's beneficial
to DuPont to display this kind of stuff."
Rumors abound on the Net about hackers being hired by
corporations to steal proprietary information or money, but cases that come
to public light are rare. Companies have been known to get victimized over the
Internet in other ways, however. Until recently corporations parked whole divisions
of employees and their direct report chain on their web sites, along with corporate
profiles and résumés. Boeing on its web site listed the personnel
of whole divisions, hundreds and hundreds of workers, including those who worked
on technology used in the space shuttle. The aerospace company's web site used
to be "a gold mine for a competitor that would like to hire away staff
who come with lots of sensitive information," says Robert D. Aaron of the
Atlanta-based research firm Aaron/Smith Associates. "And you know who to
talk to about each person. You can call up their boss, work your way up the
organizational chart, and find out information about an executive, his background,
how he is to work for." Eventually Boeing got wise and pulled this material.
To a hacker like Chameleon, however, accessing harder-to-get
information requires more talent and skill. Before Maiffret escaped a severe
addiction to hacking to grab a lucrative chunk of the dot com craze, he spent
most of his days locked in his room in the southern Californian suburban home
he shared with his mother and sister, plugged into his computer for thirty-six-hour-long
hack sprees, probing networks to learn about the latest architectures, Internet
servers, software exploit scripts and techniques, coding and decoding software,
chatting up girls via e-mail and instant messaging, including one virtual relationship
that he says ended disastrously, and dissecting back issues of Phrack, an online
hacker zine.
Only when he couldn't keep his eyelids propped open
any longer would he pull himself away from his virtual existence, crawl across
the carpet to a corner of his room, and curl up on a comforter to catch some
REM. "I preferred sleeping on the floor because I rarely slept," Maiffret
recalls. School wasn't relevant. He stopped attending. The twenty-four-hour
clock lost meaning; his life had been shaped into two seamless parts: cyberspace
and sleep.
Not only was Chameleon known for his technical skills
and respected as an "elite," or in the digital lexicon of the Net,
"3l33t" hacker, he also viewed himself as a kind of twenty-first-century
electronic poet and political activist. When he cracked a U.S. Department of
Defense web site dedicated to artificial intelligence, he wrote: "It's
funny how people go through life searching for the truth, yet when they find
it they wish they hadn't searched for it. The truth is a virus and people don't
want to get it. Live and deal with the truth, because sooner or later you will
have to face it." For fun, Chameleon slipped in a piece of software that
played the whistly theme to the X-Files every time someone accessed the page.
His first brush with fame came when he was seventeen,
and ironically, for something he didn't do. At the time, Chameleon was affiliated
with a hacker band called "Noid," with whom he had penetrated dozens
of corporate networks, joyriding around the computers, riffling through servers
and files, "to see how things worked," Maiffret says. At the time,
the big news in computer security was that a hacker group called the Masters
of Downloading (MOD) had stolen a piece of military software called DEM, or
the Defense Information Systems Network Equipment Manager.
CBS News managed to get word to MOD, but since members
were based in Europe, they told CBS to talk to Chameleon. Since he didn't want
to do the show alone, Chameleon grabbed his roommate, a "phone phreaker" (someone
who manipulates the telephone system to get what he wants), and they marched down
to the studio. To protect their identities their faces were shadowed and voices
modulated. But Chameleon had no intention of saying anything remotely incriminating,
at least nothing true, so he lied. "I never
claimed I stole the software; I said MOD did it, because that was true. But
I did say I was a member of MOD. Man, oh man, what a stupid lie!"
Shortly afterward Chameleon was pinged online. Someone
by the name of Ibrahim told him he wanted the software. He kept messaging Chameleon,
saying he'd pay good money for it. "At first I thought it was a guy messing
with me; happens all the time on IRC," Chameleon says. "I played along,
even though I thought it was b.s. But then the guy told me to check a P.O. box"
three towns over from where Chameleon lived in Irvine, California.
When he got there, he peered inside the box. The lone
piece of mail was a pink slip. A certified letter. This meant you had to sign
for it. Which meant if the guy was an undercover agent, Chameleon could be in
big trouble. He and his Noid boys had been extra busy lately, having defaced
a slew of web sites in recent weeks. "We had gone on a spree, 10 or 12
sites, including the Army, Navy, Air Force. Hell, we hacked one of each of the
three branches of the military," Chameleon says. But he also realized his
interactions with Ibrahim had been 100 percent legal, at least from his side.
"Even if he was FBI, I hadn't given him software or anything," Chameleon
says. So he opened up the box, grabbed the pink slip, marched up to the counter
and accepted two $500 money orders. Written on the envelope was a pager number,
a contact in Chicago. Chameleon wadded up the envelope and chucked it in the
trash.
Okay, maybe the guy is a terrorist, Chameleon thought,
or maybe he's FBI. Nevertheless, he filled out the money orders and cashed them
at a bank down the street. "I would never rip anyone off but I had no problem
doing it to a terrorist. Besides, that was a hell of a lot of money for me back
then," he says. He took most of his booty and bought a Nintendo 64 game
for his mentally handicapped sister, since "the doctors told me any toy
that requires hand-eye coordination would be good for her." He used the
rest to tool around town and fly up to San Jose to visit a friend. Meanwhile
Ibrahim kept trying to raise him over IRC, the messages becoming more threatening.
"I gave you money and what the fuck? I don't want to have to go back to
my people and tell them you ripped us off," Ibrahim wrote.
Afraid, Chameleon stopped venturing online.
But this didn't prevent him from waking up with a jolt
a few mornings after, a gun nuzzling his temple.